draft-ietf-dhc-vpn-option-02.txt   draft-ietf-dhc-vpn-option-03.txt 
Internet Engineering Task Force Richard Johnson Internet Engineering Task Force Richard Johnson
Internet Draft Kim Kinnear Internet Draft Kim Kinnear
Expiration: April 2003 Mark Stapp Expiration: March 2005 Mark Stapp
File: draft-ietf-dhc-vpn-option-02.txt Jay Kumarasamy File: draft-ietf-dhc-vpn-option-03.txt Jay Kumarasamy
Cisco Systems, Inc. Cisco Systems, Inc.
DHCP VPN Information option DHCP VPN Information option
<draft-ietf-dhc-vpn-option-02.txt> <draft-ietf-dhc-vpn-option-03.txt>
October 24, 2002 September 27, 2004
Status of this Memo Status of this Memo
By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed,
or will be disclosed, and any of which I become aware will be
disclosed, in accordance with RFC 3668.
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
skipping to change at page 2, line 12 skipping to change at page 2, line 20
needs to be passed to the DHCP server for proper address allocation needs to be passed to the DHCP server for proper address allocation
to take place. to take place.
1.0 Introduction 1.0 Introduction
There is a growing use of Virtual Private Network (VPN) There is a growing use of Virtual Private Network (VPN)
configurations. The growth comes from many areas; individual client configurations. The growth comes from many areas; individual client
systems needing to appear to be on the home corporate network even systems needing to appear to be on the home corporate network even
when traveling, ISPs providing extranet connectivity for customer when traveling, ISPs providing extranet connectivity for customer
companies, etc. In some of these cases there is a need for the DHCP companies, etc. In some of these cases there is a need for the DHCP
client to communicate to the DHCP server the VPN from which an server to know the VPN from which an address, and other resources,
address, and other resources, should be allocated. Currently there should be allocated.
is no way to pass this information.
This option would most likely not be used by an actual DHCP end-user If the allocation is being done through a DHCP relay, then a relay
client such as a workstation or laptop. It is primarily intended to suboption could be included. In some cases, however an IP address is
be used by a DHCP proxy client which would be using DHCP in order to being sought by a DHCP proxy on behalf of a client (would may be
allocate an IP address on behalf of some other protocol or client. assigned the address via a different protocol). In this case, there
is a need to include VPN information relating to the client as a DHCP
option.
A good example might be a dial-in aggregation device where PPP
addresses are acquired via DHCP and then given to the remove customer
system via IPCP. In a network where such a device is used to
aggregate PPP dial-in from multiple companies, each company may be
assigned a unique VPN.
This memo defines a new DHCP [2] option, the VPN Information option, This memo defines a new DHCP [2] option, the VPN Information option,
which allows the DHCP client to specify the VPN Information needed in which allows the DHCP client to specify the VPN Information needed in
order to allocate an address. If the receiving DHCP server order to allocate an address. If the receiving DHCP server
understands the VPN Information option, this information may be used understands the VPN Information option, this information may be used
in conjunction with other information in determining the subnet on in conjunction with other information in determining the subnet on
which to select an address as well as other information such as DNS which to select an address as well as other information such as DNS
server, default router, etc. server, default router, etc.
1.1 Conventions 1.1 Conventions
skipping to change at page 3, line 6 skipping to change at page 3, line 25
| TBD | n | t | v1 | v2 | v3 | ... | TBD | n | t | v1 | v2 | v3 | ...
+-----+-----+------+-----+-----+-----+--- +-----+-----+------+-----+-----+-----+---
Type: 0 NVT ASCII VPN identifier Type: 0 NVT ASCII VPN identifier
1 RFC2685 VPN-ID 1 RFC2685 VPN-ID
2-255 Not Allowed 2-255 Not Allowed
The option minimum length (n) is 2. The option minimum length (n) is 2.
There are two types of identifiers which can be placed in the VPN There are two types of identifiers which can be placed in the VPN
Information Suboption. The first type of identifier which can be Information Option. The first type of identifier which can be placed
placed in the VPN Information Suboption is an NVT ASCII string. It in the VPN Information Option is an NVT ASCII string. It MUST NOT be
MUST NOT be terminated with a zero byte. terminated with a zero byte.
The second type of identifier which can be placed in the VPN The second type of identifier which can be placed in the VPN
Information Suboption is an RFC2685 VPN-ID [4], which is typically 14 Information Option is an RFC2685 VPN-ID [4], which is typically 14
hex digits in length (though it can be any length as far as the VPN hex digits in length (though it can be any length as far as the VPN
Information Suboption is concerned). Information Option is concerned).
If the type field is set to zero (0), it indicates that all following If the type field is set to zero (0), it indicates that all following
bytes of the option contain a NVT ASCII string. This string MUST NOT bytes of the option contain a NVT ASCII string. This string MUST NOT
be terminated with a zero byte. be terminated with a zero byte.
If the type field is set to one (1), it indicates that all following If the type field is set to one (1), it indicates that all following
bytes should be interpreted in agreement with [4] as a VPN bytes should be interpreted in agreement with [4] as a VPN
Identifier, typically 14 hex digits. Identifier, typically 14 hex digits.
All other values of the type field are invalid as of this memo and All other values of the type field are invalid as of this memo and
VPN options containing any other value than zero (0) or one (1) VPN options containing any other value than zero (0) or one (1)
SHOULD be ignored. SHOULD be ignored.
Any VPN information contained in a DHCP Relay suboption SHOULD Any VPN information contained in a DHCP Relay Suboption SHOULD
override the information contained in this VPN Information option. override the information contained in this VPN Information option.
Servers configured to support this option MUST return an identical Servers configured to support this option MUST return an identical
copy of the option to any client that sends it, regardless of whether copy of the option to any client that sends it, regardless of whether
or not the client requests the option in a parameter request list. or not the client requests the option in a parameter request list.
Clients using this option MUST discard DHCPOFFER or DHCPACK packets Clients using this option MUST discard DHCPOFFER or DHCPACK packets
that do not contain this option. that do not contain this option.
This option provides the DHCP server additional information upon This option provides the DHCP server additional information upon
which to make a determination of address to be assigned. The DHCP which to make a determination of address to be assigned. The DHCP
skipping to change at page 4, line 6 skipping to change at page 4, line 25
preference to the information in the VPN Information Option. preference to the information in the VPN Information Option.
Servers that do not understand this option will allocate an address Servers that do not understand this option will allocate an address
using their normal algorithms and will not return this option in the using their normal algorithms and will not return this option in the
DHCPOFFER or DHCPACK. In this case the client will discard the DHCPOFFER or DHCPACK. In this case the client will discard the
DHCPOFFER or DHCPACK. Servers that understand this option but are DHCPOFFER or DHCPACK. Servers that understand this option but are
administratively configured to ignore the option MUST ignore the administratively configured to ignore the option MUST ignore the
option, use their normal algorithms to allocate an address, and MUST option, use their normal algorithms to allocate an address, and MUST
NOT return this option in the DHCPOFFER or DHCPACK. In this case the NOT return this option in the DHCPOFFER or DHCPACK. In this case the
client will discard the DHCPOFFER or DHCPACK. In other words, this client will discard the DHCPOFFER or DHCPACK. In other words, this
option MUST not appear in a DHCPOFFER from a server unless it was option MUST NOT appear in a DHCPOFFER from a server unless it was
used by the server in making the address allocation requested. used by the server in making the address allocation requested.
This option SHOULD NOT be used without also making use of the DHCP
Authentication option [5].
3.0 Security Considerations 3.0 Security Considerations
Message authentication in DHCP for intradomain use where the out-of- Message authentication in DHCP for intradomain use where the out-of-
band exchange of a shared secret is feasible is defined in [5]. band exchange of a shared secret is feasible is defined in [5].
Potential exposures to attack are discussed in section 7 of the DHCP Potential exposures to attack are discussed in section 7 of the DHCP
protocol specification in [2]. protocol specification in [2].
The VPN Information option could be used by a client in order to The VPN Information option could be used by a client in order to
obtain an IP address from a VPN other than the one where it should. obtain an IP address from a VPN other than the one where it should.
DHCP relays MAY choose to remove the option before passing on DHCP relays MAY choose to remove the option before passing on
skipping to change at page 5, line 11 skipping to change at page 5, line 29
made concurrently in the type byte codes of the VPN Information made concurrently in the type byte codes of the VPN Information
Option. The type bytes and data formats of the VPN Information Option. The type bytes and data formats of the VPN Information
Option and VPN Information Suboption MUST always be identical. Option and VPN Information Suboption MUST always be identical.
5.0 Acknowledgements 5.0 Acknowledgements
This document is the result of work done within Cisco Systems. This document is the result of work done within Cisco Systems.
Thanks to Kim Kinnear, Mark Stapp, and Jay Kumarasamy for their work Thanks to Kim Kinnear, Mark Stapp, and Jay Kumarasamy for their work
on this option definition and the other related work for which this on this option definition and the other related work for which this
is necessary. is necessary.
Copyright notice
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
References References
[1] Bradner, S., "Key words for use in RFCs to Indicate [1] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, BCP 14, March 1997. Requirement Levels", RFC 2119, BCP 14, March 1997.
[2] Droms, R. "Dynamic Host Configuration Protocol", RFC 2131, [2] Droms, R. "Dynamic Host Configuration Protocol", RFC 2131,
March 1997. March 1997.
[3] Alexander, S. and Droms, R., "DHCP Options and BOOTP Vendor [3] Alexander, S. and Droms, R., "DHCP Options and BOOTP Vendor
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/