draft-ietf-dhc-vpn-option-06.txt   draft-ietf-dhc-vpn-option-07.txt 
Network Working Group R. Johnson Network Working Group R. Johnson
Internet-Draft J. Kumarasamy Internet-Draft J. Kumarasamy
Expires: October 14, 2007 K. Kinnear Expires: May 19, 2008 K. Kinnear
M. Stapp M. Stapp
Cisco Cisco
April 12, 2007 November 16, 2007
Virtual Subnet Selection Option Virtual Subnet Selection Option
draft-ietf-dhc-vpn-option-06.txt draft-ietf-dhc-vpn-option-07.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 36 skipping to change at page 1, line 36
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 14, 2007. This Internet-Draft will expire on May 19, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
Abstract Abstract
This memo defines a new DHCP option for passing Virtual Subnet This memo defines existing usage for the Virtual Subnet Selection
Selection (VSS) information between the DHCP client and the DHCP (VSS) information option. It is intended for use primarily by DHCP
server. It is intended for use primarily by DHCP proxy clients in proxy clients in situations where VSS information needs to be passed
situations where VSS information needs to be passed to the DHCP to the DHCP server for proper address allocation to take place.
server for proper address allocation to take place.
The option number currently in use is TBD. This memo documents the The option number currently in use is 221. This memo documents the
current usage of the option in agreement with [7], which declares current usage of the option in agreement with [8], which declares
that any pre-existing usages of option numbers in the range 128 - 223 that any pre-existing usages of option numbers in the range 128 - 223
should be documented and the working group will try to officially should be documented and the working group will try to officially
assign those numbers to those options. assign those numbers to those options.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. VSS Information Definition . . . . . . . . . . . . . . . . . . 5 3. VSS Information Definition . . . . . . . . . . . . . . . . . . 5
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9
7. Informative References . . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
Intellectual Property and Copyright Statements . . . . . . . . . . 12 Intellectual Property and Copyright Statements . . . . . . . . . . 12
1. Introduction 1. Introduction
There is a growing use of Virtual Private Network (VPN) There is a growing use of Virtual Private Network (VPN)
configurations. The growth comes from many areas; individual client configurations. The growth comes from many areas; individual client
systems needing to appear to be on the home corporate network even systems needing to appear to be on the home corporate network even
when traveling, ISPs providing extranet connectivity for customer when traveling, ISPs providing extranet connectivity for customer
companies, etc. In some of these cases there is a need for the DHCP companies, etc. In some of these cases there is a need for the DHCP
server to know the VPN (hereafter called a "Virtual Subnet Selector" server to know the VPN (hereafter called a "Virtual Subnet Selector"
or "VSS") from which an address, and other resources, should be or "VSS") from which an address, and other resources, should be
allocated. allocated.
If the allocation is being done through a DHCP relay, then a relay If the allocation is being done through a DHCP relay, then a relay
suboption could be included. In some cases, however an IP address is sub-option could be included. In some cases, however an IP address
being sought by a DHCP proxy on behalf of a client (would may be is being sought by a DHCP proxy on behalf of a client (which may be
assigned the address via a different protocol). In this case, there assigned the address via a different protocol). In this case, there
is a need to include VSS information relating to the client as a DHCP is a need to include VSS information relating to the client as a DHCP
option. option.
A good example might be a dial-in aggregation device where PPP A good example might be a dial-in aggregation device where PPP [10]
addresses are acquired via DHCP and then given to the remove customer addresses are acquired via DHCP and then given to the remote customer
system via IPCP. In a network where such a device is used to system via IPCP [9]. In a network where such a device is used to
aggregate PPP dial-in from multiple companies, each company may be aggregate PPP dial-in from multiple companies, each company may be
assigned a unique VSS. assigned a unique VSS.
This memo defines a new DHCP [2] option, the VSS Information option, This memo defines a new DHCP [4] option, the VSS Information option,
which allows the DHCP client to specify the VSS Information needed in which allows the DHCP client to specify the VSS Information needed in
order to allocate an address. If the receiving DHCP server order to allocate an address. If the receiving DHCP server
understands the VSS Information option, this information may be used understands the VSS Information option, this information may be used
in conjunction with other information in determining the subnet on in conjunction with other information in determining the subnet on
which to select an address as well as other information such as DNS which to select an address as well as other information such as DNS
server, default router, etc. server, default router, etc.
2. Conventions 2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this
document are to be interpreted as described in [1]. document are to be interpreted as described in [3].
This document also uses the following terms:
DHCP Client
DHCP Client or "Client" is an Internet host using DHCP to obtain
configuration parameters such as a network address.
DHCP Server
A DHCP Server or "Server" is an Internet host that returns
configuration parameters to DHCP Clients.
DHCP relay agent
A DHCP relay agent is a third-party agent that transfers BOOTP and
DHCP messages between clients and servers residing on different
subnets, per [1] and [2].
downstream
Downstream is the direction from the access concentrator towards
the subscriber.
upstream
Upstream is the direction from the subscriber towards the access
concentrator.
VSS information
Information about a VPN necessary to allocate an address to a DHCP
client on that VPN and necessary to forward a DHCP reply packet to
a DHCP client on that VPN.
VPN
Virtual private network. A network which appears to the client to
be a private network.
VPN Identifier
The VPN-ID is defined by [6] to be a sequence of 7 octets.
3. VSS Information Definition 3. VSS Information Definition
The VSS Information option is a DHCP option [3]. The option contains The VSS Information option is a DHCP option [5]. The option contains
generalized VSS information in one of two formats: NVT ASCII VPN generalized VSS information in one of two formats: NVT ASCII VPN
identifier, or RFC2685 VPN-ID [4]. identifier, or RFC2685 VPN-ID [6].
The format of the option is: The format of the option is:
Code Len Type VSS Information octets Code Len Type VSS Information octets
+-----+-----+------+-----+-----+-----+--- +-----+-----+------+-----+-----+-----+---
| TBD | n | t | v1 | v2 | v3 | ... | 221 | n | t | v1 | v2 | v3 | ...
+-----+-----+------+-----+-----+-----+--- +-----+-----+------+-----+-----+-----+---
Type: 0 NVT ASCII VPN identifier Type: 0 NVT ASCII VPN identifier
1 RFC2685 VPN-ID 1 RFC2685 VPN-ID
2-255 Not Allowed 2-255 Not Allowed
Figure 1 Figure 1
The option minimum length (n) is 2. The option minimum length (n) is 2.
There are two types of identifiers which can be placed in the VSS There are two types of identifiers which can be placed in the VSS
Information Option. The first type of identifier which can be placed Information Option. The first type of identifier which can be placed
in the VSS Information Option is an NVT ASCII string. It MUST NOT be in the VSS Information Option is an NVT ASCII string. It MUST NOT be
terminated with a zero byte. terminated with a zero byte.
The second type of identifier which can be placed in the VSS The second type of identifier which can be placed in the VSS
Information Option is an RFC2685 VPN-ID [4], which is typically 14 Information Option is an RFC2685 VPN-ID [6], which is typically 7
hex digits in length (though it can be any length as far as the VSS octets (3 of VPN OUI followed by 4 of VPN index) in length (though it
Information Option is concerned). can be any length as far as the VSS Information Option is concerned).
If the type field is set to zero (0), it indicates that all following If the type field is set to zero (0), it indicates that all following
bytes of the option contain a NVT ASCII string. This string MUST NOT bytes of the option contain a NVT ASCII string. This string MUST NOT
be terminated with a zero byte. be terminated with a zero byte.
If the type field is set to one (1), it indicates that all following If the type field is set to one (1), it indicates that all following
bytes should be interpreted in agreement with RFC2685 as a VPN bytes should be interpreted in agreement with RFC2685 as a VPN
Identifier, typically 14 hex digits. Identifier, typically 7 octets.
All other values of the type field are invalid as of this memo and All other values of the type field are invalid as of this memo and
VSS options containing any other value than zero (0) or one (1) VSS options containing any other value than zero (0) or one (1)
SHOULD be ignored. SHOULD be ignored.
Any VSS information contained in a DHCP Relay Suboption SHOULD Since this option is placed in the packet in order to change the VPN
override the information contained in this VSS Information option. on which an IP address is allocated for a particular DHCP client, one
[8] presumes that an allocation on that VPN is necessary for correct
operation. If this presumption is correct, then a client which
places this option in a packet and doesn't receive it in the
returning packet should drop the packet since the IP address that was
allocated will not be in the correct VPN. If an IP address that is
not on the requested VPN is not required, then the client is free to
accept the IP address that is not on the VPN that the was requested.
Servers configured to support this option MUST return an identical Servers configured to support this option MUST return an identical
copy of the option to any client that sends it, regardless of whether copy of the option to any client that sends it, regardless of whether
or not the client requests the option in a parameter request list. or not the client requests the option in a parameter request list.
Clients using this option MUST discard DHCPOFFER or DHCPACK packets
that do not contain this option.
This option provides the DHCP server additional information upon This option provides the DHCP server additional information upon
which to make a determination of address to be assigned. The DHCP which to make a determination of address to be assigned. The DHCP
server, if it is configure to support this option, should use this server, if it is configured to support this option, should use this
information in addition to other options included in the DHCPDISCOVER information in addition to other options included in the DHCPDISCOVER
packet in order to assign an IP address for DHCP client. packet in order to assign an IP address for DHCP client.
In the event that a VSS Informmation Option and a VSS Information In the event that a Virtual Subnet Selection option and a Virtual
Relay Suboption are both received in a particular DHCP client packet, Subnet Selection sub-option [12] are both received in a particular
the information from the VSS Information Suboption MUST be used in DHCP client packet, the information from the Virtual Subnet Selection
preference to the information in the VSS Information Option. sub-option MUST be used in preference to the information in the
Virtual Subnet Selection option. This reasoning behind this approach
is that the relay-agent is almost certainly more trusted than the
DHCP client, and therefore information in the relay-agent-information
option that conflicts with information in the packet generated by the
DHCP client is more likely to be correct.
Servers that do not understand this option will allocate an address Servers that do not understand this option will allocate an address
using their normal algorithms and will not return this option in the using their normal algorithms and will not return this option in the
DHCPOFFER or DHCPACK. In this case the client will discard the DHCPOFFER or DHCPACK. In this case the client should consider
DHCPOFFER or DHCPACK. Servers that understand this option but are discarding the DHCPOFFER or DHCPACK, as mentioned above. Servers
administratively configured to ignore the option MUST ignore the that understand this option but are administratively configured to
option, use their normal algorithms to allocate an address, and MUST ignore the option MUST ignore the option, use their normal algorithms
NOT return this option in the DHCPOFFER or DHCPACK. In this case the to allocate an address, and MUST NOT return this option in the
client will discard the DHCPOFFER or DHCPACK. In other words, this DHCPOFFER or DHCPACK such that the client will know that the
option MUST NOT appear in a DHCPOFFER from a server unless it was allocated address is not in the VPN requested and will consider this
used by the server in making the address allocation requested. information in deciding whether or not to accept the DHCPOFFER. In
other words, this option MUST NOT appear in a DHCPOFFER or DHCPACK
from a server unless it was used by the server in making or updating
the address allocation requested.
4. Security Considerations 4. Security Considerations
Message authentication in DHCP for intradomain use where the out-of- Message authentication in DHCP for intradomain use where the out-of-
band exchange of a shared secret is feasible is defined in [5]. band exchange of a shared secret is feasible is defined in [11].
Potential exposures to attack are discussed in section 7 of the DHCP Potential exposures to attack are discussed in section 7 of the DHCP
protocol specification in [2]. protocol specification in [4].
The VSS Information option could be used by a client in order to The VSS Information option could be used by a client in order to
obtain an IP address from a VSS other than the one where it should. obtain an IP address from a VPN other than the one where it should.
DHCP relays MAY choose to remove the option before passing on Another possible defense would be for the DHCP relay to insert a
DHCPDISCOVER packets. Another possible defense would be for the DHCP Relay option containing a VSS Information Relay Sub-option, which
relay to insert a Relay option containing a VSS Information would override the DHCP VSS Information option.
Suboption, which would override the DHCP VSS Information option.
This option would allow a client to perform a more complete address- This option would allow a client to perform a more complete address-
pool exhaustion attack since the client would no longer be restricted pool exhaustion attack since the client would no longer be restricted
to attacking address-pools on just its local subnet. to attacking address-pools on just its local subnet.
Servers that implement the VSS Information option MUST by default Servers that implement the VSS Information option MUST by default
disable use of the feature; it must specifically be enabled through disable use of the feature; it must specifically be enabled through
configuration. Moreover, a server SHOULD provide the ability to configuration. Moreover, a server SHOULD provide the ability to
selectively enable use of the feature under restricted conditions, selectively enable use of the feature under restricted conditions,
e.g., by enabling use of the option only from explicitly configured e.g., by enabling use of the option only from explicitly configured
client-ids, enabling its use only by clients on a particular subnet, client-ids, enabling its use only by clients on a particular subnet,
or restricting the VSSs from which addresses may be requested. or restricting the VSSs from which addresses may be requested.
This option SHOULD NOT be used without also making use of the DHCP Implementations should consider using the DHCP Authentication option
Authentication option [5]. [11] in order to provide a higher level of security if it is deemed
necessary in their environment.
5. IANA Considerations 5. IANA Considerations
IANA is requested to assign option number 221 for this option, in IANA is requested to assign DHCP option number 221 for this option,
accordance with [7]. Option 221 has been used for this option and in accordance with [8].
there were no conflicting users of option 221 identified during the
6-month notification period specified in [7]. No assignment of While the type byte of the Virtual Subnet Selection option defines a
values for the type field need be made at this time. New values may number space that could be managed by IANA, expansion of this number
only be defined by IETF Consensus, as described in [6]. Basically, space is not anticipated and so creation of a registry of these
this means that they are defined by RFCs approved by the IESG. numbers is not required by this document. In the event that
additional values for the type byte are defined in subsequent
documents, IANA should at that time create a registry for these type
bytes. New values for the type byte may only be defined by IETF
Consensus, as described in [7]. Basically, this means that they are
defined by RFCs approved by the IESG.
Moreover, any changes or additions to the type byte codes MUST be Moreover, any changes or additions to the type byte codes MUST be
made concurrently in the type byte codes of the VSS Information made concurrently in the type byte codes of the VSS Information
Option. The type bytes and data formats of the VSS Information Option. The type bytes and data formats of the VSS Information
Option and VSS Information Suboption MUST always be identical. Option and VSS Information Relay Sub-option MUST always be identical.
6. Acknowledgements 6. Acknowledgements
This document is the result of work done within Cisco Systems. This document is the result of work done within Cisco Systems.
Thanks to Kim Kinnear, Mark Stapp, and Jay Kumarasamy for their work Thanks to Kim Kinnear, Mark Stapp, and Jay Kumarasamy for their work
on this option definition and the other related work for which this on this option definition and the other related work for which this
is necessary. is necessary.
7. Informative References 7. References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 7.1. Normative References
[1] Croft, B. and J. Gilmore, "Bootstrap Protocol (BOOTP)",
RFC 951, September 1985.
[2] Wimer, W., "Clarifications and Extensions for the Bootstrap
Protocol", RFC 1542, October 1993.
[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997. Levels", BCP 14, RFC 2119, March 1997.
[2] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, [4] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
March 1997. March 1997.
[3] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor [5] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, March 1997. Extensions", RFC 2132, March 1997.
[4] Fox, B. and B. Gleeson, "Virtual Private Networks Identifier", [6] Fox, B. and B. Gleeson, "Virtual Private Networks Identifier",
RFC 2685, September 1999. RFC 2685, September 1999.
[5] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages", [7] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
RFC 3118, June 2001. Considerations Section in RFCs", BCP 26, RFC 2434,
October 1998.
[6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[7] Volz, B., "Reclassifying Dynamic Host Configuration Protocol [8] Volz, B., "Reclassifying Dynamic Host Configuration Protocol
version 4 (DHCPv4) Options", RFC 3942, November 2004. version 4 (DHCPv4) Options", RFC 3942, November 2004.
[8] Kinnear, K., "Virtual Subnet Selection Sub-Option for the Relay 7.2. Informative References
[9] McGregor, G., "The PPP Internet Protocol Control Protocol
(IPCP)", RFC 1332, May 1992.
[10] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51,
RFC 1661, July 1994.
[11] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
RFC 3118, June 2001.
[12] Kinnear, K., "Virtual Subnet Selection Sub-Option for the Relay
Agent Information Option for DHCPv4", Agent Information Option for DHCPv4",
draft-ietf-dhc-agent-vpn-id-04 (work in progress), March 2007. draft-ietf-dhc-agent-vpn-id-05 (work in progress),
November 2007.
Authors' Addresses Authors' Addresses
Richard A. Johnson Richard A. Johnson
Cisco Systems Cisco Systems
170 W. Tasman Dr. 170 W. Tasman Dr.
San Jose, CA 95134 San Jose, CA 95134
US US
Phone: +1 408 526 4000 Phone: +1 408 526 4000
 End of changes. 36 change blocks. 
74 lines changed or deleted 145 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/