draft-ietf-dhc-vpn-option-08.txt   draft-ietf-dhc-vpn-option-09.txt 
dhc Working Group Kim Kinnear DHC Working Group Kim Kinnear
Internet Draft Richard Johnson Internet Draft Richard Johnson
Intended Status: Standards Track Mark Stapp Intended Status: Standards Track Mark Stapp
Expires: August 22, 2008 Jay Kumarasamy Expires: January 8, 2009 Jay Kumarasamy
Cisco Systems Cisco Systems
February 22, 2008 July 8, 2008
Virtual Subnet Selection Options for DHCPv4 and DHCPv6 Virtual Subnet Selection Options for DHCPv4 and DHCPv6
<draft-ietf-dhc-vpn-option-08.txt> <draft-ietf-dhc-vpn-option-09.txt>
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 36 skipping to change at page 1, line 36
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 22, 2008. This Internet-Draft will expire on January 8, 2009
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2008). Copyright (C) The IETF Trust (2008).
Abstract Abstract
This memo defines a Virtual Subnet Selection (VSS) option for DHCPv4 This memo defines a Virtual Subnet Selection (VSS) option for DHCPv4
and DHCPv6, and a DHCPv4 relay-agent-information sub-option. These and DHCPv6, and a DHCPv4 relay-agent-information sub-option. These
are intended for use by DHCP clients, relay agents, and proxy clients are intended for use by DHCP clients, relay agents, and proxy clients
in situations where VSS information needs to be passed to the DHCP in situations where VSS information needs to be passed to the DHCP
server for proper address or prefix allocation to take place. server for proper address or prefix allocation to take place.
For the DHCPv4 option and relay-agent-information sub-option, this For the DHCPv4 option and relay-agent-information sub-option, this
memo documents existing usage as per RFC 3942. memo documents existing usage as per RFC 3942 [RFC3942].
Table of Contents Table of Contents
1. Introduction................................................. 2 1. Introduction................................................. 2
2. Terminology.................................................. 3 2. Terminology.................................................. 3
3. Virtual Subnet Selection Option and Sub-Option Definitions... 4 3. Virtual Subnet Selection Option and Sub-Option Definitions... 5
3.1. DHCPv4 Virtual Subnet Selection Option..................... 5 3.1. DHCPv4 Virtual Subnet Selection Option..................... 5
3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 5 3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 5
3.3. DHCPv6 Virtual Subnet Selection Option..................... 5 3.3. DHCPv6 Virtual Subnet Selection Option..................... 6
3.4. Virtual Subnet Selection Type and Information.............. 6 3.4. Virtual Subnet Selection Type and Information.............. 6
4. Relay Agent Behavior......................................... 7 4. Overview of Virtual Subnet Selection Usage................... 7
4.1. VPN assignment by the DHCP server.......................... 8 5. Relay Agent Behavior......................................... 10
4.2. DHCP Leasequery............................................ 9 5.1. VPN assignment by the DHCP server.......................... 11
5. Client Behavior.............................................. 9 5.2. DHCP Leasequery............................................ 12
6. Server Behavior.............................................. 10 6. Client Behavior.............................................. 12
6.1. Returning the DHCPv4 or DHCPv6 Option...................... 11 7. Server Behavior.............................................. 13
6.2. Returning the DHCPv4 Sub-Option............................ 11 7.1. Returning the DHCPv4 or DHCPv6 Option...................... 14
6.3. Making sense of conflicting VSS information................ 12 7.2. Returning the DHCPv4 Sub-Option............................ 14
7. Security..................................................... 12 7.3. Making sense of conflicting VSS information................ 15
8. IANA Considerations.......................................... 13 8. Security..................................................... 15
9. Acknowledgments.............................................. 14 9. IANA Considerations.......................................... 16
10. Normative References........................................ 14 10. Acknowledgments............................................. 17
11. Informative References...................................... 14 11. Normative References........................................ 17
12. Authors' Addresses.......................................... 15 12. Informative References...................................... 18
13. Full Copyright Statement.................................... 16 13. Authors' Addresses.......................................... 18
14. Intellectual Property....................................... 16 14. Full Copyright Statement.................................... 19
15. Acknowledgment.............................................. 17 15. Intellectual Property....................................... 20
16. Acknowledgment.............................................. 20
1. Introduction 1. Introduction
There is a growing use of Virtual Private Network (VPN) There is a growing use of Virtual Private Network (VPN)
configurations. The growth comes from many areas; individual client configurations. The growth comes from many areas; individual client
systems needing to appear to be on the home corporate network even systems needing to appear to be on the home corporate network even
when traveling, ISPs providing extranet connectivity for customer when traveling, ISPs providing extranet connectivity for customer
companies, etc. In some of these cases there is a need for the DHCP companies, etc. In some of these cases there is a need for the DHCP
server to know the VPN (hereafter called a "Virtual Subnet Selector" server to know the VPN (hereafter called a "Virtual Subnet Selector"
or "VSS") from which an address, and other resources, should be or "VSS") from which an address, and other resources, should be
skipping to change at page 4, line 46 skipping to change at page 4, line 47
DHCP client on that VPN and necessary to forward a DHCP reply DHCP client on that VPN and necessary to forward a DHCP reply
packet to a DHCP client on that VPN. packet to a DHCP client on that VPN.
o "VPN" o "VPN"
Virtual private network. A network which appears to the client Virtual private network. A network which appears to the client
to be a private network. to be a private network.
o "VPN Identifier" o "VPN Identifier"
The VPN-ID is defined by [RFC 2685] to be a sequence of 7 The VPN-ID is defined by [RFC2685] to be a sequence of 7 octets.
octets.
3. Virtual Subnet Selection Option and Sub-Option Definitions 3. Virtual Subnet Selection Option and Sub-Option Definitions
The Virtual Subnet Selection options and sub-option contains a The Virtual Subnet Selection options and sub-option contains a
generalized way to specify the VSS information about a VPN. There generalized way to specify the VSS information about a VPN. There
are two options and one sub-option defined in this section. The are two options and one sub-option defined in this section. The
actual VSS information is identical in each. actual VSS information is identical in each.
3.1. DHCPv4 Virtual Subnet Selection Option 3.1. DHCPv4 Virtual Subnet Selection Option
skipping to change at page 5, line 26 skipping to change at page 5, line 30
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code The option code (221). Code The option code (221).
Length The option length, minimum 1 octets. Length The option length, minimum 1 octets.
Type and VSS Information -- see Section 3.4 Type and VSS Information -- see Section 3.4
3.2. DHCPv4 Virtual Subnet Selection Sub-Option 3.2. DHCPv4 Virtual Subnet Selection Sub-Option
This is a sub-option of the relay-agent-information option [RFC This is a sub-option of the relay-agent-information option [RFC3046].
3046]. The format of the sub-option is: The format of the sub-option is:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Length | Type | VSS Info. ... | Code | Length | Type | VSS Info. ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code The sub-option code (151). Code The sub-option code (151).
Length The option length, minimum 1 octets. Length The option length, minimum 1 octets.
skipping to change at page 7, line 12 skipping to change at page 7, line 16
Indicates that there is no explicit, non-default VSS information Indicates that there is no explicit, non-default VSS information
but rather that this option references the normal, global, default but rather that this option references the normal, global, default
address space. In this case, there MUST NOT be any VSS Information address space. In this case, there MUST NOT be any VSS Information
and the length of the VSS option MUST be 1. and the length of the VSS option MUST be 1.
All other values of the Type field are invalid as of this memo and a All other values of the Type field are invalid as of this memo and a
VSS option with a Type field containing any value other than zero VSS option with a Type field containing any value other than zero
(0), one (1), or 255 SHOULD be ignored. (0), one (1), or 255 SHOULD be ignored.
4. Relay Agent Behavior 4. Overview of Virtual Subnet Selection Usage
At the highest level, the VSS option or sub-option determines the VPN
on which a DHCP client is supposed to receive an IP address. How the
option or sub-option is entered and processed is discussed below, but
the point of all of the discussion is to determine the VPN on which
the DHCP client resides. This will affect a relay agent, in that it
will have to ensure that the packets sent to and received from the
DHCP client flow over the correct VPN. This will affect the DHCP
server in that it determines the IP address space used for the IP
address allocation.
A DHCP server has as part of its configuration some IP address space
from which it allocates IP addresses to DHCP clients. These
allocations are typically for a limited time, and thus the DHCP
client gets a lease on the IP address. In the absence of any VPN
information, the IP address space is in the global or default VPN
used throughout the Internet. When a DHCP server deals with VPN
information, each VPN defines a new address space inside the server,
one distinct from the global or default IP address space. A server
which supports the VSS option or sub-option thereby supports
allocation of IP addresses from multiple different VPNs. Supporting
IP address allocation from multiple different VPNs means that the
DHCP server must be prepared to configure multiple different address
spaces (one per distinct VPN) and allocate IP addresses from these
different address spaces.
These address spaces are typically independent, so that the same IP
address could be allocated to one client in the global, default VPN,
and to a different client residing in a different VPN. There is no
conflict in this allocation, since the clients have essentially
different IP addresses. The IPv4 or IPv6 address is qualified by the
VPN.
Thus a VSS option or sub-option is a way of signaling the use of a
VPN other than the global or default VPN. The next question is: who
decides what VPN a DHCP client should be using?
There are three entities which can either insert a VSS option or
sub-option into a DHCPv4 packet or DHCPv6 message; a DHCP client, a
relay agent, or a DHCPv4 or DHCPv6 server. While all of these
entities could include a different VSS option or sub-option in every
request or response, this situation is neither typical nor useful.
There are two known paradigms for use of the VSS option or sub-
option, which are discussed below.
The typical use of the VSS option or sub-option is for the relay
agent to know the VPN on which the DHCP client is operating. The
DHCP client itself does not, in this scenario, know the VPN on which
it resides. The relay agent is responsible for mediating the access
between the VPN on which the DHCP client resides and the DHCP server.
In this situation, the relay agent will insert a VSS sub-option into
the relay-agent-information option (for DHCPv4) or a VSS option the
Relay-forward message (for DHCPv6) of every request it forwards from
the DHCP client. The server will use the VSS option or sub-option to
determine the VPN on which the client resides, and use that VPN
information to select the address space within its configuration from
which to allocate an IP address to the DHCP client.
In this scenario, the relay agent might also send in either a DHCPv4
or DHCPv6 Leasequery request, but in this case, it would use the VSS
option in the Leasequery request to select the correct address space
for the Leasequery. In this scenario, the relay agent would be
acting as a DHCP client from a Leasequery standpoint, but it would
not be as if a DHCP client were sending in a VSS option in a standard
DHCP address allocation request, say a DHCPDISCOVER.
In this scenario, only one relay agent would mediate the VPN access
for the DHCP client to the DHCP server, and it would be the relay
agent which inserts the VSS information into the packet and would
remove it prior to forwarding the packet on.
The DHCP server would know that it should respond to VPN information
specified in a VSS option or sub-option, and it would be configured
with appropriate VPN address spaces to service the projected client
requirements. Thus, in this common scenario, the DHCP client knows
nothing of any VPN access, the relay agent has been configured in
some way that allows it to determine the VPN of the DHCP client and
transmit that using a VSS option or sub-option to the DHCP server,
and the DHCP server responds to the VPN specified by the relay agent.
There is no conflict between different entities trying to specify
different VSS information -- each entity knows its role through
policy or configuration external to this document.
In the second scenario, the DHCP server would be configured in some
way to know the VPN on which a particular DHCP client should be given
access. The DHCP server would in this case include the VSS sub-
option in the relay-agent-information option for DHCPv4 or the VSS
option in the Relay-reply message for DHCPv6. The relay agent
responsible for mediating VPN access would use this information to
select the correct VPN for the DHCP client. In the event that there
were more than one relay agent involved in this transaction, some
external configuration or policy would be needed to inform the DHCPv6
server into which Relay-reply message the VSS option should go.
Once the relay agent has placed the DHCP client into the proper VPN,
it SHOULD begin including VSS information in requests that it
forwards to the DHCP server. Since this information does not
conflict with the DHCP server's idea of the proper VPN for the
client, everything works correctly.
In this second scenario, the DHCP client is again unaware of any VPN
activity. In this case, however, the DHCP server knows the VPN for
the client, and the relay agent responds to the VSS information
specified by the DHCP server. Similar to the first scenario, each
entity knows its role through a means external to this document and
no two entities try to specify VSS information in conflict.
There are many other scenarios which can be created with multiple
relay agents each inserting VSS information into different Relay-
forward messages, relay agent VSS information conflicting with client
VSS information, or DHCP server VSS information conflicting with
relay agent and client VSS information. Since these scenarios do not
describe situations that are useful today, specifying precisely how
to resolve all of these conflicts is unlikely to be valuable in the
event that these scenarios actually become practical in the future.
The current use of the VSS option and sub-option require that each
entity knows the part that it plays in dealing with VPN data. Each
entity -- client, relay agent or agents, and server -- SHOULD know
through some policy or configuration beyond the scope of this
document whether it is responsible for specifying VPN information
using the VSS option or sub-option or responsible for responding to
VSS information specified by another entity, or simply ignoring any
VSS information which it might see.
Some simple conflict resolution approaches are discussed below, in
the hopes that they will cover simple cases that may arise from
scenarios beyond those envisioned today. However, for more complex
scenarios, or simple scenarios where appropriate conflict resolution
strategies differ from those discussed in this document, a document
detailing the usage scenarios and appropriate conflict resolution
strategies SHOULD be created and submitted for discussion and
approval.
5. Relay Agent Behavior
A relay agent which receives a DHCP request from a DHCP client on a A relay agent which receives a DHCP request from a DHCP client on a
VPN should include Virtual Subnet Selection information in the DHCP VPN SHOULD include Virtual Subnet Selection information in the DHCP
packet prior to forwarding the packet on to the DHCP server. packet prior to forwarding the packet on to the DHCP server unless
inhibited from doing so by configuration information or policy to the
contrary.
A DHCPv4 relay agent SHOULD include a DHCPv4 VSS sub-option in a A DHCPv4 relay agent SHOULD include a DHCPv4 VSS sub-option in a
relay-agent-information option [RFC 3046], while a DHCPv6 relay agent relay-agent-information option [RFC 3046], while a DHCPv6 relay agent
SHOULD include a DHCPv6 VSS option in the Relay-forward message. SHOULD include a DHCPv6 VSS option in the Relay-forward message.
The value placed in the Virtual Subnet Selection sub-option or option The value placed in the Virtual Subnet Selection sub-option or option
SHOULD be sufficient for the relay agent to properly route any DHCP SHOULD be sufficient for the relay agent to properly route any DHCP
reply packet returned from the DHCP server to the DHCP client for reply packet returned from the DHCP server to the DHCP client for
which it is destined. which it is destined.
Since this option or sub-option is placed in the packet in order to Since this option or sub-option is placed in the packet in order to
change the VPN on which an IP address is allocated for a particular specify the VPN on which an IP address is allocated for a particular
DHCP client, one presumes that an allocation on that VPN is necessary DHCP client, one presumes that an allocation on that VPN is necessary
for correct operation. If this presumption is correct, then a relay for correct operation. If this presumption is correct, then a relay
agent which places this option in a packet and doesn't receive it (or agent which places this option in a packet and doesn't receive it (or
receives a different value than that sent to the server) in the receives a different value than that sent to the server) in the
returning packet should drop the packet since the IP address that was returning packet should drop the packet since the IP address that was
allocated will not be in the correct VPN. If an IP address that is allocated will not be in the correct VPN. If an IP address that is
not on the requested VPN is not required, then the relay agent is not on the requested VPN is not required, then the relay agent is
free to accept the IP address that is not on the VPN that was free to accept the IP address that is not on the VPN that was
requested. requested.
The converse, however, is more complicated. In the DHCPv6 case, the The converse, however, is more complicated. In the DHCPv6 case, the
appearance of the option in the Rely-reply packet does indeed appearance of the option in the Relay-reply packet does indeed
indicate that the DHCPv6 server understood and acted upon the indicate that the DHCPv6 server understood and acted upon the
contents of the VSS option in the Relay-forward packet. In the contents of the VSS option in the Relay-forward packet. In the
DHCPv4 case, however, the appearance of the sub-option in the relay- DHCPv4 case, however, the appearance of the sub-option in the relay-
agent-information option received by the relay agent does not agent-information option received by the relay agent does not
necessarily indicate that the DHCPv4 server even understood, let necessarily indicate that the DHCPv4 server even understood, let
alone acted correctly upon, the VSS sub-option that it received. alone acted correctly upon, the VSS sub-option that it received.
The reason is that [RFC 3046] specifies that a DHCPv4 server which The reason is that [RFC 3046] specifies that a DHCPv4 server which
supports the relay-agent-information option SHALL copy all sub- supports the relay-agent-information option SHALL copy all sub-
options received in a relay-agent-information option into any options received in a relay-agent-information option into any
skipping to change at page 8, line 46 skipping to change at page 11, line 43
with the others, the DHCP client will not receive a working address. with the others, the DHCP client will not receive a working address.
Note that in some environments a relay agent may choose to always Note that in some environments a relay agent may choose to always
place a VSS option or sub-option into packets and messages that it place a VSS option or sub-option into packets and messages that it
forwards in order to forestall any attempt by a downstream relay forwards in order to forestall any attempt by a downstream relay
agent or client to specify VSS information. In this case, a type agent or client to specify VSS information. In this case, a type
field of 255 is used to denote the global, default VPN. When the field of 255 is used to denote the global, default VPN. When the
type field of 255 is used, there MUST NOT be any additional VSS type field of 255 is used, there MUST NOT be any additional VSS
Information in the VSS option. Information in the VSS option.
4.1. VPN assignment by the DHCP server 5.1. VPN assignment by the DHCP server
In some cases, a DHCP server may use the Virtual Subnet Selection In some cases, a DHCP server may use the Virtual Subnet Selection
sub-option or option to inform a relay agent that a particular DHCP sub-option or option to inform a relay agent that a particular DHCP
client is associated with a particular VPN. It does this by sending client is associated with a particular VPN. It does this by sending
the Virtual Subnet Selection sub-option or option with the the Virtual Subnet Selection sub-option or option with the
appropriate information to the relay agent in the relay-agent- appropriate information to the relay agent in the relay-agent-
information option for DHCPv4 or the Relay-reply message in DHCPv6. information option for DHCPv4 or the Relay-reply message in DHCPv6.
If the relay agent is unable to honor the DHCP server's requirement If the relay agent is unable to honor the DHCP server's requirement
to place the DHCP client into that VPN it MUST drop the packet and to place the DHCP client into that VPN it MUST drop the packet and
not send it to the DHCP client. not send it to the DHCP client.
4.2. DHCP Leasequery In this situation, once the relay agent has placed the DHCP client
into the VPN specified by the DHCP server, it will send in a VSS
option or sub-option when forwarding packets from the client. The
DHCP server in normal operation will echo this VSS information into
the outgoing replies.
5.2. DHCP Leasequery
Sometimes a relay-agent needs to submit a DHCP Leasequery [RFC 4388] Sometimes a relay-agent needs to submit a DHCP Leasequery [RFC 4388]
[RFC 5007] packet to the DHCP server in order to recover information [RFC 5007] packet to the DHCP server in order to recover information
about existing DHCP allocated IP addresses on other than the normal, about existing DHCP allocated IP addresses on other than the normal,
global VPN. In the context of a DHCP Leasequery the relay agent is a global VPN. In the context of a DHCP Leasequery the relay agent is a
direct client of the DHCP server and is not relaying a packet for direct client of the DHCP server and is not relaying a packet for
another DHCP client. Thus, the instructions in Section 5 on Client another DHCP client. Thus, the instructions in Section 6 on Client
Behavior should be followed to include the necessary VSS information. Behavior should be followed to include the necessary VSS information.
5. Client Behavior 6. Client Behavior
A DHCPv4 or DHCPv6 client will employ the VSS option to communicate A DHCPv4 or DHCPv6 client will employ the VSS option to communicate
VSS information to their respective servers. This information MUST VSS information to their respective servers. This information MUST
be included in every message concerning any IP address on a different be included in every message concerning any IP address on a different
VPN than the global or default VPN. A DHCPv4 client will place the VPN than the global or default VPN. A DHCPv4 client will place the
DHCPv4 VSS option in its packets, and a DHCPv6 client will place the DHCPv4 VSS option in its packets, and a DHCPv6 client will place the
DHCPv6 VSS option in its messages. DHCPv6 VSS option in its messages.
A DHCPv6 client that needs to place a VSS option into a DHCPv6 A DHCPv6 client that needs to place a VSS option into a DHCPv6
message SHOULD place a single VSS option into the DHCPv6 message at message SHOULD place a single VSS option into the DHCPv6 message at
skipping to change at page 9, line 49 skipping to change at page 13, line 5
on which an IP address is allocated for a particular DHCP client, one on which an IP address is allocated for a particular DHCP client, one
presumes that an allocation on that VPN is necessary for correct presumes that an allocation on that VPN is necessary for correct
operation. If this presumption is correct, then a client which operation. If this presumption is correct, then a client which
places this option in a packet and doesn't receive it or receives a places this option in a packet and doesn't receive it or receives a
different value in the returning packet should drop the packet since different value in the returning packet should drop the packet since
the IP address that was allocated will not be in the correct VPN. If the IP address that was allocated will not be in the correct VPN. If
an IP address that is not on the requested VPN is not required, then an IP address that is not on the requested VPN is not required, then
the client is free to accept the IP address that is not on the VPN the client is free to accept the IP address that is not on the VPN
that the was requested. that the was requested.
Client's should be aware that some DHCP servers will return a VSS Clients should be aware that some DHCP servers will return a VSS
option with different values than that which was sent in. In option with different values than that which was sent in. In
addition, a client may receive a response from a DHCP server with a addition, a client may receive a response from a DHCP server with a
VSS option when none was sent in by the Client. VSS option when none was sent in by the Client.
Note that when sending a DHCP Leasequery request, a relay agent is Note that when sending a DHCP Leasequery request, a relay agent is
acting as a DHCP client and so it should include the respective acting as a DHCP client and so it should include the respective
DHCPv4 or DHCPv6 VSS option in its DHCPv4 or DHCPv6 Leasequery packet DHCPv4 or DHCPv6 VSS option in its DHCPv4 or DHCPv6 Leasequery packet
if the DHCP Leasequery request is generated for other than the if the DHCP Leasequery request is generated for other than the
default, global VPN. It should not include a DHCPv4 sub-option in default, global VPN. It should not include a DHCPv4 sub-option in
this case. this case.
6. Server Behavior 7. Server Behavior
A DHCP server receiving the VSS option or sub-option SHOULD allocate A DHCP server receiving the VSS option or sub-option SHOULD allocate
an IP address (or use the VSS information to access an already an IP address (or use the VSS information to access an already
allocated IP address) from the VPN specified by the included VSS allocated IP address) from the VPN specified by the included VSS
information. information.
In the case where the type field of the VSS option or sub-option is In the case where the type field of the VSS option or sub-option is
255, the VSS option denotes the global, default VPN. In this case, 255, the VSS option denotes the global, default VPN. In this case,
there is no explicit VSS information beyond the type field. there is no explicit VSS information beyond the type field.
skipping to change at page 10, line 42 skipping to change at page 13, line 46
sub-option. Thus, DHCP clients and relay agents SHOULD be prepared sub-option. Thus, DHCP clients and relay agents SHOULD be prepared
for either of these alternatives. for either of these alternatives.
In some cases, a DHCP server may use the Virtual Subnet Selection In some cases, a DHCP server may use the Virtual Subnet Selection
sub-option or option to inform a relay agent that a particular DHCP sub-option or option to inform a relay agent that a particular DHCP
client is associated with a particular VPN. It does this by sending client is associated with a particular VPN. It does this by sending
the Virtual Subnet Selection sub-option or option with the the Virtual Subnet Selection sub-option or option with the
appropriate information to the relay agent in the relay-agent- appropriate information to the relay agent in the relay-agent-
information option for DHCPv4 or the Relay-reply message in DHCPv6. information option for DHCPv4 or the Relay-reply message in DHCPv6.
In this situation, the relay agent will place the client in the
proper VPN, and then it will send in a VSS option or sub-option in
subsequent forwarded requests. The DHCP server will see this VSS
information and since it doesn't conflict in any way with the
server's notion of the VPN on which the client is supposed to reside,
it will process the requests based on the VPN specified in the VSS
option or sub-option, and echo the same VSS information in the
outgoing replies.
In a similar manner, a DHCP server may use the Virtual Subnet In a similar manner, a DHCP server may use the Virtual Subnet
Selection option to inform a DHCP client that the address (or Selection option to inform a DHCP client that the address (or
addresses) it allocated for the client is on a particular VPN. addresses) it allocated for the client is on a particular VPN.
In either case above, care should be taken to ensure that a client or In either case above, care should be taken to ensure that a client or
relay agent receiving a reply containing a VSS option will correctly relay agent receiving a reply containing a VSS option will correctly
understand the VSS option. Otherwise, the client or relay agent will understand the VSS option. Otherwise, the client or relay agent will
end up using the address as though it were a global address. end up using the address as though it were a global address.
6.1. Returning the DHCPv4 or DHCPv6 Option 7.1. Returning the DHCPv4 or DHCPv6 Option
DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option
processing, see below) MUST return an instance of this option in the processing, see below) MUST return an instance of this option in the
reply packet or message if the server successfully uses this option reply packet or message if the server successfully uses this option
to allocate an IP address, and it MUST NOT include an instance of to allocate an IP address, and it MUST NOT include an instance of
this option if the server was unable to or not configured to support this option if the server was unable to or not configured to support
the requested VPN. the requested VPN.
If they echo the option (based on the criteria above), servers SHOULD If they echo the option (based on the criteria above), servers SHOULD
return the an exact copy of the option unless they desire to change return the an exact copy of the option unless they desire to change
the VPN on which a client was configured. the VPN on which a client was configured.
6.2. Returning the DHCPv4 Sub-Option 7.2. Returning the DHCPv4 Sub-Option
The case of the DHCPv4 sub-option is a bit more complicated. Note The case of the DHCPv4 sub-option is a bit more complicated. Note
that [RFC 3046] specifies that a DHCPv4 server which supports the that [RFC 3046] specifies that a DHCPv4 server which supports the
relay-agent-information option SHALL copy all sub-options received in relay-agent-information option SHALL copy all sub-options received in
a relay-agent-information option into any outgoing relay-agent- a relay-agent-information option into any outgoing relay-agent-
information option. Thus, the default behavior for any DHCPv4 server information option. Thus, the default behavior for any DHCPv4 server
is to return any VSS sub-option received to the relay agent whether is to return any VSS sub-option received to the relay agent whether
or not the DHCPv4 server understand the VSS sub-option. A server or not the DHCPv4 server understand the VSS sub-option. A server
which implements the VSS sub-option MUST include the VSS sub-option which implements the VSS sub-option MUST include the VSS sub-option
in the relay-agent-information option in the reply packet if it in the relay-agent-information option in the reply packet if it
skipping to change at page 12, line 5 skipping to change at page 15, line 14
Note that the appearance of the VSS sub-option in a reply packet from Note that the appearance of the VSS sub-option in a reply packet from
a DHCPv4 server to a relay-agent does not communicate any useful a DHCPv4 server to a relay-agent does not communicate any useful
information about whether or not the server used the VSS sub-option information about whether or not the server used the VSS sub-option
in its processing. However, the absence of a VSS sub-option in a in its processing. However, the absence of a VSS sub-option in a
reply from a DHCPv4 server when a VSS sub-option was included in a reply from a DHCPv4 server when a VSS sub-option was included in a
request to the DHCPv4 server is significant, and means that the request to the DHCPv4 server is significant, and means that the
server did not use the VSS information present in the sub-option in server did not use the VSS information present in the sub-option in
its processing. its processing.
6.3. Making sense of conflicting VSS information 7.3. Making sense of conflicting VSS information
It is possible for a DHCPv4 server to receive both a VSS option and a It is possible for a DHCPv4 server to receive both a VSS option and a
VSS sub-option in the same packet. Likewise, a DHCPv6 server can VSS sub-option in the same packet. Likewise, a DHCPv6 server can
receive multiple VSS options in nested Relay-forward messages as well receive multiple VSS options in nested Relay-forward messages as well
as in the client message itself. In either of these cases, the VSS as in the client message itself. In either of these cases, the VSS
information from the relay agent closest to the DHCP server SHOULD be information from the relay agent closest to the DHCP server SHOULD be
used in preference to all other VSS information received. In the used in preference to all other VSS information received. In the
DHCPv4 case, this means that the VSS sub-option takes precedence over DHCPv4 case, this means that the VSS sub-option takes precedence over
the VSS option, and in the DHCPv6 case, this means that the VSS the VSS option, and in the DHCPv6 case, this means that the VSS
option from the outer-most Relay-forward message in which a VSS option from the outer-most Relay-forward message in which a VSS
option appears takes precedence. option appears takes precedence.
The reasoning behind this approach is that the relay-agent closer to The reasoning behind this approach is that the relay-agent closer to
the DHCP server is almost certainly more trusted than the DHCP client the DHCP server is almost certainly more trusted than the DHCP client
or more distant relay agents, and therefore information in the or more distant relay agents, and therefore information in the
relay-agent-information option or the Relay-forward message is more relay-agent-information option or the Relay-forward message is more
likely to be correct. likely to be correct.
In general, relay agents SHOULD be aware through configuration or
policy external to this document whether or not they should be
including VSS information in packets that they forward and so there
should not be conflicts among relay agent specified VSS information.
In these situations where multiple VSS option or sub-options appear In these situations where multiple VSS option or sub-options appear
in the incoming packet or message, when constructing the response to in the incoming packet or message, when constructing the response to
be sent to the DHCP client or relay agent, all existing VSS options be sent to the DHCP client or relay agent, all existing VSS options
or sub-options MUST be replicated in the appropriate places in the or sub-options MUST be replicated in the appropriate places in the
response and MUST contain the VSS information that was used by the response and MUST contain the VSS information that was used by the
DHCP server to allocate the IP address. DHCP server to allocate the IP address.
7. Security 8. Security
Message authentication in DHCPv4 for intradomain use where the out- Message authentication in DHCPv4 for intradomain use where the out-
of-band exchange of a shared secret is feasible is defined in [RFC of-band exchange of a shared secret is feasible is defined in
3118]. Potential exposures to attack are discussed in section 7 of [RFC3118]. Potential exposures to attack are discussed in section 7
the DHCP protocol specification in [RFC 2131]. of the DHCP protocol specification in [RFC2131].
Implementations should consider using the DHCPv4 Authentication Implementations should consider using the DHCPv4 Authentication
option [RFC 3118] to protect DHCPv4 client access in order to provide option [RFC 3118] to protect DHCPv4 client access in order to provide
a higher level of security if it is deemed necessary in their a higher level of security if it is deemed necessary in their
environment. environment.
Message authentication in DHCPv4 relay agents as defined in Message authentication in DHCPv4 relay agents as defined in [RFC4030]
[RFC 4030] should be considered for DHCPv4 relay agents employing should be considered for DHCPv4 relay agents employing this sub-
this sub-option. Potential exposures to attack are discussed in option. Potential exposures to attack are discussed in section 7 of
section 7 of the DHCP protocol specification in [RFC 2131]. the DHCP protocol specification in [RFC2131].
For DHCPv6 use of the VSS option, the "Security Considerations" For DHCPv6 use of the VSS option, the "Security Considerations"
section of [RFC 3315] details the general threats to DHCPv6, and thus section of [RFC 3315] details the general threats to DHCPv6, and thus
to messages using the VSS option. The "Authentication of DHCP to messages using the VSS option. The "Authentication of DHCP
Messages" section of [RFC 3315] describes securing communication Messages" section of [RFC 3315] describes securing communication
between relay agents and servers, as well as clients and servers. between relay agents and servers, as well as clients and servers.
The VSS option could be used by a client in order to obtain an IP The VSS option could be used by a client in order to obtain an IP
address from a VPN other than the one where it should. This option address from a VPN other than the one where it should. This option
would allow a client to perform a more complete address-pool would allow a client to perform a more complete address-pool
skipping to change at page 13, line 28 skipping to change at page 16, line 42
option or sub-option to override the DHCP client's VSS option. option or sub-option to override the DHCP client's VSS option.
Servers that implement the VSS option and sub-option MUST by default Servers that implement the VSS option and sub-option MUST by default
disable use of the feature; it must specifically be enabled through disable use of the feature; it must specifically be enabled through
configuration. Moreover, a server SHOULD provide the ability to configuration. Moreover, a server SHOULD provide the ability to
selectively enable use of the feature under restricted conditions, selectively enable use of the feature under restricted conditions,
e.g., by enabling use of the option only from explicitly configured e.g., by enabling use of the option only from explicitly configured
client-ids, enabling its use only by clients on a particular subnet, client-ids, enabling its use only by clients on a particular subnet,
or restricting the VSSs from which addresses may be requested. or restricting the VSSs from which addresses may be requested.
8. IANA Considerations 9. IANA Considerations
IANA is requested to assign DHCPv4 option number 221 for the DHCPv4 IANA is requested to assign DHCPv4 option number 221 for the DHCPv4
VSS option defined in Section 3.1, in accordance with [RFC 3942]. VSS option defined in Section 3.1, in accordance with [RFC 3942].
IANA is requested to assign sub-option number 151 for the DHCPv4 IANA is requested to assign sub-option number 151 for the DHCPv4
sub-option defined in Section 3.2 from the DHCP Relay Agent Sub- sub-option defined in Section 3.2 from the DHCP Relay Agent Sub-
options space [RFC 3046], in accordance with the spirit of [RFC options space [RFC3046], in accordance with the spirit of [RFC3942].
3942]. While [RFC 3942] doesn't explicitly mention the sub-option While [RFC3942] doesn't explicitly mention the sub-option space for
space for the DHCP Relay Agent Information option [RFC 3046], sub- the DHCP Relay Agent Information option [RFC3046], sub-option 151 is
option 151 is already in use by existing implementations of this already in use by existing implementations of this sub-option and the
sub-option and the current draft is essentially compatible with these current draft is essentially compatible with these current
current implementations. implementations.
IANA has assigned the value of TBD for the DHCPv6 VSS option defined IANA has assigned the value of TBD for the DHCPv6 VSS option defined
in Section 3.3. in Section 3.3.
While the type byte defined in Section 3.4 defines a number space While the type byte defined in Section 3.4 defines a number space
that could be managed by IANA, expansion of this number space is not that could be managed by IANA, expansion of this number space is not
anticipated and so creation of a registry of these numbers is not anticipated and so creation of a registry of these numbers is not
required by this document. In the event that additional values for required by this document. In the event that additional values for
the type byte are defined in subsequent documents, IANA should at the type byte are defined in subsequent documents, IANA should at
that time create a registry for these type bytes. New values for the that time create a registry for these type bytes. New values for the
type byte may only be defined by IETF Consensus, as described in type byte may only be defined by IETF Consensus, as described in
[RFC 2434]. Basically, this means that they are defined by RFCs [RFC5226]. Basically, this means that they are defined by RFCs
approved by the IESG. approved by the IESG.
9. Acknowledgments 10. Acknowledgments
Bernie Volz recommended consolidation of the DHCPv4 option and sub- Bernie Volz recommended consolidation of the DHCPv4 option and sub-
option drafts after extensive review of the former drafts, and option drafts after extensive review of the former drafts, and
provided valuable assistance in structuring and reviewing this provided valuable assistance in structuring and reviewing this
document. Alper Yegin expressed interest in the DHCPv6 VSS option, document. Alper Yegin expressed interest in the DHCPv6 VSS option,
resulting in this combined draft covering all three areas. resulting in this combined draft covering all three areas.
10. Normative References 11. Normative References
[RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997. Requirement Levels", RFC 2119, March 1997.
[RFC 2131] Droms, R., "Dynamic Host Configuration Protocol", RFC [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
2131, March 1997. March 1997.
[RFC 2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor [RFC 2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, March 1997. Extensions", RFC 2132, March 1997.
[RFC 2685] Fox, B., Gleeson, B., "Virtual Private Networks [RFC 2685] Fox, B., Gleeson, B., "Virtual Private Networks
Identifier", RFC 2685, September 1999. Identifier", RFC 2685, September 1999.
[RFC 3046] Patrick, M., "DHCP Relay Agent Information Option", RFC [RFC 3046] Patrick, M., "DHCP Relay Agent Information Option", RFC
3046, January 2001. 3046, January 2001.
[RFC 3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and
and M. Carney, "Dynamic Host Configuration Protocol for IPv6 M. Carney, "Dynamic Host Configuration Protocol for IPv6
(DHCPv6)", RFC 3315, July 2003. (DHCPv6)", RFC 3315, July 2003.
[RFC 3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic [RFC 3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic
Host Configuration Protocol (DHCP) version 6", RFC 3633, December Host Configuration Protocol (DHCP) version 6", RFC 3633, December
2003. 2003.
11. Informative References 12. Informative References
[RFC 951] Croft, B. and J. Gilmore, "Bootstrap Protocol", RFC 951, [RFC 951] Croft, B. and J. Gilmore, "Bootstrap Protocol", RFC 951,
September 1985. September 1985.
[RFC 1542] Wimer, W., "Clarifications and Extensions for the [RFC1542] Wimer, W., "Clarifications and Extensions for the Bootstrap
Bootstrap Protol", RFC 1542, October 1993. Protocol", RFC 1542, October 1993.
[RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997. Requirement Levels", RFC 2119, March 1997.
[RFC 2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 2434, October
1998.
[RFC 3118] Droms, R. and W. Arbaugh, "Authentication for DHCP [RFC 3118] Droms, R. and W. Arbaugh, "Authentication for DHCP
Messages", RFC 3118, June 2001. Messages", RFC 3118, June 2001.
[RFC 3942] Volz, B., "Reclassifying Dynamic Host Configuration [RFC 3942] Volz, B., "Reclassifying Dynamic Host Configuration
Protocol version 4 (DHCPv4) Options", RFC 3942, November 2004. Protocol version 4 (DHCPv4) Options", RFC 3942, November 2004.
[RFC 4030] Stapp, M. and T. Lemon, "The Authentication Suboption for [RFC 4030] Stapp, M. and T. Lemon, "The Authentication Suboption for
the Dynamic Host Configuration Protocol (DHCP) Relay Agent the Dynamic Host Configuration Protocol (DHCP) Relay Agent
Option", RFC 4030, March 2005. Option", RFC 4030, March 2005.
[RFC 4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration [RFC 4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration
Protocol (DHCP) Leasequery", RFC 4388, February 2006. Protocol (DHCP) Leasequery", RFC 4388, February 2006.
[RFC 5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng, [RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng, "DHCPv6
"DHCPv6 Leasequery", RFC 5007, September 2007. Leasequery", RFC 5007, September 2007.
12. Authors' Addresses [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.
13. Authors' Addresses
Kim Kinnear Kim Kinnear
Cisco Systems Cisco Systems
1414 Massachusetts Ave. 1414 Massachusetts Ave.
Boxborough, Massachusetts 01719 Boxborough, Massachusetts 01719
Phone: (978) 936-0000 Phone: (978) 936-0000
EMail: kkinnear@cisco.com EMail: kkinnear@cisco.com
Richard Johnson Richard Johnson
Cisco Systems Cisco Systems
170 W. Tasman Dr. 170 W. Tasman Dr.
San Jose, CA 95134 San Jose, CA 95134
Phone: (408) 526-4000 Phone: (408) 526-4000
EMail: raj@cisco.com EMail: raj@cisco.com
Mark Stapp Mark Stapp
skipping to change at page 16, line 17 skipping to change at page 19, line 31
Jay Kumarasamy Jay Kumarasamy
Cisco Systems Cisco Systems
170 W. Tasman Dr. 170 W. Tasman Dr.
San Jose, CA 95134 San Jose, CA 95134
Phone: (408) 526-4000 Phone: (408) 526-4000
EMail: jayk@cisco.com EMail: jayk@cisco.com
13. Full Copyright Statement 14. Full Copyright Statement
Copyright (C) The IETF Trust (2008). Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors contained in BCP 78, and except as set forth therein, the authors
retain all their rights. retain all their rights.
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
14. Intellectual Property 15. Intellectual Property
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79. found in BCP 78 and BCP 79.
skipping to change at page 17, line 12 skipping to change at page 20, line 29
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at this standard. Please address the information to the IETF at
ietf-ipr@ietf.org. ietf-ipr@ietf.org.
15. Acknowledgment 16. Acknowledgment
Funding for the RFC Editor function is provided by the IETF Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA). Administrative Support Activity (IASA).
 End of changes. 45 change blocks. 
79 lines changed or deleted 234 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/