draft-ietf-dhc-vpn-option-09.txt   draft-ietf-dhc-vpn-option-10.txt 
DHC Working Group Kim Kinnear DHC Working Group Kim Kinnear
Internet Draft Richard Johnson Internet Draft Richard Johnson
Intended Status: Standards Track Mark Stapp Intended Status: Standards Track Mark Stapp
Expires: January 8, 2009 Jay Kumarasamy Expires: September 3, 2009 Jay Kumarasamy
Cisco Systems Cisco Systems
July 8, 2008 March 3, 2009
Virtual Subnet Selection Options for DHCPv4 and DHCPv6 Virtual Subnet Selection Options for DHCPv4 and DHCPv6
<draft-ietf-dhc-vpn-option-09.txt> <draft-ietf-dhc-vpn-option-10.txt>
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any This Internet-Draft is submitted to IETF in full conformance with the
applicable patent or other IPR claims of which he or she is aware provisions of BCP 78 and BCP 79.
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 8, 2009 This Internet-Draft will expire on September 3, 2009
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2008). Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract Abstract
This memo defines a Virtual Subnet Selection (VSS) option for DHCPv4 This memo defines a Virtual Subnet Selection (VSS) option for DHCPv4
and DHCPv6, and a DHCPv4 relay-agent-information sub-option. These and DHCPv6, and a DHCPv4 relay-agent-information sub-option. These
are intended for use by DHCP clients, relay agents, and proxy clients are intended for use by DHCP clients, relay agents, and proxy clients
in situations where VSS information needs to be passed to the DHCP in situations where VSS information needs to be passed to the DHCP
server for proper address or prefix allocation to take place. server for proper address or prefix allocation to take place.
For the DHCPv4 option and relay-agent-information sub-option, this For the DHCPv4 option and relay-agent-information sub-option, this
skipping to change at page 2, line 19 skipping to change at page 2, line 27
1. Introduction................................................. 2 1. Introduction................................................. 2
2. Terminology.................................................. 3 2. Terminology.................................................. 3
3. Virtual Subnet Selection Option and Sub-Option Definitions... 5 3. Virtual Subnet Selection Option and Sub-Option Definitions... 5
3.1. DHCPv4 Virtual Subnet Selection Option..................... 5 3.1. DHCPv4 Virtual Subnet Selection Option..................... 5
3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 5 3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 5
3.3. DHCPv6 Virtual Subnet Selection Option..................... 6 3.3. DHCPv6 Virtual Subnet Selection Option..................... 6
3.4. Virtual Subnet Selection Type and Information.............. 6 3.4. Virtual Subnet Selection Type and Information.............. 6
4. Overview of Virtual Subnet Selection Usage................... 7 4. Overview of Virtual Subnet Selection Usage................... 7
5. Relay Agent Behavior......................................... 10 5. Relay Agent Behavior......................................... 10
5.1. VPN assignment by the DHCP server.......................... 11 5.1. VPN assignment by the DHCP server.......................... 12
5.2. DHCP Leasequery............................................ 12 5.2. DHCP Leasequery............................................ 12
6. Client Behavior.............................................. 12 6. Client Behavior.............................................. 12
7. Server Behavior.............................................. 13 7. Server Behavior.............................................. 13
7.1. Returning the DHCPv4 or DHCPv6 Option...................... 14 7.1. Returning the DHCPv4 or DHCPv6 Option...................... 14
7.2. Returning the DHCPv4 Sub-Option............................ 14 7.2. Returning the DHCPv4 Sub-Option............................ 15
7.3. Making sense of conflicting VSS information................ 15 7.3. Making sense of conflicting VSS information................ 15
8. Security..................................................... 15 8. Security..................................................... 16
9. IANA Considerations.......................................... 16 9. IANA Considerations.......................................... 17
10. Acknowledgments............................................. 17 10. Acknowledgments............................................. 17
11. Normative References........................................ 17 11. References.................................................. 18
12. Informative References...................................... 18 11.1. Normative References...................................... 18
13. Authors' Addresses.......................................... 18 11.2. Informative References.................................... 18
14. Full Copyright Statement.................................... 19 12. Authors' Addresses.......................................... 19
15. Intellectual Property....................................... 20
16. Acknowledgment.............................................. 20
1. Introduction 1. Introduction
There is a growing use of Virtual Private Network (VPN) There is a growing use of Virtual Private Network (VPN)
configurations. The growth comes from many areas; individual client configurations. The growth comes from many areas; individual client
systems needing to appear to be on the home corporate network even systems needing to appear to be on the home corporate network even
when traveling, ISPs providing extranet connectivity for customer when traveling, ISPs providing extranet connectivity for customer
companies, etc. In some of these cases there is a need for the DHCP companies, etc. In some of these cases there is a need for the DHCP
server to know the VPN (hereafter called a "Virtual Subnet Selector" server to know the VPN (hereafter called a "Virtual Subnet Selector"
or "VSS") from which an address, and other resources, should be or "VSS") from which an address, and other resources, should be
skipping to change at page 3, line 20 skipping to change at page 3, line 26
If the allocation is being done through a DHCPv4 relay, then the If the allocation is being done through a DHCPv4 relay, then the
relay sub-option defined here should be included. In some cases, relay sub-option defined here should be included. In some cases,
however an IP address is being sought by a DHCPv4 proxy on behalf of however an IP address is being sought by a DHCPv4 proxy on behalf of
a client (which may be assigned the address via a different a client (which may be assigned the address via a different
protocol). In this case, there is a need to include VSS information protocol). In this case, there is a need to include VSS information
relating to the client as a DHCPv4 option. relating to the client as a DHCPv4 option.
If the allocation is being done through a DHCPv6 relay, then the If the allocation is being done through a DHCPv6 relay, then the
DHCPv6 VSS option defined in this document should be included in the DHCPv6 VSS option defined in this document should be included in the
Relay-forward and Relay-reply message going between the DHCPv6 relay Relay-forward and Relay-reply message going between the DHCPv6 relay
and server. In some cases, addresses or prefixes are being sought and server. In some cases, addresses or prefixes are being sought by
for by a DHCPv6 proxy on behalf of a client. In this case, there is a DHCPv6 proxy on behalf of a client. In this case, there is a need
a need for the client itself to supply the VSS information using the for the client itself to supply the VSS information using the DHCPv6
DHCPv6 VSS option in the messages that it sends to the DHCPv6 server. VSS option in the messages that it sends to the DHCPv6 server.
In the remaining text of this document, when a DHCPv6 address is In the remaining text of this document, when a DHCPv6 address is
indicated the same information applies to DHCPv6 Prefix Delegation indicated the same information applies to DHCPv6 Prefix Delegation
[RFC3633] as well. [RFC3633] as well.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
skipping to change at page 4, line 8 skipping to change at page 4, line 14
and DHCP messages between clients and servers residing on and DHCP messages between clients and servers residing on
different subnets, per [RFC951] and [RFC1542]. different subnets, per [RFC951] and [RFC1542].
o "DHCP server" o "DHCP server"
A DHCP server is a host that returns configuration parameters to A DHCP server is a host that returns configuration parameters to
DHCP clients. DHCP clients.
o "DHCPv4 option" o "DHCPv4 option"
An option or used to implement a capability defined by the An option used to implement a capability defined by the DHCPv4
DHCPv4 RFCs [RFC2131][RFC2132]. These options have one octet RFCs [RFC2131][RFC2132]. These options have one-octet code and
code and size bytes. size fields.
o "DHCPv4 sub-option" o "DHCPv4 sub-option"
As used in this document, a DHCPv4 sub-option refers to a sub- As used in this document, a DHCPv4 sub-option refers to a sub-
option of the relay-agent-information option [RFC3046]. These option of the relay-agent-information option [RFC3046]. These
sub-options have one octet code and size bytes. sub-options have one-octet code and size fields.
o "DHCPv6 option" o "DHCPv6 option"
An option used to implement a capability defined by the DHCPv6 An option used to implement a capability defined by the DHCPv6
RFC [RFC3315]. These options have two octet code and size RFC [RFC3315]. These options have two-octet code and size
bytes. fields.
o "downstream" o "downstream"
Downstream is the direction from the access concentrator towards Downstream is the direction from the access concentrator towards
the subscriber. the subscriber.
o "upstream" o "upstream"
Upstream is the direction from the subscriber towards the access Upstream is the direction from the subscriber towards the access
concentrator. concentrator.
skipping to change at page 4, line 46 skipping to change at page 5, line 4
Information about a VPN necessary to allocate an address to a Information about a VPN necessary to allocate an address to a
DHCP client on that VPN and necessary to forward a DHCP reply DHCP client on that VPN and necessary to forward a DHCP reply
packet to a DHCP client on that VPN. packet to a DHCP client on that VPN.
o "VPN" o "VPN"
Virtual private network. A network which appears to the client Virtual private network. A network which appears to the client
to be a private network. to be a private network.
o "VPN Identifier" o "VPN Identifier"
The VPN-ID is defined by [RFC2685] to be a sequence of 7 octets. The VPN-ID is defined by [RFC2685] to be a sequence of 7 octets.
3. Virtual Subnet Selection Option and Sub-Option Definitions 3. Virtual Subnet Selection Option and Sub-Option Definitions
The Virtual Subnet Selection options and sub-option contains a The Virtual Subnet Selection options and sub-option contain a
generalized way to specify the VSS information about a VPN. There generalized way to specify the VSS information about a VPN. There
are two options and one sub-option defined in this section. The are two options and one sub-option defined in this section. The
actual VSS information is identical in each. actual VSS information is identical in each.
3.1. DHCPv4 Virtual Subnet Selection Option 3.1. DHCPv4 Virtual Subnet Selection Option
The format of the option is: The format of the option is:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
skipping to change at page 6, line 39 skipping to change at page 6, line 39
Type VSS Information format: Type VSS Information format:
0 NVT ASCII VPN identifier 0 NVT ASCII VPN identifier
1 RFC2685 VPN-ID 1 RFC2685 VPN-ID
2-254 Not Allowed 2-254 Not Allowed
255 Global, default VPN. 255 Global, default VPN.
o Type 0 -- NVT ASCII VPN identifier o Type 0 -- NVT ASCII VPN identifier
Indicates that the VSS information consists of a NVT ASCII string. Indicates that the VSS information consists of a NVT ASCII
It MUST NOT be terminated with a zero byte. string. It MUST NOT be terminated with a zero byte.
o Type 1 -- RFC2685 VPN-ID o Type 1 -- RFC2685 VPN-ID
Indicates that the VSS information consists of an RFC2685 VPN-ID Indicates that the VSS information consists of an RFC2685 VPN-ID
[RFC2685], which is defined to be 7 octets in length. [RFC2685], which is defined to be 7 octets in length.
o Type 255 -- Global, default VPN o Type 255 -- Global, default VPN
Indicates that there is no explicit, non-default VSS information Indicates that there is no explicit, non-default VSS information
but rather that this option references the normal, global, default but rather that this option references the normal, global,
address space. In this case, there MUST NOT be any VSS Information default address space. In this case, there MUST NOT be any VSS
and the length of the VSS option MUST be 1. Information and the length of the VSS option MUST be 1.
All other values of the Type field are invalid as of this memo and a All other values of the Type field are invalid as of this memo and
VSS option with a Type field containing any value other than zero a VSS option with a Type field containing any value other than
(0), one (1), or 255 SHOULD be ignored. zero (0), one (1), or 255 SHOULD be ignored.
4. Overview of Virtual Subnet Selection Usage 4. Overview of Virtual Subnet Selection Usage
At the highest level, the VSS option or sub-option determines the VPN At the highest level, the VSS option or sub-option determines the VPN
on which a DHCP client is supposed to receive an IP address. How the on which a DHCP client is supposed to receive an IP address. How the
option or sub-option is entered and processed is discussed below, but option or sub-option is entered and processed is discussed below, but
the point of all of the discussion is to determine the VPN on which the point of all of the discussion is to determine the VPN on which
the DHCP client resides. This will affect a relay agent, in that it the DHCP client resides. This will affect a relay agent, in that it
will have to ensure that the packets sent to and received from the will have to ensure that the packets sent to and received from the
DHCP client flow over the correct VPN. This will affect the DHCP DHCP client flow over the correct VPN. This will affect the DHCP
skipping to change at page 8, line 20 skipping to change at page 8, line 20
request or response, this situation is neither typical nor useful. request or response, this situation is neither typical nor useful.
There are two known paradigms for use of the VSS option or sub- There are two known paradigms for use of the VSS option or sub-
option, which are discussed below. option, which are discussed below.
The typical use of the VSS option or sub-option is for the relay The typical use of the VSS option or sub-option is for the relay
agent to know the VPN on which the DHCP client is operating. The agent to know the VPN on which the DHCP client is operating. The
DHCP client itself does not, in this scenario, know the VPN on which DHCP client itself does not, in this scenario, know the VPN on which
it resides. The relay agent is responsible for mediating the access it resides. The relay agent is responsible for mediating the access
between the VPN on which the DHCP client resides and the DHCP server. between the VPN on which the DHCP client resides and the DHCP server.
In this situation, the relay agent will insert a VSS sub-option into In this situation, the relay agent will insert a VSS sub-option into
the relay-agent-information option (for DHCPv4) or a VSS option the the relay-agent-information option (for DHCPv4) or a VSS option into
Relay-forward message (for DHCPv6) of every request it forwards from the Relay-forward message (for DHCPv6) of every request it forwards
the DHCP client. The server will use the VSS option or sub-option to from the DHCP client. The server will use the VSS option or sub-
determine the VPN on which the client resides, and use that VPN option to determine the VPN on which the client resides, and use that
information to select the address space within its configuration from VPN information to select the address space within its configuration
which to allocate an IP address to the DHCP client. from which to allocate an IP address to the DHCP client.
In this scenario, the relay agent might also send in either a DHCPv4 In this scenario, the relay agent might also send a VSS option or
or DHCPv6 Leasequery request, but in this case, it would use the VSS sub-option in either a DHCPv4 or DHCPv6 Leasequery request, but in
option in the Leasequery request to select the correct address space this case, it would use the VSS option in the Leasequery request to
for the Leasequery. In this scenario, the relay agent would be select the correct address space for the Leasequery. In this
acting as a DHCP client from a Leasequery standpoint, but it would scenario, the relay agent would be acting as a DHCP client from a
not be as if a DHCP client were sending in a VSS option in a standard Leasequery standpoint, but it would not be as if a DHCP client were
DHCP address allocation request, say a DHCPDISCOVER. sending in a VSS option in a standard DHCP address allocation
request, say a DHCPDISCOVER.
In this scenario, only one relay agent would mediate the VPN access In this scenario, only one relay agent would mediate the VPN access
for the DHCP client to the DHCP server, and it would be the relay for the DHCP client to the DHCP server, and it would be the relay
agent which inserts the VSS information into the packet and would agent which inserts the VSS information into the request packet and
remove it prior to forwarding the packet on. would remove it prior to forwarding the response packet on.
The DHCP server would know that it should respond to VPN information The DHCP server would know that it should respond to VPN information
specified in a VSS option or sub-option, and it would be configured specified in a VSS option or sub-option, and it would be configured
with appropriate VPN address spaces to service the projected client with appropriate VPN address spaces to service the projected client
requirements. Thus, in this common scenario, the DHCP client knows requirements. Thus, in this common scenario, the DHCP client knows
nothing of any VPN access, the relay agent has been configured in nothing of any VPN access, the relay agent has been configured in
some way that allows it to determine the VPN of the DHCP client and some way that allows it to determine the VPN of the DHCP client and
transmit that using a VSS option or sub-option to the DHCP server, transmit that using a VSS option or sub-option to the DHCP server,
and the DHCP server responds to the VPN specified by the relay agent. and the DHCP server responds to the VPN specified by the relay agent.
There is no conflict between different entities trying to specify There is no conflict between different entities trying to specify
different VSS information -- each entity knows its role through different VSS information -- each entity knows its role through
policy or configuration external to this document. policy or configuration external to this document.
It is important to ensure that each entity in this scenario both
supports the VSS option and sub-option (for DHCPv4) or the VSS option
(for DHCPv6), and that it is configured correctly. Deploying relay
agents which support and emit VSS sub-options in concert with DHCPv4
servers which do not support the VSS option or sub-option as defined
in this document SHOULD NOT be done, as such an ensemble will not
operate correctly together because all of the IP addresses will be
allocated from the global or default VPN regardless of the VPN on
which the client's reside.
In the second scenario, the DHCP server would be configured in some In the second scenario, the DHCP server would be configured in some
way to know the VPN on which a particular DHCP client should be given way to know the VPN on which a particular DHCP client should be given
access. The DHCP server would in this case include the VSS sub- access. The DHCP server would in this case include the VSS sub-
option in the relay-agent-information option for DHCPv4 or the VSS option in the relay-agent-information option for DHCPv4 or the VSS
option in the Relay-reply message for DHCPv6. The relay agent option in the Relay-reply message for DHCPv6. The relay agent
responsible for mediating VPN access would use this information to responsible for mediating VPN access would use this information to
select the correct VPN for the DHCP client. In the event that there select the correct VPN for the DHCP client. In the event that there
were more than one relay agent involved in this transaction, some were more than one relay agent involved in this transaction, some
external configuration or policy would be needed to inform the DHCPv6 external configuration or policy would be needed to inform the DHCPv6
server into which Relay-reply message the VSS option should go. server into which Relay-reply message the VSS option should go.
skipping to change at page 9, line 29 skipping to change at page 9, line 39
conflict with the DHCP server's idea of the proper VPN for the conflict with the DHCP server's idea of the proper VPN for the
client, everything works correctly. client, everything works correctly.
In this second scenario, the DHCP client is again unaware of any VPN In this second scenario, the DHCP client is again unaware of any VPN
activity. In this case, however, the DHCP server knows the VPN for activity. In this case, however, the DHCP server knows the VPN for
the client, and the relay agent responds to the VSS information the client, and the relay agent responds to the VSS information
specified by the DHCP server. Similar to the first scenario, each specified by the DHCP server. Similar to the first scenario, each
entity knows its role through a means external to this document and entity knows its role through a means external to this document and
no two entities try to specify VSS information in conflict. no two entities try to specify VSS information in conflict.
Again, in this scenario, it is important that both the relay agent as
well as the DHCP server both support the VSS option and sub-option
(for DHCPv4) and the VSS option (for DHCPv6). Deploying and
configuring VPN support in one element and not in the other is not a
practical approach.
There are many other scenarios which can be created with multiple There are many other scenarios which can be created with multiple
relay agents each inserting VSS information into different Relay- relay agents each inserting VSS information into different Relay-
forward messages, relay agent VSS information conflicting with client forward messages, relay agent VSS information conflicting with client
VSS information, or DHCP server VSS information conflicting with VSS information, or DHCP server VSS information conflicting with
relay agent and client VSS information. Since these scenarios do not relay agent and client VSS information. Since these scenarios do not
describe situations that are useful today, specifying precisely how describe situations that are useful today, specifying precisely how
to resolve all of these conflicts is unlikely to be valuable in the to resolve all of these conflicts is unlikely to be valuable in the
event that these scenarios actually become practical in the future. event that these scenarios actually become practical in the future.
The current use of the VSS option and sub-option require that each The current use of the VSS option and sub-option require that each
skipping to change at page 10, line 24 skipping to change at page 10, line 40
A DHCPv4 relay agent SHOULD include a DHCPv4 VSS sub-option in a A DHCPv4 relay agent SHOULD include a DHCPv4 VSS sub-option in a
relay-agent-information option [RFC3046], while a DHCPv6 relay agent relay-agent-information option [RFC3046], while a DHCPv6 relay agent
SHOULD include a DHCPv6 VSS option in the Relay-forward message. SHOULD include a DHCPv6 VSS option in the Relay-forward message.
The value placed in the Virtual Subnet Selection sub-option or option The value placed in the Virtual Subnet Selection sub-option or option
SHOULD be sufficient for the relay agent to properly route any DHCP SHOULD be sufficient for the relay agent to properly route any DHCP
reply packet returned from the DHCP server to the DHCP client for reply packet returned from the DHCP server to the DHCP client for
which it is destined. which it is destined.
Anytime a relay agent places a VSS option or sub-option in a DHCP
request, it MUST send it only to a DHCP server which supports the VSS
option or sub-option.
Since this option or sub-option is placed in the packet in order to Since this option or sub-option is placed in the packet in order to
specify the VPN on which an IP address is allocated for a particular specify the VPN on which an IP address is allocated for a particular
DHCP client, one presumes that an allocation on that VPN is necessary DHCP client, one presumes that an allocation on that VPN is necessary
for correct operation. If this presumption is correct, then a relay for correct operation. If this presumption is correct, then a relay
agent which places this option in a packet and doesn't receive it (or agent which places this option in a packet and doesn't receive it (or
receives a different value than that sent to the server) in the receives a different value than that sent to the server) in the
returning packet should drop the packet since the IP address that was returning packet should drop the packet since the IP address that was
allocated will not be in the correct VPN. If an IP address that is allocated will not be in the correct VPN. If an IP address that is
not on the requested VPN is not required, then the relay agent is on the requested VPN is not required, then the relay agent is free to
free to accept the IP address that is not on the VPN that was accept the IP address that is not on the VPN that was requested.
requested.
The converse, however, is more complicated. In the DHCPv6 case, the The converse, however, is more complicated. In the DHCPv6 case, the
appearance of the option in the Relay-reply packet does indeed appearance of the option in the Relay-reply packet does indeed
indicate that the DHCPv6 server understood and acted upon the indicate that the DHCPv6 server understood and acted upon the
contents of the VSS option in the Relay-forward packet. In the contents of the VSS option in the Relay-forward packet. In the
DHCPv4 case, however, the appearance of the sub-option in the relay- DHCPv4 case, however, the appearance of the sub-option in the relay-
agent-information option received by the relay agent does not agent-information option received by the relay agent does not
necessarily indicate that the DHCPv4 server even understood, let necessarily indicate that the DHCPv4 server even understood, let
alone acted correctly upon, the VSS sub-option that it received. alone acted correctly upon, the VSS sub-option that it received.
The reason is that [RFC3046] specifies that a DHCPv4 server which The reason is that [RFC3046] specifies that a DHCPv4 server which
supports the relay-agent-information option SHALL copy all sub- supports the relay-agent-information option SHALL copy all sub-
options received in a relay-agent-information option into any options received in a relay-agent-information option into any
outgoing relay-agent-information option. Because of these outgoing relay-agent-information option. Because of these
requirements, even a DHCPv4 server which doesn't implement support requirements, even a DHCPv4 server which doesn't implement support
for Virtual Subnet Selection sub-option will almost certainly copy it for the Virtual Subnet Selection sub-option will almost certainly
into the outgoing relay-agent-information option. This means that copy it into the outgoing relay-agent-information option. This means
the appearance of the Virtual Subnet Selection sub-option in a that the appearance of the Virtual Subnet Selection sub-option in a
relay-agent-information option doesn't indicate support for the relay-agent-information option doesn't indicate support for the
Virtual Subnet Selection sub-option. Virtual Subnet Selection sub-option.
There are only two pieces of information which can be determined from There are only two pieces of information which can be determined from
the appearance or lack of appearance of the DHCPv4 Virtual Subnet the appearance or lack of appearance of the DHCPv4 Virtual Subnet
Selection sub-option in a relay-agent-information option received by Selection sub-option in a relay-agent-information option received by
a relay agent from a DHCPv4 server. First, if the Virtual Subnet a relay agent from a DHCPv4 server. First, if the Virtual Subnet
Selection sub-option does not appear, then the server was able to Selection sub-option does not appear, then the server was able to
support this sub-option but chose not to do so. Second, if the support this sub-option but chose not to do so. Second, if the
Virtual Subnet Selection sub-option appears and has a different value Virtual Subnet Selection sub-option appears and has a different value
skipping to change at page 12, line 7 skipping to change at page 12, line 25
In some cases, a DHCP server may use the Virtual Subnet Selection In some cases, a DHCP server may use the Virtual Subnet Selection
sub-option or option to inform a relay agent that a particular DHCP sub-option or option to inform a relay agent that a particular DHCP
client is associated with a particular VPN. It does this by sending client is associated with a particular VPN. It does this by sending
the Virtual Subnet Selection sub-option or option with the the Virtual Subnet Selection sub-option or option with the
appropriate information to the relay agent in the relay-agent- appropriate information to the relay agent in the relay-agent-
information option for DHCPv4 or the Relay-reply message in DHCPv6. information option for DHCPv4 or the Relay-reply message in DHCPv6.
If the relay agent is unable to honor the DHCP server's requirement If the relay agent is unable to honor the DHCP server's requirement
to place the DHCP client into that VPN it MUST drop the packet and to place the DHCP client into that VPN it MUST drop the packet and
not send it to the DHCP client. not send it to the DHCP client.
The DHCP server MUST NOT place VSS information in an outgoing packet
if the relay agent or DHCP client is unprepared to properly interpret
the VSS information.
In this situation, once the relay agent has placed the DHCP client In this situation, once the relay agent has placed the DHCP client
into the VPN specified by the DHCP server, it will send in a VSS into the VPN specified by the DHCP server, it will send in a VSS
option or sub-option when forwarding packets from the client. The option or sub-option when forwarding packets from the client. The
DHCP server in normal operation will echo this VSS information into DHCP server in normal operation will echo this VSS information into
the outgoing replies. the outgoing replies.
5.2. DHCP Leasequery 5.2. DHCP Leasequery
Sometimes a relay-agent needs to submit a DHCP Leasequery [RFC4388] Sometimes a relay-agent needs to submit a DHCP Leasequery [RFC4388]
[RFC5007] packet to the DHCP server in order to recover information [RFC5007] packet to the DHCP server in order to recover information
skipping to change at page 12, line 48 skipping to change at page 13, line 21
DHCPv6 address is indicated the same information applies to DHCPv6 DHCPv6 address is indicated the same information applies to DHCPv6
Prefix Delegation [RFC3633] as well. Prefix Delegation [RFC3633] as well.
Since this option is placed in the packet in order to change the VPN Since this option is placed in the packet in order to change the VPN
on which an IP address is allocated for a particular DHCP client, one on which an IP address is allocated for a particular DHCP client, one
presumes that an allocation on that VPN is necessary for correct presumes that an allocation on that VPN is necessary for correct
operation. If this presumption is correct, then a client which operation. If this presumption is correct, then a client which
places this option in a packet and doesn't receive it or receives a places this option in a packet and doesn't receive it or receives a
different value in the returning packet should drop the packet since different value in the returning packet should drop the packet since
the IP address that was allocated will not be in the correct VPN. If the IP address that was allocated will not be in the correct VPN. If
an IP address that is not on the requested VPN is not required, then an IP address that is on the requested VPN is not required, then the
the client is free to accept the IP address that is not on the VPN client is free to accept the IP address that is not on the VPN that
that the was requested. the was requested.
Clients should be aware that some DHCP servers will return a VSS Clients should be aware that some DHCP servers will return a VSS
option with different values than that which was sent in. In option with different values than that which was sent in. In
addition, a client may receive a response from a DHCP server with a addition, a client may receive a response from a DHCP server with a
VSS option when none was sent in by the Client. VSS option when none was sent in by the Client.
Note that when sending a DHCP Leasequery request, a relay agent is Note that when sending a DHCP Leasequery request, a relay agent is
acting as a DHCP client and so it should include the respective acting as a DHCP client and so it should include the respective
DHCPv4 or DHCPv6 VSS option in its DHCPv4 or DHCPv6 Leasequery packet DHCPv4 or DHCPv6 VSS option in its DHCPv4 or DHCPv6 Leasequery packet
if the DHCP Leasequery request is generated for other than the if the DHCP Leasequery request is generated for other than the
skipping to change at page 14, line 21 skipping to change at page 14, line 41
relay agent receiving a reply containing a VSS option will correctly relay agent receiving a reply containing a VSS option will correctly
understand the VSS option. Otherwise, the client or relay agent will understand the VSS option. Otherwise, the client or relay agent will
end up using the address as though it were a global address. end up using the address as though it were a global address.
7.1. Returning the DHCPv4 or DHCPv6 Option 7.1. Returning the DHCPv4 or DHCPv6 Option
DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option
processing, see below) MUST return an instance of this option in the processing, see below) MUST return an instance of this option in the
reply packet or message if the server successfully uses this option reply packet or message if the server successfully uses this option
to allocate an IP address, and it MUST NOT include an instance of to allocate an IP address, and it MUST NOT include an instance of
this option if the server was unable to or not configured to support this option if the server is unable to support, is not configured to
the requested VPN. support, or does not implement support for VSS information in general
or the requested VPN in particular.
If they echo the option (based on the criteria above), servers SHOULD If they echo the option (based on the criteria above), servers SHOULD
return the an exact copy of the option unless they desire to change return an exact copy of the option unless they desire to change the
the VPN on which a client was configured. VPN on which a client was configured.
The appearance of the DHCPv6 VSS option in the OPTION_ORO [RFC3315]
or the OPTION_ERO [RFC4994] should not change the processing or
decision to return (or not to return) the VSS option as specified in
this document.
7.2. Returning the DHCPv4 Sub-Option 7.2. Returning the DHCPv4 Sub-Option
The case of the DHCPv4 sub-option is a bit more complicated. Note The case of the DHCPv4 sub-option is a bit more complicated. Note
that [RFC3046] specifies that a DHCPv4 server which supports the that [RFC3046] specifies that a DHCPv4 server which supports the
relay-agent-information option SHALL copy all sub-options received in relay-agent-information option SHALL copy all sub-options received in
a relay-agent-information option into any outgoing relay-agent- a relay-agent-information option into any outgoing relay-agent-
information option. Thus, the default behavior for any DHCPv4 server information option. Thus, the default behavior for any DHCPv4 server
is to return any VSS sub-option received to the relay agent whether is to return any VSS sub-option received to the relay agent whether
or not the DHCPv4 server understand the VSS sub-option. A server or not the DHCPv4 server understand the VSS sub-option. A server
skipping to change at page 17, line 27 skipping to change at page 18, line 5
type byte may only be defined by IETF Consensus, as described in type byte may only be defined by IETF Consensus, as described in
[RFC5226]. Basically, this means that they are defined by RFCs [RFC5226]. Basically, this means that they are defined by RFCs
approved by the IESG. approved by the IESG.
10. Acknowledgments 10. Acknowledgments
Bernie Volz recommended consolidation of the DHCPv4 option and sub- Bernie Volz recommended consolidation of the DHCPv4 option and sub-
option drafts after extensive review of the former drafts, and option drafts after extensive review of the former drafts, and
provided valuable assistance in structuring and reviewing this provided valuable assistance in structuring and reviewing this
document. Alper Yegin expressed interest in the DHCPv6 VSS option, document. Alper Yegin expressed interest in the DHCPv6 VSS option,
resulting in this combined draft covering all three areas. resulting in this combined draft covering all three areas. Alfred
Hoenes provided assistance with editorial review as well as raising
substantive protocol issues. David Hankins and Bernie Volz each
raised important protocol issues which resulted in a clarified
document. Josh Littlefield provided editorial assistance.
11. Normative References 11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997. Requirement Levels", RFC 2119, March 1997.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
March 1997. March 1997.
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, March 1997. Extensions", RFC 2132, March 1997.
skipping to change at page 18, line 9 skipping to change at page 18, line 38
3046, January 2001. 3046, January 2001.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and
M. Carney, "Dynamic Host Configuration Protocol for IPv6 M. Carney, "Dynamic Host Configuration Protocol for IPv6
(DHCPv6)", RFC 3315, July 2003. (DHCPv6)", RFC 3315, July 2003.
[RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic [RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic
Host Configuration Protocol (DHCP) version 6", RFC 3633, December Host Configuration Protocol (DHCP) version 6", RFC 3633, December
2003. 2003.
12. Informative References [RFC4994] Zeng, S., Volz, B., Kinnear, K. and J. Brzozowski, "DHCPv6
Relay Agent Echo Request Option", RFC 4994, September 2007.
11.2. Informative References
[RFC951] Croft, B. and J. Gilmore, "Bootstrap Protocol", RFC 951, [RFC951] Croft, B. and J. Gilmore, "Bootstrap Protocol", RFC 951,
September 1985. September 1985.
[RFC1542] Wimer, W., "Clarifications and Extensions for the Bootstrap [RFC1542] Wimer, W., "Clarifications and Extensions for the Bootstrap
Protocol", RFC 1542, October 1993. Protocol", RFC 1542, October 1993.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP [RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP
Messages", RFC 3118, June 2001. Messages", RFC 3118, June 2001.
[RFC3942] Volz, B., "Reclassifying Dynamic Host Configuration [RFC3942] Volz, B., "Reclassifying Dynamic Host Configuration
Protocol version 4 (DHCPv4) Options", RFC 3942, November 2004. Protocol version 4 (DHCPv4) Options", RFC 3942, November 2004.
[RFC4030] Stapp, M. and T. Lemon, "The Authentication Suboption for [RFC4030] Stapp, M. and T. Lemon, "The Authentication Suboption for
the Dynamic Host Configuration Protocol (DHCP) Relay Agent the Dynamic Host Configuration Protocol (DHCP) Relay Agent
Option", RFC 4030, March 2005. Option", RFC 4030, March 2005.
[RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration
Protocol (DHCP) Leasequery", RFC 4388, February 2006. Protocol (DHCP) Leasequery", RFC 4388, February 2006.
[RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng, "DHCPv6 [RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng, "DHCPv6
Leasequery", RFC 5007, September 2007. Leasequery", RFC 5007, September 2007.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.
13. Authors' Addresses 12. Authors' Addresses
Kim Kinnear Kim Kinnear
Cisco Systems Cisco Systems
1414 Massachusetts Ave. 1414 Massachusetts Ave.
Boxborough, Massachusetts 01719 Boxborough, Massachusetts 01719
Phone: (978) 936-0000 Phone: (978) 936-0000
EMail: kkinnear@cisco.com EMail: kkinnear@cisco.com
Richard Johnson Richard Johnson
Cisco Systems Cisco Systems
170 W. Tasman Dr. 170 W. Tasman Dr.
San Jose, CA 95134 San Jose, CA 95134
Phone: (408) 526-4000 Phone: (408) 526-4000
EMail: raj@cisco.com EMail: raj@cisco.com
Mark Stapp Mark Stapp
skipping to change at page 19, line 30 skipping to change at line 902
EMail: mjs@cisco.com EMail: mjs@cisco.com
Jay Kumarasamy Jay Kumarasamy
Cisco Systems Cisco Systems
170 W. Tasman Dr. 170 W. Tasman Dr.
San Jose, CA 95134 San Jose, CA 95134
Phone: (408) 526-4000 Phone: (408) 526-4000
EMail: jayk@cisco.com EMail: jayk@cisco.com
14. Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
15. Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
16. Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
 End of changes. 38 change blocks. 
74 lines changed or deleted 113 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/