draft-ietf-dhc-vpn-option-10.txt   draft-ietf-dhc-vpn-option-11.txt 
DHC Working Group Kim Kinnear DHC Working Group Kim Kinnear
Internet Draft Richard Johnson Internet Draft Richard Johnson
Intended Status: Standards Track Mark Stapp Intended Status: Standards Track Mark Stapp
Expires: September 3, 2009 Jay Kumarasamy Expires: September 4, 2009 Jay Kumarasamy
Cisco Systems Cisco Systems
March 3, 2009 March 4, 2009
Virtual Subnet Selection Options for DHCPv4 and DHCPv6 Virtual Subnet Selection Options for DHCPv4 and DHCPv6
<draft-ietf-dhc-vpn-option-10.txt> <draft-ietf-dhc-vpn-option-11.txt>
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 34 skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 3, 2009 This Internet-Draft will expire on September 4, 2009
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 28 skipping to change at page 2, line 28
1. Introduction................................................. 2 1. Introduction................................................. 2
2. Terminology.................................................. 3 2. Terminology.................................................. 3
3. Virtual Subnet Selection Option and Sub-Option Definitions... 5 3. Virtual Subnet Selection Option and Sub-Option Definitions... 5
3.1. DHCPv4 Virtual Subnet Selection Option..................... 5 3.1. DHCPv4 Virtual Subnet Selection Option..................... 5
3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 5 3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 5
3.3. DHCPv6 Virtual Subnet Selection Option..................... 6 3.3. DHCPv6 Virtual Subnet Selection Option..................... 6
3.4. Virtual Subnet Selection Type and Information.............. 6 3.4. Virtual Subnet Selection Type and Information.............. 6
4. Overview of Virtual Subnet Selection Usage................... 7 4. Overview of Virtual Subnet Selection Usage................... 7
5. Relay Agent Behavior......................................... 10 5. Relay Agent Behavior......................................... 10
5.1. VPN assignment by the DHCP server.......................... 12 5.1. VPN assignment by the DHCP server.......................... 12
5.2. DHCP Leasequery............................................ 12 5.2. DHCP Leasequery............................................ 13
6. Client Behavior.............................................. 12 6. Client Behavior.............................................. 13
7. Server Behavior.............................................. 13 7. Server Behavior.............................................. 14
7.1. Returning the DHCPv4 or DHCPv6 Option...................... 14 7.1. Returning the DHCPv4 or DHCPv6 Option...................... 15
7.2. Returning the DHCPv4 Sub-Option............................ 15 7.2. Returning the DHCPv4 Sub-Option............................ 15
7.3. Making sense of conflicting VSS information................ 15 7.3. Making sense of conflicting VSS information................ 16
8. Security..................................................... 16 8. Security..................................................... 16
9. IANA Considerations.......................................... 17 9. IANA Considerations.......................................... 17
10. Acknowledgments............................................. 17 10. Acknowledgments............................................. 18
11. References.................................................. 18 11. References.................................................. 18
11.1. Normative References...................................... 18 11.1. Normative References...................................... 18
11.2. Informative References.................................... 18 11.2. Informative References.................................... 19
12. Authors' Addresses.......................................... 19 12. Authors' Addresses.......................................... 20
1. Introduction 1. Introduction
There is a growing use of Virtual Private Network (VPN) There is a growing use of Virtual Private Network (VPN)
configurations. The growth comes from many areas; individual client configurations. The growth comes from many areas; individual client
systems needing to appear to be on the home corporate network even systems needing to appear to be on the home corporate network even
when traveling, ISPs providing extranet connectivity for customer when traveling, ISPs providing extranet connectivity for customer
companies, etc. In some of these cases there is a need for the DHCP companies, etc. In some of these cases there is a need for the DHCP
server to know the VPN (hereafter called a "Virtual Subnet Selector" server to know the VPN (hereafter called a "Virtual Subnet Selector"
or "VSS") from which an address, and other resources, should be or "VSS") from which an address, and other resources, should be
skipping to change at page 3, line 48 skipping to change at page 3, line 48
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
This document uses the following terms: This document uses the following terms:
o "DHCP client" o "DHCP client"
A DHCP client is a host using DHCP to obtain configuration A DHCP client is a host using DHCP to obtain configuration
parameters such as a network address. parameters such as a network address.
o "DHCP proxy"
A DHCP proxy is a DHCP client which acquires IP addresses not
for its own use, but rather on behalf of another entity. There
are a variety of ways that a DHCP proxy can supply the addresses
it acquires to other entities that need them.
o "DHCP relay agent" o "DHCP relay agent"
A DHCP relay agent is a third-party agent that transfers BOOTP A DHCP relay agent is an agent that transfers BOOTP and DHCP
and DHCP messages between clients and servers residing on messages between clients and servers residing on different
different subnets, per [RFC951] and [RFC1542]. subnets, per [RFC951], [RFC1542], and [RFC3315].
o "DHCP server" o "DHCP server"
A DHCP server is a host that returns configuration parameters to A DHCP server is a host that returns configuration parameters to
DHCP clients. DHCP clients.
o "DHCPv4 option" o "DHCPv4 option"
An option used to implement a capability defined by the DHCPv4 An option used to implement a capability defined by the DHCPv4
RFCs [RFC2131][RFC2132]. These options have one-octet code and RFCs [RFC2131][RFC2132]. These options have one-octet code and
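Review bot: the newly added "DHCP proxy" definition is not used by any of the changed text visible in this diff; confirm that the body (sections 6 and 8 in particular) actually refers to a proxy, otherwise the definition is dead weight. If it stays, the Security section should say explicitly that a proxy, being a DHCP client that requests addresses for other entities, can originate the client-side VSS option and is therefore the most likely source of the pool-exhaustion attack described there. The relay-agent definition change is right: adding [RFC3315] covers DHCPv6 relays, which [RFC951] and [RFC1542] do not, and dropping "third-party" matches the way the later text treats the relay as trusted infrastructure that can override a client's VSS.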
skipping to change at page 7, line 23 skipping to change at page 7, line 40
a VSS option with a Type field containing any value other than a VSS option with a Type field containing any value other than
zero (0), one (1), or 255 SHOULD be ignored. zero (0), one (1), or 255 SHOULD be ignored.
4. Overview of Virtual Subnet Selection Usage 4. Overview of Virtual Subnet Selection Usage
At the highest level, the VSS option or sub-option determines the VPN At the highest level, the VSS option or sub-option determines the VPN
on which a DHCP client is supposed to receive an IP address. How the on which a DHCP client is supposed to receive an IP address. How the
option or sub-option is entered and processed is discussed below, but option or sub-option is entered and processed is discussed below, but
the point of all of the discussion is to determine the VPN on which the point of all of the discussion is to determine the VPN on which
the DHCP client resides. This will affect a relay agent, in that it the DHCP client resides. This will affect a relay agent, in that it
will have to ensure that the packets sent to and received from the will have to ensure that DHCP packets sent to and received from the
DHCP client flow over the correct VPN. This will affect the DHCP DHCP client flow over the correct VPN. This will affect the DHCP
server in that it determines the IP address space used for the IP server in that it determines the IP address space used for the IP
address allocation. address allocation.
A DHCP server has as part of its configuration some IP address space A DHCP server has as part of its configuration some IP address space
from which it allocates IP addresses to DHCP clients. These from which it allocates IP addresses to DHCP clients. These
allocations are typically for a limited time, and thus the DHCP allocations are typically for a limited time, and thus the DHCP
client gets a lease on the IP address. In the absence of any VPN client gets a lease on the IP address. In the absence of any VPN
information, the IP address space is in the global or default VPN information, the IP address space is in the global or default VPN
used throughout the Internet. When a DHCP server deals with VPN used throughout the Internet. When a DHCP server deals with VPN
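Review bot: "a VSS option with a Type field containing any value other than zero (0), one (1), or 255 SHOULD be ignored" leaves a security-relevant gap: a silently ignored VSS option means the server falls through to the global or default address space described just below, and the only signal the client or relay gets is the absence of the option in the reply (section 7.1). State that an unrecognized Type is handled as "not supported" under 7.1 (no VSS option returned, no allocation from any VPN the sender named), and say whether a relay agent that does not recognize the Type should forward the sub-option unchanged or drop it. The change from "the packets" to "DHCP packets" is a good tightening, since the relay's VPN responsibility here is for the DHCP exchange itself, not the client's data traffic.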
skipping to change at page 14, line 35 skipping to change at page 15, line 10
In a similar manner, a DHCP server may use the Virtual Subnet In a similar manner, a DHCP server may use the Virtual Subnet
Selection option to inform a DHCP client that the address (or Selection option to inform a DHCP client that the address (or
addresses) it allocated for the client is on a particular VPN. addresses) it allocated for the client is on a particular VPN.
In either case above, care should be taken to ensure that a client or In either case above, care should be taken to ensure that a client or
relay agent receiving a reply containing a VSS option will correctly relay agent receiving a reply containing a VSS option will correctly
understand the VSS option. Otherwise, the client or relay agent will understand the VSS option. Otherwise, the client or relay agent will
end up using the address as though it were a global address. end up using the address as though it were a global address.
If a server uses a different VPN than what was specified in the VSS
option or sub-option, it SHOULD send back the VPN information using
the same type as the received type. It MAY send back a different type
if it is not possible to use the same type (such as the RFC2685 VPN-
ID if no ASCII VPN identifier exists).
7.1. Returning the DHCPv4 or DHCPv6 Option 7.1. Returning the DHCPv4 or DHCPv6 Option
DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option
processing, see below) MUST return an instance of this option in the processing, see below) MUST return an instance of this option in the
reply packet or message if the server successfully uses this option reply packet or message if the server successfully uses this option
to allocate an IP address, and it MUST NOT include an instance of to allocate an IP address, and it MUST NOT include an instance of
this option if the server is unable to support, is not configured to this option if the server is unable to support, is not configured to
support, or does not implement support for VSS information in general support, or does not implement support for VSS information in general
or the requested VPN in particular. or the requested VPN in particular.
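Review bot: the new paragraph "If a server uses a different VPN than what was specified in the VSS option or sub-option, it SHOULD send back the VPN information using the same type as the received type" conflicts with 7.1 as written: 7.1 says the server MUST NOT include the option if it is not configured to support "the requested VPN in particular", yet the new text has the server answering with a VSS option carrying a VPN the requester did not ask for. Say which rule wins when the server allocates from a VPN other than the requested one; the sub-option text in 7.2 already makes returning the alternative VSS information a MUST, so 7.1 should probably be aligned with that rather than the other way round. Two smaller points: "the RFC2685 VPN-ID" should use the document's bracketed citation form, [RFC2685], and "same type" should read "same Type field value" to match the field name in section 3.4.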
skipping to change at page 15, line 14 skipping to change at page 15, line 43
this document. this document.
7.2. Returning the DHCPv4 Sub-Option 7.2. Returning the DHCPv4 Sub-Option
The case of the DHCPv4 sub-option is a bit more complicated. Note The case of the DHCPv4 sub-option is a bit more complicated. Note
that [RFC3046] specifies that a DHCPv4 server which supports the that [RFC3046] specifies that a DHCPv4 server which supports the
relay-agent-information option SHALL copy all sub-options received in relay-agent-information option SHALL copy all sub-options received in
a relay-agent-information option into any outgoing relay-agent- a relay-agent-information option into any outgoing relay-agent-
information option. Thus, the default behavior for any DHCPv4 server information option. Thus, the default behavior for any DHCPv4 server
is to return any VSS sub-option received to the relay agent whether is to return any VSS sub-option received to the relay agent whether
or not the DHCPv4 server understand the VSS sub-option. A server or not the DHCPv4 server understands the VSS sub-option. A server
which implements the VSS sub-option MUST include the VSS sub-option which implements the VSS sub-option MUST include the VSS sub-option
in the relay-agent-information option in the reply packet if it in the relay-agent-information option in the reply packet if it
successfully acted upon the VSS information in the incoming VSS sub- successfully acted upon the VSS information in the incoming VSS sub-
option. option.
Moreover, if a server uses different VSS information to allocate an Moreover, if a server uses different VSS information to allocate an
IP address than it receives in a particular DHCPv4 sub-option, it IP address than it receives in a particular DHCPv4 sub-option, it
MUST include that alternative VSS information in a sub-option that it MUST include that alternative VSS information in a sub-option that it
returns to the DHCPv4 relay agent. returns to the DHCPv4 relay agent.
skipping to change at page 16, line 47 skipping to change at page 17, line 25
option. Potential exposures to attack are discussed in section 7 of option. Potential exposures to attack are discussed in section 7 of
the DHCP protocol specification in [RFC2131]. the DHCP protocol specification in [RFC2131].
For DHCPv6 use of the VSS option, the "Security Considerations" For DHCPv6 use of the VSS option, the "Security Considerations"
section of [RFC3315] details the general threats to DHCPv6, and thus section of [RFC3315] details the general threats to DHCPv6, and thus
to messages using the VSS option. The "Authentication of DHCP to messages using the VSS option. The "Authentication of DHCP
Messages" section of [RFC3315] describes securing communication Messages" section of [RFC3315] describes securing communication
between relay agents and servers, as well as clients and servers. between relay agents and servers, as well as clients and servers.
The VSS option could be used by a client in order to obtain an IP The VSS option could be used by a client in order to obtain an IP
address from a VPN other than the one where it should. This option address from any VPN. This option would allow a client to perform a
would allow a client to perform a more complete address-pool more complete address-pool exhaustion attack since the client would
exhaustion attack since the client would no longer be restricted to no longer be restricted to attacking address-pools on just its local
attacking address-pools on just its local subnet. subnet.
A DHCP server that implements these options and sub-option should be A DHCP server that implements these options and sub-option should be
aware of this possibility and use whatever techniques that can be aware of this possibility and use whatever techniques that can be
devised to prevent such an attack. Information such as the giaddr in devised to prevent such an attack. Information such as the giaddr in
DHCPv4 or link address in the Relay-forward DHCPv6 message might be DHCPv4 or link address in the Relay-forward DHCPv6 message might be
used to detect and prevent this sort of attack. used to detect and prevent this sort of attack.
One possible defense would be for the DHCP relay to insert a VSS One possible defense would be for the DHCP relay to insert a VSS
option or sub-option to override the DHCP client's VSS option. option or sub-option to override the DHCP client's VSS option.
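Review bot: the mitigation text is still non-normative ("should be aware", "whatever techniques that can be devised") even though the rewording to "from any VPN" now states the risk correctly. Two things a server implementer needs spelled out: first, the relay-override defense in the last paragraph only works if the server prefers a relay-supplied VSS sub-option (or Relay-forward VSS option) over a client-supplied VSS option when both are present, which is the conflict section 7.3 exists to resolve, so cite 7.3 here and make that precedence a MUST for any server that accepts VSS from clients at all; second, the giaddr / Relay-forward link-address hint should be stated as a concrete rule, e.g. "accept a client-supplied VSS only when the relay the request arrived through is configured as belonging to that VPN", otherwise it is not actionable. Also worth a sentence: because 7.1 returns the option only on success and omits it otherwise, a client can enumerate which VPN identifiers the server serves by observing which requests come back with a VSS option, which is an information leak distinct from pool exhaustion.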
skipping to change at page 17, line 34 skipping to change at page 18, line 14
IANA is requested to assign sub-option number 151 for the DHCPv4 IANA is requested to assign sub-option number 151 for the DHCPv4
sub-option defined in Section 3.2 from the DHCP Relay Agent Sub- sub-option defined in Section 3.2 from the DHCP Relay Agent Sub-
options space [RFC3046], in accordance with the spirit of [RFC3942]. options space [RFC3046], in accordance with the spirit of [RFC3942].
While [RFC3942] doesn't explicitly mention the sub-option space for While [RFC3942] doesn't explicitly mention the sub-option space for
the DHCP Relay Agent Information option [RFC3046], sub-option 151 is the DHCP Relay Agent Information option [RFC3046], sub-option 151 is
already in use by existing implementations of this sub-option and the already in use by existing implementations of this sub-option and the
current draft is essentially compatible with these current current draft is essentially compatible with these current
implementations. implementations.
IANA has assigned the value of TBD for the DHCPv6 VSS option defined IANA is requested to assign the value of TBD for the DHCPv6 VSS
in Section 3.3. option defined in Section 3.3 from the DHCPv6 option registry.
While the type byte defined in Section 3.4 defines a number space While the type byte defined in Section 3.4 defines a number space
that could be managed by IANA, expansion of this number space is not that could be managed by IANA, expansion of this number space is not
anticipated and so creation of a registry of these numbers is not anticipated and so creation of a registry of these numbers is not
required by this document. In the event that additional values for required by this document. In the event that additional values for
the type byte are defined in subsequent documents, IANA should at the type byte are defined in subsequent documents, IANA should at
that time create a registry for these type bytes. New values for the that time create a registry for these type bytes. New values for the
type byte may only be defined by IETF Consensus, as described in type byte may only be defined by IETF Consensus, as described in
[RFC5226]. Basically, this means that they are defined by RFCs [RFC5226]. Basically, this means that they are defined by RFCs
approved by the IESG. approved by the IESG.
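Review bot: "the current draft is essentially compatible with these current implementations" needs to say what is not compatible, since any difference between deployed code using sub-option 151 and this draft's Type handling matters for the 7.2 copy-through behavior (a server that does not understand the sub-option echoes whatever it received). The correction from "IANA has assigned the value of TBD" to "IANA is requested to assign" is right, as nothing had been assigned; check that the DHCPv4 option from section 3.1 has a matching request earlier in this section, since it does not appear in the changed text here.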
 End of changes. 15 change blocks. 
23 lines changed or deleted 36 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/