draft-ietf-dhc-vpn-option-11.txt   draft-ietf-dhc-vpn-option-12.txt 
DHC Working Group Kim Kinnear DHC Working Group Kim Kinnear
Internet Draft Richard Johnson Internet Draft Richard Johnson
Intended Status: Standards Track Mark Stapp Intended Status: Standards Track Mark Stapp
Expires: September 4, 2009 Jay Kumarasamy Expires: April 22, 2011 Cisco Systems
Cisco Systems Jay Kumarasamy
March 4, 2009 October 22, 2010
Virtual Subnet Selection Options for DHCPv4 and DHCPv6 Virtual Subnet Selection Options for DHCPv4 and DHCPv6
<draft-ietf-dhc-vpn-option-11.txt> <draft-ietf-dhc-vpn-option-12.txt>
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 34 skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 4, 2009
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents
publication of this document (http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Abstract Abstract
This memo defines a Virtual Subnet Selection (VSS) option for DHCPv4 This memo defines a Virtual Subnet Selection (VSS) option for each of
and DHCPv6, and a DHCPv4 relay-agent-information sub-option. These DHCPv4 and DHCPv6, and a VSS sub-option carried in the DHCPv4 relay-
are intended for use by DHCP clients, relay agents, and proxy clients agent-information option. These are intended for use by DHCP
in situations where VSS information needs to be passed to the DHCP clients, relay agents, and proxy clients in situations where VSS
server for proper address or prefix allocation to take place. information needs to be passed to the DHCP server for proper address
or prefix allocation to take place.
For the DHCPv4 option and relay-agent-information sub-option, this For the DHCPv4 option and relay-agent-information sub-option, this
memo documents existing usage as per RFC 3942 [RFC3942]. memo documents existing usage as per RFC 3942 [RFC3942].
Table of Contents Table of Contents
1. Introduction................................................. 2 1. Introduction................................................. 3
2. Terminology.................................................. 3 2. Terminology.................................................. 4
3. Virtual Subnet Selection Option and Sub-Option Definitions... 5 3. Virtual Subnet Selection Option and Sub-Options Definitions.. 5
3.1. DHCPv4 Virtual Subnet Selection Option..................... 5 3.1. DHCPv4 Virtual Subnet Selection Option..................... 5
3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 5 3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 6
3.3. DHCPv6 Virtual Subnet Selection Option..................... 6 3.3. DHCPv6 Virtual Subnet Selection Option..................... 6
3.4. Virtual Subnet Selection Type and Information.............. 6 3.4. Virtual Subnet Selection Type and Information.............. 7
4. Overview of Virtual Subnet Selection Usage................... 7 4. Overview of Virtual Subnet Selection Usage................... 8
5. Relay Agent Behavior......................................... 10 4.1. VPN assignment by the DHCP relay agent..................... 9
5.1. VPN assignment by the DHCP server.......................... 12 4.2. VPN assignment by the DHCP server.......................... 12
5.2. DHCP Leasequery............................................ 13 4.3. Required Support........................................... 14
6. Client Behavior.............................................. 13 4.4. Alternative VPN assignment approaches...................... 14
7. Server Behavior.............................................. 14 5. Relay Agent Behavior......................................... 14
7.1. Returning the DHCPv4 or DHCPv6 Option...................... 15 5.1. VPN assignment by the DHCP server.......................... 16
7.2. Returning the DHCPv4 Sub-Option............................ 15 5.2. DHCP Leasequery............................................ 17
7.3. Making sense of conflicting VSS information................ 16 6. Client Behavior.............................................. 17
8. Security..................................................... 16 7. Server Behavior.............................................. 18
9. IANA Considerations.......................................... 17 7.1. Returning the DHCPv4 or DHCPv6 Option...................... 19
10. Acknowledgments............................................. 18 7.2. Returning the DHCPv4 Sub-Option............................ 20
11. References.................................................. 18 7.3. Making sense of conflicting VSS information................ 21
11.1. Normative References...................................... 18 8. Security..................................................... 21
11.2. Informative References.................................... 19 9. IANA Considerations.......................................... 22
12. Authors' Addresses.......................................... 20 10. Acknowledgments............................................. 23
11. References.................................................. 23
11.1. Normative References...................................... 23
11.2. Informative References.................................... 24
1. Introduction 1. Introduction
There is a growing use of Virtual Private Network (VPN) There is a growing use of Virtual Private Network (VPN)
configurations. The growth comes from many areas; individual client configurations. The growth comes from many areas; individual client
systems needing to appear to be on the home corporate network even systems needing to appear to be on the home corporate network even
when traveling, ISPs providing extranet connectivity for customer when traveling, ISPs providing extranet connectivity for customer
companies, etc. In some of these cases there is a need for the DHCP companies, etc. In some of these cases there is a need for the DHCP
server to know the VPN (hereafter called a "Virtual Subnet Selector" server to know the VPN (hereafter called a "Virtual Subnet Selector"
or "VSS") from which an address, and other resources, should be or "VSS") from which an address, and other resources, should be
allocated. allocated.
This memo defines a Virtual Subnet Selection (VSS) option for DHCPv4 This memo defines a Virtual Subnet Selection (VSS) option for each of
and DHCPv6, and a DHCPv4 relay-agent-information sub-option. These DHCPv4 and DHCPv6, and a VSS sub-option carried in the DHCPv4 relay-
are intended for use by DHCP clients, relay agents, and proxy clients agent-information option. These are intended for use by DHCP
in situations where VSS information needs to be passed to the DHCP clients, relay agents, and proxy clients in situations where VSS
server for proper address or prefix allocation to take place. If the information needs to be passed to the DHCP server for proper address
receiving DHCP server understands the VSS option or sub-option, this or prefix allocation to take place. If the receiving DHCP server
information may be used in conjunction with other information in understands the VSS option or sub-option, this information may be
determining the subnet on which to select an address as well as other used in conjunction with other information in determining the subnet
information such as DNS server, default router, etc. on which to select an address as well as other information such as
DNS server, default router, etc.
If the allocation is being done through a DHCPv4 relay, then the If the allocation is being done through a DHCPv4 relay, then the
relay sub-option defined here should be included. In some cases, relay sub-option defined here should be included. In some cases,
however an IP address is being sought by a DHCPv4 proxy on behalf of however, an IP address is being sought by a DHCPv4 proxy on behalf of
a client (which may be assigned the address via a different a client (which may be assigned the address via a different
protocol). In this case, there is a need to include VSS information protocol). In this case, there is a need to include VSS information
relating to the client as a DHCPv4 option. relating to the client as a DHCPv4 option.
If the allocation is being done through a DHCPv6 relay, then the If the allocation is being done through a DHCPv6 relay, then the
DHCPv6 VSS option defined in this document should be included in the DHCPv6 VSS option defined in this document should be included in the
Relay-forward and Relay-reply message going between the DHCPv6 relay Relay-forward and Relay-reply message going between the DHCPv6 relay
and server. In some cases, addresses or prefixes are being sought by and server. In some cases, addresses or prefixes are being sought by
a DHCPv6 proxy on behalf of a client. In this case, there is a need a DHCPv6 proxy on behalf of a client. In this case, there is a need
for the client itself to supply the VSS information using the DHCPv6 for the client itself to supply the VSS information using the DHCPv6
VSS option in the messages that it sends to the DHCPv6 server. VSS option in the messages that it sends to the DHCPv6 server.
In the remaining text of this document, when a DHCPv6 address is In the remaining text of this document, when a DHCPv6 address is
indicated the same information applies to DHCPv6 Prefix Delegation indicated the same information applies to DHCPv6 Prefix Delegation
[RFC3633] as well. [RFC3633] as well.
In the remaining text of this document, when the term VSS sub-option
is used, it refers to the VSS sub-option carried in the DHCPv4
relay-agent-information option.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
This document uses the following terms: This document uses the following terms:
o "DHCP client" o "DHCP client"
skipping to change at page 4, line 37 skipping to change at page 5, line 11
As used in this document, a DHCPv4 sub-option refers to a sub- As used in this document, a DHCPv4 sub-option refers to a sub-
option of the relay-agent-information option [RFC3046]. These option of the relay-agent-information option [RFC3046]. These
sub-options have one-octet code and size fields. sub-options have one-octet code and size fields.
o "DHCPv6 option" o "DHCPv6 option"
An option used to implement a capability defined by the DHCPv6 An option used to implement a capability defined by the DHCPv6
RFC [RFC3315]. These options have two-octet code and size RFC [RFC3315]. These options have two-octet code and size
fields. fields.
o "downstream" o "Global VPN"
Downstream is the direction from the access concentrator towards
the subscriber.
o "upstream"
Upstream is the direction from the subscriber towards the access Indicates that the address being described belongs to the set of
concentrator. addresses not part of any VPN. In other words, the normal
address space operated on by DHCP. This includes private
addresses, for example the 10.x.x.x addresses as well as the
other private subnets that are not routed on the open internet.
o "VSS information" o "VSS information"
Information about a VPN necessary to allocate an address to a Information about a VPN necessary to allocate an address to a
DHCP client on that VPN and necessary to forward a DHCP reply DHCP client on that VPN and necessary to forward a DHCP reply
packet to a DHCP client on that VPN. packet to a DHCP client on that VPN.
o "VPN" o "VPN"
Virtual private network. A network which appears to the client Virtual private network. A network which appears to the client
to be a private network. to be a private network.
o "VPN Identifier" o "VPN Identifier"
The VPN-ID is defined by [RFC2685] to be a sequence of 7 octets. The VPN-ID is defined by [RFC2685] to be a sequence of 7 octets.
3. Virtual Subnet Selection Option and Sub-Option Definitions 3. Virtual Subnet Selection Option and Sub-Options Definitions
The Virtual Subnet Selection options and sub-option contain a The Virtual Subnet Selection options and sub-options contain a
generalized way to specify the VSS information about a VPN. There generalized way to specify the VSS information about a VPN. There
are two options and one sub-option defined in this section. The are two options and one sub-option defined in this section. The
actual VSS information is identical in each. actual VSS information is identical in each.
3.1. DHCPv4 Virtual Subnet Selection Option 3.1. DHCPv4 Virtual Subnet Selection Option
The format of the option is: The format of the option is:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
skipping to change at page 7, line 9 skipping to change at page 7, line 28
3.4. Virtual Subnet Selection Type and Information 3.4. Virtual Subnet Selection Type and Information
All of the (sub)options defined above carry identical payloads, All of the (sub)options defined above carry identical payloads,
consisting of a type and additional VSS information as follows: consisting of a type and additional VSS information as follows:
Type VSS Information format: Type VSS Information format:
0 NVT ASCII VPN identifier 0 NVT ASCII VPN identifier
1 RFC2685 VPN-ID 1 RFC2685 VPN-ID
2-254 Not Allowed 2-252 Reserved
253 CONTROL (DHCPv4 VSS sub-option only)
254 Reserved
255 Global, default VPN. 255 Global, default VPN.
o Type 0 -- NVT ASCII VPN identifier o Type 0 -- NVT ASCII VPN identifier
Indicates that the VSS information consists of a NVT ASCII Indicates that the VSS information consists of a NVT ASCII
string. It MUST NOT be terminated with a zero byte. string. It MUST NOT be terminated with a zero byte.
o Type 1 -- RFC2685 VPN-ID o Type 1 -- RFC2685 VPN-ID
Indicates that the VSS information consists of an RFC2685 VPN-ID Indicates that the VSS information consists of an RFC2685 VPN-ID
[RFC2685], which is defined to be 7 octets in length. [RFC2685], which is defined to be 7 octets in length.
o Type 253 -- CONTROL
This is only valid for the DHCPv4 relay-agent-information option
sub-option. It indicates that another DHCPV4 VSS sub-option is
present in the relay-agent-information option. The sub-option
with type CONTROL MUST be removed by any DHCPv4 server which
successfully processes the information in the other DHCPv4 sub-
option with valid VSS information. In this case, there MUST NOT
be any VSS Information included in the sub-option, and the
length of the VSS sub-option MUST be 1.
o Type 255 -- Global, default VPN o Type 255 -- Global, default VPN
Indicates that there is no explicit, non-default VSS information Indicates that there is no explicit, non-default VSS information
but rather that this option references the normal, global, but rather that this option references the normal, global,
default address space. In this case, there MUST NOT be any VSS default address space. In this case, there MUST NOT be any VSS
Information and the length of the VSS option MUST be 1. Information included in the VSS option or sub-option and the
length of the MUST be 1.
All other values of the Type field are invalid as of this memo and All other values of the Type field are reserved.
a VSS option with a Type field containing any value other than
zero (0), one (1), or 255 SHOULD be ignored.
4. Overview of Virtual Subnet Selection Usage 4. Overview of Virtual Subnet Selection Usage
At the highest level, the VSS option or sub-option determines the VPN At the highest level, the VSS option or sub-option determines the VPN
on which a DHCP client is supposed to receive an IP address. How the on which a DHCP client is supposed to receive an IP address. How the
option or sub-option is entered and processed is discussed below, but option or sub-option is entered and processed is discussed below, but
the point of all of the discussion is to determine the VPN on which the point of all of the discussion is to determine the VPN on which
the DHCP client resides. This will affect a relay agent, in that it the DHCP client resides. This will affect a relay agent, in that it
will have to ensure that DHCP packets sent to and received from the will have to ensure that DHCP packets sent to and received from the
DHCP client flow over the correct VPN. This will affect the DHCP DHCP client flow over the correct VPN. This will affect the DHCP
skipping to change at page 8, line 16 skipping to change at page 8, line 50
information, each VPN defines a new address space inside the server, information, each VPN defines a new address space inside the server,
one distinct from the global or default IP address space. A server one distinct from the global or default IP address space. A server
which supports the VSS option or sub-option thereby supports which supports the VSS option or sub-option thereby supports
allocation of IP addresses from multiple different VPNs. Supporting allocation of IP addresses from multiple different VPNs. Supporting
IP address allocation from multiple different VPNs means that the IP address allocation from multiple different VPNs means that the
DHCP server must be prepared to configure multiple different address DHCP server must be prepared to configure multiple different address
spaces (one per distinct VPN) and allocate IP addresses from these spaces (one per distinct VPN) and allocate IP addresses from these
different address spaces. different address spaces.
These address spaces are typically independent, so that the same IP These address spaces are typically independent, so that the same IP
address could be allocated to one client in the global, default VPN, address (consisting of the same string of bytes) could be allocated
and to a different client residing in a different VPN. There is no to one client in the global, default VPN, and to a different client
conflict in this allocation, since the clients have essentially residing in a different VPN. There is no conflict in this
different IP addresses. The IPv4 or IPv6 address is qualified by the allocation, since the clients have essentially different addresses,
VPN. even though these addresses consist of the same string of bytes,
because the IPv4 or IPv6 address is qualified by the VPN.
Thus a VSS option or sub-option is a way of signaling the use of a Thus a VSS option or sub-option is a way of signaling the use of a
VPN other than the global or default VPN. The next question is: who VPN other than the global or default VPN. The next question is: who
decides what VPN a DHCP client should be using? decides what VPN a DHCP client should be using?
There are three entities which can either insert a VSS option or There are three entities which can either insert a VSS option or
sub-option into a DHCPv4 packet or DHCPv6 message; a DHCP client, a sub-option into a DHCPv4 packet or DHCPv6 message; a DHCP client, a
relay agent, or a DHCPv4 or DHCPv6 server. While all of these relay agent, or a DHCPv4 or DHCPv6 server. While all of these
entities could include a different VSS option or sub-option in every entities could include a different VSS option or sub-option in every
request or response, this situation is neither typical nor useful. request or response, this situation is neither typical nor useful.
There are two known paradigms for use of the VSS option or sub- There are two known paradigms for use of the VSS option or sub-
option, which are discussed below. option, which are discussed below.
4.1. VPN assignment by the DHCP relay agent
The typical use of the VSS option or sub-option is for the relay The typical use of the VSS option or sub-option is for the relay
agent to know the VPN on which the DHCP client is operating. The agent to know the VPN on which the DHCP client is operating. The
DHCP client itself does not, in this scenario, know the VPN on which DHCP client itself does not, in this approach, know the VPN on which
it resides. The relay agent is responsible for mediating the access it resides. The relay agent is responsible for mediating the access
between the VPN on which the DHCP client resides and the DHCP server. between the VPN on which the DHCP client resides and the DHCP server.
In this situation, the relay agent will insert a VSS sub-option into In this situation, the relay agent will insert two DHCPv4 VSS sub-
the relay-agent-information option (for DHCPv4) or a VSS option into options (one with valid VSS information, and one with type CONTROL)
the Relay-forward message (for DHCPv6) of every request it forwards into the relay-agent-information option or a DHCPv6 VSS option into
from the DHCP client. The server will use the VSS option or sub- the Relay-forward message of every request it forwards from the DHCP
option to determine the VPN on which the client resides, and use that client. The server will use the VSS option or sub-option to
VPN information to select the address space within its configuration determine the VPN on which the client resides, and use that VPN
from which to allocate an IP address to the DHCP client. information to select the address space within its configuration from
which to allocate an IP address to the DHCP client.
In this scenario, the relay agent might also send a VSS option or When, using this approach, a DHCPv4 relay agent inserts a VSS sub-
option with containing VSS information it MUST also insert a VSS
sub-option containing type CONTROL, no additional VSS information,
and a length of 1. This is to allow determination of whether or not
the DHCPv4 server actually processes the VSS information provided by
the DHCPv4 relay agent. If the DHCPv4 server supports the VSS
capabilities described in this document, it will remove the VSS sub-
option with type CONTROL from the relay-agent-information option that
it returns to the DHCPv4 relay agent. See Section 5 for more
information.
In this approach, the relay agent might also send a VSS option or
sub-option in either a DHCPv4 or DHCPv6 Leasequery request, but in sub-option in either a DHCPv4 or DHCPv6 Leasequery request, but in
this case, it would use the VSS option in the Leasequery request to this case, it would use the VSS option in the Leasequery request to
select the correct address space for the Leasequery. In this select the correct address space for the Leasequery. In this
scenario, the relay agent would be acting as a DHCP client from a approach, the relay agent would be acting as a DHCP client from a
Leasequery standpoint, but it would not be as if a DHCP client were Leasequery standpoint, but it would not be as if a DHCP client were
sending in a VSS option in a standard DHCP address allocation sending in a VSS option in a standard DHCP address allocation
request, say a DHCPDISCOVER. request, say a DHCPDISCOVER.
In this scenario, only one relay agent would mediate the VPN access In this approach, only one relay agent would mediate the VPN access
for the DHCP client to the DHCP server, and it would be the relay for the DHCP client to the DHCP server, and it would be the relay
agent which inserts the VSS information into the request packet and agent which inserts the VSS information into the request packet and
would remove it prior to forwarding the response packet on. would remove it prior to forwarding the response packet on.
In the diagram below is an example of a DHCPv4 client, DHCPv4 relay
agent, and DHCPv4 server. The DHCPv6 situation is similar, but uses
the DHCPv6 VSS option.
DHCPv4
DHCPv4 Relay DHCPv4
Client Agent Server
| | |
| >--DHCPDISCOVER--> | |
| on VRF "abc" | |
| | >--DHCPDISCOVER----> |
| | relay-agent-info: |
| | VSS type VRF:"abc"|
| | VSS type CONTROL |
| | |
| | <----DHCPOFFER-----< |
| | relay-agent-info: |
| | VSS type VRF:"abc"|
| | |
| <---DHCPOFFER----< | |
| on VRF "abc" | |
| | |
| >--DHCPREQUEST---> | |
| on VRF "abc" | |
| | >--DHCPREQUEST-----> |
| | relay-agent-info: |
| | VSS type VRF:"abc"|
| | VSS type CONTROL |
| | |
| | <----DHCPACK-------< |
| | relay-agent-info: |
| | VSS type VRF:"abc"|
| | |
| <---DHCPACK------< | |
| on VRF "abc" | |
| | |
... ... ...
Figure 4.1-1: DHCPv4 - Relay Agent knows VPN
The DHCP server would know that it should respond to VPN information The DHCP server would know that it should respond to VPN information
specified in a VSS option or sub-option, and it would be configured specified in a VSS option or sub-option, and it would be configured
with appropriate VPN address spaces to service the projected client with appropriate VPN address spaces to service the projected client
requirements. Thus, in this common scenario, the DHCP client knows requirements. Thus, in this common approach, the DHCP client knows
nothing of any VPN access, the relay agent has been configured in nothing of any VPN access, the relay agent has been configured in
some way that allows it to determine the VPN of the DHCP client and some way that allows it to determine the VPN of the DHCP client and
transmit that using a VSS option or sub-option to the DHCP server, transmit that using a VSS option or sub-option to the DHCP server,
and the DHCP server responds to the VPN specified by the relay agent. and the DHCP server responds to the VPN specified by the relay agent.
There is no conflict between different entities trying to specify There is no conflict between different entities trying to specify
different VSS information -- each entity knows its role through different VSS information -- each entity knows its role through
policy or configuration external to this document. policy or configuration external to this document.
It is important to ensure that each entity in this scenario both If any mis-configuration exists, it SHOULD result in a DHCP client
supports the VSS option and sub-option (for DHCPv4) or the VSS option being unable to acquire an IP address. For instance, a relay agent
(for DHCPv6), and that it is configured correctly. Deploying relay which supports VPN access SHOULD couple transmission of VSS options
agents which support and emit VSS sub-options in concert with DHCPv4 or sub-options to the configuration of VPN support, and not allow one
servers which do not support the VSS option or sub-option as defined without the other.
in this document SHOULD NOT be done, as such an ensemble will not
operate correctly together because all of the IP addresses will be
allocated from the global or default VPN regardless of the VPN on
which the client's reside.
In the second scenario, the DHCP server would be configured in some It is important to ensure that the relay agent and DHCP server both
way to know the VPN on which a particular DHCP client should be given support the VSS option and sub-option (for DHCPv4) or the VSS option
(for DHCPv6). Deploying DHCPv4 relay agents which support and emit
VSS sub-options in concert with DHCPv4 servers which do not support
the VSS option or sub-option as defined in this document SHOULD NOT
be done, as such an ensemble will not operate correctly. Should this
situation occur, however, the relay agent can detect the problem
(since the VSS sub-option with type CONTROL will appear in the
packets it receives from the DHCPv4 server), and it can issue
appropriate diagnostic messages.
4.2. VPN assignment by the DHCP server
In this approach, the DHCP server would be configured in some way to
know the VPN on which a particular DHCP client should be given
access. The DHCP server would in this case include the VSS sub- access. The DHCP server would in this case include the VSS sub-
option in the relay-agent-information option for DHCPv4 or the VSS option in the relay-agent-information option for DHCPv4 or the VSS
option in the Relay-reply message for DHCPv6. The relay agent option in the Relay-reply message for DHCPv6. The relay agent
responsible for mediating VPN access would use this information to responsible for mediating VPN access would use this information to
select the correct VPN for the DHCP client. In the event that there select the correct VPN for the DHCP client. In the unusal event that
were more than one relay agent involved in this transaction, some there were more than one relay agent involved in this transaction,
external configuration or policy would be needed to inform the DHCPv6 some external configuration or policy would be needed to inform the
server into which Relay-reply message the VSS option should go. DHCPv6 server into which Relay-reply message the VSS option should
go.
Once the relay agent has placed the DHCP client into the proper VPN, Once the relay agent has placed the DHCP client into the proper VPN,
it SHOULD begin including VSS information in requests that it it SHOULD begin including VSS information in requests that it
forwards to the DHCP server. Since this information does not forwards to the DHCP server. Since this information does not
conflict with the DHCP server's idea of the proper VPN for the conflict with the DHCP server's idea of the proper VPN for the
client, everything works correctly. client, everything works correctly.
In this second scenario, the DHCP client is again unaware of any VPN The diagram below shows this approach using DHCPv4. The DHCPv6
situation is similar, but uses the DHCPv6 VSS option instead.
DHCPv4
DHCPv4 Relay DHCPv4
Client Agent Server
| | |
| >--DHCPDISCOVER--> | |
| on unknown VPN | |
| | >--DHCPDISCOVER----> |
| | |
| | <----DHCPOFFER-----< |
| | relay-agent-info: |
| | VSS type VRF:"abc"|
| | |
| <---DHCPOFFER----< | |
| on VRF "abc" | |
| | |
| >--DHCPREQUEST---> | |
| on VRF "abc" | |
| | >--DHCPREQUEST-----> |
| | relay-agent-info: |
| | VSS type VRF:"abc"|
| | VSS type CONTROL |
| | |
| | <----DHCPACK-------< |
| | relay-agent-info: |
| | VSS type VRF:"abc"|
| | |
| <---DHCPACK------< | |
| on VRF "abc" | |
| | |
| | |
... ... ...
Figure 4.2-1: DHCPv4 - DHCPv4 Server knows VPN
In this approach, the DHCP client is again unaware of any VPN
activity. In this case, however, the DHCP server knows the VPN for activity. In this case, however, the DHCP server knows the VPN for
the client, and the relay agent responds to the VSS information the client, and the relay agent responds to the VSS information
specified by the DHCP server. Similar to the first scenario, each specified by the DHCP server. Similar to the previous approach, each
entity knows its role through a means external to this document and entity knows its role through a means external to this document and
no two entities try to specify VSS information in conflict. no two entities try to specify VSS information in conflict.
Again, in this scenario, it is important that both the relay agent as It is important that both the relay agent as well as the DHCP server
well as the DHCP server both support the VSS option and sub-option both support the VSS option and sub-option (for DHCPv4) and the VSS
(for DHCPv4) and the VSS option (for DHCPv6). Deploying and option (for DHCPv6). Deploying and configuring VPN support in one
configuring VPN support in one element and not in the other is not a element and not in the other is not a practical approach.
practical approach.
There are many other scenarios which can be created with multiple 4.3. Required Support
DHCP relay agents and servers MUST support the approach discussed in
Section 4.1. DHCP relay agents and server SHOULD support the
approach discussed in Section 4.2. DHCP relay agents and servers
SHOULD NOT be configured to operate with both approaches
simultaneously.
4.4. Alternative VPN assignment approaches
There are many other approaches which can be created with multiple
relay agents each inserting VSS information into different Relay- relay agents each inserting VSS information into different Relay-
forward messages, relay agent VSS information conflicting with client forward messages, relay agent VSS information conflicting with client
VSS information, or DHCP server VSS information conflicting with VSS information, or DHCP server VSS information conflicting with
relay agent and client VSS information. Since these scenarios do not relay agent and client VSS information. Since these approaches do
describe situations that are useful today, specifying precisely how not describe situations that are useful today, specifying precisely
to resolve all of these conflicts is unlikely to be valuable in the how to resolve all of these conflicts is unlikely to be valuable in
event that these scenarios actually become practical in the future. the event that these approaches actually become practical in the
future.
The current use of the VSS option and sub-option require that each The current use of the VSS option and sub-option require that each
entity knows the part that it plays in dealing with VPN data. Each entity knows the part that it plays in dealing with VPN data. Each
entity -- client, relay agent or agents, and server -- SHOULD know entity -- client, relay agent or agents, and server -- SHOULD know
through some policy or configuration beyond the scope of this through some policy or configuration beyond the scope of this
document whether it is responsible for specifying VPN information document whether it is responsible for specifying VPN information
using the VSS option or sub-option or responsible for responding to using the VSS option or sub-option or responsible for responding to
VSS information specified by another entity, or simply ignoring any VSS information specified by another entity, or simply ignoring any
VSS information which it might see. VSS information which it might see.
Some simple conflict resolution approaches are discussed below, in Some simple conflict resolution approaches are discussed below, in
the hopes that they will cover simple cases that may arise from the hopes that they will cover simple cases that may arise from
scenarios beyond those envisioned today. However, for more complex situations beyond those envisioned today. However, for more complex
scenarios, or simple scenarios where appropriate conflict resolution situations, or simple situations where appropriate conflict
strategies differ from those discussed in this document, a document resolution strategies differ from those discussed in this document, a
detailing the usage scenarios and appropriate conflict resolution document detailing the usage situations and appropriate conflict
strategies SHOULD be created and submitted for discussion and resolution strategies SHOULD be created and submitted for discussion
approval. and approval.
5. Relay Agent Behavior 5. Relay Agent Behavior
A relay agent which receives a DHCP request from a DHCP client on a A relay agent which receives a DHCP request from a DHCP client on a
VPN SHOULD include Virtual Subnet Selection information in the DHCP VPN SHOULD include Virtual Subnet Selection information in the DHCP
packet prior to forwarding the packet on to the DHCP server unless packet prior to forwarding the packet on to the DHCP server unless
inhibited from doing so by configuration information or policy to the inhibited from doing so by configuration information or policy to the
contrary. contrary.
A DHCPv4 relay agent SHOULD include a DHCPv4 VSS sub-option in a In this situation, a DHCPv4 relay agent MUST include a DHCPv4 VSS
relay-agent-information option [RFC3046], while a DHCPv6 relay agent sub-option in a relay-agent-information option [RFC3046], while a
SHOULD include a DHCPv6 VSS option in the Relay-forward message. DHCPv6 relay agent MUST include a DHCPv6 VSS option in the Relay-
forward message.
The value placed in the Virtual Subnet Selection sub-option or option The value placed in the Virtual Subnet Selection sub-option or option
SHOULD be sufficient for the relay agent to properly route any DHCP would typically be sufficient for the relay agent to properly route
reply packet returned from the DHCP server to the DHCP client for any DHCP reply packet returned from the DHCP server to the DHCP
which it is destined. client for which it is destined. In some cases, the information in
the VSS sub-option or option might be an index into some internal
Anytime a relay agent places a VSS option or sub-option in a DHCP table held in the relay agent, though this document places no
request, it MUST send it only to a DHCP server which supports the VSS requirement on a relay agent to have any such internal state.
option or sub-option.
Since this option or sub-option is placed in the packet in order to A DHCPv4 relay agent SHOULD, in addition, include a DHCPv4 VSS sub-
specify the VPN on which an IP address is allocated for a particular option with a type of CONTROL, no additional VSS information, and a
DHCP client, one presumes that an allocation on that VPN is necessary length of one, in the relay-agent-information option [RFC3046]. The
for correct operation. If this presumption is correct, then a relay inclusion of two VSS sub-options in the relay-agent-information
agent which places this option in a packet and doesn't receive it (or option, one with valid VSS information, and one with a type of
receives a different value than that sent to the server) in the CONTROL, will allow the DHCPv4 relay agent to determine whether the
returning packet should drop the packet since the IP address that was DHCPv4 server actually processed the information in the VSS sub-
allocated will not be in the correct VPN. If an IP address that is option containing valid VSS information.
on the requested VPN is not required, then the relay agent is free to
accept the IP address that is not on the VPN that was requested.
The converse, however, is more complicated. In the DHCPv6 case, the The reason to include this additional VSS DHCPv4 sub-option is that
appearance of the option in the Relay-reply packet does indeed [RFC3046] specifies (essentially) that a DHCPv4 server should copy
indicate that the DHCPv6 server understood and acted upon the all sub-options that it receives in a relay-agent-information option
contents of the VSS option in the Relay-forward packet. In the in a request into a corresponding relay-agent-information option in
DHCPv4 case, however, the appearance of the sub-option in the relay- the response. Thus, a server that didn't support the DHCPv4 VSS
agent-information option received by the relay agent does not sub-option would normally just copy it to the response packet,
necessarily indicate that the DHCPv4 server even understood, let leaving the relay agent to wonder if in fact the DHCPv4 server
alone acted correctly upon, the VSS sub-option that it received. actually used the VSS information when processing the request.
The reason is that [RFC3046] specifies that a DHCPv4 server which To alleviate this potential confusion, a DHCPvr4 relay agent instead
supports the relay-agent-information option SHALL copy all sub- sends in two VSS sub-options, one with valid VSS information, and one
options received in a relay-agent-information option into any with a VSS type of CONTROL. If both sub-options appear in the
outgoing relay-agent-information option. Because of these response from the DHCPv4 server, then the DHCPv4 relay agent MUST
requirements, even a DHCPv4 server which doesn't implement support assume that the DHCPv4 server did not act on the valid VSS
for the Virtual Subnet Selection sub-option will almost certainly information in one of the sub-options. If only the VSS sub-option
copy it into the outgoing relay-agent-information option. This means with the valid information appears in the response from the DHCPv4
that the appearance of the Virtual Subnet Selection sub-option in a server and no VSS sub-option with type CONTROL appears in the
relay-agent-information option doesn't indicate support for the response from the DHCPv4 server, then the relay agent SHOULD assume
Virtual Subnet Selection sub-option. that the DHCPv4 server acted successfully on the VSS sub-option with
the valid VSS information.
There are only two pieces of information which can be determined from Anytime a relay agent places a VSS option or sub-option in a DHCP
the appearance or lack of appearance of the DHCPv4 Virtual Subnet request, it SHOULD send it only to a DHCP server which supports the
Selection sub-option in a relay-agent-information option received by VSS option or sub-option, and it MUST check the response to determine
a relay agent from a DHCPv4 server. First, if the Virtual Subnet if the DHCP server actually honored the requested VSS information.
Selection sub-option does not appear, then the server was able to
support this sub-option but chose not to do so. Second, if the
Virtual Subnet Selection sub-option appears and has a different value
than the one originally included in the relay-agent-information
option, then the DHCP server was able to support this sub-option and
allocated an address using different VSS information than was
originally provided by the relay agent.
Thus, if a DHCPv4 relay agent has a requirement to determine if the In the DHCPv6 case, the appearance of the option in the Relay-reply
address allocated by a DHCPv4 server is on a particular VPN, it must packet indicates that the DHCPv6 server understood and acted upon the
use some other approach than the appearance of the VSS sub-option in contents of the VSS option in the Relay-forward packet. In the
the reply packet to make this determination. DHCPv4 case, as discussed above, the appearance of the VSS sub-option
containing valid VSS information without the appearance of a VSS
sub-option of type CONTROL indicates that the DHCPv4 server
successfully acted upon the VSS sub-option that was returned
containing valid VSS information.
This document does not create a requirement that a relay agent This document does not create a requirement that a relay agent
remember the contents of a VSS DHCPv4 sub-option or VSS DHCPv6 option remember the contents of a VSS DHCPv4 sub-option or VSS DHCPv6 option
sent to a DHCP server. In many cases, the relay agent may simply use sent to a DHCP server. In many cases, the relay agent may simply use
the value of the VSS returned by the DHCP server to forward the the value of the VSS returned by the DHCP server to forward the
response to the DHCP client. If the VSS information, the IP address response to the DHCP client. If the VSS information, the IP address
allocated, and the VPN capabilities of the relay agent all allocated, and the VPN capabilities of the relay agent all
interoperate correctly, then the DHCP client will receive a working interoperate correctly, then the DHCP client will receive a working
IP address. Alternatively, if any of these items don't interoperate IP address. Alternatively, if any of these items don't interoperate
with the others, the DHCP client will not receive a working address. with the others, the DHCP client will not receive a working address.
Note that in some environments a relay agent may choose to always Note that in some environments a relay agent may choose to always
place a VSS option or sub-option into packets and messages that it place a VSS option or sub-option into packets and messages that it
forwards in order to forestall any attempt by a downstream relay forwards in order to forestall any attempt by a relay agent closer to
agent or client to specify VSS information. In this case, a type the client or the client itself to specify VSS information. In this
field of 255 is used to denote the global, default VPN. When the case, a type field of 255 is used to denote the global, default VPN.
type field of 255 is used, there MUST NOT be any additional VSS When the type field of 255 is used, there MUST NOT be any additional
Information in the VSS option. VSS information in the VSS option or sub-option. In the DHCPv4 case,
an additional VSS sub-option with type CONTROL should be used, as
discussed above.
5.1. VPN assignment by the DHCP server 5.1. VPN assignment by the DHCP server
In some cases, a DHCP server may use the Virtual Subnet Selection In some cases, a DHCP server may use the Virtual Subnet Selection
sub-option or option to inform a relay agent that a particular DHCP sub-option or option to inform a relay agent that a particular DHCP
client is associated with a particular VPN. It does this by sending client is associated with a particular VPN. It does this by sending
the Virtual Subnet Selection sub-option or option with the the Virtual Subnet Selection sub-option or option with the
appropriate information to the relay agent in the relay-agent- appropriate information to the relay agent in the relay-agent-
information option for DHCPv4 or the Relay-reply message in DHCPv6. information option for DHCPv4 or the Relay-reply message in DHCPv6.
If the relay agent is unable to honor the DHCP server's requirement If the relay agent cannot respond correctly to the DHCP server's
to place the DHCP client into that VPN it MUST drop the packet and requirement to place the DHCP client into that VPN (perhaps because
not send it to the DHCP client. it has not been configured with a VPN that matches the VSS
information received from the DHCP server) it MUST drop the packet
The DHCP server MUST NOT place VSS information in an outgoing packet and not send it to the DHCP client.
if the relay agent or DHCP client is unprepared to properly interpret
the VSS information.
In this situation, once the relay agent has placed the DHCP client In this situation, once the relay agent has placed the DHCP client
into the VPN specified by the DHCP server, it will send in a VSS into the VPN specified by the DHCP server, it will insert a VSS
option or sub-option when forwarding packets from the client. The option or sub-option when forwarding packets from the client. The
DHCP server in normal operation will echo this VSS information into DHCP server in normal operation will echo this VSS information into
the outgoing replies. the outgoing replies.
In the event that the relay agent doesn't include VSS information on
subsequent requests after the DHCP server has included VSS
information in a reply to the relay agent, the DHCP server can
conclude that the relay agent doesn't support VSS processing, and the
DHCP server SHOULD stop processing this transaction and not respond
to the request.
5.2. DHCP Leasequery 5.2. DHCP Leasequery
Sometimes a relay-agent needs to submit a DHCP Leasequery [RFC4388] Sometimes a relay-agent needs to submit a DHCP Leasequery [RFC4388]
[RFC5007] packet to the DHCP server in order to recover information [RFC5007] packet to the DHCP server in order to recover information
about existing DHCP allocated IP addresses on other than the normal, about existing DHCP allocated IP addresses on other than the normal,
global VPN. In the context of a DHCP Leasequery the relay agent is a global VPN. In the context of a DHCP Leasequery the relay agent is a
direct client of the DHCP server and is not relaying a packet for direct client of the DHCP server and is not relaying a packet for
another DHCP client. Thus, the instructions in Section 6 on Client another DHCP client. Thus, the instructions in Section 6 on Client
Behavior should be followed to include the necessary VSS information. Behavior should be followed to include the necessary VSS information.
6. Client Behavior 6. Client Behavior
Typically, DHCPv4 and DHCPv6 clients have no interaction with VSS
options or sub-options. The VSS information is handled by exchanges
between a DHCPv4 or DHCPv6 relay agent and the corresponding DHCPv4
or DHCPv6 server.
However, there are times when an entity is acting as a DHCPv4 or
DHCPv6 client in that it is communicating directly with a DHCPv4 or
DHCPv6 server. In these instances -- where communications is
occurring without employing the DHCPv4 relay-agent-information option
or the DHCPv6 Relay-forward or Relay-reply messages, the entity is
acting as a DHCPv4 or DHCPv6 client with regard to its communication
with the DHCPv4 or DHCPv6 server, but not necessarily as a DHCP
client who is requesting a DHCPv4 or DHCPv6 address for its own use.
The client, in this context, may be requesting an IP address for
another entity, thus acting as a DHCP proxy. The client may be
requesting information about another client-to-address binding, using
the DHCPv4 [RFC4388] or DHCPv6 [RFC5007] Leasequery protocol.
In the rest of this section, the term "client" refers to an entity
communicating VSS information directly to a DHCPv4 or DHCPv6 server
without using the DHCPv4 relay-agent-information option or the DHCPv6
Relay-forward or Relay-reply messages, and there is no requirement
that such a client is a traditional DHCPv4 or DHCPv6 client
requesting an IP address binding for itself.
A DHCPv4 or DHCPv6 client will employ the VSS option to communicate A DHCPv4 or DHCPv6 client will employ the VSS option to communicate
VSS information to their respective servers. This information MUST VSS information to their respective servers. This information MUST
be included in every message concerning any IP address on a different be included in every message concerning any IP address on a different
VPN than the global or default VPN. A DHCPv4 client will place the VPN than the global or default VPN. A DHCPv4 client will place the
DHCPv4 VSS option in its packets, and a DHCPv6 client will place the DHCPv4 VSS option in its packets, and a DHCPv6 client will place the
DHCPv6 VSS option in its messages. DHCPv6 VSS option in its messages.
A DHCPv6 client that needs to place a VSS option into a DHCPv6 A DHCPv6 client that needs to place a VSS option into a DHCPv6
message SHOULD place a single VSS option into the DHCPv6 message at message SHOULD place a single VSS option into the DHCPv6 message at
the same level as the Client Identifier option. A DHCPv6 client MUST the same level as the Client Identifier option. A DHCPv6 client MUST
NOT include different VSS options in the same DHCPv6 message. NOT include different VSS options in the same DHCPv6 message.
Note that, as mentioned in Section 1, throughout this document when a Note that, as mentioned in Section 1, throughout this document when a
DHCPv6 address is indicated the same information applies to DHCPv6 DHCPv6 address is indicated the same information applies to DHCPv6
Prefix Delegation [RFC3633] as well. Prefix Delegation [RFC3633] as well.
Since this option is placed in the packet in order to change the VPN Since this option is placed in the packet in order to change the VPN
on which an IP address is allocated for a particular DHCP client, one on which an IP address is allocated for a particular DHCP client, one
presumes that an allocation on that VPN is necessary for correct presumes that an allocation on that VPN is necessary for correct
operation. If this presumption is correct, then a client which operation. Thus, a client which places this option in a packet and
places this option in a packet and doesn't receive it or receives a doesn't receive it or receives a different value in a returning
different value in the returning packet should drop the packet since packet SHOULD drop the packet since the IP address that was allocated
the IP address that was allocated will not be in the correct VPN. If will not be in the requested VPN.
an IP address that is on the requested VPN is not required, then the
client is free to accept the IP address that is not on the VPN that
the was requested.
Clients should be aware that some DHCP servers will return a VSS Clients should be aware that some DHCP servers will return a VSS
option with different values than that which was sent in. In option with different values than that which was sent in. In
addition, a client may receive a response from a DHCP server with a addition, a client may receive a response from a DHCP server with a
VSS option when none was sent in by the Client. VSS option when none was sent in by the Client.
Note that when sending a DHCP Leasequery request, a relay agent is Note that when sending a DHCP Leasequery request, a relay agent is
acting as a DHCP client and so it should include the respective acting as a DHCP client and so it SHOULD include the respective
DHCPv4 or DHCPv6 VSS option in its DHCPv4 or DHCPv6 Leasequery packet DHCPv4 or DHCPv6 VSS option in its DHCPv4 or DHCPv6 Leasequery packet
if the DHCP Leasequery request is generated for other than the if the DHCP Leasequery request is generated for other than the
default, global VPN. It should not include a DHCPv4 sub-option in default, global VPN. It SHOULD NOT include a DHCPv4 sub-option in
this case. this case.
7. Server Behavior 7. Server Behavior
A DHCP server receiving the VSS option or sub-option SHOULD allocate A DHCP server receiving the VSS option or sub-option SHOULD allocate
an IP address (or use the VSS information to access an already an IP address (or use the VSS information to access an already
allocated IP address) from the VPN specified by the included VSS allocated IP address) from the VPN specified by the included VSS
information. information.
In the case where the type field of the VSS option or sub-option is In the case where the type field of the VSS option or sub-option is
skipping to change at page 14, line 42 skipping to change at page 19, line 18
for either of these alternatives. for either of these alternatives.
In some cases, a DHCP server may use the Virtual Subnet Selection In some cases, a DHCP server may use the Virtual Subnet Selection
sub-option or option to inform a relay agent that a particular DHCP sub-option or option to inform a relay agent that a particular DHCP
client is associated with a particular VPN. It does this by sending client is associated with a particular VPN. It does this by sending
the Virtual Subnet Selection sub-option or option with the the Virtual Subnet Selection sub-option or option with the
appropriate information to the relay agent in the relay-agent- appropriate information to the relay agent in the relay-agent-
information option for DHCPv4 or the Relay-reply message in DHCPv6. information option for DHCPv4 or the Relay-reply message in DHCPv6.
In this situation, the relay agent will place the client in the In this situation, the relay agent will place the client in the
proper VPN, and then it will send in a VSS option or sub-option in proper VPN, and then it will insert a VSS option or sub-option in
subsequent forwarded requests. The DHCP server will see this VSS subsequent forwarded requests. The DHCP server will see this VSS
information and since it doesn't conflict in any way with the information and since it doesn't conflict in any way with the
server's notion of the VPN on which the client is supposed to reside, server's notion of the VPN on which the client is supposed to reside,
it will process the requests based on the VPN specified in the VSS it will process the requests based on the VPN specified in the VSS
option or sub-option, and echo the same VSS information in the option or sub-option, and echo the same VSS information in the
outgoing replies. outgoing replies.
In a similar manner, a DHCP server may use the Virtual Subnet The relay agent receiving a reply containing a VSS option should
Selection option to inform a DHCP client that the address (or support the VSS option. Otherwise the relay agent will end up
addresses) it allocated for the client is on a particular VPN. attempting to use the address as though it were a global address.
Should this happen, the subsequent DHCPREQUEST will not contain any
In either case above, care should be taken to ensure that a client or VSS information, in which case the DHCP server SHOULD NOT respond
relay agent receiving a reply containing a VSS option will correctly with a DHCPACK.
understand the VSS option. Otherwise, the client or relay agent will
end up using the address as though it were a global address.
If a server uses a different VPN than what was specified in the VSS If a server uses a different VPN than what was specified in the VSS
option or sub-option, it SHOULD send back the VPN information using option or sub-option, it SHOULD send back the VPN information using
the same type as the received type. It MAY send back a different type the same type as the received type. It MAY send back a different type
if it is not possible to use the same type (such as the RFC2685 VPN- if it is not possible to use the same type (such as the RFC2685 VPN-
ID if no ASCII VPN identifier exists). ID if no ASCII VPN identifier exists).
7.1. Returning the DHCPv4 or DHCPv6 Option 7.1. Returning the DHCPv4 or DHCPv6 Option
DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option
skipping to change at page 15, line 30 skipping to change at page 20, line 5
reply packet or message if the server successfully uses this option reply packet or message if the server successfully uses this option
to allocate an IP address, and it MUST NOT include an instance of to allocate an IP address, and it MUST NOT include an instance of
this option if the server is unable to support, is not configured to this option if the server is unable to support, is not configured to
support, or does not implement support for VSS information in general support, or does not implement support for VSS information in general
or the requested VPN in particular. or the requested VPN in particular.
If they echo the option (based on the criteria above), servers SHOULD If they echo the option (based on the criteria above), servers SHOULD
return an exact copy of the option unless they desire to change the return an exact copy of the option unless they desire to change the
VPN on which a client was configured. VPN on which a client was configured.
The appearance of the DHCPv6 VSS option in the OPTION_ORO [RFC3315] The appearance of the DHCPv4 VSS option code in the DHCPv4 Parameter
or the OPTION_ERO [RFC4994] should not change the processing or Request List option [RFC2132] should not change the processing or
decision to return (or not to return) the VSS option as specified in decision to return or not return the VSS option as specified in this
this document. document. The appearance of the DHCPv6 VSS option in the OPTION_ORO
[RFC3315] or the OPTION_ERO [RFC4994] should not change the
processing or decision to return (or not to return) the VSS option as
specified in this document.
7.2. Returning the DHCPv4 Sub-Option 7.2. Returning the DHCPv4 Sub-Option
The case of the DHCPv4 sub-option is a bit more complicated. Note The case of the DHCPv4 sub-option is a bit more complicated. Note
that [RFC3046] specifies that a DHCPv4 server which supports the that [RFC3046] specifies that a DHCPv4 server which supports the
relay-agent-information option SHALL copy all sub-options received in relay-agent-information option SHALL copy all sub-options received in
a relay-agent-information option into any outgoing relay-agent- a relay-agent-information option into any outgoing relay-agent-
information option. Thus, the default behavior for any DHCPv4 server information option. Thus, the default behavior for any DHCPv4 server
is to return any VSS sub-option received to the relay agent whether is to return any VSS sub-option received to the relay agent whether
or not the DHCPv4 server understands the VSS sub-option. A server or not the DHCPv4 server understands the VSS sub-option.
which implements the VSS sub-option MUST include the VSS sub-option
in the relay-agent-information option in the reply packet if it In order to distinguish a DHCPv4 server which is simply copying
successfully acted upon the VSS information in the incoming VSS sub- relay-agent-information option sub-options from an incoming to an
option. outgoing relay-agent-informaion option from one which successfully
acted upon the information in the VSS sub-option, DHCPv4 relay agents
MUST include two VSS sub-options in the relay-agent-information in
the request. One of these VSS sub-options contains valid VSS
information, and one of these VSS sub-options has a type of CONTROL,
no additional VSS information, and a length of one.
A DHCPv4 server which does not support the VSS sub-option will copy
both sub-options into the outgoing relay-agent-information option,
thus signalling to the DHCPv4 relay agent that it did not understand
the VSS sub-option.
A DHCPv4 server which supports the VSS sub-option and acts upon the
VSS sub-option with valid VSS information in it:
o MUST copy the VSS sub-option containing the valid VSS
information into the outgoing relay-agent-information option
o MUST NOT copy the VSS sub-option with the type of CONTROL into
the outgoing relay-agent-information option
Moreover, if a server uses different VSS information to allocate an Moreover, if a server uses different VSS information to allocate an
IP address than it receives in a particular DHCPv4 sub-option, it IP address than it receives in a particular DHCPv4 sub-option, it
MUST include that alternative VSS information in a sub-option that it MUST include that alternative VSS information in the VSS sub-option
returns to the DHCPv4 relay agent. that it returns to the DHCPv4 relay agent instead of the origian VSS
information it was given.
If a DHCPv4 server supports this sub-option and for some reason If a DHCPv4 server supports this sub-option and for some reason
(perhaps administrative control) does not honor this sub-option from (perhaps administrative control) does not honor this sub-option from
the request then it MUST NOT echo this sub-option in the outgoing the request then it MUST NOT echo either sub-option into the outgoing
relay-agent-information option. relay-agent-information option.
Note that the appearance of the VSS sub-option in a reply packet from
a DHCPv4 server to a relay-agent does not communicate any useful
information about whether or not the server used the VSS sub-option
in its processing. However, the absence of a VSS sub-option in a
reply from a DHCPv4 server when a VSS sub-option was included in a
request to the DHCPv4 server is significant, and means that the
server did not use the VSS information present in the sub-option in
its processing.
7.3. Making sense of conflicting VSS information 7.3. Making sense of conflicting VSS information
It is possible for a DHCPv4 server to receive both a VSS option and a It is possible for a DHCPv4 server to receive both a VSS option and
VSS sub-option in the same packet. Likewise, a DHCPv6 server can VSS sub-options in the same packet. Likewise, a DHCPv6 server can
receive multiple VSS options in nested Relay-forward messages as well receive multiple VSS options in nested Relay-forward messages as well
as in the client message itself. In either of these cases, the VSS as in the client message itself. In either of these cases, the VSS
information from the relay agent closest to the DHCP server SHOULD be information from the relay agent closest to the DHCP server SHOULD be
used in preference to all other VSS information received. In the used in preference to all other VSS information received. In the
DHCPv4 case, this means that the VSS sub-option takes precedence over DHCPv4 case, this means that the VSS sub-option takes precedence over
the VSS option, and in the DHCPv6 case, this means that the VSS the VSS option, and in the DHCPv6 case, this means that the VSS
option from the outer-most Relay-forward message in which a VSS option from the outer-most Relay-forward message in which a VSS
option appears takes precedence. option appears takes precedence.
The reasoning behind this approach is that the relay-agent closer to The reasoning behind this approach is that the relay-agent closer to
skipping to change at page 16, line 44 skipping to change at page 21, line 35
or more distant relay agents, and therefore information in the or more distant relay agents, and therefore information in the
relay-agent-information option or the Relay-forward message is more relay-agent-information option or the Relay-forward message is more
likely to be correct. likely to be correct.
In general, relay agents SHOULD be aware through configuration or In general, relay agents SHOULD be aware through configuration or
policy external to this document whether or not they should be policy external to this document whether or not they should be
including VSS information in packets that they forward and so there including VSS information in packets that they forward and so there
should not be conflicts among relay agent specified VSS information. should not be conflicts among relay agent specified VSS information.
In these situations where multiple VSS option or sub-options appear In these situations where multiple VSS option or sub-options appear
in the incoming packet or message, when constructing the response to in the incoming packet or message, when the DHCP server constructs
be sent to the DHCP client or relay agent, all existing VSS options the response to be sent to the DHCP client or relay agent, all
or sub-options MUST be replicated in the appropriate places in the existing VSS options or sub-options MUST be replicated in the
response and MUST contain the VSS information that was used by the appropriate places in the response and MUST contain only the VSS
DHCP server to allocate the IP address. information that was used by the DHCP server to allocate the IP
address (with, of course, the exception of a DHCPv4 relay-agent-
information VSS sub-option with a type of CONTROL).
8. Security 8. Security
Message authentication in DHCPv4 for intradomain use where the out- Message authentication in DHCPv4 for intradomain use where the out-
of-band exchange of a shared secret is feasible is defined in of-band exchange of a shared secret is feasible is defined in
[RFC3118]. Potential exposures to attack are discussed in section 7 [RFC3118]. Potential exposures to attack are discussed in section 7
of the DHCP protocol specification in [RFC2131]. of the DHCP protocol specification in [RFC2131].
Implementations should consider using the DHCPv4 Authentication Implementations should consider using the DHCPv4 Authentication
option [RFC3118] to protect DHCPv4 client access in order to provide option [RFC3118] to protect DHCPv4 client access in order to provide
skipping to change at page 18, line 17 skipping to change at page 23, line 9
options space [RFC3046], in accordance with the spirit of [RFC3942]. options space [RFC3046], in accordance with the spirit of [RFC3942].
While [RFC3942] doesn't explicitly mention the sub-option space for While [RFC3942] doesn't explicitly mention the sub-option space for
the DHCP Relay Agent Information option [RFC3046], sub-option 151 is the DHCP Relay Agent Information option [RFC3046], sub-option 151 is
already in use by existing implementations of this sub-option and the already in use by existing implementations of this sub-option and the
current draft is essentially compatible with these current current draft is essentially compatible with these current
implementations. implementations.
IANA is requested to assign the value of TBD for the DHCPv6 VSS IANA is requested to assign the value of TBD for the DHCPv6 VSS
option defined in Section 3.3 from the DHCPv6 option registry. option defined in Section 3.3 from the DHCPv6 option registry.
While the type byte defined in Section 3.4 defines a number space The type byte defined in Section 3.4 defines a number space for which
that could be managed by IANA, expansion of this number space is not IANA is to create and maintain a new sub-registry entitled "VSS Type
anticipated and so creation of a registry of these numbers is not values". This sub-registry needs to be related to both the DHCPv4
required by this document. In the event that additional values for and DHCPv6 VSS options and the DHCPv4 relay-agent-information option
the type byte are defined in subsequent documents, IANA should at sub-option (all defined by this document), since the type byte in
that time create a registry for these type bytes. New values for the these two options and one sub-option MUST have identical definitions.
type byte may only be defined by IETF Consensus, as described in
[RFC5226]. Basically, this means that they are defined by RFCs New values for the type byte may only be defined by IETF Consensus,
approved by the IESG. as described in [RFC5226]. Basically, this means that they are
defined by RFCs approved by the IESG.
10. Acknowledgments 10. Acknowledgments
Bernie Volz recommended consolidation of the DHCPv4 option and sub- Bernie Volz recommended consolidation of the DHCPv4 option and sub-
option drafts after extensive review of the former drafts, and option drafts after extensive review of the former drafts, and
provided valuable assistance in structuring and reviewing this provided valuable assistance in structuring and reviewing this
document. Alper Yegin expressed interest in the DHCPv6 VSS option, document. Alper Yegin expressed interest in the DHCPv6 VSS option,
resulting in this combined draft covering all three areas. Alfred resulting in this combined draft covering all three areas. Alfred
Hoenes provided assistance with editorial review as well as raising Hoenes provided assistance with editorial review as well as raising
substantive protocol issues. David Hankins and Bernie Volz each substantive protocol issues. David Hankins and Bernie Volz each
raised important protocol issues which resulted in a clarified raised important protocol issues which resulted in a clarified
document. Josh Littlefield provided editorial assistance. document. Josh Littlefield provided editorial assistance. Several
IESG reviewers took the time to substantially review this document,
resulting in much increased clarity.
11. References 11. References
11.1. Normative References 11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997. Requirement Levels", RFC 2119, March 1997.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
March 1997. March 1997.
skipping to change at page 20, line 5 skipping to change at page 24, line 46
[RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration
Protocol (DHCP) Leasequery", RFC 4388, February 2006. Protocol (DHCP) Leasequery", RFC 4388, February 2006.
[RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng, "DHCPv6 [RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng, "DHCPv6
Leasequery", RFC 5007, September 2007. Leasequery", RFC 5007, September 2007.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.
12. Authors' Addresses Authors' Addresses
Kim Kinnear Kim Kinnear
Cisco Systems Cisco Systems
1414 Massachusetts Ave. 1414 Massachusetts Ave.
Boxborough, Massachusetts 01719 Boxborough, Massachusetts 01719
Phone: (978) 936-0000 Phone: (978) 936-0000
EMail: kkinnear@cisco.com EMail: kkinnear@cisco.com
skipping to change at page 20, line 35 skipping to change at line 1100
Mark Stapp Mark Stapp
Cisco Systems Cisco Systems
1414 Massachusetts Ave. 1414 Massachusetts Ave.
Boxborough, Massachusetts 01719 Boxborough, Massachusetts 01719
Phone: (978) 936-0000 Phone: (978) 936-0000
EMail: mjs@cisco.com EMail: mjs@cisco.com
Jay Kumarasamy Jay Kumarasamy
Cisco Systems
170 W. Tasman Dr.
San Jose, CA 95134
Phone: (408) 526-4000
EMail: jayk@cisco.com
 End of changes. 66 change blocks. 
235 lines changed or deleted 425 lines changed or added

This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/