draft-ietf-dhc-vpn-option-12.txt compared with draft-ietf-dhc-vpn-option-13.txt

Text common to both drafts is shown once. Where the drafts differ, the
-12 wording and the -13 wording are given in turn, labelled "[-12]" and
"[-13]". Lines reading "skipping to change at ..." mark unchanged text
that the comparison omits.

[-12]
DHC Working Group                                          Kim Kinnear
Internet Draft                                         Richard Johnson
Intended Status: Standards Track                           Mark Stapp
Expires: April 22, 2011                                  Cisco Systems
                                                        Jay Kumarasamy
                                                      October 22, 2010

[-13]
DHC Working Group                                          Kim Kinnear
Internet Draft                                         Richard Johnson
Intended Status: Standards Track                           Mark Stapp
Expires: October 29, 2011                                Cisco Systems
                                                        Jay Kumarasamy
                                                        April 29, 2011

         Virtual Subnet Selection Options for DHCPv4 and DHCPv6
                     <draft-ietf-dhc-vpn-option-12.txt>
                     <draft-ietf-dhc-vpn-option-13.txt>

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   skipping to change at page 1, line 36

   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   [-12] Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   [-13] Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as

   skipping to change at page 2, line 36

   For the DHCPv4 option and relay-agent-information sub-option, this
   memo documents existing usage as per RFC 3942 [RFC3942].

Table of Contents

   [-13]
   1. Introduction................................................. 3
   2. Terminology.................................................. 4
   3. Virtual Subnet Selection Option and Sub-Options Definitions.. 5
   3.1. DHCPv4 Virtual Subnet Selection Option..................... 5
   3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 6
   3.3. DHCPv4 Virtual Subnet Selection Control Sub-Option......... 6
   3.4. DHCPv6 Virtual Subnet Selection Option..................... 7
   3.5. Virtual Subnet Selection Type and Information.............. 7
   4. Overview of Virtual Subnet Selection Usage................... 8
   4.1. VPN assignment by the DHCP relay agent..................... 9
   4.2. VPN assignment by the DHCP server.......................... 12
   4.3. Required Support........................................... 14
   4.4. Alternative VPN assignment approaches...................... 14
   5. Relay Agent Behavior......................................... 14
   5.1. VPN assignment by the DHCP server.......................... 16
   5.2. DHCP Leasequery............................................ 17
   6. Client Behavior.............................................. 17
   7. Server Behavior.............................................. 18

   [-12] The -12 table of contents is identical except that Section 3.3
   is absent and the last two entries of Section 3 read:
   3.3. DHCPv6 Virtual Subnet Selection Option..................... 6
   3.4. Virtual Subnet Selection Type and Information.............. 7

   skipping to change at page 5, line 38

   to be a private network.

   o  "VPN Identifier"

      The VPN-ID is defined by [RFC2685] to be a sequence of 7 octets.

3. Virtual Subnet Selection Option and Sub-Options Definitions

   [-12] The Virtual Subnet Selection options and sub-options contain a
   generalized way to specify the VSS information about a VPN.  There
   are two options and one sub-option defined in this section.  The
   actual VSS information is identical in each.

   [-13] The Virtual Subnet Selection options and sub-options contain a
   generalized way to specify the VSS information about a VPN.  There
   are two options and two sub-options defined in this section.  The
   actual VSS information is identical in both options and in one of
   the two sub-options.

3.1. DHCPv4 Virtual Subnet Selection Option

   The format of the option is:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |    Length     |     Type      |  VSS Info ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code          The option code (221).

   Length        The option length, minimum 1 octet.

   Type and VSS Information -- see Section 3.5 (Section 3.4 in -12).

3.2. DHCPv4 Virtual Subnet Selection Sub-Option

   This is a sub-option of the relay-agent-information option [RFC3046].
   The format of the sub-option is:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |    Length     |     Type      |  VSS Info. ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code          The sub-option code (151).

   Length        The sub-option length, minimum 1 octet.

   Type and VSS Information -- see Section 3.5 (Section 3.4 in -12).

3.3. DHCPv4 Virtual Subnet Selection Control Sub-Option   [-13 only]

   This is a sub-option of the relay-agent-information option [RFC3046].
   The format of the sub-option is:

    0                   1
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |    Length     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code          The sub-option code (TBD).

   Length        The sub-option length, 0.

   This sub-option only appears in the DHCPv4 relay-agent-information
   option.  In a DHCP request, it indicates that a DHCPv4 VSS sub-option
   is also present in the relay-agent-information option.  In a DHCP
   reply, if it appears in the relay-agent-information option, it
   indicates that the DHCP server did not understand any DHCPv4 VSS
   sub-option that also appears in the relay-agent-information option.

3.4. DHCPv6 Virtual Subnet Selection Option   (Section 3.3 in -12)

   The format of the DHCPv6 Virtual Subnet Selection option is shown
   below.  This option may be included by a client or relay-agent (or
   both).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          OPTION_VSS           |          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |  VSS Information ...                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code   OPTION_VSS (TBD).

   option-len    The number of octets in the option, minimum 1.

   Type and VSS Information -- see Section 3.5 (Section 3.4 in -12).

3.5. Virtual Subnet Selection Type and Information   (Section 3.4 in -12)

   All of the (sub)options defined above carry identical payloads,
   consisting of a type and additional VSS information as follows:

   [-12]
      Type     VSS Information format:

         0     NVT ASCII VPN identifier
         1     RFC2685 VPN-ID
     2-252     Reserved
       253     CONTROL (DHCPv4 VSS sub-option only)
       254     Reserved
       255     Global, default VPN.

   [-13]
      Type     VSS Information format:

         0     NVT ASCII VPN identifier
         1     RFC2685 VPN-ID
     2-254     Reserved
       255     Global, default VPN.

   o  Type 0 -- NVT ASCII VPN identifier

      Indicates that the VSS information consists of a NVT ASCII
      string.  It MUST NOT be terminated with a zero byte.

   o  Type 1 -- RFC2685 VPN-ID

      Indicates that the VSS information consists of an RFC2685 VPN-ID
      [RFC2685], which is defined to be 7 octets in length.

   [-12 only]
   o  Type 253 -- CONTROL

      This is only valid for the DHCPv4 relay-agent-information option
      sub-option.  It indicates that another DHCPv4 VSS sub-option is
      present in the relay-agent-information option.  The sub-option
      with type CONTROL MUST be removed by any DHCPv4 server which
      successfully processes the information in the other DHCPv4 sub-
      option with valid VSS information.  In this case, there MUST NOT
      be any VSS Information included in the sub-option, and the
      length of the VSS sub-option MUST be 1.

   o  Type 255 -- Global, default VPN

      Indicates that there is no explicit, non-default VSS information
      but rather that this option references the normal, global,
      default address space.  In this case, there MUST NOT be any VSS
      Information included in the VSS option or sub-option and the
      length MUST be 1.

   All other values of the Type field are reserved.
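   The following Python encoder/decoder illustrates the payload rules of
   Section 3.5 as written in -13 (types 0, 1 and 255; 2-254 reserved)
   and the two option wrappers of Sections 3.1 and 3.4.  It is an added
   example, not code from the draft or from any implementation; the
   DHCPv6 option code is TBD in the draft, so OPTION_VSS_CODE_TBD is a
   placeholder value, and the VPN identifiers used at the bottom are
   constructed sample data.

```python
"""Virtual Subnet Selection (VSS) payload and option encoding/decoding.

Added example following draft-ietf-dhc-vpn-option-13, Sections 3.1, 3.4
and 3.5.  OPTION_VSS_CODE_TBD is a PLACEHOLDER: the DHCPv6 code is TBD.
"""
import struct
from dataclasses import dataclass

VSS_TYPE_ASCII = 0        # NVT ASCII VPN identifier, not zero-terminated
VSS_TYPE_VPN_ID = 1       # RFC 2685 VPN-ID, exactly 7 octets
VSS_TYPE_GLOBAL = 255     # global, default VPN: no VSS Information at all

DHCPV4_OPTION_VSS = 221          # Section 3.1 of the draft
OPTION_VSS_CODE_TBD = 0xFFFF     # PLACEHOLDER, not an assigned value


@dataclass(frozen=True)
class VssInfo:
    """Type octet plus VSS Information, validated per Section 3.5."""
    vss_type: int
    info: bytes = b""

    def __post_init__(self):
        if self.vss_type == VSS_TYPE_ASCII:
            if not self.info:
                raise ValueError("type 0 needs a non-empty identifier")
            if b"\x00" in self.info:
                raise ValueError("type 0 MUST NOT contain a zero byte")
            if any(c > 0x7F for c in self.info):
                raise ValueError("type 0 identifier must be NVT ASCII")
        elif self.vss_type == VSS_TYPE_VPN_ID:
            if len(self.info) != 7:
                raise ValueError("RFC 2685 VPN-ID is exactly 7 octets")
        elif self.vss_type == VSS_TYPE_GLOBAL:
            if self.info:
                raise ValueError("type 255 MUST NOT carry VSS Information")
        else:
            raise ValueError(f"reserved VSS type {self.vss_type}")

    def payload(self) -> bytes:
        return bytes([self.vss_type]) + self.info


def parse_vss_payload(data: bytes) -> VssInfo:
    """Parse Type + VSS Information; the minimum length is the Type octet."""
    if len(data) < 1:
        raise ValueError("VSS payload needs at least the Type octet")
    return VssInfo(data[0], bytes(data[1:]))


def is_valid_payload(data: bytes) -> bool:
    """True if the payload satisfies the Section 3.5 rules."""
    try:
        parse_vss_payload(data)
        return True
    except ValueError:
        return False


def encode_dhcpv4_option(vss: VssInfo) -> bytes:
    """DHCPv4 option 221: 1-octet code, 1-octet length, payload."""
    payload = vss.payload()
    if len(payload) > 255:
        raise ValueError("DHCPv4 option payload exceeds 255 octets")
    return bytes([DHCPV4_OPTION_VSS, len(payload)]) + payload


def decode_dhcpv4_option(option: bytes) -> VssInfo:
    """Reject anything that is not exactly one well-formed option 221."""
    if len(option) < 3 or option[0] != DHCPV4_OPTION_VSS:
        raise ValueError("not a DHCPv4 VSS option")
    length = option[1]
    if length < 1 or len(option) != 2 + length:
        raise ValueError("bad DHCPv4 VSS option length")
    return parse_vss_payload(option[2:])


def encode_dhcpv6_option(vss: VssInfo) -> bytes:
    """DHCPv6 OPTION_VSS: 2-octet code, 2-octet option-len, payload."""
    payload = vss.payload()
    return struct.pack("!HH", OPTION_VSS_CODE_TBD, len(payload)) + payload


def decode_dhcpv6_option(option: bytes) -> VssInfo:
    if len(option) < 5:
        raise ValueError("DHCPv6 VSS option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != OPTION_VSS_CODE_TBD or length < 1 or len(option) != 4 + length:
        raise ValueError("not a well-formed DHCPv6 VSS option")
    return parse_vss_payload(option[4:])


if __name__ == "__main__":
    # Constructed sample data: VRF "abc" as type 0, a dummy 7-octet VPN-ID.
    print(encode_dhcpv4_option(VssInfo(VSS_TYPE_ASCII, b"abc")).hex())
    print(encode_dhcpv6_option(VssInfo(VSS_TYPE_VPN_ID, bytes(7))).hex())
    print(encode_dhcpv4_option(VssInfo(VSS_TYPE_GLOBAL)).hex())
```

   Validation happens when a VssInfo is built, so a decoder that is fed
   a zero-terminated type 0 string, a 6-octet "VPN-ID", or a type 255
   with trailing octets fails closed instead of passing the malformed
   VPN selector on to address allocation.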
   skipping to change at page 9, line 28 (-12) / page 9, line 40 (-13)

   There are two known paradigms for use of the VSS option or sub-
   option, which are discussed below.

4.1. VPN assignment by the DHCP relay agent

   The typical use of the VSS option or sub-option is for the relay
   agent to know the VPN on which the DHCP client is operating.  The
   DHCP client itself does not, in this approach, know the VPN on which
   it resides.  The relay agent is responsible for mediating the access
   between the VPN on which the DHCP client resides and the DHCP server.

   [-12] In this situation, the relay agent will insert two DHCPv4 VSS
   sub-options (one with valid VSS information, and one with type
   CONTROL) into the relay-agent-information option or a DHCPv6 VSS
   option into the Relay-forward message of every request it forwards
   from the DHCP client.  The server will use the VSS option or sub-
   option to determine the VPN on which the client resides, and use
   that VPN information to select the address space within its
   configuration from which to allocate an IP address to the DHCP
   client.

   [-13] In this situation, the relay agent will insert two DHCPv4
   relay-agent-information sub-options (one VSS sub-option, and one
   VSS-Control sub-option) into the relay-agent-information option or a
   DHCPv6 VSS option into the Relay-forward message of every request it
   forwards from the DHCP client.  The server will use the DHCPv6 VSS
   option or DHCPv4 VSS sub-option to determine the VPN on which the
   client resides, and use that VPN information to select the address
   space within its configuration from which to allocate an IP address
   to the DHCP client.

   [-12] When, using this approach, a DHCPv4 relay agent inserts a VSS
   sub-option containing VSS information it MUST also insert a VSS
   sub-option containing type CONTROL, no additional VSS information,
   and a length of 1.  This is to allow determination of whether or not
   the DHCPv4 server actually processes the VSS information provided by
   the DHCPv4 relay agent.  If the DHCPv4 server supports the VSS
   capabilities described in this document, it will remove the VSS sub-
   option with type CONTROL from the relay-agent-information option that
   it returns to the DHCPv4 relay agent.  See Section 5 for more
   information.

   [-13] When, using this approach, a DHCPv4 relay agent inserts a VSS
   sub-option into the relay-agent-information option it MUST also
   insert a VSS-Control sub-option into the relay-agent-information
   option.  This is to allow determination of whether or not the DHCPv4
   server actually processes the VSS information provided by the DHCPv4
   relay agent.  If the DHCPv4 server supports the VSS capabilities
   described in this document, it will remove the VSS-Control sub-option
   from the relay-agent-information option that it returns to the DHCPv4
   relay agent.  See Section 5 for more information.

   In this approach, the relay agent might also send a VSS option or
   sub-option in either a DHCPv4 or DHCPv6 Leasequery request, but in
   this case, it would use the VSS option in the Leasequery request to
   select the correct address space for the Leasequery.  In this
   approach, the relay agent would be acting as a DHCP client from a
   Leasequery standpoint, but it would not be as if a DHCP client were
   sending in a VSS option in a standard DHCP address allocation
   request, say a DHCPDISCOVER.

   skipping to change at page 11, line 15

                                   DHCPv4
          DHCPv4                   Relay                   DHCPv4
          Client                   Agent                   Server
            |                        |                        |
            | >--DHCPDISCOVER-->     |                        |
            |   on VRF "abc"         |                        |
            |                        | >--DHCPDISCOVER---->   |
            |                        |   relay-agent-info:    |
            |                        |     VSS type VRF:"abc" |
            |                        |     VSS-Control        |
            |                        |                        |
            |                        | <----DHCPOFFER-----<   |
            |                        |   relay-agent-info:    |
            |                        |     VSS type VRF:"abc" |
            |                        |                        |
            | <---DHCPOFFER----<     |                        |
            |   on VRF "abc"         |                        |
            |                        |                        |
            | >--DHCPREQUEST--->     |                        |
            |   on VRF "abc"         |                        |
            |                        | >--DHCPREQUEST----->   |
            |                        |   relay-agent-info:    |
            |                        |     VSS type VRF:"abc" |
            |                        |     VSS-Control        |
            |                        |                        |
            |                        | <----DHCPACK-------<   |
            |                        |   relay-agent-info:    |
            |                        |     VSS type VRF:"abc" |
            |                        |                        |
            | <---DHCPACK------<     |                        |
            |   on VRF "abc"         |                        |
            |                        |                        |
           ...                      ...                      ...

              Figure 4.1-1: DHCPv4 - Relay Agent knows VPN

   [-12: the two "VSS-Control" lines in this figure read
   "VSS type CONTROL"; the figure is otherwise identical.]

   The DHCP server would know that it should respond to VPN information
   specified in a VSS option or sub-option, and it would be configured
   with appropriate VPN address spaces to service the projected client
   requirements.  Thus, in this common approach, the DHCP client knows
   nothing of any VPN access, the relay agent has been configured in
   some way that allows it to determine the VPN of the DHCP client and
   transmit that using a VSS option or sub-option to the DHCP server,

   skipping to change at page 12, line 20

   or sub-options to the configuration of VPN support, and not allow one
   without the other.

   [-12] It is important to ensure that the relay agent and DHCP server
   both support the VSS option and sub-option (for DHCPv4) or the VSS
   option (for DHCPv6).  Deploying DHCPv4 relay agents which support and
   emit VSS sub-options in concert with DHCPv4 servers which do not
   support the VSS option or sub-option as defined in this document
   SHOULD NOT be done, as such an ensemble will not operate correctly.
   Should this situation occur, however, the relay agent can detect the
   problem (since the VSS sub-option with type CONTROL will appear in
   the packets it receives from the DHCPv4 server), and it can issue
   appropriate diagnostic messages.

   [-13] It is important to ensure that the relay agent and DHCP server
   both support the VSS option and sub-option (for DHCPv4) or the VSS
   option (for DHCPv6).  Deploying DHCPv4 relay agents which support and
   emit VSS sub-options in concert with DHCPv4 servers which do not
   support the VSS option or sub-option as defined in this document
   SHOULD NOT be done, as such an ensemble will not operate correctly.
   Should this situation occur, however, the relay agent can detect the
   problem (since the VSS-Control sub-option will appear in the packets
   it receives from the DHCPv4 server, indicating the server did not
   effectively process the VSS sub-option), and it can issue appropriate
   diagnostic messages.

4.2. VPN assignment by the DHCP server

   In this approach, the DHCP server would be configured in some way to
   know the VPN on which a particular DHCP client should be given
   access.  The DHCP server would in this case include the VSS sub-
   option in the relay-agent-information option for DHCPv4 or the VSS
   option in the Relay-reply message for DHCPv6.  The relay agent
   responsible for mediating VPN access would use this information to
   select the correct VPN for the DHCP client.  In the unusual event that

   skipping to change at page 13, line 26

            |                        |     VSS type VRF:"abc" |
            |                        |                        |
            | <---DHCPOFFER----<     |                        |
            |   on VRF "abc"         |                        |
            |                        |                        |
            | >--DHCPREQUEST--->     |                        |
            |   on VRF "abc"         |                        |
            |                        | >--DHCPREQUEST----->   |
            |                        |   relay-agent-info:    |
            |                        |     VSS type VRF:"abc" |
            |                        |     VSS-Control        |
            |                        |                        |
            |                        | <----DHCPACK-------<   |
            |                        |   relay-agent-info:    |
            |                        |     VSS type VRF:"abc" |
            |                        |                        |
            | <---DHCPACK------<     |                        |
            |   on VRF "abc"         |                        |
            |                        |                        |
            |                        |                        |
           ...                      ...                      ...

             Figure 4.2-1: DHCPv4 - DHCPv4 Server knows VPN

   [-12: the "VSS-Control" line in this figure read "VSS type CONTROL";
   the figure is otherwise identical.]

   In this approach, the DHCP client is again unaware of any VPN
   activity.  In this case, however, the DHCP server knows the VPN for
   the client, and the relay agent responds to the VSS information
   specified by the DHCP server.  Similar to the previous approach, each
   entity knows its role through a means external to this document and
   no two entities try to specify VSS information in conflict.

   skipping to change at page 15, line 15

   forward message.

   The value placed in the Virtual Subnet Selection sub-option or option
   would typically be sufficient for the relay agent to properly route
   any DHCP reply packet returned from the DHCP server to the DHCP
   client for which it is destined.  In some cases, the information in
   the VSS sub-option or option might be an index into some internal
   table held in the relay agent, though this document places no
   requirement on a relay agent to have any such internal state.

   [-12] A DHCPv4 relay agent SHOULD, in addition, include a DHCPv4 VSS
   sub-option with a type of CONTROL, no additional VSS information, and
   a length of one, in the relay-agent-information option [RFC3046].
   The inclusion of two VSS sub-options in the relay-agent-information
   option, one with valid VSS information, and one with a type of
   CONTROL, will allow the DHCPv4 relay agent to determine whether the
   DHCPv4 server actually processed the information in the VSS sub-
   option containing valid VSS information.

   [-13] A DHCPv4 relay agent MUST, in addition, include a DHCPv4 VSS-
   Control sub-option (which has a length of zero) in the relay-agent-
   information option [RFC3046] whenever it includes a VSS sub-option in
   the relay-agent-information option.  The inclusion of the VSS sub-
   option and the VSS-Control sub-option in the relay-agent-information
   option will allow the DHCPv4 relay agent to determine whether the
   DHCPv4 server actually processed the information in the VSS sub-
   option when it receives the relay-agent-information option in the
   reply from the DHCPv4 server.

   The reason to include this additional VSS DHCPv4 sub-option is that
   [RFC3046] specifies (essentially) that a DHCPv4 server should copy
   all sub-options that it receives in a relay-agent-information option
   in a request into a corresponding relay-agent-information option in
   the response.  Thus, a server that didn't support the DHCPv4 VSS
   sub-option would normally just copy it to the response packet,
   leaving the relay agent to wonder if in fact the DHCPv4 server
   actually used the VSS information when processing the request.

   [-12] To alleviate this potential confusion, a DHCPv4 relay agent
   instead sends in two VSS sub-options, one with valid VSS information,
   and one with a VSS type of CONTROL.  If both sub-options appear in
   the response from the DHCPv4 server, then the DHCPv4 relay agent MUST
   assume that the DHCPv4 server did not act on the valid VSS
   information in one of the sub-options.  If only the VSS sub-option
   with the valid information appears in the response from the DHCPv4
   server and no VSS sub-option with type CONTROL appears in the
   response from the DHCPv4 server, then the relay agent SHOULD assume
   that the DHCPv4 server acted successfully on the VSS sub-option with
   the valid VSS information.

   [-13] To alleviate this potential confusion, a DHCPv4 relay agent
   instead sends in two sub-options: one VSS sub-option, and one VSS-
   Control sub-option.  If both sub-options appear in the response from
   the DHCPv4 server, then the DHCPv4 relay agent MUST assume that the
   DHCPv4 server did not act on the VSS information in the VSS sub-
   option.  If only the VSS sub-option appears in the response from the
   DHCPv4 server and no VSS-Control sub-option appears in the response
   from the DHCPv4 server, then the relay agent SHOULD assume that the
   DHCPv4 server acted successfully on the VSS sub-option.

   Anytime a relay agent places a VSS option or sub-option in a DHCP
   request, it SHOULD send it only to a DHCP server which supports the
   VSS option or sub-option, and it MUST check the response to determine
   if the DHCP server actually honored the requested VSS information.

   [-12] In the DHCPv6 case, the appearance of the option in the Relay-
   reply packet indicates that the DHCPv6 server understood and acted
   upon the contents of the VSS option in the Relay-forward packet.  In
   the DHCPv4 case, as discussed above, the appearance of the VSS sub-
   option containing valid VSS information without the appearance of a
   VSS sub-option of type CONTROL indicates that the DHCPv4 server
   successfully acted upon the VSS sub-option that was returned
   containing valid VSS information.

   [-13] In the DHCPv6 case, the appearance of the option in the Relay-
   reply packet indicates that the DHCPv6 server understood and acted
   upon the contents of the VSS option in the Relay-forward packet.  In
   the DHCPv4 case, as discussed above, the appearance of the VSS sub-
   option without the appearance of a VSS-Control sub-option indicates
   that the DHCPv4 server successfully acted upon the VSS sub-option.
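   The relay-agent side of this check, and the two server behaviours it
   distinguishes, can be seen in the following Python model of the
   relay-agent-information sub-options as described in -13 (Sections
   4.1, 4.3 and 5).  It is an added example, not code from the draft or
   from any relay or server implementation.  The VSS sub-option code 151
   is from Section 3.2; the VSS-Control code is TBD in the draft, so
   VSS_CONTROL_SUBOPT_TBD is a placeholder, and the VRF name "abc" is
   constructed sample data taken from Figure 4.1-1.

```python
"""Relay-agent-information (DHCPv4 option 82, RFC 3046) sub-option
handling for the VSS and VSS-Control sub-options of
draft-ietf-dhc-vpn-option-13.  Added example, not the draft's code.
VSS_CONTROL_SUBOPT_TBD is a PLACEHOLDER: the code is TBD in the draft.
"""
from typing import List, Tuple

RAI_SUBOPT_VSS = 151              # Section 3.2 of the draft
VSS_CONTROL_SUBOPT_TBD = 250      # PLACEHOLDER, not an assigned value

SubOptions = List[Tuple[int, bytes]]


def encode_suboptions(subopts: SubOptions) -> bytes:
    """RFC 3046 sub-option TLVs: 1-octet code, 1-octet length, data."""
    out = bytearray()
    for code, data in subopts:
        if len(data) > 255:
            raise ValueError("sub-option data exceeds 255 octets")
        out += bytes([code, len(data)]) + data
    return bytes(out)


def decode_suboptions(blob: bytes) -> SubOptions:
    """Parse TLVs, rejecting truncated headers or data."""
    subopts, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated sub-option header")
        code, length = blob[i], blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option data")
        subopts.append((code, bytes(data)))
        i += 2 + length
    return subopts


def relay_build_request_rai(vss_payload: bytes) -> bytes:
    """Relay agent (Section 5, -13): whenever a VSS sub-option is sent,
    a zero-length VSS-Control sub-option MUST accompany it."""
    if len(vss_payload) < 1:
        raise ValueError("VSS sub-option needs at least the Type octet")
    return encode_suboptions([(RAI_SUBOPT_VSS, vss_payload),
                              (VSS_CONTROL_SUBOPT_TBD, b"")])


def vss_aware_server_reply_rai(request_rai: bytes) -> bytes:
    """Server that supports VSS: uses the VSS sub-option to pick the VPN
    address space, then removes VSS-Control and echoes the remaining
    sub-options as RFC 3046 requires."""
    subopts = decode_suboptions(request_rai)
    vss = [d for c, d in subopts if c == RAI_SUBOPT_VSS]
    if not vss or len(vss[0]) < 1:
        raise ValueError("VSS sub-option missing or malformed")
    # Address selection for the VPN named by vss[0] would happen here.
    return encode_suboptions([(c, d) for c, d in subopts
                              if c != VSS_CONTROL_SUBOPT_TBD])


def legacy_server_reply_rai(request_rai: bytes) -> bytes:
    """Server without VSS support: copies every sub-option back unchanged,
    which is exactly why VSS alone cannot prove it was acted upon."""
    return request_rai


def relay_server_honored_vss(reply_rai: bytes) -> bool:
    """Relay agent check from Section 5: VSS present and VSS-Control
    absent means the server acted on the VSS information; VSS and
    VSS-Control both present means it did not and the relay MUST
    assume so (and should raise a diagnostic)."""
    codes = {c for c, _ in decode_suboptions(reply_rai)}
    if RAI_SUBOPT_VSS not in codes:
        return False          # no VSS information came back at all
    return VSS_CONTROL_SUBOPT_TBD not in codes


if __name__ == "__main__":
    # Constructed: type 0 (NVT ASCII) identifier for VRF "abc".
    req = relay_build_request_rai(bytes([0]) + b"abc")
    print(relay_server_honored_vss(vss_aware_server_reply_rai(req)))
    print(relay_server_honored_vss(legacy_server_reply_rai(req)))
```

   Run stand-alone, the first call returns True and the second False:
   the legacy server echoes both sub-options, so the relay agent sees
   the VSS-Control sub-option in the reply and knows the VPN selector
   was ignored rather than silently assuming the lease came from the
   right address space.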
   This document does not create a requirement that a relay agent
   remember the contents of a VSS DHCPv4 sub-option or VSS DHCPv6 option
   sent to a DHCP server.  In many cases, the relay agent may simply use
   the value of the VSS returned by the DHCP server to forward the
   response to the DHCP client.  If the VSS information, the IP address
   allocated, and the VPN capabilities of the relay agent all
   interoperate correctly, then the DHCP client will receive a working
   IP address.  Alternatively, if any of these items don't interoperate
   with the others, the DHCP client will not receive a working address.

   Note that in some environments a relay agent may choose to always
   place a VSS option or sub-option into packets and messages that it
   forwards in order to forestall any attempt by a relay agent closer to
   the client or the client itself to specify VSS information.  In this
   case, a type field of 255 is used to denote the global, default VPN.
   When the type field of 255 is used, there MUST NOT be any additional
   VSS information in the VSS option or sub-option.

   [-12] In the DHCPv4 case, an additional VSS sub-option with type
   CONTROL should be used, as discussed above.

   [-13] In the DHCPv4 case, an additional VSS-Control sub-option should
   be used, as discussed above.

5.1. VPN assignment by the DHCP server

   In some cases, a DHCP server may use the Virtual Subnet Selection
   sub-option or option to inform a relay agent that a particular DHCP
   client is associated with a particular VPN.  It does this by sending
   the Virtual Subnet Selection sub-option or option with the
   appropriate information to the relay agent in the relay-agent-
   information option for DHCPv4 or the Relay-reply message in DHCPv6.
   If the relay agent cannot respond correctly to the DHCP server's

   skipping to change at page 19, line 39 (-12) / page 19, line 35 (-13)

   Should this happen, the subsequent DHCPREQUEST will not contain any
   VSS information, in which case the DHCP server SHOULD NOT respond
   with a DHCPACK.

   If a server uses a different VPN than what was specified in the VSS
   option or sub-option, it SHOULD send back the VPN information using
   the same type as the received type.  It MAY send back a different type
   if it is not possible to use the same type (such as the RFC2685 VPN-
   ID if no ASCII VPN identifier exists).
A server which receives a VSS sub-option in the DHCPv4 relay-agent-
information option and does not receive a VSS-Control sub-option in
the relay-agent-information option MUST process the information
specified in the VSS sub-option in the same fashion as it would have
if it received both sub-options.
7.1. Returning the DHCPv4 or DHCPv6 Option 7.1. Returning the DHCPv4 or DHCPv6 Option
DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option
processing, see below) MUST return an instance of this option in the processing, see below) MUST return an instance of this option in the
reply packet or message if the server successfully uses this option reply packet or message if the server successfully uses this option
to allocate an IP address, and it MUST NOT include an instance of to allocate an IP address, and it MUST NOT include an instance of
this option if the server is unable to support, is not configured to this option if the server is unable to support, is not configured to
support, or does not implement support for VSS information in general support, or does not implement support for VSS information in general
or the requested VPN in particular. or the requested VPN in particular.
skipping to change at page 20, line 27 skipping to change at page 20, line 29
relay-agent-information option SHALL copy all sub-options received in relay-agent-information option SHALL copy all sub-options received in
a relay-agent-information option into any outgoing relay-agent- a relay-agent-information option into any outgoing relay-agent-
information option. Thus, the default behavior for any DHCPv4 server information option. Thus, the default behavior for any DHCPv4 server
is to return any VSS sub-option received to the relay agent whether is to return any VSS sub-option received to the relay agent whether
or not the DHCPv4 server understands the VSS sub-option. or not the DHCPv4 server understands the VSS sub-option.
In order to distinguish a DHCPv4 server which is simply copying In order to distinguish a DHCPv4 server which is simply copying
relay-agent-information option sub-options from an incoming to an relay-agent-information option sub-options from an incoming to an
outgoing relay-agent-information option from one which successfully outgoing relay-agent-information option from one which successfully
acted upon the information in the VSS sub-option, DHCPv4 relay agents acted upon the information in the VSS sub-option, DHCPv4 relay agents
MUST include two VSS sub-options in the relay-agent-information in MUST include a VSS-Control sub-option in the relay-agent-information
the request. One of these VSS sub-options contains valid VSS any time that it includes a VSS sub-option in the relay-agent-
information, and one of these VSS sub-options has a type of CONTROL, information option.
no additional VSS information, and a length of one.
A DHCPv4 server which does not support the VSS sub-option will copy A DHCPv4 server which does not support the VSS sub-option will copy
both sub-options into the outgoing relay-agent-information option, both sub-options into the outgoing relay-agent-information option,
thus signalling to the DHCPv4 relay agent that it did not understand thus signalling to the DHCPv4 relay agent that it did not understand
the VSS sub-option. the VSS sub-option.
A DHCPv4 server which supports the VSS sub-option and acts upon the A DHCPv4 server which supports the VSS sub-option:
VSS sub-option with valid VSS information in it:
o MUST copy the VSS sub-option containing the valid VSS o MUST copy the VSS sub-option into the outgoing relay-agent-
information into the outgoing relay-agent-information option information option
o MUST NOT copy the VSS sub-option with the type of CONTROL into o MUST NOT copy the VSS-Control sub-option into the outgoing
the outgoing relay-agent-information option relay-agent-information option
Moreover, if a server uses different VSS information to allocate an Moreover, if a server uses different VSS information to allocate an
IP address than it receives in a particular DHCPv4 sub-option, it IP address than it receives in a particular DHCPv4 sub-option, it
MUST include that alternative VSS information in the VSS sub-option MUST include that alternative VSS information in the VSS sub-option
that it returns to the DHCPv4 relay agent instead of the origian VSS that it returns to the DHCPv4 relay agent instead of the original VSS
information it was given. information it was given.
If a DHCPv4 server supports this sub-option and for some reason If a DHCPv4 server supports this sub-option and for some reason
(perhaps administrative control) does not honor this sub-option from (perhaps administrative control) does not honor this sub-option from
the request then it MUST NOT echo either sub-option into the outgoing the request then it MUST NOT echo either sub-option into the outgoing
relay-agent-information option. relay-agent-information option.
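As an added illustration (this is not code from the draft), a Python model of the Section 7.2 echo rules as seen from the server, plus the reading a relay agent gives the result. Assumptions: sub-option 151 is the number requested in this draft; the VSS-Control code is a placeholder because the draft leaves it TBD; type values 0 (ASCII identifier), 1 (RFC 2685 VPN-ID) and 255 (global default) are taken from the draft's type-byte registry; sub-options are modelled as a code-to-payload dict rather than wire bytes.

```python
from __future__ import annotations
from typing import Optional

VSS_SUBOPT = 151          # DHCPv4 VSS sub-option number requested in this draft
VSS_CONTROL_SUBOPT = -1   # placeholder: the draft leaves the VSS-Control code TBD

VSS_TYPE_ASCII = 0        # NVT ASCII VPN identifier      (type values assumed from
VSS_TYPE_RFC2685 = 1      # 7-octet RFC 2685 VPN-ID       the draft's type registry)
VSS_TYPE_GLOBAL = 255     # global, default VPN; carries no further VSS information


def encode_vss(vtype: int, info: bytes = b"") -> bytes:
    """Build a VSS sub-option payload: one type byte followed by the VSS information."""
    if vtype == VSS_TYPE_GLOBAL and info:
        raise ValueError("type 255 MUST NOT carry additional VSS information")
    if vtype == VSS_TYPE_RFC2685 and len(info) != 7:
        raise ValueError("an RFC 2685 VPN-ID is exactly 7 octets")
    return bytes([vtype]) + info


def echo_suboptions(incoming: dict[int, bytes], supports_vss: bool,
                    honors_vss: bool, used_vss: Optional[bytes]) -> dict[int, bytes]:
    """Sub-options the server places in the outgoing relay-agent-information option.

    incoming     sub-option code -> payload, as received from the relay agent
    supports_vss server implements the VSS sub-option at all
    honors_vss   server chose to act on it (administrative policy may refuse)
    used_vss     VSS information actually used for allocation when it differs
                 from what was received (None = same as received)
    """
    out = dict(incoming)                   # RFC 3046 default: copy every sub-option back
    if VSS_SUBOPT not in incoming or not supports_vss:
        return out                         # both echoed: relay learns VSS was not understood
    if not honors_vss:
        out.pop(VSS_SUBOPT, None)          # not honoured: echo neither sub-option
        out.pop(VSS_CONTROL_SUBOPT, None)
        return out
    out.pop(VSS_CONTROL_SUBOPT, None)      # acted upon: VSS-Control MUST NOT be copied
    if used_vss is not None:
        out[VSS_SUBOPT] = used_vss         # report the VSS actually used, not the original
    return out                             # a VSS sub-option without VSS-Control takes the same path


def relay_verdict(outgoing: dict[int, bytes]) -> str:
    """How a relay agent reads the echoed sub-options."""
    if VSS_SUBOPT in outgoing and VSS_CONTROL_SUBOPT in outgoing:
        return "not-understood"
    if VSS_SUBOPT in outgoing:
        return "understood"
    return "not-honored"
```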
7.3. Making sense of conflicting VSS information 7.3. Making sense of conflicting VSS information
It is possible for a DHCPv4 server to receive both a VSS option and It is possible for a DHCPv4 server to receive both a VSS option and
skipping to change at page 21, line 41 skipping to change at page 21, line 41
including VSS information in packets that they forward and so there including VSS information in packets that they forward and so there
should not be conflicts among relay agent specified VSS information. should not be conflicts among relay agent specified VSS information.
In these situations where multiple VSS option or sub-options appear In these situations where multiple VSS option or sub-options appear
in the incoming packet or message, when the DHCP server constructs in the incoming packet or message, when the DHCP server constructs
the response to be sent to the DHCP client or relay agent, all the response to be sent to the DHCP client or relay agent, all
existing VSS options or sub-options MUST be replicated in the existing VSS options or sub-options MUST be replicated in the
appropriate places in the response and MUST contain only the VSS appropriate places in the response and MUST contain only the VSS
information that was used by the DHCP server to allocate the IP information that was used by the DHCP server to allocate the IP
address (with, of course, the exception of a DHCPv4 relay-agent- address (with, of course, the exception of a DHCPv4 relay-agent-
information VSS sub-option with a type of CONTROL). information sub-option VSS-Control).
8. Security 8. Security
Message authentication in DHCPv4 for intradomain use where the out- Message authentication in DHCPv4 for intradomain use where the out-
of-band exchange of a shared secret is feasible is defined in of-band exchange of a shared secret is feasible is defined in
[RFC3118]. Potential exposures to attack are discussed in section 7 [RFC3118]. Potential exposures to attack are discussed in Section 7
of the DHCP protocol specification in [RFC2131]. of the DHCP protocol specification in [RFC2131].
Implementations should consider using the DHCPv4 Authentication Implementations should consider using the DHCPv4 Authentication
option [RFC3118] to protect DHCPv4 client access in order to provide option [RFC3118] to protect DHCPv4 client access in order to provide
a higher level of security if it is deemed necessary in their a higher level of security if it is deemed necessary in their
environment. environment.
Message authentication in DHCPv4 relay agents as defined in [RFC4030] Message authentication in DHCPv4 relay agents as defined in [RFC4030]
should be considered for DHCPv4 relay agents employing this sub- should be considered for DHCPv4 relay agents employing this sub-
option. Potential exposures to attack are discussed in section 7 of option. Potential exposures to attack are discussed in Section 7 of
the DHCP protocol specification in [RFC2131]. the DHCP protocol specification in [RFC2131].
For DHCPv6 use of the VSS option, the "Security Considerations" For DHCPv6 use of the VSS option, the "Security Considerations"
section of [RFC3315] details the general threats to DHCPv6, and thus Section of [RFC3315] details the general threats to DHCPv6, and thus
to messages using the VSS option. The "Authentication of DHCP to messages using the VSS option. The "Authentication of DHCP
Messages" section of [RFC3315] describes securing communication Messages" Section of [RFC3315] describes securing communication
between relay agents and servers, as well as clients and servers. between relay agents and servers, as well as clients and servers.
The VSS option could be used by a client in order to obtain an IP The VSS option could be used by a client in order to obtain an IP
address from any VPN. This option would allow a client to perform a address from any VPN. This option would allow a client to perform a
more complete address-pool exhaustion attack since the client would more complete address-pool exhaustion attack since the client would
no longer be restricted to attacking address-pools on just its local no longer be restricted to attacking address-pools on just its local
subnet. subnet.
A DHCP server that implements these options and sub-option should be A DHCP server that implements these options and sub-option should be
aware of this possibility and use whatever techniques that can be aware of this possibility and use whatever techniques that can be
skipping to change at page 22, line 45 skipping to change at page 22, line 45
selectively enable use of the feature under restricted conditions, selectively enable use of the feature under restricted conditions,
e.g., by enabling use of the option only from explicitly configured e.g., by enabling use of the option only from explicitly configured
client-ids, enabling its use only by clients on a particular subnet, client-ids, enabling its use only by clients on a particular subnet,
or restricting the VSSs from which addresses may be requested. or restricting the VSSs from which addresses may be requested.
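As an added example (not from the draft), a server-side policy gate implementing the three restrictions listed above for client-supplied VSS options. Assumptions of the example: giaddr stands in for the client's subnet (0.0.0.0 for a directly attached client), a requester passes if either its client-id or its subnet is explicitly configured, and an empty VSS allow-list means any VSS; the decision carries a reason string so refusals can be logged.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

GLOBAL_VPN = (255, b"")   # type 255: the global, default VPN; no restriction applied


@dataclass
class VssPolicy:
    """Assumed configuration knobs; the draft names the restrictions, not their syntax."""
    enabled: bool = False
    allowed_client_ids: set[bytes] = field(default_factory=set)        # explicitly configured client-ids
    allowed_subnets: list[ipaddress.IPv4Network] = field(default_factory=list)
    allowed_vss: set[tuple[int, bytes]] = field(default_factory=set)   # VSSs addresses may be requested from


def vss_permitted(policy: VssPolicy, client_id: bytes, giaddr: str,
                  requested: tuple[int, bytes]) -> tuple[bool, str]:
    """Decide whether a client-originated VSS option may select the VPN.

    requested is the decoded (type, info) pair; giaddr is the relay agent's
    address and stands in for "the client's subnet" in this example.
    """
    if requested == GLOBAL_VPN:
        return True, "global-default"
    if not policy.enabled:
        return False, "feature-disabled"
    if client_id in policy.allowed_client_ids:
        source = "client-id"
    elif any(ipaddress.ip_address(giaddr) in net for net in policy.allowed_subnets):
        source = "subnet"
    else:
        return False, "source-not-allowed"        # unknown client on an unlisted subnet
    if policy.allowed_vss and requested not in policy.allowed_vss:
        return False, "vpn-not-allowed"           # bounds which pools a client can reach
    return True, source
```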
9. IANA Considerations 9. IANA Considerations
IANA is requested to assign DHCPv4 option number 221 for the DHCPv4 IANA is requested to assign DHCPv4 option number 221 for the DHCPv4
VSS option defined in Section 3.1, in accordance with [RFC3942]. VSS option defined in Section 3.1, in accordance with [RFC3942].
IANA is requested to assign sub-option number 151 for the DHCPv4 IANA is requested to assign sub-option number 151 for the DHCPv4 VSS
sub-option defined in Section 3.2 from the DHCP Relay Agent Sub- sub-option defined in Section 3.2 from the DHCP Relay Agent Sub-
options space [RFC3046], in accordance with the spirit of [RFC3942]. options space [RFC3046], in accordance with the spirit of [RFC3942].
While [RFC3942] doesn't explicitly mention the sub-option space for While [RFC3942] doesn't explicitly mention the sub-option space for
the DHCP Relay Agent Information option [RFC3046], sub-option 151 is the DHCP Relay Agent Information option [RFC3046], sub-option 151 is
already in use by existing implementations of this sub-option and the already in use by existing implementations of this sub-option and the
current draft is essentially compatible with these current current draft is essentially upward compatible with these current
implementations. implementations.
IANA is requested to assign the value of TBD for the DHCPv4 VSS-
Control sub-option defined in Section 3.3.
IANA is requested to assign the value of TBD for the DHCPv6 VSS IANA is requested to assign the value of TBD for the DHCPv6 VSS
option defined in Section 3.3 from the DHCPv6 option registry. option defined in Section 3.4 from the DHCPv6 option registry.
The type byte defined in Section 3.4 defines a number space for which The type byte defined in Section 3.5 defines a number space for which
IANA is to create and maintain a new sub-registry entitled "VSS Type IANA is to create and maintain a new sub-registry entitled "VSS Type
values". This sub-registry needs to be related to both the DHCPv4 values". This sub-registry needs to be related to both the DHCPv4
and DHCPv6 VSS options and the DHCPv4 relay-agent-information option and DHCPv6 VSS options and the DHCPv4 relay-agent-information option
sub-option (all defined by this document), since the type byte in sub-option (all defined by this document), since the type byte in
these two options and one sub-option MUST have identical definitions. these two options and one sub-option MUST have identical definitions.
New values for the type byte may only be defined by IETF Consensus, New values for the type byte may only be defined by IETF Consensus,
as described in [RFC5226]. Basically, this means that they are as described in [RFC5226]. Basically, this means that they are
defined by RFCs approved by the IESG. defined by RFCs approved by the IESG.
 End of changes. 43 change blocks. 
96 lines changed or deleted 111 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/