draft-ietf-dhc-vpn-option-15.txt   rfc6607.txt 
DHC Working Group Kim Kinnear Internet Engineering Task Force (IETF) K. Kinnear
Internet Draft Richard Johnson Request for Comments: 6607 R. Johnson
Updates: 3046 Mark Stapp Updates: 3046 M. Stapp
Intended Status: Standards Track Cisco Systems Category: Standards Track Cisco Systems
Expires: July 26, 2012 Jay Kumarasamy ISSN: 2070-1721 April 2012
January 26, 2012
Virtual Subnet Selection Options for DHCPv4 and DHCPv6 Virtual Subnet Selection Options for DHCPv4 and DHCPv6
<draft-ietf-dhc-vpn-option-15.txt>
Status of this Memo Abstract
This Internet-Draft is submitted to IETF in full conformance with the This memo defines a DHCPv4 Virtual Subnet Selection (VSS) option, a
provisions of BCP 78 and BCP 79. DHCPv6 VSS option, and the DHCPv4 VSS and VSS-Control sub-options
carried in the DHCPv4 Relay Agent Information option. These are
intended for use by DHCP clients, relay agents, and proxy clients in
situations where VSS information needs to be passed to the DHCP
server for proper address or prefix allocation to take place.
Internet-Drafts are working documents of the Internet Engineering For the DHCPv4 option and Relay Agent Information sub-options, this
Task Force (IETF), its areas, and its working groups. Note that memo documents and extends existing usage as per RFC 3942. This memo
other groups may also distribute working documents as Internet- updates RFC 3046 regarding details relating to the copying of sub-
Drafts. options (see Section 8).
Internet-Drafts are draft documents valid for a maximum of six months Status of This Memo
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at This is an Internet Standards Track document.
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at This document is a product of the Internet Engineering Task Force
http://www.ietf.org/shadow.html. (IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6607.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 17 skipping to change at page 3, line 5
10, 2008. The person(s) controlling the copyright in some of this 10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process. modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Abstract
This memo defines a Virtual Subnet Selection (VSS) option for each of
DHCPv4 and DHCPv6, and a VSS sub-option carried in the DHCPv4 relay-
agent-information option. These are intended for use by DHCP
clients, relay agents, and proxy clients in situations where VSS
information needs to be passed to the DHCP server for proper address
or prefix allocation to take place.
For the DHCPv4 option and relay-agent-information sub-option, this
memo documents existing usage as per RFC 3942 [RFC3942]. This memo
updates RFC 3046 [RFC3046] regarding details relating to copying of
sub-options (see Section 8).
Table of Contents Table of Contents
1. Introduction................................................. 3 1. Introduction ....................................................3
2. Terminology.................................................. 4 2. Terminology .....................................................4
3. Virtual Subnet Selection Option and Sub-Options Definitions.. 5 3. Virtual Subnet Selection Options and Sub-Options: Definitions ...6
3.1. DHCPv4 Virtual Subnet Selection Option..................... 5 3.1. DHCPv4 Virtual Subnet Selection Option .....................6
3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 6 3.2. DHCPv4 Virtual Subnet Selection Sub-Option .................6
3.3. DHCPv4 Virtual Subnet Selection Control Sub-Option......... 6 3.3. DHCPv4 Virtual Subnet Selection Control Sub-Option .........7
3.4. DHCPv6 Virtual Subnet Selection Option..................... 7 3.4. DHCPv6 Virtual Subnet Selection Option .....................7
3.5. Virtual Subnet Selection Type and Information.............. 7 3.5. Virtual Subnet Selection Type and Information ..............8
4. Overview of Virtual Subnet Selection Usage................... 8 4. Overview of Virtual Subnet Selection Usage ......................8
4.1. VPN assignment by the DHCP relay agent..................... 9 4.1. VPN Assignment by the DHCP Relay Agent .....................9
4.2. VPN assignment by the DHCP server.......................... 12 4.2. VPN Assignment by the DHCP Server .........................12
4.3. Required Support........................................... 14 4.3. Required Support ..........................................14
4.4. Alternative VPN assignment approaches...................... 14 4.4. Alternative VPN Assignment Approaches .....................14
5. Relay Agent Behavior......................................... 14 5. Relay Agent Behavior ...........................................15
5.1. VPN assignment by the DHCP server.......................... 16 5.1. VPN Assignment by the DHCP Server .........................16
5.2. DHCP Leasequery............................................ 17 5.2. DHCP Leasequery ...........................................17
6. Client Behavior.............................................. 17 6. Client Behavior ................................................17
7. Server Behavior.............................................. 18 7. Server Behavior ................................................19
7.1. Returning the DHCPv4 or DHCPv6 Option...................... 19 7.1. Returning the DHCPv4 or DHCPv6 Option .....................20
7.2. Returning the DHCPv4 Sub-Option............................ 20 7.2. Returning the DHCPv4 Sub-Option ...........................20
7.3. Making sense of conflicting VSS information................ 21 7.3. Making Sense of Conflicting VSS Information ...............21
8. Updates to RFC 3046.......................................... 21 8. Update to RFC 3046 .............................................22
9. Security..................................................... 22 9. Security Considerations ........................................22
10. IANA Considerations......................................... 23 10. IANA Considerations ...........................................23
11. Acknowledgments............................................. 23 11. Acknowledgments ...............................................24
12. References.................................................. 24 12. References ....................................................25
12.1. Normative References...................................... 24 12.1. Normative References .....................................25
12.2. Informative References.................................... 24 12.2. Informative References ...................................25
1. Introduction 1. Introduction
There is a growing use of Virtual Private Network (VPN) There is a growing use of Virtual Private Network (VPN)
configurations. The growth comes from many areas; individual client configurations. This growth comes from many areas: individual client
systems needing to appear to be on the home corporate network even systems needing to appear to be on the home corporate network even
when traveling, ISPs providing extranet connectivity for customer when traveling, ISPs providing extranet connectivity for customer
companies, etc. In some of these cases there is a need for the DHCP companies, etc. In some of these cases, there is a need for the DHCP
server to know the VPN (hereafter called a "Virtual Subnet Selector" server to know the VPN (also called a "Virtual Subnet Selector" or
or "VSS") from which an address, and other resources, should be "VSS" in this document) from which an address, and other resources,
allocated. should be allocated.
This memo defines a Virtual Subnet Selection (VSS) option for each of This memo defines a DHCPv4 Virtual Subnet Selection (VSS) option, a
DHCPv4 and DHCPv6, and a VSS sub-option carried in the DHCPv4 relay- DHCPv6 VSS option, and two VSS sub-options carried in the DHCPv4
agent-information option. These are intended for use by DHCP Relay Agent Information option. These are intended for use by DHCP
clients, relay agents, and proxy clients in situations where VSS clients, relay agents, and proxy clients in situations where VSS
information needs to be passed to the DHCP server for proper address information needs to be passed to the DHCP server for proper address
or prefix allocation to take place. If the receiving DHCP server or prefix allocation to take place. If the receiving DHCP server
understands the VSS option or sub-option, this information may be understands the VSS option or sub-options, this information may be
used in conjunction with other information in determining the subnet used in conjunction with other information in determining the subnet
on which to select an address as well as other information such as on which to select an address, as well as other information such as
DNS server, default router, etc. DNS server, default router, etc.
If the allocation is being done through a DHCPv4 relay, then the If the allocation is being done through a DHCPv4 relay, then the
relay-agent-information sub-option defined here should be included. Relay Agent Information sub-options defined here should be included.
In some cases, however, an IP address is being sought by a DHCPv4 In some cases, however, an IP address is being sought by a DHCPv4
proxy on behalf of a client (which may be assigned the address via a proxy on behalf of a client (which may be assigned the address via a
different protocol). In this case, there is a need to include VSS different protocol). In this case, there is a need to include VSS
information relating to the client as a DHCPv4 option. information relating to the client as a DHCPv4 option.
If the allocation is being done through a DHCPv6 relay, then the If the allocation is being done through a DHCPv6 relay, then the
DHCPv6 VSS option defined in this document should be included in the DHCPv6 VSS option defined in this document should be included in the
Relay-forward and Relay-reply message going between the DHCPv6 relay Relay-forward and Relay-reply messages going between the DHCPv6 relay
and server. In some cases, addresses or prefixes are being sought by and server. In some cases, addresses or prefixes are being sought by
a DHCPv6 proxy on behalf of a client. In this case, there is a need a DHCPv6 proxy on behalf of a client. In this case, there is a need
for the client itself to supply the VSS information using the DHCPv6 for the client itself to supply the VSS information using the DHCPv6
VSS option in the messages that it sends to the DHCPv6 server. VSS option in the messages that it sends to the DHCPv6 server.
In the remaining text of this document, when a DHCPv6 address is In the remaining text of this document, when a DHCPv6 address is
indicated the same information applies to DHCPv6 Prefix Delegation indicated, the same information applies to DHCPv6 prefix delegation
[RFC3633] as well. [RFC3633] as well.
In the remaining text of this document, when the term VSS sub-option In the remaining text of this document, when the term "VSS
is used, it refers to the VSS sub-option carried in the DHCPv4 sub-option" is used, it refers to the VSS sub-option carried in the
relay-agent-information option. DHCPv4 Relay Agent Information option.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
This document uses the following terms: This document uses the following terms:
o "DHCP client" o DHCP client
A DHCP client is a host using DHCP to obtain configuration A DHCP client is a host using DHCP to obtain configuration
parameters such as a network address. parameters such as a network address.
o "DHCP proxy" o DHCP proxy
A DHCP proxy is a DHCP client which acquires IP addresses not A DHCP proxy is a DHCP client that acquires IP addresses not for
for its own use, but rather on behalf of another entity. There its own use but rather on behalf of another entity. There are a
are a variety of ways that a DHCP proxy can supply the addresses variety of ways that a DHCP proxy can supply the addresses it
it acquires to other entities that need them. acquires to other entities that need them.
o "DHCP relay agent" o DHCP relay agent
A DHCP relay agent is an agent that transfers BOOTP and DHCP A DHCP relay agent is an agent that transfers BOOTP and DHCP
messages between clients and servers residing on different messages between clients and servers residing on different
subnets, per [RFC951], [RFC1542], and [RFC3315]. subnets, per [RFC951], [RFC1542], and [RFC3315].
o "DHCP server" o DHCP server
A DHCP server is a host that returns configuration parameters to A DHCP server is a host that returns configuration parameters to
DHCP clients. DHCP clients.
o "DHCPv4 option" o DHCPv4 option
An option used to implement a capability defined by the DHCPv4 A DHCPv4 option is an option used to implement a capability
RFCs [RFC2131][RFC2132]. These options have one-octet code and defined by the DHCPv4 RFCs ([RFC2131] [RFC2132]). This option has
size fields. one-octet code and size fields.
o "DHCPv4 sub-option" o DHCPv4 sub-option
As used in this document, a DHCPv4 sub-option refers to a sub-
option of the relay-agent-information option [RFC3046]. These
sub-options have one-octet code and size fields.
o "DHCPv6 option" As used in this document, a DHCPv4 sub-option refers to a
sub-option of the Relay Agent Information option [RFC3046]. This
sub-option has one-octet code and size fields.
An option used to implement a capability defined by the DHCPv6 o DHCPv6 option
RFC [RFC3315]. These options have two-octet code and size
fields.
o "Global VPN" A DHCPv6 option is an option used to implement a capability
defined by the DHCPv6 RFC [RFC3315]. This option has two-octet
code and size fields.
Indicates that the address being described belongs to the set of o Global VPN
addresses not part of any VPN. In other words, the normal
address space operated on by DHCP. This includes private
addresses, for example the 10.x.x.x addresses as well as the
other private subnets that are not routed on the open internet.
o "NVT ASCII Identifier" This term indicates that the address being described belongs to
the set of addresses not part of any VPN -- in other words, the
normal address space operated on by DHCP. This includes private
addresses -- for example, the 10.x.x.x addresses as well as the
other private subnets that are not routed on the open Internet.
A Network Virtual Terminal (NVT) identifier is an identifier o NVT ASCII identifier
containing only characters from the ASCII repetoire and using
the Network Virtual Terminal encoding (see Appendix B in
[RFC5198]).
o "VSS information" A Network Virtual Terminal (NVT) identifier is an identifier
containing only characters from the ASCII repertoire and using the
Network Virtual Terminal encoding (see Appendix B of [RFC5198]).
Information about a VPN necessary to allocate an address to a o VSS information
DHCP client on that VPN and necessary to forward a DHCP reply
packet to a DHCP client on that VPN.
o "VPN" VSS information provides information about a VPN necessary to
allocate an address to a DHCP client on that VPN and necessary to
forward a DHCP reply packet to a DHCP client on that VPN.
Virtual private network. A network which appears to the client o VPN
to be a private network.
o "VPN Identifier" This term refers to a virtual private network. A VPN appears to
the client to be a private network.
The VPN-ID is defined by [RFC2685] to be a sequence of 7 octets. o VPN identifier
3. Virtual Subnet Selection Option and Sub-Options Definitions The VPN-ID is defined by [RFC2685] to be a sequence of 7 octets.
The Virtual Subnet Selection options and sub-options contain a 3. Virtual Subnet Selection Options and Sub-Options: Definitions
generalized way to specify the VSS information about a VPN. There
are two options and two sub-options defined in this section. The The VSS options and sub-options contain a generalized way to specify
actual VSS information is identical both options and one of the two the VSS information about a VPN. There are two options and two
sub-options. sub-options defined in this section. The actual VSS information is
identical for both options and for one of the two sub-options.
3.1. DHCPv4 Virtual Subnet Selection Option 3.1. DHCPv4 Virtual Subnet Selection Option
The format of the option is: The format of the option is shown below.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Length | Type | VSS Info ... | Code | Length | Type | VSS Info. ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code The option code (221). Code The option code (221).
Length The option length, minimum 1 octets. Length The option length, minimum 1 octet.
Type and VSS Information -- see Section 3.5 Type and VSS Information -- see Section 3.5.
3.2. DHCPv4 Virtual Subnet Selection Sub-Option 3.2. DHCPv4 Virtual Subnet Selection Sub-Option
This is a sub-option of the relay-agent-information option [RFC3046]. This is a sub-option of the Relay Agent Information option [RFC3046].
The format of the sub-option is: The format of the sub-option is shown below.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Length | Type | VSS Info. ... | Code | Length | Type | VSS Info. ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code The sub-option code (151). Code The sub-option code (151).
Length The sub-option length, minimum 1 octets. Length The sub-option length, minimum 1 octet.
Type and VSS Information -- see Section 3.5. Type and VSS Information -- see Section 3.5.
3.3. DHCPv4 Virtual Subnet Selection Control Sub-Option 3.3. DHCPv4 Virtual Subnet Selection Control Sub-Option
This is a sub-option of the relay-agent-information option [RFC3046]. This is a sub-option of the Relay Agent Information option [RFC3046].
The format of the sub-option is: The format of the sub-option is shown below.
0 1 0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Length | | Code | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code The sub-option code (TBD). Code The sub-option code (152).
Length The sub-option length, 0. Length The sub-option length, 0.
This sub-option only appears in the DHCPv4 relay-agent-information This sub-option only appears in the DHCPv4 Relay Agent Information
option. In a DHCP request, it indicates that a DHCPv4 VSS sub-option option. In a DHCP request, it indicates that a DHCPv4 VSS sub-option
is also present in the relay-agent-information option. In a DHCP is also present in the Relay Agent Information option. In a DHCP
reply, if it appears in the relay-agent-information option, it reply, if it appears in the Relay Agent Information option, it
indicates that the DHCP server did not understand any DHCPv4 VSS indicates that the DHCP server did not understand any DHCPv4 VSS
sub-option that also appears in the relay-agent-information option. sub-option that also appears in the Relay Agent Information option.
3.4. DHCPv6 Virtual Subnet Selection Option 3.4. DHCPv6 Virtual Subnet Selection Option
The format of the DHCPv6 Virtual Subnet Selection option is shown The format of the DHCPv6 VSS option is shown below. This option may
below. This option may be included by a client or relay-agent (or be included by a client or relay agent (or both).
both).
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION_VSS | option-len | | OPTION_VSS | option-len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | VSS Information ... | | Type | VSS Information ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
option-code OPTION_VSS (TBD). option-code OPTION_VSS (68).
option-len The number of octets in the option, minimum 1. option-len The number of octets in the option, minimum 1.
Type and VSS Information -- see Section 3.5 Type and VSS Information -- see Section 3.5.
3.5. Virtual Subnet Selection Type and Information 3.5. Virtual Subnet Selection Type and Information
All of the (sub)options defined above carry identical payloads, All of the (sub-)options defined above that carry VSS information use
consisting of a type and additional VSS information as follows: identical payloads consisting of a Type value and additional VSS
information, as follows:
Type VSS Information format:
0 NVT ASCII VPN identifier Type VSS Information Format
1 RFC2685 VPN-ID ------------------------------------------------------------
2-254 Unassigned 0 Network Virtual Terminal (NVT) ASCII VPN identifier
255 Global, default VPN. 1 RFC 2685 VPN-ID
2-254 Unassigned
255 Global, default VPN
o Type 0 -- Network Virtual Terminal (NVT) ASCII VPN identifier o Type 0 -- Network Virtual Terminal (NVT) ASCII VPN identifier
Indicates that the VSS information consists of an NVT ASCII Indicates that the VSS information consists of an NVT ASCII
string. It MUST NOT be terminated with a zero byte. string. It MUST NOT be terminated with a zero byte.
o Type 1 -- RFC2685 VPN-ID o Type 1 -- RFC 2685 VPN-ID
Indicates that the VSS information consists of an RFC2685 VPN-ID Indicates that the VSS information consists of an RFC 2685 VPN-ID
[RFC2685], which is defined to be 7 octets in length. [RFC2685], which is defined to be 7 octets in length.
o Type 255 -- Global, default VPN o Type 255 -- Global, default VPN
Indicates that there is no explicit, non-default VSS information Indicates that there is no explicit, non-default VSS information
but rather that this option references the normal, global, but rather that this option references the normal, global, default
default address space. In this case, there MUST NOT be any VSS address space. In this case, there MUST NOT be any VSS
Information included in the VSS option or sub-option and the information included in the VSS option or sub-option, and the
length of the option or sub-option MUST be 1. length of the option or sub-option MUST be 1.
All other values of the Type field are unassigned. All other values of the Type field are unassigned.
4. Overview of Virtual Subnet Selection Usage 4. Overview of Virtual Subnet Selection Usage
At the highest level, the VSS option or sub-option determines the VPN At the highest level, the VSS option or sub-option determines the VPN
on which a DHCP client is supposed to receive an IP address. How the on which a DHCP client is supposed to receive an IP address. How the
option or sub-option is entered and processed is discussed below, but option or sub-option is entered and processed is discussed below, but
the point of all of the discussion is to determine the VPN on which the point of all of the discussion is to determine the VPN on which
the DHCP client resides. This will affect a relay agent, in that it the DHCP client resides. This will affect a relay agent, in that it
will have to ensure that DHCP packets sent to and received from the will have to ensure that DHCP packets sent to and received from the
DHCP client flow over the correct VPN. This will affect the DHCP DHCP client flow over the correct VPN. This will affect the DHCP
skipping to change at page 9, line 6 skipping to change at page 9, line 13
address allocation. address allocation.
A DHCP server has as part of its configuration some IP address space A DHCP server has as part of its configuration some IP address space
from which it allocates IP addresses to DHCP clients. These from which it allocates IP addresses to DHCP clients. These
allocations are typically for a limited time, and thus the DHCP allocations are typically for a limited time, and thus the DHCP
client gets a lease on the IP address. In the absence of any VPN client gets a lease on the IP address. In the absence of any VPN
information, the IP address space is in the global or default VPN information, the IP address space is in the global or default VPN
used throughout the Internet. When a DHCP server deals with VPN used throughout the Internet. When a DHCP server deals with VPN
information, each VPN defines a new address space inside the server, information, each VPN defines a new address space inside the server,
one distinct from the global or default IP address space. A server one distinct from the global or default IP address space. A server
which supports the VSS option or sub-option thereby supports that supports the VSS option or sub-option thereby supports
allocation of IP addresses from multiple different VPNs. Supporting allocation of IP addresses from multiple different VPNs. Supporting
IP address allocation from multiple different VPNs means that the IP address allocation from multiple different VPNs means that the
DHCP server must be prepared to configure multiple different address DHCP server must be prepared to configure multiple different address
spaces (one per distinct VPN) and allocate IP addresses from these spaces (one per distinct VPN) and allocate IP addresses from these
different address spaces. different address spaces.
These address spaces are typically independent, so that the same IP These address spaces are typically independent, so that the same IP
address (consisting of the same string of bytes) could be allocated address (consisting of the same string of bytes) could be allocated
to one client in the global, default VPN, and to a different client to one client in the global, default VPN, and to a different client
residing in a different VPN. There is no conflict in this residing in a different VPN. There is no conflict in this
allocation, since the clients have essentially different addresses, allocation, since the clients have essentially different addresses,
even though these addresses consist of the same string of bytes, even though these addresses consist of the same string of bytes,
because the IPv4 or IPv6 address is qualified by the VPN. because the IPv4 or IPv6 address is qualified by the VPN.
Thus a VSS option or sub-option is a way of signaling the use of a Thus, a VSS option or sub-option is a way of signaling the use of a
VPN other than the global or default VPN. The next question is: who VPN other than the global or default VPN. This brings up the
decides what VPN a DHCP client should be using? question of who decides what VPN a DHCP client should be using.
There are three entities which can either insert a VSS option or There are three entities that can insert either a VSS option or
sub-option into a DHCPv4 packet or DHCPv6 message; a DHCP client, a sub-option into a DHCPv4 packet or DHCPv6 message: a DHCP client, a
relay agent, or a DHCPv4 or DHCPv6 server. While all of these relay agent, or a DHCPv4 or DHCPv6 server. While all of these
entities could include a different VSS option or sub-option in every entities could include a different VSS option or sub-option in every
request or response, this situation is neither typical nor useful. request or response, this situation is neither typical nor useful.
There are two known paradigms for use of the VSS option or sub- There are two known paradigms for use of the VSS option or
option, which are discussed below. sub-option; these are discussed below.
4.1. VPN assignment by the DHCP relay agent 4.1. VPN Assignment by the DHCP Relay Agent
The typical use of the VSS option or sub-option is for the relay The typical use of the VSS option or sub-option is for the relay
agent to know the VPN on which the DHCP client is operating. The agent to know the VPN on which the DHCP client is operating. The
DHCP client itself does not, in this approach, know the VPN on which DHCP client itself does not, in this approach, know the VPN on which
it resides. The relay agent is responsible for mediating the access it resides. The relay agent is responsible for mediating the access
between the VPN on which the DHCP client resides and the DHCP server. between the VPN on which the DHCP client resides and the DHCP server.
In this situation, the relay agent will insert two DHCPv4 relay- In this situation, the relay agent will insert two DHCPv4
agent-information sub-options (one VSS sub-option, and one VSS- Relay Agent Information sub-options (one VSS sub-option, and one
Control sub-option) into the relay-agent-information option or a VSS-Control sub-option) into the Relay Agent Information option, or a
DHCPv6 VSS option into the Relay-forward message of every request it DHCPv6 VSS option into the Relay-forward message of every request it
forwards from the DHCP client. The server will use the DHCPv6 VSS forwards from the DHCP client. The server will use the DHCPv6 VSS
option or DHCPv4 VSS sub-option to determine the VPN on which the option or DHCPv4 VSS sub-option to determine the VPN on which the
client resides, and use that VPN information to select the address client resides and will use that VPN information to select the
space within its configuration from which to allocate an IP address address space within its configuration from which to allocate an IP
to the DHCP client. address to the DHCP client.
When, using this approach, a DHCPv4 relay agent inserts a VSS sub- When, using this approach, a DHCPv4 relay agent inserts a VSS
option into the relay-agent-information option it MUST also insert a sub-option into the Relay Agent Information option, it MUST also
VSS-Control sub-option into the relay-agent-information-option. This insert a VSS-Control sub-option into the Relay Agent Information
is to allow determination of whether or not the DHCPv4 server option. This is to allow the determination of whether or not the
actually processes the VSS information provided by the DHCPv4 relay DHCPv4 server actually processes the VSS information provided by the
agent. If the DHCPv4 server supports the VSS capabilities described DHCPv4 relay agent. If the DHCPv4 server supports the VSS
in this document, it will remove the VSS-Control sub-option from the capabilities described in this document, it will remove the
relay-agent-information option that it returns to the DHCPv4 relay VSS-Control sub-option from the Relay Agent Information option that
agent. See Section 5 for more information. it returns to the DHCPv4 relay agent. See Section 5 for more
information.
In this approach, the relay agent might also send a VSS option or In this approach, the relay agent might also send a VSS option or
sub-option in either a DHCPv4 or DHCPv6 Leasequery request, but in sub-option in either a DHCPv4 or DHCPv6 Leasequery request [RFC4388]
this case, it would use the VSS option in the Leasequery request to [RFC5007], but in this case, it would use the VSS option in the
select the correct address space for the Leasequery. In this Leasequery request to select the correct address space for the
approach, the relay agent would be acting as a DHCP client from a Leasequery. In this approach, the relay agent would be acting as a
Leasequery standpoint, but it would not be as if a DHCP client were DHCP client from a leasequery standpoint, but it would not be as if a
sending in a VSS option in a standard DHCP address allocation DHCP client were sending in a VSS option in a standard DHCP address
request, say a DHCPDISCOVER. allocation request, say a DHCPDISCOVER.
In this approach, only one relay agent would mediate the VPN access In this approach, only one relay agent would mediate the VPN access
for the DHCP client to the DHCP server, and it would be the relay for the DHCP client to the DHCP server, and it would be the relay
agent which inserts the VSS information into the request packet and agent that inserts the VSS information into the request packet and
would remove it prior to forwarding the response packet on. that would remove it prior to forwarding the response packet.
In the diagram below is an example of a DHCPv4 client, DHCPv4 relay The diagram below shows an example of a DHCPv4 client, DHCPv4 relay
agent, and DHCPv4 server. The DHCPv6 situation is similar, but uses agent, and DHCPv4 server. The DHCPv6 situation is similar but uses
the DHCPv6 VSS option. the DHCPv6 VSS option.
DHCPv4 DHCPv4
DHCPv4 Relay DHCPv4 DHCPv4 Relay DHCPv4
Client Agent Server Client Agent Server
| | | | | |
| >--DHCPDISCOVER--> | | | >--DHCPDISCOVER--> | |
| on VRF "abc" | | | on VPN "abc" | |
| | >--DHCPDISCOVER----> | | | >--DHCPDISCOVER----> |
| | relay-agent-info: | | | Relay Agent Info: |
| | VSS type VRF:"abc"| | | VSS type 0:"abc" |
| | VSS-Control | | | VSS-Control |
| | | | | |
| | <----DHCPOFFER-----< | | | <----DHCPOFFER-----< |
| | relay-agent-info: | | | Relay Agent Info: |
| | VSS type VRF:"abc"| | | VSS type 0:"abc" |
| | | | | |
| <---DHCPOFFER----< | | | <---DHCPOFFER----< | |
| on VRF "abc" | | | on VPN "abc" | |
| | | | | |
| >--DHCPREQUEST---> | | | >--DHCPREQUEST---> | |
| on VRF "abc" | | | on VPN "abc" | |
| | >--DHCPREQUEST-----> | | | >--DHCPREQUEST-----> |
| | relay-agent-info: | | | Relay Agent Info: |
| | VSS type VRF:"abc"| | | VSS type 0:"abc" |
| | VSS-Control | | | VSS-Control |
| | | | | |
| | <----DHCPACK-------< | | | <----DHCPACK-------< |
| | relay-agent-info: | | | Relay Agent Info: |
| | VSS type VRF:"abc"| | | VSS type 0:"abc" |
| | | | | |
| <---DHCPACK------< | | | <---DHCPACK------< | |
| on VRF "abc" | | | on VPN "abc" | |
| | | | | |
... ... ... ... ... ...
Figure 4.1-1: DHCPv4 - Relay Agent knows VPN Figure 4.1-1: DHCPv4 - Relay Agent Knows VPN
The DHCP server would know that it should respond to VPN information The DHCP server would know that it should respond to VPN information
specified in a VSS option or sub-option, and it would be configured specified in a VSS option or sub-option, and it would be configured
with appropriate VPN address spaces to service the projected client with appropriate VPN address spaces to service the projected client
requirements. Thus, in this common approach, the DHCP client knows requirements. Thus, in this common approach, the DHCP client knows
nothing of any VPN access, the relay agent has been configured in nothing of any VPN access, the relay agent has been configured in
some way that allows it to determine the VPN of the DHCP client and some way that allows it to determine the VPN of the DHCP client and
transmit that using a VSS option or sub-option to the DHCP server, transmit that using a VSS option or sub-option to the DHCP server,
and the DHCP server responds to the VPN specified by the relay agent. and the DHCP server responds to the VPN specified by the relay agent.
There is no conflict between different entities trying to specify There is no conflict between different entities trying to specify
different VSS information -- each entity knows its role through different VSS information -- each entity knows its role through
policy or configuration external to this document. policy or configuration external to this document.
If any mis-configuration exists, it SHOULD result in a DHCP client If any misconfiguration exists, it SHOULD result in a DHCP client
being unable to acquire an IP address. For instance, a relay agent being unable to acquire an IP address. For instance, a relay agent
which supports VPN access SHOULD couple transmission of VSS options that supports VPN access SHOULD couple transmission of VSS options or
or sub-options to the configuration of VPN support, and not allow one sub-options to the configuration of VPN support and not allow one
without the other. without the other.
It is important to ensure that the relay agent and DHCP server both It is important to ensure that the relay agent and DHCP server both
support the VSS option and sub-option (for DHCPv4) or the VSS option support the VSS option and sub-options (for DHCPv4) or the VSS option
(for DHCPv6). Deploying DHCPv4 relay agents which support and emit (for DHCPv6). Deploying DHCPv4 relay agents that support and emit
VSS sub-options in concert with DHCPv4 servers which do not support VSS sub-options in concert with DHCPv4 servers that do not support
the VSS option or sub-option as defined in this document SHOULD NOT the VSS option or sub-option as defined in this document SHOULD NOT
be done, as such an ensemble will not operate correctly. Should this be done, as such an ensemble will not operate correctly. Should this
situation occur, however, the relay agent can detect the problem situation occur, however, the relay agent can detect the problem
(since the VSS-Control sub-option will appear in the packets it (since the VSS-Control sub-option will appear in the packets it
receives from the DHCPv4 server, indicating the server did not receives from the DHCPv4 server, indicating the server did not
effectively process the VSS sub-option), and it can issue appropriate effectively process the VSS sub-option), and it can issue appropriate
diagnostic messages. diagnostic messages.
4.2. VPN assignment by the DHCP server 4.2. VPN Assignment by the DHCP Server
In this approach, the DHCP server would be configured in some way to In this approach, the DHCP server would be configured in some way to
know the VPN on which a particular DHCP client should be given know the VPN on which a particular DHCP client should be given
access. The DHCP server would in this case include the VSS sub- access. The DHCP server would in this case include the VSS
option in the relay-agent-information option for DHCPv4 or the VSS sub-option in the Relay Agent Information option for DHCPv4 or the
option in the Relay-reply message for DHCPv6. The relay agent VSS option in the Relay-reply message for DHCPv6. The relay agent
responsible for mediating VPN access would use this information to responsible for mediating VPN access would use this information to
select the correct VPN for the DHCP client. In the unusal event that select the correct VPN for the DHCP client. In the unusual event
there were more than one relay agent involved in this transaction, that there were more than one relay agent involved in this
some external configuration or policy would be needed to inform the transaction, some external configuration or policy would be needed to
DHCPv6 server into which Relay-reply message the VSS option should inform the DHCPv6 server into which Relay-reply message the VSS
go. option should go.
Once the relay agent has placed the DHCP client into the proper VPN, Once the relay agent has placed the DHCP client into the proper VPN,
it SHOULD begin including VSS information in requests that it it SHOULD begin including VSS information in requests that it
forwards to the DHCP server. Since this information does not forwards to the DHCP server. Since this information does not
conflict with the DHCP server's idea of the proper VPN for the conflict with the DHCP server's idea of the proper VPN for the
client, everything works correctly. client, everything works correctly.
The diagram below shows this approach using DHCPv4. The DHCPv6 The diagram below shows this approach using DHCPv4. The DHCPv6
situation is similar, but uses the DHCPv6 VSS option instead. situation is similar but uses the DHCPv6 VSS option instead.
DHCPv4 DHCPv4
DHCPv4 Relay DHCPv4 DHCPv4 Relay DHCPv4
Client Agent Server Client Agent Server
| | | | | |
| >--DHCPDISCOVER--> | | | >--DHCPDISCOVER--> | |
| on unknown VPN | | | on unknown VPN | |
| | >--DHCPDISCOVER----> | | | >--DHCPDISCOVER----> |
| | | | | |
| | <----DHCPOFFER-----< | | | <----DHCPOFFER-----< |
| | relay-agent-info: | | | Relay Agent Info: |
| | VSS type VRF:"abc"| | | VSS type 0:"abc" |
| | | | | |
| <---DHCPOFFER----< | | | <---DHCPOFFER----< | |
| on VRF "abc" | | | on VPN "abc" | |
| | | | | |
| >--DHCPREQUEST---> | | | >--DHCPREQUEST---> | |
| on VRF "abc" | | | on VPN "abc" | |
| | >--DHCPREQUEST-----> | | | >--DHCPREQUEST-----> |
| | relay-agent-info: | | | Relay Agent Info: |
| | VSS type VRF:"abc"| | | VSS type 0:"abc" |
| | VSS-Control | | | VSS-Control |
| | | | | |
| | <----DHCPACK-------< | | | <----DHCPACK-------< |
| | relay-agent-info: | | | Relay Agent Info: |
| | VSS type VRF:"abc"| | | VSS type 0:"abc" |
| | | | | |
| <---DHCPACK------< | | | <---DHCPACK------< | |
| on VRF "abc" | | | on VPN "abc" | |
| | | | | |
| | | | | |
... ... ... ... ... ...
Figure 4.2-1: DHCPv4 - DHCPv4 Server knows VPN Figure 4.2-1: DHCPv4 - DHCPv4 Server Knows VPN
In this approach, the DHCP client is again unaware of any VPN In this approach, the DHCP client is again unaware of any VPN
activity. In this case, however, the DHCP server knows the VPN for activity. In this case, however, the DHCP server knows the VPN for
the client, and the relay agent responds to the VSS information the client, and the relay agent responds to the VSS information
specified by the DHCP server. Similar to the previous approach, each specified by the DHCP server. Similar to the previous approach, each
entity knows its role through a means external to this document and entity knows its role through a means external to this document, and
no two entities try to specify VSS information in conflict. no two entities try to specify VSS information in conflict.
It is important that both the relay agent as well as the DHCP server It is important that both the relay agent and the DHCP server support
both support the VSS option and sub-option (for DHCPv4) and the VSS the VSS option and sub-options (for DHCPv4) and the VSS option (for
option (for DHCPv6). Deploying and configuring VPN support in one DHCPv6). Deploying and configuring VPN support in one element and
element and not in the other is not a practical approach. not in the other is not a practical approach.
4.3. Required Support 4.3. Required Support
DHCP relay agents and servers MUST support the approach discussed in DHCP relay agents and servers MUST support the approach discussed in
Section 4.1. DHCP relay agents and server SHOULD support the Section 4.1. DHCP relay agents and servers SHOULD support the
approach discussed in Section 4.2. DHCP relay agents and servers approach discussed in Section 4.2. DHCP relay agents and servers
SHOULD NOT be configured to operate with both approaches SHOULD NOT be configured to operate with both approaches
simultaneously. simultaneously.
4.4. Alternative VPN assignment approaches 4.4. Alternative VPN Assignment Approaches
There are many other approaches which can be created with multiple There are many other approaches that can be created with multiple
relay agents each inserting VSS information into different Relay- relay agents each inserting VSS information into different
forward messages, relay agent VSS information conflicting with client Relay-forward messages, relay agent VSS information conflicting with
VSS information, or DHCP server VSS information conflicting with client VSS information, or DHCP server VSS information conflicting
relay agent and client VSS information. Since these approaches do with relay agent and client VSS information. Since these approaches
not describe situations that are useful today, specifying precisely do not describe situations that are useful today, specifying
how to resolve all of these conflicts is unlikely to be valuable in precisely how to resolve all of these conflicts is not likely to be
the event that these approaches actually become practical in the valuable in the event that these approaches actually become practical
future. in the future.
The current use of the VSS option and sub-option require that each The current use of the VSS option and sub-option requires that each
entity knows the part that it plays in dealing with VPN data. Each entity know the part that it plays in dealing with VPN data. Each
entity -- client, relay agent or agents, and server -- SHOULD know entity -- client, relay agent or agents, and server -- SHOULD know
through some policy or configuration beyond the scope of this through some policy or configuration beyond the scope of this
document whether it is responsible for specifying VPN information document whether it is responsible for specifying VPN information
using the VSS option or sub-option or responsible for responding to using the VSS option or sub-option or responsible for responding to
VSS information specified by another entity, or simply ignoring any VSS information specified by another entity, or whether it should
VSS information which it might see. simply ignore any VSS information that it might see.
Some simple conflict resolution approaches are discussed below, in Some simple conflict-resolution approaches are discussed below, in
the hopes that they will cover simple cases that may arise from the hopes that they will cover simple cases that may arise from
situations beyond those envisioned today. However, for more complex situations beyond those envisioned today. However, for more complex
situations, or simple situations where appropriate conflict situations, or simple situations where appropriate conflict-
resolution strategies differ from those discussed in this document, a resolution strategies differ from those discussed in this document, a
document detailing the usage situations and appropriate conflict document detailing the usage situations and appropriate conflict-
resolution strategies SHOULD be created and submitted for discussion resolution strategies SHOULD be created and submitted for discussion
and approval. and approval.
5. Relay Agent Behavior 5. Relay Agent Behavior
Implementers MAY provide a policy or configuration capability to Implementers MAY provide a policy or configuration capability to
enable or disable VSS support. enable or disable VSS support.
A relay agent which receives a DHCP request from a DHCP client on a A relay agent that receives a DHCP request from a DHCP client on a
VPN SHOULD include Virtual Subnet Selection information in the DHCP VPN SHOULD include VSS information in the DHCP packet prior to
packet prior to forwarding the packet on to the DHCP server unless forwarding the packet to the DHCP server unless inhibited from doing
inhibited from doing so by configuration information or policy to the so by configuration information or policy to the contrary.
contrary.
In this situation, a DHCPv4 relay agent MUST include a DHCPv4 VSS In this situation, a DHCPv4 relay agent MUST include a DHCPv4 VSS
sub-option in a relay-agent-information option [RFC3046], while a sub-option in a Relay Agent Information option [RFC3046], while a
DHCPv6 relay agent MUST include a DHCPv6 VSS option in the Relay- DHCPv6 relay agent MUST include a DHCPv6 VSS option in the
forward message. Relay-forward message.
The value placed in the Virtual Subnet Selection sub-option or option The value placed in the VSS sub-option or option would typically be
would typically be sufficient for the relay agent to properly route sufficient for the relay agent to properly route any DHCP reply
any DHCP reply packet returned from the DHCP server to the DHCP packet returned from the DHCP server to the DHCP client for which it
client for which it is destined. In some cases, the information in is destined. In some cases, the information in the VSS sub-option or
the VSS sub-option or option might be an index into some internal option might be an index to some internal table held in the relay
table held in the relay agent, though this document places no agent, though this document places no requirement on a relay agent to
requirement on a relay agent to have any such internal state. have any such internal state.
A DHCPv4 relay agent MUST, in addition, include a DHCPv4 VSS-Control A DHCPv4 relay agent MUST, in addition, include a DHCPv4 VSS-Control
sub-option (which has a length of zero) in the relay-agent- sub-option (which has a length of zero) in the
information option [RFC3046] whenever it includes a VSS sub-option in Relay Agent Information option [RFC3046] whenever it includes a VSS
the relay-agent-information option. The inclusion of the VSS sub- sub-option in the Relay Agent Information option. The inclusion of
option and the VSS-Control sub-option in the relay-agent-information the VSS sub-option and the VSS-Control sub-option in the
option will allow the DHCPv4 relay agent to determine whether the Relay Agent Information option will allow the DHCPv4 relay agent to
DHCPv4 server actually processed the information in the VSS sub- determine whether the DHCPv4 server actually processed the
option when it receives the relay-agent-information option in the information in the VSS sub-option when it receives the
reply from the DHCPv4 server. Relay Agent Information option in the reply from the DHCPv4 server.
The reason to include this additional VSS DHCPv4 sub-option is that The reason to include this additional VSS DHCPv4 sub-option is that
[RFC3046] specifies (essentially) that a DHCPv4 server should copy [RFC3046] specifies (essentially) that a DHCPv4 server should copy
all sub-options that it receives in a relay-agent-information option all sub-options that it receives in a Relay Agent Information option
in a request into a corresponding relay-agent-information option in in a request into a corresponding Relay Agent Information option in
the response. Thus, a server that didn't support the DHCPv4 VSS the response. Thus, a server that didn't support the DHCPv4 VSS
sub-option would normally just copy it to the response packet, sub-option would normally just copy it to the response packet,
leaving the relay agent to wonder if in fact the DHCPv4 server leaving the relay agent to wonder if in fact the DHCPv4 server
actually used the VSS information when processing the request. actually used the VSS information when processing the request.
To alleviate this potential confusion, a DHCPv4 relay agent instead To alleviate this potential confusion, a DHCPv4 relay agent instead
sends in two sub-options: one VSS sub-option, and one VSS-Control sends in two sub-options: one VSS sub-option, and one VSS-Control
sub-option. If both sub-options appear in the response from the sub-option. If both sub-options appear in the response from the
DHCPv4 server, then the DHCPv4 relay agent MUST assume that the DHCPv4 server, then the DHCPv4 relay agent MUST assume that the
DHCPv4 server did not act on the VSS information in the VSS sub- DHCPv4 server did not act on the VSS information in the VSS
option. If only the VSS sub-option appears in the response from the sub-option. If only the VSS sub-option appears in the response from
DHCPv4 server and no VSS-Control sub-option appears in the response the DHCPv4 server and no VSS-Control sub-option appears in the
from the DHCPv4 server, then the relay agent SHOULD assume that the response from the DHCPv4 server, then the relay agent SHOULD assume
DHCPv4 server acted successfully on the VSS sub-option. that the DHCPv4 server acted successfully on the VSS sub-option.
Anytime a relay agent places a VSS option or sub-option in a DHCP Any time a relay agent places a VSS option or sub-option in a DHCP
request, it SHOULD send it only to a DHCP server which supports the request, it SHOULD send it only to a DHCP server that supports the
VSS option or sub-option, and it MUST check the response to determine VSS option or sub-option, and it MUST check the response to determine
if the DHCP server actually honored the requested VSS information. if the DHCP server actually honored the requested VSS information.
In the DHCPv6 case, the appearance of the option in the Relay-reply In the DHCPv6 case, the appearance of the option in the Relay-reply
packet indicates that the DHCPv6 server understood and acted upon the packet indicates that the DHCPv6 server understood and acted upon the
contents of the VSS option in the Relay-forward packet. In the contents of the VSS option in the Relay-forward packet. In the
DHCPv4 case, as discussed above, the appearance of the VSS sub-option DHCPv4 case, as discussed above, the appearance of the VSS sub-option
without the appearance of a VSS-Control sub-option indicates that the without the appearance of a VSS-Control sub-option indicates that the
DHCPv4 server successfully acted upon the VSS sub-option. DHCPv4 server successfully acted upon the VSS sub-option.
This document does not create a requirement that a relay agent This document does not create a requirement that a relay agent
remember the contents of a VSS DHCPv4 sub-option or VSS DHCPv6 option remember the contents of a VSS DHCPv4 sub-option or VSS DHCPv6 option
sent to a DHCP server. In many cases, the relay agent may simply use sent to a DHCP server. In many cases, the relay agent may simply use
the value of the VSS returned by the DHCP server to forward the the value of the VSS option or sub-option returned by the DHCP server
response to the DHCP client. If the VSS information, the IP address to forward the response to the DHCP client. If the VSS information,
allocated, and the VPN capabilities of the relay agent all the IP address allocated, and the VPN capabilities of the relay agent
interoperate correctly, then the DHCP client will receive a working all interoperate correctly, then the DHCP client will receive a
IP address. Alternatively, if any of these items don't interoperate working IP address. Alternatively, if any of these items don't
with the others, the DHCP client will not receive a working address. interoperate with the others, the DHCP client will not receive a
working address.
Note that in some environments a relay agent may choose to always Note that in some environments a relay agent may choose to always
place a VSS option or sub-option into packets and messages that it place a VSS option or sub-option into packets and messages that it
forwards in order to forestall any attempt by a relay agent closer to forwards in order to forestall any attempt by a relay agent closer to
the client or the client itself to specify VSS information. In this the client or the client itself to specify VSS information. In this
case, a type field of 255 is used to denote the global, default VPN. case, a Type field of 255 is used to denote the global, default VPN.
When the type field of 255 is used, there MUST NOT be any additional When the Type field of 255 is used, there MUST NOT be any additional
VSS information in the VSS option or sub-option. In the DHCPv4 case, VSS information in the VSS option or sub-option. In the DHCPv4 case,
an additional VSS-Control sub-option would be required, as discussed an additional VSS-Control sub-option would be required, as discussed
above. above.
5.1. VPN assignment by the DHCP server 5.1. VPN Assignment by the DHCP Server
In some cases, a DHCP server may use the Virtual Subnet Selection In some cases, a DHCP server may use the VSS sub-option or option to
sub-option or option to inform a relay agent that a particular DHCP inform a relay agent that a particular DHCP client is associated with
client is associated with a particular VPN. It does this by sending a particular VPN. It does this by sending the VSS sub-option or
the Virtual Subnet Selection sub-option or option with the option with the appropriate information to the relay agent in the
appropriate information to the relay agent in the relay-agent- Relay Agent Information option for DHCPv4 or the Relay-reply message
information option for DHCPv4 or the Relay-reply message in DHCPv6. in DHCPv6. If the relay agent cannot respond correctly to the DHCP
If the relay agent cannot respond correctly to the DHCP server's server's requirement to place the DHCP client into that VPN (perhaps
requirement to place the DHCP client into that VPN (perhaps because because it has not been configured with a VPN that matches the VSS
it has not been configured with a VPN that matches the VSS information received from the DHCP server), it MUST drop the packet
information received from the DHCP server) it MUST drop the packet
and not send it to the DHCP client. and not send it to the DHCP client.
In this situation, once the relay agent has placed the DHCP client In this situation, once the relay agent has placed the DHCP client
into the VPN specified by the DHCP server, it will insert a VSS into the VPN specified by the DHCP server, it will insert a VSS
option or sub-option when forwarding packets from the client. The option or sub-option when forwarding packets from the client. The
DHCP server in normal operation will echo this VSS information into DHCP server in normal operation will echo this VSS information into
the outgoing replies. the outgoing replies.
In the event that the relay agent doesn't include VSS information on In the event that the relay agent doesn't include VSS information on
subsequent requests after the DHCP server has included VSS subsequent requests after the DHCP server has included VSS
information in a reply to the relay agent, the DHCP server can information in a reply to the relay agent, the DHCP server can
conclude that the relay agent doesn't support VSS processing, and the conclude that the relay agent doesn't support VSS processing, and the
DHCP server SHOULD stop processing this transaction and not respond DHCP server SHOULD stop processing this transaction and not respond
to the request. to the request.
5.2. DHCP Leasequery 5.2. DHCP Leasequery
Sometimes a relay-agent needs to submit a DHCP Leasequery [RFC4388] A relay agent sometimes needs to submit a DHCP Leasequery [RFC4388]
[RFC5007] packet to the DHCP server in order to recover information [RFC5007] packet to the DHCP server in order to recover information
about existing DHCP allocated IP addresses on other than the normal, about existing DHCP-allocated IP addresses on networks other than the
global VPN. In the context of a DHCP Leasequery the relay agent is a normal, global VPN. In the context of a DHCP Leasequery, the relay
direct client of the DHCP server and is not relaying a packet for agent is a direct client of the DHCP server and is not relaying a
another DHCP client. Thus, the instructions in Section 6 on Client packet for another DHCP client. Thus, the instructions in Section 6
Behavior should be followed to include the necessary VSS information. ("Client Behavior") should be followed to include the necessary VSS
information.
6. Client Behavior 6. Client Behavior
Typically, DHCPv4 and DHCPv6 clients have no interaction with VSS Typically, DHCPv4 and DHCPv6 clients have no interaction with VSS
options or sub-options. The VSS information is handled by exchanges options or sub-options. The VSS information is handled by exchanges
between a DHCPv4 or DHCPv6 relay agent and the corresponding DHCPv4 between a DHCPv4 or DHCPv6 relay agent and the corresponding DHCPv4
or DHCPv6 server. or DHCPv6 server.
However, there are times when an entity is acting as a DHCPv4 or However, there are times when an entity is acting as a DHCPv4 or
DHCPv6 client in that it is communicating directly with a DHCPv4 or DHCPv6 client in that it is communicating directly with a DHCPv4 or
DHCPv6 server. In these instances -- where communications is DHCPv6 server. In these instances -- where communication is
occurring without employing the DHCPv4 relay-agent-information option occurring without employing the DHCPv4 Relay Agent Information option
or the DHCPv6 Relay-forward or Relay-reply messages, the entity is or the DHCPv6 Relay-forward or Relay-reply messages -- the entity is
acting as a DHCPv4 or DHCPv6 client with regard to its communication acting as a DHCPv4 or DHCPv6 client with regard to its communication
with the DHCPv4 or DHCPv6 server, but not necessarily as a DHCP with the DHCPv4 or DHCPv6 server, but not necessarily as a DHCP
client who is requesting a DHCPv4 or DHCPv6 address for its own use. client that is requesting a DHCPv4 or DHCPv6 address for its own use.
The client, in this context, may be requesting an IP address for The client, in this context, may be requesting an IP address for
another entity, thus acting as a DHCP proxy. The client may be another entity, thus acting as a DHCP proxy. The client may be
requesting information about another client-to-address binding, using requesting information about another client-to-address binding, using
the DHCPv4 [RFC4388] or DHCPv6 [RFC5007] Leasequery protocol. the DHCPv4 [RFC4388] or DHCPv6 [RFC5007] leasequery protocol.
In the rest of this section, the term "client" refers to an entity In the rest of this section, the term "client" refers to an entity
communicating VSS information directly to a DHCPv4 or DHCPv6 server communicating VSS information directly to a DHCPv4 or DHCPv6 server
without using the DHCPv4 relay-agent-information option or the DHCPv6 without using the DHCPv4 Relay Agent Information option or the DHCPv6
Relay-forward or Relay-reply messages, and there is no requirement Relay-forward or Relay-reply messages, and there is no requirement
that such a client is a traditional DHCPv4 or DHCPv6 client that such a client be a traditional DHCPv4 or DHCPv6 client
requesting an IP address binding for itself. requesting an IP address binding for itself.
A DHCPv4 or DHCPv6 client will employ the VSS option to communicate DHCPv4 or DHCPv6 clients will employ the VSS option to communicate
VSS information to their respective servers. This information MUST VSS information to their respective servers. This information MUST
be included in every message concerning any IP address on a different be included in every message concerning any IP address on a different
VPN than the global or default VPN. A DHCPv4 client will place the VPN than the global or default VPN. A DHCPv4 client will place the
DHCPv4 VSS option in its packets, and a DHCPv6 client will place the DHCPv4 VSS option in its packets, and a DHCPv6 client will place the
DHCPv6 VSS option in its messages. DHCPv6 VSS option in its messages.
A DHCPv6 client that needs to place a VSS option into a DHCPv6 A DHCPv6 client that needs to place a VSS option into a DHCPv6
message SHOULD place a single VSS option into the DHCPv6 message at message SHOULD place a single VSS option into the DHCPv6 message at
the same level as the Client Identifier option. A DHCPv6 client MUST the same level as the Client Identifier option. A DHCPv6 client MUST
NOT include different VSS options in the same DHCPv6 message. NOT include different VSS options in the same DHCPv6 message.
Note that, as mentioned in Section 1, throughout this document when a Note that -- as mentioned in Section 1 -- throughout this document,
DHCPv6 address is indicated the same information applies to DHCPv6 when a DHCPv6 address is indicated, the same information applies to
Prefix Delegation [RFC3633] as well. DHCPv6 prefix delegation [RFC3633] as well.
Since this option is placed in the packet in order to change the VPN Since this option is placed in the packet in order to change the VPN
on which an IP address is allocated for a particular DHCP client, one on which an IP address is allocated for a particular DHCP client, one
presumes that an allocation on that VPN is necessary for correct presumes that an allocation on that VPN is necessary for correct
operation. Thus, a client which places this option in a packet and operation. Thus, a client that places this option in a packet and
doesn't receive it or receives a different value in a returning doesn't receive it or receives a different value in a returning
packet SHOULD drop the packet since the IP address that was allocated packet SHOULD drop the packet, since the IP address that was
will not be in the requested VPN. allocated will not be in the requested VPN.
Clients should be aware that some DHCP servers will return a VSS Clients should be aware that some DHCP servers will return a VSS
option with different values than that which was sent in. In option with different values than the values sent by the client. In
addition, a client may receive a response from a DHCP server with a addition, a client may receive a response from a DHCP server with a
VSS option when none was sent in by the Client. VSS option when none was sent by the client.
Note that when sending a DHCP Leasequery request, a relay agent is Note that when sending a DHCP Leasequery request, a relay agent is
acting as a DHCP client and so it SHOULD include the respective acting as a DHCP client, and so it SHOULD include the respective
DHCPv4 or DHCPv6 VSS option in its DHCPv4 or DHCPv6 Leasequery packet DHCPv4 or DHCPv6 VSS option in its DHCPv4 or DHCPv6 Leasequery packet
if the DHCP Leasequery request is generated for other than the if the DHCP Leasequery request is generated for other than the
default, global VPN. It SHOULD NOT include a DHCPv4 sub-option in default, global VPN. It SHOULD NOT include a DHCPv4 sub-option in
this case. this case.
7. Server Behavior 7. Server Behavior
A DHCP server receiving the VSS option or sub-option SHOULD allocate A DHCP server receiving the VSS option or sub-option SHOULD allocate
an IP address (or use the VSS information to access an already an IP address (or use the VSS information to access an already
allocated IP address) from the VPN specified by the included VSS allocated IP address) from the VPN specified by the included VSS
information. information.
In the case where the type field of the VSS option or sub-option is In the case where the Type field of the VSS option or sub-option is
255, the VSS option denotes the global, default VPN. In this case, 255, the VSS option denotes the global, default VPN. In this case,
there is no explicit VSS information beyond the type field. there is no explicit VSS information beyond the Type field.
This document does not prescribe any particular address allocation This document does not prescribe any particular address allocation
policy. A DHCP server may choose to attempt to allocate an address policy. A DHCP server may choose to attempt to allocate an address
using the VSS information and, if this is impossible, to not allocate using the VSS information and, if this is impossible, to not allocate
an address. Alternatively, a DHCP server may choose to attempt an address. Alternatively, a DHCP server may choose to attempt
address allocation based on the VSS information and, if that is not address allocation based on the VSS information and, if that is not
possible, it may fall back to allocating an address on the global or possible, it may fall back to allocating an address on the global or
default VPN. This, of course, is also the apparent behavior of any default VPN. This, of course, is also the apparent behavior of any
DHCP server which doesn't implement support for the VSS option and DHCP server that doesn't implement support for the VSS option and
sub-option. Thus, DHCP clients and relay agents SHOULD be prepared sub-option. Thus, DHCP clients and relay agents SHOULD be prepared
for either of these alternatives. for either of these alternatives.
In some cases, a DHCP server may use the Virtual Subnet Selection In some cases, a DHCP server may use the VSS sub-option or option to
sub-option or option to inform a relay agent that a particular DHCP inform a relay agent that a particular DHCP client is associated with
client is associated with a particular VPN. It does this by sending a particular VPN. It does this by sending the VSS sub-option or
the Virtual Subnet Selection sub-option or option with the option with the appropriate information to the relay agent in the
appropriate information to the relay agent in the relay-agent- Relay Agent Information option for DHCPv4 or the Relay-reply message
information option for DHCPv4 or the Relay-reply message in DHCPv6. in DHCPv6.
In this situation, the relay agent will place the client in the In this situation, the relay agent will place the client in the
proper VPN, and then it will insert a VSS option or sub-option in proper VPN, and then it will insert a VSS option or sub-option in
subsequent forwarded requests. The DHCP server will see this VSS subsequent forwarded requests. The DHCP server will see this VSS
information and since it doesn't conflict in any way with the information, and since it doesn't conflict in any way with the
server's notion of the VPN on which the client is supposed to reside, server's notion of the VPN on which the client is supposed to reside,
it will process the requests based on the VPN specified in the VSS it will process the requests based on the VPN specified in the VSS
option or sub-option, and echo the same VSS information in the option or sub-option, and echo the same VSS information in the
outgoing replies. outgoing replies.
The relay agent receiving a reply containing a VSS option should The relay agent receiving a reply containing a VSS option should
support the VSS option. Otherwise the relay agent will end up support the VSS option. Otherwise, the relay agent will end up
attempting to use the address as though it were a global address. attempting to use the address as though it were a global address.
Should this happen, the subsequent DHCPREQUEST will not contain any Should this happen, the subsequent DHCPREQUEST will not contain any
VSS information, in which case the DHCP server SHOULD NOT respond VSS information, in which case the DHCP server SHOULD NOT respond
with a DHCPACK. with a DHCPACK.
If a server uses a different VPN than what was specified in the VSS If a server uses a different VPN than what was specified in the VSS
option or sub-option, it SHOULD send back the VPN information using option or sub-option, it SHOULD send back the VPN information using
the same type as the received type. It MAY send back a different type the same type as the received type. It MAY send back a different
if it is not possible to use the same type (such as the RFC2685 VPN- type if it is not possible to use the same type (such as the RFC2685
ID if no ASCII VPN identifier exists). VPN-ID if no ASCII VPN identifier exists).
A server which receives a VSS sub-option in the DHCPv4 relay-agent- A server that receives a VSS sub-option in the DHCPv4
information option and does not receive a VSS-Control sub-option in Relay Agent Information option and does not receive a VSS-Control
the relay-agent-information option MUST process the information sub-option in the Relay Agent Information option MUST process the
specified in the VSS sub-option in the same fashion as it would have information specified in the VSS sub-option in the same fashion as it
if it received both sub-options. would have if it received both sub-options.
7.1. Returning the DHCPv4 or DHCPv6 Option 7.1. Returning the DHCPv4 or DHCPv6 Option
DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option
processing, see below) MUST return an instance of this option in the processing, see below) MUST return an instance of this option in the
reply packet or message if the server successfully uses this option reply packet or message if the server successfully uses this option
to allocate an IP address, and it MUST NOT include an instance of to allocate an IP address, and it MUST NOT include an instance of
this option if the server is unable to support, is not configured to this option if the server is unable to support, is not configured to
support, or does not implement support for VSS information in general support, or does not implement support for VSS information in general
or the requested VPN in particular. or the requested VPN in particular.
skipping to change at page 20, line 21 skipping to change at page 20, line 42
Request List option [RFC2132] should not change the processing or Request List option [RFC2132] should not change the processing or
decision to return or not return the VSS option as specified in this decision to return or not return the VSS option as specified in this
document. The appearance of the DHCPv6 VSS option in the OPTION_ORO document. The appearance of the DHCPv6 VSS option in the OPTION_ORO
[RFC3315] or the OPTION_ERO [RFC4994] should not change the [RFC3315] or the OPTION_ERO [RFC4994] should not change the
processing or decision to return (or not to return) the VSS option as processing or decision to return (or not to return) the VSS option as
specified in this document. specified in this document.
7.2. Returning the DHCPv4 Sub-Option 7.2. Returning the DHCPv4 Sub-Option
The case of the DHCPv4 sub-option is a bit more complicated. Note The case of the DHCPv4 sub-option is a bit more complicated. Note
that [RFC3046] specifies that a DHCPv4 server which supports the that [RFC3046] specifies that a DHCPv4 server that supports the
relay-agent-information option SHALL copy all sub-options received in Relay Agent Information option SHALL copy all sub-options received in
a relay-agent-information option into any outgoing relay-agent- a Relay Agent Information option into any outgoing
information option. Thus, the default behavior for any DHCPv4 server Relay Agent Information option. Thus, the default behavior for any
is to return any VSS sub-option received to the relay agent whether DHCPv4 server is to return any VSS sub-option received to the relay
or not the DHCPv4 server understands the VSS sub-option. agent whether or not the DHCPv4 server understands the VSS
sub-option.
In order to distinguish a DHCPv4 server which is simply copying In order to distinguish a DHCPv4 server that is simply copying
relay-agent-information option sub-options from an incoming to an Relay Agent Information option sub-options from an incoming to an
outgoing relay-agent-informaion option from one which successfully outgoing Relay Agent Information option from a DHCPv4 server that
acted upon the information in the VSS sub-option, DHCPv4 relay agents successfully acted upon the information in the VSS sub-option, DHCPv4
MUST include a VSS-Control sub-option in the relay-agent-information relay agents MUST include a VSS-Control sub-option in the
any time that it includes a VSS sub-option in the relay-agent- Relay Agent Information any time that it includes a VSS sub-option in
information option. the Relay Agent Information option.
A DHCPv4 server which does not support the VSS sub-option will copy A DHCPv4 server that does not support the VSS sub-option will copy
both sub-options into the outgoing relay-agent-information option, both sub-options into the outgoing Relay Agent Information option,
thus signalling to the DHCPv4 relay agent that it did not understand thus signaling to the DHCPv4 relay agent that it did not understand
the VSS sub-option. the VSS sub-option.
A DHCPv4 server which supports the VSS sub-option: A DHCPv4 server that supports the VSS sub-option
o MUST copy the VSS sub-option into the outgoing relay-agent- o MUST copy the VSS sub-option into the outgoing
information option Relay Agent Information option
o MUST NOT copy the VSS-Control sub-option into the outgoing o MUST NOT copy the VSS-Control sub-option into the outgoing
relay-agent-information option Relay Agent Information option
Moreover, if a server uses different VSS information to allocate an Moreover, if a server uses different VSS information to allocate an
IP address than it receives in a particular DHCPv4 sub-option, it IP address than it receives in a particular DHCPv4 sub-option, it
MUST include that alternative VSS information in the VSS sub-option MUST include that alternative VSS information in the VSS sub-option
that it returns to the DHCPv4 relay agent instead of the original VSS that it returns to the DHCPv4 relay agent instead of the original VSS
information it was given. information it was given.
If a DHCPv4 server supports this sub-option and for some reason If a DHCPv4 server supports this sub-option and for some reason
(perhaps administrative control) does not honor this sub-option from (perhaps administrative control) does not honor this sub-option from
the request then it MUST NOT echo either sub-option into the outgoing the request, then it MUST NOT echo either sub-option into the
relay-agent-information option. outgoing Relay Agent Information option.
7.3. Making sense of conflicting VSS information 7.3. Making Sense of Conflicting VSS Information
It is possible for a DHCPv4 server to receive both a VSS option and It is possible for a DHCPv4 server to receive both a VSS option and
VSS sub-options in the same packet. Likewise, a DHCPv6 server can VSS sub-options in the same packet. Likewise, a DHCPv6 server can
receive multiple VSS options in nested Relay-forward messages as well receive multiple VSS options in nested Relay-forward messages as well
as in the client message itself. In either of these cases, the VSS as in the client message itself. In either of these cases, the VSS
information from the relay agent closest to the DHCP server SHOULD be information from the relay agent closest to the DHCP server SHOULD be
used in preference to all other VSS information received. In the used in preference to all other VSS information received. In the
DHCPv4 case, this means that the VSS sub-option takes precedence over DHCPv4 case, this means that the VSS sub-option takes precedence over
the VSS option, and in the DHCPv6 case, this means that the VSS the VSS option, and in the DHCPv6 case, this means that the VSS
option from the outer-most Relay-forward message in which a VSS option from the outermost Relay-forward message in which a VSS option
option appears takes precedence. appears takes precedence.
The reasoning behind this approach is that the relay-agent closer to The reasoning behind this approach is that the relay agent closer to
the DHCP server is almost certainly more trusted than the DHCP client the DHCP server is almost certainly more trusted than the DHCP client
or more distant relay agents, and therefore information in the or more distant relay agents, and therefore information in the
relay-agent-information option or the Relay-forward message is more Relay Agent Information option or the Relay-forward message is more
likely to be correct. likely to be correct.
In general, relay agents SHOULD be aware through configuration or In general, relay agents SHOULD be aware through configuration or
policy external to this document whether or not they should be policy external to this document whether or not they should be
including VSS information in packets that they forward and so there including VSS information in packets that they forward, and so these
should not be conflicts among relay agent specified VSS information. relay agents should not specify any conflicting VSS information.
In these situations where multiple VSS option or sub-options appear
in the incoming packet or message, when the DHCP server constructs
the response to be sent to the DHCP client or relay agent, all
existing VSS options or sub-options MUST be replicated in the
appropriate places in the response and MUST contain only the VSS
information that was used by the DHCP server to allocate the IP
address (with, of course, the exception of a DHCPv4 relay-agent-
information sub-option VSS-Control).
8. Updates to RFC 3046 In situations where multiple VSS options or sub-options appear in the
incoming packet or message, when the DHCP server constructs the
response to be sent to the DHCP client or relay agent, all existing
VSS options or sub-options MUST be replicated in the appropriate
places in the response and MUST contain only the VSS information that
was used by the DHCP server to allocate the IP address (with, of
course, the exception of a VSS-Control sub-option of a DHCPv4
Relay Agent Information option).
This document updates the specification of the Relay Agent 8. Update to RFC 3046
Information option in RFC 3046 as follows:
Change the first sentence, second paragraph, section 2.2 of RFC 3046: This document updates the specification of the
Relay Agent Information option in Section 2.2 of RFC 3046, in the
first sentence of the second paragraph, as follows:
o OLD: o OLD:
DHCP servers claiming to support the Relay Agent Information DHCP servers claiming to support the Relay Agent Information
option SHALL echo the entire contents of the Relay Agent option SHALL echo the entire contents of the Relay Agent
Information option in all replies. Information option in all replies.
o NEW: o NEW:
DHCP servers claiming to support the Relay Agent Information DHCP servers claiming to support the Relay Agent Information
option SHALL echo the entire contents of the Relay Agent option SHALL echo the entire contents of the
Information option in all replies, except if otherwise specified Relay Agent Information option in all replies, except if otherwise
in the definition of specific Relay Agent Information sub- specified in the definition of specific Relay Agent Information
options. sub-options.
9. Security 9. Security Considerations
Message authentication in DHCPv4 for intradomain use where the out- Message authentication in DHCPv4 for intradomain use where the out-
of-band exchange of a shared secret is feasible is defined in of-band exchange of a shared secret is feasible is defined in
[RFC3118]. Potential exposures to attack are discussed in Section 7 [RFC3118]. Potential exposures to attack are discussed in Section 7
of the DHCP protocol specification in [RFC2131]. of the DHCP protocol specification [RFC2131].
Implementations should consider using the DHCPv4 Authentication Implementations should consider using the DHCPv4 Authentication
option [RFC3118] to protect DHCPv4 client access in order to provide option [RFC3118] to protect DHCPv4 client access in order to provide
a higher level of security if it is deemed necessary in their a higher level of security if it is deemed necessary in their
environment. environment.
Message authentication in DHCPv4 relay agents as defined in [RFC4030] Message authentication in DHCPv4 relay agents as defined in [RFC4030]
should be considered for DHCPv4 relay agents employing this sub- should be considered for DHCPv4 relay agents employing the
option. Potential exposures to attack are discussed in Section 7 of sub-options defined in this document. Potential exposures to attack
the DHCP protocol specification in [RFC2131]. are discussed in Section 7 of the DHCP protocol specification
[RFC2131].
For DHCPv6 use of the VSS option, the "Security Considerations" For use of the VSS option by DHCPv6, the Security Considerations
Section of [RFC3315] details the general threats to DHCPv6, and thus section of [RFC3315] details the general threats to DHCPv6, and thus
to messages using the VSS option. The "Authentication of DHCP to messages using the VSS option. The "Authentication of DHCP
Messages" Section of [RFC3315] describes securing communication Messages" section of [RFC3315] describes securing communication
between relay agents and servers, as well as clients and servers. between relay agents and servers, as well as clients and servers.
The VSS option could be used by a client in order to obtain an IP The VSS option could be used by a client in order to obtain an IP
address from any VPN. This option would allow a client to perform a address from any VPN. This option would allow a client to perform a
more complete address-pool exhaustion attack since the client would more complete address-pool exhaustion attack, since the client would
no longer be restricted to attacking address-pools on just its local no longer be restricted to attacking address pools on just its local
subnet. subnet.
A DHCP server that implements these options and sub-option should be A DHCP server that implements these VSS options and the VSS
aware of this possibility and use whatever techniques that can be sub-option should be aware of this possibility and use whatever
devised to prevent such an attack. Information such as the giaddr in techniques can be devised to prevent such an attack. Information
DHCPv4 or link address in the Relay-forward DHCPv6 message might be such as the giaddr in DHCPv4 or link address in the Relay-forward
used to detect and prevent this sort of attack. DHCPv6 message might be used to detect and prevent this sort of
attack.
One possible defense would be for the DHCP relay to insert a VSS One possible defense would be for the DHCP relay agent to insert a
option or sub-option to override the DHCP client's VSS option. VSS option or sub-option to override the DHCP client's VSS option.
Servers that implement the VSS option and sub-option MUST by default Servers that implement the VSS option and sub-option MUST by default
disable use of the feature; it must specifically be enabled through disable use of the feature; it must specifically be enabled through
configuration. Moreover, a server SHOULD provide the ability to configuration. Moreover, a server SHOULD provide the ability to
selectively enable use of the feature under restricted conditions, selectively enable use of the feature under restricted conditions,
e.g., by enabling use of the option only from explicitly configured e.g., by enabling use of the option only from explicitly configured
client-ids, enabling its use only by clients on a particular subnet, client-ids, enabling its use only by clients on a particular subnet,
or restricting the VSSs from which addresses may be requested. or restricting the VSSs from which addresses may be requested.
10. IANA Considerations 10. IANA Considerations
IANA is requested to assign DHCPv4 option number 221 for the DHCPv4 IANA has assigned DHCPv4 option number 221 to the DHCPv4 Virtual
VSS option defined in Section 3.1, in accordance with [RFC3942]. Subnet Selection option defined in Section 3.1, in accordance with
[RFC3942].
IANA is requested to assign sub-option number 151 for the DHCPv4 VSS IANA has assigned sub-option number 151 to the DHCPv4 Virtual Subnet
sub-option defined in Section 3.2 from the DHCP Relay Agent Sub- Selection sub-option defined in Section 3.2 from the DHCP Relay Agent
options space [RFC3046], in accordance with the spirit of [RFC3942]. Sub-options space [RFC3046], in accordance with the spirit of
While [RFC3942] doesn't explicitly mention the sub-option space for [RFC3942]. While [RFC3942] doesn't explicitly mention the sub-option
the DHCP Relay Agent Information option [RFC3046], sub-option 151 is space for the DHCP Relay Agent Information option [RFC3046],
already in use by existing implementations of this sub-option and the sub-option 151 is already in use by existing implementations of this
current draft is essentially upward compatible with these current sub-option, and this document is essentially upward-compatible with
implementations. these current implementations.
IANA is requested to assign the value of TBD for the DHCPv4 VSS- IANA has assigned the value of 152 to the DHCPv4 Virtual Subnet
Control sub-option defined in Section 3.3. Selection Control sub-option defined in Section 3.3.
IANA is requested to assign the value of TBD for the DHCPv6 VSS IANA has assigned the value of 68 for the DHCPv6 Virtual Subnet
option defined in Section 3.4 from the DHCPv6 option registry. Selection option defined in Section 3.4 from the DHCP Option Codes
registry.
The type byte defined in Section 3.5 defines a number space for which The Type byte defined in Section 3.5 defines a number space for which
IANA is to create and maintain a new sub-registry entitled "VSS Type IANA has created and will maintain a new sub-registry entitled "VSS
values". This sub-registry needs to be related to both the DHCPv4 Type Options". This sub-registry needs to be related to both the
and DHCPv6 VSS options and the DHCPv4 relay-agent-information option DHCPv4 and DHCPv6 VSS options and the DHCPv4 Relay Agent Information
sub-option (all defined by this document), since the type byte in option sub-option (all defined by this document), since the Type byte
these two options and one sub-option MUST have identical definitions. in these two options and the VSS sub-option MUST have identical
definitions.
New values for the type byte may only be defined by IETF Consensus, New values for the Type byte may only be defined by IETF Review, as
as described in [RFC5226]. Basically, this means that they are described in [RFC5226]. Basically, this means that they are defined
defined by RFCs approved by the IESG. by RFCs approved by the IESG.
11. Acknowledgments 11. Acknowledgments
Bernie Volz recommended consolidation of the DHCPv4 option and sub- Jay Kumarasamy contributed to earlier versions of this document.
option drafts after extensive review of the former drafts, and Bernie Volz recommended consolidation of the DHCPv4 option and
provided valuable assistance in structuring and reviewing this sub-option documents after extensive review of those former
document. Alper Yegin expressed interest in the DHCPv6 VSS option, documents, and provided valuable assistance in structuring and
resulting in this combined draft covering all three areas. Alfred reviewing this document. Alper Yegin expressed interest in the
Hoenes provided assistance with editorial review as well as raising DHCPv6 VSS option, resulting in this combined document covering all
substantive protocol issues. David Hankins and Bernie Volz each three areas. Alfred Hoenes provided assistance with editorial review
raised important protocol issues which resulted in a clarified and also raised substantive protocol issues. David Hankins and
document. Josh Littlefield provided editorial assistance. Several Bernie Volz each raised important protocol issues that resulted in a
IESG reviewers took the time to substantially review this document, clarified document. Josh Littlefield provided editorial assistance.
resulting in much increased clarity. Several IESG reviewers took the time to substantially review this
document, resulting in much-improved clarity.
12. References 12. References
12.1. Normative References 12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997. Requirement Levels", RFC 2119, March 1997.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, [RFC2131] Droms, R., "Dynamic Host Configuration Protocol",
March 1997. RFC 2131, March 1997.
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP
Extensions", RFC 2132, March 1997. Vendor Extensions", RFC 2132, March 1997.
[RFC2685] Fox, B., Gleeson, B., "Virtual Private Networks [RFC2685] Fox, B. and B. Gleeson, "Virtual Private Networks
Identifier", RFC 2685, September 1999. Identifier", RFC 2685, September 1999.
[RFC3046] Patrick, M., "DHCP Relay Agent Information Option", RFC [RFC3046] Patrick, M., "DHCP Relay Agent Information Option",
3046, January 2001. RFC 3046, January 2001.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and [RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
M. Carney, "Dynamic Host Configuration Protocol for IPv6 C., and M. Carney, "Dynamic Host Configuration Protocol
(DHCPv6)", RFC 3315, July 2003. for IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic [RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic
Host Configuration Protocol (DHCP) version 6", RFC 3633, December Host Configuration Protocol (DHCP) version 6", RFC 3633,
2003. December 2003.
[RFC4994] Zeng, S., Volz, B., Kinnear, K. and J. Brzozowski, "DHCPv6 [RFC4994] Zeng, S., Volz, B., Kinnear, K. and J. Brzozowski,
Relay Agent Echo Request Option", RFC 4994, September 2007. "DHCPv6 Relay Agent Echo Request Option", RFC 4994,
September 2007.
12.2. Informative References 12.2. Informative References
[RFC951] Croft, B. and J. Gilmore, "Bootstrap Protocol", RFC 951, [RFC951] Croft, W. and J. Gilmore, "Bootstrap Protocol", RFC 951,
September 1985. September 1985.
[RFC1542] Wimer, W., "Clarifications and Extensions for the Bootstrap [RFC1542] Wimer, W., "Clarifications and Extensions for the
Protocol", RFC 1542, October 1993. Bootstrap Protocol", RFC 1542, October 1993.
[RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP [RFC3118] Droms, R., Ed., and W. Arbaugh, Ed., "Authentication for
Messages", RFC 3118, June 2001. DHCP Messages", RFC 3118, June 2001.
[RFC3942] Volz, B., "Reclassifying Dynamic Host Configuration [RFC3942] Volz, B., "Reclassifying Dynamic Host Configuration
Protocol version 4 (DHCPv4) Options", RFC 3942, November 2004. Protocol version 4 (DHCPv4) Options", RFC 3942,
November 2004.
[RFC4030] Stapp, M. and T. Lemon, "The Authentication Suboption for [RFC4030] Stapp, M. and T. Lemon, "The Authentication Suboption for
the Dynamic Host Configuration Protocol (DHCP) Relay Agent the Dynamic Host Configuration Protocol (DHCP) Relay
Option", RFC 4030, March 2005. Agent Option", RFC 4030, March 2005.
[RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration
Protocol (DHCP) Leasequery", RFC 4388, February 2006. Protocol (DHCP) Leasequery", RFC 4388, February 2006.
[RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng, "DHCPv6 [RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng,
Leasequery", RFC 5007, September 2007. "DHCPv6 Leasequery", RFC 5007, September 2007.
[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network [RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network
Interchange", RFC 5198, March 2008. Interchange", RFC 5198, March 2008.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
Authors' Addresses Authors' Addresses
Kim Kinnear Kim Kinnear
Cisco Systems Cisco Systems
1414 Massachusetts Ave. 1414 Massachusetts Ave.
Boxborough, Massachusetts 01719 Boxborough, MA 01719
Phone: (978) 936-0000
EMail: kkinnear@cisco.com
Richard Johnson
Cisco Systems
170 W. Tasman Dr.
San Jose, CA 95134
Phone: (408) 526-4000 Phone: (978) 936-0000
EMail: kkinnear@cisco.com
EMail: raj@cisco.com Richard Johnson
Mark Stapp Cisco Systems
Cisco Systems 170 W. Tasman Dr.
1414 Massachusetts Ave. San Jose, CA 95134
Boxborough, Massachusetts 01719
Phone: (978) 936-0000 Phone: (408) 526-4000
EMail: raj@cisco.com
EMail: mjs@cisco.com Mark Stapp
Cisco Systems
1414 Massachusetts Ave.
Boxborough, MA 01719
Jay Kumarasamy Phone: (978) 936-0000
EMail: mjs@cisco.com
 End of changes. 197 change blocks. 
588 lines changed or deleted 583 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/