draft-ietf-dhc-forcerenew-nonce-00.txt   draft-ietf-dhc-forcerenew-nonce-01.txt 
DHC WG D. Miles softwire D. Miles
Internet-Draft Alcatel-Lucent Internet-Draft Alcatel-Lucent
Intended status: Standards Track W. Dec Intended status: Standards Track W. Dec
Expires: December 5, 2009 Cisco Systems Expires: September 11, 2011 Cisco Systems
J. Bristow J. Bristow
Swisscom Schweiz AG Swisscom Schweiz AG
R. Maglione R. Maglione
Telecom Italia Telecom Italia
June 3, 2009 March 10, 2011
Forcerenew Nonce Authentication Forcerenew Nonce Authentication
draft-ietf-dhc-forcerenew-nonce-00 draft-ietf-dhc-forcerenew-nonce-01
Abstract
DHCP Forcerenew allows for the reconfiguration of a single host by
forcing the DHCP client into a Renew state on a trigger from the DHCP
server. In Forcerenew Nonce Authentication the server exchanges a
nonce with the client on the initial DHCP ACK that is used for
subsequent validation of a Forcerenew message.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF). Note that other groups may also distribute
other groups may also distribute working documents as Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at This Internet-Draft will expire on September 11, 2011.
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 5, 2009.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents
publication of this document (http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Abstract include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
DHCP Forcerenew allows for the reconfiguration of a single host by This document may contain material from IETF Documents or IETF
forcing the DHCP client into a Renew state on a trigger from the DHCP Contributions published or made publicly available before November
server. In Forcerenew Nonce Authentication the server exchanges a 10, 2008. The person(s) controlling the copyright in some of this
nonce with the client on the initial DHCP ACK that is used for material may not have granted the IETF Trust the right to allow
subsequent validation of a Forcerenew message. modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4
2. Message authentication . . . . . . . . . . . . . . . . . . . . 3 3. Message authentication . . . . . . . . . . . . . . . . . . . . 4
2.1. Forcerenew Nonce Authentication . . . . . . . . . . . . . 3 3.1. Forcerenew Nonce Authentication . . . . . . . . . . . . . 4
2.1.1. Forcerenew Nonce Protocol Capability Option . . . . . 4 3.1.1. Forcerenew Nonce Protocol Capability Option . . . . . 5
2.1.2. Forcerenew Nonce Protocol . . . . . . . . . . . . . . 6 3.1.2. Forcerenew Nonce Protocol . . . . . . . . . . . . . . 7
2.1.3. Server considerations for Forcerenew Nonce 3.1.3. Server considerations for Forcerenew Nonce
Authentication . . . . . . . . . . . . . . . . . . . . 7
2.1.4. Client considerations for Forcerenew Nonce
Authentication . . . . . . . . . . . . . . . . . . . . 8 Authentication . . . . . . . . . . . . . . . . . . . . 8
3. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.1.4. Client considerations for Forcerenew Nonce
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 Authentication . . . . . . . . . . . . . . . . . . . . 9
5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
5.1. Protocol vulnerabilities . . . . . . . . . . . . . . . . . 9 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
6.1. Normative References . . . . . . . . . . . . . . . . . . . 10 6.1. Protocol vulnerabilities . . . . . . . . . . . . . . . . . 10
6.2. Informative References . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . . 11
7.2. Informative References . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
This document defines extensions to Authentication for DHCP(v4) The DHCP Reconfigure Extension defined in [RFC3203] is a useful
Messages [RFC3118] to create a new authentication protocol for DHCPv4 mechanism allowing dynamic reconfiguration of a single host triggered
Forcerenew [RFC3203] messages. Authentication for DHCP [RFC3118] is by the DHCP server. Its application is currently limited by a
mandatory for Forcerenew, however as it is currently defined requirement that FORCERENEW message is always authenticated using
[RFC3118] requires distribution of constant token or shared-secret procedures as described in [RFC3118]. Authentication for DHCP
out-of-band to DHCP clients. The Forcerenew Nonce is exchanged [RFC3118] is mandatory for Forcerenew, however as it is currently
between server and client on initial DHCP ACK and is used for defined [RFC3118] requires distribution of constant token or shared-
verification of any subsequent Forcerenew message. secret out-of-band to DHCP clients. The mandatory authentication was
originally motivated by a legitimate security concern whereby in some
Forcerenew Nonce Authentication follows the model set forward in network environments a FORCERENEW message can be spoofed. However,
DHCPv6 [RFC3315] as the Reconfigure Key Authentication Protocol. in some networks native security mechanisms already provide
sufficient protection against spoofing of DHCP traffic. An example
of such network is a DSL Forum TR-101 [TR-101] compliant access
network. In such environments the mandatory coupling between
FORCERENEW and DHCP Authentication [RFC3118] can be relaxed. This
document defines extensions to Authentication for DHCP(v4) Messages
[RFC3118] to create a new authentication protocol for DHCPv4
Forcerenew [RFC3203] messages; this method does not require out-of-
band key distribution to DHCP clients. The Forcerenew Nonce is
exchanged between server and client on initial DHCP ACK and is used
for verification of any subsequent Forcerenew message.
1.1. Requirements Language 2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Message authentication 3. Message authentication
The FORCERENEW message must be authenticated using either [RFC3118] The FORCERENEW message must be authenticated using either [RFC3118]
or the proposed Forcerenew Nonce Authentication protocol. or the proposed Forcerenew Nonce Authentication protocol.
2.1. Forcerenew Nonce Authentication 3.1. Forcerenew Nonce Authentication
The Forcerenew nonce authentication protocol provides protection The Forcerenew nonce authentication protocol provides protection
against misconfiguration of a client caused by a Forcerenew message against misconfiguration of a client caused by a Forcerenew message
sent by a malicious DHCP server. In this protocol, a DHCP server sent by a malicious DHCP server. In this protocol, a DHCP server
sends a Forcerenew nonce to the client in the initial exchange of sends a Forcerenew nonce to the client in the initial exchange of
DHCP messages. The client records the Forcerenew nonce for use in DHCP messages. The client records the Forcerenew nonce for use in
authenticating subsequent Forcerenew messages from that server. The authenticating subsequent Forcerenew messages from that server. The
server then includes an HMAC computed from the Forcerenew nonce in server then includes an HMAC computed from the Forcerenew nonce in
subsequent Forcerenew messages. subsequent Forcerenew messages.
skipping to change at page 4, line 5 skipping to change at page 5, line 16
HMAC in subsequent Forcerenew messages are carried as the HMAC in subsequent Forcerenew messages are carried as the
Authentication information in a DHCP Authentication option. The Authentication information in a DHCP Authentication option. The
format of the Authentication information is defined in the following format of the Authentication information is defined in the following
section. section.
The Forcerenew nonce protocol is used (initiated by the server) only The Forcerenew nonce protocol is used (initiated by the server) only
if the client and server are not using any other authentication if the client and server are not using any other authentication
protocol and the client and server have negotiated to use the protocol and the client and server have negotiated to use the
Forcerenew Nonce Authentication protocol. Forcerenew Nonce Authentication protocol.
2.1.1. Forcerenew Nonce Protocol Capability Option 3.1.1. Forcerenew Nonce Protocol Capability Option
A DHCP client indicates DHCP Forcerenew Nonce Protocol capability by A DHCP client indicates DHCP Forcerenew Nonce Protocol capability by
including a FORCERENEW_NONCE_CAPABLE(<TBD>) option in DHCP Discover including a FORCERENEW_NONCE_CAPABLE(<TBD>) option in DHCP Discover
and Request messages sent to the server. and Request messages sent to the server.
A DHCP server that does not support Forcerenew Nonce Protocol A DHCP server that does not support Forcerenew Nonce Protocol
authentication should ignore the FORCERENEW_NONCE_CAPABLE(<TBD>) authentication should ignore the FORCERENEW_NONCE_CAPABLE(<TBD>)
option. A DHCP server indicates DHCP Forcerenew Nonce Protocol option. A DHCP server indicates DHCP Forcerenew Nonce Protocol
preference by including a FORCERENEW_NONCE_CAPABLE(<TBD>) option in preference by including a FORCERENEW_NONCE_CAPABLE(<TBD>) option in
any DHCP Offer messages sent to the client. any DHCP Offer messages sent to the client.
A DHCP client MUST NOT send DHCP messages with authentication options A DHCP client MUST NOT send DHCP messages with authentication options
where the protocol value is Forcerenew Nonce Authentication(<TBD>). where the protocol value is Forcerenew Nonce Authentication(<TBD>).
The FORCERENEW_NONCE_CAPABLE option is a zero length option with code The FORCERENEW_NONCE_CAPABLE option is a zero length option with code
of <TDB> and format as follows: of <TDB> and format as follows:
Code Len
+-----+-----+ Code Len
| TBD | 0 | +-----+-----+
+-----+-----+ | TBD | 0 |
+-----+-----+
The client would indicate that it supports the functionality by The client would indicate that it supports the functionality by
inserting the FORCERENEW_NONCE_CAPABLE option in the DHCP Discover inserting the FORCERENEW_NONCE_CAPABLE option in the DHCP Discover
and Request messages. If the server supports Forcerenew nonce and Request messages. If the server supports Forcerenew nonce
authentication and is configured to require Forcerenew nonce authentication and is configured to require Forcerenew nonce
authentication, it will insert the FORCERENEW_NONCE_CAPABLE option in authentication, it will insert the FORCERENEW_NONCE_CAPABLE option in
the DHCP Offer message. the DHCP Offer message.
Server Client Server
(not selected) (selected)
v v v Server Client Server
| | | (not selected) (selected)
| Begins initialization |
| | |
| _____________/|\____________ |
|/DHCPDISCOVER | DHCPDISCOVER \|
| w/Forcerenew- | w/Forcerenew- |
| Nonce-Capable | Nonce-Capable |
| | |
Determines | Determines
configuration | configuration
| | |
|\ | /|
| \__________ | _________/ |
| DHCPOFFER \ | /DHCPOFFER |
|w/Forcerenew \ | /w/Forcerenew|
|Nonce-Capable \| /Nonce-Capable|
| | |
| Collects replies |
| | |
| Selects configuration |
| | |
| _____________/|\____________ |
|/ DHCPREQUEST | DHCPREQUEST\ |
| w/Forcerenew- | w/Forcerenew- |
| Nonce-Capable | Nonce-Capable |
| | |
| | Commits configuration
| | |
| |Creates 128-bit Forcerenew Nonce
| | |
| | _____________/|
| |/ DHCPACK |
| | w/Auth-Proto= |
| | Forcerenew- |
| | Nonce |
| | |
|Client stores Forcerenew Nonce |
| | |
| Initialization complete |
| | |
. . .
. . .
| | |
| Forcerenew |
| | _____________/|
| |/ DHCPFORCE |
| | w/Auth-Proto= |
| | Forcerenew- |
| | Digest(HMAC)|
| | |
| Client checks HMAC digest |
| using stored Forcerenew Nonce |
| | |
| |\____________ |
| | DHCPREQUEST\ |
| | w/Forcerenew- |
| | Nonce-Capable |
| | |
| | Commits configuration
| | |
| |Creates 128-bit Forcerenew Nonce
| | |
| | _____________/|
| |/ DHCPACK |
| | w/Auth-Proto= |
| | Forcerenew- |
| | Nonce |
| | |
| | |
| | |
. . .
. . .
| | |
| Graceful shutdown |
| | |
| |\ ____________ |
| | DHCPRELEASE \|
| | |
| | Discards lease
| | |
v v v
2.1.2. Forcerenew Nonce Protocol v v v
| | |
| Begins initialization |
| | |
| _____________/|\____________ |
|/DHCPDISCOVER | DHCPDISCOVER \|
| w/Forcerenew- | w/Forcerenew- |
| Nonce-Capable | Nonce-Capable |
| | |
Determines | Determines
configuration | configuration
| | |
|\ | /|
| \__________ | _________/ |
| DHCPOFFER \ | /DHCPOFFER |
|w/Forcerenew \ | /w/Forcerenew|
|Nonce-Capable \| /Nonce-Capable|
| | |
| Collects replies |
| | |
| Selects configuration |
| | |
| _____________/|\____________ |
|/ DHCPREQUEST | DHCPREQUEST\ |
| w/Forcerenew- | w/Forcerenew- |
| Nonce-Capable | Nonce-Capable |
| | |
| | Commits configuration
| | |
| |Creates 128-bit Forcerenew Nonce
| | |
| | _____________/|
| |/ DHCPACK |
| | w/Auth-Proto= |
| | Forcerenew- |
| | Nonce |
| | |
|Client stores Forcerenew Nonce |
| | |
| Initialization complete |
| | |
. . .
. . .
| | |
| Forcerenew |
| | _____________/|
| |/ DHCPFORCE |
| | w/Auth-Proto= |
| | Forcerenew- |
| | Digest(HMAC)|
| | |
| Client checks HMAC digest |
| using stored Forcerenew Nonce |
| | |
| |\____________ |
| | DHCPREQUEST\ |
| | w/Forcerenew- |
| | Nonce-Capable |
| | |
| | Commits configuration
| | |
| |Creates 128-bit Forcerenew Nonce
| | |
| | _____________/|
| |/ DHCPACK |
| | w/Auth-Proto= |
| | Forcerenew- |
| | Nonce |
| | |
| | |
| | |
. . .
. . .
| | |
| Graceful shutdown |
| | |
| |\ ____________ |
| | DHCPRELEASE \|
| | |
| | Discards lease
| | |
v v v
3.1.2. Forcerenew Nonce Protocol
[RFC3118] defined an extensible DHCPv4 authentication option which [RFC3118] defined an extensible DHCPv4 authentication option which
supports multiple protocols. The Forcerenew Nonce Protocol makes use supports multiple protocols. The Forcerenew Nonce Protocol makes use
of the DHCP authentication option defined in [RFC3118] re-using the of the DHCP authentication option defined in [RFC3118] re-using the
option format. option format.
The following fields are set in an DHCP authentication option for the The following fields are set in an DHCP authentication option for the
Forcerenew Nonce Authentication Protocol: Forcerenew Nonce Authentication Protocol:
protocol <TBD (IANA)> protocol <TBD (IANA)>
algorithm 1
algorithm 1
RDM 0 RDM 0
The format of the Authentication information for the Forcerenew Nonce The format of the Authentication information for the Forcerenew Nonce
Authentication Protocol is: Authentication Protocol is:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Value (128 bits) | | Type | Value (128 bits) |
+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+ |
. . . .
. . . .
. +-+-+-+-+-+-+-+-+ . +-+-+-+-+-+-+-+-+
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type Type of data in Value field carried in this option: Type Type of data in Value field carried in this option:
1 Forcerenew Nonce value (used in ACK message). 1 Forcerenew Nonce value (used in ACK message)
2 HMAC-MD5 digest of the message (FORCERENEW 2 HMAC-MD5 digest of the message (FORCERENEW message)
message).
Value Data as defined by field. Value Data as defined by field
2.1.3. Server considerations for Forcerenew Nonce Authentication 3.1.3. Server considerations for Forcerenew Nonce Authentication
The use of Forcerenew Nonce Protocol is dependent on the client The use of Forcerenew Nonce Protocol is dependent on the client
indicating its capability through the FORCERENEW_NONCE_CAPABLE(<TBD>) indicating its capability through the FORCERENEW_NONCE_CAPABLE(<TBD>)
DHCP option in any DHCP Discover or Request messages. The DHCP DHCP option in any DHCP Discover or Request messages. The DHCP
Discovery or Request message from the client MUST contain the Discovery or Request message from the client MUST contain the
FORCERENEW_NONCE_CAPABLE(<TBD>) option if the Forcerenew Nonce FORCERENEW_NONCE_CAPABLE(<TBD>) option if the Forcerenew Nonce
Protocol is to be used by the server. The absence of the Protocol is to be used by the server. The absence of the
FORCERENEW_NONCE_CAPABLE(<TBD>) option indicates to the server that FORCERENEW_NONCE_CAPABLE(<TBD>) option indicates to the server that
the Forcerenew Nonce Authentication protocol is not supported and the Forcerenew Nonce Authentication protocol is not supported and
thus the server MUST NOT include a Forcerenew Nonce Protocol thus the server MUST NOT include a Forcerenew Nonce Protocol
skipping to change at page 8, line 20 skipping to change at page 9, line 27
selects a replay detection value according to the RDM selected by the selects a replay detection value according to the RDM selected by the
server, and computes an HMAC-MD5 of the Forcerenew message using the server, and computes an HMAC-MD5 of the Forcerenew message using the
Forcerenew nonce for the client. The server computes the HMAC-MD5 Forcerenew nonce for the client. The server computes the HMAC-MD5
over the entire DHCP Forcerenew message, including the Authentication over the entire DHCP Forcerenew message, including the Authentication
option; the HMAC-MD5 field in the Authentication option is set to option; the HMAC-MD5 field in the Authentication option is set to
zero for the HMAC-MD5 computation. The server includes the HMAC-MD5 zero for the HMAC-MD5 computation. The server includes the HMAC-MD5
in the authentication information field in an Authentication option in the authentication information field in an Authentication option
included in the Forcerenew message sent to the client with type set included in the Forcerenew message sent to the client with type set
to 2 (HMAC-MD5 digest). to 2 (HMAC-MD5 digest).
2.1.4. Client considerations for Forcerenew Nonce Authentication 3.1.4. Client considerations for Forcerenew Nonce Authentication
The client MUST indicate Forcerenew nonce Capability by including the The client MUST indicate Forcerenew nonce Capability by including the
FORCERENEW_NONCE_CAPABLE(<TBD>) DHCP option (Section 2.1.1) in all FORCERENEW_NONCE_CAPABLE(<TBD>) DHCP option (Section 2.1.1) in all
DHCP Discover and Request messages. DHCP servers that support DHCP Discover and Request messages. DHCP servers that support
Forcerenew nonce Protocol authentication MUST include the DHCP Forcerenew nonce Protocol authentication MUST include the DHCP
Forcerenew Nonce protocol authentication option in DHCP Offers with Forcerenew Nonce protocol authentication option in DHCP Offers with
type set to zero(0), allowing the client to use this capability in type set to zero(0), allowing the client to use this capability in
selecting DHCP servers should multiple Offers arrive. selecting DHCP servers should multiple Offers arrive.
A DHCP server has indicates its support through the inclusion of the A DHCP server has indicates its support through the inclusion of the
skipping to change at page 9, line 5 skipping to change at page 10, line 7
The client will receive a Forcerenew Nonce from the server in the The client will receive a Forcerenew Nonce from the server in the
initial DHCP Ack message from the server. The client records the initial DHCP Ack message from the server. The client records the
Forcerenew Nonce for use in authenticating subsequent Forcerenew Forcerenew Nonce for use in authenticating subsequent Forcerenew
messages. messages.
To authenticate a Forcerenew message, the client computes an HMAC-MD5 To authenticate a Forcerenew message, the client computes an HMAC-MD5
over the DHCP Forcerenew message, using the Forcerenew Nonce received over the DHCP Forcerenew message, using the Forcerenew Nonce received
from the server. If this computed HMAC-MD5 matches the value in the from the server. If this computed HMAC-MD5 matches the value in the
Authentication option, the client accepts the Forcerenew message. Authentication option, the client accepts the Forcerenew message.
3. Contributors 4. Acknowledgements
Comments are solicited and should be addressed to the DHC WG mailing Comments are solicited and should be addressed to the DHC WG mailing
list (dhcwg@ietf.org) and/or the authors. This contribution is based list (dhcwg@ietf.org) and/or the authors. This contribution is based
on work by Vitali Vinokour. Major sections of this draft use on work by Vitali Vinokour. Major sections of this draft use
modified text from [RFC3315]. The authors wish to thank Ted Lemon modified text from [RFC3315]. The authors wish to thank Ted Lemon
and Bernie Volz for their support. and Bernie Volz for their support.
4. IANA Considerations 5. IANA Considerations
This document requests IANA to allocate an option code for the newly This document requests IANA to allocate an option code for the newly
defined DHCP option FORCERENEW_NONCE_CAPABALE as described in the defined DHCP option FORCERENEW_NONCE_CAPABALE as described in the
text. text.
This document requests IANA to allocate a DHCP Authentication This document requests IANA to allocate a DHCP Authentication
Option(90) protocol number be assigned for Forcerenew Nonce Option(90) protocol number be assigned for Forcerenew Nonce
Authentication, per [RFC3118]. Authentication, per [RFC3118].
This document requests IANA to create a new namespace associated with This document requests IANA to create a new namespace associated with
the Forcerenew Nonce Authentication protocol: algorithm, per the Forcerenew Nonce Authentication protocol: algorithm, per
[RFC3118]. [RFC3118].
5. Security Considerations 6. Security Considerations
As in some network environments FORCERENEW can be used to snoop and As in some network environments FORCERENEW can be used to snoop and
spoof traffic, the FORCERENEW message MUST be authenticated using the spoof traffic, the FORCERENEW message MUST be authenticated using the
procedures as described in [RFC3118] or this proposal. In this procedures as described in [RFC3118] or this proposal. In this
proposal any party able intercept the nonce exchange could proposal any party able intercept the nonce exchange could
impersonate a server and thus offers no protection from man-in-the- impersonate a server and thus offers no protection from man-in-the-
middle attacks. FORCERENEW messages failing the authentication middle attacks. FORCERENEW messages failing the authentication
should be silently discarded by the client. should be silently discarded by the client.
5.1. Protocol vulnerabilities 6.1. Protocol vulnerabilities
The mechanism described in this document is vulnerable to a denial of The mechanism described in this document is vulnerable to a denial of
service attack through flooding a client with bogus FORCERENEW service attack through flooding a client with bogus FORCERENEW
messages. The calculations involved in authenticating the bogus messages. The calculations involved in authenticating the bogus
FORECERENEW messages may overwhelm the device on which the client is FORECERENEW messages may overwhelm the device on which the client is
running. running.
The mechanism described provides protection against the use of a The mechanism described provides protection against the use of a
FORCERENEW message by a malicious DHCP server to mount a denial of FORCERENEW message by a malicious DHCP server to mount a denial of
service or man-in-the-middle attack on a client. This protocol can service or man-in-the-middle attack on a client. This protocol can
be compromised by an attacker that can intercept the initial message be compromised by an attacker that can intercept the initial message
in which the DHCP server sends the nonce to the client. in which the DHCP server sends the nonce to the client.
6. References 7. References
6.1. Normative References 7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3118] Droms, R. and B. Arbaugh, "Authentication for DHCP [RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP
Messages", RFC 3118, June 2001. Messages", RFC 3118, June 2001.
[RFC3203] T'joens, Y., Hublet, C., and P. De Schrijver, "DHCP [RFC3203] T'Joens, Y., Hublet, C., and P. De Schrijver, "DHCP
reconfigure extension", RFC 3203, December 2001. reconfigure extension", RFC 3203, December 2001.
6.2. Informative References 7.2. Informative References
[RFC3315] Droms, R., "Dynamic Host Configuration Protocol for IPv6 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
(DHCPv6)", RFC 3315, July 2003. and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003.
[TR-101] Cohen et al, "Architecture & Transport: "Migration to
Ethernet Based DSL Aggregation, DSL Forum TR-101", 2005.
Authors' Addresses Authors' Addresses
David Miles David Miles
Alcatel-Lucent Alcatel-Lucent
L3 / 215 Spring St L3 / 215 Spring St
Melbourne, Victoria 3000 Melbourne, Victoria 3000,
Australia Australia
Phone: +61 3 9664 3308 Phone: +61 3 9664 3308
Fax:
Email: david.miles@alcatel-lucent.com Email: david.miles@alcatel-lucent.com
URI:
Wojciech Dec Wojciech Dec
Cisco Systems Cisco Systems
Haarlerbergpark Haarlerbergweg 13-19 Haarlerbergpark Haarlerbergweg 13-19
Amsterdam, NOORD-HOLLAND 1101 CH Amsterdam, NOORD-HOLLAND 1101 CH
Netherlands Netherlands
Phone: Phone:
Fax:
Email: wdec@cisco.com Email: wdec@cisco.com
URI:
James Bristow James Bristow
Swisscom Schweiz AG Swisscom Schweiz AG
Zentweg 9 Zentweg 9
Bern, 3050 Bern, 3050,
Switzerland Switzerland
Phone: Phone:
Fax:
Email: James.Bristow@swisscom.com Email: James.Bristow@swisscom.com
URI:
Roberta Maglione Roberta Maglione
Telecom Italia Telecom Italia
Via Reiss Romoli 274 Via Reiss Romoli 274
Torino, 10148 Torino 10148
Italy Italy
Phone: Phone:
Email: roberta.maglione@telecomitalia.it Email: roberta.maglione@telecomitalia.it
 End of changes. 50 change blocks. 
175 lines changed or deleted 206 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/