| draft-ietf-dhc-forcerenew-nonce-04.txt | draft-ietf-dhc-forcerenew-nonce-05.txt | |||
|---|---|---|---|---|
| dhc D. Miles | dhc D. Miles | |||
| Internet-Draft Google | Internet-Draft Google | |||
| Updates: 3203 (if approved) W. Dec | Updates: 3203 (if approved) W. Dec | |||
| Intended status: Standards Track Cisco Systems | Intended status: Standards Track Cisco Systems | |||
| Expires: August 17, 2012 J. Bristow | Expires: September 10, 2012 J. Bristow | |||
| Swisscom Schweiz AG | Swisscom Schweiz AG | |||
| R. Maglione | R. Maglione | |||
| Telecom Italia | Telecom Italia | |||
| February 14, 2012 | March 9, 2012 | |||
| Forcerenew Nonce Authentication | Forcerenew Nonce Authentication | |||
| draft-ietf-dhc-forcerenew-nonce-04 | draft-ietf-dhc-forcerenew-nonce-05 | |||
| Abstract | Abstract | |||
| Dynamic Host Configuration Protocol (DHCP) FORCERENEW allows for the | Dynamic Host Configuration Protocol (DHCP) FORCERENEW allows for the | |||
| reconfiguration of a single host by forcing the DHCP client into a | reconfiguration of a single host by forcing the DHCP client into a | |||
| Renew state on a trigger from the DHCP server. In Forcerenew Nonce | Renew state on a trigger from the DHCP server. In Forcerenew Nonce | |||
| Authentication the server sends a nonce to the client on the initial | Authentication the server sends a nonce to the client in the initial | |||
| DHCP ACK that is used for subsequent validation of a FORCERENEW | DHCP ACK that is used for subsequent validation of a FORCERENEW | |||
| message. This document updates RFC 3203. | message. This document updates RFC 3203. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 17, 2012. | This Internet-Draft will expire on September 10, 2012. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 16 | skipping to change at page 2, line 16 | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 | 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Message authentication . . . . . . . . . . . . . . . . . . . . 3 | 3. Message authentication . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.1. Forcerenew Nonce Authentication . . . . . . . . . . . . . 3 | 3.1. Forcerenew Nonce Authentication . . . . . . . . . . . . . 4 | |||
| 3.1.1. Forcerenew Nonce Protocol Capability Option . . . . . 4 | 3.1.1. Forcerenew Nonce Protocol Capability Option . . . . . 4 | |||
| 3.1.2. Forcerenew Nonce Protocol . . . . . . . . . . . . . . 6 | 3.1.2. Forcerenew Nonce Protocol . . . . . . . . . . . . . . 6 | |||
| 3.1.3. Server considerations for Forcerenew Nonce | 3.1.3. Server considerations for Forcerenew Nonce | |||
| Authentication . . . . . . . . . . . . . . . . . . . . 8 | Authentication . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.1.4. Client considerations for Forcerenew Nonce | 3.1.4. Client considerations for Forcerenew Nonce | |||
| Authentication . . . . . . . . . . . . . . . . . . . . 9 | Authentication . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 | 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 6.1. Protocol vulnerabilities . . . . . . . . . . . . . . . . . 11 | 6.1. Protocol vulnerabilities . . . . . . . . . . . . . . . . . 11 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 7. Normative References . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . . 11 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 | ||||
| 1. Introduction | 1. Introduction | |||
| The DHCP Reconfigure Extension defined in [RFC3203] is a useful | The DHCP Reconfigure Extension defined in [RFC3203] is a useful | |||
| mechanism allowing dynamic reconfiguration of a single host triggered | mechanism allowing dynamic reconfiguration of a single host triggered | |||
| by the DHCP server. Its application is currently limited by a | by the DHCP server. Its application is currently limited by a | |||
| requirement that FORCERENEW message is always authenticated using | requirement that FORCERENEW message is always authenticated using | |||
| procedures as described in [RFC3118]. Authentication for DHCP | procedures as described in [RFC3118]. Authentication for DHCP | |||
| [RFC3118] is mandatory for FORCERENEW, however as it is currently | [RFC3118] is mandatory for FORCERENEW, however as it is currently | |||
| defined [RFC3118] requires distribution of constant token or shared- | defined [RFC3118] requires distribution of constant token or shared- | |||
| secret out-of-band to DHCP clients. The mandatory authentication was | secret out-of-band to DHCP clients. | |||
| originally motivated by a legitimate security concern whereby in some | ||||
| network environments DHCP messages can be spoofed and an attacker | The motivation for making authentication mandatory in DHCP FORCERENEW | |||
| could more accurately guess the timing of DHCP renewal messages by | was to prevent an off-network attacker from taking advantage of DHCP | |||
| first sending a FORCERENEW message. However, in some networks native | FORCERENEW to accurately predict the timing of a DHCP renewal. | |||
| security mechanisms already provide sufficient protection against | Without DHCP FORCERENEW, DHCP renewal timing is under the control of | |||
| spoofing of DHCP traffic. An example of such network is a Broadband | the client, and an off-network attacker has no way of predicting when | |||
| Forum TR-101 [TR-101i2] compliant access network. In such | it will happen, since it doesn't have access to the exchange between | |||
| environments the mandatory coupling between FORCERENEW and DHCP | the DHCP client and DHCP server. | |||
| Authentication [RFC3118] can be relaxed and a lighter authentication | ||||
| mechanism can be used for the FORCERENEW message. This document | However, the requirement to use the DHCP authentication described in | |||
| defines extensions to Authentication for DHCPv4 Messages [RFC3118] to | [RFC3118] is more stringent than is required for this use case, and | |||
| create a new authentication protocol for DHCPv4 FORCERENEW [RFC3203] | has limited adoption of DHCP FORCERENEW. [RFC3315] defines an | |||
| messages; this method does not require out-of-band key distribution | authentication protocol using a nonce to prevent off-network | |||
| to DHCP clients. The Forcerenew Nonce is exchanged between server | attackers from successfully causing clients to renew. Since the off- | |||
| and client on initial DHCP ACK and is used for verification of any | network attacker doesn't have access to the nonce, it can't trick the | |||
| subsequent FORCERENEW message. This document updates [RFC3203] | client into renewing at a time of its choosing. | |||
| This document defines extensions to Authentication for DHCPv4 | ||||
| Messages [RFC3118] to create a new authentication protocol for DHCPv4 | ||||
| FORCERENEW [RFC3203] messages; this method does not require out-of- | ||||
| band key distribution to DHCP clients. The Forcerenew Nonce is | ||||
| exchanged between server and client on initial DHCP ACK and is used | ||||
| for verification of any subsequent FORCERENEW message. This document | ||||
| updates [RFC3203] | ||||
| 2. Requirements Language | 2. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 3. Message authentication | 3. Message authentication | |||
| The FORCERENEW message must be authenticated using either [RFC3118] | The FORCERENEW message MUST be authenticated using either [RFC3118] | |||
| or the proposed Forcerenew Nonce Authentication protocol. | or the proposed Forcerenew Nonce Authentication protocol. | |||
| 3.1. Forcerenew Nonce Authentication | 3.1. Forcerenew Nonce Authentication | |||
| The Forcerenew nonce authentication protocol provides protection | The Forcerenew nonce authentication protocol provides protection | |||
| against misconfiguration of a client caused by a FORCERENEW message | against misconfiguration of a client caused by a FORCERENEW message | |||
| sent by a malicious DHCP server. In this protocol, a DHCP server | sent by a malicious DHCP server. In this protocol, a DHCP server | |||
| sends a Forcerenew nonce to the client in the initial exchange of | sends a Forcerenew nonce to the client in the initial exchange of | |||
| DHCP messages. The client records the Forcerenew nonce for use in | DHCP messages. The client records the Forcerenew nonce for use in | |||
| authenticating subsequent Forcerenew messages from that server. The | authenticating subsequent Forcerenew messages from that server. The | |||
| skipping to change at page 4, line 25 | skipping to change at page 4, line 34 | |||
| specified in [RFC3118] and the client and server have negotiated to | specified in [RFC3118] and the client and server have negotiated to | |||
| use the Forcerenew Nonce Authentication protocol. | use the Forcerenew Nonce Authentication protocol. | |||
| 3.1.1. Forcerenew Nonce Protocol Capability Option | 3.1.1. Forcerenew Nonce Protocol Capability Option | |||
| A DHCP client indicates DHCP Forcerenew Nonce Protocol capability by | A DHCP client indicates DHCP Forcerenew Nonce Protocol capability by | |||
| including a FORCERENEW_NONCE_CAPABLE(<TBD>) option in DHCP Discover | including a FORCERENEW_NONCE_CAPABLE(<TBD>) option in DHCP Discover | |||
| and Request messages sent to the server. | and Request messages sent to the server. | |||
| A DHCP server that does not support Forcerenew Nonce Protocol | A DHCP server that does not support Forcerenew Nonce Protocol | |||
| authentication should ignore the FORCERENEW_NONCE_CAPABLE(<TBD>) | authentication SHOULD ignore the FORCERENEW_NONCE_CAPABLE(<TBD>) | |||
| option. A DHCP server indicates DHCP Forcerenew Nonce Protocol | option. A DHCP server indicates DHCP Forcerenew Nonce Protocol | |||
| preference by including a FORCERENEW_NONCE_CAPABLE(<TBD>) option in | preference by including a FORCERENEW_NONCE_CAPABLE(<TBD>) option in | |||
| any DHCP Offer messages sent to the client. | any DHCP Offer messages sent to the client. | |||
| A DHCP client MUST NOT send DHCP messages with authentication options | A DHCP client MUST NOT send DHCP messages with authentication options | |||
| where the protocol value is Forcerenew Nonce Authentication(<TBD>). | where the protocol value is Forcerenew Nonce Authentication(<TBD>). | |||
| The FORCERENEW_NONCE_CAPABLE option is a zero length option with code | The FORCERENEW_NONCE_CAPABLE option is a zero length option with code | |||
| of <TDB> and format as follows: | of <TDB> and format as follows: | |||
| skipping to change at page 9, line 7 | skipping to change at page 9, line 7 | |||
| If a capable server receives a DISCOVER or REQUEST (any type) that | If a capable server receives a DISCOVER or REQUEST (any type) that | |||
| indicates the client is capable, and the server has no previous nonce | indicates the client is capable, and the server has no previous nonce | |||
| recorded, it MUST generate a nonce and include it in the ACK. | recorded, it MUST generate a nonce and include it in the ACK. | |||
| The server selects a Forcerenew nonce for a client only during | The server selects a Forcerenew nonce for a client only during | |||
| Request/Ack message exchange. The server records the Forcerenew | Request/Ack message exchange. The server records the Forcerenew | |||
| nonce and transmits that nonce to the client in an Authentication | nonce and transmits that nonce to the client in an Authentication | |||
| option in the DHCP Ack message. | option in the DHCP Ack message. | |||
| The server SHOULD NOT include the nonce in an ACK when responding to | The server SHOULD NOT include the nonce in an ACK when responding to | |||
| a renew unless a nonce was generated. This minimizes the number of | a renew unless a new nonce was generated. This minimizes the number | |||
| times the nonce is sent over the wire. | of times the nonce is sent over the wire. | |||
| If the server to which the DHCP Request message was sent at time T1 | If the server to which the DHCP Request message was sent at time T1 | |||
| has not responded, the client enters the REBINDING state and attempts | has not responded, the client enters the REBINDING state and attempts | |||
| to contact any server. The new Server receiving the DHCP message | to contact any server. The new Server receiving the DHCP message | |||
| MUST generate a new nonce. | MUST generate a new nonce. | |||
| The Forcerenew nonce is 128 bits long, and MUST be a | The Forcerenew nonce is 128 bits long, and MUST be a | |||
| cryptographically strong random or pseudo-random number that cannot | cryptographically strong random or pseudo-random number that cannot | |||
| easily be predicted. The nonce is embedded as a 128-bit value of the | easily be predicted. The nonce is embedded as a 128-bit value of the | |||
| Authentication information where type is set to 1 (Forcerenew nonce | Authentication information where type is set to 1 (Forcerenew nonce | |||
| skipping to change at page 10, line 41 | skipping to change at page 10, line 41 | |||
| Data lenght: 1 | Data lenght: 1 | |||
| Description: Forcerenew Nonce Capable | Description: Forcerenew Nonce Capable | |||
| Reference: this document | Reference: this document | |||
| 6. Security Considerations | 6. Security Considerations | |||
| As in some network environments FORCERENEW can be used to snoop and | As in some network environments FORCERENEW can be used to snoop and | |||
| spoof traffic, the FORCERENEW message MUST be authenticated using the | spoof traffic, the FORCERENEW message MUST be authenticated using the | |||
| procedures as described in [RFC3118] or this proposal. | procedures as described in [RFC3118] or the mechanism described in | |||
| this document. | ||||
| The mechanism in [RFC3315] for DHCPv6, which this document mirrors | The mechanism in [RFC3315] for DHCPv6, which this document mirrors | |||
| for DHCPv4, uses a nonce to prevent an off-link attacker from | for DHCPv4, uses a nonce to prevent an off-link attacker from | |||
| successfully triggering a renewal on a client by sending | successfully triggering a renewal on a client by sending | |||
| DHCPFORCERENEW; since the attacker is off-link, it doesn't have the | DHCPFORCERENEW; since the attacker is off-link, it doesn't have the | |||
| nonce, and can't force a renewal. | nonce, and can't force a renewal. | |||
| An on-link attacker can always simply watch the DHCP renewal message | An on-link attacker can always simply watch the DHCP renewal message | |||
| go out and respond to it, so this mechanism is useless for preventing | go out and respond to it, so this mechanism is useless for preventing | |||
| on-link attacks, and hence the security of the nonce in the case of | on-link attacks, and hence the security of the nonce in the case of | |||
| on-link attacks isn't relevant. Any party able to intercept the | on-link attacks isn't relevant. Therefore HMAC-MD5 is by definition | |||
| nonce exchange could impersonate a server and thus offers no | adequate for the purpose, and there is no need for an extensible HMAC | |||
| protection from man-in-the- middle attacks. FORCERENEW messages | mechanism. FORCERENEW messages failing the authentication should be | |||
| failing the authentication should be silently discarded by the | silently discarded by the client. | |||
| client. | ||||
| 6.1. Protocol vulnerabilities | 6.1. Protocol vulnerabilities | |||
| The mechanism described in this document is vulnerable to a denial of | The mechanism described in this document is vulnerable to a denial of | |||
| service attack through flooding a client with bogus FORCERENEW | service attack through flooding a client with bogus FORCERENEW | |||
| messages. The calculations involved in authenticating the bogus | messages. The calculations involved in authenticating the bogus | |||
| FORECERENEW messages may overwhelm the device on which the client is | FORECERENEW messages may overwhelm the device on which the client is | |||
| running. | running. | |||
| The mechanism described provides protection against the use of a | The mechanism described provides protection against the use of a | |||
| FORCERENEW message by a malicious DHCP server to mount a denial of | FORCERENEW message by a malicious DHCP server to mount a denial of | |||
| service or man-in-the-middle attack on a client. This protocol can | service or man-in-the-middle attack on a client. This protocol can | |||
| be compromised by an attacker that can intercept the initial message | be compromised by an attacker that can intercept the initial message | |||
| in which the DHCP server sends the nonce to the client. | in which the DHCP server sends the nonce to the client. | |||
| 7. References | 7. Normative References | |||
| 7.1. Normative References | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP | [RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP | |||
| Messages", RFC 3118, June 2001. | Messages", RFC 3118, June 2001. | |||
| [RFC3203] T'Joens, Y., Hublet, C., and P. De Schrijver, "DHCP | [RFC3203] T'Joens, Y., Hublet, C., and P. De Schrijver, "DHCP | |||
| reconfigure extension", RFC 3203, December 2001. | reconfigure extension", RFC 3203, December 2001. | |||
| [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., | [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., | |||
| and M. Carney, "Dynamic Host Configuration Protocol for | and M. Carney, "Dynamic Host Configuration Protocol for | |||
| IPv6 (DHCPv6)", RFC 3315, July 2003. | IPv6 (DHCPv6)", RFC 3315, July 2003. | |||
| 7.2. Informative References | ||||
| [TR-101i2] | ||||
| Anschutz, T., "Migration to Ethernet-Based Broadband | ||||
| Aggregation Broadband Forum TR-101 Issue 2", July 2011. | ||||
| Authors' Addresses | Authors' Addresses | |||
| David Miles | David Miles | |||
| Phone: | Phone: | |||
| Fax: | Fax: | |||
| Email: | Email: | |||
| URI: | URI: | |||
| End of changes. 15 change blocks. | ||||
| 46 lines changed or deleted | 44 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||