--- 1/draft-ietf-dhc-forcerenew-nonce-04.txt 2012-03-09 12:13:56.598671078 +0100 +++ 2/draft-ietf-dhc-forcerenew-nonce-05.txt 2012-03-09 12:13:56.626671325 +0100 @@ -1,49 +1,49 @@ dhc D. Miles Internet-Draft Google Updates: 3203 (if approved) W. Dec Intended status: Standards Track Cisco Systems -Expires: August 17, 2012 J. Bristow +Expires: September 10, 2012 J. Bristow Swisscom Schweiz AG R. Maglione Telecom Italia - February 14, 2012 + March 9, 2012 Forcerenew Nonce Authentication - draft-ietf-dhc-forcerenew-nonce-04 + draft-ietf-dhc-forcerenew-nonce-05 Abstract Dynamic Host Configuration Protocol (DHCP) FORCERENEW allows for the reconfiguration of a single host by forcing the DHCP client into a Renew state on a trigger from the DHCP server. In Forcerenew Nonce - Authentication the server sends a nonce to the client on the initial + Authentication the server sends a nonce to the client in the initial DHCP ACK that is used for subsequent validation of a FORCERENEW message. This document updates RFC 3203. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on August 17, 2012. + This Internet-Draft will expire on September 10, 2012. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -51,72 +51,78 @@ to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Message authentication . . . . . . . . . . . . . . . . . . . . 3 - 3.1. Forcerenew Nonce Authentication . . . . . . . . . . . . . 3 + 3.1. Forcerenew Nonce Authentication . . . . . . . . . . . . . 4 3.1.1. Forcerenew Nonce Protocol Capability Option . . . . . 4 3.1.2. Forcerenew Nonce Protocol . . . . . . . . . . . . . . 6 3.1.3. Server considerations for Forcerenew Nonce Authentication . . . . . . . . . . . . . . . . . . . . 8 3.1.4. Client considerations for Forcerenew Nonce Authentication . . . . . . . . . . . . . . . . . . . . 9 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 6.1. Protocol vulnerabilities . . . . . . . . . . . . . . . . . 11 - 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 - 7.1. Normative References . . . . . . . . . . . . . . . . . . . 11 - 7.2. Informative References . . . . . . . . . . . . . . . . . . 11 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 + 7. Normative References . . . . . . . . . . . . . . . . . . . . . 11 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction The DHCP Reconfigure Extension defined in [RFC3203] is a useful mechanism allowing dynamic reconfiguration of a single host triggered by the DHCP server. Its application is currently limited by a requirement that FORCERENEW message is always authenticated using procedures as described in [RFC3118]. Authentication for DHCP [RFC3118] is mandatory for FORCERENEW, however as it is currently defined [RFC3118] requires distribution of constant token or shared- - secret out-of-band to DHCP clients. The mandatory authentication was - originally motivated by a legitimate security concern whereby in some - network environments DHCP messages can be spoofed and an attacker - could more accurately guess the timing of DHCP renewal messages by - first sending a FORCERENEW message. However, in some networks native - security mechanisms already provide sufficient protection against - spoofing of DHCP traffic. An example of such network is a Broadband - Forum TR-101 [TR-101i2] compliant access network. In such - environments the mandatory coupling between FORCERENEW and DHCP - Authentication [RFC3118] can be relaxed and a lighter authentication - mechanism can be used for the FORCERENEW message. This document - defines extensions to Authentication for DHCPv4 Messages [RFC3118] to - create a new authentication protocol for DHCPv4 FORCERENEW [RFC3203] - messages; this method does not require out-of-band key distribution - to DHCP clients. The Forcerenew Nonce is exchanged between server - and client on initial DHCP ACK and is used for verification of any - subsequent FORCERENEW message. This document updates [RFC3203] + secret out-of-band to DHCP clients. + + The motivation for making authentication mandatory in DHCP FORCERENEW + was to prevent an off-network attacker from taking advantage of DHCP + FORCERENEW to accurately predict the timing of a DHCP renewal. + Without DHCP FORCERENEW, DHCP renewal timing is under the control of + the client, and an off-network attacker has no way of predicting when + it will happen, since it doesn't have access to the exchange between + the DHCP client and DHCP server. + + However, the requirement to use the DHCP authentication described in + [RFC3118] is more stringent than is required for this use case, and + has limited adoption of DHCP FORCERENEW. [RFC3315] defines an + authentication protocol using a nonce to prevent off-network + attackers from successfully causing clients to renew. Since the off- + network attacker doesn't have access to the nonce, it can't trick the + client into renewing at a time of its choosing. + + This document defines extensions to Authentication for DHCPv4 + Messages [RFC3118] to create a new authentication protocol for DHCPv4 + FORCERENEW [RFC3203] messages; this method does not require out-of- + band key distribution to DHCP clients. The Forcerenew Nonce is + exchanged between server and client on initial DHCP ACK and is used + for verification of any subsequent FORCERENEW message. This document + updates [RFC3203] 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Message authentication - The FORCERENEW message must be authenticated using either [RFC3118] + The FORCERENEW message MUST be authenticated using either [RFC3118] or the proposed Forcerenew Nonce Authentication protocol. 3.1. Forcerenew Nonce Authentication The Forcerenew nonce authentication protocol provides protection against misconfiguration of a client caused by a FORCERENEW message sent by a malicious DHCP server. In this protocol, a DHCP server sends a Forcerenew nonce to the client in the initial exchange of DHCP messages. The client records the Forcerenew nonce for use in authenticating subsequent Forcerenew messages from that server. The @@ -134,21 +140,21 @@ specified in [RFC3118] and the client and server have negotiated to use the Forcerenew Nonce Authentication protocol. 3.1.1. Forcerenew Nonce Protocol Capability Option A DHCP client indicates DHCP Forcerenew Nonce Protocol capability by including a FORCERENEW_NONCE_CAPABLE() option in DHCP Discover and Request messages sent to the server. A DHCP server that does not support Forcerenew Nonce Protocol - authentication should ignore the FORCERENEW_NONCE_CAPABLE() + authentication SHOULD ignore the FORCERENEW_NONCE_CAPABLE() option. A DHCP server indicates DHCP Forcerenew Nonce Protocol preference by including a FORCERENEW_NONCE_CAPABLE() option in any DHCP Offer messages sent to the client. A DHCP client MUST NOT send DHCP messages with authentication options where the protocol value is Forcerenew Nonce Authentication(). The FORCERENEW_NONCE_CAPABLE option is a zero length option with code of and format as follows: @@ -340,22 +347,22 @@ If a capable server receives a DISCOVER or REQUEST (any type) that indicates the client is capable, and the server has no previous nonce recorded, it MUST generate a nonce and include it in the ACK. The server selects a Forcerenew nonce for a client only during Request/Ack message exchange. The server records the Forcerenew nonce and transmits that nonce to the client in an Authentication option in the DHCP Ack message. The server SHOULD NOT include the nonce in an ACK when responding to - a renew unless a nonce was generated. This minimizes the number of - times the nonce is sent over the wire. + a renew unless a new nonce was generated. This minimizes the number + of times the nonce is sent over the wire. If the server to which the DHCP Request message was sent at time T1 has not responded, the client enters the REBINDING state and attempts to contact any server. The new Server receiving the DHCP message MUST generate a new nonce. The Forcerenew nonce is 128 bits long, and MUST be a cryptographically strong random or pseudo-random number that cannot easily be predicted. The nonce is embedded as a 128-bit value of the Authentication information where type is set to 1 (Forcerenew nonce @@ -421,74 +428,66 @@ Data lenght: 1 Description: Forcerenew Nonce Capable Reference: this document 6. Security Considerations As in some network environments FORCERENEW can be used to snoop and spoof traffic, the FORCERENEW message MUST be authenticated using the - procedures as described in [RFC3118] or this proposal. + procedures as described in [RFC3118] or the mechanism described in + this document. The mechanism in [RFC3315] for DHCPv6, which this document mirrors for DHCPv4, uses a nonce to prevent an off-link attacker from successfully triggering a renewal on a client by sending DHCPFORCERENEW; since the attacker is off-link, it doesn't have the nonce, and can't force a renewal. An on-link attacker can always simply watch the DHCP renewal message go out and respond to it, so this mechanism is useless for preventing on-link attacks, and hence the security of the nonce in the case of - on-link attacks isn't relevant. Any party able to intercept the - nonce exchange could impersonate a server and thus offers no - protection from man-in-the- middle attacks. FORCERENEW messages - failing the authentication should be silently discarded by the - client. + on-link attacks isn't relevant. Therefore HMAC-MD5 is by definition + adequate for the purpose, and there is no need for an extensible HMAC + mechanism. FORCERENEW messages failing the authentication should be + silently discarded by the client. 6.1. Protocol vulnerabilities The mechanism described in this document is vulnerable to a denial of service attack through flooding a client with bogus FORCERENEW messages. The calculations involved in authenticating the bogus FORECERENEW messages may overwhelm the device on which the client is running. The mechanism described provides protection against the use of a FORCERENEW message by a malicious DHCP server to mount a denial of service or man-in-the-middle attack on a client. This protocol can be compromised by an attacker that can intercept the initial message in which the DHCP server sends the nonce to the client. -7. References - -7.1. Normative References +7. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages", RFC 3118, June 2001. [RFC3203] T'Joens, Y., Hublet, C., and P. De Schrijver, "DHCP reconfigure extension", RFC 3203, December 2001. [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. -7.2. Informative References - - [TR-101i2] - Anschutz, T., "Migration to Ethernet-Based Broadband - Aggregation Broadband Forum TR-101 Issue 2", July 2011. - Authors' Addresses David Miles Google Phone: Fax: Email: URI: