draft-ietf-dhc-proxyserver-opt-03.txt   draft-ietf-dhc-proxyserver-opt-04.txt 
Network Working Group Senthil K Balasubramanian Network Working Group Senthil K Balasubramanian
Internet-Draft Intoto Internet-Draft Intoto
Expires: September 2005 Michael Alexander Expires: December 2005 Michael Alexander
Gustaf Neumann Gustaf Neumann
Wirtschaftsuniversitaet Wien Wirtschaftsuniversitaet Wien
April 2005 July 2005
DHCP Option for Proxy Server Configuration DHCP Option for Proxy Server Configuration
draft-ietf-dhc-proxyserver-opt-03.txt draft-ietf-dhc-proxyserver-opt-04.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with which he or she become aware will be disclosed, in accordance with
RFC 3668. RFC 3668.
skipping to change at page 1, line 44 skipping to change at page 1, line 43
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 2005. This Internet-Draft will expire on September 2005.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). All Rights Reserved. Copyright (C) The Internet Society (2005). All Rights Reserved.
IPR Statement
By submitting this Internet-Draft, each author represents
that any applicable patent or other IPR claims of which he
or she is aware have been or will be disclosed, and any of
which he or she becomes aware will be disclosed, in
accordance with Section 6 of BCP 79.
Abstract Abstract
This document defines a new Dynamic Host Configuration Protocol This document defines a new Dynamic Host Configuration Protocol
(DHCP) option, which can be used to configure the TCP/IP host's Proxy (DHCP) option, which can be used to configure Proxy Servers in
Server configuration for standard protocols like HTTP, FTP, NNTP, TCP/IP for standard protocols like HTTP, FTP, NNTP, SOCKS, SNMP,
SOCKS, Gopher, SLL and etc. Proxy Server provides controlled and SLL and etc. Proxy Servers provide controlled and efficient access
efficient access to the Internet by access control mechanism for to the Internet, include access control mechanisms for different
different types of user requests and caching frequently accessed types of user requests and cache frequently accessed information
information (Web pages and possibly files that might have been (Web pages and possibly files that might have been downloaded
downloaded using FTP and other protocols). using FTP and other protocols).
1. Terminologies Used 1. Terminologies Used
DHCP Client: A DHCP [RFC-2131] client is an Internet host that DHCP Client: A DHCP [RFC-2131] client is an Internet host that
uses DHCP to obtain configuration information such as uses DHCP to obtain configuration information such as a
network address. network address.
DHCP Server: A DHCP server [RFC-2131] is an Internet host that DHCP Server: A DHCP server [RFC-2131] is an Internet host that
returns configuration parameters to DHCP clients. returns configuration parameters to DHCP clients.
Proxy Server: In a enterprise network that connects to Internet, Proxy Server: In an enterprise network that connects to Internet,
a proxy server is a server that acts as an intermediary a proxy server is a server that acts as an intermediary
between a workstation user and the Internet so that the between a workstation user and the Internet so that the
enterprise can ensure security, administrative control, enterprise can ensure security and administrative control.
and caching service. A Proxy server MAY be associated A Proxy server MAY provide caching services or be
with or part of a gateway server that separates the associated with or part of a gateway server that separates
enterprise network from the outside network (Usually the enterprise network from the outside network (usually
Internet) and a firewall server that protects the the Internet) and a firewall that protects the enterprise
enterprise network from outside intrusion. network from outside intrusion.
RDF:A language (Resource Description Framework [RDF-SYN]) for RDF:A language (Resource Description Framework [RDF-SYN]) for
describing properties of web resources. describing properties of web resources.
2. Introduction 2. Introduction
The Dynamic Host Configuration Protocol [RFC-2131] provides a The Dynamic Host Configuration Protocol [RFC-2131] provides a
framework for passing configuration information to hosts on a TCP/IP framework for passing configuration information to hosts on a TCP/IP
network. This document describes a DHCP configuration option that network. This document describes a DHCP configuration option that
can be used to inform a DHCP client, the IP addresses of one or more can be used to inform a DHCP client of the IP addresses and properties
proxy services that are either available to it or that must be used of one or more proxy services that are either available to it or that
in order to access internet services, for example through a coporate must be used in order to access internet services, for example through
firewall. a coporate firewall.
The following diagram depicts the typical setup providing proxy The following diagram depicts the typical setup of a proxy server
service to clients on a network that is protected by a firewall. providing proxy services to clients on a network that is protected
by a firewall.
+---------------------------+ +-----------+ +---------------------------+ +-----------+
| | |Remote HTTP| | | |Remote HTTP|
| | HTTP |Server | | | HTTP |Server |
| +------------+ +-------------+<--->+-----------+ | +------------+ +-------------+<--->+-----------+
| | Clients | |Proxy Server | | | Clients | |Proxy Server |
| | Inside the |<------>| + | FTP +-----------+ | | Inside the |<------>| + | FTP +-----------+
| | Firewall | |Firewall |<--->|Remote FTP | | | Firewall | |Firewall |<--->|Remote FTP |
| +------------+ +-------------+ |Server | | +------------+ +-------------+ |Server |
| | ^ +-----------+ | | ^ +-----------+
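Review bot: the expiry dates in the right column disagree: the header now reads "Expires: December 2005" while the Status of this Memo text still says "This Internet-Draft will expire on September 2005"; update the latter. The added "IPR Statement" paragraph (BCP 79) duplicates the RFC 3667/3668 statement kept above it, so one of the two should go. In the Abstract, "SLL" should read "SSL" to match the IANA Considerations section, and "coporate" in the Introduction is a typo.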
skipping to change at page 3, line 8 skipping to change at page 3, line 8
+------------>|Server | +------------>|Server |
+-----------+ +-----------+
The primary use of proxies is to allow access to the World Wide Web The primary use of proxies is to allow access to the World Wide Web
from within a firewall. A proxy service typically runs on firewall from within a firewall. A proxy service typically runs on firewall
machine. It waits for a request from inside the firewall, forwards machine. It waits for a request from inside the firewall, forwards
the request to the remote server outside the firewall, reads the the request to the remote server outside the firewall, reads the
response and then sends it back to the client. Usually, all the response and then sends it back to the client. Usually, all the
clients use the same proxy within a given network, which helps in clients use the same proxy within a given network, which helps in
efficient caching of documents that are requested by a number of efficient caching of documents that are requested by a number of
clients. This behavior makes proxies attractive to clients not clients. Similarly, proxies can provide document caching functions
inside a firewall. on the outside Internet.
A proxy server increases the network security and user productivity A proxy server can increase network security and user productivity
by content filtering and controlling both internal and external by filtering content and controlling both internal and external
access to information. Also, it provides several other access to information. Also, it provides several other
functionalities that are not discussed here. functionalities that are not discussed here.
3. Requirements terminology 3. Requirements terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC 2119]. document are to be interpreted as described in [RFC 2119].
4. Proxy Server Configuration Option 4. Proxy Server Configuration Option
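Review bot: "A proxy service typically runs on firewall machine" is missing an article ("on the firewall machine"). The new right-column sentence "Similarly, proxies can provide document caching functions on the outside Internet" is vaguer than the sentence it replaces; say plainly that caching proxies are also deployed outside a firewall.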
skipping to change at page 3, line 51 skipping to change at page 3, line 51
+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+
|p |l | f |IP address|port | |p |l | f |IP address|port |
+--+--+--+--+--+--+--+--+--+ +--+--+--+--+--+--+--+--+--+
The Protocol(p) is a two octet integer in network byte order, The Protocol(p) is a two octet integer in network byte order,
length (l) and flag (f) are one octet each; each IP length (l) and flag (f) are one octet each; each IP
address is four octets, and each port number is a two-octet address is four octets, and each port number is a two-octet
integer encoded in network byte order. integer encoded in network byte order.
The protocol type(p) specifies the type of Protocol and MUST be The protocol type(p) specifies the type of protocol and MUST be
one of the following assigned numbers. one of the following assigned numbers.
+-------------------------------+ +-------------------------------+
| protocol | Number | | protocol | Number |
+-------------------------------+ +-------------------------------+
| HTTP | 80 | | HTTP | 80 |
+-------------------------------+ +-------------------------------+
| FTP | 21 | | FTP | 21 |
+-------------------------------+ +-------------------------------+
| NNTP | 119 | | NNTP | 119 |
skipping to change at page 4, line 33 skipping to change at page 4, line 33
+-------------------------------+ +-------------------------------+
| RDF | TBD | | RDF | TBD |
+-------------------------------+ +-------------------------------+
If the protocol type field is RDF[RDF-SYN], then it MUST be If the protocol type field is RDF[RDF-SYN], then it MUST be
followed by len (length of RDF metadata) and the actual RDF followed by len (length of RDF metadata) and the actual RDF
metadata. metadata.
The length field (l) specifies the length of the Proxy Server The length field (l) specifies the length of the Proxy Server
Configuration entry. If some new protocol is introduced in the Configuration entry. If some new protocol is introduced in the
future and if some version of dhcpclient doesn't support, then future, and if some version of a given dhcpclient doesn't support
that particular entry can be ignored and process the following it, then that particular entry can be ignored. If it exists, the
Proxy Server Configuration Entry, if any. next following Proxy Server Configuration Entry can be processed.
The flag field (f) is by default 0. Otherwise, it can either The flag field (f) is by default 0. Otherwise, it can either
have "-" or "#". have "-" or "#".
If it is "-", then the entry becomes a destination address for If it is "-", then the entry becomes a destination address for
exclusion from forwarding to the proxy. If it is "#", then the proxy exclusion from forwarding to the proxy. If it is "#", then the proxy
requires authentication. requires authentication.
In cases where it makes sense to specify more than one proxy server In cases where it makes sense to specify more than one proxy server
for a given protocol, these proxy servers MUST be specified as for a given protocol, these proxy servers MUST be specified as
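Review bot: the length field (l) is not defined precisely enough to parse an entry: state whether it counts the octets that follow it (the section 5 example HTTP|7|0|192.168.5.10|8080 implies l = f + IP + port = 7) or the whole entry including p and l. The flag field (f) is one octet, yet its values are given as the characters "-" and "#"; specify the octet values (or a bit mask) so implementations agree. The RDF entry has a different layout (p, len, metadata, with no f field), which should be stated where the entry format is drawn rather than only implied. Finally, a client that skips an unrecognised protocol by its length should be required to check that l does not exceed the remaining option data before skipping, otherwise a malformed entry drives the parser past the end of the option.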
skipping to change at page 5, line 25 skipping to change at page 5, line 25
The following entry specifies the sample format of the RDF Meta The following entry specifies the sample format of the RDF Meta
data field data field
HTTP proxy: HTTP proxy:
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE rdf:RDF [<!ENTITY xsd "http://www.w3.org/2001/XMLSchema#">]> <!DOCTYPE rdf:RDF [<!ENTITY xsd "http://www.w3.org/2001/XMLSchema#">]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:dc="http://purl.org/dc/elements/1.1/"> xmlns:dc="http://purl.org/dc/elements/1.1/">
<rdf:Description rdf:about="http://http-proxy.duke.edu:8080"> <rdf:Description rdf:about="http://http-proxy.example.com:8080">
<dc:title>License Gate Proxy</dc:title> <dc:title>License Gate Proxy</dc:title>
<dc:creator>John Doe</dc:creator> <dc:creator>John Doe</dc:creator>
<dc:publisher>Duke OIT</dc:publisher> <dc:publisher>example.com IS</dc:publisher>
<dc:subject>Offsite Campus Resource Access Proxy</dc:subject> <dc:subject>Offsite Resource Access Proxy</dc:subject>
<dc:type>Service</dc:subject> <dc:type>Service</dc:subject>
<dc:rights>Current Duke faculty, staff, and students</dc:rights> <dc:rights>example.com employees</dc:rights>
<dc:date>2004-06-15</dc:date> <dc:date>2005-07-11</dc:date>
</rdf:Description> </rdf:Description>
</rdf:RDF> </rdf:RDF>
FTP proxy: FTP proxy:
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE rdf:RDF [<!ENTITY xsd "http://www.w3.org/2001/XMLSchema#">]> <!DOCTYPE rdf:RDF [<!ENTITY xsd "http://www.w3.org/2001/XMLSchema#">]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:dc="http://purl.org/dc/elements/1.1/"> xmlns:dc="http://purl.org/dc/elements/1.1/">
<rdf:Description rdf:about="ftp://ftp-proxy.duke.edu:8080"> <rdf:Description rdf:about="ftp://ftp-proxy.example.com:8080">
<dc:title>License Gate FTP Proxy</dc:title> <dc:title>License Gate FTP Proxy</dc:title>
<dc:creator>John Doe</dc:creator> <dc:creator>John Doe</dc:creator>
<dc:publisher>Duke OIT</dc:publisher> <dc:publisher>example.com IS</dc:publisher>
<dc:subject>Offsite Campus Resource Access Proxy</dc:subject> <dc:subject>Offsite Resource Access Proxy</dc:subject>
<dc:type>Service</dc:subject> <dc:type>Service</dc:subject>
<dc:rights>Current Duke faculty, staff, and students</dc:rights> <dc:rights>example.com employees</dc:rights>
<dc:date>2004-06-15</dc:date> <dc:date>2005-07-11</dc:date>
</rdf:Description> </rdf:Description>
</rdf:RDF> </rdf:RDF>
As such there is no minimum length to specify a proxy using RDF As such there is no minimum length to specify a proxy using RDF
metadata. But the minimum sensible statement would be a literal metadata. But the minimum sensible statement would be a literal
description of the proxy (<dc:title>License Gate Proxy</dc:title>) description of the proxy (<dc:title>License Gate Proxy</dc:title>)
giving a total of 418 characters including the overhead. giving a total of 418 characters including the overhead.
For example, with a description element of 60 characters, an URI of For example, with a description element of 60 characters, an URI of
80 characters plus a minimum XML/RDF syntax conformation/namespace 80 characters plus a minimum XML/RDF syntax conformation/namespace
declaration of: declaration from below the minimum length would be 418 octes.
21 Octets <?xml version="1.0"?> 21 Octets <?xml version="1.0"?>
70 Octets <!DOCTYPE rdf:RDF [<!ENTITY xsd "http://www.w3.org/2001/XMLSchema#">]> 70 Octets <!DOCTYPE rdf:RDF [<!ENTITY xsd "http://www.w3.org/2001/XMLSchema#">]>
64 Octets <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" 64 Octets <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
45 Octets xmlns:dc="http://purl.org/dc/elements/1.1/"> 45 Octets xmlns:dc="http://purl.org/dc/elements/1.1/">
109 Octets <rdf:Description rdf:about="..80 characters.."> 109 Octets <rdf:Description rdf:about="..80 characters..">
81 Octets <dc:title>..60 characters..</dc:title> 81 Octets <dc:title>..60 characters..</dc:title>
18 Octets </rdf:Description> 18 Octets </rdf:Description>
10 Octets </rdf:RDF> 10 Octets </rdf:RDF>
,the minimum length would be 418 octes.
5. Option Usage 5. Option Usage
The Proxy Server Configuration entries SHOULD not repeat the same The Proxy Server Configuration entries SHOULD not repeat the same
type of proxy entries. The port MUST be a valid TCP/UDP port. type of proxy entries. The port MUST be a valid TCP/UDP port.
If the length of the Proxy Server Configuration Option exceeds the If the length of the Proxy Server Configuration Option exceeds the
maximum permissible within a single option (255 octets), then the maximum permissible within a single option (255 octets), then the
option MUST be represented in the DHCP message as specified option MUST be represented in the DHCP message as specified
in [RFC-3396]. in [RFC-3396].
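An added example, not part of the draft: a Python encoder and a defensive decoder for the fixed-format entries (p|l|f|IP|port) of section 4 together with the RFC 3396 splitting of section 5. It assumes that l counts the octets that follow it (as the HTTP|7|0|192.168.5.10|8080 example in section 5 implies), that the "-" and "#" flags are carried as their ASCII codes, and uses a placeholder option code because IANA has not assigned one.

```python
import struct
import ipaddress

OPTION_CODE = 250           # placeholder: the draft's option code is still "TBD"
PROTO_HTTP, PROTO_FTP, PROTO_NNTP = 80, 21, 119        # numbers from the draft's table
FLAG_NONE, FLAG_EXCLUDE, FLAG_AUTH = 0x00, ord("-"), ord("#")   # assumed ASCII encoding
FLAG_NAMES = {FLAG_NONE: "proxy", FLAG_EXCLUDE: "exclude", FLAG_AUTH: "proxy+auth"}
MAX_OPTION_LEN = 255        # section 5: longer data uses the RFC 3396 encoding
KNOWN_PROTOS = (PROTO_HTTP, PROTO_FTP, PROTO_NNTP)


def encode_entry(proto, ip, port, flag=FLAG_NONE):
    """Build one p(2) | l(1) | f(1) | IPv4(4) | port(2) entry in network byte order."""
    if not 0 <= port <= 65535:
        raise ValueError("port must be a valid TCP/UDP port")
    if flag not in FLAG_NAMES:
        raise ValueError("flag must be 0, '-' or '#'")
    body = bytes([flag]) + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return struct.pack("!HB", proto, len(body)) + body       # l == 7, as in section 5


def split_option(data):
    """Return (code, len, data) triples: one option if the data fits in 255 octets,
    otherwise several instances whose data concatenates back together (RFC 3396)."""
    return [(OPTION_CODE, len(data[i:i + MAX_OPTION_LEN]), data[i:i + MAX_OPTION_LEN])
            for i in range(0, len(data), MAX_OPTION_LEN)]


def decode_entries(options):
    """Reassemble every instance of the option and walk the entries.

    Unknown protocols are skipped by their length field, as the draft requires, and
    returned as opaque data; an entry whose length runs past the end of the option
    data is rejected instead of being read out of bounds."""
    data = b"".join(chunk for code, _, chunk in options if code == OPTION_CODE)
    entries, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 3:
            raise ValueError("truncated entry header at offset %d" % pos)
        proto, length = struct.unpack_from("!HB", data, pos)
        body = data[pos + 3:pos + 3 + length]
        if len(body) != length:
            raise ValueError("entry length %d overruns the option data" % length)
        pos += 3 + length
        if proto not in KNOWN_PROTOS:
            entries.append({"proto": proto, "raw": body})    # skipped, kept opaque
            continue
        if length != 7:
            raise ValueError("fixed-format entry must be f|IP|port (7 octets)")
        flag, port = body[0], struct.unpack("!H", body[5:7])[0]
        if flag not in FLAG_NAMES:
            raise ValueError("unknown flag 0x%02x" % flag)
        entries.append({"proto": proto, "flag": FLAG_NAMES[flag],
                        "ip": str(ipaddress.IPv4Address(body[1:5])), "port": port})
    return entries


def sample_data():
    """Constructed aggregate: an HTTP proxy, an HTTP exclusion entry, an FTP proxy
    requiring authentication, and a 250-octet entry of an unassigned protocol that
    stands in for RDF metadata so the total exceeds one option's 255 octets."""
    return (encode_entry(PROTO_HTTP, "192.168.5.10", 8080)
            + encode_entry(PROTO_HTTP, "192.168.0.0", 0, FLAG_EXCLUDE)
            + encode_entry(PROTO_FTP, "192.168.5.11", 2121, FLAG_AUTH)
            + struct.pack("!HB", 9999, 250) + b"\x00" * 250)


def demo():
    """Split the sample into two option instances, then decode them as a client would."""
    return decode_entries(split_option(sample_data()))
```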
The following example shows how an RDF version of proxy server The following example shows how an RDF version of proxy server
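Review bot: every sample RDF document closes <dc:type> with </dc:subject>, so the metadata is not well-formed XML and a conforming parser will reject it; change the closing tag to </dc:type>. In section 5, "SHOULD not repeat the same type of proxy entries" should use the RFC 2119 capitalisation "SHOULD NOT", and it conflicts with the section 4 text that allows more than one proxy server for a given protocol; reconcile the two.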
skipping to change at page 6, line 41 skipping to change at page 6, line 39
Code Len Proto Len Code Len Proto Len
+-------+------+------+------+------+------+-....-+------+ +-------+------+------+------+------+------+-....-+------+
| TBD | 255 | RDF | 253 | RDF Meta Data.............| | TBD | 255 | RDF | 253 | RDF Meta Data.............|
+-------+------+------+------+------+------+-....-+------+ +-------+------+------+------+------+------+-....-+------+
Code Len Proto Len Code Len Proto Len
+-------+------+------+------+------+------+-....-+------+ +-------+------+------+------+------+------+-....-+------+
| TBD | 149 | RDF | 147 | RDF Meta Data.............| | TBD | 149 | RDF | 147 | RDF Meta Data.............|
+-------+------+------+------+------+------+-....-+------+ +-------+------+------+------+------+------+-....-+------+
The following example shows how the same RDF version of proxy The following example shows how a proxy server configuration entry
server configuration entry of 400 octets is represented in the of 400 octets is represented in RDF along with the normal
option along with a normal version (p|l|f|IP|port) of proxy (p|l|f|IP|port) format.
server configuration entry.
+---+---+----+-+-+-------------+----+---+---+...-+---+-----+ +---+---+----+-+-+-------------+----+---+---+...-+---+-----+
|TBD|255|HTTP|7|0|192.168.5.10 |8080|RDF|243| RDF Meta Data| |TBD|255|HTTP|7|0|192.168.5.10 |8080|RDF|243| RDF Meta Data|
+---+---+----+-+-+-------------+----+---+---+...-+---+-----+ +---+---+----+-+-+-------------+----+---+---+...-+---+-----+
+-------+------+------+------+------+------+-....-+------+ +-------+------+------+------+------+------+-....-+------+
| TBD | 159 | RDF | 157 | RDF Meta Data.............| | TBD | 159 | RDF | 157 | RDF Meta Data.............|
+-------+------+------+------+------+------+-....-+------+ +-------+------+------+------+------+------+-....-+------+
More than one RDF type of Proxy Server Configuration Entry MUST A Proxy Server Configuration Entry with more than one RDF type
not be sent in this option. This is because, the RDF Meta Data is of MUST not be sent in this option. This is because the RDF Meta
generally more than 255 octets and always require more than one Data is generally more than 255 octets and always requires more
option of this type as per [RFC-3396]. However, more than one proxy than one option of this type as per [RFC-3396]. However, more than one
server configuration (FTP, HTTP, SOCKS) can be specified with the proxy server configuration (FTP, HTTP, SOCKS) can be specified with
same RDF Meta Data as follows the same RDF Meta Data as follows:
HTTP and FTP Proxy HTTP and FTP Proxy
<?xml version="1.0"?> <?xml version="1.0"?>
<!DOCTYPE rdf:RDF [<!ENTITY xsd "http://www.w3.org/2001/XMLSchema#">]> <!DOCTYPE rdf:RDF [<!ENTITY xsd "http://www.w3.org/2001/XMLSchema#">]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:dc="http://purl.org/dc/elements/1.1/"> xmlns:dc="http://purl.org/dc/elements/1.1/">
<rdf:Description rdf:about="ftp://ftp-proxy.duke.edu:8080"> <rdf:Description rdf:about="http://http-proxy.example.com:8080">
<dc:title>License Gate FTP Proxy</dc:title> <dc:title>License Gate Proxy</dc:title>
<dc:creator>John Doe</dc:creator> <dc:creator>John Doe</dc:creator>
<dc:publisher>Duke OIT</dc:publisher> <dc:publisher>example.com IS</dc:publisher>
<dc:subject>Offsite Campus Resource Access Proxy</dc:subject> <dc:subject>Offsite Resource Access Proxy</dc:subject>
<dc:type>Service</dc:subject> <dc:type>Service</dc:subject>
<dc:rights>Current Duke faculty, staff, and students</dc:rights> <dc:rights>example.com employees</dc:rights>
<dc:date>2004-06-15</dc:date> <dc:date>2005-07-11</dc:date>
</rdf:Description> </rdf:Description>
<rdf:Description rdf:about="http://http-proxy.duke.edu:8080"> <rdf:Description rdf:about="ftp://ftp-proxy.example.com:8080">
<dc:title>License Gate Proxy</dc:title> <dc:title>License Gate FTP Proxy</dc:title>
<dc:creator>John Doe</dc:creator> <dc:creator>John Doe</dc:creator>
<dc:publisher>Duke OIT</dc:publisher> <dc:publisher>example.com IS</dc:publisher>
<dc:subject>Offsite Campus Resource Access Proxy</dc:subject> <dc:subject>Offsite Resource Access Proxy</dc:subject>
<dc:type>Service</dc:subject> <dc:type>Service</dc:subject>
<dc:rights>Current Duke faculty, staff, and students</dc:rights> <dc:rights>example.com employees</dc:rights>
<dc:date>2004-06-15</dc:date> <dc:date>2005-07-11</dc:date>
</rdf:Description> </rdf:Description>
</rdf:RDF> </rdf:RDF>
6. Security Considerations 6. Security Considerations
The DHCP Options defined here allow an intruder DHCP server to The DHCP Options defined here allow an intruder DHCP server to
misdirect a client, causing it to access a nonexistent or malicious misdirect a client, causing it to access a nonexistent or malicious
proxy server. This allows for a denial of service or man-in-the-middle proxy server. This allows for a denial of service or man-in-the-middle
attack. This is a well known property of the DCHP protocol; this option attacks. The latter security consideration is a well known property of
does not create any additional risk of such attacks. the DCHP protocol; this option does not create any additional risk
of such attacks.
DHCP provides an authentication mechanism, as described in [RFC-3118], DHCP provides an authentication mechanism, as described in [RFC-3118],
which may be used if authentication is required. which may be used if authentication is required.
7. IANA Considerations 7. IANA Considerations
IANA is requested to assign an option code to the Proxy Server IANA is requested to assign an option code to the Proxy Server
Configuration Option and protocol numbers for the SSL and RDF Configuration Option and protocol numbers for the SSL and RDF
protocol. protocol.
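Review bot: the Len arithmetic in the diagrams is off by one: with a two-octet Proto and a one-octet Len, "TBD | 255 | RDF | 253" needs 256 octets, and the same holds for 149 against 147 and 159 against 157. The diagrams also give each fragment of the 400-octet RDF metadata its own "RDF | len" header, whereas RFC 3396 concatenates the data of all instances, so the reassembled option would contain two RDF-typed entries, which the text forbids ("MUST not be sent in this option"); state the intended encoding. In Security Considerations, "DCHP" is a typo, and the claim of no additional risk should be qualified: a client that parses server-supplied XML, including the DOCTYPE and entity declarations shown in the samples, takes on parsing attack surface that plain IP/port options do not have, so implementations should be told to process the metadata with entity expansion and external references disabled.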
skipping to change at page 9, line 5 skipping to change at page 9, line 5
Protocol", Netscape Communications Corp., Nov 18, 1996. Protocol", Netscape Communications Corp., Nov 18, 1996.
[RFC-1625] M. St. Pierre, J. Fullton, K. Gamiel, J. Goldman, B. Kahle, [RFC-1625] M. St. Pierre, J. Fullton, K. Gamiel, J. Goldman, B. Kahle,
J. Kunze, H. Morris, F. Schiettecatte, "WAIS over Z39.50-1988", J. Kunze, H. Morris, F. Schiettecatte, "WAIS over Z39.50-1988",
RFC 1625, June 1994. RFC 1625, June 1994.
[RDF-SYN] Becket, D. and B. McBride, Ed., "RDF/XML Syntax Specification", [RDF-SYN] Becket, D. and B. McBride, Ed., "RDF/XML Syntax Specification",
W3C REC-rdf-syntax, February 2004, W3C REC-rdf-syntax, February 2004,
<http://www.w3.org/TR/rdf-syntax-grammar/>. <http://www.w3.org/TR/rdf-syntax-grammar/>.
Author's Address Authors' Addresses
Senthil K Balasubramanian Senthil K Balasubramanian
Intoto Software (I) Pvt Ltd Intoto Software (I) Pvt Ltd
Old No 3, New No 5, First Street, Old No 3, New No 5, First Street,
Nandanam Extension, Nandanam Extension,
Chennai, India 600 035 Chennai, India 600 035
Phone: +91 44 2827 5191 Phone: +91 44 5211 2783/4/5
EMail: ksenthil@intoto.com EMail: ksenthil@intoto.com
Michael Alexander Michael Alexander
Wirtschaftsuniversitaet Wien Wirtschaftsuniversitaet Wien
Augasse 2-6 Augasse 2-6
A-1090 Vienna, Austria A-1090 Vienna, Austria
Phone: +43 31336 4467 Phone: +43 31336 4467
Email: malexand@wu-wien.ac.at Email: malexand@wu-wien.ac.at
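Review bot: the [RDF-SYN] editor's name is spelled "Beckett"; "Becket" is a typo. The first page lists Gustaf Neumann as an author, but the Authors' Addresses section gives only two addresses; add the missing one.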
This html diff was produced by rfcdiff 1.25, available from http://www.levkowetz.com/ietf/tools/rfcdiff/