--- 1/draft-ietf-dhc-vpn-option-03.txt 2006-02-04 23:06:51.000000000 +0100 +++ 2/draft-ietf-dhc-vpn-option-04.txt 2006-02-04 23:06:51.000000000 +0100 @@ -1,266 +1,324 @@ +Network Working Group R. Johnson +Internet-Draft J. Kumarasamy +Expires: August 10, 2005 K. Kinnear + M. Stapp + Cisco + February 9, 2005 -Internet Engineering Task Force Richard Johnson -Internet Draft Kim Kinnear -Expiration: March 2005 Mark Stapp -File: draft-ietf-dhc-vpn-option-03.txt Jay Kumarasamy - Cisco Systems, Inc. - - DHCP VPN Information option - - - September 27, 2004 + Virtual Subnet Selection Option + draft-ietf-dhc-vpn-option-04.txt Status of this Memo - By submitting this Internet-Draft, I certify that any applicable - patent or other IPR claims of which I am aware have been disclosed, - or will be disclosed, and any of which I become aware will be - disclosed, in accordance with RFC 3668. - - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. + This document is an Internet-Draft and is subject to all provisions + of section 3 of RFC 3667. By submitting this Internet-Draft, each + author represents that any applicable patent or other IPR claims of + which he or she is aware have been or will be disclosed, and any of + which he or she become aware will be disclosed, in accordance with + RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. + other groups may also distribute working documents as + Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt + http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. + This Internet-Draft will expire on August 10, 2005. + Copyright Notice - Copyright (C) The Internet Society (2002). All Rights Reserved. + Copyright (C) The Internet Society (2005). Abstract - This memo defines a new DHCP option for passing VPN information - between the DHCP client and the DHCP server. It is intended for use - primarily by DHCP proxy clients in situations where VPN information - needs to be passed to the DHCP server for proper address allocation - to take place. + This memo defines a new DHCP option for passing Virtual Subnet + Selection (VSS) information between the DHCP client and the DHCP + server. It is intended for use primarily by DHCP proxy clients in + situations where VSS information needs to be passed to the DHCP + server for proper address allocation to take place. -1.0 Introduction + The option number currently in use is 221. This memo documents the + current usage of the option in agreement with RFC-3942[7] , which + declares that any pre-existing usages of option numbers in the range + 128 - 223 should be documented and the working group will try to + officially assign those numbers to those options. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. VSS Information Definition . . . . . . . . . . . . . . . . . 4 + 3. Security Considerations . . . . . . . . . . . . . . . . . . 6 + 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7 + 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 + 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8 + Intellectual Property and Copyright Statements . . . . . . . 10 + +1. Introduction There is a growing use of Virtual Private Network (VPN) configurations. The growth comes from many areas; individual client systems needing to appear to be on the home corporate network even when traveling, ISPs providing extranet connectivity for customer companies, etc. In some of these cases there is a need for the DHCP - server to know the VPN from which an address, and other resources, - should be allocated. + server to know the VPN (hereafter called a "Virtual Subject Selector" + or "VSS") from which an address, and other resources, should be + allocated. If the allocation is being done through a DHCP relay, then a relay suboption could be included. In some cases, however an IP address is being sought by a DHCP proxy on behalf of a client (would may be assigned the address via a different protocol). In this case, there - is a need to include VPN information relating to the client as a DHCP + is a need to include VSS information relating to the client as a DHCP option. A good example might be a dial-in aggregation device where PPP addresses are acquired via DHCP and then given to the remove customer system via IPCP. In a network where such a device is used to aggregate PPP dial-in from multiple companies, each company may be - assigned a unique VPN. + assigned a unique VSS. - This memo defines a new DHCP [2] option, the VPN Information option, - which allows the DHCP client to specify the VPN Information needed in + This memo defines a new DHCP [2] option, the VSS Information option, + which allows the DHCP client to specify the VSS Information needed in order to allocate an address. If the receiving DHCP server - understands the VPN Information option, this information may be used + understands the VSS Information option, this information may be used in conjunction with other information in determining the subnet on which to select an address as well as other information such as DNS server, default router, etc. -1.1 Conventions - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in RFC-2119 [3]. - -2.0 VPN Information Option Definition +2. VSS Information Definition - The VPN Information option is a DHCP option [3]. The option contains - generalized VPN information in one of two formats: NVT ASCII VPN + The VSS Information option is a DHCP option [3]. The option contains + generalized VSS information in one of two formats: NVT ASCII VPN identifier, or RFC2685 VPN-ID [4]. The format of the option is: - Code Len Type VPN Information octets + Code Len Type VSS Information octets +-----+-----+------+-----+-----+-----+--- - | TBD | n | t | v1 | v2 | v3 | ... + | 221 | n | t | v1 | v2 | v3 | ... +-----+-----+------+-----+-----+-----+--- Type: 0 NVT ASCII VPN identifier 1 RFC2685 VPN-ID 2-255 Not Allowed + Figure 1 + The option minimum length (n) is 2. - There are two types of identifiers which can be placed in the VPN + There are two types of identifiers which can be placed in the VSS Information Option. The first type of identifier which can be placed - in the VPN Information Option is an NVT ASCII string. It MUST NOT be + in the VSS Information Option is an NVT ASCII string. It MUST NOT be terminated with a zero byte. - The second type of identifier which can be placed in the VPN + The second type of identifier which can be placed in the VSS Information Option is an RFC2685 VPN-ID [4], which is typically 14 - hex digits in length (though it can be any length as far as the VPN + hex digits in length (though it can be any length as far as the VSS Information Option is concerned). If the type field is set to zero (0), it indicates that all following bytes of the option contain a NVT ASCII string. This string MUST NOT be terminated with a zero byte. If the type field is set to one (1), it indicates that all following bytes should be interpreted in agreement with [4] as a VPN Identifier, typically 14 hex digits. All other values of the type field are invalid as of this memo and - VPN options containing any other value than zero (0) or one (1) + VSS options containing any other value than zero (0) or one (1) SHOULD be ignored. - Any VPN information contained in a DHCP Relay Suboption SHOULD - override the information contained in this VPN Information option. + Any VSS information contained in a DHCP Relay Suboption SHOULD + override the information contained in this VSS Information option Servers configured to support this option MUST return an identical copy of the option to any client that sends it, regardless of whether or not the client requests the option in a parameter request list. Clients using this option MUST discard DHCPOFFER or DHCPACK packets that do not contain this option. This option provides the DHCP server additional information upon which to make a determination of address to be assigned. The DHCP server, if it is configure to support this option, should use this information in addition to other options included in the DHCPDISCOVER packet in order to assign an IP address for DHCP client. - In the event that a VPN Informmation Option and a VPN Information + In the event that a VSS Informmation Option and a VSS Information Relay Suboption are both received in a particular DHCP client packet, - the information from the VPN Information Suboption MUST be used in - preference to the information in the VPN Information Option. + the information from the VSS Information Suboption MUST be used in + preference to the information in the VSS Information Option. Servers that do not understand this option will allocate an address using their normal algorithms and will not return this option in the DHCPOFFER or DHCPACK. In this case the client will discard the DHCPOFFER or DHCPACK. Servers that understand this option but are administratively configured to ignore the option MUST ignore the option, use their normal algorithms to allocate an address, and MUST NOT return this option in the DHCPOFFER or DHCPACK. In this case the client will discard the DHCPOFFER or DHCPACK. In other words, this option MUST NOT appear in a DHCPOFFER from a server unless it was used by the server in making the address allocation requested. This option SHOULD NOT be used without also making use of the DHCP Authentication option [5]. -3.0 Security Considerations +3. Security Considerations Message authentication in DHCP for intradomain use where the out-of- band exchange of a shared secret is feasible is defined in [5]. Potential exposures to attack are discussed in section 7 of the DHCP protocol specification in [2]. - The VPN Information option could be used by a client in order to - obtain an IP address from a VPN other than the one where it should. + The VSS Information option could be used by a client in order to + obtain an IP address from a VSS other than the one where it should. DHCP relays MAY choose to remove the option before passing on DHCPDISCOVER packets. Another possible defense would be for the DHCP - relay to insert a Relay option containing a VPN Information - Suboption, which would override the DHCP VPN Information option. + relay to insert a Relay option containing a VSS Information + Suboption, which would override the DHCP VSS Information option. - This option would allow a client to perform a more complete address- - pool exhaustion attack since the client would no longer be restricted - to attacking address-pools on just its local subnet. + This option would allow a client to perform a more complete + address-pool exhaustion attack since the client would no longer be + restricted to attacking address-pools on just its local subnet. - Servers that implement the VPN Information option MUST by default + Servers that implement the VSS Information option MUST by default disable use of the feature; it must specifically be enabled through configuration. Moreover, a server SHOULD provide the ability to selectively enable use of the feature under restricted conditions, e.g., by enabling use of the option only from explicitly configured client-ids, enabling its use only by clients on a particular subnet, - or restricting the VPNs from which addresses may be requested. + or restricting the VSSs from which addresses may be requested. -4.0 IANA Considerations +4. IANA Considerations - IANA has assigned a value of TBD for the DHCP option code described - in this document. No assignment of values for the type field need be - made at this time. New values may only be defined by IETF Consensus, - as described in [6]. Basically, this means that they are defined by - RFCs approved by the IESG. + No assignment of values for the type field need be made at this time. + New values may only be defined by IETF Consensus, as described in + [6]. Basically, this means that they are defined by RFCs approved by + the IESG. Moreover, any changes or additions to the type byte codes MUST be - made concurrently in the type byte codes of the VPN Information - Option. The type bytes and data formats of the VPN Information - Option and VPN Information Suboption MUST always be identical. + made concurrently in the type byte codes of the VSS Information + Option. The type bytes and data formats of the VSS Information + Option and VSS Information Suboption MUST always be identical. -5.0 Acknowledgements +5. Acknowledgements This document is the result of work done within Cisco Systems. Thanks to Kim Kinnear, Mark Stapp, and Jay Kumarasamy for their work on this option definition and the other related work for which this is necessary. -Copyright notice - - Copyright (C) The Internet Society (2004). This document is subject - to the rights, licenses and restrictions contained in BCP 78, and - except as set forth therein, the authors retain all their rights. - - This document and the information contained herein are provided on an - "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS - OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET - ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, - INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE - INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -References +6 References - [1] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", RFC 2119, BCP 14, March 1997. + [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", RFC 2119, BCP 14, March 1997. - [2] Droms, R. "Dynamic Host Configuration Protocol", RFC 2131, + [2] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997. - [3] Alexander, S. and Droms, R., "DHCP Options and BOOTP Vendor + [3] Droms, R. and S. Alexander, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, March 1997. - [4] Fox, B. and Gleeson, B., "Virtual Private Networks - Identifier", RFC 2685, September 1999 + [4] Fox, B. and B. Gleeson, "Virtual Private Networks Identifier", + RFC 2685, September 1999. - [5] Droms, R. "Authentication for DHCP Messages", RFC 3118, - June 2001 + [5] Droms, R., "Authentication for DHCP Messages", RFC 3118, June + 2001. - [6] Narten, T. and Alvestrand, H., - "Guidelines for Writing an IANA Considerations Section in RFCs", - RFC 2434, October 1998 + [6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA + Considerations Section in RFCs", RFC 2434, October 1998. -Author Information: + [7] Volz, B., "Reclassifying Dynamic Host Configuration Protocol + version 4 (DHCPv4) Options", RFC 3942, November 2004. - Richard Johnson - Jay Kumarasamy +Authors' Addresses + + Richard A. Johnson Cisco Systems 170 W. Tasman Dr. San Jose, CA 95134 + US - Phone: (408) 526-4000 + Phone: +1 408 526 4000 + EMail: raj@cisco.com + Jay Kumarasamy + Cisco Systems + 170 W. Tasman Dr. + San Jose, CA 95134 + US + Phone: +1 408 526 4000 EMail: jayk@cisco.com - raj@cisco.com Kim Kinnear + Cisco Systems + 250 Apollo Drive + Chelmsford, MA 01824 + US + + Phone: +1 978 244 8000 + EMail: kkinnar@cisco.com + Mark Stapp Cisco Systems 250 Apollo Drive Chelmsford, MA 01824 + US - Phone: (978) 244-8000 + Phone: +1 978 244 8000 + EMail: mjs@cisco.com - EMail: kkinnear@cisco.com - mjs@cisco.com +Intellectual Property Statement + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Disclaimer of Validity + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Copyright Statement + + Copyright (C) The Internet Society (2005). This document is subject + to the rights, licenses and restrictions contained in BCP 78, and + except as set forth therein, the authors retain all their rights. + +Acknowledgment + + Funding for the RFC Editor function is currently provided by the + Internet Society.