draft-ietf-dhc-vpn-option-05.txt   draft-ietf-dhc-vpn-option-06.txt 
Network Working Group R. Johnson Network Working Group R. Johnson
Internet-Draft J. Kumarasamy Internet-Draft J. Kumarasamy
Expires: December 31, 2005 K. Kinnear Expires: October 14, 2007 K. Kinnear
M. Stapp M. Stapp
Cisco Cisco
June 29, 2005 April 12, 2007
Virtual Subnet Selection Option Virtual Subnet Selection Option
draft-ietf-dhc-vpn-option-05.txt draft-ietf-dhc-vpn-option-06.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 36 skipping to change at page 1, line 36
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 31, 2005. This Internet-Draft will expire on October 14, 2007.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The IETF Trust (2007).
Abstract Abstract
This memo defines a new DHCP option for passing Virtual Subnet This memo defines a new DHCP option for passing Virtual Subnet
Selection (VSS) information between the DHCP client and the DHCP Selection (VSS) information between the DHCP client and the DHCP
server. It is intended for use primarily by DHCP proxy clients in server. It is intended for use primarily by DHCP proxy clients in
situations where VSS information needs to be passed to the DHCP situations where VSS information needs to be passed to the DHCP
server for proper address allocation to take place. server for proper address allocation to take place.
The option number currently in use is 221. This memo documents the The option number currently in use is TBD. This memo documents the
current usage of the option in agreement with RFC-3942[7] , which current usage of the option in agreement with [7], which declares
declares that any pre-existing usages of option numbers in the range that any pre-existing usages of option numbers in the range 128 - 223
128 - 223 should be documented and the working group will try to should be documented and the working group will try to officially
officially assign those numbers to those options. assign those numbers to those options.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. VSS Information Definition . . . . . . . . . . . . . . . . . 4 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Security Considerations . . . . . . . . . . . . . . . . . . 6 3. VSS Information Definition . . . . . . . . . . . . . . . . . . 5
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8 7. Informative References . . . . . . . . . . . . . . . . . . . . 10
Intellectual Property and Copyright Statements . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
Intellectual Property and Copyright Statements . . . . . . . . . . 12
1. Introduction 1. Introduction
There is a growing use of Virtual Private Network (VPN) There is a growing use of Virtual Private Network (VPN)
configurations. The growth comes from many areas; individual client configurations. The growth comes from many areas; individual client
systems needing to appear to be on the home corporate network even systems needing to appear to be on the home corporate network even
when traveling, ISPs providing extranet connectivity for customer when traveling, ISPs providing extranet connectivity for customer
companies, etc. In some of these cases there is a need for the DHCP companies, etc. In some of these cases there is a need for the DHCP
server to know the VPN (hereafter called a "Virtual Subject Selector" server to know the VPN (hereafter called a "Virtual Subnet Selector"
or "VSS") from which an address, and other resources, should be or "VSS") from which an address, and other resources, should be
allocated. allocated.
If the allocation is being done through a DHCP relay, then a relay If the allocation is being done through a DHCP relay, then a relay
suboption could be included. In some cases, however an IP address is suboption could be included. In some cases, however an IP address is
being sought by a DHCP proxy on behalf of a client (would may be being sought by a DHCP proxy on behalf of a client (would may be
assigned the address via a different protocol). In this case, there assigned the address via a different protocol). In this case, there
is a need to include VSS information relating to the client as a DHCP is a need to include VSS information relating to the client as a DHCP
option. option.
skipping to change at page 4, line 5 skipping to change at page 4, line 5
assigned a unique VSS. assigned a unique VSS.
This memo defines a new DHCP [2] option, the VSS Information option, This memo defines a new DHCP [2] option, the VSS Information option,
which allows the DHCP client to specify the VSS Information needed in which allows the DHCP client to specify the VSS Information needed in
order to allocate an address. If the receiving DHCP server order to allocate an address. If the receiving DHCP server
understands the VSS Information option, this information may be used understands the VSS Information option, this information may be used
in conjunction with other information in determining the subnet on in conjunction with other information in determining the subnet on
which to select an address as well as other information such as DNS which to select an address as well as other information such as DNS
server, default router, etc. server, default router, etc.
2. VSS Information Definition 2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this
document are to be interpreted as described in [1].
3. VSS Information Definition
The VSS Information option is a DHCP option [3]. The option contains The VSS Information option is a DHCP option [3]. The option contains
generalized VSS information in one of two formats: NVT ASCII VPN generalized VSS information in one of two formats: NVT ASCII VPN
identifier, or RFC2685 VPN-ID [4]. identifier, or RFC2685 VPN-ID [4].
The format of the option is: The format of the option is:
Code Len Type VSS Information octets Code Len Type VSS Information octets
+-----+-----+------+-----+-----+-----+--- +-----+-----+------+-----+-----+-----+---
| 221 | n | t | v1 | v2 | v3 | ... | TBD | n | t | v1 | v2 | v3 | ...
+-----+-----+------+-----+-----+-----+--- +-----+-----+------+-----+-----+-----+---
Type: 0 NVT ASCII VPN identifier Type: 0 NVT ASCII VPN identifier
1 RFC2685 VPN-ID 1 RFC2685 VPN-ID
2-255 Not Allowed 2-255 Not Allowed
Figure 1 Figure 1
The option minimum length (n) is 2. The option minimum length (n) is 2.
skipping to change at page 4, line 41 skipping to change at page 5, line 41
The second type of identifier which can be placed in the VSS The second type of identifier which can be placed in the VSS
Information Option is an RFC2685 VPN-ID [4], which is typically 14 Information Option is an RFC2685 VPN-ID [4], which is typically 14
hex digits in length (though it can be any length as far as the VSS hex digits in length (though it can be any length as far as the VSS
Information Option is concerned). Information Option is concerned).
If the type field is set to zero (0), it indicates that all following If the type field is set to zero (0), it indicates that all following
bytes of the option contain a NVT ASCII string. This string MUST NOT bytes of the option contain a NVT ASCII string. This string MUST NOT
be terminated with a zero byte. be terminated with a zero byte.
If the type field is set to one (1), it indicates that all following If the type field is set to one (1), it indicates that all following
bytes should be interpreted in agreement with [4] as a VPN bytes should be interpreted in agreement with RFC2685 as a VPN
Identifier, typically 14 hex digits. Identifier, typically 14 hex digits.
All other values of the type field are invalid as of this memo and All other values of the type field are invalid as of this memo and
VSS options containing any other value than zero (0) or one (1) VSS options containing any other value than zero (0) or one (1)
SHOULD be ignored. SHOULD be ignored.
Any VSS information contained in a DHCP Relay Suboption SHOULD Any VSS information contained in a DHCP Relay Suboption SHOULD
override the information contained in this VSS Information option override the information contained in this VSS Information option.
[8]
Servers configured to support this option MUST return an identical Servers configured to support this option MUST return an identical
copy of the option to any client that sends it, regardless of whether copy of the option to any client that sends it, regardless of whether
or not the client requests the option in a parameter request list. or not the client requests the option in a parameter request list.
Clients using this option MUST discard DHCPOFFER or DHCPACK packets Clients using this option MUST discard DHCPOFFER or DHCPACK packets
that do not contain this option. that do not contain this option.
This option provides the DHCP server additional information upon This option provides the DHCP server additional information upon
which to make a determination of address to be assigned. The DHCP which to make a determination of address to be assigned. The DHCP
server, if it is configure to support this option, should use this server, if it is configure to support this option, should use this
skipping to change at page 5, line 30 skipping to change at page 7, line 5
using their normal algorithms and will not return this option in the using their normal algorithms and will not return this option in the
DHCPOFFER or DHCPACK. In this case the client will discard the DHCPOFFER or DHCPACK. In this case the client will discard the
DHCPOFFER or DHCPACK. Servers that understand this option but are DHCPOFFER or DHCPACK. Servers that understand this option but are
administratively configured to ignore the option MUST ignore the administratively configured to ignore the option MUST ignore the
option, use their normal algorithms to allocate an address, and MUST option, use their normal algorithms to allocate an address, and MUST
NOT return this option in the DHCPOFFER or DHCPACK. In this case the NOT return this option in the DHCPOFFER or DHCPACK. In this case the
client will discard the DHCPOFFER or DHCPACK. In other words, this client will discard the DHCPOFFER or DHCPACK. In other words, this
option MUST NOT appear in a DHCPOFFER from a server unless it was option MUST NOT appear in a DHCPOFFER from a server unless it was
used by the server in making the address allocation requested. used by the server in making the address allocation requested.
This option SHOULD NOT be used without also making use of the DHCP 4. Security Considerations
Authentication option [5].
3. Security Considerations
Message authentication in DHCP for intradomain use where the out-of- Message authentication in DHCP for intradomain use where the out-of-
band exchange of a shared secret is feasible is defined in [5]. band exchange of a shared secret is feasible is defined in [5].
Potential exposures to attack are discussed in section 7 of the DHCP Potential exposures to attack are discussed in section 7 of the DHCP
protocol specification in [2]. protocol specification in [2].
The VSS Information option could be used by a client in order to The VSS Information option could be used by a client in order to
obtain an IP address from a VSS other than the one where it should. obtain an IP address from a VSS other than the one where it should.
DHCP relays MAY choose to remove the option before passing on DHCP relays MAY choose to remove the option before passing on
DHCPDISCOVER packets. Another possible defense would be for the DHCP DHCPDISCOVER packets. Another possible defense would be for the DHCP
skipping to change at page 7, line 5 skipping to change at page 7, line 31
to attacking address-pools on just its local subnet. to attacking address-pools on just its local subnet.
Servers that implement the VSS Information option MUST by default Servers that implement the VSS Information option MUST by default
disable use of the feature; it must specifically be enabled through disable use of the feature; it must specifically be enabled through
configuration. Moreover, a server SHOULD provide the ability to configuration. Moreover, a server SHOULD provide the ability to
selectively enable use of the feature under restricted conditions, selectively enable use of the feature under restricted conditions,
e.g., by enabling use of the option only from explicitly configured e.g., by enabling use of the option only from explicitly configured
client-ids, enabling its use only by clients on a particular subnet, client-ids, enabling its use only by clients on a particular subnet,
or restricting the VSSs from which addresses may be requested. or restricting the VSSs from which addresses may be requested.
4. IANA Considerations This option SHOULD NOT be used without also making use of the DHCP
Authentication option [5].
No assignment of values for the type field need be made at this time. 5. IANA Considerations
New values may only be defined by IETF Consensus, as described in
[6]. Basically, this means that they are defined by RFCs approved by IANA is requested to assign option number 221 for this option, in
the IESG. accordance with [7]. Option 221 has been used for this option and
there were no conflicting users of option 221 identified during the
6-month notification period specified in [7]. No assignment of
values for the type field need be made at this time. New values may
only be defined by IETF Consensus, as described in [6]. Basically,
this means that they are defined by RFCs approved by the IESG.
Moreover, any changes or additions to the type byte codes MUST be Moreover, any changes or additions to the type byte codes MUST be
made concurrently in the type byte codes of the VSS Information made concurrently in the type byte codes of the VSS Information
Option. The type bytes and data formats of the VSS Information Option. The type bytes and data formats of the VSS Information
Option and VSS Information Suboption MUST always be identical. Option and VSS Information Suboption MUST always be identical.
5. Acknowledgements 6. Acknowledgements
This document is the result of work done within Cisco Systems. This document is the result of work done within Cisco Systems.
Thanks to Kim Kinnear, Mark Stapp, and Jay Kumarasamy for their work Thanks to Kim Kinnear, Mark Stapp, and Jay Kumarasamy for their work
on this option definition and the other related work for which this on this option definition and the other related work for which this
is necessary. is necessary.
6. References 7. Informative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, BCP 14, March 1997. Levels", BCP 14, RFC 2119, March 1997.
[2] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, [2] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
March 1997. March 1997.
[3] Droms, R. and S. Alexander, "DHCP Options and BOOTP Vendor [3] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, March 1997. Extensions", RFC 2132, March 1997.
[4] Fox, B. and B. Gleeson, "Virtual Private Networks Identifier", [4] Fox, B. and B. Gleeson, "Virtual Private Networks Identifier",
RFC 2685, September 1999. RFC 2685, September 1999.
[5] Droms, R., "Authentication for DHCP Messages", RFC 3118, [5] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
June 2001. RFC 3118, June 2001.
[6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA [6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
Considerations Section in RFCs", RFC 2434, October 1998. Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[7] Volz, B., "Reclassifying Dynamic Host Configuration Protocol [7] Volz, B., "Reclassifying Dynamic Host Configuration Protocol
version 4 (DHCPv4) Options", RFC 3942, November 2004. version 4 (DHCPv4) Options", RFC 3942, November 2004.
[8] Kinnear, K., "Virtual Subnet Selection Sub-Option for the Relay
Agent Information Option for DHCPv4",
draft-ietf-dhc-agent-vpn-id-04 (work in progress), March 2007.
Authors' Addresses Authors' Addresses
Richard A. Johnson Richard A. Johnson
Cisco Systems Cisco Systems
170 W. Tasman Dr. 170 W. Tasman Dr.
San Jose, CA 95134 San Jose, CA 95134
US US
Phone: +1 408 526 4000 Phone: +1 408 526 4000
Email: raj@cisco.com Email: raj@cisco.com
skipping to change at page 10, line 5 skipping to change at page 12, line 5
Mark Stapp Mark Stapp
Cisco Systems Cisco Systems
250 Apollo Drive 250 Apollo Drive
Chelmsford, MA 01824 Chelmsford, MA 01824
US US
Phone: +1 978 244 8000 Phone: +1 978 244 8000
Email: mjs@cisco.com Email: mjs@cisco.com
Intellectual Property Statement Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79. found in BCP 78 and BCP 79.
skipping to change at page 10, line 29 skipping to change at page 12, line 45
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at this standard. Please address the information to the IETF at
ietf-ipr@ietf.org. ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is provided by the IETF
Internet Society. Administrative Support Activity (IASA).
 End of changes. 25 change blocks. 
56 lines changed or deleted 71 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/