| draft-ietf-dhc-vpn-option-11.txt | draft-ietf-dhc-vpn-option-12.txt | |||
|---|---|---|---|---|
| DHC Working Group Kim Kinnear | DHC Working Group Kim Kinnear | |||
| Internet Draft Richard Johnson | Internet Draft Richard Johnson | |||
| Intended Status: Standards Track Mark Stapp | Intended Status: Standards Track Mark Stapp | |||
| Expires: September 4, 2009 Jay Kumarasamy | Expires: April 22, 2011 Cisco Systems | |||
| Cisco Systems | Jay Kumarasamy | |||
| March 4, 2009 | October 22, 2010 | |||
| Virtual Subnet Selection Options for DHCPv4 and DHCPv6 | Virtual Subnet Selection Options for DHCPv4 and DHCPv6 | |||
| <draft-ietf-dhc-vpn-option-11.txt> | <draft-ietf-dhc-vpn-option-12.txt> | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| skipping to change at page 1, line 34 | skipping to change at page 1, line 34 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on September 4, 2009 | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2009 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents in effect on the date of | Provisions Relating to IETF Documents | |||
| publication of this document (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | ||||
| include Simplified BSD License text as described in Section 4.e of | ||||
| the Trust Legal Provisions and are provided without warranty as | ||||
| described in the Simplified BSD License. | ||||
| This document may contain material from IETF Documents or IETF | ||||
| Contributions published or made publicly available before November | ||||
| 10, 2008. The person(s) controlling the copyright in some of this | ||||
| material may not have granted the IETF Trust the right to allow | ||||
| modifications of such material outside the IETF Standards Process. | ||||
| Without obtaining an adequate license from the person(s) controlling | ||||
| the copyright in such materials, this document may not be modified | ||||
| outside the IETF Standards Process, and derivative works of it may | ||||
| not be created outside the IETF Standards Process, except to format | ||||
| it for publication as an RFC or to translate it into languages other | ||||
| than English. | ||||
| Abstract | Abstract | |||
| This memo defines a Virtual Subnet Selection (VSS) option for DHCPv4 | This memo defines a Virtual Subnet Selection (VSS) option for each of | |||
| and DHCPv6, and a DHCPv4 relay-agent-information sub-option. These | DHCPv4 and DHCPv6, and a VSS sub-option carried in the DHCPv4 relay- | |||
| are intended for use by DHCP clients, relay agents, and proxy clients | agent-information option. These are intended for use by DHCP | |||
| in situations where VSS information needs to be passed to the DHCP | clients, relay agents, and proxy clients in situations where VSS | |||
| server for proper address or prefix allocation to take place. | information needs to be passed to the DHCP server for proper address | |||
| or prefix allocation to take place. | ||||
| For the DHCPv4 option and relay-agent-information sub-option, this | For the DHCPv4 option and relay-agent-information sub-option, this | |||
| memo documents existing usage as per RFC 3942 [RFC3942]. | memo documents existing usage as per RFC 3942 [RFC3942]. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction................................................. 2 | 1. Introduction................................................. 3 | |||
| 2. Terminology.................................................. 3 | 2. Terminology.................................................. 4 | |||
| 3. Virtual Subnet Selection Option and Sub-Option Definitions... 5 | 3. Virtual Subnet Selection Option and Sub-Options Definitions.. 5 | |||
| 3.1. DHCPv4 Virtual Subnet Selection Option..................... 5 | 3.1. DHCPv4 Virtual Subnet Selection Option..................... 5 | |||
| 3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 5 | 3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 6 | |||
| 3.3. DHCPv6 Virtual Subnet Selection Option..................... 6 | 3.3. DHCPv6 Virtual Subnet Selection Option..................... 6 | |||
| 3.4. Virtual Subnet Selection Type and Information.............. 6 | 3.4. Virtual Subnet Selection Type and Information.............. 7 | |||
| 4. Overview of Virtual Subnet Selection Usage................... 7 | 4. Overview of Virtual Subnet Selection Usage................... 8 | |||
| 5. Relay Agent Behavior......................................... 10 | 4.1. VPN assignment by the DHCP relay agent..................... 9 | |||
| 5.1. VPN assignment by the DHCP server.......................... 12 | 4.2. VPN assignment by the DHCP server.......................... 12 | |||
| 5.2. DHCP Leasequery............................................ 13 | 4.3. Required Support........................................... 14 | |||
| 6. Client Behavior.............................................. 13 | 4.4. Alternative VPN assignment approaches...................... 14 | |||
| 7. Server Behavior.............................................. 14 | 5. Relay Agent Behavior......................................... 14 | |||
| 7.1. Returning the DHCPv4 or DHCPv6 Option...................... 15 | 5.1. VPN assignment by the DHCP server.......................... 16 | |||
| 7.2. Returning the DHCPv4 Sub-Option............................ 15 | 5.2. DHCP Leasequery............................................ 17 | |||
| 7.3. Making sense of conflicting VSS information................ 16 | 6. Client Behavior.............................................. 17 | |||
| 8. Security..................................................... 16 | 7. Server Behavior.............................................. 18 | |||
| 9. IANA Considerations.......................................... 17 | 7.1. Returning the DHCPv4 or DHCPv6 Option...................... 19 | |||
| 10. Acknowledgments............................................. 18 | 7.2. Returning the DHCPv4 Sub-Option............................ 20 | |||
| 11. References.................................................. 18 | 7.3. Making sense of conflicting VSS information................ 21 | |||
| 11.1. Normative References...................................... 18 | 8. Security..................................................... 21 | |||
| 11.2. Informative References.................................... 19 | 9. IANA Considerations.......................................... 22 | |||
| 12. Authors' Addresses.......................................... 20 | 10. Acknowledgments............................................. 23 | |||
| 11. References.................................................. 23 | ||||
| 11.1. Normative References...................................... 23 | ||||
| 11.2. Informative References.................................... 24 | ||||
| 1. Introduction | 1. Introduction | |||
| There is a growing use of Virtual Private Network (VPN) | There is a growing use of Virtual Private Network (VPN) | |||
| configurations. The growth comes from many areas; individual client | configurations. The growth comes from many areas; individual client | |||
| systems needing to appear to be on the home corporate network even | systems needing to appear to be on the home corporate network even | |||
| when traveling, ISPs providing extranet connectivity for customer | when traveling, ISPs providing extranet connectivity for customer | |||
| companies, etc. In some of these cases there is a need for the DHCP | companies, etc. In some of these cases there is a need for the DHCP | |||
| server to know the VPN (hereafter called a "Virtual Subnet Selector" | server to know the VPN (hereafter called a "Virtual Subnet Selector" | |||
| or "VSS") from which an address, and other resources, should be | or "VSS") from which an address, and other resources, should be | |||
| allocated. | allocated. | |||
| This memo defines a Virtual Subnet Selection (VSS) option for DHCPv4 | This memo defines a Virtual Subnet Selection (VSS) option for each of | |||
| and DHCPv6, and a DHCPv4 relay-agent-information sub-option. These | DHCPv4 and DHCPv6, and a VSS sub-option carried in the DHCPv4 relay- | |||
| are intended for use by DHCP clients, relay agents, and proxy clients | agent-information option. These are intended for use by DHCP | |||
| in situations where VSS information needs to be passed to the DHCP | clients, relay agents, and proxy clients in situations where VSS | |||
| server for proper address or prefix allocation to take place. If the | information needs to be passed to the DHCP server for proper address | |||
| receiving DHCP server understands the VSS option or sub-option, this | or prefix allocation to take place. If the receiving DHCP server | |||
| information may be used in conjunction with other information in | understands the VSS option or sub-option, this information may be | |||
| determining the subnet on which to select an address as well as other | used in conjunction with other information in determining the subnet | |||
| information such as DNS server, default router, etc. | on which to select an address as well as other information such as | |||
| DNS server, default router, etc. | ||||
| If the allocation is being done through a DHCPv4 relay, then the | If the allocation is being done through a DHCPv4 relay, then the | |||
| relay sub-option defined here should be included. In some cases, | relay sub-option defined here should be included. In some cases, | |||
| however an IP address is being sought by a DHCPv4 proxy on behalf of | however, an IP address is being sought by a DHCPv4 proxy on behalf of | |||
| a client (which may be assigned the address via a different | a client (which may be assigned the address via a different | |||
| protocol). In this case, there is a need to include VSS information | protocol). In this case, there is a need to include VSS information | |||
| relating to the client as a DHCPv4 option. | relating to the client as a DHCPv4 option. | |||
| If the allocation is being done through a DHCPv6 relay, then the | If the allocation is being done through a DHCPv6 relay, then the | |||
| DHCPv6 VSS option defined in this document should be included in the | DHCPv6 VSS option defined in this document should be included in the | |||
| Relay-forward and Relay-reply message going between the DHCPv6 relay | Relay-forward and Relay-reply message going between the DHCPv6 relay | |||
| and server. In some cases, addresses or prefixes are being sought by | and server. In some cases, addresses or prefixes are being sought by | |||
| a DHCPv6 proxy on behalf of a client. In this case, there is a need | a DHCPv6 proxy on behalf of a client. In this case, there is a need | |||
| for the client itself to supply the VSS information using the DHCPv6 | for the client itself to supply the VSS information using the DHCPv6 | |||
| VSS option in the messages that it sends to the DHCPv6 server. | VSS option in the messages that it sends to the DHCPv6 server. | |||
| In the remaining text of this document, when a DHCPv6 address is | In the remaining text of this document, when a DHCPv6 address is | |||
| indicated the same information applies to DHCPv6 Prefix Delegation | indicated the same information applies to DHCPv6 Prefix Delegation | |||
| [RFC3633] as well. | [RFC3633] as well. | |||
| In the remaining text of this document, when the term VSS sub-option | ||||
| is used, it refers to the VSS sub-option carried in the DHCPv4 | ||||
| relay-agent-information option. | ||||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| This document uses the following terms: | This document uses the following terms: | |||
| o "DHCP client" | o "DHCP client" | |||
| skipping to change at page 4, line 37 | skipping to change at page 5, line 11 | |||
| As used in this document, a DHCPv4 sub-option refers to a sub- | As used in this document, a DHCPv4 sub-option refers to a sub- | |||
| option of the relay-agent-information option [RFC3046]. These | option of the relay-agent-information option [RFC3046]. These | |||
| sub-options have one-octet code and size fields. | sub-options have one-octet code and size fields. | |||
| o "DHCPv6 option" | o "DHCPv6 option" | |||
| An option used to implement a capability defined by the DHCPv6 | An option used to implement a capability defined by the DHCPv6 | |||
| RFC [RFC3315]. These options have two-octet code and size | RFC [RFC3315]. These options have two-octet code and size | |||
| fields. | fields. | |||
| o "downstream" | o "Global VPN" | |||
| Downstream is the direction from the access concentrator towards | ||||
| the subscriber. | ||||
| o "upstream" | ||||
| Upstream is the direction from the subscriber towards the access | Indicates that the address being described belongs to the set of | |||
| concentrator. | addresses not part of any VPN. In other words, the normal | |||
| address space operated on by DHCP. This includes private | ||||
| addresses, for example the 10.x.x.x addresses as well as the | ||||
| other private subnets that are not routed on the open internet. | ||||
| o "VSS information" | o "VSS information" | |||
| Information about a VPN necessary to allocate an address to a | Information about a VPN necessary to allocate an address to a | |||
| DHCP client on that VPN and necessary to forward a DHCP reply | DHCP client on that VPN and necessary to forward a DHCP reply | |||
| packet to a DHCP client on that VPN. | packet to a DHCP client on that VPN. | |||
| o "VPN" | o "VPN" | |||
| Virtual private network. A network which appears to the client | Virtual private network. A network which appears to the client | |||
| to be a private network. | to be a private network. | |||
| o "VPN Identifier" | o "VPN Identifier" | |||
| The VPN-ID is defined by [RFC2685] to be a sequence of 7 octets. | The VPN-ID is defined by [RFC2685] to be a sequence of 7 octets. | |||
| 3. Virtual Subnet Selection Option and Sub-Option Definitions | 3. Virtual Subnet Selection Option and Sub-Options Definitions | |||
| The Virtual Subnet Selection options and sub-option contain a | The Virtual Subnet Selection options and sub-options contain a | |||
| generalized way to specify the VSS information about a VPN. There | generalized way to specify the VSS information about a VPN. There | |||
| are two options and one sub-option defined in this section. The | are two options and one sub-option defined in this section. The | |||
| actual VSS information is identical in each. | actual VSS information is identical in each. | |||
| 3.1. DHCPv4 Virtual Subnet Selection Option | 3.1. DHCPv4 Virtual Subnet Selection Option | |||
| The format of the option is: | The format of the option is: | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| skipping to change at page 7, line 9 | skipping to change at page 7, line 28 | |||
| 3.4. Virtual Subnet Selection Type and Information | 3.4. Virtual Subnet Selection Type and Information | |||
| All of the (sub)options defined above carry identical payloads, | All of the (sub)options defined above carry identical payloads, | |||
| consisting of a type and additional VSS information as follows: | consisting of a type and additional VSS information as follows: | |||
| Type VSS Information format: | Type VSS Information format: | |||
| 0 NVT ASCII VPN identifier | 0 NVT ASCII VPN identifier | |||
| 1 RFC2685 VPN-ID | 1 RFC2685 VPN-ID | |||
| 2-254 Not Allowed | 2-252 Reserved | |||
| 253 CONTROL (DHCPv4 VSS sub-option only) | ||||
| 254 Reserved | ||||
| 255 Global, default VPN. | 255 Global, default VPN. | |||
| o Type 0 -- NVT ASCII VPN identifier | o Type 0 -- NVT ASCII VPN identifier | |||
| Indicates that the VSS information consists of a NVT ASCII | Indicates that the VSS information consists of a NVT ASCII | |||
| string. It MUST NOT be terminated with a zero byte. | string. It MUST NOT be terminated with a zero byte. | |||
| o Type 1 -- RFC2685 VPN-ID | o Type 1 -- RFC2685 VPN-ID | |||
| Indicates that the VSS information consists of an RFC2685 VPN-ID | Indicates that the VSS information consists of an RFC2685 VPN-ID | |||
| [RFC2685], which is defined to be 7 octets in length. | [RFC2685], which is defined to be 7 octets in length. | |||
| o Type 253 -- CONTROL | ||||
| This is only valid for the DHCPv4 relay-agent-information option | ||||
| sub-option. It indicates that another DHCPV4 VSS sub-option is | ||||
| present in the relay-agent-information option. The sub-option | ||||
| with type CONTROL MUST be removed by any DHCPv4 server which | ||||
| successfully processes the information in the other DHCPv4 sub- | ||||
| option with valid VSS information. In this case, there MUST NOT | ||||
| be any VSS Information included in the sub-option, and the | ||||
| length of the VSS sub-option MUST be 1. | ||||
| o Type 255 -- Global, default VPN | o Type 255 -- Global, default VPN | |||
| Indicates that there is no explicit, non-default VSS information | Indicates that there is no explicit, non-default VSS information | |||
| but rather that this option references the normal, global, | but rather that this option references the normal, global, | |||
| default address space. In this case, there MUST NOT be any VSS | default address space. In this case, there MUST NOT be any VSS | |||
| Information and the length of the VSS option MUST be 1. | Information included in the VSS option or sub-option and the | |||
| length of the MUST be 1. | ||||
| All other values of the Type field are invalid as of this memo and | All other values of the Type field are reserved. | |||
| a VSS option with a Type field containing any value other than | ||||
| zero (0), one (1), or 255 SHOULD be ignored. | ||||
| 4. Overview of Virtual Subnet Selection Usage | 4. Overview of Virtual Subnet Selection Usage | |||
| At the highest level, the VSS option or sub-option determines the VPN | At the highest level, the VSS option or sub-option determines the VPN | |||
| on which a DHCP client is supposed to receive an IP address. How the | on which a DHCP client is supposed to receive an IP address. How the | |||
| option or sub-option is entered and processed is discussed below, but | option or sub-option is entered and processed is discussed below, but | |||
| the point of all of the discussion is to determine the VPN on which | the point of all of the discussion is to determine the VPN on which | |||
| the DHCP client resides. This will affect a relay agent, in that it | the DHCP client resides. This will affect a relay agent, in that it | |||
| will have to ensure that DHCP packets sent to and received from the | will have to ensure that DHCP packets sent to and received from the | |||
| DHCP client flow over the correct VPN. This will affect the DHCP | DHCP client flow over the correct VPN. This will affect the DHCP | |||
| skipping to change at page 8, line 16 | skipping to change at page 8, line 50 | |||
| information, each VPN defines a new address space inside the server, | information, each VPN defines a new address space inside the server, | |||
| one distinct from the global or default IP address space. A server | one distinct from the global or default IP address space. A server | |||
| which supports the VSS option or sub-option thereby supports | which supports the VSS option or sub-option thereby supports | |||
| allocation of IP addresses from multiple different VPNs. Supporting | allocation of IP addresses from multiple different VPNs. Supporting | |||
| IP address allocation from multiple different VPNs means that the | IP address allocation from multiple different VPNs means that the | |||
| DHCP server must be prepared to configure multiple different address | DHCP server must be prepared to configure multiple different address | |||
| spaces (one per distinct VPN) and allocate IP addresses from these | spaces (one per distinct VPN) and allocate IP addresses from these | |||
| different address spaces. | different address spaces. | |||
| These address spaces are typically independent, so that the same IP | These address spaces are typically independent, so that the same IP | |||
| address could be allocated to one client in the global, default VPN, | address (consisting of the same string of bytes) could be allocated | |||
| and to a different client residing in a different VPN. There is no | to one client in the global, default VPN, and to a different client | |||
| conflict in this allocation, since the clients have essentially | residing in a different VPN. There is no conflict in this | |||
| different IP addresses. The IPv4 or IPv6 address is qualified by the | allocation, since the clients have essentially different addresses, | |||
| VPN. | even though these addresses consist of the same string of bytes, | |||
| because the IPv4 or IPv6 address is qualified by the VPN. | ||||
| Thus a VSS option or sub-option is a way of signaling the use of a | Thus a VSS option or sub-option is a way of signaling the use of a | |||
| VPN other than the global or default VPN. The next question is: who | VPN other than the global or default VPN. The next question is: who | |||
| decides what VPN a DHCP client should be using? | decides what VPN a DHCP client should be using? | |||
| There are three entities which can either insert a VSS option or | There are three entities which can either insert a VSS option or | |||
| sub-option into a DHCPv4 packet or DHCPv6 message; a DHCP client, a | sub-option into a DHCPv4 packet or DHCPv6 message; a DHCP client, a | |||
| relay agent, or a DHCPv4 or DHCPv6 server. While all of these | relay agent, or a DHCPv4 or DHCPv6 server. While all of these | |||
| entities could include a different VSS option or sub-option in every | entities could include a different VSS option or sub-option in every | |||
| request or response, this situation is neither typical nor useful. | request or response, this situation is neither typical nor useful. | |||
| There are two known paradigms for use of the VSS option or sub- | There are two known paradigms for use of the VSS option or sub- | |||
| option, which are discussed below. | option, which are discussed below. | |||
| 4.1. VPN assignment by the DHCP relay agent | ||||
| The typical use of the VSS option or sub-option is for the relay | The typical use of the VSS option or sub-option is for the relay | |||
| agent to know the VPN on which the DHCP client is operating. The | agent to know the VPN on which the DHCP client is operating. The | |||
| DHCP client itself does not, in this scenario, know the VPN on which | DHCP client itself does not, in this approach, know the VPN on which | |||
| it resides. The relay agent is responsible for mediating the access | it resides. The relay agent is responsible for mediating the access | |||
| between the VPN on which the DHCP client resides and the DHCP server. | between the VPN on which the DHCP client resides and the DHCP server. | |||
| In this situation, the relay agent will insert a VSS sub-option into | In this situation, the relay agent will insert two DHCPv4 VSS sub- | |||
| the relay-agent-information option (for DHCPv4) or a VSS option into | options (one with valid VSS information, and one with type CONTROL) | |||
| the Relay-forward message (for DHCPv6) of every request it forwards | into the relay-agent-information option or a DHCPv6 VSS option into | |||
| from the DHCP client. The server will use the VSS option or sub- | the Relay-forward message of every request it forwards from the DHCP | |||
| option to determine the VPN on which the client resides, and use that | client. The server will use the VSS option or sub-option to | |||
| VPN information to select the address space within its configuration | determine the VPN on which the client resides, and use that VPN | |||
| from which to allocate an IP address to the DHCP client. | information to select the address space within its configuration from | |||
| which to allocate an IP address to the DHCP client. | ||||
| In this scenario, the relay agent might also send a VSS option or | When, using this approach, a DHCPv4 relay agent inserts a VSS sub- | |||
| option with containing VSS information it MUST also insert a VSS | ||||
| sub-option containing type CONTROL, no additional VSS information, | ||||
| and a length of 1. This is to allow determination of whether or not | ||||
| the DHCPv4 server actually processes the VSS information provided by | ||||
| the DHCPv4 relay agent. If the DHCPv4 server supports the VSS | ||||
| capabilities described in this document, it will remove the VSS sub- | ||||
| option with type CONTROL from the relay-agent-information option that | ||||
| it returns to the DHCPv4 relay agent. See Section 5 for more | ||||
| information. | ||||
| In this approach, the relay agent might also send a VSS option or | ||||
| sub-option in either a DHCPv4 or DHCPv6 Leasequery request, but in | sub-option in either a DHCPv4 or DHCPv6 Leasequery request, but in | |||
| this case, it would use the VSS option in the Leasequery request to | this case, it would use the VSS option in the Leasequery request to | |||
| select the correct address space for the Leasequery. In this | select the correct address space for the Leasequery. In this | |||
| scenario, the relay agent would be acting as a DHCP client from a | approach, the relay agent would be acting as a DHCP client from a | |||
| Leasequery standpoint, but it would not be as if a DHCP client were | Leasequery standpoint, but it would not be as if a DHCP client were | |||
| sending in a VSS option in a standard DHCP address allocation | sending in a VSS option in a standard DHCP address allocation | |||
| request, say a DHCPDISCOVER. | request, say a DHCPDISCOVER. | |||
| In this scenario, only one relay agent would mediate the VPN access | In this approach, only one relay agent would mediate the VPN access | |||
| for the DHCP client to the DHCP server, and it would be the relay | for the DHCP client to the DHCP server, and it would be the relay | |||
| agent which inserts the VSS information into the request packet and | agent which inserts the VSS information into the request packet and | |||
| would remove it prior to forwarding the response packet on. | would remove it prior to forwarding the response packet on. | |||
| In the diagram below is an example of a DHCPv4 client, DHCPv4 relay | ||||
| agent, and DHCPv4 server. The DHCPv6 situation is similar, but uses | ||||
| the DHCPv6 VSS option. | ||||
| DHCPv4 | ||||
| DHCPv4 Relay DHCPv4 | ||||
| Client Agent Server | ||||
| | | | | ||||
| | >--DHCPDISCOVER--> | | | ||||
| | on VRF "abc" | | | ||||
| | | >--DHCPDISCOVER----> | | ||||
| | | relay-agent-info: | | ||||
| | | VSS type VRF:"abc"| | ||||
| | | VSS type CONTROL | | ||||
| | | | | ||||
| | | <----DHCPOFFER-----< | | ||||
| | | relay-agent-info: | | ||||
| | | VSS type VRF:"abc"| | ||||
| | | | | ||||
| | <---DHCPOFFER----< | | | ||||
| | on VRF "abc" | | | ||||
| | | | | ||||
| | >--DHCPREQUEST---> | | | ||||
| | on VRF "abc" | | | ||||
| | | >--DHCPREQUEST-----> | | ||||
| | | relay-agent-info: | | ||||
| | | VSS type VRF:"abc"| | ||||
| | | VSS type CONTROL | | ||||
| | | | | ||||
| | | <----DHCPACK-------< | | ||||
| | | relay-agent-info: | | ||||
| | | VSS type VRF:"abc"| | ||||
| | | | | ||||
| | <---DHCPACK------< | | | ||||
| | on VRF "abc" | | | ||||
| | | | | ||||
| ... ... ... | ||||
| Figure 4.1-1: DHCPv4 - Relay Agent knows VPN | ||||
| The DHCP server would know that it should respond to VPN information | The DHCP server would know that it should respond to VPN information | |||
| specified in a VSS option or sub-option, and it would be configured | specified in a VSS option or sub-option, and it would be configured | |||
| with appropriate VPN address spaces to service the projected client | with appropriate VPN address spaces to service the projected client | |||
| requirements. Thus, in this common scenario, the DHCP client knows | requirements. Thus, in this common approach, the DHCP client knows | |||
| nothing of any VPN access, the relay agent has been configured in | nothing of any VPN access, the relay agent has been configured in | |||
| some way that allows it to determine the VPN of the DHCP client and | some way that allows it to determine the VPN of the DHCP client and | |||
| transmit that using a VSS option or sub-option to the DHCP server, | transmit that using a VSS option or sub-option to the DHCP server, | |||
| and the DHCP server responds to the VPN specified by the relay agent. | and the DHCP server responds to the VPN specified by the relay agent. | |||
| There is no conflict between different entities trying to specify | There is no conflict between different entities trying to specify | |||
| different VSS information -- each entity knows its role through | different VSS information -- each entity knows its role through | |||
| policy or configuration external to this document. | policy or configuration external to this document. | |||
| It is important to ensure that each entity in this scenario both | If any mis-configuration exists, it SHOULD result in a DHCP client | |||
| supports the VSS option and sub-option (for DHCPv4) or the VSS option | being unable to acquire an IP address. For instance, a relay agent | |||
| (for DHCPv6), and that it is configured correctly. Deploying relay | which supports VPN access SHOULD couple transmission of VSS options | |||
| agents which support and emit VSS sub-options in concert with DHCPv4 | or sub-options to the configuration of VPN support, and not allow one | |||
| servers which do not support the VSS option or sub-option as defined | without the other. | |||
| in this document SHOULD NOT be done, as such an ensemble will not | ||||
| operate correctly together because all of the IP addresses will be | ||||
| allocated from the global or default VPN regardless of the VPN on | ||||
| which the client's reside. | ||||
| In the second scenario, the DHCP server would be configured in some | It is important to ensure that the relay agent and DHCP server both | |||
| way to know the VPN on which a particular DHCP client should be given | support the VSS option and sub-option (for DHCPv4) or the VSS option | |||
| (for DHCPv6). Deploying DHCPv4 relay agents which support and emit | ||||
| VSS sub-options in concert with DHCPv4 servers which do not support | ||||
| the VSS option or sub-option as defined in this document SHOULD NOT | ||||
| be done, as such an ensemble will not operate correctly. Should this | ||||
| situation occur, however, the relay agent can detect the problem | ||||
| (since the VSS sub-option with type CONTROL will appear in the | ||||
| packets it receives from the DHCPv4 server), and it can issue | ||||
| appropriate diagnostic messages. | ||||
| 4.2. VPN assignment by the DHCP server | ||||
| In this approach, the DHCP server would be configured in some way to | ||||
| know the VPN on which a particular DHCP client should be given | ||||
| access. The DHCP server would in this case include the VSS sub- | access. The DHCP server would in this case include the VSS sub- | |||
| option in the relay-agent-information option for DHCPv4 or the VSS | option in the relay-agent-information option for DHCPv4 or the VSS | |||
| option in the Relay-reply message for DHCPv6. The relay agent | option in the Relay-reply message for DHCPv6. The relay agent | |||
| responsible for mediating VPN access would use this information to | responsible for mediating VPN access would use this information to | |||
| select the correct VPN for the DHCP client. In the event that there | select the correct VPN for the DHCP client. In the unusal event that | |||
| were more than one relay agent involved in this transaction, some | there were more than one relay agent involved in this transaction, | |||
| external configuration or policy would be needed to inform the DHCPv6 | some external configuration or policy would be needed to inform the | |||
| server into which Relay-reply message the VSS option should go. | DHCPv6 server into which Relay-reply message the VSS option should | |||
| go. | ||||
| Once the relay agent has placed the DHCP client into the proper VPN, | Once the relay agent has placed the DHCP client into the proper VPN, | |||
| it SHOULD begin including VSS information in requests that it | it SHOULD begin including VSS information in requests that it | |||
| forwards to the DHCP server. Since this information does not | forwards to the DHCP server. Since this information does not | |||
| conflict with the DHCP server's idea of the proper VPN for the | conflict with the DHCP server's idea of the proper VPN for the | |||
| client, everything works correctly. | client, everything works correctly. | |||
| In this second scenario, the DHCP client is again unaware of any VPN | The diagram below shows this approach using DHCPv4. The DHCPv6 | |||
| situation is similar, but uses the DHCPv6 VSS option instead. | ||||
| DHCPv4 | ||||
| DHCPv4 Relay DHCPv4 | ||||
| Client Agent Server | ||||
| | | | | ||||
| | >--DHCPDISCOVER--> | | | ||||
| | on unknown VPN | | | ||||
| | | >--DHCPDISCOVER----> | | ||||
| | | | | ||||
| | | <----DHCPOFFER-----< | | ||||
| | | relay-agent-info: | | ||||
| | | VSS type VRF:"abc"| | ||||
| | | | | ||||
| | <---DHCPOFFER----< | | | ||||
| | on VRF "abc" | | | ||||
| | | | | ||||
| | >--DHCPREQUEST---> | | | ||||
| | on VRF "abc" | | | ||||
| | | >--DHCPREQUEST-----> | | ||||
| | | relay-agent-info: | | ||||
| | | VSS type VRF:"abc"| | ||||
| | | VSS type CONTROL | | ||||
| | | | | ||||
| | | <----DHCPACK-------< | | ||||
| | | relay-agent-info: | | ||||
| | | VSS type VRF:"abc"| | ||||
| | | | | ||||
| | <---DHCPACK------< | | | ||||
| | on VRF "abc" | | | ||||
| | | | | ||||
| | | | | ||||
| ... ... ... | ||||
| Figure 4.2-1: DHCPv4 - DHCPv4 Server knows VPN | ||||
| In this approach, the DHCP client is again unaware of any VPN | ||||
| activity. In this case, however, the DHCP server knows the VPN for | activity. In this case, however, the DHCP server knows the VPN for | |||
| the client, and the relay agent responds to the VSS information | the client, and the relay agent responds to the VSS information | |||
| specified by the DHCP server. Similar to the first scenario, each | specified by the DHCP server. Similar to the previous approach, each | |||
| entity knows its role through a means external to this document and | entity knows its role through a means external to this document and | |||
| no two entities try to specify VSS information in conflict. | no two entities try to specify VSS information in conflict. | |||
| Again, in this scenario, it is important that both the relay agent as | It is important that both the relay agent as well as the DHCP server | |||
| well as the DHCP server both support the VSS option and sub-option | both support the VSS option and sub-option (for DHCPv4) and the VSS | |||
| (for DHCPv4) and the VSS option (for DHCPv6). Deploying and | option (for DHCPv6). Deploying and configuring VPN support in one | |||
| configuring VPN support in one element and not in the other is not a | element and not in the other is not a practical approach. | |||
| practical approach. | ||||
| There are many other scenarios which can be created with multiple | 4.3. Required Support | |||
| DHCP relay agents and servers MUST support the approach discussed in | ||||
| Section 4.1. DHCP relay agents and server SHOULD support the | ||||
| approach discussed in Section 4.2. DHCP relay agents and servers | ||||
| SHOULD NOT be configured to operate with both approaches | ||||
| simultaneously. | ||||
| 4.4. Alternative VPN assignment approaches | ||||
| There are many other approaches which can be created with multiple | ||||
| relay agents each inserting VSS information into different Relay- | relay agents each inserting VSS information into different Relay- | |||
| forward messages, relay agent VSS information conflicting with client | forward messages, relay agent VSS information conflicting with client | |||
| VSS information, or DHCP server VSS information conflicting with | VSS information, or DHCP server VSS information conflicting with | |||
| relay agent and client VSS information. Since these scenarios do not | relay agent and client VSS information. Since these approaches do | |||
| describe situations that are useful today, specifying precisely how | not describe situations that are useful today, specifying precisely | |||
| to resolve all of these conflicts is unlikely to be valuable in the | how to resolve all of these conflicts is unlikely to be valuable in | |||
| event that these scenarios actually become practical in the future. | the event that these approaches actually become practical in the | |||
| future. | ||||
| The current use of the VSS option and sub-option require that each | The current use of the VSS option and sub-option require that each | |||
| entity knows the part that it plays in dealing with VPN data. Each | entity knows the part that it plays in dealing with VPN data. Each | |||
| entity -- client, relay agent or agents, and server -- SHOULD know | entity -- client, relay agent or agents, and server -- SHOULD know | |||
| through some policy or configuration beyond the scope of this | through some policy or configuration beyond the scope of this | |||
| document whether it is responsible for specifying VPN information | document whether it is responsible for specifying VPN information | |||
| using the VSS option or sub-option or responsible for responding to | using the VSS option or sub-option or responsible for responding to | |||
| VSS information specified by another entity, or simply ignoring any | VSS information specified by another entity, or simply ignoring any | |||
| VSS information which it might see. | VSS information which it might see. | |||
| Some simple conflict resolution approaches are discussed below, in | Some simple conflict resolution approaches are discussed below, in | |||
| the hopes that they will cover simple cases that may arise from | the hopes that they will cover simple cases that may arise from | |||
| scenarios beyond those envisioned today. However, for more complex | situations beyond those envisioned today. However, for more complex | |||
| scenarios, or simple scenarios where appropriate conflict resolution | situations, or simple situations where appropriate conflict | |||
| strategies differ from those discussed in this document, a document | resolution strategies differ from those discussed in this document, a | |||
| detailing the usage scenarios and appropriate conflict resolution | document detailing the usage situations and appropriate conflict | |||
| strategies SHOULD be created and submitted for discussion and | resolution strategies SHOULD be created and submitted for discussion | |||
| approval. | and approval. | |||
| 5. Relay Agent Behavior | 5. Relay Agent Behavior | |||
| A relay agent which receives a DHCP request from a DHCP client on a | A relay agent which receives a DHCP request from a DHCP client on a | |||
| VPN SHOULD include Virtual Subnet Selection information in the DHCP | VPN SHOULD include Virtual Subnet Selection information in the DHCP | |||
| packet prior to forwarding the packet on to the DHCP server unless | packet prior to forwarding the packet on to the DHCP server unless | |||
| inhibited from doing so by configuration information or policy to the | inhibited from doing so by configuration information or policy to the | |||
| contrary. | contrary. | |||
| A DHCPv4 relay agent SHOULD include a DHCPv4 VSS sub-option in a | In this situation, a DHCPv4 relay agent MUST include a DHCPv4 VSS | |||
| relay-agent-information option [RFC3046], while a DHCPv6 relay agent | sub-option in a relay-agent-information option [RFC3046], while a | |||
| SHOULD include a DHCPv6 VSS option in the Relay-forward message. | DHCPv6 relay agent MUST include a DHCPv6 VSS option in the Relay- | |||
| forward message. | ||||
| The value placed in the Virtual Subnet Selection sub-option or option | The value placed in the Virtual Subnet Selection sub-option or option | |||
| SHOULD be sufficient for the relay agent to properly route any DHCP | would typically be sufficient for the relay agent to properly route | |||
| reply packet returned from the DHCP server to the DHCP client for | any DHCP reply packet returned from the DHCP server to the DHCP | |||
| which it is destined. | client for which it is destined. In some cases, the information in | |||
| the VSS sub-option or option might be an index into some internal | ||||
| Anytime a relay agent places a VSS option or sub-option in a DHCP | table held in the relay agent, though this document places no | |||
| request, it MUST send it only to a DHCP server which supports the VSS | requirement on a relay agent to have any such internal state. | |||
| option or sub-option. | ||||
| Since this option or sub-option is placed in the packet in order to | A DHCPv4 relay agent SHOULD, in addition, include a DHCPv4 VSS sub- | |||
| specify the VPN on which an IP address is allocated for a particular | option with a type of CONTROL, no additional VSS information, and a | |||
| DHCP client, one presumes that an allocation on that VPN is necessary | length of one, in the relay-agent-information option [RFC3046]. The | |||
| for correct operation. If this presumption is correct, then a relay | inclusion of two VSS sub-options in the relay-agent-information | |||
| agent which places this option in a packet and doesn't receive it (or | option, one with valid VSS information, and one with a type of | |||
| receives a different value than that sent to the server) in the | CONTROL, will allow the DHCPv4 relay agent to determine whether the | |||
| returning packet should drop the packet since the IP address that was | DHCPv4 server actually processed the information in the VSS sub- | |||
| allocated will not be in the correct VPN. If an IP address that is | option containing valid VSS information. | |||
| on the requested VPN is not required, then the relay agent is free to | ||||
| accept the IP address that is not on the VPN that was requested. | ||||
| The converse, however, is more complicated. In the DHCPv6 case, the | The reason to include this additional VSS DHCPv4 sub-option is that | |||
| appearance of the option in the Relay-reply packet does indeed | [RFC3046] specifies (essentially) that a DHCPv4 server should copy | |||
| indicate that the DHCPv6 server understood and acted upon the | all sub-options that it receives in a relay-agent-information option | |||
| contents of the VSS option in the Relay-forward packet. In the | in a request into a corresponding relay-agent-information option in | |||
| DHCPv4 case, however, the appearance of the sub-option in the relay- | the response. Thus, a server that didn't support the DHCPv4 VSS | |||
| agent-information option received by the relay agent does not | sub-option would normally just copy it to the response packet, | |||
| necessarily indicate that the DHCPv4 server even understood, let | leaving the relay agent to wonder if in fact the DHCPv4 server | |||
| alone acted correctly upon, the VSS sub-option that it received. | actually used the VSS information when processing the request. | |||
| The reason is that [RFC3046] specifies that a DHCPv4 server which | To alleviate this potential confusion, a DHCPvr4 relay agent instead | |||
| supports the relay-agent-information option SHALL copy all sub- | sends in two VSS sub-options, one with valid VSS information, and one | |||
| options received in a relay-agent-information option into any | with a VSS type of CONTROL. If both sub-options appear in the | |||
| outgoing relay-agent-information option. Because of these | response from the DHCPv4 server, then the DHCPv4 relay agent MUST | |||
| requirements, even a DHCPv4 server which doesn't implement support | assume that the DHCPv4 server did not act on the valid VSS | |||
| for the Virtual Subnet Selection sub-option will almost certainly | information in one of the sub-options. If only the VSS sub-option | |||
| copy it into the outgoing relay-agent-information option. This means | with the valid information appears in the response from the DHCPv4 | |||
| that the appearance of the Virtual Subnet Selection sub-option in a | server and no VSS sub-option with type CONTROL appears in the | |||
| relay-agent-information option doesn't indicate support for the | response from the DHCPv4 server, then the relay agent SHOULD assume | |||
| Virtual Subnet Selection sub-option. | that the DHCPv4 server acted successfully on the VSS sub-option with | |||
| the valid VSS information. | ||||
| There are only two pieces of information which can be determined from | Anytime a relay agent places a VSS option or sub-option in a DHCP | |||
| the appearance or lack of appearance of the DHCPv4 Virtual Subnet | request, it SHOULD send it only to a DHCP server which supports the | |||
| Selection sub-option in a relay-agent-information option received by | VSS option or sub-option, and it MUST check the response to determine | |||
| a relay agent from a DHCPv4 server. First, if the Virtual Subnet | if the DHCP server actually honored the requested VSS information. | |||
| Selection sub-option does not appear, then the server was able to | ||||
| support this sub-option but chose not to do so. Second, if the | ||||
| Virtual Subnet Selection sub-option appears and has a different value | ||||
| than the one originally included in the relay-agent-information | ||||
| option, then the DHCP server was able to support this sub-option and | ||||
| allocated an address using different VSS information than was | ||||
| originally provided by the relay agent. | ||||
| Thus, if a DHCPv4 relay agent has a requirement to determine if the | In the DHCPv6 case, the appearance of the option in the Relay-reply | |||
| address allocated by a DHCPv4 server is on a particular VPN, it must | packet indicates that the DHCPv6 server understood and acted upon the | |||
| use some other approach than the appearance of the VSS sub-option in | contents of the VSS option in the Relay-forward packet. In the | |||
| the reply packet to make this determination. | DHCPv4 case, as discussed above, the appearance of the VSS sub-option | |||
| containing valid VSS information without the appearance of a VSS | ||||
| sub-option of type CONTROL indicates that the DHCPv4 server | ||||
| successfully acted upon the VSS sub-option that was returned | ||||
| containing valid VSS information. | ||||
| This document does not create a requirement that a relay agent | This document does not create a requirement that a relay agent | |||
| remember the contents of a VSS DHCPv4 sub-option or VSS DHCPv6 option | remember the contents of a VSS DHCPv4 sub-option or VSS DHCPv6 option | |||
| sent to a DHCP server. In many cases, the relay agent may simply use | sent to a DHCP server. In many cases, the relay agent may simply use | |||
| the value of the VSS returned by the DHCP server to forward the | the value of the VSS returned by the DHCP server to forward the | |||
| response to the DHCP client. If the VSS information, the IP address | response to the DHCP client. If the VSS information, the IP address | |||
| allocated, and the VPN capabilities of the relay agent all | allocated, and the VPN capabilities of the relay agent all | |||
| interoperate correctly, then the DHCP client will receive a working | interoperate correctly, then the DHCP client will receive a working | |||
| IP address. Alternatively, if any of these items don't interoperate | IP address. Alternatively, if any of these items don't interoperate | |||
| with the others, the DHCP client will not receive a working address. | with the others, the DHCP client will not receive a working address. | |||
| Note that in some environments a relay agent may choose to always | Note that in some environments a relay agent may choose to always | |||
| place a VSS option or sub-option into packets and messages that it | place a VSS option or sub-option into packets and messages that it | |||
| forwards in order to forestall any attempt by a downstream relay | forwards in order to forestall any attempt by a relay agent closer to | |||
| agent or client to specify VSS information. In this case, a type | the client or the client itself to specify VSS information. In this | |||
| field of 255 is used to denote the global, default VPN. When the | case, a type field of 255 is used to denote the global, default VPN. | |||
| type field of 255 is used, there MUST NOT be any additional VSS | When the type field of 255 is used, there MUST NOT be any additional | |||
| Information in the VSS option. | VSS information in the VSS option or sub-option. In the DHCPv4 case, | |||
| an additional VSS sub-option with type CONTROL should be used, as | ||||
| discussed above. | ||||
| 5.1. VPN assignment by the DHCP server | 5.1. VPN assignment by the DHCP server | |||
| In some cases, a DHCP server may use the Virtual Subnet Selection | In some cases, a DHCP server may use the Virtual Subnet Selection | |||
| sub-option or option to inform a relay agent that a particular DHCP | sub-option or option to inform a relay agent that a particular DHCP | |||
| client is associated with a particular VPN. It does this by sending | client is associated with a particular VPN. It does this by sending | |||
| the Virtual Subnet Selection sub-option or option with the | the Virtual Subnet Selection sub-option or option with the | |||
| appropriate information to the relay agent in the relay-agent- | appropriate information to the relay agent in the relay-agent- | |||
| information option for DHCPv4 or the Relay-reply message in DHCPv6. | information option for DHCPv4 or the Relay-reply message in DHCPv6. | |||
| If the relay agent is unable to honor the DHCP server's requirement | If the relay agent cannot respond correctly to the DHCP server's | |||
| to place the DHCP client into that VPN it MUST drop the packet and | requirement to place the DHCP client into that VPN (perhaps because | |||
| not send it to the DHCP client. | it has not been configured with a VPN that matches the VSS | |||
| information received from the DHCP server) it MUST drop the packet | ||||
| The DHCP server MUST NOT place VSS information in an outgoing packet | and not send it to the DHCP client. | |||
| if the relay agent or DHCP client is unprepared to properly interpret | ||||
| the VSS information. | ||||
| In this situation, once the relay agent has placed the DHCP client | In this situation, once the relay agent has placed the DHCP client | |||
| into the VPN specified by the DHCP server, it will send in a VSS | into the VPN specified by the DHCP server, it will insert a VSS | |||
| option or sub-option when forwarding packets from the client. The | option or sub-option when forwarding packets from the client. The | |||
| DHCP server in normal operation will echo this VSS information into | DHCP server in normal operation will echo this VSS information into | |||
| the outgoing replies. | the outgoing replies. | |||
| In the event that the relay agent doesn't include VSS information on | ||||
| subsequent requests after the DHCP server has included VSS | ||||
| information in a reply to the relay agent, the DHCP server can | ||||
| conclude that the relay agent doesn't support VSS processing, and the | ||||
| DHCP server SHOULD stop processing this transaction and not respond | ||||
| to the request. | ||||
| 5.2. DHCP Leasequery | 5.2. DHCP Leasequery | |||
| Sometimes a relay-agent needs to submit a DHCP Leasequery [RFC4388] | Sometimes a relay-agent needs to submit a DHCP Leasequery [RFC4388] | |||
| [RFC5007] packet to the DHCP server in order to recover information | [RFC5007] packet to the DHCP server in order to recover information | |||
| about existing DHCP allocated IP addresses on other than the normal, | about existing DHCP allocated IP addresses on other than the normal, | |||
| global VPN. In the context of a DHCP Leasequery the relay agent is a | global VPN. In the context of a DHCP Leasequery the relay agent is a | |||
| direct client of the DHCP server and is not relaying a packet for | direct client of the DHCP server and is not relaying a packet for | |||
| another DHCP client. Thus, the instructions in Section 6 on Client | another DHCP client. Thus, the instructions in Section 6 on Client | |||
| Behavior should be followed to include the necessary VSS information. | Behavior should be followed to include the necessary VSS information. | |||
| 6. Client Behavior | 6. Client Behavior | |||
| Typically, DHCPv4 and DHCPv6 clients have no interaction with VSS | ||||
| options or sub-options. The VSS information is handled by exchanges | ||||
| between a DHCPv4 or DHCPv6 relay agent and the corresponding DHCPv4 | ||||
| or DHCPv6 server. | ||||
| However, there are times when an entity is acting as a DHCPv4 or | ||||
| DHCPv6 client in that it is communicating directly with a DHCPv4 or | ||||
| DHCPv6 server. In these instances -- where communications is | ||||
| occurring without employing the DHCPv4 relay-agent-information option | ||||
| or the DHCPv6 Relay-forward or Relay-reply messages, the entity is | ||||
| acting as a DHCPv4 or DHCPv6 client with regard to its communication | ||||
| with the DHCPv4 or DHCPv6 server, but not necessarily as a DHCP | ||||
| client who is requesting a DHCPv4 or DHCPv6 address for its own use. | ||||
| The client, in this context, may be requesting an IP address for | ||||
| another entity, thus acting as a DHCP proxy. The client may be | ||||
| requesting information about another client-to-address binding, using | ||||
| the DHCPv4 [RFC4388] or DHCPv6 [RFC5007] Leasequery protocol. | ||||
| In the rest of this section, the term "client" refers to an entity | ||||
| communicating VSS information directly to a DHCPv4 or DHCPv6 server | ||||
| without using the DHCPv4 relay-agent-information option or the DHCPv6 | ||||
| Relay-forward or Relay-reply messages, and there is no requirement | ||||
| that such a client is a traditional DHCPv4 or DHCPv6 client | ||||
| requesting an IP address binding for itself. | ||||
| A DHCPv4 or DHCPv6 client will employ the VSS option to communicate | A DHCPv4 or DHCPv6 client will employ the VSS option to communicate | |||
| VSS information to their respective servers. This information MUST | VSS information to their respective servers. This information MUST | |||
| be included in every message concerning any IP address on a different | be included in every message concerning any IP address on a different | |||
| VPN than the global or default VPN. A DHCPv4 client will place the | VPN than the global or default VPN. A DHCPv4 client will place the | |||
| DHCPv4 VSS option in its packets, and a DHCPv6 client will place the | DHCPv4 VSS option in its packets, and a DHCPv6 client will place the | |||
| DHCPv6 VSS option in its messages. | DHCPv6 VSS option in its messages. | |||
| A DHCPv6 client that needs to place a VSS option into a DHCPv6 | A DHCPv6 client that needs to place a VSS option into a DHCPv6 | |||
| message SHOULD place a single VSS option into the DHCPv6 message at | message SHOULD place a single VSS option into the DHCPv6 message at | |||
| the same level as the Client Identifier option. A DHCPv6 client MUST | the same level as the Client Identifier option. A DHCPv6 client MUST | |||
| NOT include different VSS options in the same DHCPv6 message. | NOT include different VSS options in the same DHCPv6 message. | |||
| Note that, as mentioned in Section 1, throughout this document when a | Note that, as mentioned in Section 1, throughout this document when a | |||
| DHCPv6 address is indicated the same information applies to DHCPv6 | DHCPv6 address is indicated the same information applies to DHCPv6 | |||
| Prefix Delegation [RFC3633] as well. | Prefix Delegation [RFC3633] as well. | |||
| Since this option is placed in the packet in order to change the VPN | Since this option is placed in the packet in order to change the VPN | |||
| on which an IP address is allocated for a particular DHCP client, one | on which an IP address is allocated for a particular DHCP client, one | |||
| presumes that an allocation on that VPN is necessary for correct | presumes that an allocation on that VPN is necessary for correct | |||
| operation. If this presumption is correct, then a client which | operation. Thus, a client which places this option in a packet and | |||
| places this option in a packet and doesn't receive it or receives a | doesn't receive it or receives a different value in a returning | |||
| different value in the returning packet should drop the packet since | packet SHOULD drop the packet since the IP address that was allocated | |||
| the IP address that was allocated will not be in the correct VPN. If | will not be in the requested VPN. | |||
| an IP address that is on the requested VPN is not required, then the | ||||
| client is free to accept the IP address that is not on the VPN that | ||||
| the was requested. | ||||
| Clients should be aware that some DHCP servers will return a VSS | Clients should be aware that some DHCP servers will return a VSS | |||
| option with different values than that which was sent in. In | option with different values than that which was sent in. In | |||
| addition, a client may receive a response from a DHCP server with a | addition, a client may receive a response from a DHCP server with a | |||
| VSS option when none was sent in by the Client. | VSS option when none was sent in by the Client. | |||
| Note that when sending a DHCP Leasequery request, a relay agent is | Note that when sending a DHCP Leasequery request, a relay agent is | |||
| acting as a DHCP client and so it should include the respective | acting as a DHCP client and so it SHOULD include the respective | |||
| DHCPv4 or DHCPv6 VSS option in its DHCPv4 or DHCPv6 Leasequery packet | DHCPv4 or DHCPv6 VSS option in its DHCPv4 or DHCPv6 Leasequery packet | |||
| if the DHCP Leasequery request is generated for other than the | if the DHCP Leasequery request is generated for other than the | |||
| default, global VPN. It should not include a DHCPv4 sub-option in | default, global VPN. It SHOULD NOT include a DHCPv4 sub-option in | |||
| this case. | this case. | |||
| 7. Server Behavior | 7. Server Behavior | |||
| A DHCP server receiving the VSS option or sub-option SHOULD allocate | A DHCP server receiving the VSS option or sub-option SHOULD allocate | |||
| an IP address (or use the VSS information to access an already | an IP address (or use the VSS information to access an already | |||
| allocated IP address) from the VPN specified by the included VSS | allocated IP address) from the VPN specified by the included VSS | |||
| information. | information. | |||
| In the case where the type field of the VSS option or sub-option is | In the case where the type field of the VSS option or sub-option is | |||
| skipping to change at page 14, line 42 | skipping to change at page 19, line 18 | |||
| for either of these alternatives. | for either of these alternatives. | |||
| In some cases, a DHCP server may use the Virtual Subnet Selection | In some cases, a DHCP server may use the Virtual Subnet Selection | |||
| sub-option or option to inform a relay agent that a particular DHCP | sub-option or option to inform a relay agent that a particular DHCP | |||
| client is associated with a particular VPN. It does this by sending | client is associated with a particular VPN. It does this by sending | |||
| the Virtual Subnet Selection sub-option or option with the | the Virtual Subnet Selection sub-option or option with the | |||
| appropriate information to the relay agent in the relay-agent- | appropriate information to the relay agent in the relay-agent- | |||
| information option for DHCPv4 or the Relay-reply message in DHCPv6. | information option for DHCPv4 or the Relay-reply message in DHCPv6. | |||
| In this situation, the relay agent will place the client in the | In this situation, the relay agent will place the client in the | |||
| proper VPN, and then it will send in a VSS option or sub-option in | proper VPN, and then it will insert a VSS option or sub-option in | |||
| subsequent forwarded requests. The DHCP server will see this VSS | subsequent forwarded requests. The DHCP server will see this VSS | |||
| information and since it doesn't conflict in any way with the | information and since it doesn't conflict in any way with the | |||
| server's notion of the VPN on which the client is supposed to reside, | server's notion of the VPN on which the client is supposed to reside, | |||
| it will process the requests based on the VPN specified in the VSS | it will process the requests based on the VPN specified in the VSS | |||
| option or sub-option, and echo the same VSS information in the | option or sub-option, and echo the same VSS information in the | |||
| outgoing replies. | outgoing replies. | |||
| In a similar manner, a DHCP server may use the Virtual Subnet | The relay agent receiving a reply containing a VSS option should | |||
| Selection option to inform a DHCP client that the address (or | support the VSS option. Otherwise the relay agent will end up | |||
| addresses) it allocated for the client is on a particular VPN. | attempting to use the address as though it were a global address. | |||
| Should this happen, the subsequent DHCPREQUEST will not contain any | ||||
| In either case above, care should be taken to ensure that a client or | VSS information, in which case the DHCP server SHOULD NOT respond | |||
| relay agent receiving a reply containing a VSS option will correctly | with a DHCPACK. | |||
| understand the VSS option. Otherwise, the client or relay agent will | ||||
| end up using the address as though it were a global address. | ||||
| If a server uses a different VPN than what was specified in the VSS | If a server uses a different VPN than what was specified in the VSS | |||
| option or sub-option, it SHOULD send back the VPN information using | option or sub-option, it SHOULD send back the VPN information using | |||
| the same type as the received type. It MAY send back a different type | the same type as the received type. It MAY send back a different type | |||
| if it is not possible to use the same type (such as the RFC2685 VPN- | if it is not possible to use the same type (such as the RFC2685 VPN- | |||
| ID if no ASCII VPN identifier exists). | ID if no ASCII VPN identifier exists). | |||
| 7.1. Returning the DHCPv4 or DHCPv6 Option | 7.1. Returning the DHCPv4 or DHCPv6 Option | |||
| DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option | DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option | |||
| skipping to change at page 15, line 30 | skipping to change at page 20, line 5 | |||
| reply packet or message if the server successfully uses this option | reply packet or message if the server successfully uses this option | |||
| to allocate an IP address, and it MUST NOT include an instance of | to allocate an IP address, and it MUST NOT include an instance of | |||
| this option if the server is unable to support, is not configured to | this option if the server is unable to support, is not configured to | |||
| support, or does not implement support for VSS information in general | support, or does not implement support for VSS information in general | |||
| or the requested VPN in particular. | or the requested VPN in particular. | |||
| If they echo the option (based on the criteria above), servers SHOULD | If they echo the option (based on the criteria above), servers SHOULD | |||
| return an exact copy of the option unless they desire to change the | return an exact copy of the option unless they desire to change the | |||
| VPN on which a client was configured. | VPN on which a client was configured. | |||
| The appearance of the DHCPv6 VSS option in the OPTION_ORO [RFC3315] | The appearance of the DHCPv4 VSS option code in the DHCPv4 Parameter | |||
| or the OPTION_ERO [RFC4994] should not change the processing or | Request List option [RFC2132] should not change the processing or | |||
| decision to return (or not to return) the VSS option as specified in | decision to return or not return the VSS option as specified in this | |||
| this document. | document. The appearance of the DHCPv6 VSS option in the OPTION_ORO | |||
| [RFC3315] or the OPTION_ERO [RFC4994] should not change the | ||||
| processing or decision to return (or not to return) the VSS option as | ||||
| specified in this document. | ||||
| 7.2. Returning the DHCPv4 Sub-Option | 7.2. Returning the DHCPv4 Sub-Option | |||
| The case of the DHCPv4 sub-option is a bit more complicated. Note | The case of the DHCPv4 sub-option is a bit more complicated. Note | |||
| that [RFC3046] specifies that a DHCPv4 server which supports the | that [RFC3046] specifies that a DHCPv4 server which supports the | |||
| relay-agent-information option SHALL copy all sub-options received in | relay-agent-information option SHALL copy all sub-options received in | |||
| a relay-agent-information option into any outgoing relay-agent- | a relay-agent-information option into any outgoing relay-agent- | |||
| information option. Thus, the default behavior for any DHCPv4 server | information option. Thus, the default behavior for any DHCPv4 server | |||
| is to return any VSS sub-option received to the relay agent whether | is to return any VSS sub-option received to the relay agent whether | |||
| or not the DHCPv4 server understands the VSS sub-option. A server | or not the DHCPv4 server understands the VSS sub-option. | |||
| which implements the VSS sub-option MUST include the VSS sub-option | ||||
| in the relay-agent-information option in the reply packet if it | In order to distinguish a DHCPv4 server which is simply copying | |||
| successfully acted upon the VSS information in the incoming VSS sub- | relay-agent-information option sub-options from an incoming to an | |||
| option. | outgoing relay-agent-informaion option from one which successfully | |||
| acted upon the information in the VSS sub-option, DHCPv4 relay agents | ||||
| MUST include two VSS sub-options in the relay-agent-information in | ||||
| the request. One of these VSS sub-options contains valid VSS | ||||
| information, and one of these VSS sub-options has a type of CONTROL, | ||||
| no additional VSS information, and a length of one. | ||||
| A DHCPv4 server which does not support the VSS sub-option will copy | ||||
| both sub-options into the outgoing relay-agent-information option, | ||||
| thus signalling to the DHCPv4 relay agent that it did not understand | ||||
| the VSS sub-option. | ||||
| A DHCPv4 server which supports the VSS sub-option and acts upon the | ||||
| VSS sub-option with valid VSS information in it: | ||||
| o MUST copy the VSS sub-option containing the valid VSS | ||||
| information into the outgoing relay-agent-information option | ||||
| o MUST NOT copy the VSS sub-option with the type of CONTROL into | ||||
| the outgoing relay-agent-information option | ||||
| Moreover, if a server uses different VSS information to allocate an | Moreover, if a server uses different VSS information to allocate an | |||
| IP address than it receives in a particular DHCPv4 sub-option, it | IP address than it receives in a particular DHCPv4 sub-option, it | |||
| MUST include that alternative VSS information in a sub-option that it | MUST include that alternative VSS information in the VSS sub-option | |||
| returns to the DHCPv4 relay agent. | that it returns to the DHCPv4 relay agent instead of the origian VSS | |||
| information it was given. | ||||
| If a DHCPv4 server supports this sub-option and for some reason | If a DHCPv4 server supports this sub-option and for some reason | |||
| (perhaps administrative control) does not honor this sub-option from | (perhaps administrative control) does not honor this sub-option from | |||
| the request then it MUST NOT echo this sub-option in the outgoing | the request then it MUST NOT echo either sub-option into the outgoing | |||
| relay-agent-information option. | relay-agent-information option. | |||
| Note that the appearance of the VSS sub-option in a reply packet from | ||||
| a DHCPv4 server to a relay-agent does not communicate any useful | ||||
| information about whether or not the server used the VSS sub-option | ||||
| in its processing. However, the absence of a VSS sub-option in a | ||||
| reply from a DHCPv4 server when a VSS sub-option was included in a | ||||
| request to the DHCPv4 server is significant, and means that the | ||||
| server did not use the VSS information present in the sub-option in | ||||
| its processing. | ||||
| 7.3. Making sense of conflicting VSS information | 7.3. Making sense of conflicting VSS information | |||
| It is possible for a DHCPv4 server to receive both a VSS option and a | It is possible for a DHCPv4 server to receive both a VSS option and | |||
| VSS sub-option in the same packet. Likewise, a DHCPv6 server can | VSS sub-options in the same packet. Likewise, a DHCPv6 server can | |||
| receive multiple VSS options in nested Relay-forward messages as well | receive multiple VSS options in nested Relay-forward messages as well | |||
| as in the client message itself. In either of these cases, the VSS | as in the client message itself. In either of these cases, the VSS | |||
| information from the relay agent closest to the DHCP server SHOULD be | information from the relay agent closest to the DHCP server SHOULD be | |||
| used in preference to all other VSS information received. In the | used in preference to all other VSS information received. In the | |||
| DHCPv4 case, this means that the VSS sub-option takes precedence over | DHCPv4 case, this means that the VSS sub-option takes precedence over | |||
| the VSS option, and in the DHCPv6 case, this means that the VSS | the VSS option, and in the DHCPv6 case, this means that the VSS | |||
| option from the outer-most Relay-forward message in which a VSS | option from the outer-most Relay-forward message in which a VSS | |||
| option appears takes precedence. | option appears takes precedence. | |||
| The reasoning behind this approach is that the relay-agent closer to | The reasoning behind this approach is that the relay-agent closer to | |||
| skipping to change at page 16, line 44 | skipping to change at page 21, line 35 | |||
| or more distant relay agents, and therefore information in the | or more distant relay agents, and therefore information in the | |||
| relay-agent-information option or the Relay-forward message is more | relay-agent-information option or the Relay-forward message is more | |||
| likely to be correct. | likely to be correct. | |||
| In general, relay agents SHOULD be aware through configuration or | In general, relay agents SHOULD be aware through configuration or | |||
| policy external to this document whether or not they should be | policy external to this document whether or not they should be | |||
| including VSS information in packets that they forward and so there | including VSS information in packets that they forward and so there | |||
| should not be conflicts among relay agent specified VSS information. | should not be conflicts among relay agent specified VSS information. | |||
| In these situations where multiple VSS option or sub-options appear | In these situations where multiple VSS option or sub-options appear | |||
| in the incoming packet or message, when constructing the response to | in the incoming packet or message, when the DHCP server constructs | |||
| be sent to the DHCP client or relay agent, all existing VSS options | the response to be sent to the DHCP client or relay agent, all | |||
| or sub-options MUST be replicated in the appropriate places in the | existing VSS options or sub-options MUST be replicated in the | |||
| response and MUST contain the VSS information that was used by the | appropriate places in the response and MUST contain only the VSS | |||
| DHCP server to allocate the IP address. | information that was used by the DHCP server to allocate the IP | |||
| address (with, of course, the exception of a DHCPv4 relay-agent- | ||||
| information VSS sub-option with a type of CONTROL). | ||||
| 8. Security | 8. Security | |||
| Message authentication in DHCPv4 for intradomain use where the out- | Message authentication in DHCPv4 for intradomain use where the out- | |||
| of-band exchange of a shared secret is feasible is defined in | of-band exchange of a shared secret is feasible is defined in | |||
| [RFC3118]. Potential exposures to attack are discussed in section 7 | [RFC3118]. Potential exposures to attack are discussed in section 7 | |||
| of the DHCP protocol specification in [RFC2131]. | of the DHCP protocol specification in [RFC2131]. | |||
| Implementations should consider using the DHCPv4 Authentication | Implementations should consider using the DHCPv4 Authentication | |||
| option [RFC3118] to protect DHCPv4 client access in order to provide | option [RFC3118] to protect DHCPv4 client access in order to provide | |||
| skipping to change at page 18, line 17 | skipping to change at page 23, line 9 | |||
| options space [RFC3046], in accordance with the spirit of [RFC3942]. | options space [RFC3046], in accordance with the spirit of [RFC3942]. | |||
| While [RFC3942] doesn't explicitly mention the sub-option space for | While [RFC3942] doesn't explicitly mention the sub-option space for | |||
| the DHCP Relay Agent Information option [RFC3046], sub-option 151 is | the DHCP Relay Agent Information option [RFC3046], sub-option 151 is | |||
| already in use by existing implementations of this sub-option and the | already in use by existing implementations of this sub-option and the | |||
| current draft is essentially compatible with these current | current draft is essentially compatible with these current | |||
| implementations. | implementations. | |||
| IANA is requested to assign the value of TBD for the DHCPv6 VSS | IANA is requested to assign the value of TBD for the DHCPv6 VSS | |||
| option defined in Section 3.3 from the DHCPv6 option registry. | option defined in Section 3.3 from the DHCPv6 option registry. | |||
| While the type byte defined in Section 3.4 defines a number space | The type byte defined in Section 3.4 defines a number space for which | |||
| that could be managed by IANA, expansion of this number space is not | IANA is to create and maintain a new sub-registry entitled "VSS Type | |||
| anticipated and so creation of a registry of these numbers is not | values". This sub-registry needs to be related to both the DHCPv4 | |||
| required by this document. In the event that additional values for | and DHCPv6 VSS options and the DHCPv4 relay-agent-information option | |||
| the type byte are defined in subsequent documents, IANA should at | sub-option (all defined by this document), since the type byte in | |||
| that time create a registry for these type bytes. New values for the | these two options and one sub-option MUST have identical definitions. | |||
| type byte may only be defined by IETF Consensus, as described in | ||||
| [RFC5226]. Basically, this means that they are defined by RFCs | New values for the type byte may only be defined by IETF Consensus, | |||
| approved by the IESG. | as described in [RFC5226]. Basically, this means that they are | |||
| defined by RFCs approved by the IESG. | ||||
| 10. Acknowledgments | 10. Acknowledgments | |||
| Bernie Volz recommended consolidation of the DHCPv4 option and sub- | Bernie Volz recommended consolidation of the DHCPv4 option and sub- | |||
| option drafts after extensive review of the former drafts, and | option drafts after extensive review of the former drafts, and | |||
| provided valuable assistance in structuring and reviewing this | provided valuable assistance in structuring and reviewing this | |||
| document. Alper Yegin expressed interest in the DHCPv6 VSS option, | document. Alper Yegin expressed interest in the DHCPv6 VSS option, | |||
| resulting in this combined draft covering all three areas. Alfred | resulting in this combined draft covering all three areas. Alfred | |||
| Hoenes provided assistance with editorial review as well as raising | Hoenes provided assistance with editorial review as well as raising | |||
| substantive protocol issues. David Hankins and Bernie Volz each | substantive protocol issues. David Hankins and Bernie Volz each | |||
| raised important protocol issues which resulted in a clarified | raised important protocol issues which resulted in a clarified | |||
| document. Josh Littlefield provided editorial assistance. | document. Josh Littlefield provided editorial assistance. Several | |||
| IESG reviewers took the time to substantially review this document, | ||||
| resulting in much increased clarity. | ||||
| 11. References | 11. References | |||
| 11.1. Normative References | 11.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", RFC 2119, March 1997. | Requirement Levels", RFC 2119, March 1997. | |||
| [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, | [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, | |||
| March 1997. | March 1997. | |||
| skipping to change at page 20, line 5 | skipping to change at page 24, line 46 | |||
| [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration | [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration | |||
| Protocol (DHCP) Leasequery", RFC 4388, February 2006. | Protocol (DHCP) Leasequery", RFC 4388, February 2006. | |||
| [RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng, "DHCPv6 | [RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng, "DHCPv6 | |||
| Leasequery", RFC 5007, September 2007. | Leasequery", RFC 5007, September 2007. | |||
| [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
| IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. | IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. | |||
| 12. Authors' Addresses | Authors' Addresses | |||
| Kim Kinnear | Kim Kinnear | |||
| Cisco Systems | Cisco Systems | |||
| 1414 Massachusetts Ave. | 1414 Massachusetts Ave. | |||
| Boxborough, Massachusetts 01719 | Boxborough, Massachusetts 01719 | |||
| Phone: (978) 936-0000 | Phone: (978) 936-0000 | |||
| EMail: kkinnear@cisco.com | EMail: kkinnear@cisco.com | |||
| skipping to change at page 20, line 35 | skipping to change at line 1100 | |||
| Mark Stapp | Mark Stapp | |||
| Cisco Systems | Cisco Systems | |||
| 1414 Massachusetts Ave. | 1414 Massachusetts Ave. | |||
| Boxborough, Massachusetts 01719 | Boxborough, Massachusetts 01719 | |||
| Phone: (978) 936-0000 | Phone: (978) 936-0000 | |||
| EMail: mjs@cisco.com | EMail: mjs@cisco.com | |||
| Jay Kumarasamy | Jay Kumarasamy | |||
| Cisco Systems | ||||
| 170 W. Tasman Dr. | ||||
| San Jose, CA 95134 | ||||
| Phone: (408) 526-4000 | ||||
| EMail: jayk@cisco.com | ||||
| End of changes. 66 change blocks. | ||||
| 235 lines changed or deleted | 425 lines changed or added | |||
This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||