--- 1/draft-ietf-dhc-vpn-option-13.txt 2011-11-15 20:14:06.570754364 +0100 +++ 2/draft-ietf-dhc-vpn-option-14.txt 2011-11-15 20:14:06.618754269 +0100 @@ -1,20 +1,20 @@ DHC Working Group Kim Kinnear Internet Draft Richard Johnson -Intended Status: Standards Track Mark Stapp -Expires: October 29, 2011 Cisco Systems - Jay Kumarasamy - April 29, 2011 +Updates: 3046 Mark Stapp +Intended Status: Standards Track Cisco Systems +Expires: May 15, 2012 Jay Kumarasamy + November 15, 2011 Virtual Subnet Selection Options for DHCPv4 and DHCPv6 - + Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. 
@@ -60,21 +60,23 @@ Abstract This memo defines a Virtual Subnet Selection (VSS) option for each of DHCPv4 and DHCPv6, and a VSS sub-option carried in the DHCPv4 relay- agent-information option. These are intended for use by DHCP clients, relay agents, and proxy clients in situations where VSS information needs to be passed to the DHCP server for proper address or prefix allocation to take place. For the DHCPv4 option and relay-agent-information sub-option, this - memo documents existing usage as per RFC 3942 [RFC3942]. + memo documents existing usage as per RFC 3942 [RFC3942]. This memo + updates RFC 3046 [RFC3046] regarding details relating to copying of + sub-options (see Section 8). Table of Contents 1. Introduction................................................. 3 2. Terminology.................................................. 4 3. Virtual Subnet Selection Option and Sub-Options Definitions.. 5 3.1. DHCPv4 Virtual Subnet Selection Option..................... 5 3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 6 3.3. DHCPv4 Virtual Subnet Selection Control Sub-Option......... 6 3.4. DHCPv6 Virtual Subnet Selection Option..................... 7 
@@ -85,26 +87,27 @@ 4.3. Required Support........................................... 14 4.4. Alternative VPN assignment approaches...................... 14 5. Relay Agent Behavior......................................... 14 5.1. VPN assignment by the DHCP server.......................... 16 5.2. DHCP Leasequery............................................ 17 6. Client Behavior.............................................. 17 7. Server Behavior.............................................. 18 7.1. Returning the DHCPv4 or DHCPv6 Option...................... 19 7.2. Returning the DHCPv4 Sub-Option............................ 20 7.3. Making sense of conflicting VSS information................ 21 - 8. Security..................................................... 21 - 9. IANA Considerations.......................................... 22 - 10. Acknowledgments............................................. 23 - 11. References.................................................. 23 - 11.1. Normative References...................................... 23 - 11.2. Informative References.................................... 24 + 8. Updates to RFC 3046.......................................... 21 + 9. Security..................................................... 22 + 10. IANA Considerations......................................... 23 + 11. Acknowledgments............................................. 23 + 12. References.................................................. 24 + 12.1. Normative References...................................... 24 + 12.2. Informative References.................................... 24 1. Introduction There is a growing use of Virtual Private Network (VPN) configurations. The growth comes from many areas; individual client systems needing to appear to be on the home corporate network even when traveling, ISPs providing extranet connectivity for customer companies, etc. 
In some of these cases there is a need for the DHCP server to know the VPN (hereafter called a "Virtual Subnet Selector" or "VSS") from which an address, and other resources, should be @@ -927,21 +929,42 @@ In these situations where multiple VSS option or sub-options appear in the incoming packet or message, when the DHCP server constructs the response to be sent to the DHCP client or relay agent, all existing VSS options or sub-options MUST be replicated in the appropriate places in the response and MUST contain only the VSS information that was used by the DHCP server to allocate the IP address (with, of course, the exception of a DHCPv4 relay-agent- information sub-option VSS-Control). -8. Security +8. Updates to RFC 3046 + + This document updates the specification of the Relay Agent + Information option in RFC 3046 as follows: + + Change the first sentence, second paragraph, section 2.2 of RFC 3046: + + o OLD: + + DHCP servers claiming to support the Relay Agent Information + option SHALL echo the entire contents of the Relay Agent + Information option in all replies. + + o NEW: + + DHCP servers claiming to support the Relay Agent Information + option SHALL echo the entire contents of the Relay Agent + Information option in all replies, except if otherwise specified + in the definition of specific Relay Agent Information sub- + options. + +9. Security Message authentication in DHCPv4 for intradomain use where the out- of-band exchange of a shared secret is feasible is defined in [RFC3118]. Potential exposures to attack are discussed in Section 7 of the DHCP protocol specification in [RFC2131]. Implementations should consider using the DHCPv4 Authentication option [RFC3118] to protect DHCPv4 client access in order to provide a higher level of security if it is deemed necessary in their environment. 
@@ -973,21 +996,21 @@ option or sub-option to override the DHCP client's VSS option. Servers that implement the VSS option and sub-option MUST by default disable use of the feature; it must specifically be enabled through configuration. Moreover, a server SHOULD provide the ability to selectively enable use of the feature under restricted conditions, e.g., by enabling use of the option only from explicitly configured client-ids, enabling its use only by clients on a particular subnet, or restricting the VSSs from which addresses may be requested. -9. IANA Considerations +10. IANA Considerations IANA is requested to assign DHCPv4 option number 221 for the DHCPv4 VSS option defined in Section 3.1, in accordance with [RFC3942]. IANA is requested to assign sub-option number 151 for the DHCPv4 VSS sub-option defined in Section 3.2 from the DHCP Relay Agent Sub- options space [RFC3046], in accordance with the spirit of [RFC3942]. While [RFC3942] doesn't explicitly mention the sub-option space for the DHCP Relay Agent Information option [RFC3046], sub-option 151 is already in use by existing implementations of this sub-option and the 
@@ -1004,37 +1027,37 @@ IANA is to create and maintain a new sub-registry entitled "VSS Type values". This sub-registry needs to be related to both the DHCPv4 and DHCPv6 VSS options and the DHCPv4 relay-agent-information option sub-option (all defined by this document), since the type byte in these two options and one sub-option MUST have identical definitions. New values for the type byte may only be defined by IETF Consensus, as described in [RFC5226]. Basically, this means that they are defined by RFCs approved by the IESG. -10. Acknowledgments +11. Acknowledgments Bernie Volz recommended consolidation of the DHCPv4 option and sub- option drafts after extensive review of the former drafts, and provided valuable assistance in structuring and reviewing this document. Alper Yegin expressed interest in the DHCPv6 VSS option, resulting in this combined draft covering all three areas. Alfred Hoenes provided assistance with editorial review as well as raising substantive protocol issues. David Hankins and Bernie Volz each raised important protocol issues which resulted in a clarified document. Josh Littlefield provided editorial assistance. Several IESG reviewers took the time to substantially review this document, resulting in much increased clarity. -11. References +12. References -11.1. Normative References +12.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997. [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, March 1997. 
@@ -1048,21 +1071,21 @@ M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. [RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6", RFC 3633, December 2003. [RFC4994] Zeng, S., Volz, B., Kinnear, K. and J. Brzozowski, "DHCPv6 Relay Agent Echo Request Option", RFC 4994, September 2007. -11.2. Informative References +12.2. Informative References [RFC951] Croft, B. and J. Gilmore, "Bootstrap Protocol", RFC 951, September 1985. [RFC1542] Wimer, W., "Clarifications and Extensions for the Bootstrap Protocol", RFC 1542, October 1993. [RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages", RFC 3118, June 2001.
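Review bot: In the Abstract hunk (@@ -60,21 +60,23 @@), the added sentence carries a bracketed citation, "RFC 3046 [RFC3046]", and IETF style keeps abstracts free of citations because the abstract is published on its own; write it as "updates RFC 3046" and leave the reference to the body. The wording "regarding details relating to copying of sub-options" is also vaguer than the change itself: say what is being relaxed, for instance "relaxes the RFC 3046 requirement that servers echo the entire Relay Agent Information option verbatim (see Section 8)", so a reader knows from the Abstract alone that an existing MUST-level behaviour is being changed.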
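Review bot: The new Section 8 (@@ -927,21 +929,42 @@) relaxes the RFC 3046 echo rule for every present and future Relay Agent Information sub-option, not only for the VSS sub-option, yet it never states which requirement in this document motivates the exception; add a cross-reference to the preceding paragraph's rule that the returned VSS sub-option "MUST contain only the VSS information that was used by the DHCP server to allocate the IP address", so the reader can see why the RFC 3046 text no longer holds, and consider saying explicitly whether the broad wording ("except if otherwise specified in the definition of specific Relay Agent Information sub-options") is intended to cover other sub-options or should be limited to the VSS sub-option. Because the change means a relay agent can no longer assume that sub-options come back byte-for-byte, the Security section that follows (renumbered to 9 in this hunk) is unchanged but should note whether any relay-side check that relies on verbatim echo of the Relay Agent Information option is affected. Also confirm the OLD text is quoted verbatim from the second paragraph of RFC 3046 Section 2.2, and join the hyphenated "sub-\n options" in the NEW text so the replacement sentence can be copied unchanged.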