Network Working Group R. Johnson Internet-Draft J. Kumarasamy Expires: May 19, 2008 K. Kinnear M. Stapp Cisco November 16, 2007 Virtual Subnet Selection Option draft-ietf-dhc-vpn-option-07.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on May 19, 2008. Copyright Notice Copyright (C) The IETF Trust (2007). Johnson, et al. Expires May 19, 2008 [Page 1] Internet-Draft Virtual Subnet Selection Option November 2007 Abstract This memo defines existing usage for the Virtual Subnet Selection (VSS) information option. It is intended for use primarily by DHCP proxy clients in situations where VSS information needs to be passed to the DHCP server for proper address allocation to take place. The option number currently in use is 221. This memo documents the current usage of the option in agreement with [8], which declares that any pre-existing usages of option numbers in the range 128 - 223 should be documented and the working group will try to officially assign those numbers to those options. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. VSS Information Definition . . . . . . . . . . . . . . . . . . 5 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . . 10 7.2. Informative References . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 Intellectual Property and Copyright Statements . . . . . . . . . . 12 Johnson, et al. Expires May 19, 2008 [Page 2] Internet-Draft Virtual Subnet Selection Option November 2007 1. Introduction There is a growing use of Virtual Private Network (VPN) configurations. The growth comes from many areas; individual client systems needing to appear to be on the home corporate network even when traveling, ISPs providing extranet connectivity for customer companies, etc. In some of these cases there is a need for the DHCP server to know the VPN (hereafter called a "Virtual Subnet Selector" or "VSS") from which an address, and other resources, should be allocated. If the allocation is being done through a DHCP relay, then a relay sub-option could be included. In some cases, however an IP address is being sought by a DHCP proxy on behalf of a client (which may be assigned the address via a different protocol). In this case, there is a need to include VSS information relating to the client as a DHCP option. A good example might be a dial-in aggregation device where PPP [10] addresses are acquired via DHCP and then given to the remote customer system via IPCP [9]. In a network where such a device is used to aggregate PPP dial-in from multiple companies, each company may be assigned a unique VSS. This memo defines a new DHCP [4] option, the VSS Information option, which allows the DHCP client to specify the VSS Information needed in order to allocate an address. If the receiving DHCP server understands the VSS Information option, this information may be used in conjunction with other information in determining the subnet on which to select an address as well as other information such as DNS server, default router, etc. Johnson, et al. Expires May 19, 2008 [Page 3] Internet-Draft Virtual Subnet Selection Option November 2007 2. Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this document are to be interpreted as described in [3]. This document also uses the following terms: DHCP Client DHCP Client or "Client" is an Internet host using DHCP to obtain configuration parameters such as a network address. DHCP Server A DHCP Server or "Server" is an Internet host that returns configuration parameters to DHCP Clients. DHCP relay agent A DHCP relay agent is a third-party agent that transfers BOOTP and DHCP messages between clients and servers residing on different subnets, per [1] and [2]. downstream Downstream is the direction from the access concentrator towards the subscriber. upstream Upstream is the direction from the subscriber towards the access concentrator. VSS information Information about a VPN necessary to allocate an address to a DHCP client on that VPN and necessary to forward a DHCP reply packet to a DHCP client on that VPN. VPN Virtual private network. A network which appears to the client to be a private network. VPN Identifier The VPN-ID is defined by [6] to be a sequence of 7 octets. Johnson, et al. Expires May 19, 2008 [Page 4] Internet-Draft Virtual Subnet Selection Option November 2007 3. VSS Information Definition The VSS Information option is a DHCP option [5]. The option contains generalized VSS information in one of two formats: NVT ASCII VPN identifier, or RFC2685 VPN-ID [6]. The format of the option is: Code Len Type VSS Information octets +-----+-----+------+-----+-----+-----+--- | 221 | n | t | v1 | v2 | v3 | ... +-----+-----+------+-----+-----+-----+--- Type: 0 NVT ASCII VPN identifier 1 RFC2685 VPN-ID 2-255 Not Allowed Figure 1 The option minimum length (n) is 2. There are two types of identifiers which can be placed in the VSS Information Option. The first type of identifier which can be placed in the VSS Information Option is an NVT ASCII string. It MUST NOT be terminated with a zero byte. The second type of identifier which can be placed in the VSS Information Option is an RFC2685 VPN-ID [6], which is typically 7 octets (3 of VPN OUI followed by 4 of VPN index) in length (though it can be any length as far as the VSS Information Option is concerned). If the type field is set to zero (0), it indicates that all following bytes of the option contain a NVT ASCII string. This string MUST NOT be terminated with a zero byte. If the type field is set to one (1), it indicates that all following bytes should be interpreted in agreement with RFC2685 as a VPN Identifier, typically 7 octets. All other values of the type field are invalid as of this memo and VSS options containing any other value than zero (0) or one (1) SHOULD be ignored. Since this option is placed in the packet in order to change the VPN on which an IP address is allocated for a particular DHCP client, one presumes that an allocation on that VPN is necessary for correct operation. If this presumption is correct, then a client which places this option in a packet and doesn't receive it in the Johnson, et al. Expires May 19, 2008 [Page 5] Internet-Draft Virtual Subnet Selection Option November 2007 returning packet should drop the packet since the IP address that was allocated will not be in the correct VPN. If an IP address that is not on the requested VPN is not required, then the client is free to accept the IP address that is not on the VPN that the was requested. Servers configured to support this option MUST return an identical copy of the option to any client that sends it, regardless of whether or not the client requests the option in a parameter request list. This option provides the DHCP server additional information upon which to make a determination of address to be assigned. The DHCP server, if it is configured to support this option, should use this information in addition to other options included in the DHCPDISCOVER packet in order to assign an IP address for DHCP client. In the event that a Virtual Subnet Selection option and a Virtual Subnet Selection sub-option [12] are both received in a particular DHCP client packet, the information from the Virtual Subnet Selection sub-option MUST be used in preference to the information in the Virtual Subnet Selection option. This reasoning behind this approach is that the relay-agent is almost certainly more trusted than the DHCP client, and therefore information in the relay-agent-information option that conflicts with information in the packet generated by the DHCP client is more likely to be correct. Servers that do not understand this option will allocate an address using their normal algorithms and will not return this option in the DHCPOFFER or DHCPACK. In this case the client should consider discarding the DHCPOFFER or DHCPACK, as mentioned above. Servers that understand this option but are administratively configured to ignore the option MUST ignore the option, use their normal algorithms to allocate an address, and MUST NOT return this option in the DHCPOFFER or DHCPACK such that the client will know that the allocated address is not in the VPN requested and will consider this information in deciding whether or not to accept the DHCPOFFER. In other words, this option MUST NOT appear in a DHCPOFFER or DHCPACK from a server unless it was used by the server in making or updating the address allocation requested. Johnson, et al. Expires May 19, 2008 [Page 6] Internet-Draft Virtual Subnet Selection Option November 2007 4. Security Considerations Message authentication in DHCP for intradomain use where the out-of- band exchange of a shared secret is feasible is defined in [11]. Potential exposures to attack are discussed in section 7 of the DHCP protocol specification in [4]. The VSS Information option could be used by a client in order to obtain an IP address from a VPN other than the one where it should. Another possible defense would be for the DHCP relay to insert a Relay option containing a VSS Information Relay Sub-option, which would override the DHCP VSS Information option. This option would allow a client to perform a more complete address- pool exhaustion attack since the client would no longer be restricted to attacking address-pools on just its local subnet. Servers that implement the VSS Information option MUST by default disable use of the feature; it must specifically be enabled through configuration. Moreover, a server SHOULD provide the ability to selectively enable use of the feature under restricted conditions, e.g., by enabling use of the option only from explicitly configured client-ids, enabling its use only by clients on a particular subnet, or restricting the VSSs from which addresses may be requested. Implementations should consider using the DHCP Authentication option [11] in order to provide a higher level of security if it is deemed necessary in their environment. Johnson, et al. Expires May 19, 2008 [Page 7] Internet-Draft Virtual Subnet Selection Option November 2007 5. IANA Considerations IANA is requested to assign DHCP option number 221 for this option, in accordance with [8]. While the type byte of the Virtual Subnet Selection option defines a number space that could be managed by IANA, expansion of this number space is not anticipated and so creation of a registry of these numbers is not required by this document. In the event that additional values for the type byte are defined in subsequent documents, IANA should at that time create a registry for these type bytes. New values for the type byte may only be defined by IETF Consensus, as described in [7]. Basically, this means that they are defined by RFCs approved by the IESG. Moreover, any changes or additions to the type byte codes MUST be made concurrently in the type byte codes of the VSS Information Option. The type bytes and data formats of the VSS Information Option and VSS Information Relay Sub-option MUST always be identical. Johnson, et al. Expires May 19, 2008 [Page 8] Internet-Draft Virtual Subnet Selection Option November 2007 6. Acknowledgements This document is the result of work done within Cisco Systems. Thanks to Kim Kinnear, Mark Stapp, and Jay Kumarasamy for their work on this option definition and the other related work for which this is necessary. Johnson, et al. Expires May 19, 2008 [Page 9] Internet-Draft Virtual Subnet Selection Option November 2007 7. References 7.1. Normative References [1] Croft, B. and J. Gilmore, "Bootstrap Protocol (BOOTP)", RFC 951, September 1985. [2] Wimer, W., "Clarifications and Extensions for the Bootstrap Protocol", RFC 1542, October 1993. [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [4] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997. [5] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, March 1997. [6] Fox, B. and B. Gleeson, "Virtual Private Networks Identifier", RFC 2685, September 1999. [7] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. [8] Volz, B., "Reclassifying Dynamic Host Configuration Protocol version 4 (DHCPv4) Options", RFC 3942, November 2004. 7.2. Informative References [9] McGregor, G., "The PPP Internet Protocol Control Protocol (IPCP)", RFC 1332, May 1992. [10] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994. [11] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages", RFC 3118, June 2001. [12] Kinnear, K., "Virtual Subnet Selection Sub-Option for the Relay Agent Information Option for DHCPv4", draft-ietf-dhc-agent-vpn-id-05 (work in progress), November 2007. Johnson, et al. Expires May 19, 2008 [Page 10] Internet-Draft Virtual Subnet Selection Option November 2007 Authors' Addresses Richard A. Johnson Cisco Systems 170 W. Tasman Dr. San Jose, CA 95134 US Phone: +1 408 526 4000 Email: raj@cisco.com Jay Kumarasamy Cisco Systems 170 W. Tasman Dr. San Jose, CA 95134 US Phone: +1 408 526 4000 Email: jayk@cisco.com Kim Kinnear Cisco Systems 250 Apollo Drive Chelmsford, MA 01824 US Phone: +1 978 244 8000 Email: kkinnar@cisco.com Mark Stapp Cisco Systems 250 Apollo Drive Chelmsford, MA 01824 US Phone: +1 978 244 8000 Email: mjs@cisco.com Johnson, et al. Expires May 19, 2008 [Page 11] Internet-Draft Virtual Subnet Selection Option November 2007 Full Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). Johnson, et al. Expires May 19, 2008 [Page 12]