DHC Working Group Y. Cui Internet-Draft Q. Sun Intended status: Standards Track Tsinghua University Expires: December 28, 2013 T. Lemon Nominum, Inc. June 26, 2013 Handling Unknown DHCPv6 Messages draft-ietf-dhc-dhcpv6-unknown-msg-01 Abstract Dynamic Host Configuration Protocol version 6 (DHCPv6) isn't specific about handling messages with unknown types. This memo describes the problems and defines how a DHCPv6 function node should behave in this case. This document updates RFC3315. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on December 28, 2013. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as Cui, et al. Expires December 28, 2013 [Page 1] Internet-Draft Handling Unknown DHCPv6 Messages June 2013 described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . . . 3 3. Problem Statement . . . . . . . . . . . . . . . . . . . . . . . 3 4. Relay Agent Behavior Update . . . . . . . . . . . . . . . . . . 3 4.1. Definition of a Valid Message . . . . . . . . . . . . . . . 4 4.2. Relaying a Message towards Server . . . . . . . . . . . . . 4 4.3. Relaying a Message towards Client . . . . . . . . . . . . . 4 5. Client and Server Behavior Update . . . . . . . . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 8. Contributors List . . . . . . . . . . . . . . . . . . . . . . . 6 9. Normative References . . . . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6 Cui, et al. Expires December 28, 2013 [Page 2] Internet-Draft Handling Unknown DHCPv6 Messages June 2013 1. Introduction Dynamic Host Configuration Protocol version 6 (DHCPv6) [RFC3315] provides a framework for conveying IPv6 configuration information to hosts on a TCP/IP network. But [RFC3315] is not specific about how to deal with message with unrecognized types. This document describe the problems and defines the behavior of a DHCPv6 function node when handling unknown DHCPv6 messages. This document updates [RFC3315]. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Problem Statement The relay agent is bound to send a message either to the server or to the client. But RFC3315 doesn't explicitly describe how the relay agent can find out it should send a message towards the server or towards the client. Another issue is that, it's not specific in RFC3315 about what a relay agent should do if it doesn't recognize the received messages. The relay agent isn't required to relay the messages, nor advised to drop them. In addition, there is no specific requirement of the client or server on dealing with an unknown message in RFC3315. 4. Relay Agent Behavior Update A relay agent relays the message towards the server or the client according to the message type. Relay-reply messages are sent toward the client. The Relay-forward message and other types of message are sent toward the server. We say "toward the client" and "toward the server" because relay agents may be chained together, so a relay message may be sent through multiple relays along the path to its destination. Relay- reply messages specify a destination address; the relay agent extracts the encapsulated message and sends it to the specified destination address. Any message other than a Relay-reply does not have such a specified destination, so it follows the default forwarding path configured on the relay agent, which is always toward Cui, et al. Expires December 28, 2013 [Page 3] Internet-Draft Handling Unknown DHCPv6 Messages June 2013 the server. 4.1. Definition of a Valid Message Section 20.1 of [RFC3315] states that: "When a relay agent receives a valid message to be relayed, it constructs a new Relay-forward message." It doesn't define what a valid message is. In this document, we specify the definition: the message is valid for constructing a new Relay-forward message if the recipient is a relay agent, the relay agent does not identify itself as the intended recipient, and the message is not a Relay-Reply message. We state the definition in this way for the following reasons: o Any message received by a client or server is clearly not a candidate for forwarding. o Any message received by the relay in response to a message it has sent to the server-e.g., a RECONFIGURE-REPLY message-is also not a candidate for forwarding. o A standards-compliant DHCP server will never send a message to a relay other than in response to a message from a relay, so there should never be a case where a relay receives a message for which it is the intended recipient, but is not able to recognize that it is the intended recipient for the message. o A Relay-Reply message is an encapsulation intended for the client or for a relay agent closer to the client. It specifies a destination, and hence is never to be encapsulated and sent back to the server. Any message that does not meet any of these criteria must therefore be a message intended to be relayed to the DHCP server. 4.2. Relaying a Message towards Server If the relay agent received a Relay-forward message, Section 20.1.2 of [RFC3315] defines the related behavior. If the relay agent received messages other than Relay-forward and Relay-reply, it MUST forward them as is described in Section 20.1.1 of [RFC3315]. 4.3. Relaying a Message towards Client If the relay agent received a Relay-reply message, it MUST unpack the Cui, et al. Expires December 28, 2013 [Page 4] Internet-Draft Handling Unknown DHCPv6 Messages June 2013 message and forward it as is defined in Section 20.2 of [RFC3315], regardless of the message type in Relay Message Option. 5. Client and Server Behavior Update There are chances that the client or server would receive DHCPv6 messages with unknown types. In this case, the client or server MUST discard the unrecognized messages. 6. Security Considerations As the relay agent will forward all unknown types of DHCPv6 messages, a malicious attacker can interfere with the relaying function by constructing fake DHCPv6 messages with arbitrary type code. The same problem may happen in current DHCPv4 and DHCPv6 practice where the attacker has to construct the fake DHCP message with an known type code. Clients and servers that implement this specification will discard unknown DHCPv6 messages. Since RFC3315 did not specify either relay, client or server behavior in the presence of unknown messages, it is possible that some servers or clients that have not been updated to conform to this specification might be made vulnerable to client attacks through the relay agent. For this reason, we recommend that relay agents, clients and servers be updated to follow this new specification. However, in most deployment scenarios, it will be much easier to attack clients directly than through a relay; furthermore, attacks using unknown message types are already possible on the local wire. So in most cases, if clients are not upgraded there should be minimal additional risk; at sites where only servers and relays can be upgraded, the incremental benefit of doing so most likely exceeds any risk due to vulnerable clients. Nothing in this update should be construed to mean that relay agents may not be administratively configurable to drop messages on the basis of the message type, for security reasons (e.g., in a firewall). The sole purpose of requiring relay agents to relay unknown messages is to ensure that when legitimate new messages are defined in the protocol, relay agents, even if they were manufactured prior to the definition of these new messages, will, by default, succeed in relaying such messages. Cui, et al. Expires December 28, 2013 [Page 5] Internet-Draft Handling Unknown DHCPv6 Messages June 2013 7. IANA Considerations This document does not include an IANA request. 8. Contributors List Many thanks for Bernie Volz, Cong Liu and Yuchi Chen's contributions to the draft. 9. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. Authors' Addresses Yong Cui Tsinghua University Department of Computer Science, Tsinghua University Beijing 100084 P.R.China Phone: +86-10-6260-3059 Email: yong@csnet1.cs.tsinghua.edu.cn Qi Sun Tsinghua University Department of Computer Science, Tsinghua University Beijing 100084 P.R.China Phone: +86-10-6278-5822 Email: sunqi@csnet1.cs.tsinghua.edu.cn Ted Lemon Nominum, Inc. 2000 Seaport Blvd Redwood City, CA 94063 USA Cui, et al. Expires December 28, 2013 [Page 6] Internet-Draft Handling Unknown DHCPv6 Messages June 2013 Phone: +1-650-381-6000 Email: mellon@nominum.com Cui, et al. Expires December 28, 2013 [Page 7]