| < draft-ietf-dhc-paa-option-04.txt | draft-ietf-dhc-paa-option-05.txt > | |||
|---|---|---|---|---|
| DHC Working Group L. Morand | DHC Working Group L. Morand | |||
| Internet-Draft France Telecom R&D | Internet-Draft France Telecom R&D | |||
| Intended status: Standards Track S. Kumar | Intended status: Standards Track A. Yegin | |||
| Expires: March 15, 2007 Samsung India Software Operations | Expires: June 21, 2007 Samsung | |||
| A. Yegin | S. Kumar | |||
| Samsung Advanced Institute of | Tech Mahindra Ltd | |||
| Technology | ||||
| S. Madanapalli | S. Madanapalli | |||
| Samsung India Software Operations | Samsung | |||
| September 11, 2006 | December 18, 2006 | |||
| DHCP options for PANA Authentication Agents | DHCP options for PANA Authentication Agents | |||
| draft-ietf-dhc-paa-option-04 | draft-ietf-dhc-paa-option-05 | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 40 ¶ | skipping to change at page 1, line 39 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on March 15, 2007. | This Internet-Draft will expire on June 21, 2007. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2006). | Copyright (C) The IETF Trust (2006). | |||
| Abstract | Abstract | |||
| This document defines new DHCPv4 and DHCPv6 options that contain a | This document defines new DHCPv4 and DHCPv6 options that contain a | |||
| list of IP addresses to locate one or more of PANA Authentication | list of IP addresses to locate one or more of PANA Authentication | |||
| Agents (PAA). This is one of the many methods that a PANA Client | Agents (PAA). This is one of the methods that a PANA Client (PaC) | |||
| (PaC) can use to locate PANA Authentication Agents (PAA). | can use to locate PANA Authentication Agents (PAA). | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Specification of Requirements . . . . . . . . . . . . . . . . . 3 | 2. Specification of Requirements . . . . . . . . . . . . . . . . . 3 | |||
| 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. PANA Authentication Agent DHCPv4 Option . . . . . . . . . . . . 4 | 4. PANA Authentication Agent DHCPv4 Option . . . . . . . . . . . . 4 | |||
| 5. PANA Authentication Agent DHCPv6 Option . . . . . . . . . . . . 4 | 5. PANA Authentication Agent DHCPv6 Option . . . . . . . . . . . . 5 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 6 | 9.1. Normative References . . . . . . . . . . . . . . . . . . . 7 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 6 | 9.2. Informative References . . . . . . . . . . . . . . . . . . 7 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 8 | Intellectual Property and Copyright Statements . . . . . . . . . . 9 | |||
| 1. Introduction | 1. Introduction | |||
| The Protocol for carrying Authentication for Network Access (PANA) | The Protocol for carrying Authentication for Network Access (PANA) | |||
| [I-D.ietf-pana-pana] defines a new Extensible Authentication Protocol | [I-D.ietf-pana-pana] defines a new Extensible Authentication Protocol | |||
| (EAP) [RFC3748] lower layer that uses IP between the protocol end- | (EAP) [RFC3748] lower layer that uses IP between the protocol end- | |||
| points. | points. | |||
| The PANA protocol is run between a PANA Client (PaC) and a PANA | The PANA protocol is run between a PANA Client (PaC) and a PANA | |||
| Authentication Agent (PAA) in order to perform authentication and | Authentication Agent (PAA) in order to perform authentication and | |||
| authorization for the network access service. | authorization for the network access service. | |||
| This document specifies DHCPv4 [RFC2131] and DHCPv6 [RFC3315] options | This document specifies DHCPv4 [RFC2131] and DHCPv6 [RFC3315] options | |||
| that allow PANA client (PaC) to discover PANA Authentication Agents | that allow PANA client (PaC) to discover PANA Authentication Agents | |||
| (PAA). This is one of the many methods for locating PAAs. | (PAA). This is one of the methods for locating PAAs. | |||
| The DHCP options defined in this document are used only as a PAA | ||||
| discovery mechanism. These DHCP options MUST NOT be used to perform | ||||
| any negotiation on the use of PANA between the PaC and a PAA. | ||||
| 2. Specification of Requirements | 2. Specification of Requirements | |||
| In this document, several words are used to signify the requirements | In this document, several words are used to signify the requirements | |||
| of the specification. These words are often capitalized. The key | of the specification. These words are often capitalized. The key | |||
| words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", | words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", | |||
| "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document | "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document | |||
| are to be interpreted as described in [RFC2119]. | are to be interpreted as described in [RFC2119]. | |||
| 3. Terminology | 3. Terminology | |||
| skipping to change at page 4, line 27 ¶ | skipping to change at page 4, line 34 ¶ | |||
| | option-code | option-length | | | option-code | option-length | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | | | | | | |||
| + PAA IPv4 Address + | + PAA IPv4 Address + | |||
| | | | | | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | ... | | | ... | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 1: PAA DHCPv4 option | Figure 1: PAA DHCPv4 option | |||
| option-code: OPTION_PANA_AGENT (TBD) | option-code: OPTION_PANA_AGENT (TBD) | |||
| option-length: Length of the 'options' field in octets; | option-length: Length of the 'options' field in octets; | |||
| MUST be a multiple of four (4) | MUST be a multiple of four (4) | |||
| PAA IPv4 Address: IPv4 address of a PAA for the client to use; | PAA IPv4 Address: IPv4 address of a PAA for the client to use. | |||
| The PAAs are listed in the order of preference | The PAAs are listed in the order of preference | |||
| for use by the client. | for use by the client. | |||
| A DHCPv4 client requests the PAA DHCPv4 Option in a Parameter Request | A PaC (DHCPv4 client) SHOULD request the PAA DHCPv4 Option in a | |||
| List as described in [RFC2131] and [RFC2132]. | Parameter Request List as described in [RFC2131] and [RFC2132]. | |||
| The DHCPv4 client MUST try the records in the order listed in the PAA | If configured with a (list of) PAA address(es), a DHCPv4 server | |||
| DHCPv4 option. | SHOULD send a client with the PAA DHCPv4 option, even if this option | |||
| is not explicitly requested by the client. | ||||
| A PaC (DHCPv4 client) receiving the PAA DHCPv4 option SHOULD use the | ||||
| (list of) IP address(es) to locate PAA. | ||||
| The PaC (DHCPv4 client) MUST try the records in the order listed in | ||||
| the PAA DHCPv4 option received from the DHCPv4 server. | ||||
| 5. PANA Authentication Agent DHCPv6 Option | 5. PANA Authentication Agent DHCPv6 Option | |||
| This section defines a DHCPv6 option that carries a list of 128-bit | This section defines a DHCPv6 option that carries a list of 128-bit | |||
| (binary) IPv6 addresses indicating one or more PANA Authentication | (binary) IPv6 addresses indicating one or more PANA Authentication | |||
| Agents (PAA) available to the PANA client. | Agents (PAA) available to the PANA client. | |||
| The DHCPv6 option for PANA Authentication Agent has the format shown | The DHCPv6 option for PANA Authentication Agent has the format shown | |||
| in Fig. 2. | in Fig. 2. | |||
| skipping to change at page 5, line 22 ¶ | skipping to change at page 5, line 37 ¶ | |||
| | | | | | | |||
| + PAA IPv6 Address + | + PAA IPv6 Address + | |||
| | | | | | | |||
| + + | + + | |||
| | | | | | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | .... | | | .... | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 2: PAA DHCPv6 option | Figure 2: PAA DHCPv6 option | |||
| option-code: OPTION_PANA_AGENT (TBD) | option-code: OPTION_PANA_AGENT (TBD) | |||
| option-length: Length of the 'options' field in octets; | option-length: Length of the 'options' field in octets; | |||
| MUST be a multiple of sixteen (16) | MUST be a multiple of sixteen (16) | |||
| PAA IPv6 Address: IPv6 address of a PAA for the client to use; | PAA IPv6 Address: IPv6 address of a PAA for the client to use. | |||
| The PAAs are listed in the order of preference | The PAAs are listed in the order of preference | |||
| for use by the client. | for use by the client. | |||
| A DHCPv6 client requests the PAA DHCPv6 option in an Options Request | A PaC DHCPv6 client SHOULD request the PAA DHCPv6 option in an | |||
| Option (ORO) as described in the DHCPv6 specification [RFC3315]. | Options Request Option (ORO) as described in the DHCPv6 specification | |||
| [RFC3315]. | ||||
| The DHCPv6 client MUST try the records in the order listed in the PAA | If configured with a (list of) PAA address(es), a DHCPv6 server | |||
| DHCPv6 option. | SHOULD send a client with the PAA DHCPv6 option, even if this option | |||
| is not explicitly requested by the client. | ||||
| A PaC (DHCPv6 client) receiving the PAA DHCPv6 option SHOULD use the | ||||
| (list of) IP address(es) to locate PAA. | ||||
| The PaC (DHCPv6 client) MUST try the records in the order listed in | ||||
| the PAA DHCPv6 option received from the DHCPv6 server. | ||||
| 6. IANA Considerations | 6. IANA Considerations | |||
| The following DHCPv4 option code for PANA Authentication Agent option | The following DHCPv4 option code for PANA Authentication Agent option | |||
| MUST be assigned by IANA: | MUST be assigned by IANA: | |||
| Option Name Value Described in | ||||
| ----------------------------------------------- | Option Name Value Described in | |||
| OPTION_PANA_AGENT TBD Section 4 | ----------------------------------------------- | |||
| OPTION_PANA_AGENT TBD Section 4 | ||||
| The following DHCPv6 option code for PANA Authentication Agent | The following DHCPv6 option code for PANA Authentication Agent | |||
| options MUST be assigned by IANA: | options MUST be assigned by IANA: | |||
| Option Name Value Described in | ||||
| ------------------------------------------------ | Option Name Value Described in | |||
| OPTION_PAA_AGENT TBD Section 5 | ------------------------------------------------ | |||
| OPTION_PAA_AGENT TBD Section 5 | ||||
| 7. Security Considerations | 7. Security Considerations | |||
| The security considerations in [RFC2131], [RFC2132] and [RFC3315] | The security considerations in [RFC2131], [RFC2132] and [RFC3315] | |||
| apply. If an adversary manages to modify the response from a DHCP | apply. If an adversary manages to modify the response from a DHCP | |||
| server or insert its own response, a PANA Client could be led to | server or insert its own response, a PANA Client could be led to | |||
| contact a rogue PANA Agent, possibly one that then intercepts call | contact a rogue PANA Authentication Agent, possibly one that then | |||
| requests or denies service. | intercepts call requests or denies service. | |||
| In most of the networks, the DHCP exchange that delivers the options | ||||
| prior to network access authentication is neither integrity protected | ||||
| nor origin authenticated. Therefore, the options defined in this | ||||
| document MUST NOT be used to perform any negotiation on the use of | ||||
| PANA between the PANA Client and a PANA Authentication Agent. Using | ||||
| the presence (or absence) of these DHCP options as an indication of | ||||
| network mandating PANA authentication (or not) is an example such a | ||||
| negotiation mechanism. This negotiation would allow bidding down | ||||
| attacks by making the clients choose to use a lower-grade security | ||||
| mechanism (or even no security at all). | ||||
| 8. Acknowledgements | 8. Acknowledgements | |||
| Thanks to Ralph Droms, Stig Venaas, Ted Lemon, Andre Kostur, Bernie | We would like to thank to Ralph Droms, Stig Venaas, Ted Lemon, Andre | |||
| Volz, Soohong Daniel Park and Yoshihiro Ohba for their valuable | Kostur and Bernie Volz for their valuable comments. We would like to | |||
| comments. | thank also Jari Arkko, Thomas Norten, Bernard Aboba that provided | |||
| several draft reviews, as well as all members of the PANA and DHC | ||||
| working groups that contribute to improve this document. | ||||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [I-D.ietf-pana-pana] | [I-D.ietf-pana-pana] | |||
| Forsberg, D., "Protocol for Carrying Authentication for | Forsberg, D., "Protocol for Carrying Authentication for | |||
| Network Access (PANA)", draft-ietf-pana-pana-12 (work in | Network Access (PANA)", draft-ietf-pana-pana-13 (work in | |||
| progress), August 2006. | progress), December 2006. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", | [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", | |||
| RFC 2131, March 1997. | RFC 2131, March 1997. | |||
| [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor | [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor | |||
| Extensions", RFC 2132, March 1997. | Extensions", RFC 2132, March 1997. | |||
| skipping to change at page 7, line 9 ¶ | skipping to change at page 7, line 45 ¶ | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. | [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. | |||
| Levkowetz, "Extensible Authentication Protocol (EAP)", | Levkowetz, "Extensible Authentication Protocol (EAP)", | |||
| RFC 3748, June 2004. | RFC 3748, June 2004. | |||
| Authors' Addresses | Authors' Addresses | |||
| Lionel Morand | Lionel Morand | |||
| France Telecom R&D | France Telecom R&D | |||
| 38-40 rue du general Leclerc | ||||
| 92794 Issy-Les-Moulineaux Cedex 9 | ||||
| France | ||||
| Phone: +33 1 45296257 | ||||
| Email: lionel.morand@orange-ft.com | Email: lionel.morand@orange-ft.com | |||
| Suraj Kumar | ||||
| Samsung India Software Operations | ||||
| No. 66/1, BAGMANE TECH PARK, C V RAMAN NAGAR | ||||
| Bangalore | ||||
| India | ||||
| Phone: +91 80 41819999 | ||||
| Email: suraj.kumar@samsung.com | ||||
| Alper E. Yegin | Alper E. Yegin | |||
| Samsung Advanced Institute of Technology | Samsung | |||
| Email: alper01.yegin@partner.samsung.com | Email: alper01.yegin@partner.samsung.com | |||
| Suraj Kumar | ||||
| Tech Mahindra Ltd | ||||
| Email: surajk@techmahindra.com | ||||
| Syam Madanapalli | Syam Madanapalli | |||
| Samsung India Software Operations | Samsung | |||
| No. 66/1, BAGMANE TECH PARK, C V RAMAN NAGAR | ||||
| Bangalore | ||||
| India | ||||
| Phone: +91 80 41819999 | ||||
| Email: syam@samsung.com | Email: syam@samsung.com | |||
| Full Copyright Statement | Full Copyright Statement | |||
| Copyright (C) The Internet Society (2006). | Copyright (C) The IETF Trust (2006). | |||
| This document is subject to the rights, licenses and restrictions | This document is subject to the rights, licenses and restrictions | |||
| contained in BCP 78, and except as set forth therein, the authors | contained in BCP 78, and except as set forth therein, the authors | |||
| retain all their rights. | retain all their rights. | |||
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND | |||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS | |||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF | |||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | |||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | |||
| Intellectual Property | Intellectual Property | |||
| The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
| Intellectual Property Rights or other rights that might be claimed to | Intellectual Property Rights or other rights that might be claimed to | |||
| pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
| this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
| might or might not be available; nor does it represent that it has | might or might not be available; nor does it represent that it has | |||
| made any independent effort to identify any such rights. Information | made any independent effort to identify any such rights. Information | |||
| End of changes. 33 change blocks. | ||||
| 79 lines changed or deleted | 99 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
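Worked example for Sections 4 and 5 (added here; it is not code from the draft or from its authors). It encodes and decodes the two option formats of Figures 1 and 2: a DHCPv4 option with a one-octet option-code, a one-octet option-length that MUST be a multiple of four, and 32-bit PAA addresses; and a DHCPv6 option with a two-octet option-code, a two-octet option-length that MUST be a multiple of sixteen, and 128-bit PAA addresses. Addresses are returned in wire order, which Sections 4 and 5 define as the order of preference the PaC MUST follow. The option codes are TBD in the draft, so the two constants below are placeholders, not IANA assignments (note that the draft's Section 6 names the DHCPv6 code OPTION_PAA_AGENT while Figure 2 names it OPTION_PANA_AGENT; the example simply keeps separate constants for the two protocols). The sample addresses are constructed from documentation ranges. Rejecting a zero option-length is a choice of this example, since an empty list gives the PaC nothing to locate; the draft itself only requires the multiple-of-4/16 rule.

```python
import ipaddress
import struct
from typing import Callable, List, Optional

# Placeholder option codes: the draft leaves both values TBD for IANA.
OPTION_PANA_AGENT_V4 = 0xFE    # assumed placeholder, not an IANA assignment
OPTION_PANA_AGENT_V6 = 0xFFFE  # assumed placeholder, not an IANA assignment


class MalformedOption(ValueError):
    """Raised when an option does not match the layout of Figure 1 or Figure 2."""


def build_paa_dhcpv4_option(addrs: List[str]) -> bytes:
    """Encode a PAA DHCPv4 option: code (1 octet), length (1 octet), IPv4 addresses."""
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    if not body or len(body) > 255:
        # A one-octet length field caps the list at 63 addresses.
        raise MalformedOption("address list must hold 1..63 IPv4 addresses")
    return bytes([OPTION_PANA_AGENT_V4, len(body)]) + body


def parse_paa_dhcpv4_option(data: bytes) -> List[ipaddress.IPv4Address]:
    """Decode a PAA DHCPv4 option (Figure 1); option-length MUST be a multiple of 4."""
    if len(data) < 2:
        raise MalformedOption("option header truncated")
    code, length = data[0], data[1]
    if code != OPTION_PANA_AGENT_V4:
        raise MalformedOption(f"unexpected option-code {code}")
    if length == 0 or length % 4 != 0:
        raise MalformedOption(f"option-length {length} is not a positive multiple of 4")
    body = data[2:2 + length]
    if len(body) != length:
        raise MalformedOption("option body truncated")
    # Wire order is the order of preference; keep it.
    return [ipaddress.IPv4Address(body[i:i + 4]) for i in range(0, length, 4)]


def build_paa_dhcpv6_option(addrs: List[str]) -> bytes:
    """Encode a PAA DHCPv6 option: code (2 octets), length (2 octets), IPv6 addresses."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    if not body or len(body) > 0xFFFF:
        raise MalformedOption("address list must hold at least one IPv6 address")
    return struct.pack("!HH", OPTION_PANA_AGENT_V6, len(body)) + body


def parse_paa_dhcpv6_option(data: bytes) -> List[ipaddress.IPv6Address]:
    """Decode a PAA DHCPv6 option (Figure 2); option-length MUST be a multiple of 16."""
    if len(data) < 4:
        raise MalformedOption("option header truncated")
    code, length = struct.unpack("!HH", data[:4])
    if code != OPTION_PANA_AGENT_V6:
        raise MalformedOption(f"unexpected option-code {code}")
    if length == 0 or length % 16 != 0:
        raise MalformedOption(f"option-length {length} is not a positive multiple of 16")
    body = data[4:4 + length]
    if len(body) != length:
        raise MalformedOption("option body truncated")
    return [ipaddress.IPv6Address(body[i:i + 16]) for i in range(0, length, 16)]


def first_responding_paa(addrs, try_contact: Callable[[object], bool]) -> Optional[object]:
    """Try the listed PAAs strictly in the order received (Sections 4 and 5) and
    return the first one that answers; try_contact is supplied by the caller."""
    for addr in addrs:
        if try_contact(addr):
            return addr
    return None


if __name__ == "__main__":
    # Constructed sample lists from the documentation address ranges.
    v4 = build_paa_dhcpv4_option(["192.0.2.10", "192.0.2.20"])
    v6 = build_paa_dhcpv6_option(["2001:db8::1", "2001:db8::2"])
    print(v4.hex(), [str(a) for a in parse_paa_dhcpv4_option(v4)])
    print(v6.hex(), [str(a) for a in parse_paa_dhcpv6_option(v6)])
```

The parsers only validate the option's shape; they deliberately do not treat the presence or absence of the option as a signal about whether PANA is required, which is the negotiation use that Section 7 forbids because the unprotected DHCP exchange would let an attacker bid the client down.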