Network Working Group                                        G. Halwasia
Internet-Draft                                               S. Bhandari
Intended status: Standards Track                                  W. Dec
Expires: September 12, 2013                                Cisco Systems
                                                          March 11, 2013


              Client Link-layer Address Option in DHCPv6
          draft-ietf-dhc-dhcpv6-client-link-layer-addr-opt-05

Abstract

   This document specifies the format and mechanism to be used for
   encoding the client link-layer address in DHCPv6 Relay-Forward
   messages, by defining a new DHCPv6 Client Link-layer Address option.
Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 12, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Problem Background and Scenario
   3.  DHCPv6 Client Link-layer Address Option
   4.  DHCPv6 Relay Agent Behavior
   5.  DHCPv6 Server Behavior
   6.  DHCPv6 Client Behavior
   7.  IANA Considerations
   8.  Security Considerations
   9.  Acknowledgements
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   This specification defines an optional mechanism and the related
   DHCPv6 option that allow first-hop DHCPv6 relay agents (relay agents
   connected to the same link as the client) to provide the client's
   link-layer address in the DHCPv6 messages sent towards the server.

2.  Problem Background and Scenario

   The DHCPv4 protocol specification [RFC2131] provides a way to carry
   the client link-layer address in the DHCPv4 message header: the
   'htype' and 'chaddr' fields specify the client link-layer address
   type and link-layer address, respectively.  The client link-layer
   address learnt this way can be used by the DHCPv4 server and relay in
   different ways.  In some deployments, DHCPv4 servers use 'chaddr' as
   a customer identifier and as a key for lookup in the client lease
   database.

   With the incremental deployment of IPv6 in existing IPv4 networks,
   which results in a dual-stack network environment, there will be
   devices that act as both DHCPv4 and DHCPv6 clients.  In service
   provider deployments, a typical DHCPv4 implementation uses the
   client link-layer address as one of the keys to build the DHCP client
   lease database.  In dual-stack scenarios, operators need to be able
   to associate DHCPv4 and DHCPv6 messages with the same client
   interface, based on an identifier that is common to the interface.
   The client link-layer address is such an identifier.

   Currently, the DHCPv6 protocol specification [RFC3315] does not
   define a way to communicate the client link-layer address to the DHCP
   server in cases where the DHCP server is not connected to the same
   network link as the DHCP client.  The DHCPv6 protocol specification
   mandates that all clients send a DUID as the Client Identifier option
   in all DHCPv6 message exchanges.  However, none of these methods
   provides a simple way to extract the client's link-layer address.
   This presents a problem to an operator who is using an existing
   DHCPv4 system with the client link-layer address as the customer
   identifier, and who wants to correlate DHCPv6 assignments using the
   same identifier.  [RFC4361] describes a mechanism for using the same
   DUID in both DHCPv4 and DHCPv6.  Unfortunately, that specification
   requires modification of existing DHCPv4 clients, and it has not seen
   broad adoption in the industry (indeed, the authors are not aware of
   any commercial implementations).

   Providing an option in DHCPv6 Relay-Forward messages that carries the
   client link-layer address explicitly helps in the scenarios mentioned
   above.  For example, it can be used along with other identifiers to
   associate DHCPv4 and DHCPv6 messages from a dual-stack client.
   Further, having the client link-layer address in DHCPv6 provides
   additional information for event debugging and logging related to
   the client at the relay and the server.  The proposed option may be
   used in a wide range of networks; two notable deployment models are
   service provider and enterprise network environments.

3.  DHCPv6 Client Link-layer Address Option

   The format of the DHCPv6 Client Link-layer Address option is shown
   below.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  OPTION_CLIENT_LINKLAYER_ADDR |         option-length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   link-layer type (16 bits)   |                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
    |             link-layer address (variable length)              |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code:         OPTION_CLIENT_LINKLAYER_ADDR (TBD)

   option-length:       2 + length of link-layer address

   link-layer type:     Client link-layer address type.  The link-layer
                        type MUST be a valid hardware type assigned by
                        the IANA, as described in [RFC0826].

   link-layer address:  Client link-layer address.

4.  DHCPv6 Relay Agent Behavior

   DHCPv6 relay agents that receive messages originating from clients
   (for example, Solicit and Request, but not, for example, Relay-
   Forward or Advertise) MAY include the link-layer source address of
   the received DHCPv6 message in a Client Link-layer Address option in
   the relayed DHCPv6 Relay-Forward message.  Whether the relay agent
   includes the Client Link-layer Address option can depend on its
   configuration.

5.  DHCPv6 Server Behavior

   If the DHCPv6 server is configured to store or use the client
   link-layer address, it SHOULD look for the Client Link-layer Address
   option in the Relay-Forward message of the DHCPv6 relay agent closest
   to the client.  The mechanism described in this document is not
   necessary when the DHCPv6 server is connected to the same network
   link as the client, because the server can then obtain the link-layer
   address from the link-layer header of the DHCPv6 message.
   If the DHCPv6 server receives a Client Link-layer Address option
   anywhere in any encapsulated message that is not a Relay-Forward
   message, the server MUST silently ignore that option.

   There is no requirement that a server return this option and its
   data in a downstream DHCP message.

6.  DHCPv6 Client Behavior

   The Client Link-layer Address option is exchanged only between relay
   agents and servers.  DHCPv6 clients are not aware of the usage of the
   Client Link-layer Address option.  A DHCPv6 client MUST NOT send the
   Client Link-layer Address option, and MUST ignore the Client
   Link-layer Address option if received.

7.  IANA Considerations

   IANA is requested to assign an option code to
   OPTION_CLIENT_LINKLAYER_ADDR from the "DHCP Option Codes" registry
   (http://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-
   parameters.xml).

8.  Security Considerations

   It is possible for a rogue DHCPv6 relay agent to insert an incorrect
   Client Link-layer Address option for malicious purposes.  A DHCPv6
   client can also pose as a rogue DHCP relay agent, sending a Relay-
   Forward message containing an incorrect Client Link-layer Address
   option.  In either case, it would be possible for a DHCPv6 client to
   masquerade as the same device as a DHCPv4 client, when in fact the
   two are distinct.

   One possible attack that could be accomplished using this masquerade
   would be in the case where a DHCPv4 client is using DHCPv4 to do a
   Dynamic DNS update to install an A record so that it can be reached
   by other nodes [RFC4702].  A masquerading DHCPv6 client could use
   DHCPv6 to install an AAAA record with the same name [RFC4704].
   Dual-stack nodes attempting to connect to the DHCPv4 client might
   then be tricked into connecting to the masquerading DHCPv6 client
   instead.
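   The relay-side encoding of Section 3 and the server-side rules of
   Sections 5 and 6, exercised against the case discussed above of a
   client that injects the option into its own message, as an added
   example in Python.  This is not code from the draft or from any
   DHCPv6 implementation.  The draft leaves the option code TBD, so the
   constant below is a placeholder chosen for the example; the Relay
   Message option code and the message-type values are those of
   [RFC3315]; the Relay-Forward link and peer addresses are constructed
   zero values.

```python
import struct

# The draft leaves OPTION_CLIENT_LINKLAYER_ADDR as "TBD"; the value below is
# a placeholder for this example, not a statement of the assigned code.
OPTION_CLIENT_LINKLAYER_ADDR = 79
OPTION_RELAY_MSG = 9        # Relay Message option (RFC 3315)
MSG_SOLICIT = 1
MSG_RELAY_FORW = 12
HTYPE_ETHERNET = 1          # IANA hardware type for Ethernet (RFC 826)
RELAY_HDR_LEN = 34          # msg-type, hop-count, link-address, peer-address


def encode_option(code: int, data: bytes) -> bytes:
    """Generic DHCPv6 option TLV: 16-bit code, 16-bit length, payload."""
    return struct.pack("!HH", code, len(data)) + data


def build_client_linklayer_addr(htype: int, lladdr: bytes) -> bytes:
    """Client Link-layer Address option; option-length is 2 + len(lladdr)."""
    return encode_option(OPTION_CLIENT_LINKLAYER_ADDR,
                         struct.pack("!H", htype) + lladdr)


def parse_options(buf: bytes) -> list:
    """Walk a run of DHCPv6 options, returning (code, data) pairs.
    Truncated or over-long options are rejected rather than guessed at."""
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d runs past end of message" % code)
        opts.append((code, buf[off:off + length]))
        off += length
    if off != len(buf):
        raise ValueError("trailing bytes after last option")
    return opts


def build_client_message(msg_type: int, txid: int, options) -> bytes:
    """Client message: 1-byte msg-type, 3-byte transaction-id, then options."""
    return struct.pack("!I", (msg_type << 24) | (txid & 0xFFFFFF)) + b"".join(options)


def build_relay_forward(hop_count: int, link_addr: bytes, peer_addr: bytes,
                        inner: bytes, extra_options=()) -> bytes:
    """Relay-Forward that wraps `inner` in a Relay Message option.  A relay
    that adds the Client Link-layer Address option passes it in extra_options."""
    assert len(link_addr) == 16 and len(peer_addr) == 16
    return (struct.pack("!BB", MSG_RELAY_FORW, hop_count) + link_addr + peer_addr
            + b"".join(extra_options) + encode_option(OPTION_RELAY_MSG, inner))


def extract_client_lladdr(msg: bytes):
    """Server side.  Returns (link-layer type, link-layer address) taken only
    from the Relay-Forward of the relay closest to the client, which is the
    innermost one, or None.  Copies of the option in outer Relay-Forwards,
    in the client's own message, or lacking the 2-byte type are ignored."""
    found = None
    while msg and msg[0] == MSG_RELAY_FORW:
        if len(msg) < RELAY_HDR_LEN:
            raise ValueError("short Relay-Forward header")
        found, inner = None, None          # each inner hop overrides the outer one
        for code, data in parse_options(msg[RELAY_HDR_LEN:]):
            if code == OPTION_CLIENT_LINKLAYER_ADDR and len(data) >= 2:
                found = (struct.unpack("!H", data[:2])[0], data[2:])
            elif code == OPTION_RELAY_MSG:
                inner = data
        if inner is None:
            raise ValueError("Relay-Forward without Relay Message option")
        msg = inner
    # `msg` is now the client's own message; anything it carries is ignored.
    return found


def demo():
    """Constructed exchange: a client that injects the option into its own
    Solicit, a first-hop relay that inserts the real address, and a second
    relay upstream that (wrongly) inserts one as well."""
    spoofed = build_client_linklayer_addr(HTYPE_ETHERNET, bytes.fromhex("deadbeef0001"))
    solicit = build_client_message(MSG_SOLICIT, 0xABCDEF, [spoofed])
    zero = bytes(16)                       # constructed link/peer addresses
    hop0 = build_relay_forward(0, zero, zero, solicit, [
        build_client_linklayer_addr(HTYPE_ETHERNET, bytes.fromhex("001122334455"))])
    hop1 = build_relay_forward(1, zero, zero, hop0, [
        build_client_linklayer_addr(HTYPE_ETHERNET, bytes.fromhex("ffffffffffff"))])
    return extract_client_lladdr(hop1), extract_client_lladdr(solicit)


if __name__ == "__main__":
    print(demo())
```

   The server logic takes the first-hop relay's copy and drops both the
   client's injected copy and the upstream relay's copy.  What parsing
   cannot do is tell a Relay-Forward forged by a client from one sent by
   a real relay; for that the draft relies on IPsec between relay agent
   and server (Section 21.1 of [RFC3315]), and a server that lacks such
   protection should treat the value as a correlation and logging hint
   rather than as an authenticated identifier.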
   It is possible that there are other attacks that could be
   accomplished using this masquerading technique, although the authors
   are not aware of any.  To prevent masquerades of this sort, DHCP
   server administrators are strongly advised to configure DHCP servers
   that use this option to communicate with their relay agents using
   IPsec, as described in Section 21.1 of [RFC3315].

   In some networks, the operator of the physical network and the
   provider of connectivity over that network are administratively
   separate, such that the Client Link-layer Address option would reveal
   information to one or the other party that they do not need and could
   not otherwise obtain.  It is also possible in some cases that a relay
   agent communicates with a DHCP server over an open network where
   eavesdropping is possible.  In these cases, in order to protect
   end-user privacy, it is strongly recommended that network operators
   use IPsec to provide confidentiality for messages between the relay
   agent and the DHCP server.

9.  Acknowledgements

   Many thanks to Ted Lemon, Bernie Volz, Hemant Singh, Simon Hobson,
   Tina TSOU, Andre Kostur, Chuck Anderson, Steinar Haug, Niall
   O'Reilly, Jarrod Johnson, Tomek Mrugalski and Vincent Zimmer for
   their input and review.

10.  References

10.1.  Normative References

   [RFC0826]  Plummer, D., "Ethernet Address Resolution Protocol: Or
              converting network protocol addresses to 48.bit Ethernet
              address for transmission on Ethernet hardware", STD 37,
              RFC 826, November 1982.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
              and M. Carney, "Dynamic Host Configuration Protocol for
              IPv6 (DHCPv6)", RFC 3315, July 2003.

   [RFC4361]  Lemon, T. and B.
              Sommerfeld, "Node-specific Client Identifiers for Dynamic
              Host Configuration Protocol Version Four (DHCPv4)",
              RFC 4361, February 2006.

10.2.  Informative References

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, March 1997.

   [RFC4702]  Stapp, M., Volz, B., and Y. Rekhter, "The Dynamic Host
              Configuration Protocol (DHCP) Client Fully Qualified
              Domain Name (FQDN) Option", RFC 4702, October 2006.

   [RFC4704]  Volz, B., "The Dynamic Host Configuration Protocol for
              IPv6 (DHCPv6) Client Fully Qualified Domain Name (FQDN)
              Option", RFC 4704, October 2006.

Authors' Addresses

   Gaurav Halwasia
   Cisco Systems
   Cessna Business Park, Sarjapura Marathalli Outer Ring Road
   Bangalore, KARNATAKA 560 087
   India

   Phone: +91 80 4429 2703
   Email: ghalwasi@cisco.com


   Shwetha Bhandari
   Cisco Systems
   Cessna Business Park, Sarjapura Marathalli Outer Ring Road
   Bangalore, KARNATAKA 560 087
   India

   Phone: +91 80 4429 2627
   Email: shwethab@cisco.com


   Wojciech Dec
   Cisco Systems
   Haarlerbergweg 13-19
   1101 CH Amsterdam, Amsterdam 560 087
   The Netherlands

   Email: wdec@cisco.com