idnits 2.17.1 draft-ietf-dhc-forcerenew-nonce-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC3203, updated by this document, for RFC5378 checks: 2000-03-03) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 14, 2012) is 4452 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 dhc D. Miles 3 Internet-Draft Google 4 Updates: 3203 (if approved) W. Dec 5 Intended status: Standards Track Cisco Systems 6 Expires: August 17, 2012 J. Bristow 7 Swisscom Schweiz AG 8 R. Maglione 9 Telecom Italia 10 February 14, 2012 12 Forcerenew Nonce Authentication 13 draft-ietf-dhc-forcerenew-nonce-04 15 Abstract 17 Dynamic Host Configuration Protocol (DHCP) FORCERENEW allows for the 18 reconfiguration of a single host by forcing the DHCP client into a 19 Renew state on a trigger from the DHCP server. In Forcerenew Nonce 20 Authentication the server sends a nonce to the client on the initial 21 DHCP ACK that is used for subsequent validation of a FORCERENEW 22 message. This document updates RFC 3203. 24 Status of this Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at http://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on August 17, 2012. 41 Copyright Notice 43 Copyright (c) 2012 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (http://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 60 3. Message authentication . . . . . . . . . . . . . . . . . . . . 3 61 3.1. Forcerenew Nonce Authentication . . . . . . . . . . . . . 3 62 3.1.1. Forcerenew Nonce Protocol Capability Option . . . . . 4 63 3.1.2. Forcerenew Nonce Protocol . . . . . . . . . . . . . . 6 64 3.1.3. Server considerations for Forcerenew Nonce 65 Authentication . . . . . . . . . . . . . . . . . . . . 8 66 3.1.4. Client considerations for Forcerenew Nonce 67 Authentication . . . . . . . . . . . . . . . . . . . . 9 68 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 69 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 70 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 71 6.1. Protocol vulnerabilities . . . . . . . . . . . . . . . . . 11 72 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 73 7.1. Normative References . . . . . . . . . . . . . . . . . . . 11 74 7.2. Informative References . . . . . . . . . . . . . . . . . . 11 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 77 1. Introduction 79 The DHCP Reconfigure Extension defined in [RFC3203] is a useful 80 mechanism allowing dynamic reconfiguration of a single host triggered 81 by the DHCP server. Its application is currently limited by a 82 requirement that FORCERENEW message is always authenticated using 83 procedures as described in [RFC3118]. Authentication for DHCP 84 [RFC3118] is mandatory for FORCERENEW, however as it is currently 85 defined [RFC3118] requires distribution of constant token or shared- 86 secret out-of-band to DHCP clients. The mandatory authentication was 87 originally motivated by a legitimate security concern whereby in some 88 network environments DHCP messages can be spoofed and an attacker 89 could more accurately guess the timing of DHCP renewal messages by 90 first sending a FORCERENEW message. However, in some networks native 91 security mechanisms already provide sufficient protection against 92 spoofing of DHCP traffic. An example of such network is a Broadband 93 Forum TR-101 [TR-101i2] compliant access network. In such 94 environments the mandatory coupling between FORCERENEW and DHCP 95 Authentication [RFC3118] can be relaxed and a lighter authentication 96 mechanism can be used for the FORCERENEW message. This document 97 defines extensions to Authentication for DHCPv4 Messages [RFC3118] to 98 create a new authentication protocol for DHCPv4 FORCERENEW [RFC3203] 99 messages; this method does not require out-of-band key distribution 100 to DHCP clients. The Forcerenew Nonce is exchanged between server 101 and client on initial DHCP ACK and is used for verification of any 102 subsequent FORCERENEW message. This document updates [RFC3203] 104 2. Requirements Language 106 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 107 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 108 document are to be interpreted as described in [RFC2119]. 110 3. Message authentication 112 The FORCERENEW message must be authenticated using either [RFC3118] 113 or the proposed Forcerenew Nonce Authentication protocol. 115 3.1. Forcerenew Nonce Authentication 117 The Forcerenew nonce authentication protocol provides protection 118 against misconfiguration of a client caused by a FORCERENEW message 119 sent by a malicious DHCP server. In this protocol, a DHCP server 120 sends a Forcerenew nonce to the client in the initial exchange of 121 DHCP messages. The client records the Forcerenew nonce for use in 122 authenticating subsequent Forcerenew messages from that server. The 123 server then includes an HMAC computed from the Forcerenew nonce in 124 subsequent FORCERENEW messages. 126 Both the Forcerenew nonce sent from the server to the client and the 127 HMAC in subsequent FORCERENEW messages are carried as the 128 Authentication information in a DHCP Authentication option. The 129 format of the Authentication information is defined in the following 130 section. 132 The Forcerenew nonce protocol is used (initiated by the server) only 133 if the client and server are not using the authentication mechanism 134 specified in [RFC3118] and the client and server have negotiated to 135 use the Forcerenew Nonce Authentication protocol. 137 3.1.1. Forcerenew Nonce Protocol Capability Option 139 A DHCP client indicates DHCP Forcerenew Nonce Protocol capability by 140 including a FORCERENEW_NONCE_CAPABLE() option in DHCP Discover 141 and Request messages sent to the server. 143 A DHCP server that does not support Forcerenew Nonce Protocol 144 authentication should ignore the FORCERENEW_NONCE_CAPABLE() 145 option. A DHCP server indicates DHCP Forcerenew Nonce Protocol 146 preference by including a FORCERENEW_NONCE_CAPABLE() option in 147 any DHCP Offer messages sent to the client. 149 A DHCP client MUST NOT send DHCP messages with authentication options 150 where the protocol value is Forcerenew Nonce Authentication(). 152 The FORCERENEW_NONCE_CAPABLE option is a zero length option with code 153 of and format as follows: 155 Code Len 156 +-----+-----+ 157 | TBD | 0 | 158 +-----+-----+ 160 The client would indicate that it supports the functionality by 161 inserting the FORCERENEW_NONCE_CAPABLE option in the DHCP Discover 162 and Request messages. If the server supports Forcerenew nonce 163 authentication and requires Forcerenew nonce authentication, it will 164 insert the FORCERENEW_NONCE_CAPABLE option in the DHCP Offer message. 166 Server Client Server 167 (not selected) (selected) 169 v v v 170 | | | 171 | Begins initialization | 172 | | | 173 | _____________/|\____________ | 174 |/DHCPDISCOVER | DHCPDISCOVER \| 175 | w/Forcerenew- | w/Forcerenew- | 176 | Nonce-Capable | Nonce-Capable | 177 | | | 178 Determines | Determines 179 configuration | configuration 180 | | | 181 |\ | /| 182 | \__________ | _________/ | 183 | DHCPOFFER \ | /DHCPOFFER | 184 |w/Forcerenew \ | /w/Forcerenew| 185 |Nonce-Capable \| /Nonce-Capable| 186 | | | 187 | Collects replies | 188 | | | 189 | Selects configuration | 190 | | | 191 | _____________/|\____________ | 192 |/ DHCPREQUEST | DHCPREQUEST\ | 193 | w/Forcerenew- | w/Forcerenew- | 194 | Nonce-Capable | Nonce-Capable | 195 | | | 196 | | Commits configuration 197 | | | 198 | |Creates 128-bit Forcerenew Nonce 199 | | | 200 | | _____________/| 201 | |/ DHCPACK | 202 | | w/Auth-Proto= | 203 | | Forcerenew- | 204 | | Nonce | 205 | | | 206 |Client stores Forcerenew Nonce | 207 | | | 208 | Initialization complete | 209 | | | 210 . . . 211 . . . 212 | | | 213 | Forcerenew | 214 | | _____________/| 215 | |/ DHCPFORCE | 216 | | w/Auth-Proto= | 217 | | Forcerenew- | 218 | | Digest(HMAC)| 219 | | | 220 | Client checks HMAC digest | 221 | using stored Forcerenew Nonce | 222 | | | 223 | |\____________ | 224 | | DHCPREQUEST\ | 225 | | w/Forcerenew- | 226 | | Nonce-Capable | 227 | | | 228 | | Commits configuration 229 | | | 230 | |Creates 128-bit Forcerenew Nonce 231 | | | 232 | | _____________/| 233 | |/ DHCPACK | 234 | | w/Auth-Proto= | 235 | | Forcerenew- | 236 | | Nonce | 237 | | | 238 | | | 239 | | | 240 . . . 241 . . . 242 | | | 243 | Graceful shutdown | 244 | | | 245 | |\ ____________ | 246 | | DHCPRELEASE \| 247 | | | 248 | | Discards lease 249 | | | 250 v v v 252 3.1.2. Forcerenew Nonce Protocol 254 The Forcerenew Nonce Protocol makes use of both the DHCP 255 authentication option defined in [RFC3118] re-using the option format 256 and of the Reconfigure Key Authentication Protocol defined in 257 [RFC3315]. 259 The following diagram defines the format of the DHCP authentication 260 option: 262 0 1 2 3 263 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 265 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 266 | Code | Length | Protocol | Algorithm | 267 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 268 | RDM | Replay Detection (64 bits) | 269 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 270 | Replay cont. | 271 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 272 | Replay cont. | | 273 +-+-+-+-+-+-+-+-+ | 274 | | 275 | Authentication Information | 276 | | 277 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 279 The following fields are set in an DHCP authentication option for the 280 Forcerenew Nonce Authentication Protocol: 282 code 90 284 length field contains the length of the protocol 286 protocol 3 288 algorithm 1 290 Replay Detection field is per the Replay Detection Method (RDM) 292 Replay Detection Method (RDM) 0 294 Authentication Information: specified below 296 The format of the Authentication information for the Forcerenew Nonce 297 Authentication Protocol is: 299 0 1 2 3 300 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 301 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 302 | Type | Value (128 bits) | 303 +-+-+-+-+-+-+-+-+ | 304 . . 305 . . 306 . +-+-+-+-+-+-+-+-+ 307 | | 308 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 310 Type Type of data in Value field carried in this option: 312 1 Forcerenew nonce Value (used in ACK message) 314 2 HMAC-MD5 digest of the message (FORCERENEW message) 316 Value Data as defined by field 318 3.1.3. Server considerations for Forcerenew Nonce Authentication 320 The use of Forcerenew Nonce Protocol is dependent on the client 321 indicating its capability through the FORCERENEW_NONCE_CAPABLE() 322 DHCP option in any DHCP Discover or Request messages. The DHCP 323 Discovery or Request message from the client MUST contain the 324 FORCERENEW_NONCE_CAPABLE() option if the Forcerenew Nonce 325 Protocol is to be used by the server. The absence of the 326 FORCERENEW_NONCE_CAPABLE() option indicates to the server that 327 the Forcerenew Nonce Authentication protocol is not supported and 328 thus the server MUST NOT include a Forcerenew Nonce Protocol 329 Authentication option in the DHCP Ack. 331 The server indicates its support of the Forcerenew Nonce Protocol 332 authentication by including the DHCP FORCERENEW_NONCE_CAPABLE() 333 option in the DHCP Offer message. The server SHOULD NOT include this 334 option unless the client has indicated its capability in a DHCP 335 Discovery message . The presence of the 336 FORCERENEW_NONCE_CAPABLE() option in the DHCP offer may be used 337 by clients to prefer Forcerenew nonce Protocol authentication-capable 338 DHCP servers over those servers which do not support such capability. 340 If a capable server receives a DISCOVER or REQUEST (any type) that 341 indicates the client is capable, and the server has no previous nonce 342 recorded, it MUST generate a nonce and include it in the ACK. 344 The server selects a Forcerenew nonce for a client only during 345 Request/Ack message exchange. The server records the Forcerenew 346 nonce and transmits that nonce to the client in an Authentication 347 option in the DHCP Ack message. 349 The server SHOULD NOT include the nonce in an ACK when responding to 350 a renew unless a nonce was generated. This minimizes the number of 351 times the nonce is sent over the wire. 353 If the server to which the DHCP Request message was sent at time T1 354 has not responded, the client enters the REBINDING state and attempts 355 to contact any server. The new Server receiving the DHCP message 356 MUST generate a new nonce. 358 The Forcerenew nonce is 128 bits long, and MUST be a 359 cryptographically strong random or pseudo-random number that cannot 360 easily be predicted. The nonce is embedded as a 128-bit value of the 361 Authentication information where type is set to 1 (Forcerenew nonce 362 Value). 364 To provide authentication for a Forcerenew message, the server 365 selects a replay detection value according to the RDM selected by the 366 server, and computes an HMAC-MD5 of the Forcerenew message, based on 367 the procedure specified in section 21.5 of [RFC3315], using the 368 Forcerenew nonce for the client. The server computes the HMAC-MD5, 369 based on the procedure specified in section 21.5 of [RFC3315], over 370 the entire DHCP Forcerenew message, including the Authentication 371 option; the HMAC-MD5 field in the Authentication option is set to 372 zero for the HMAC-MD5 computation. The server includes the HMAC-MD5 373 in the authentication information field in an Authentication option 374 included in the Forcerenew message sent to the client with type set 375 to 2 (HMAC-MD5 digest). 377 3.1.4. Client considerations for Forcerenew Nonce Authentication 379 A client that supports this mechanism MUST indicate Forcerenew nonce 380 Capability by including the FORCERENEW_NONCE_CAPABLE() DHCP 381 option defined in Section 3.1.1 in all DHCP Discover and Request 382 messages. DHCP servers that support Forcerenew nonce Protocol 383 authentication MUST include the FORCERENEW_NONCE_CAPABLE() DHCP 384 option in all DHCP Offers, allowing the client to use this capability 385 in selecting DHCP servers should multiple Offers arrive. 387 The client MUST validate the DHCP Ack message contains a Forcerenew 388 Nonce in a DHCP authentication option. If the server has indicated 389 capability for Forcerenew Nonce Protocol authentication in the DHCP 390 OFFER and the subsequent ACK received by the client while in the 391 selecting state omits a valid DHCP authentication option for the 392 Forcerenew Nonce Protocol, the client MUST discard the message and 393 return to the INIT stat 394 The client MUST record the Forcerenew Nonce from any valid ACK it 395 receives, if the ACK contains one. 397 To authenticate a Forcerenew message, the client computes an HMAC- 398 MD5, based on the procedure specified in section 21.5 of [RFC3315], 399 over the DHCP FORCERENEW message, using the Forcerenew Nonce received 400 from the server. If this computed HMAC-MD5 matches the value in the 401 Authentication option, the client accepts the FORCERENEW message. 403 4. Acknowledgements 405 Comments are solicited and should be addressed to the DHC WG mailing 406 list (dhcwg@ietf.org) and/or the authors. This contribution is based 407 on work by Vitali Vinokour. Major sections of this draft use 408 modified text from [RFC3315]. The authors wish to thank Ted Lemon, 409 Matthew Ryan and Bernie Volz for their support. 411 5. IANA Considerations 413 This document requests IANA to assign the following new DHCPv4 option 414 code from the registry "BOOTP Vendor Extensions and DHCP Options" 415 maintained at http://www.iana.org/assignments/bootp-dhcp-parameters: 417 Tag: TBD 419 Name: FORCERENEW_NONCE_CAPABALE 421 Data lenght: 1 423 Description: Forcerenew Nonce Capable 425 Reference: this document 427 6. Security Considerations 429 As in some network environments FORCERENEW can be used to snoop and 430 spoof traffic, the FORCERENEW message MUST be authenticated using the 431 procedures as described in [RFC3118] or this proposal. 433 The mechanism in [RFC3315] for DHCPv6, which this document mirrors 434 for DHCPv4, uses a nonce to prevent an off-link attacker from 435 successfully triggering a renewal on a client by sending 436 DHCPFORCERENEW; since the attacker is off-link, it doesn't have the 437 nonce, and can't force a renewal. 439 An on-link attacker can always simply watch the DHCP renewal message 440 go out and respond to it, so this mechanism is useless for preventing 441 on-link attacks, and hence the security of the nonce in the case of 442 on-link attacks isn't relevant. Any party able to intercept the 443 nonce exchange could impersonate a server and thus offers no 444 protection from man-in-the- middle attacks. FORCERENEW messages 445 failing the authentication should be silently discarded by the 446 client. 448 6.1. Protocol vulnerabilities 450 The mechanism described in this document is vulnerable to a denial of 451 service attack through flooding a client with bogus FORCERENEW 452 messages. The calculations involved in authenticating the bogus 453 FORECERENEW messages may overwhelm the device on which the client is 454 running. 456 The mechanism described provides protection against the use of a 457 FORCERENEW message by a malicious DHCP server to mount a denial of 458 service or man-in-the-middle attack on a client. This protocol can 459 be compromised by an attacker that can intercept the initial message 460 in which the DHCP server sends the nonce to the client. 462 7. References 464 7.1. Normative References 466 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 467 Requirement Levels", BCP 14, RFC 2119, March 1997. 469 [RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP 470 Messages", RFC 3118, June 2001. 472 [RFC3203] T'Joens, Y., Hublet, C., and P. De Schrijver, "DHCP 473 reconfigure extension", RFC 3203, December 2001. 475 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., 476 and M. Carney, "Dynamic Host Configuration Protocol for 477 IPv6 (DHCPv6)", RFC 3315, July 2003. 479 7.2. Informative References 481 [TR-101i2] 482 Anschutz, T., "Migration to Ethernet-Based Broadband 483 Aggregation Broadband Forum TR-101 Issue 2", July 2011. 485 Authors' Addresses 487 David Miles 488 Google 490 Phone: 491 Fax: 492 Email: 493 URI: 495 Wojciech Dec 496 Cisco Systems 497 Haarlerbergpark Haarlerbergweg 13-19 498 Amsterdam, NOORD-HOLLAND 1101 CH 499 Netherlands 501 Phone: 502 Fax: 503 Email: wdec@cisco.com 504 URI: 506 James Bristow 507 Swisscom Schweiz AG 508 Zentweg 9 509 Bern, 3050, 510 Switzerland 512 Phone: 513 Fax: 514 Email: James.Bristow@swisscom.com 515 URI: 517 Roberta Maglione 518 Telecom Italia 519 Via Reiss Romoli 274 520 Torino 10148 521 Italy 523 Phone: 524 Email: roberta.maglione@telecomitalia.it