idnits 2.17.1 draft-ietf-dhc-leasequery-by-remote-id-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 23, 2009) is 5261 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC2132' is defined on line 666, but no explicit reference was found in the text Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DHC Working Group P. Kurapati 3 Internet-Draft 4 Expires: May 27, 2010 R. Desetti 5 B. Joshi 6 Infosys Technologies Ltd. 7 November 23, 2009 9 DHCPv4 Leasequery by relay agent remote ID 10 draft-ietf-dhc-leasequery-by-remote-id-04.txt 12 Abstract 14 Some Relay Agents extract lease information from the DHCP message 15 exchanged between the client and DHCP server. This lease information 16 is used by relay agents for various purposes like antispoofing and 17 prevention of flooding. RFC 4388 defines a mechanism for relay 18 agents to retrieve the lease information from the DHCP server as and 19 when this information is lost. The existing leasequery mechanism is 20 data driven, which means that a relay agent can initiate the 21 leasequery only when it starts receiving data from/to the clients. 22 In certain scenarios, this model is not scalable. This document 23 first looks at issues in existing mechanism and then proposes a new 24 query type, query by remote ID, to address these issues. 26 Status of this Memo 28 This Internet-Draft is submitted to IETF in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF), its areas, and its working groups. Note that 33 other groups may also distribute working documents as Internet- 34 Drafts. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 The list of current Internet-Drafts can be accessed at 42 http://www.ietf.org/ietf/1id-abstracts.txt. 44 The list of Internet-Draft Shadow Directories can be accessed at 45 http://www.ietf.org/shadow.html. 47 This Internet-Draft will expire on May 27, 2010. 49 Copyright Notice 51 Copyright (c) 2009 IETF Trust and the persons identified as the 52 document authors. All rights reserved. 54 This document is subject to BCP 78 and the IETF Trust's Legal 55 Provisions Relating to IETF Documents 56 (http://trustee.ietf.org/license-info) in effect on the date of 57 publication of this document. Please review these documents 58 carefully, as they describe your rights and restrictions with respect 59 to this document. Code Components extracted from this document must 60 include Simplified BSD License text as described in Section 4.e of 61 the Trust Legal Provisions and are provided without warranty as 62 described in the BSD License. 64 Table of Contents 66 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 67 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 68 3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 7 69 4. Design Goals . . . . . . . . . . . . . . . . . . . . . . . . . 9 70 4.1. Information Acquisition before Data Starts . . . . . . . . 9 71 4.2. Reduce Negative Caching . . . . . . . . . . . . . . . . . 9 72 4.3. Antispoofing in 'Fast Path' . . . . . . . . . . . . . . . 9 73 5. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 10 74 6. Protocol Details . . . . . . . . . . . . . . . . . . . . . . . 11 75 6.1. Sending the DHCPLEASEQUERY Message . . . . . . . . . . . . 11 76 6.2. Receiving the DHCPLEASEQUERY Message . . . . . . . . . . . 12 77 6.3. Responding to the DHCPLEASEQUERY Message . . . . . . . . . 12 78 6.4. Determining the IP address to be used in the response . . 12 79 6.5. Building a DHCPLEASEUNKNOWN or DHCPLEASEACTIVE Message . . 13 80 6.6. Sending a DHCPLEASEACTIVE or DHCPLEASEUNKNOWN Message . . 14 81 6.7. Receiving a DHCPLEASEACTIVE or DHCPLEASEUNKNOWN Message . 15 82 6.8. Receiving No Response to the DHCPLEASEQUERY Message . . . 15 83 6.9. Lease Binding Data Storage Requirements . . . . . . . . . 15 84 6.10. Using the DHCPLEASEQUERY Message with Multiple DHCP 85 Servers . . . . . . . . . . . . . . . . . . . . . . . . . 16 86 7. RFC 4388 Considerations . . . . . . . . . . . . . . . . . . . 17 87 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 88 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 89 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 20 90 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 91 11.1. Normative Reference . . . . . . . . . . . . . . . . . . . 21 92 11.2. Informative Reference . . . . . . . . . . . . . . . . . . 21 93 Appendix A. Why a New Leasequery is Required? . . . . . . . . . . 22 94 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25 96 1. Introduction 98 DHCP relay agents snoop DHCP messages and append a relay agent 99 information option before relaying them to the configured DHCP 100 Server. In this process, some relay agents also glean the lease 101 information sent by the server and maintain this locally. This 102 information is used to prevent spoofing attempts from clients and 103 also sometimes to install routing information. When a relay agent 104 reboots, this information is lost. RFC 4388 [RFC4388] has defined a 105 mechanism to retrieve this lease information from the DHCP server. 106 The existing query types defined by RFC 4388 [RFC4388] are data- 107 driven. When a client sends data upstream, the relay agent can query 108 the server about the related lease information, based on the source 109 MAC/IP address. These mechanisms do not scale well when there are 110 thousands of clients connected to the relay agent. In the data- 111 driven model, DHCP Leasequery does not provide the full, consolidated 112 active Lease informations associated with a given connection/circuit 113 which will result in inefficient anti-spoofing. The relay agent also 114 has to contend with considerable resources for negative caching 115 specially under spoofing attacks. 117 We need a mechanism for a relay agent to retrieve the consolidated 118 lease information for a given connection/circuit before upstream 119 traffic is sent by the clients. 121 +--------+ 122 | DHCP | +--------------+ 123 | Server |-...-| DSLAM | 124 | | | Relay Agent | 125 +--------+ +--------------+ 126 | | 127 +------+ +------+ 128 |Modem1| |Modem2| 129 +------+ +------+ 130 | | | 131 +-----+ +-----+ +-----+ 132 |Host1| |Host2| |Host3| 133 +-----+ +-----+ +-----+ 135 Figure 1 137 For example, when a DSLAM acting as a Relay Agent is rebooted, it 138 should query the server for the lease information for all the 139 connections/circuits. Also, as shown in the above figure, there 140 could be multiple clients on one DSL circuit. The relay agent should 141 get the lease information of all the clients connected to a DSL 142 circuit. This is possible by introducing a new query type based on 143 the Remote Id sub-option of the Relay Agent Information option. This 144 document talks about the motivation for the new query type and the 145 method to perform it. 147 2. Terminology 149 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 150 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 151 document are to be interpreted as described in RFC 2119 [RFC2119]. 153 This document uses the following terms: 155 o "access concentrator" 157 An access concentrator is a router or switch at the broadband access 158 provider's edge of a public broadband access network. This document 159 assumes that the access concentrator includes the DHCP relay agent 160 functionality. 162 o "DHCP client" 164 A DHCP client is an Internet host using DHCP to obtain configuration 165 parameters such as a network address. 167 o "DHCP relay agent" 169 A DHCP relay agent is a third-party agent that transfers Bootstrap 170 Protocol (BOOTP) and DHCP messages between clients and servers 171 residing on different subnets, per RFC 951 [RFC951] and RFC 1542 172 [RFC1542]. 174 o "DHCP server" 176 A DHCP server is an Internet host that returns configuration 177 parameters to DHCP clients. 179 o "downstream" 181 Downstream is the direction from the access concentrator towards the 182 broadband subscriber. 184 o "fast path" 186 Data transfer which happens through Network Processor or an ASIC 187 which are programmed to forward the data at very high speeds. 189 o "gleaning" 191 Gleaning is the extraction of location information from DHCP 192 messages, as the messages are forwarded by the DHCP relay agent 193 function. 195 o "location information" 197 Location information is information needed by the access concentrator 198 to forward traffic to a broadband-accessible host. This information 199 includes knowledge of the host hardware address, the port or virtual 200 circuit that leads to the host, and/or the hardware address of the 201 intervening subscriber modem. 203 o "MAC address" 205 In the context of a DHCP packet, a MAC address consists of the 206 following fields: hardware type "htype", hardware length "hlen", and 207 client hardware address "chaddr". 209 o "slow path" 211 Data transfer which happens through the control plane. Typically 212 this has very limited buffers to store data and the speeds are very 213 low compared to fast path data transfer. 215 o "upstream" 217 Upstream is the direction from the broadband subscriber towards the 218 access concentrator. 220 3. Motivation 222 Consider a typical access concentrator (e.g., DSLAM) working also as 223 a DHCP relay agent. A "Fast path" and a "slow path" generally exist 224 in most networking boxes. Fast path processing is done in a network 225 processor or an ASIC (Application Specific Integrated Circuit). Slow 226 path processing is done in a normal processor. As much as possible, 227 regular data handling code should be in the fast path. Slow path 228 processing should be reduced as it may become a bottleneck. 230 For an access concentrator having multiple access ports, multiple IP 231 addresses may be assigned using DHCP to a single port and the number 232 of clients on a port may be unknown. The access concentrator may 233 also not know the network portions of the IP addresses that are 234 assigned to its DHCP clients. 236 The access concentrator gleans IP address or other information from 237 DHCP negotiations for antispoofing and other purposes. The 238 antispoofing itself is done in fast path. Access concentrator keeps 239 track of only one list of IP addresses: list of IP addresses that are 240 assigned by DHCP server; upstream traffic from all other IP addresses 241 is dropped. If a client starts its data transfer after its DHCP 242 negotiations have been gleaned by the access concentrator, no 243 legitimate packets will be dropped because of antispoofing. In other 244 words, antispoofing is effective (no legitimate packets are dropped 245 and all spoofed packets are dropped) and efficient (antispoofing is 246 done in the fast path). The intention is to achieve similar 247 effective and efficient antispoofing in the lease query scenario also 248 when an access concentrator loses its gleaned information (for 249 example, because of a reboot). 251 After a deep analysis, we found that the three existing query types 252 supported by RFC 4388[RFC4388] do not provide effective and efficient 253 antispoofing for the above scenario and a new mechanism is required. 255 The existing query types 257 o necessitate a data-driven approach: the lease queries can only be 258 done when the access concentrator receives data; that results in 259 increased outage time for clients; 261 o result in excessive negative caching, consuming a lot of resources 262 under a spoofing attack; 264 o result in antispoofing being done in the slow path instead of the 265 fast path. 267 The deeper analysis, which led to the above conclusions, itself 268 appears as an Appendix to this document. 270 4. Design Goals 272 The goal of this document is to provide a lightweight mechanism for 273 an access concentrator to retrieve lease information available in the 274 DHCP server. The mechanism SHOULD also support an access 275 concentrator to retrieve consolidated lease information for a 276 connection/circuit. 278 4.1. Information Acquisition before Data Starts 280 The existing data driven approach specified by RFC 4388 [RFC4388] 281 means that the lease queries can only be performed when the access 282 concentrator receives data. If there was an approach to initiate 283 lease queries even before the calls come up, then that would be more 284 effective. For antispoofing, packets need to be dropped until the 285 access concentrator gets the lease information from the DHCP server. 286 If the access concentrator finishes the lease queries before it 287 receives upstream data, then there is no need to drop legitimate 288 packets. So, effectively outage time may be reduced. The lease 289 queries should help in retrieving lease information even before the 290 data starts flowing and should be independent of data traffic. 292 4.2. Reduce Negative Caching 294 If lease queries yield negative results that need to be cached, then 295 that puts additional overhead on the access concentrator. Negative 296 caches not only consume precious resources but they also need to be 297 managed. Hence they should be avoided as much as possible. The 298 lease queries should reduce the need for negative caching as far as 299 possible. 301 4.3. Antispoofing in 'Fast Path' 303 If antispoofing is not done in the fast path, it will become a 304 bottleneck and may lead to denial of service of the access 305 concentrator. The lease queries should make it possible to do 306 antispoofing in the fast path. 308 5. Protocol Overview 310 RFC 3046 [RFC3046] defines two sub-options for the Relay Agent 311 Information option. Sub-option 1 corresponds to the circuit ID that 312 identifies the local circuit of the access concentrator. This sub- 313 option is unique to the relay agent. Sub-option 2 corresponds to the 314 remote ID that identifies the remote host end of the circuit. This 315 is globally unique in the network. 317 This document defines a new query type based on the remote ID sub- 318 option. Suppose that the access concentrator (e.g., DSLAM) lost the 319 lease information when it was rebooted. When the access concentrator 320 comes up, it would initiate (for each connection/circuit) a 321 DHCPLEASEQUERY message containing the Relay Agent Information option 322 [RFC3046] with sub-option remote ID. The DHCP server must return an 323 IP address in the ciaddr field if it has any record of the client 324 described by the remote ID. In the absence of specific configuration 325 information to the contrary, it SHOULD be the IP address with the 326 latest client-last-transaction-time associated with the client 327 described by the remote ID. The DHCP servers that implement this 328 document always send a response ( DHCPLEASEACTIVE or 329 DHCPLEASEUNKNOWN) to the DHCPLEASEQUERY message. The reasons why a 330 DHCPLEASEACTIVE or DHCPLEASEUNKNOWN message is generated are 331 explained in the specific query regimes below. Servers that do not 332 implement DHCPLEASEQUERY based on remote ID SHOULD simply not 333 respond. 335 The query regime is described below: 337 o Query by Agent Remote ID sub-option: 339 For this query, the requester supplies in the DHCPLEASEQUERY message 340 only an option 82 which will include only an Agent Remote ID sub- 341 option. The DHCP server will return any information that it has on 342 the IP address most recently accessed by a client with that Agent 343 Remote ID. In addition, it SHOULD supply any additional IP addresses 344 that have been associated with the Agent Remote ID in different 345 subnets. Information about these bindings can then be found using 346 the Query by IP Address, as described in RFC 4388 [RFC4388]. 348 The DHCP server MUST reply with a DHCPLEASEACTIVE message if the 349 Agent Remote ID in the DHCPLEASEQUERY message currently has an active 350 lease on an IP address in this DHCP server. Otherwise, the server 351 MUST reply with a DHCPLEASEUNKNOWN message. 353 6. Protocol Details 355 In this section, DHCPLEASEQUERY message refers to DHCPLEASEQUERY 356 message with query by remote ID. 358 6.1. Sending the DHCPLEASEQUERY Message 360 The DHCPLEASEQUERY message is typically sent by an access 361 concentrator. The DHCPLEASEQUERY message uses the DHCP message 362 format as described in RFC2131 [RFC2131], and uses message number 10 363 in the DHCP Message Type option (option 53). The DHCPLEASEQUERY 364 message has the following pertinent message contents: 366 o The giaddr MUST be set to the IP address of the requester (i.e., 367 the access concentrator). The giaddr is the return address of the 368 DHCPLEASEACTIVE or DHCPLEASEUNKNOWN message from the DHCP server. 369 Note that this use of the giaddr is consistent with the definition 370 of giaddr in RFC2131 [RFC2131], where the giaddr is always used as 371 the return address of the DHCP response message. In some (but not 372 all) contexts in RFC 2131, the address to allocate to a client is 373 selected based on 'giaddr'. 375 o The Parameter Request List option (option 55) SHOULD be set to the 376 options of interest to the requester. It MUST include the Relay 377 Agent Information option (option 82). The other interesting 378 options are likely to include the IP Address Lease Time option 379 (option 51), and possibly the Vendor class identifier option 380 (option 60). In the absence of a Parameter Request List option, 381 the server SHOULD return the same options it would return for a 382 DHCPREQUEST message that didn't contain a Parameter Request List 383 option (option 55), which includes those mandated by Section 4.3.1 384 of [RFC2131] as well as any options that the server was configured 385 to always return to a client. 387 Additional details concerning different query types are: 389 o Query by Agent Remote ID sub-option: 391 * There MUST be a Relay Agent Information option (option 82) with 392 only an Agent Remote ID sub-option (sub-option 2) in the 393 DHCPLEASEQUERY message. 395 * The ciaddr field MUST be set to zero. 397 * The values of htype, hlen, and chaddr MUST be set to zero. 399 * The Client-identifier option (option 61) MUST NOT appear in the 400 packet. 402 The DHCPLEASEQUERY message SHOULD be sent to a DHCP server which is 403 known to possess authoritative information concerning the remote ID. 404 The DHCPLEASEQUERY message MAY be sent to more than one DHCP server, 405 and in the absence of information concerning which DHCP server might 406 possess authoritative information concerning the remote ID, it SHOULD 407 be sent to all DHCP servers configured for the associated relay agent 408 (if any are known). 410 6.2. Receiving the DHCPLEASEQUERY Message 412 A DHCPLEASEQUERY message MUST have a non-zero giaddr. The 413 DHCPLEASEQUERY message MUST have a zero ciaddr, a zero htype/hlen/ 414 chaddr, and no Client-identifier option. The DHCPLEASEQUERY message 415 MUST have a relay agent option 82 with only a remote ID sub-option. 417 6.3. Responding to the DHCPLEASEQUERY Message 419 There are two possible responses to a DHCPLEASEQUERY message: 421 o DHCPLEASEUNKNOWN 423 The DHCPLEASEUNKNOWN message indicates that the client specified in 424 the DHCPLEASEQUERY message is not allocated any lease or it is not 425 managed by the server. 427 o DHCPLEASEACTIVE 429 The DHCPLEASEACTIVE message indicates that the server not only knows 430 the client specified in the DHCPLEASEQUERY message, but also knows 431 that there is an active lease for that client. 433 6.4. Determining the IP address to be used in the response 435 Since the response to a DHCPLEASEQUERY request can only contain full 436 information about one IP address -- the one that appears in the 437 ciaddr field -- determination of the IP address about which to 438 respond is a key issue. Of course, the values of additional IP 439 addresses for which a client has a lease must also be returned in the 440 associated-ip option (RFC 4388 [RFC4388], Section 6.1, #3). This is 441 the only information returned not directly associated with the IP 442 address in the ciaddr field. 444 The IP address placed in the ciaddr field of a DHCPLEASEACTIVE 445 message MUST be the IP address with the latest client-last- 446 transaction-time associated with the client described by the remote 447 ID specified in the DHCPLEASEQUERY message. 449 If there is only a single IP address that fulfils this criteria, then 450 it MUST be placed in the ciaddr field of the DHCPLEASEACTIVE message. 452 In the case where more than one IP address has been accessed by the 453 client specified by the Remote ID, then the DHCP server MUST return 454 the IP address returned to the client in the most recent transaction 455 with the client unless the DHCP server has been configured by the 456 server administrator to use some other preference mechanism. 458 6.5. Building a DHCPLEASEUNKNOWN or DHCPLEASEACTIVE Message 460 In a DHCPLEASEUNKNOWN response message, the DHCP server MUST echo the 461 Option 82 received in the DHCPLEASEQUERY message. No other options 462 are returned for these messages. With that the processing for a 463 DHCPLEASEUNKNOWN message is complete. 465 For the DHCPLEASEACTIVE message, the rest of the processing largely 466 involves returning information about the IP address specified in the 467 ciaddr field. 469 The MAC address of the DHCPLEASEACTIVE message MUST be set to the 470 values that identify the client associated with the IP address in the 471 ciaddr field of the DHCPLEASEACTIVE message. 473 If the Client-identifier option (option 61) is specified in the 474 Parameter Request List option (option 55), then the Client-identifier 475 (if any) of the client associated with the IP address in the ciaddr 476 field SHOULD be returned in the DHCPLEASEACTIVE message. 478 In the case where more than one IP address has been involved in a 479 DHCP message exchange with the client specified by the Agent Remote 480 ID, then the list of all those IP addresses MUST be returned in the 481 associated-ip option, whether or not that option was requested as 482 part of the Parameter Request List option. 484 If the IP Address Lease Time option (option 51) is specified in the 485 Parameter Request List then the DHCP server MUST return this option 486 in the DHCPLEASEACTIVE message with its value equal to the time 487 remaining until lease expiration. 489 A request for the Renewal (T1) Time Value option or the Rebinding 490 (T2) Time Value option in the Parameter Request List of the 491 DHCPLEASEQUERY message MUST be handled like the IP Address Lease Time 492 option is handled. The DHCP server SHOULD return these options (when 493 requested) with the remaining time until renewal or rebinding, 494 respectively. 496 The information contained in the most recent Relay Agent Information 497 option received from the relay agent associated with this IP address 498 MUST be included in the DHCPLEASEACTIVE message. 500 The DHCPLEASEACTIVE message SHOULD include the values of all other 501 options not specifically discussed above that were requested in the 502 Parameter Request List of the DHCPLEASEQUERY message and that are 503 acceptable to return based on the list of "non-sensitive options", 504 discussed below. 506 DHCP servers SHOULD be configurable with a list of "non-sensitive 507 options" that can be returned to the access concentrator when 508 specified in the Parameter Request List of the DHCPLEASEQUERY 509 message. Any option not on this list SHOULD NOT be returned to an 510 access concentrator, even if requested by that access concentrator. 512 The DHCP server uses information from its lease binding database to 513 supply the DHCPLEASEACTIVE option values. The values of the options 514 that were returned to the DHCP client would generally be preferred, 515 but in the absence of those, options that were sent in DHCP client 516 requests would be acceptable. 518 In some cases, the Relay Agent Information option in an incoming 519 DHCPREQUEST packet is used to help determine the options returned to 520 the DHCP client that sent the DHCPREQUEST. When responding to a 521 DHCPLEASEQUERY message, the DHCP server MUST use the saved Relay 522 Agent Information option just like it did when responding to the DHCP 523 client in order to determine the values of any options requested by 524 the DHCPLEASEQUERY message. The goal is to return the same option 525 values to the DHCPLEASEQUERY as those that were returned to the 526 DHCPDISCOVER or DHCPREQUEST from the DHCP client (unless otherwise 527 specified, above). 529 In the event that two servers are cooperating to provide a high- 530 availability DHCP server, as supported by [RFC2131], they would have 531 to communicate some information about IP address bindings to each 532 other. In order to properly support the DHCPLEASEQUERY message, 533 these servers MUST ensure that they communicate the Relay Agent 534 Information option information to each other in addition to any other 535 IP address binding information. 537 6.6. Sending a DHCPLEASEACTIVE or DHCPLEASEUNKNOWN Message 539 The server expects a giaddr in the DHCPLEASEQUERY message, and 540 unicasts the DHCPLEASEACTIVE or DHCPLEASEUNKNOWN message to the 541 giaddr. 543 6.7. Receiving a DHCPLEASEACTIVE or DHCPLEASEUNKNOWN Message 545 When a DHCPLEASEACTIVE message is received in response to the 546 DHCPLEASEQUERY message, it means that there is a currently active 547 lease for this IP address in this DHCP server. The access 548 concentrator SHOULD use the information in the "htype", "hlen", and 549 "chaddr" fields of the DHCPLEASEACTIVE as well as Relay Agent 550 Information option information included in the packet to refresh its 551 location information for this IP address. An access concentrator is 552 likely to query by IP address for all the IP addresses specified in 553 the associated-ip option in the response, if any, at this point in 554 time. 556 When a DHCPLEASEUNKNOWN message is received by an access concentrator 557 that had sent out a DHCPLEASEQUERY message, it means that the DHCP 558 server does not have definitive information concerning the DHCP 559 client specified in the Agent Remote ID sub-option of the 560 DHCPLEASEQUERY message. The Access Concentrator MAY store this 561 information for future use. However, a DHCPLEASEQUERY SHOULD NOT be 562 attempted with the same Remote ID sub-option. 564 For leasequery by remote-id, the impact of negative caching is 565 greatly reduced as the response leads to "definitive" information on 566 all the hosts connected behind the connection. Note that in the case 567 of data-driven approach, a host spoofing several IP addresses can 568 lead to negative caching of greater magnitude. Another important 569 change this draft brings is the removal of "periodic" leasequeries 570 generated from negative caching caused by DHCPLEASEUNKNOWN. Since 571 the information obtained through query by remote-id is complete, 572 there is no need of attempting leasequery again for the same 573 connection. 575 6.8. Receiving No Response to the DHCPLEASEQUERY Message 577 When an access concentrator receives no response to a DHCPLEASEQUERY 578 message, it should be handled in the same manner as suggested in RFC 579 4388 [RFC4388]. 581 6.9. Lease Binding Data Storage Requirements 583 Implementation Note: 585 To generate replies for a lease query by remote-id efficiently, a 586 DHCP server should index the lease binding data structures using 587 remote-id. 589 6.10. Using the DHCPLEASEQUERY Message with Multiple DHCP Servers 591 This scenario should be handled in the same way it is done in RFC 592 4388 [RFC4388]. 594 7. RFC 4388 Considerations 596 This document is compatible with RFC 4388 [RFC4388] based 597 implementations, which means that a client that supports this 598 extension can work with a server not supporting this document, 599 provided it uses RFC 4388 [RFC4388] defined query types. Also, a 600 server supporting this document can work with a client not supporting 601 this query type. However, there are some changes that this document 602 proposes with respect to RFC 4388 [RFC4388]. Implementers extending 603 RFC 4388 [RFC4388] implementations to support this document, should 604 take note of the following points: 606 o RFC 4388 [RFC4388] suggests that a DHCPLEASEUNASSIGNED is returned 607 only in the case of 'query by IP address'. All other query types 608 will have a return message of either DHCPLEASEACTIVE or 609 DHCPLEASEUNKNOWN. Although it would be possible to return 610 DHCPLEASEUNASSIGNED in case of a query by remote-id, in order to 611 maintain compatibility with other similar query types (MAC and 612 Client-id) a query by remote-id does not support a 613 DHCPLEASEUNASSIGNED response. 615 o There may be cases where a query by IP address/MAC address/Client 616 Identifier has an option 82 containing remote ID. In that case, 617 the query will still be recognized as query by IP address/MAC 618 address/Client Identifier as specified by RFC 4388 [RFC4388]. 620 o Section 6.4 of RFC 4388 [RFC4388] suggests that a DHCPLEASEUNKNOWN 621 MUST NOT have any other option present. But for a query by remote 622 ID, option 82 MUST be present in the reply. 624 8. Security Considerations 626 This document does not introduce any new security concerns beyond 627 those specified in the original leasequery protocol RFC 4388 628 [RFC4388] specifications. 630 9. IANA Considerations 632 This document does not introduce any new namespaces for the IANA to 633 manage and does not request any new code point allocation. [[ RFC- 634 Editor: Please remove this section before publication. ]] 636 10. Acknowledgements 638 Copious amounts of text in this document are derived from RFC 4388 639 [RFC4388]. Kim kinnear, Damien Neil, Stephen Jacob and Alfred Hoenes 640 provided valuable feedback on this document. 642 11. References 644 11.1. Normative Reference 646 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 647 Requirement Levels", BCP 14, RFC 2119, March 1997. 649 [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration 650 Protocol (DHCP) Leasequery", RFC 4388, February 2006. 652 [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", 653 RFC 2131, March 1997. 655 [RFC3046] Patrick, M., "DHCP Relay Agent Information Option", 656 RFC 3046, January 2001. 658 11.2. Informative Reference 660 [RFC951] Croft, B. and J. Gilmore, "Bootstrap Protocol (BOOTP)", 661 RFC 951, September 1985. 663 [RFC1542] Wimer, W., "Clarifications and Extensions for the 664 Bootstrap Protocol", RFC 1542, October 1993. 666 [RFC2132] Droms, R. and S. Alexander, "DHCP Options and BOOTP Vendor 667 Extensions", RFC 2132, March 1997. 669 Appendix A. Why a New Leasequery is Required? 671 The three existing query types supported by RFC 4388 do not provide 672 effective and efficient antispoofing for the above scenario. 674 o Query by Client Identifier 676 Query by Client Identifier is not possible because to use that, an 677 access concentrator needs to glean the client identifier also, but 678 the whole issue is that we need leasequeries because the gleaned 679 information was lost. On the other hand, we can query by client 680 identifier when a client sends a DHCP request, but then there may not 681 be any need for lease query as such -- regular gleaning may be 682 enough. 684 o Query by IP Address 686 RFC 4388 suggests that it is preferable to use Query by IP Address 687 when getting downstream traffic. 689 Query by IP address is not very useful in downstream traffic because 690 downstream traffic may not exist for the clients on a access port. 691 (In most Internet applications, downstream traffic exists only when a 692 client sends upstream traffic). In other words, the client will be 693 denied service until it gets downstream traffic, which may never 694 come. 696 Query by IP address may be used for upstream traffic. Then whenever 697 an upstream packet comes whose IP address is unknown to the access 698 concentrator, a lease query may be initiated. A related question is 699 what to do with that upstream traffic itself until lease query 700 response comes? If the traffic is dropped, we may be dropping 701 legitimate traffic. If the traffic is forwarded, we may be 702 forwarding spoofed packets. Once the lease response comes, 703 subsequent traffic is handled depending on the response. If a 704 DHCPLEASEACTIVE response arrives, the access concentrator will accept 705 the traffic. If a DHCPLEASEUNASSIGNED response arrives, the access 706 concentrator will drop the traffic corresponding to the IP address. 707 If a DHCPLEASEUNKNOWN response arrives, the access concentrator may 708 drop the traffic corresponding to the IP address but will have to 709 periodically send the lease query for that IP address again 710 (additional overhead). The process is triggered whenever an unknown 711 IP address comes. 713 Note that the access concentrator needs to keep track of 4 lists of 714 IP addresses: (1) List of IP addresses for which it got 715 DHCPLEASEACTIVE responses; (2) List of IP addresses for which it got 716 DHCPLEASEUNASSIGNED responses; (3) List of IP addresses for which it 717 got DHCPLEASEUNKNOWN responses; (4) All other IP addresses. 719 This approach may be acceptable if only legitimate traffic is 720 received. Consider however the case when someone sends packets that 721 use spoofed IP addresses. In that case, the lease response will be 722 DHCPLEASEUNASSIGNED or DHCPLEASEUNKNOWN. RFC 4388 suggests usage of 723 negative caching in this regard (which involves additional 724 resources). 726 In a spoofing type of attack, negative caching information may grow 727 considerably if the attacker varies the source IP address. For each 728 such new source IP address, traffic will come to the slow path, a new 729 lease query needs to be initiated, the response will be processed, 730 and negative caching needs to be done. That means using many 731 resources for negative caching. 733 RFC 4388 suggests that if the access concentrator knows the network 734 portion of the IP addresses that are assigned to its clients, then 735 some amount of antispoofing can be done in the fast path and some 736 lease queries may be avoided. But as indicated above, that 737 information may not always be available to access concentrators. 739 Effectively, antispoofing support involves considerable slow path 740 processing and considerable resources tied for negative caching. 742 RFC 4388 says that DHCP servers should be protected from being 743 flooded with too many leasequery requests and access concentrators 744 also should not send too many lease query messages at a time. This 745 would mean that legitimate clients may be excessively delayed getting 746 their information in the face of spoofing attacks. 748 It is concluded that antispoofing is neither effective nor efficient 749 with this query type. 751 o Query by MAC Address 753 Query by MAC address can also be used similar to query by IP address 754 described above. Indeed, query by MAC address may be better than 755 query by IP address in one sense because of the possible presence of 756 an associated-ip option in lease responses. (Note that an 757 associated-ip option does not appear in responses for query by IP 758 address.) With associated-ip option, the access concentrator can get 759 information not only about the IP address/MAC address that triggered 760 the lease query but also about other IP addresses that are associated 761 with the original MAC address. That way, when traffic that uses the 762 other IP addresses comes along, the access concentrator is already 763 prepared to deal with them. 765 Although query by MAC address is better than query by IP address in 766 the above respect, it has a specific problem which is not shared by 767 query by IP address. For a query by MAC address, only two types of 768 responses are possible: DHCPLEASEUNKNOWN and DHCPLEASEACTIVE; 769 DHCPLEASEUNASSIGNED is not supported. This is particularly 770 troublesome when a DHCP server indeed has definitive information that 771 no IP addresses are associated with the specified MAC address in the 772 leasequery, but it is forced to respond with DHCPLEASEUNKNOWN instead 773 of DHCPLEASEUNASSIGNED. As we have seen above, unlike 774 DHCPLEASEUNASSIGNED, DHCPLEASEUNKNOWN requires periodic querying the 775 DHCP server, an additional overhead. 777 Moreover, query by MAC address also shares all other issues we 778 discussed above for query by IP address. 780 We conclude that existing lease query types are not appropriate to 781 achieve effective and efficient antispoofing. 783 Authors' Addresses 785 Pavan Kurapati 787 Email: pavan.kurapati@gmail.com 789 D.T.V Ramakrishna Rao 790 Infosys Technologies Ltd. 791 44 Electronics City, Hosur Road 792 Bangalore 560 100 793 India 795 Email: ramakrishnadtv@infosys.com 796 URI: http://www.infosys.com/ 798 Bharat Joshi 799 Infosys Technologies Ltd. 800 44 Electronics City, Hosur Road 801 Bangalore 560 100 802 India 804 Email: bharat_joshi@infosys.com 805 URI: http://www.infosys.com/