Networking Working Group                                          N. Shen
Internet-Draft                                                    E. Chen
Intended status: Standards Track                            Cisco Systems
Expires: March 1, 2018                                    August 28, 2017

                Generalized UDP Source Port for DHCP Relay
                      draft-ietf-dhc-relay-port-06

Abstract

   This document proposes an extension to the DHCP protocols that allows
   a relay agent to receive packets from a server or an upstream relay
   agent on any UDP port, not just the default port 67 for IPv4 or the
   default port 547 for IPv6.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 1, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  Terminology
   3.  Changes to DHCP Specifications
     3.1.  Changes to DHCPv4 in RFC 2131
     3.2.  Changes to DHCPv6 in RFC 3315
   4.  Relay Source Port Sub-option and Option
     4.1.  Source Port Sub-option for DHCPv4
     4.2.  Relay Source Port Option for DHCPv6
   5.  Relay Agent and Server Behavior
     5.1.  DHCPv4
     5.2.  DHCPv6
     5.3.  Compatibility
   6.  An IPv6 Cascaded Relay Example
   7.  IANA Considerations
   8.  Security Considerations
   9.  Acknowledgments
   10. Normative References
   Authors' Addresses

1.  Introduction

   RFC 2131 [RFC2131] and RFC 3315 [RFC3315] specify the use of UDP as
   the transport protocol for DHCP.  They also define both the server
   side and client side port numbers.  The IPv4 server port is UDP
   port (67) and the client port is UDP port (68); for IPv6 the server
   port is (547) and the client port is (546).

   This fixed UDP port scheme creates challenges in certain DHCP relay
   operations.  For instance, in a large-scale DHCP relay implementation
   on a single switch node, the DHCP relay functionality may be
   partitioned among multiple relay processes.  All these DHCP relay
   processes may share the same IP address of the switch node.  If the
   UDP source port has to be the fixed number currently specified, the
   transport socket operations for DHCP packets would need to go through
   a central entity or process, which would defeat the purpose of
   distributing the DHCP relay functionality.

   In some large-scale deployments, the decision to split the DHCP
   functionality into multiple processes on a node may not be based
   purely on DHCP relay computational load; DHCP relay may simply be one
   of the functions in a multi-process implementation.
   Although assigning a different IPv4/IPv6 source address to each DHCP
   relay process can be a solution, it would introduce operational and
   network management complexities, especially given the scarcity of
   IPv4 addresses.

   This document proposes an extension to relax the fixed UDP source
   port requirement for DHCP relay agents.  This extension requires a
   DHCP server to remember the inbound packet's UDP source port along
   with its IPv4/IPv6 address.  When sending back replies, the DHCP
   server MUST use the UDP port number that the incoming relay agent
   used instead of the fixed DHCP port number.  In the case of IPv6
   cascaded relay agents [RFC3315], the upstream relay agent needs to
   use the "Relay Source Port Option" to record the downstream source
   port, and it MUST use this recorded port number instead of the fixed
   DHCP port number when relaying the reply messages.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Terminology

   Downstream Device:  In the DHCP relay context, it refers to the next
      relay agent for forwarding Relay-reply messages.

   Upstream Device:  In the DHCP relay context, it refers to the next
      relay agent or DHCP server for forwarding Relay-forward messages.

   Relay Source Port:  This is the UDP port that a relay agent uses to
      receive Relay-reply messages from an upstream device.

   Downstream Source Port:  This is the UDP port that the downstream
      device uses when forwarding Relay-forward messages to this relay
      agent device.  This UDP port is to be used by this relay agent
      device when forwarding the Relay-reply messages to that downstream
      device.

   Non-DHCP UDP Port:  Any valid UDP port other than port 67 for DHCPv4
      and port 547 for DHCPv6.

3.  Changes to DHCP Specifications

3.1.  Changes to DHCPv4 in RFC 2131

   Section 4.1 of RFC 2131 [RFC2131] specifies that:

      DHCP uses UDP as its transport protocol.  DHCP messages from a
      client to a server are sent to the 'DHCP server' port (67), and
      DHCP messages from a server to a client are sent to the 'DHCP
      client' port (68).

   This specification adds the following extension to the above
   paragraph.

      DHCP messages from a relay agent to a server are sent to the 'DHCP
      server' port (67), and the UDP source port it uses can be any
      valid UDP port available in the relay system, including the DHCP
      port 67.  The default port number is 67 if there is no explicit
      configuration for the generalized source UDP port extension for
      DHCP relay.

3.2.  Changes to DHCPv6 in RFC 3315

   Section 5.2 of RFC 3315 [RFC3315] specifies that:

      Clients listen for DHCP messages on UDP port 546.  Servers and
      relay agents listen for DHCP messages on UDP port 547.

   This specification adds the following extension to the above
   paragraph.

      A DHCP relay agent can listen for DHCP messages from a server or
      another upstream relay agent device on any valid UDP port
      available in the relay system, including the DHCP UDP port 547.
      The default UDP port is 547 if there is no explicit configuration
      for the generalized UDP source port extension for DHCP relay.

4.  Relay Source Port Sub-option and Option

   Relay agents do not maintain state.  To return a message to its
   source, the relay agent must include all the required information in
   the Relay-forward message.  When a relay in a sequence of cascaded
   relays does not use the standard source port, that source port must
   be included along with the source address.  The option defined here
   allows the relay agent to do so.

4.1.  Source Port Sub-option for DHCPv4

   The Relay Agent "Source Port Sub-option" is a new sub-option of the
   Relay Agent Information option for DHCPv4 [RFC3046].

   The format of the "Source Port Sub-option" is shown below:

       0                   1
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  SubOpt Code  |      Len      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Where:

      SubOpt Code:  SUBOPT_RELAY_PORT.  8-bit value, to be assigned by
         IANA.

      Len:  8-bit value, to be set to 0.

4.2.  Relay Source Port Option for DHCPv6

   The "Relay Source Port Option" is a new DHCPv6 option.  It MUST be
   used either by a DHCPv6 relay agent that uses a non-DHCP UDP port
   (not 547) to communicate with the IPv6 server or the upstream relay
   agent, or by an IPv6 relay agent that detects the use of a non-DHCP
   UDP port (not 547) by a downstream relay agent.

   The format of the "Relay Source Port Option" is shown below:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    OPTION_RELAY_RELAY_PORT    |          Option-Len           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Downstream Source Port     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Where:

      Option-Code:  OPTION_RELAY_RELAY_PORT.  16-bit value, to be
         assigned by IANA.

      Option-Len:  16-bit value, to be set to 2.

      Downstream Source Port:  16-bit value.  To be set by the IPv6
         relay either to the downstream relay agent's UDP source port
         used for the UDP packet, or to zero if only the local relay
         agent uses the non-DHCP UDP port (not 547).

5.  Relay Agent and Server Behavior

5.1.  DHCPv4

   When a relay agent uses a non-DHCP UDP port (not 67) to communicate
   with the DHCP server, it MUST include the "Source Port Sub-option" in
   the messages it relays toward the server to indicate that.
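   The sub-option format of Section 4.1 together with the DHCPv4 relay
   and server rules of this section, as an added worked example in
   Python; it is not code from this draft or from any DHCP
   implementation.  It builds only the DHCP options area (magic cookie,
   message type, option 82, End), not a BOOTP header.  The sub-option
   code 19, the circuit-id "eth0" and the relay port 2000 used in the
   calls are constructed placeholders, since the draft leaves the code
   to IANA.

```python
# Added example (not from the draft): DHCPv4 side of the extension, i.e. the
# Source Port Sub-option (Section 4.1) inside option 82 and the server's
# choice of reply port (Section 5.1).  Sub-option code 19 is a placeholder.
DHCP_SERVER_PORT = 67
OPTION_MSG_TYPE = 53             # RFC 2132
OPTION_RELAY_AGENT_INFO = 82     # RFC 3046
OPTION_END = 255
SUBOPT_CIRCUIT_ID = 1            # RFC 3046
SUBOPT_RELAY_PORT = 19           # placeholder: the draft leaves the code to IANA
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def encode_tlvs(items):
    """Encode (code, value) pairs as 1-byte code, 1-byte length, value."""
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError("value too long for a one-byte length")
        out += bytes([code, len(value)]) + value
    return bytes(out)

def decode_tlvs(buf, option_area=False):
    """Decode 1-byte code/length TLVs.  In a DHCP option area (option_area=True)
    code 0 is a pad byte and code 255 ends the area; sub-options have neither."""
    items, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if option_area and code == OPTION_END:
            break
        if option_area and code == 0:
            i += 1
            continue
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option at offset %d" % i)
        length = buf[i + 1]
        items[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return items

def relay_option_area(circuit_id, relay_src_port):
    """Option area a relay emits toward the server: a DHCPDISCOVER (type 1) with
    option 82 carrying a circuit-id and, when the relay sends from a non-DHCP
    port, the zero-length Source Port Sub-option."""
    subopts = [(SUBOPT_CIRCUIT_ID, circuit_id)]
    if relay_src_port != DHCP_SERVER_PORT:
        subopts.append((SUBOPT_RELAY_PORT, b""))  # Len is 0 (Section 4.1)
    opts = [(OPTION_MSG_TYPE, b"\x01"), (OPTION_RELAY_AGENT_INFO, encode_tlvs(subopts))]
    return MAGIC_COOKIE + encode_tlvs(opts) + bytes([OPTION_END])

def server_reply_port(option_area, udp_src_port):
    """UDP destination port the server must use for its reply to the relay:
    the datagram's UDP source port if the sub-option is present, else 67."""
    if option_area[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = decode_tlvs(option_area[4:], option_area=True)
    if OPTION_RELAY_AGENT_INFO not in opts:
        return DHCP_SERVER_PORT
    subopts = decode_tlvs(opts[OPTION_RELAY_AGENT_INFO])
    if SUBOPT_RELAY_PORT not in subopts:
        return DHCP_SERVER_PORT
    if subopts[SUBOPT_RELAY_PORT] != b"":
        raise ValueError("Source Port Sub-option must have Len 0")
    return udp_src_port
```

   The last branch is the compatibility point of Section 5.3 seen from
   the server side: a server without this extension ignores the unknown
   sub-option and keeps answering to port 67, so a relay that has moved
   to port 2000 never sees the reply.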
   When an IPv4 server receives a message from a relay agent with the
   "Source Port Sub-option", it MUST remember the UDP source port of the
   message and use that port number as the UDP destination port when
   sending the reply message to the same relay agent.

5.2.  DHCPv6

   The IPv6 relay agent MUST include the "Relay Source Port Option" when
   it uses a non-DHCP UDP port (not 547) to communicate with a DHCPv6
   server or an upstream IPv6 relay agent.  Also, when an IPv6 relay
   agent detects that a downstream relay agent uses a non-DHCP UDP port
   in the packet, it MUST record that port number in the "Downstream
   Source Port" field of this option.  If this option is included only
   to indicate the local non-DHCP UDP port usage and no downstream relay
   agent uses a non-DHCP UDP port, the "Downstream Source Port" field
   MUST be set to zero.

   The IPv6 relay agent MUST include this option in the following three
   cases:

   1)  The local relay agent uses a non-DHCP UDP port (not 547).

   2)  The downstream relay agent uses a non-DHCP UDP port (not 547).

   3)  The local relay agent and the downstream relay agent both use
       non-DHCP UDP ports (not 547).

   In the first case, the value of the "Downstream Source Port" field is
   set to zero.  In the other two cases, the value of the field is set
   to the UDP port number that the downstream relay agent uses.

   When an IPv6 server receives a Relay-forward message with the "Relay
   Source Port Option", it MUST copy the option when constructing the
   Relay-reply chain in response to the Relay-forward message.  This
   option MUST NOT appear in any message other than a Relay-forward or
   Relay-reply message.  Additionally, the IPv6 server MUST check and
   use the UDP source port from the UDP packet of the Relay-forward
   message in replying to the relay agent.
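   The relay and server rules of this section, including the handling
   of the returned Relay-reply that follows, run over the cascaded chain
   of Section 6 (Relay1 on UDP port 1000, Relay2 and Relay3 on 547,
   Relay3 without the extension), as an added worked example in Python
   that is not code from this draft or from any DHCP implementation.
   Message framing follows the Relay-forward and Relay-reply format of
   RFC 3315; the option code 135, the 2001:db8:: addresses, the client
   Solicit bytes and the zero link-address are constructed placeholders,
   the draft leaving the option code to IANA.  No packets are sent; each
   step returns the UDP datagram the node would emit.

```python
# Added example (not from the draft): the Section 5.2 relay and server rules
# run over the cascaded chain of Section 6.  Option code 135 is a placeholder.
import ipaddress
import struct
from collections import namedtuple

SOLICIT, ADVERTISE, RELAY_FORW, RELAY_REPL = 1, 2, 12, 13
OPTION_RELAY_MSG = 9          # RFC 3315 Relay Message option
OPTION_RELAY_PORT = 135       # placeholder: the draft leaves the code to IANA
SERVER_PORT, CLIENT_PORT = 547, 546

# A UDP datagram as a relay or the server sees it; addresses are packed IPv6.
Datagram = namedtuple("Datagram", "src_addr src_port dst_addr dst_port payload")

def ip6(text):
    return ipaddress.IPv6Address(text).packed

def encode_options(opts):
    return b"".join(struct.pack("!HH", code, len(val)) + val for code, val in opts)

def decode_options(buf):
    opts, i = {}, 0
    while i + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, i)
        if i + 4 + length > len(buf):
            raise ValueError("truncated DHCPv6 option")
        opts[code] = buf[i + 4:i + 4 + length]
        i += 4 + length
    return opts

def relay_msg(msg_type, hop, link, peer, opts):
    """RFC 3315 relay message: msg-type, hop-count, link-address, peer-address, options."""
    return struct.pack("!BB16s16s", msg_type, hop, link, peer) + encode_options(opts)

def parse_relay_msg(buf):
    msg_type, hop, link, peer = struct.unpack_from("!BB16s16s", buf)
    return msg_type, hop, link, peer, decode_options(buf[34:])

class Relay:
    def __init__(self, addr, upstream, port=SERVER_PORT, supports_relay_port=False):
        self.addr, self.upstream, self.port = ip6(addr), ip6(upstream), port
        self.supports_relay_port = supports_relay_port

    def forward(self, received):
        """Encapsulate a received message in a Relay-forward sent upstream."""
        inner = received.payload
        from_relay = inner[0] == RELAY_FORW
        hop = parse_relay_msg(inner)[1] + 1 if from_relay else 0
        opts = [(OPTION_RELAY_MSG, inner)]
        if self.supports_relay_port:
            # Record a downstream relay's non-DHCP port, or zero if only this
            # relay uses one; omit the option when neither applies (Section 5.2).
            downstream = received.src_port if from_relay and received.src_port != SERVER_PORT else 0
            if self.port != SERVER_PORT or downstream:
                opts.append((OPTION_RELAY_PORT, struct.pack("!H", downstream)))
        msg = relay_msg(RELAY_FORW, hop, bytes(16), received.src_addr, opts)  # link-address left zero
        return Datagram(self.addr, self.port, self.upstream, SERVER_PORT, msg)

    def reply(self, received):
        """Decapsulate a Relay-reply and pick the downstream destination port."""
        msg_type, _, _, peer, opts = parse_relay_msg(received.payload)
        if msg_type != RELAY_REPL:
            raise ValueError("expected a Relay-reply message")
        inner = opts[OPTION_RELAY_MSG]
        port = 0
        if self.supports_relay_port and OPTION_RELAY_PORT in opts:
            port = struct.unpack("!H", opts[OPTION_RELAY_PORT])[0]
        if port == 0:  # zero or absent: fall back to the RFC 3315 ports
            port = SERVER_PORT if inner[0] == RELAY_REPL else CLIENT_PORT
        return Datagram(self.addr, self.port, peer, port, inner)

def server_handle(received, server_addr=ip6("2001:db8::ffff")):
    """Unwrap the Relay-forward chain, mirror it as a Relay-reply chain (copying
    the Relay Source Port Option per layer) and answer to the datagram's source port."""
    layers, msg = [], received.payload
    while msg[0] == RELAY_FORW:
        _, hop, link, peer, opts = parse_relay_msg(msg)
        layers.append((hop, link, peer, opts))
        msg = opts[OPTION_RELAY_MSG]
    reply = bytes([ADVERTISE]) + msg[1:4]  # Advertise echoing the transaction-id
    for hop, link, peer, opts in reversed(layers):
        ropts = [(OPTION_RELAY_MSG, reply)]
        if OPTION_RELAY_PORT in opts:
            ropts.append((OPTION_RELAY_PORT, opts[OPTION_RELAY_PORT]))
        reply = relay_msg(RELAY_REPL, hop, link, peer, ropts)
    return Datagram(server_addr, SERVER_PORT, received.src_addr, received.src_port, reply)

def run_chain():
    """All datagrams of the Section 6 exchange: three forwards, then four replies."""
    relay1 = Relay("2001:db8::1", "2001:db8::2", port=1000, supports_relay_port=True)
    relay2 = Relay("2001:db8::2", "2001:db8::3", supports_relay_port=True)
    relay3 = Relay("2001:db8::3", "2001:db8::ffff")  # RFC 3315 only, no extension
    solicit = Datagram(ip6("2001:db8::100"), CLIENT_PORT, ip6("ff02::1:2"), SERVER_PORT,
                       bytes([SOLICIT, 0x12, 0x34, 0x56]))  # constructed Solicit
    dgrams = [relay1.forward(solicit)]
    dgrams.append(relay2.forward(dgrams[-1]))
    dgrams.append(relay3.forward(dgrams[-1]))
    dgrams.append(server_handle(dgrams[-1]))
    for relay in (relay3, relay2, relay1):
        dgrams.append(relay.reply(dgrams[-1]))
    return dgrams
```

   The run shows why the option has to travel in the message rather
   than in relay state: Relay3 never parses it, yet the Relay-reply it
   decapsulates still carries Relay2's copy with Downstream Source Port
   1000, and Relay2 uses that value as the destination port toward
   Relay1 while every other hop stays on 547 (or 546 to the client).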
   When a relay agent receives a Relay-reply message with the "Relay
   Source Port Option" from a server or from an upstream relay agent,
   and the "Downstream Source Port" field in the option is non-zero, it
   MUST use this UDP port number as the destination port when forwarding
   the Relay-reply message to the downstream relay agent.

5.3.  Compatibility

   Sites that need relay agents to use a non-DHCP source port will need
   to install DHCP server and DHCP relay agent software that supports
   this feature.  If a site installs only relay agent software with this
   feature, a server without it will keep sending its replies to the
   default DHCP port, and a relay agent listening on a non-DHCP port
   will never receive them; the server has no way to communicate with
   that relay agent.

   Implementations are advised to allow the relay agent's DHCP relay
   port number to be configured, so that an operator can choose between
   the normal DHCP UDP port and a non-DHCP UDP port.

6.  An IPv6 Cascaded Relay Example

   An example of IPv6 cascaded relay agents with the "Relay Source Port
   Option" is shown below.

             (forward)          (forward)          (forward)
      Relay1 ----------> Relay2 ----------> Relay3 ----------> Server
      (1000)              (547)              (547)
             (reply)            (reply)            (reply)
             <----------        <----------        <----------

   In the above diagram, all the IPv6 devices support this generalized
   UDP source port extension except for Relay3.  Relay1 is the only
   relay agent device that uses a non-DHCP UDP port (not 547).  Relay2
   is the upstream device of Relay1.

   Both Relay1 and Relay2 include the "Relay Source Port Option" in
   their Relay-forward messages.  Relay1 sets the "Downstream Source
   Port" field in the option to zero.  Relay2 notices that the "Relay
   Source Port Option" is included in the message from Relay1, and it
   determines that the UDP source port used by Relay1 is 1000.  Relay2
   therefore includes the "Relay Source Port Option" and sets the
   "Downstream Source Port" field in the option to 1000.
   The IPv6 server copies the "Relay Source Port Option" into the
   corresponding layer of the Relay-reply chain when replying.  Relay3,
   which does not support the extension, does not need to: the option
   from Relay2 sits inside the message that Relay3 encapsulated, so
   Relay3 simply decapsulates the Relay-reply it receives and forwards
   the embedded Relay-reply to Relay2 on port 547.

   When Relay2 receives the Relay-reply message with the "Relay Source
   Port Option", it finds that the "Downstream Source Port" field has
   the value 1000.  Relay2 then uses this port number as the UDP
   destination port when sending the Relay-reply message to Relay1.

   When Relay1 receives the Relay-reply message with the "Relay Source
   Port Option", it finds that the "Downstream Source Port" field has
   the value zero.  Relay1 then uses the normal IPv6 port 547 when
   sending the Relay-reply message to its downstream relay agent, or
   UDP port 546 when sending to an IPv6 client.

7.  IANA Considerations

   A new sub-option, DHCPv4 Relay Source Port, is defined in this
   document within the IPv4 Relay Agent Information option.  It needs
   to be assigned by IANA in the "DHCP Relay Agent Sub-Option Codes"
   registry, http://www.iana.org/assignments/bootp-dhcp-parameters, as
   specified in [RFC3046].

   A new option, DHCPv6 Relay Source Port, is defined in this document
   for DHCPv6, and it needs to be assigned by IANA in the "Option Codes"
   registry for DHCPv6, http://www.iana.org/assignments/dhcpv6-
   parameters, as specified in [RFC3315].

8.  Security Considerations

   [RFC3118] and [RFC3315] describe many of the threats in using DHCP.
   This extension does not raise additional security issues.

   However, if the network uses a firewall to block or allow DHCP
   packets by matching both a static UDP source port and a static UDP
   destination port, such rules may no longer match the packets
   exchanged between relay agents and servers running the new software,
   since the relay side port is no longer fixed.  The firewall rules
   need to be modified to match only the DHCP server side UDP port
   number (67 or 547) and, if necessary, IP addresses and other
   attributes.

9.  Acknowledgments

   The authors would like to thank Peter Arberg, Luyuan Fang, Bhanu
   Gopalasetty, Andre Kostur, Ted Lemon, Kishore Seshadri and Jackelyn
   Shen for their review of and comments on this document.

   The authors would like to thank Bernie Volz for discussions that led
   to the definition of the Relay Source Port sub-option and the DHCPv6
   Relay Source Port Option.

   The RFC text was produced using Marshall Rose's xml2rfc tool.

10.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, DOI 10.17487/RFC2131, March 1997.

   [RFC3046]  Patrick, M., "DHCP Relay Agent Information Option",
              RFC 3046, DOI 10.17487/RFC3046, January 2001.

   [RFC3118]  Droms, R., Ed. and W. Arbaugh, Ed., "Authentication for
              DHCP Messages", RFC 3118, DOI 10.17487/RFC3118, June 2001.

   [RFC3315]  Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
              C., and M. Carney, "Dynamic Host Configuration Protocol
              for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
              2003.

Authors' Addresses

   Naiming Shen
   Cisco Systems
   560 McCarthy Blvd.
   Milpitas, CA 95035
   US

   Email: naiming@cisco.com

   Enke Chen
   Cisco Systems
   560 McCarthy Blvd.
   Milpitas, CA 95035
   US

   Email: enkechen@cisco.com