idnits 2.17.1 draft-ietf-dhc-relay-server-security-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 7, 2017) is 2632 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415) ** Obsolete normative reference: RFC 7321 (Obsoleted by RFC 8221) == Outdated reference: A later version (-21) exists of draft-ietf-dhc-sedhcpv6-20 Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group B. Volz 3 Internet-Draft Cisco Systems 4 Intended status: Standards Track Y. Pal 5 Expires: August 11, 2017 Cisco Systems, Inc. 6 February 7, 2017 8 Security of Messages Exchanged Between Servers and Relay Agents 9 draft-ietf-dhc-relay-server-security-03.txt 11 Abstract 13 The Dynamic Host Configuration Protocol for IPv4 (DHCPv4) has no 14 guidance for how to secure messages exchanged between servers and 15 relay agents. The Dynamic Host Configuration Protocol for IPv6 16 (DHCPv6) states that IPsec should be used to secure messages 17 exchanged between servers and relay agents, but does not require 18 encryption. And, with recent concerns about pervasive monitoring and 19 other attacks, it is appropriate to require securing relay to relay 20 and relay to server communication for DHCPv6 and relay to server 21 communication for DHCPv4. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on August 11, 2017. 40 Copyright Notice 42 Copyright (c) 2017 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 This document may contain material from IETF Documents or IETF 56 Contributions published or made publicly available before November 57 10, 2008. The person(s) controlling the copyright in some of this 58 material may not have granted the IETF Trust the right to allow 59 modifications of such material outside the IETF Standards Process. 60 Without obtaining an adequate license from the person(s) controlling 61 the copyright in such materials, this document may not be modified 62 outside the IETF Standards Process, and derivative works of it may 63 not be created outside the IETF Standards Process, except to format 64 it for publication as an RFC or to translate it into languages other 65 than English. 67 Table of Contents 69 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 70 2. Requirements Language and Terminology . . . . . . . . . . . . 3 71 3. Security of Messages Exchanged Between Servers and Relay 72 Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 73 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 74 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 75 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5 76 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 77 7.1. Normative References . . . . . . . . . . . . . . . . . . 6 78 7.2. Informative References . . . . . . . . . . . . . . . . . 6 79 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 81 1. Introduction 83 The Dynamic Host Configuration Protocol for IPv4 (DHCPv4) [RFC2131] 84 and [RFC1542] has no guidance for how to secure messages exchanged 85 between servers and relay agents. The Dynamic Host Configuration 86 Protocol for IPv6 (DHCPv6) [RFC3315] states that IPsec should be used 87 to secure messages exchanged between servers and relay agents, but 88 does not recommend encryption. And, with recent concerns about 89 pervasive monitoring [RFC7258], it is appropriate to require use of 90 IPsec with encryption for relay to server communication for DHCPv4 91 and require use of IPsec with encryption for relay to relay and relay 92 to server communication for DHCPv6. 94 2. Requirements Language and Terminology 96 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 97 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 98 document are to be interpreted as described in [RFC2119] when they 99 appear in ALL CAPS. When these words are not in ALL CAPS (such as 100 "should" or "Should"), they have their usual English meanings, and 101 are not to be interpreted as [RFC2119] key words. 103 This document uses terminology from [RFC1542], [RFC2131], and 104 [RFC3315]. 106 3. Security of Messages Exchanged Between Servers and Relay Agents 108 For DHCPv6 [RFC3315], this specification REQUIRES IPsec encryption of 109 relay to relay and relay to server communication and replaces the 110 text in RFC3315 Section 21.1. 112 For DHCPv4 [RFC2131], this specification REQUIRES IPsec encryption of 113 relay to server communication. 115 By using IPsec with encryption for this communication, the 116 potentially sensitive client message and relay included information, 117 such as the DHCPv4 relay-agent information option (82) [RFC3046], 118 vendor-specific information (for example, [CableLabs-DHCP]), and 119 Access-Network-Identifier Option(s) [RFC7839], are protected from 120 pervasive monitoring and other attacks. 122 Relay agents and servers MUST exchange messages securely using the 123 IPsec mechanisms described in [RFC4301]. If a client message is 124 relayed through multiple relay agents, each of the relay agents MUST 125 have an established independent, pairwise trust relationships. That 126 is, if messages from client C will be relayed by relay agent A to 127 relay agent B and then to the server, relay agents A and B MUST be 128 configured to use IPsec for the messages they exchange, and relay 129 agent B and the server MUST be configured to use IPsec for the 130 messages they exchange. 132 Selectors Relay agents are manually configured with the 133 addresses of the relay agent or server to 134 which DHCP messages are to be forwarded. 135 Each relay agent and server that will be 136 using IPsec for securing DHCP messages MUST 137 also be configured with a list of the relay 138 agents to which messages will be returned. 139 The selectors for the relay agents and 140 servers will be the pairs of addresses 141 defining relay agents and servers and the 142 direction of DHCP message exchange on DHCPv4 143 UDP port 67 or DHCPv6 UDP port 547. 145 Mode Relay agents and servers MUST use IPsec in 146 transport mode and Encapsulating Security 147 Payload (ESP). 149 Encryption and authentication algorithms 150 This document REQUIRES combined mode 151 algorithms for ESP authenticated encryption, 152 ESP encryption algorithms, and ESP 153 authentication algorithms as per Sections 154 2.1, 2.2, and 2.3 of [RFC7321] respectively. 155 Encryption is required as relay agents may 156 forward unencrypted client messages as well 157 as include additional sensitive information, 158 such as vendor-specific information (for 159 example, [CableLabs-DHCP]) and [RFC7839]. 161 Key management Because both relay agents and servers tend to 162 be managed by a single organizational entity, 163 public key schemes MAY be optional. Manually 164 configured key management MAY suffice, but 165 does not provide defense against replayed 166 messages. Accordingly, IKEv2 [RFC7296] with 167 preshared secrets SHOULD be supported. IKEv2 168 with public keys MAY be supported. 169 Additional information on manual vs automated 170 key management and when one should be used 171 over the other can be found in [RFC4107]. 173 Security policy DHCP messages between relay agents and 174 servers MUST only be accepted from DHCP peers 175 as identified in the local configuration. 177 Authentication Shared keys, indexed to the source IP address 178 of the received DHCP message, are adequate in 179 this application. 181 4. Security Considerations 183 The security model specified in this document is hop-by-hop. For 184 DHCPv6, there could be multiple relay agents between a client and 185 server and each of these hops needs to be secured. For DHCPv4, there 186 is no support for multiple relays. 188 As this document only mandates securing messages exchanged between 189 relay agents and servers, the message exchanges between clients and 190 the first hop relay agent or server are not secured. Clients may 191 follow the recommendations in [RFC7844] to minimize what information 192 they expose or make use of [I-D.ietf-dhc-sedhcpv6] to secure 193 communication between the client and server. 195 As mentioned in [RFC4552] Section 14, the following are known 196 limitations of the usage of manual keys: 198 o As the sequence numbers cannot be negotiated, replay protection 199 cannot be provided. This leaves DHCP insecure against all the 200 attacks that can be performed by replaying DHCP packets. 202 o Manual keys are usually long lived (changing them often is a 203 tedious task). This gives an attacker enough time to discover the 204 keys. 206 It should be noted if the requirements in this document are followed, 207 while the DHCP traffic on the wire between relays and servers is 208 encrypted, the unencrypted data may still be available through other 209 attacks on the DHCP servers, relays, and related systems. Securing 210 these systems and the data in databases and logs also needs to be 211 considered - on the systems themselves and if transferred over a 212 network (i.e., to network attached storage, for backups, or to 213 operational support systems). 215 Use of IPsec as described herein is also applicable to Lightweight 216 DHCPv6 Relay Agents [RFC6221], as they have a link-local address 217 which can be used to secure communication with their next hop 218 relay(s). 220 5. IANA Considerations 222 This document has no requests of the fantastic IANA team. 224 6. Acknowledgments 226 The motivation for this document was several IESG discusses on recent 227 DHCP relay agent options. 229 Thanks to Kim Kinnear, Jinmei Tatuya, and Tomek Mrugalski for 230 reviewing drafts and helping to improve the document. And, thanks to 231 the authors of [RFC3315] for the original Section 21.1 text. 233 7. References 234 7.1. Normative References 236 [RFC1542] Wimer, W., "Clarifications and Extensions for the 237 Bootstrap Protocol", RFC 1542, DOI 10.17487/RFC1542, 238 October 1993, . 240 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 241 Requirement Levels", BCP 14, RFC 2119, 242 DOI 10.17487/RFC2119, March 1997, 243 . 245 [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", 246 RFC 2131, DOI 10.17487/RFC2131, March 1997, 247 . 249 [RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, 250 C., and M. Carney, "Dynamic Host Configuration Protocol 251 for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July 252 2003, . 254 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 255 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 256 December 2005, . 258 [RFC7321] McGrew, D. and P. Hoffman, "Cryptographic Algorithm 259 Implementation Requirements and Usage Guidance for 260 Encapsulating Security Payload (ESP) and Authentication 261 Header (AH)", RFC 7321, DOI 10.17487/RFC7321, August 2014, 262 . 264 7.2. Informative References 266 [CableLabs-DHCP] 267 "CableLabs' DHCP Options Registry", 268 . 271 [I-D.ietf-dhc-sedhcpv6] 272 Jiang, S., Li, L., Cui, Y., Jinmei, T., Lemon, T., and D. 273 Zhang, "Secure DHCPv6", draft-ietf-dhc-sedhcpv6-20 (work 274 in progress), January 2017. 276 [RFC3046] Patrick, M., "DHCP Relay Agent Information Option", 277 RFC 3046, DOI 10.17487/RFC3046, January 2001, 278 . 280 [RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic 281 Key Management", BCP 107, RFC 4107, DOI 10.17487/RFC4107, 282 June 2005, . 284 [RFC4552] Gupta, M. and N. Melam, "Authentication/Confidentiality 285 for OSPFv3", RFC 4552, DOI 10.17487/RFC4552, June 2006, 286 . 288 [RFC6221] Miles, D., Ed., Ooghe, S., Dec, W., Krishnan, S., and A. 289 Kavanagh, "Lightweight DHCPv6 Relay Agent", RFC 6221, 290 DOI 10.17487/RFC6221, May 2011, 291 . 293 [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an 294 Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May 295 2014, . 297 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 298 Kivinen, "Internet Key Exchange Protocol Version 2 299 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 300 2014, . 302 [RFC7839] Bhandari, S., Gundavelli, S., Grayson, M., Volz, B., and 303 J. Korhonen, "Access-Network-Identifier Option in DHCP", 304 RFC 7839, DOI 10.17487/RFC7839, June 2016, 305 . 307 [RFC7844] Huitema, C., Mrugalski, T., and S. Krishnan, "Anonymity 308 Profiles for DHCP Clients", RFC 7844, 309 DOI 10.17487/RFC7844, May 2016, 310 . 312 Authors' Addresses 314 Bernie Volz 315 Cisco Systems, Inc. 316 1414 Massachusetts Ave 317 Boxborough, MA 01719 318 USA 320 Email: volz@cisco.com 321 Yogendra Pal 322 Cisco Systems, Inc. 323 Cessna Business Park, 324 Varthur Hobli, Outer Ring Road, 325 Bangalore, Karnataka 560103 326 India 328 Email: yogpal@cisco.com