idnits 2.17.1 draft-ietf-dhc-relay-server-security-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (April 19, 2017) is 2564 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415) ** Obsolete normative reference: RFC 7321 (Obsoleted by RFC 8221) Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group B. Volz 3 Internet-Draft Cisco Systems 4 Intended status: Standards Track Y. Pal 5 Expires: October 21, 2017 Cisco Systems, Inc. 6 April 19, 2017 8 Security of Messages Exchanged Between Servers and Relay Agents 9 draft-ietf-dhc-relay-server-security-05.txt 11 Abstract 13 The Dynamic Host Configuration Protocol for IPv4 (DHCPv4) has no 14 guidance for how to secure messages exchanged between servers and 15 relay agents. The Dynamic Host Configuration Protocol for IPv6 16 (DHCPv6) states that IPsec should be used to secure messages 17 exchanged between servers and relay agents, but does not require 18 encryption. And, with recent concerns about pervasive monitoring and 19 other attacks, it is appropriate to require securing relay to relay 20 and relay to server communication for DHCPv6 and relay to server 21 communication for DHCPv4. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on October 21, 2017. 40 Copyright Notice 42 Copyright (c) 2017 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 This document may contain material from IETF Documents or IETF 56 Contributions published or made publicly available before November 57 10, 2008. The person(s) controlling the copyright in some of this 58 material may not have granted the IETF Trust the right to allow 59 modifications of such material outside the IETF Standards Process. 60 Without obtaining an adequate license from the person(s) controlling 61 the copyright in such materials, this document may not be modified 62 outside the IETF Standards Process, and derivative works of it may 63 not be created outside the IETF Standards Process, except to format 64 it for publication as an RFC or to translate it into languages other 65 than English. 67 Table of Contents 69 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 70 2. Requirements Language and Terminology . . . . . . . . . . . . 3 71 3. Security of Messages Exchanged Between Servers and Relay 72 Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 73 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 74 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 75 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 76 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 77 7.1. Normative References . . . . . . . . . . . . . . . . . . 6 78 7.2. Informative References . . . . . . . . . . . . . . . . . 6 79 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 81 1. Introduction 83 The Dynamic Host Configuration Protocol for IPv4 (DHCPv4) [RFC2131] 84 and [RFC1542] has no guidance for how to secure messages exchanged 85 between servers and relay agents. The Dynamic Host Configuration 86 Protocol for IPv6 (DHCPv6) [RFC3315] states that IPsec should be used 87 to secure messages exchanged between servers and relay agents, but 88 does not recommend encryption. And, with recent concerns about 89 pervasive monitoring [RFC7258], it is appropriate to require use of 90 IPsec with encryption for relay to server communication for DHCPv4 91 and require use of IPsec with encryption for relay to relay and relay 92 to server communication for DHCPv6. 94 This document specifies the optional requirements for relay agent and 95 server implementations to support IPsec authentication and encryption 96 and recommends operators enable this IPsec support. 98 2. Requirements Language and Terminology 100 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 101 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 102 document are to be interpreted as described in [RFC2119] when they 103 appear in ALL CAPS. When these words are not in ALL CAPS (such as 104 "should" or "Should"), they have their usual English meanings, and 105 are not to be interpreted as [RFC2119] key words. 107 This document uses terminology from [RFC1542], [RFC2131], and 108 [RFC3315]. 110 3. Security of Messages Exchanged Between Servers and Relay Agents 112 For DHCPv6 [RFC3315], this specification REQUIRES relay and server 113 implementations to support IPsec encryption of relay to relay and 114 relay to server communication as documented below (this replaces the 115 text in RFC3315 Section 21.1). 117 For DHCPv4 [RFC2131], this specification REQUIRES relay and server 118 implementations to support IPsec encryption of relay to server 119 communication as documented below. 121 This specification RECOMMENDS that operators enable IPsec for this 122 communication. 124 By using IPsec with encryption for this communication, the 125 potentially sensitive client message and relay included information, 126 such as the DHCPv4 relay-agent information option (82) [RFC3046], 127 vendor-specific information (for example, [CableLabs-DHCP]), and 128 Access-Network-Identifier Option(s) [RFC7839], are protected from 129 pervasive monitoring and other attacks. 131 Relay agents and servers MUST be able to exchange messages using the 132 IPsec mechanisms described in [RFC4301] and with the conditions 133 below. If a client message is relayed through multiple relay agents 134 (relay chain), each of the relay agents MUST have an established 135 independent, pairwise trust relationships. That is, if messages from 136 client C will be relayed by relay agent A to relay agent B and then 137 to the server, relay agents A and B MUST be configured to use IPsec 138 for the messages they exchange, and relay agent B and the server MUST 139 be configured to use IPsec for the messages they exchange. 141 Relay agents and servers use IPsec with the following conditions: 143 Selectors Relay agents are manually configured with the 144 addresses of the relay agent or server to 145 which DHCP messages are to be forwarded. 147 Each relay agent and server that will be 148 using IPsec for securing DHCP messages MUST 149 also be configured with a list of the relay 150 agents to which messages will be returned. 151 The selectors for the relay agents and 152 servers will be the pairs of addresses 153 defining relay agents and servers and the 154 direction of DHCP message exchange on DHCPv4 155 UDP port 67 or DHCPv6 UDP port 547. 157 Mode Relay agents and servers MUST use IPsec in 158 transport mode and Encapsulating Security 159 Payload (ESP). 161 Encryption and authentication algorithms 162 This document REQUIRES combined mode 163 algorithms for ESP authenticated encryption, 164 ESP encryption algorithms, and ESP 165 authentication algorithms as per Sections 166 2.1, 2.2, and 2.3 of [RFC7321] respectively. 167 Encryption is required as relay agents may 168 forward unencrypted client messages as well 169 as include additional sensitive information, 170 such as vendor-specific information (for 171 example, [CableLabs-DHCP]) and [RFC7839]. 173 Key management Because both relay agents and servers tend to 174 be managed by a single organizational entity, 175 public key schemes MAY be optional. Manually 176 configured key management MAY suffice, but 177 does not provide defense against replayed 178 messages. Accordingly, IKEv2 [RFC7296] with 179 pre-shared secrets SHOULD be supported. 180 IKEv2 with public keys MAY be supported. 181 Additional information on manual vs automated 182 key management and when one should be used 183 over the other can be found in [RFC4107]. 185 Security policy DHCP messages between relay agents and 186 servers MUST only be accepted from DHCP peers 187 as identified in the local configuration. 189 Authentication Shared keys, indexed to the source IP address 190 of the received DHCP message, are adequate in 191 this application. 193 Note: As using IPsec with multicast has additional complexities (see 194 [RFC5374]), relay agents SHOULD be configured to forward DHCP 195 messages to unicast addresses. 197 4. Security Considerations 199 The security model specified in this document is hop-by-hop. For 200 DHCPv6, there could be multiple relay agents between a client and 201 server and each of these hops needs to be secured. For DHCPv4, there 202 is no support for multiple relays. 204 As this document only mandates securing messages exchanged between 205 relay agents and servers, the message exchanges between clients and 206 the first hop relay agent or server are not secured. Clients may 207 follow the recommendations in [RFC7844] to minimize what information 208 they expose or make use of [I-D.ietf-dhc-sedhcpv6] to secure 209 communication between the client and server. 211 As mentioned in [RFC4552] Section 14, the following are known 212 limitations of the usage of manual keys: 214 o As the sequence numbers cannot be negotiated, replay protection 215 cannot be provided. This leaves DHCP insecure against all the 216 attacks that can be performed by replaying DHCP packets. 218 o Manual keys are usually long lived (changing them often is a 219 tedious task). This gives an attacker enough time to discover the 220 keys. 222 It should be noted if the requirements in this document are followed, 223 while the DHCP traffic on the wire between relays and servers is 224 encrypted, the unencrypted data may still be available through other 225 attacks on the DHCP servers, relays, and related systems. Securing 226 these systems and the data in databases and logs also needs to be 227 considered - on the systems themselves and if transferred over a 228 network (i.e., to network attached storage, for backups, or to 229 operational support systems). 231 Use of IPsec as described herein is also applicable to Lightweight 232 DHCPv6 Relay Agents [RFC6221], as they have a link-local address 233 which can be used to secure communication with their next hop 234 relay(s). 236 5. IANA Considerations 238 This document has no requests of the fantastic IANA team. 240 6. Acknowledgments 242 The motivation for this document was several IESG discusses on recent 243 DHCP relay agent options. 245 Thanks to Kim Kinnear, Jinmei Tatuya, Francis Dupont, and Tomek 246 Mrugalski for reviewing drafts and helping to improve the document. 247 And, thanks to the authors of [RFC3315] for the original Section 21.1 248 text. 250 7. References 252 7.1. Normative References 254 [RFC1542] Wimer, W., "Clarifications and Extensions for the 255 Bootstrap Protocol", RFC 1542, DOI 10.17487/RFC1542, 256 October 1993, . 258 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 259 Requirement Levels", BCP 14, RFC 2119, 260 DOI 10.17487/RFC2119, March 1997, 261 . 263 [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", 264 RFC 2131, DOI 10.17487/RFC2131, March 1997, 265 . 267 [RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, 268 C., and M. Carney, "Dynamic Host Configuration Protocol 269 for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July 270 2003, . 272 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 273 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 274 December 2005, . 276 [RFC7321] McGrew, D. and P. Hoffman, "Cryptographic Algorithm 277 Implementation Requirements and Usage Guidance for 278 Encapsulating Security Payload (ESP) and Authentication 279 Header (AH)", RFC 7321, DOI 10.17487/RFC7321, August 2014, 280 . 282 7.2. Informative References 284 [CableLabs-DHCP] 285 "CableLabs' DHCP Options Registry", 286 . 289 [I-D.ietf-dhc-sedhcpv6] 290 Li, L., Jiang, S., Cui, Y., Jinmei, T., Lemon, T., and D. 291 Zhang, "Secure DHCPv6", draft-ietf-dhc-sedhcpv6-21 (work 292 in progress), February 2017. 294 [RFC3046] Patrick, M., "DHCP Relay Agent Information Option", 295 RFC 3046, DOI 10.17487/RFC3046, January 2001, 296 . 298 [RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic 299 Key Management", BCP 107, RFC 4107, DOI 10.17487/RFC4107, 300 June 2005, . 302 [RFC4552] Gupta, M. and N. Melam, "Authentication/Confidentiality 303 for OSPFv3", RFC 4552, DOI 10.17487/RFC4552, June 2006, 304 . 306 [RFC5374] Weis, B., Gross, G., and D. Ignjatic, "Multicast 307 Extensions to the Security Architecture for the Internet 308 Protocol", RFC 5374, DOI 10.17487/RFC5374, November 2008, 309 . 311 [RFC6221] Miles, D., Ed., Ooghe, S., Dec, W., Krishnan, S., and A. 312 Kavanagh, "Lightweight DHCPv6 Relay Agent", RFC 6221, 313 DOI 10.17487/RFC6221, May 2011, 314 . 316 [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an 317 Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May 318 2014, . 320 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 321 Kivinen, "Internet Key Exchange Protocol Version 2 322 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 323 2014, . 325 [RFC7839] Bhandari, S., Gundavelli, S., Grayson, M., Volz, B., and 326 J. Korhonen, "Access-Network-Identifier Option in DHCP", 327 RFC 7839, DOI 10.17487/RFC7839, June 2016, 328 . 330 [RFC7844] Huitema, C., Mrugalski, T., and S. Krishnan, "Anonymity 331 Profiles for DHCP Clients", RFC 7844, 332 DOI 10.17487/RFC7844, May 2016, 333 . 335 Authors' Addresses 337 Bernie Volz 338 Cisco Systems, Inc. 339 1414 Massachusetts Ave 340 Boxborough, MA 01719 341 USA 343 Email: volz@cisco.com 345 Yogendra Pal 346 Cisco Systems, Inc. 347 Cessna Business Park, 348 Varthur Hobli, Outer Ring Road, 349 Bangalore, Karnataka 560103 350 India 352 Email: yogpal@cisco.com