idnits 2.17.1

draft-ietf-dhc-sedhcpv6-11.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document date (March 8, 2016) is 2970 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2460' is defined on line 984, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC4443' is defined on line 998, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC4270' is defined on line 1030, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC6273' is defined on line 1040, but no explicit
     reference was found in the text

  == Unused Reference: 'RSA' is defined on line 1049, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200)

  ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415)

  ** Obsolete normative reference: RFC 7283 (Obsoleted by RFC 8415)

  -- Obsolete informational reference (is this intentional?): RFC 2629
     (Obsoleted by RFC 7749)

  -- Obsolete informational reference (is this intentional?): RFC 5226
     (Obsoleted by RFC 8126)

     Summary: 3 errors (**), 0 flaws (~~), 7 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2   DHC Working Group                                               S. Jiang
3   Internet-Draft                              Huawei Technologies Co., Ltd
4   Intended status: Standards Track                                   L. Li
5   Expires: September 9, 2016                                        Y. Cui
6                                                        Tsinghua University
7                                                                  T. Jinmei
8                                                              Infoblox Inc.
9                                                                   T. Lemon
10                                                             Nominum, Inc.
11                                                                  D. Zhang
12                                                             March 8, 2016

14                                Secure DHCPv6
15                         draft-ietf-dhc-sedhcpv6-11

17  Abstract

19     The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) enables
20     DHCPv6 servers to pass configuration parameters.  It offers
21     configuration flexibility.  If not secured, DHCPv6 is vulnerable to
22     various attacks.  This document analyzes the security issues of
23     DHCPv6 and specifies the secure DHCPv6 mechanism for authentication
24     and encryption of messages between a DHCPv6 client and a DHCPv6
25     server.

27  Status of This Memo

29     This Internet-Draft is submitted in full conformance with the
30     provisions of BCP 78 and BCP 79.

32     Internet-Drafts are working documents of the Internet Engineering
33     Task Force (IETF).  Note that other groups may also distribute
34     working documents as Internet-Drafts.  The list of current Internet-
35     Drafts is at http://datatracker.ietf.org/drafts/current/.

37     Internet-Drafts are draft documents valid for a maximum of six months
38     and may be updated, replaced, or obsoleted by other documents at any
39     time.  It is inappropriate to use Internet-Drafts as reference
40     material or to cite them other than as "work in progress."

42     This Internet-Draft will expire on September 9, 2016.

44  Copyright Notice

46     Copyright (c) 2016 IETF Trust and the persons identified as the
47     document authors.  All rights reserved.

49     This document is subject to BCP 78 and the IETF Trust's Legal
50     Provisions Relating to IETF Documents
51     (http://trustee.ietf.org/license-info) in effect on the date of
52     publication of this document.  Please review these documents
53     carefully, as they describe your rights and restrictions with respect
54     to this document.  Code Components extracted from this document must
55     include Simplified BSD License text as described in Section 4.e of
56     the Trust Legal Provisions and are provided without warranty as
57     described in the Simplified BSD License.

59  Table of Contents

61     1.  Introduction
62     2.  Requirements Language and Terminology
63     3.  Terminology
64     4.  Security Issues of DHCPv6
65     5.  Secure DHCPv6 Overview
66       5.1.  Solution Overview
67       5.2.  New Components
68       5.3.  Support for Algorithm Agility
69       5.4.  Applicability
70     6.  DHCPv6 Client Behavior
71     7.  DHCPv6 Server Behavior
72     8.  Relay Agent Behavior
73     9.  Processing Rules
74       9.1.  Timestamp Check
75     10. Extensions for Secure DHCPv6
76       10.1.  New DHCPv6 Options
77         10.1.1.  Certificate Option
78         10.1.2.  Timestamp Option
79         10.1.3.  Encrypted-message Option
80       10.2.  New DHCPv6 Messages
81       10.3.  Status Codes
82     11. Security Considerations
83     12. IANA Considerations
84     13. Acknowledgements
85     14. Change log [RFC Editor: Please remove]
86     15. Open Issues [RFC Editor: Please remove]
87     16. References
88       16.1.  Normative References
89       16.2.  Informative References
90     Authors' Addresses

92  1.  Introduction

94     The Dynamic Host Configuration Protocol for IPv6 (DHCPv6, [RFC3315])
95     enables DHCPv6 servers to pass configuration parameters and offers
96     configuration flexibility.  If not secured, DHCPv6 is
97     vulnerable to various attacks.

99     This document analyzes the security issues of DHCPv6 and provides the
100    following mechanisms for improving the security of DHCPv6 between the
101    DHCPv6 client and the DHCPv6 server:

103    o  the authentication of the DHCPv6 client and the DHCPv6 server to
104       defend against active attacks, such as spoofing attack.

106    o  the encryption between the DHCPv6 client and the DHCPv6 server in
107       order to protect the DHCPv6 from passive attacks, such as
108       pervasive monitoring.

110    Note: the security mechanism in this document does not protect outer
111    options in Relay-Forward and Relay-Reply messages, either added by a
112    relay agent toward a server or added by a server toward a relay
113    agent.  Communication between a server and a relay agent, and
114    communications between relay agents, may be secured through the use
115    of IPsec, as described in section 21.1 in [RFC3315].

117    The security mechanism specified in this document achieves DHCPv6
118    authentication and encryption based on the sender's certificate.  We
119    introduce two new DHCPv6 messages: Encrypted-Query message and
120    Encrypted-Response message and three new DHCPv6 options: Certificate
121    option, Timestamp option and Encrypted-message option for DHCPv6
122    authentication and encryption.  The Certificate option is used for
123    DHCPv6 authentication.  The Encryption-Query message, Encryption-
124    Response message and Encrypted-message option are used for DHCPv6
125    encryption.  The timestamp option is used to defend against replay
126    attack.

128 2.  Requirements Language and Terminology

130    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
131    "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
132    document are to be interpreted as described in [RFC2119] when they
133    appear in ALL CAPS.  When these words are not in ALL CAPS (such as
134    "should" or "Should"), they have their usual English meanings, and
135    are not to be interpreted as [RFC2119] key words.

137 3.  Terminology

139    This section defines terminology specific to secure DHCPv6 used in
140    this document.

142    secure DHCPv6 client:  A node that initiates the DHCPv6 request on a
143                 link to obtain the DHCPv6 configuration parameters
144                 from one or more DHCPv6 servers.  The configuration
145                 process is authenticated and encrypted using the
146                 defined mechanisms in this document.

148    secure DHCPv6 server:  A node that responds to requests from clients
149                 using the authentication and encryption mechanism
150                 defined in this document.

152 4.  Security Issues of DHCPv6

154    DHCPv6 is a client/server protocol that provides managed
155    configuration of devices.  It enables a DHCPv6 server to
156    automatically configure relevant network parameters on clients.  The
157    basic DHCPv6 specification [RFC3315] defines security mechanisms, but
158    they have some flaws and can be improved.

160    The basic DHCPv6 specifications can optionally authenticate the
161    origin of messages and validate the integrity of messages using an
162    authentication option with a symmetric key pair.  [RFC3315] relies on
163    pre-established secret keys.  For any kind of meaningful security,
164    each DHCPv6 client would need to be configured with its own secret
165    key; [RFC3315] provides no mechanism for doing this.

167    For the out of band approach, operators can set up a key database for
168    both servers and clients from which the client obtains a key before
169    running DHCPv6.  Manual key distribution runs counter to the goal of
170    minimizing the configuration data needed at each host.

172    [RFC3315] provides an additional mechanism for preventing off-network
173    timing attacks using the Reconfigure message: the Reconfigure Key
174    authentication method.  However, this method protects only the
175    Reconfigure message.  The key is transmitted in plaintext to the
176    client in earlier exchanges and so this method is vulnerable to
177    active attacks.

179    In addition, the current DHCPv6 messages are still transmitted in
180    cleartext and the privacy information within the DHCPv6 message is
181    not protected from passive attack, such as pervasive monitoring.  The
182    IETF has expressed strong agreement that pervasive monitoring is an
183    attack that needs to be mitigated where possible in [RFC7258].

185    In comparison, the security mechanisms defined in this document
186    provide for authentication and encryption based on the public key
187    certificates of the client and server.  The DHCPv6 authentication can
188    protect DHCPv6 from active attacks, such as spoofing attack.  And the
189    DHCPv6 encryption defends against passive attacks, such as pervasive
190    monitoring attack.

192 5.  Secure DHCPv6 Overview

194 5.1.  Solution Overview

196    This solution provides authentication and encryption mechanisms based
197    on the certificates of the DHCPv6 client and server.  Before the
198    standard DHCPv6 configuration process, the Information-request and
199    Reply messages are exchanged to select one authenticated DHCPv6
200    server.  After the mutual authentication between the DHCPv6 client
201    and server, the following DHCPv6 configuration process is encrypted
202    to avoid the privacy information disclosure.  We introduce two new
203    DHCPv6 messages: Encrypted-Query message, Encrypted-Response message
204    and three new DHCPv6 options: Encrypted-message option, Certificate
205    option, Timestamp option.  Based on the new defined messages and
206    options, the corresponding authentication and encryption mechanisms
207    are achieved.

209    The following figure illustrates secure DHCPv6 procedure.  The DHCPv6
210    client first sends an Information-request message to the standard
211    multicast address to all DHCPv6 servers.  The Information-request
212    message is used to request the servers for the servers' certificates
213    information, without going through any address, prefix or non-
214    security option assignment process.  The Information-request is sent
215    without any client's private information, such as Client Identifier
216    option or the Certificate option, to minimize client's privacy
217    information leakage.  When receiving the Information-request message,
218    the server sends the Reply message that contains the server's
219    Certificate option and Server Identifier option.  Upon the receipt of
220    the Reply message, the DHCPv6 client verifies the server's identity
221    according to the contained certificate in the Reply message.  If
222    there are multiple authenticated DHCPv6 servers, the client selects
223    one authenticated DHCPv6 server for the following DHCPv6
224    configuration process.  If there are no authenticated DHCPv6 servers
225    or existing servers failed authentication, the client should retry a
226    number of times.  In this way, it is difficult for a rogue server to
227    beat out a busy "real" server.  And then the client takes some other
228    alternative action depending on its local policy.

230    After the server's authentication, the first DHCPv6 message sent from
231    the client to the server, such as Solicit message, contains the
232    client's Certificate information for client authentication.  The
233    DHCPv6 client sends the Encrypted-Query message to server, which
234    carries the Encrypted-message option and the Server Identifier
235    option.  The Encrypted-message option contains the encrypted DHCPv6
236    message sent from the client to the server.  When the DHCPv6 server
237    receives the Encrypted-Query message, it decrypts the message using
238    its private key.  If the decrypted message contains the client's
239    Certificate option, the DHCPv6 server verifies the client's identity
240    according to the contained client certificate information.

242    After the client's authentication, the server sends the Encrypted-
243    Response message to the client, which contains the Encrypted-message
244    option.  The Encrypted-message option contains the encrypted DHCPv6
245    message sent from server to client, which is encrypted using the
246    client's public key.  If the message fails client authentication,
247    then the server sends the corresponding error status code to the
248    client.  During the encrypted DHCPv6 configuration process, the
249    timestamp option can be contained in the encrypted DHCPv6 messages to
250    defend against replay attacks.

252    +-------------+                            +-------------+
253    |DHCPv6 Client|                            |DHCPv6 Server|
254    +-------------+                            +-------------+
255           |           Information-request            |
256           |----------------------------------------->|
257           |          Option Request option           |
258           |                                          |
259           |                  Reply                   |
260           |<-----------------------------------------|
261           |            Certificate option            |
262           |         Server Identifier option         |
263           |                                          |
264           |             Encryption-Query             |
265           |----------------------------------------->|
266           |         Encrypted-message option         |
267           |         Server Identifier option         |
268           |                                          |
269           |           Encryption-Response            |
270           |<-----------------------------------------|
271           |         Encrypted-message option         |
272           |                                          |

274                      Secure DHCPv6 Procedure

276 5.2.  New Components

278    The new components of the mechanism specified in this document are as
279    follows:

281    o  Servers and clients that use certificates first generate a public/
282       private key pair and then obtain a certificate that signs the
283       public key.  The Certificate option is defined to carry the
284       certificate of the sender.

286    o  A timestamp that can be used to detect replayed packets.  The
287       Timestamp option is defined to carry the current time of the
288       client/server.  The secure DHCPv6 client/server need to meet some
289       accuracy requirements and be synced to global time, while the
290       timestamp checking mechanism allows a configurable time value for
291       clock drift.  The real time provision is out of scope of this
292       document.

294    o  The Encrypted-message option that contains the encrypted DHCPv6
295       message.

297    o  The Encrypted-Query message that is sent from the secure DHCPv6
298       client to the secure DHCPv6 server.  The Encrypted-Query message
299       contains the Encrypted-message option and Server Identifier
300       option.

302    o  The Encrypted-Response message that is sent from the secure DHCPv6
303       server to the secure DHCPv6 client.  The Encrypted-Response
304       message contains the Encrypted-message option.

306 5.3.  Support for Algorithm Agility

308    Encryption algorithm is used for DHCPv6 encryption to defend against
309    passive attack.  In order to provide a means of addressing problems
310    that may emerge in the future with existing encryption algorithms,
311    this document provides a mechanism for negotiating the use of more
312    encryption algorithms in the future.

314    The support for algorithm agility in this document is mainly a
315    unilateral notification mechanism from sender to recipient.  A
316    recipient MAY support various algorithms simultaneously among
317    different senders, and the different senders in a same administrative
318    domain may be allowed to use various algorithms simultaneously.  It
319    is NOT RECOMMENDED that the same sender and recipient use various
320    algorithms in a single communication session.

322    If the server does not support the algorithm used by the client, the
323    server SHOULD reply with an AlgorithmNotSupported status code
324    (defined in Section 10.3) to the client.  Upon receiving this status
325    code, the client MAY resend the message protected with the mandatory
326    algorithm (defined in Section 10.1.1).

328 5.4.  Applicability

330    In principle, Secure DHCPv6 is applicable in any environment where
331    physical security on the link is not assured and attacks on DHCPv6
332    are a concern.  In practice, however, it will rely on some
333    operational assumptions mainly regarding public key distribution and
334    management, until more lessons are learned and more experiences are
335    achieved.

337    One feasible environment in an early deployment stage would be
338    enterprise networks.  In such networks the security policy tends to
339    be strict and it will be easier to manage client hosts.  One trivial
340    deployment scenario is therefore to manually pre-configure client
341    with the trusted servers' public key and manually register clients'
342    public keys for the server.  It may also be possible to deploy an
343    internal PKI to make this less reliant on manual operations, although
344    it is currently subject to future study specifically how to integrate
345    such a PKI into the DHCPv6 service for the network.

347    Note that this deployment scenario based on manual operation is not
348    very different from the existing, shared-secret based
349    authentication mechanisms defined in [RFC3315] in terms of
350    operational costs.  However, Secure DHCPv6 is still securer than the
351    shared-secret mechanism in that even if clients' keys stored for the
352    server are stolen that does not mean an immediate threat as these are
353    public keys.  In addition, if some kind of PKI is used with Secure
354    DHCPv6, even if the initial installation of the certificates is done
355    manually, it will help reduce operational costs of revocation in case
356    a private key (especially that of the server) is compromised.

358    It is believed that Secure DHCPv6 could be more widely applicable
359    with integration of generic PKI so that it will be more easily
360    deployed.  But such a deployment requires more general issues with
361    PKI deployment be addressed, and it is currently unknown whether we
362    can find practical deployment scenarios.  It is subject to future
363    study and experiments, and out of scope of this document.

365 6.  DHCPv6 Client Behavior

367    For the secure DHCPv6 client, a certificate is needed for client
368    authentication.  The client is pre-configured with a certificate and
369    its corresponding private key.  If the client is pre-configured with
370    public key not certificate, it can generate the self-signed
371    certificate for client authentication.

373    The secure DHCPv6 client multicasts the Information-request message
374    to the DHCPv6 servers.  The Information-request message MUST NOT
375    include any option which may reveal the private information of the
376    client, such as the Client Identifier option or the Certificate
377    option.  The Information-request message is used by the DHCPv6 client
378    to request the server's identity verification information without
379    having addresses, prefixes or any non-security options assigned to
380    it.  The Option Request option in the Information-request message
381    MUST contain the option code of the Certificate option.

383    When receiving the Reply messages from DHCPv6 servers, a secure
384    DHCPv6 client SHOULD discard any DHCPv6 messages when the Certificate
385    option or Server Identifier option is missing.  And then the client
386    SHOULD first check the support of the encryption algorithm that the
387    server used.  If the check fails, the Reply message SHOULD be
388    dropped.  If the encryption algorithm is supported, the client then
389    checks the authority of this server.  The client SHOULD also use the
390    same algorithms in the return messages.

392    The client SHOULD validate the certificate according to the rules
393    defined in [RFC5280].  An implementation may create a local trust
394    certificate record for verified certificates in order to avoid
395    repeated verification procedure in the future.  A certificate that
396    finds a match in the local trust certificate list is treated as
397    verified.  The message transaction-id is used as the identifier of
398    the authenticated server's public key for encryption.  At this point,
399    the client has either recognized the certificate of the server, or
400    decided to drop the message.

402    If there are multiple authenticated DHCPv6 servers, the client
403    selects one DHCPv6 server for the following network parameters
404    configuration.  The client can also choose other implementation
405    method depending on the client's local policy if the defined protocol
406    can also run normally.  For example, the client can try multiple
407    transactions (each with different server) at the "same" time.  If
408    there are no authenticated DHCPv6 servers or existing servers failed
409    authentication, the client should retry a number of times.  In this
410    way, it is difficult for the rogue server to beat out a busy "real"
411    server.  And then the client takes some alternative action depending
412    on its local policy, such as attempting to use an unsecured DHCPv6
413    server.  The client conducts the server discovery process as per
414    section 18.1.5 of [RFC3315] to avoid the packet storm.

416    Once the server has been authenticated, the DHCPv6 client sends the
417    Encrypted-Query message to the DHCPv6 server.  The Encrypted-Query
418    message contains the Encrypted-message option, which MUST be
419    constructed as explained in Section 10.1.3, and Server Identifier
420    option.  The Encrypted-message option contains the DHCPv6 message
421    that is encrypted using the selected server's public key.  The Server
422    Identifier option is externally visible to avoid decryption cost by
423    those unselected servers.

425    For the encrypted DHCPv6 message sent from the DHCPv6 client to the
426    DHCPv6 server, the first DHCPv6 message, such as Solicit message,
427    MUST contain the Certificate option for client authentication.  The
428    Certificate option MUST be constructed as explained in
429    Section 10.1.1.  If the client has multiple certificates with
430    different public/private key pairs, the message transaction-id is
431    used as the identifier of the client's private key for decryption.
432    In addition, the encrypted DHCPv6 message can contain the timestamp
433    option to defend against replay attacks.  The timestamp option MUST
434    be constructed as explained in Section 10.1.2.

436    For the received Encrypted-Response message, the client extracts the
437    Encrypted-message option and decrypts it using its private key to
438    obtain the original DHCPv6 message.  Then it handles the message as
439    per [RFC3315].  If the decrypted DHCPv6 message contains the
440    timestamp option, the DHCPv6 client checks the timestamp according to
441    the rule defined in Section 9.1.  The DHCPv6 message, which fails the
442    timestamp check, MUST be discarded.  If the client fails to get the
443    proper parameters from the chosen server, it sends the Encrypted-
444    Query message to another authenticated server for parameters
445    configuration until the client obtains the proper parameters.

447    When the client receives a Reply message with an error status code,
448    the error status code indicates the failure reason on the server
449    side.  According to the received status code, the client MAY take
450    follow-up action:

452    o  Upon receiving an AlgorithmNotSupported error status code, the
453       client SHOULD resend the message protected with one of the
454       mandatory algorithms.

456    o  Upon receiving an AuthenticationFail error status code, the client
457       is not able to build up the secure communication with the server.
458       However, there may be other DHCPv6 servers available that
459       successfully complete authentication.  The client MAY use the
460       AuthenticationFail as a hint and switch to another certificate if it
461       has another one; but otherwise treat the message containing the
462       status code as if it had not been received.  But it SHOULD NOT
463       retry with the same certificate.  However, if the client decides
464       to retransmit using the same certificate after receiving
465       AuthenticationFail, it MUST NOT retransmit immediately and MUST
466       follow normal retransmission routines defined in [RFC3315].

468    o  Upon receiving a DecryptionFail error status code, the client MAY
469       resend the message following normal retransmission routines
470       defined in [RFC3315].

472    o  Upon receiving a TimestampFail error status code, the client MAY
473       resend the message with an adjusted timestamp according to the
474       returned clock from the DHCPv6 server.  The client SHOULD NOT
475       change its own clock, but only compute an offset for the
476       communication session.

478 7.  DHCPv6 Server Behavior

480    For the secure DHCPv6 server, a certificate is needed for server
481    authentication.  The server is pre-configured with a certificate and
482    its corresponding private key.  If the server is pre-configured with
483    public key not certificate, it can generate the self-signed
484    certificate for server authentication.

486    When the DHCPv6 server receives the Information-request message and
487    the contained Option Request option identifies the request is for the
488    server certificate information, it replies with a Reply message to
489    the client.  The Reply message MUST contain the requested Certificate
490    option, which MUST be constructed as explained in Section 10.1.1, and
491    Server Identifier option.

493    Upon the receipt of Encrypted-Query message, the server checks the
494    Server Identifier option.  It decrypts the Encrypted-message option
495    using its private key if it is the target server.  The DHCPv6 server
496    drops the message that is not for it, thus not paying cost to decrypt
497    messages not for it.

499    If the decrypted message is a Solicit/Information-request message,
500    the secure DHCPv6 server SHOULD discard the received message if the
501    Certificate option is missing.  In such failure, the server SHOULD
502    reply with an UnspecFail (value 1, [RFC3315]) error status code.

504    If a Certificate option is provided, the server SHOULD first check
505    the support of the encryption algorithm that the client used.  If the
506    check fails, the server SHOULD reply with an AlgorithmNotSupported
507    error status code, defined in Section 10.3 back to the client.  If
508    the encryption algorithm is supported, the server then checks the
509    authority of this client.

511    The server SHOULD validate the certificate according to the rules
512    defined in [RFC5280].  An implementation may create a local trust
513    certificate record for verified certificates in order to avoid
514    repeated verification procedure in the future.  A certificate that
515    finds a match in the local trust certificate list is treated as
516    verified.  The message that fails certificate validation MUST be
517    dropped.  In such failure, the DHCPv6 server SHOULD reply with an
518    AuthenticationFail error status code, defined in Section 10.3, back
519    to the client.  At this point, the server has either recognized the
520    authentication of the client, or decided to drop the message.

522    If the decrypted message contains the timestamp option, the server
523    checks the timestamp according to the rule defined in Section 9.1.
524    If the timestamp check fails, a TimestampFail error status code,
525    defined in Section 10.3, should be sent back to the client.

527    Depending on server's local policy, the message without a Timestamp
528    option MAY be acceptable or rejected.  If the server rejects such a
529    message, a TimestampFail error status code should be sent back to the
530    client.  The Reply message that carries the TimestampFail error
531    status code SHOULD carry a timestamp option, which indicates the
532    server's clock for the client to use.

534    Once the client has been authenticated, the DHCPv6 server sends the
535    Encrypted-response message to the DHCPv6 client.  The Encrypted-
536    response message contains the Encrypted-message option, which MUST be
537    constructed as explained in Section 10.1.3.  The Encrypted-message
538    option contains the encrypted DHCPv6 message that is encrypted using
539    the authenticated client's public key.  To provide the replay
540    protection, the timestamp option can be contained in the encrypted
541    DHCPv6 message.

543 8.  Relay Agent Behavior

545    When a DHCPv6 relay agent receives an Encrypted-query or Encrypted-
546    response message, it may not recognize this message.  The unknown
547    messages MUST be forwarded as described in [RFC7283].

549    When a DHCPv6 relay agent recognizes the Encrypted-query and
550    Encrypted-response messages, it forwards the message according to
551    section 20 of [RFC3315].  There is nothing more the relay agents have
552    to do, it neither needs to verify the messages from client or server,
553    nor add any secure DHCPv6 options.  Actually, by definition in this
554    document, relay agents MUST NOT add any secure DHCPv6 options.

556    Relay-forward and Relay-reply messages MUST NOT contain any
557    additional Certificate option or Timestamp option, aside from those
558    present in the innermost encapsulated messages from the client or
559    server.

561 9.  Processing Rules

563 9.1.  Timestamp Check

565    In order to check the Timestamp option, defined in Section 10.1.2,
566    recipients SHOULD be configured with an allowed timestamp Delta
567    value, a "fuzz factor" for comparisons, and an allowed clock drift
568    parameter.  The recommended default value for the allowed Delta is
569    300 seconds (5 minutes); for fuzz factor 1 second; and for clock
570    drift, 0.01 second.

572    Note: the Timestamp mechanism is based on the assumption that
573    communication peers have roughly synchronized clocks, within certain
574    allowed clock drift.  So, an accurate clock is not necessary.  If one
575    has a clock too far from the current time, the timestamp mechanism
576    would not work.

578     To facilitate timestamp checking, each recipient SHOULD store the
579     following information for each sender, from which at least one
580     accepted secure DHCPv6 message is successfully verified (for
581     timestamp check):

583     o  The receive time of the last received and accepted DHCPv6 message.
584        This is called RDlast.

586     o  The timestamp in the last received and accepted DHCPv6 message.
587        This is called TSlast.

589     A verified (for timestamp check) secure DHCPv6 message initiates the
590     update of the above variables in the recipient's record.

592     Recipients MUST check the Timestamp field as follows:

594     o  When a message is received from a new peer (i.e., one that is not
595        stored in the cache), the received timestamp, TSnew, is checked,
596        and the message is accepted if the timestamp is recent enough to
597        the reception time of the packet, RDnew:

599           -Delta < (RDnew - TSnew) < +Delta

601        After the signature verification also succeeds, the RDnew and
602        TSnew values SHOULD be stored in the cache as RDlast and TSlast.

604     o  When a message is received from a known peer (i.e., one that
605        already has an entry in the cache), the timestamp is checked
606        against the previously received Secure DHCPv6 message:

608           TSnew + fuzz > TSlast + (RDnew - RDlast) x (1 - drift) - fuzz

610        If this inequality does not hold or RDnew < RDlast, the recipient
611        SHOULD silently discard the message. If, on the other hand, the
612        inequality holds, the recipient SHOULD process the message.

614        Moreover, if the above inequality holds and TSnew > TSlast, the
615        recipient SHOULD update RDlast and TSlast after the signature
616        verification also succeeds. Otherwise, the recipient MUST NOT
617        update RDlast or TSlast.

619     An implementation MAY use some mechanism such as a timestamp cache to
620     strengthen resistance to replay attacks.
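The Section 9.1 timestamp rules as runnable Python, added here as an illustration and not taken from the draft or from any implementation: it decodes the 64-bit Timestamp field (48-bit seconds plus 16-bit fraction, the RFC 3971 format the draft references) and applies the new-peer and known-peer checks. The option code `0xFF02`, the `TimestampChecker` class, its `max_peers` bound and the reading of drift as the dimensionless factor in `(1 - drift)` are assumptions.

```python
import struct
from dataclasses import dataclass, field

OPTION_TIMESTAMP = 0xFF02  # placeholder: the draft leaves this code as TBA2
DELTA = 300.0              # allowed Delta in seconds (recommended default)
FUZZ = 1.0                 # fuzz factor in seconds
DRIFT = 0.01               # draft default, applied as the factor in (1 - drift)


def encode_timestamp_option(ts: float) -> bytes:
    """Build a Timestamp option: 48-bit seconds, 16-bit 1/65536 s fraction."""
    raw = (int(ts) << 16) | int((ts % 1) * 65536)
    return struct.pack("!HHQ", OPTION_TIMESTAMP, 8, raw)


def decode_timestamp_option(opt: bytes) -> float:
    """Parse a Timestamp option; return seconds since 1970-01-01 UTC."""
    if len(opt) != 12:
        raise ValueError("Timestamp option is a 4-octet header plus 8 octets")
    code, length, raw = struct.unpack("!HHQ", opt)
    if code != OPTION_TIMESTAMP or length != 8:
        raise ValueError("not a well-formed Timestamp option")
    return (raw >> 16) + (raw & 0xFFFF) / 65536.0


@dataclass
class TimestampChecker:
    max_peers: int = 1024                      # hypothetical cache bound
    peers: dict = field(default_factory=dict)  # peer id -> (RDlast, TSlast)

    def check(self, peer, ts_new: float, rd_new: float) -> bool:
        """Apply the Section 9.1 test without touching the cache."""
        last = self.peers.get(peer)
        if last is None:
            # New peer: -Delta < (RDnew - TSnew) < +Delta
            return -DELTA < (rd_new - ts_new) < DELTA
        rd_last, ts_last = last
        if rd_new < rd_last:
            return False
        # Known peer: TSnew + fuzz > TSlast + (RDnew - RDlast)(1 - drift) - fuzz
        return ts_new + FUZZ > ts_last + (rd_new - rd_last) * (1 - DRIFT) - FUZZ

    def commit(self, peer, ts_new: float, rd_new: float) -> bool:
        """Record RDlast/TSlast; call only after check() passed and the
        message also passed cryptographic verification."""
        last = self.peers.get(peer)
        if last is None:
            if len(self.peers) >= self.max_peers:
                return False  # cache full: refuse the new entry (one policy)
            self.peers[peer] = (rd_new, ts_new)
            return True
        if ts_new > last[1]:  # update only when TSnew > TSlast
            self.peers[peer] = (rd_new, ts_new)
            return True
        return False


if __name__ == "__main__":
    T = 1457395200.0  # constructed baseline, seconds since the epoch
    checker = TimestampChecker()
    # Constructed sequence: first contact, replay 10 s later, fresh message,
    # and a stale message from an unknown peer.
    for peer, ts, rd in [("client-a", T, T + 2), ("client-a", T, T + 12),
                         ("client-a", T + 60, T + 62), ("client-b", T - 1000, T)]:
        ok = checker.check(peer, ts, rd)
        if ok:
            checker.commit(peer, ts, rd)  # assumes verification succeeded
        print(peer, ts - T, rd - T, "accept" if ok else "discard")
```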
        When there is a very large
621     number of nodes on the same link, or when a cache filling attack is
622     in progress, it is possible that the cache holding the most recent
623     timestamp per sender will become full. In this case, the node MUST
624     remove some entries from the cache or refuse some new requested
625     entries. The specific policy as to which entries are preferred over
626     others is left as an implementation decision.

628     An implementation MAY statefully record the latest timestamps from
629     senders. In such implementation, the timestamps MUST be strictly
630     monotonically increasing. This is reasonable given that DHCPv6
631     messages are rarely misordered.

633  10.  Extensions for Secure DHCPv6

635     This section describes the extensions to DHCPv6. Three new DHCPv6
636     options, two new DHCPv6 messages and four status codes are defined.

638  10.1.  New DHCPv6 Options

640  10.1.1.  Certificate Option

642     The Certificate option carries the certificate of the client/server.
643     The format of the Certificate option is described as follows:

645      0                   1                   2                   3
646      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
647     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
648     |      OPTION_CERTIFICATE       |         option-len            |
649     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
650     |    EA-id      |                                               |
651     +-+-+-+-+-+-+-+-+                                               .
652     .                 Certificate (variable length)                 .
653     .                                                               .
654     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

656     option-code    OPTION_CERTIFICATE (TBA1).

658     option-len     1 + Length of certificate in octets.

660     EA-id          Encryption Algorithm id. The encryption algorithm
661                    is used for the encrypted DHCPv6 configuration
662                    process. This design is adopted in order to provide
663                    encryption algorithm agility. The value is from the
664                    Encryption Algorithm for Secure DHCPv6 registry in
665                    IANA. A registry of the initial assigned values
666                    is defined in Section 12.

668     Certificate    A variable-length field containing certificate. The
669                    encoding of certificate and certificate data MUST
670                    be in format as defined in Section 3.6, [RFC7296].
671                    The support of X.509 certificate is mandatory.

673  10.1.2.  Timestamp Option

675     The Timestamp option carries the current time on the sender. It adds
676     the anti-replay protection to the DHCPv6 messages. It is optional.

678      0                   1                   2                   3
679      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
680     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
681     |       OPTION_TIMESTAMP        |         option-len            |
682     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
683     |                                                               |
684     |                      Timestamp (64-bit)                       |
685     |                                                               |
686     |                                                               |
687     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

689     option-code    OPTION_TIMESTAMP (TBA2).

691     option-len     8, in octets.

693     Timestamp      The current time of day (SeND-format timestamp
694                    in UTC (Coordinated Universal Time)). It can reduce
695                    the danger of replay attacks. The timestamp data MUST
696                    be in format as defined in Section 5.3.1, [RFC3971].

698  10.1.3.  Encrypted-message Option

700     The Encrypted-message option carries the encrypted DHCPv6 message
701     with the recipient's public key.

703     The format of the Encrypted-message option is:

705      0                   1                   2                   3
706      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
707     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
708     |          option-code          |           option-len          |
709     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
710     |                                                               |
711     .                   encrypted DHCPv6 message                    .
712     .                          (variable)                           .
713     .                                                               .
714     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

716                 Figure 1: Encrypted-message Option Format

718     option-code  OPTION_ENCRYPTED_MSG (TBA3).

720     option-len  Length of the encrypted DHCPv6 message.

722     encrypted DHCPv6 message  A variable length field containing the
723        encrypted DHCPv6 message sent by the client or the server. In
724        Encrypted-Query message, it contains encrypted DHCPv6 message sent
725        by a client. In Encrypted-response message, it contains encrypted
726        DHCPv6 message sent by a server.

728  10.2.  New DHCPv6 Messages

730     Two new DHCPv6 messages are defined to achieve the DHCPv6 encryption:
731     Encrypted-Query and Encrypted-Response. Both the DHCPv6 messages
732     defined in this document share the following format:

734      0                   1                   2                   3
735      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
736     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
737     |    msg-type   |                transaction-id                 |
738     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
739     |                                                               |
740     .                            options                            .
741     .                          (variable)                           .
742     |                                                               |
743     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

745        Figure 2: The format of Encrypted-Query and Encrypted-Response
746                                  Messages

748     msg-type        Identifier of the message type. It can be either
749                     Encrypted-Query (TBA4) or DHCPv6-Response (TBA5).

751     transaction-id  The transaction ID for this message exchange.

753     options         The Encrypted-Query message MUST contain the Server
754                     Identifier option and Encrypted-message option. The
755                     Encrypted-Response message MUST contain the
756                     Encrypted-message option.

758  10.3.  Status Codes

760     The following new status codes, see Section 5.4 of [RFC3315] are
761     defined.

763     o  AlgorithmNotSupported (TBD6): indicates that the DHCPv6 server
764        does not support algorithms that sender used.

766     o  AuthenticationFail (TBD7): indicates that the DHCPv6 client fails
767        authentication check.

769     o  TimestampFail (TBD8): indicates the message from DHCPv6 client
770        fails the timestamp check.

772     o  DecryptionFail (TBD9): indicates the message from DHCPv6 client
773        fails the DHCPv6 message decryption.

775  11.  Security Considerations

777     This document provides the authentication and encryption mechanisms
778     for DHCPv6.

780     A server, whose local policy accepts messages without a Timestamp
781     option, may have to face the risk of replay attacks.
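A bounds-checked parser for the Encrypted-Query/Encrypted-Response layout of Section 10.2 and the Certificate option payload of Section 10.1.1, added as an example and not part of the draft. Every TBA code point is replaced by a placeholder value, and the function and exception names are hypothetical.

```python
import struct

# Placeholder code points: the draft leaves every one of these as TBA.
OPTION_CERTIFICATE = 0xFF01      # TBA1
OPTION_ENCRYPTED_MSG = 0xFF03    # TBA3
MSG_ENCRYPTED_QUERY = 0xF4       # TBA4
MSG_ENCRYPTED_RESPONSE = 0xF5    # TBA5
OPTION_SERVERID = 2              # Server Identifier option, RFC 3315
EA_RSA = 0                       # only algorithm in the initial registry


class MalformedMessage(ValueError):
    """Length or structure violates the layouts in Sections 10.1 and 10.2."""


class AlgorithmNotSupported(ValueError):
    """EA-id is not one this receiver implements (maps to the status code)."""


def parse_options(buf: bytes) -> dict:
    """Walk code/len/value options, refusing any length that overruns buf."""
    opts, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise MalformedMessage("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if length > len(buf) - off:
            raise MalformedMessage("option-len runs past end of message")
        opts.setdefault(code, []).append(buf[off:off + length])
        off += length
    return opts


def parse_certificate_option(payload: bytes):
    """Split a Certificate option payload into (EA-id, certificate bytes)."""
    if len(payload) < 2:  # option-len is 1 + certificate length
        raise MalformedMessage("Certificate option carries no certificate")
    ea_id, cert = payload[0], payload[1:]
    if ea_id != EA_RSA:
        raise AlgorithmNotSupported(f"EA-id {ea_id}")
    return ea_id, cert


def parse_encrypted_message(msg: bytes):
    """Return (msg-type, transaction-id, ciphertext, server DUID or None)."""
    if len(msg) < 4:
        raise MalformedMessage("shorter than msg-type + transaction-id")
    msg_type, xid = msg[0], int.from_bytes(msg[1:4], "big")
    if msg_type not in (MSG_ENCRYPTED_QUERY, MSG_ENCRYPTED_RESPONSE):
        raise MalformedMessage("not an Encrypted-Query/Encrypted-Response")
    opts = parse_options(msg[4:])
    required = [OPTION_ENCRYPTED_MSG]
    if msg_type == MSG_ENCRYPTED_QUERY:
        required.append(OPTION_SERVERID)
    for code in required:
        # Rejecting duplicates is a local hardening choice, not a draft rule.
        if len(opts.get(code, [])) != 1:
            raise MalformedMessage(f"option {code} must appear exactly once")
    server_id = opts.get(OPTION_SERVERID, [None])[0]
    return msg_type, xid, opts[OPTION_ENCRYPTED_MSG][0], server_id


def build_option(code: int, value: bytes) -> bytes:
    """Encode one option as option-code, option-len, value."""
    return struct.pack("!HH", code, len(value)) + value


# Constructed sample: opaque bytes stand in for the DUID and the ciphertext.
SAMPLE_QUERY = (bytes([MSG_ENCRYPTED_QUERY]) + (0x123456).to_bytes(3, "big")
                + build_option(OPTION_SERVERID, b"\x00\x03\x00\x01constructed")
                + build_option(OPTION_ENCRYPTED_MSG, b"\xde\xad\xbe\xef" * 4))
```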

783     A window of vulnerability for replay attacks exists until the
784     timestamp expires. Secure DHCPv6 nodes are protected against replay
785     attacks as long as they cache the state created by the message
786     containing the timestamp. The cached state allows the node to
787     protect itself against replayed messages. However, once the node
788     flushes the state for whatever reason, an attacker can re-create the
789     state by replaying an old message while the timestamp is still valid.
790     In addition, the effectiveness of timestamps is largely dependent
791     upon the accuracy of synchronization between communicating nodes.
792     However, how the two communicating nodes can be synchronized is out
793     of scope of this work.

795     Attacks against time synchronization protocols such as NTP [RFC5905]
796     may cause Secure DHCPv6 nodes to have an incorrect timestamp value.
797     This can be used to launch replay attacks, even outside the normal
798     window of vulnerability. To protect against these attacks, it is
799     recommended that Secure DHCPv6 nodes keep independently maintained
800     clocks or apply suitable security measures for the time
801     synchronization protocols.

803  12.  IANA Considerations

805     This document defines three new DHCPv6 [RFC3315] options. The IANA
806     is requested to assign values for these three options from the DHCPv6
807     Option Codes table of the DHCPv6 Parameters registry maintained in
808     http://www.iana.org/assignments/dhcpv6-parameters. The three options
809     are:

811        The Certificate option (TBA1), described in Section 10.1.1.

813        The Timestamp option (TBA2), described in Section 10.1.2.

815        The Encrypted-message option (TBA3), described in Section 10.1.3.

817     The IANA is also requested to assign value for these two messages
818     from the DHCPv6 Message Types table of the DHCPv6 Parameters registry
819     maintained in http://www.iana.org/assignments/dhcpv6-parameters. The
820     two messages are:

822        The Encrypted-Query message (TBA4), described in Section 10.2.

824        The Encrypted-Response message (TBA5), described in Section 10.2.

826     The IANA is also requested to add one new registry table to the
827     DHCPv6 Parameters registry maintained in
828     http://www.iana.org/assignments/dhcpv6-parameters. The table is the
829     Encryption Algorithm for Secure DHCPv6 table.

831     Initial values for these registries are given below. Future
832     assignments are to be made through Standards Action [RFC5226].
833     Assignments for each registry consist of a name, a value and a RFC
834     number where the registry is defined.

836     Encryption algorithm for Secure DHCPv6. The values in this table are
837     8-bit unsigned integers. The following initial values are assigned
838     for encryption algorithm for Secure DHCPv6 in this document:

840            Name        |  Value  |  RFCs
841     -------------------+---------+--------------
842            RSA         |    0    | this document

844     IANA is requested to assign the following new DHCPv6 Status Codes,
845     defined in Section 10.3, in the DHCPv6 Parameters registry maintained
846     in http://www.iana.org/assignments/dhcpv6-parameters:

848       Code   |         Name          |   Reference
849     ---------+-----------------------+--------------
850       TBD6   | AlgorithmNotSupported | this document
851       TBD7   | AuthenticationFail    | this document
852       TBD8   | TimestampFail         | this document
853       TBD9   | DecryptionFail        | this document

855  13.  Acknowledgements

857     The authors would like to thank Tomek Mrugalski, Bernie Volz,
858     Jianping Wu, Randy Bush, Yiu Lee, Sean Shen, Ralph Droms, Jari Arkko,
859     Sean Turner, Stephen Farrell, Christian Huitema, Stephen Kent, Thomas
860     Huth, David Schumacher, Francis Dupont, Gang Chen, Suresh Krishnan,
861     Fred Templin, Robert Elz, Nico Williams, Erik Kline, Alan DeKok,
862     Bernard Aboba, Sam Hartman, Qi Sun, Zilong Liu and other members of
863     the IETF DHC working group for their valuable comments.

865     This document was produced using the xml2rfc tool [RFC2629].

867  14.  Change log [RFC Editor: Please remove]

869     draft-ietf-dhc-sedhcpv6-11: Delete the Signature option, because the
870     encrypted DHCPv6 message and the Information-request message (only
871     contain the certificate option) don't need the signature option for
872     message integrity check; Rewrite the "Applicability" section; Add the
873     encryption algorithm negotiation process; To support the encryption
874     algorithm negotiation, the Certificate option contains the EA-
875     id(encryption algorithm identifier) field; Reserve the timestamp
876     option to defend against the replay attacks for encrypted DHCPv6
877     configuration process; Modify the client behavior when there is no
878     authenticated DHCPv6 server; Add the DecryptionFail error code.
879     2016-3-9.

881     draft-ietf-dhc-sedhcpv6-10: merge DHCPv6 authentication and DHCPv6
882     encryption. The public key option is removed, because the device can
883     generate the self-signed certificate if it is pre-configured the
884     public key not the certificate. 2015-12-10.

886     draft-ietf-dhc-sedhcpv6-09: change some texts about the deployment
887     part. 2015-12-10.

889     draft-ietf-dhc-sedhcpv6-08: clarified what the client and the server
890     should do if it receives a message using unsupported algorithm;
891     refined the error code treatment regarding to AuthenticationFail and
892     TimestampFail; added consideration on how to reduce the DoS attack
893     when using TOFU; other general editorial cleanups. 2015-06-10.

895     draft-ietf-dhc-sedhcpv6-07: removed the deployment consideration
896     section; instead, described more straightforward use cases with TOFU
897     in the overview section, and clarified how the public keys would be
898     stored at the recipient when TOFU is used. The overview section also
899     clarified the integration of PKI or other similar infrastructure is
900     an open issue. 2015-03-23.

902     draft-ietf-dhc-sedhcpv6-06: remove the limitation that only clients
903     use PKI-certificates and only servers use public keys. The new text
904     would allow clients use public keys and servers use PKI-certificates.
905     2015-02-18.

907     draft-ietf-dhc-sedhcpv6-05: addressed comments from mail list that
908     responded to the second WGLC. 2014-12-08.

910     draft-ietf-dhc-sedhcpv6-04: addressed comments from mail list.
911     Making timestamp an independent and optional option. Reduce the
912     serverside authentication to base on only client's certificate.
913     Reduce the clientside authentication to only Leap of Faith base on
914     server's public key. 2014-09-26.

916     draft-ietf-dhc-sedhcpv6-03: addressed comments from WGLC. Added a
917     new section "Deployment Consideration". Corrected the Public Key
918     Field in the Public Key Option. Added consideration for large DHCPv6
919     message transmission. Added TimestampFail error code. Refined the
920     retransmission rules on clients. 2014-06-18.

922     draft-ietf-dhc-sedhcpv6-02: addressed comments (applicability
923     statement, redesign the error codes and their logic) from IETF89 DHC
924     WG meeting and volunteer reviewers. 2014-04-14.

926     draft-ietf-dhc-sedhcpv6-01: addressed comments from IETF88 DHC WG
927     meeting. Moved Dacheng Zhang from acknowledgement to be co-author.
928     2014-02-14.

930     draft-ietf-dhc-sedhcpv6-00: adopted by DHC WG. 2013-11-19.

932     draft-jiang-dhc-sedhcpv6-02: removed protection between relay agent
933     and server due to complexity, following the comments from Ted Lemon,
934     Bernie Volz. 2013-10-16.

936     draft-jiang-dhc-sedhcpv6-01: update according to review comments from
937     Ted Lemon, Bernie Volz, Ralph Droms. Separated Public Key/
938     Certificate option into two options. Refined many detailed
939     processes. 2013-10-08.

941     draft-jiang-dhc-sedhcpv6-00: original version, this draft is a
942     replacement of draft-ietf-dhc-secure-dhcpv6, which reached IESG and
943     dead because of consideration regarding to CGA. The authors followed
944     the suggestion from IESG making a general public key based mechanism.
945     2013-06-29.

947  15.  Open Issues [RFC Editor: Please remove]

949     this protocol changes DHCPv6 message exchanges quite substantially:
950     previously, the client first sends a Solicit message, gets possibly
951     multiple Advertise messages, chooses the server (= sender of one of
952     the Advertises) that would be best for the client, and then sends a
953     Request to that chosen server. Now the server selection is done at
954     the key exchange phase (the initial Information-request and Reply
955     exchange), and the Solicit can be sent only to a single server. If
956     the client doesn't like the Advertise it could restart the whole
957     process, but it will be more expensive, and there's no guarantee that
958     other servers can provide a better Advertise.

960     One might argue that it's okay as "secure DHCPv6" is an "optional"
961     extension. But, with keeping in mind that the current IETF trend is
962     to make everything privacy-aware (often by making everything
963     encrypted), I'd personally say we should consider it to be the
964     standard mode of DHCPv6 operation even if users can still disable it.
965     From this point of view, I think we should either

967     o  A. make the server selection behavior more compatible with the
968        pre-encryption protocol, or

970     o  B. accept we give up the previous server selection feature for
971        privacy (after careful assessment of its effect and with clear wg
972        consensus), and explicitly note that. we might even have to
973        reflect that in rfc3315bis.

975  16.  References

977  16.1.  Normative References

979     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
980                Requirement Levels", BCP 14, RFC 2119,
981                DOI 10.17487/RFC2119, March 1997,
982                .

984     [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
985                (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
986                December 1998, .

988     [RFC3315]  Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
989                C., and M. Carney, "Dynamic Host Configuration Protocol
990                for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
991                2003, .

993     [RFC3971]  Arkko, J., Ed., Kempf, J., Zill, B., and P. Nikander,
994                "SEcure Neighbor Discovery (SEND)", RFC 3971,
995                DOI 10.17487/RFC3971, March 2005,
996                .

998     [RFC4443]  Conta, A., Deering, S., and M. Gupta, Ed., "Internet
999                Control Message Protocol (ICMPv6) for the Internet
1000               Protocol Version 6 (IPv6) Specification", RFC 4443,
1001               DOI 10.17487/RFC4443, March 2006,
1002               .

1004    [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
1005               Housley, R., and W. Polk, "Internet X.509 Public Key
1006               Infrastructure Certificate and Certificate Revocation List
1007               (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
1008               .

1010    [RFC5905]  Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
1011               "Network Time Protocol Version 4: Protocol and Algorithms
1012               Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010,
1013               .

1015    [RFC7283]  Cui, Y., Sun, Q., and T. Lemon, "Handling Unknown DHCPv6
1016               Messages", RFC 7283, DOI 10.17487/RFC7283, July 2014,
1017               .

1019    [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
1020               Kivinen, "Internet Key Exchange Protocol Version 2
1021               (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
1022               2014, .

1024 16.2.  Informative References

1026    [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
1027               DOI 10.17487/RFC2629, June 1999,
1028               .

1030    [RFC4270]  Hoffman, P. and B. Schneier, "Attacks on Cryptographic
1031               Hashes in Internet Protocols", RFC 4270,
1032               DOI 10.17487/RFC4270, November 2005,
1033               .

1035    [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
1036               IANA Considerations Section in RFCs", BCP 26, RFC 5226,
1037               DOI 10.17487/RFC5226, May 2008,
1038               .

1040    [RFC6273]  Kukec, A., Krishnan, S., and S. Jiang, "The Secure
1041               Neighbor Discovery (SEND) Hash Threat Analysis", RFC 6273,
1042               DOI 10.17487/RFC6273, June 2011,
1043               .

1045    [RFC7258]  Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
1046               Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
1047               2014, .

1049    [RSA]      RSA Laboratories, "RSA Encryption Standard, Version 2.1,
1050               PKCS 1", November 2002.

1052 Authors' Addresses
1053    Sheng Jiang
1054    Huawei Technologies Co., Ltd
1055    Q14, Huawei Campus, No.156 Beiqing Road
1056    Hai-Dian District, Beijing, 100095
1057    CN

1059    Email: jiangsheng@huawei.com

1061    Lishan Li
1062    Tsinghua University
1063    Beijing 100084
1064    P.R.China

1066    Phone: +86-15201441862
1067    Email: lilishan48@gmail.com

1069    Yong Cui
1070    Tsinghua University
1071    Beijing 100084
1072    P.R.China

1074    Phone: +86-10-6260-3059
1075    Email: yong@csnet1.cs.tsinghua.edu.cn

1077    Tatuya Jinmei
1078    Infoblox Inc.
1079    3111 Coronado Drive
1080    Santa Clara, CA
1081    US

1083    Email: jinmei@wide.ad.jp

1085    Ted Lemon
1086    Nominum, Inc.
1087    2000 Seaport Blvd
1088    Redwood City, CA 94063
1089    USA

1091    Phone: +1-650-381-6000
1092    Email: Ted.Lemon@nominum.com
1093    Dacheng Zhang
1094    Beijing
1095    CN

1097    Email: dacheng.zhang@gmail.com