idnits 2.17.1 

draft-ietf-dhc-vpn-option-06.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 17.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 310.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 321.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 328.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 334.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references ([7]), which it shouldn't. 
     Please replace those with straight textual mentions of the documents in
     question.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust Copyright Line does not match the
     current year

  == Line 255 has weird spacing: '... Option  for D...'

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (April 12, 2007) is 6218 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Obsolete informational reference (is this intentional?): RFC 2434 (ref.
     '6') (Obsoleted by RFC 5226)

  == Outdated reference: A later version (-06) exists of
     draft-ietf-dhc-agent-vpn-id-04


     Summary: 2 errors (**), 0 flaws (~~), 5 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                         R. Johnson
3	Internet-Draft                                             J. Kumarasamy
4	Expires: October 14, 2007                                     K. Kinnear
5	                                                                M. Stapp
6	                                                                   Cisco
7	                                                          April 12, 2007

9	                    Virtual Subnet Selection Option
10	                    draft-ietf-dhc-vpn-option-06.txt

12	Status of this Memo

14	   By submitting this Internet-Draft, each author represents that any
15	   applicable patent or other IPR claims of which he or she is aware
16	   have been or will be disclosed, and any of which he or she becomes
17	   aware will be disclosed, in accordance with Section 6 of BCP 79.

19	   Internet-Drafts are working documents of the Internet Engineering
20	   Task Force (IETF), its areas, and its working groups.  Note that
21	   other groups may also distribute working documents as Internet-
22	   Drafts.

24	   Internet-Drafts are draft documents valid for a maximum of six months
25	   and may be updated, replaced, or obsoleted by other documents at any
26	   time.  It is inappropriate to use Internet-Drafts as reference
27	   material or to cite them other than as "work in progress."

29	   The list of current Internet-Drafts can be accessed at
30	   http://www.ietf.org/ietf/1id-abstracts.txt.

32	   The list of Internet-Draft Shadow Directories can be accessed at
33	   http://www.ietf.org/shadow.html.

35	   This Internet-Draft will expire on October 14, 2007.

37	Copyright Notice

39	   Copyright (C) The IETF Trust (2007).

41	Abstract

43	   This memo defines a new DHCP option for passing Virtual Subnet
44	   Selection (VSS) information between the DHCP client and the DHCP
45	   server.  It is intended for use primarily by DHCP proxy clients in
46	   situations where VSS information needs to be passed to the DHCP
47	   server for proper address allocation to take place.

49	   The option number currently in use is TBD.  This memo documents the
50	   current usage of the option in agreement with [7], which declares
51	   that any pre-existing usages of option numbers in the range 128 - 223
52	   should be documented and the working group will try to officially
53	   assign those numbers to those options.

55	Table of Contents

57	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
58	   2.  Conventions  . . . . . . . . . . . . . . . . . . . . . . . . .  4
59	   3.  VSS Information Definition . . . . . . . . . . . . . . . . . .  5
60	   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
61	   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  8
62	   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  9
63	   7.  Informative References . . . . . . . . . . . . . . . . . . . . 10
64	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
65	   Intellectual Property and Copyright Statements . . . . . . . . . . 12

67	1.  Introduction

69	   There is a growing use of Virtual Private Network (VPN)
70	   configurations.  The growth comes from many areas; individual client
71	   systems needing to appear to be on the home corporate network even
72	   when traveling, ISPs providing extranet connectivity for customer
73	   companies, etc.  In some of these cases there is a need for the DHCP
74	   server to know the VPN (hereafter called a "Virtual Subnet Selector"
75	   or "VSS") from which an address, and other resources, should be
76	   allocated.

78	   If the allocation is being done through a DHCP relay, then a relay
79	   suboption could be included.  In some cases, however an IP address is
80	   being sought by a DHCP proxy on behalf of a client (would may be
81	   assigned the address via a different protocol).  In this case, there
82	   is a need to include VSS information relating to the client as a DHCP
83	   option.

85	   A good example might be a dial-in aggregation device where PPP
86	   addresses are acquired via DHCP and then given to the remove customer
87	   system via IPCP.  In a network where such a device is used to
88	   aggregate PPP dial-in from multiple companies, each company may be
89	   assigned a unique VSS.

91	   This memo defines a new DHCP [2] option, the VSS Information option,
92	   which allows the DHCP client to specify the VSS Information needed in
93	   order to allocate an address.  If the receiving DHCP server
94	   understands the VSS Information option, this information may be used
95	   in conjunction with other information in determining the subnet on
96	   which to select an address as well as other information such as DNS
97	   server, default router, etc.

99	2.  Conventions

101	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
102	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this
103	   document are to be interpreted as described in [1].

105	3.  VSS Information Definition

107	   The VSS Information option is a DHCP option [3].  The option contains
108	   generalized VSS information in one of two formats: NVT ASCII VPN
109	   identifier, or RFC2685 VPN-ID [4].

111	   The format of the option is:

113	    Code   Len   Type   VSS Information octets
114	   +-----+-----+------+-----+-----+-----+---
115	   | TBD |  n  |  t   | v1  | v2  | v3  | ...
116	   +-----+-----+------+-----+-----+-----+---

118	   Type:   0       NVT ASCII VPN identifier
119	           1       RFC2685 VPN-ID
120	           2-255   Not Allowed

122	                                 Figure 1

124	   The option minimum length (n) is 2.

126	   There are two types of identifiers which can be placed in the VSS
127	   Information Option.  The first type of identifier which can be placed
128	   in the VSS Information Option is an NVT ASCII string.  It MUST NOT be
129	   terminated with a zero byte.

131	   The second type of identifier which can be placed in the VSS
132	   Information Option is an RFC2685 VPN-ID [4], which is typically 14
133	   hex digits in length (though it can be any length as far as the VSS
134	   Information Option is concerned).

136	   If the type field is set to zero (0), it indicates that all following
137	   bytes of the option contain a NVT ASCII string.  This string MUST NOT
138	   be terminated with a zero byte.

140	   If the type field is set to one (1), it indicates that all following
141	   bytes should be interpreted in agreement with RFC2685 as a VPN
142	   Identifier, typically 14 hex digits.

144	   All other values of the type field are invalid as of this memo and
145	   VSS options containing any other value than zero (0) or one (1)
146	   SHOULD be ignored.

148	   Any VSS information contained in a DHCP Relay Suboption SHOULD
149	   override the information contained in this VSS Information option.
150	   [8]

152	   Servers configured to support this option MUST return an identical
153	   copy of the option to any client that sends it, regardless of whether
154	   or not the client requests the option in a parameter request list.
155	   Clients using this option MUST discard DHCPOFFER or DHCPACK packets
156	   that do not contain this option.

158	   This option provides the DHCP server additional information upon
159	   which to make a determination of address to be assigned.  The DHCP
160	   server, if it is configure to support this option, should use this
161	   information in addition to other options included in the DHCPDISCOVER
162	   packet in order to assign an IP address for DHCP client.

164	   In the event that a VSS Informmation Option and a VSS Information
165	   Relay Suboption are both received in a particular DHCP client packet,
166	   the information from the VSS Information Suboption MUST be used in
167	   preference to the information in the VSS Information Option.

169	   Servers that do not understand this option will allocate an address
170	   using their normal algorithms and will not return this option in the
171	   DHCPOFFER or DHCPACK.  In this case the client will discard the
172	   DHCPOFFER or DHCPACK.  Servers that understand this option but are
173	   administratively configured to ignore the option MUST ignore the
174	   option, use their normal algorithms to allocate an address, and MUST
175	   NOT return this option in the DHCPOFFER or DHCPACK.  In this case the
176	   client will discard the DHCPOFFER or DHCPACK.  In other words, this
177	   option MUST NOT appear in a DHCPOFFER from a server unless it was
178	   used by the server in making the address allocation requested.

180	4.  Security Considerations

182	   Message authentication in DHCP for intradomain use where the out-of-
183	   band exchange of a shared secret is feasible is defined in [5].
184	   Potential exposures to attack are discussed in section 7 of the DHCP
185	   protocol specification in [2].

187	   The VSS Information option could be used by a client in order to
188	   obtain an IP address from a VSS other than the one where it should.
189	   DHCP relays MAY choose to remove the option before passing on
190	   DHCPDISCOVER packets.  Another possible defense would be for the DHCP
191	   relay to insert a Relay option containing a VSS Information
192	   Suboption, which would override the DHCP VSS Information option.

194	   This option would allow a client to perform a more complete address-
195	   pool exhaustion attack since the client would no longer be restricted
196	   to attacking address-pools on just its local subnet.

198	   Servers that implement the VSS Information option MUST by default
199	   disable use of the feature; it must specifically be enabled through
200	   configuration.  Moreover, a server SHOULD provide the ability to
201	   selectively enable use of the feature under restricted conditions,
202	   e.g., by enabling use of the option only from explicitly configured
203	   client-ids, enabling its use only by clients on a particular subnet,
204	   or restricting the VSSs from which addresses may be requested.

206	   This option SHOULD NOT be used without also making use of the DHCP
207	   Authentication option [5].

209	5.  IANA Considerations

211	   IANA is requested to assign option number 221 for this option, in
212	   accordance with [7].  Option 221 has been used for this option and
213	   there were no conflicting users of option 221 identified during the
214	   6-month notification period specified in [7].  No assignment of
215	   values for the type field need be made at this time.  New values may
216	   only be defined by IETF Consensus, as described in [6].  Basically,
217	   this means that they are defined by RFCs approved by the IESG.

219	   Moreover, any changes or additions to the type byte codes MUST be
220	   made concurrently in the type byte codes of the VSS Information
221	   Option.  The type bytes and data formats of the VSS Information
222	   Option and VSS Information Suboption MUST always be identical.

224	6.  Acknowledgements

226	   This document is the result of work done within Cisco Systems.
227	   Thanks to Kim Kinnear, Mark Stapp, and Jay Kumarasamy for their work
228	   on this option definition and the other related work for which this
229	   is necessary.

231	7.  Informative References

233	   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
234	        Levels", BCP 14, RFC 2119, March 1997.

236	   [2]  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
237	        March 1997.

239	   [3]  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
240	        Extensions", RFC 2132, March 1997.

242	   [4]  Fox, B. and B. Gleeson, "Virtual Private Networks Identifier",
243	        RFC 2685, September 1999.

245	   [5]  Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
246	        RFC 3118, June 2001.

248	   [6]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
249	        Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.

251	   [7]  Volz, B., "Reclassifying Dynamic Host Configuration Protocol
252	        version 4 (DHCPv4) Options", RFC 3942, November 2004.

254	   [8]  Kinnear, K., "Virtual Subnet Selection Sub-Option for the Relay
255	        Agent Information Option  for DHCPv4",
256	        draft-ietf-dhc-agent-vpn-id-04 (work in progress), March 2007.

258	Authors' Addresses

260	   Richard A. Johnson
261	   Cisco Systems
262	   170 W. Tasman Dr.
263	   San Jose, CA  95134
264	   US

266	   Phone: +1 408 526 4000
267	   Email: raj@cisco.com

269	   Jay Kumarasamy
270	   Cisco Systems
271	   170 W. Tasman Dr.
272	   San Jose, CA  95134
273	   US

275	   Phone: +1 408 526 4000
276	   Email: jayk@cisco.com

278	   Kim Kinnear
279	   Cisco Systems
280	   250 Apollo Drive
281	   Chelmsford, MA  01824
282	   US

284	   Phone: +1 978 244 8000
285	   Email: kkinnar@cisco.com

287	   Mark Stapp
288	   Cisco Systems
289	   250 Apollo Drive
290	   Chelmsford, MA  01824
291	   US

293	   Phone: +1 978 244 8000
294	   Email: mjs@cisco.com

296	Full Copyright Statement

298	   Copyright (C) The IETF Trust (2007).

300	   This document is subject to the rights, licenses and restrictions
301	   contained in BCP 78, and except as set forth therein, the authors
302	   retain all their rights.

304	   This document and the information contained herein are provided on an
305	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
306	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
307	   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
308	   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
309	   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
310	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

312	Intellectual Property

314	   The IETF takes no position regarding the validity or scope of any
315	   Intellectual Property Rights or other rights that might be claimed to
316	   pertain to the implementation or use of the technology described in
317	   this document or the extent to which any license under such rights
318	   might or might not be available; nor does it represent that it has
319	   made any independent effort to identify any such rights.  Information
320	   on the procedures with respect to rights in RFC documents can be
321	   found in BCP 78 and BCP 79.

323	   Copies of IPR disclosures made to the IETF Secretariat and any
324	   assurances of licenses to be made available, or the result of an
325	   attempt made to obtain a general license or permission for the use of
326	   such proprietary rights by implementers or users of this
327	   specification can be obtained from the IETF on-line IPR repository at
328	   http://www.ietf.org/ipr.

330	   The IETF invites any interested party to bring to its attention any
331	   copyrights, patents or patent applications, or other proprietary
332	   rights that may cover technology that may be required to implement
333	   this standard.  Please address the information to the IETF at
334	   ietf-ipr@ietf.org.

336	Acknowledgment

338	   Funding for the RFC Editor function is provided by the IETF
339	   Administrative Support Activity (IASA).