idnits 2.17.1 draft-ietf-dhc-vpn-option-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC3942]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 4, 2009) is 5525 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415) ** Obsolete normative reference: RFC 3633 (Obsoleted by RFC 8415) -- Obsolete informational reference (is this intentional?): RFC 5226 (Obsoleted by RFC 8126) Summary: 4 errors (**), 0 flaws (~~), 1 warning (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DHC Working Group Kim Kinnear 3 Internet Draft Richard Johnson 4 Intended Status: Standards Track Mark Stapp 5 Expires: September 4, 2009 Jay Kumarasamy 6 Cisco Systems 7 March 4, 2009 9 Virtual Subnet Selection Options for DHCPv4 and DHCPv6 10 12 Status of this Memo 14 This Internet-Draft is submitted to IETF in full conformance with the 15 provisions of BCP 78 and BCP 79. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on September 4, 2009 35 Copyright Notice 37 Copyright (c) 2009 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents in effect on the date of 42 publication of this document (http://trustee.ietf.org/license-info). 43 Please review these documents carefully, as they describe your rights 44 and restrictions with respect to this document. 46 Abstract 48 This memo defines a Virtual Subnet Selection (VSS) option for DHCPv4 49 and DHCPv6, and a DHCPv4 relay-agent-information sub-option. These 50 are intended for use by DHCP clients, relay agents, and proxy clients 51 in situations where VSS information needs to be passed to the DHCP 52 server for proper address or prefix allocation to take place. 54 For the DHCPv4 option and relay-agent-information sub-option, this 55 memo documents existing usage as per RFC 3942 [RFC3942]. 57 Table of Contents 59 1. Introduction................................................. 2 60 2. Terminology.................................................. 3 61 3. Virtual Subnet Selection Option and Sub-Option Definitions... 5 62 3.1. DHCPv4 Virtual Subnet Selection Option..................... 5 63 3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 5 64 3.3. DHCPv6 Virtual Subnet Selection Option..................... 6 65 3.4. Virtual Subnet Selection Type and Information.............. 6 66 4. Overview of Virtual Subnet Selection Usage................... 7 67 5. Relay Agent Behavior......................................... 10 68 5.1. VPN assignment by the DHCP server.......................... 12 69 5.2. DHCP Leasequery............................................ 13 70 6. Client Behavior.............................................. 13 71 7. Server Behavior.............................................. 14 72 7.1. Returning the DHCPv4 or DHCPv6 Option...................... 15 73 7.2. Returning the DHCPv4 Sub-Option............................ 15 74 7.3. Making sense of conflicting VSS information................ 16 75 8. Security..................................................... 16 76 9. IANA Considerations.......................................... 17 77 10. Acknowledgments............................................. 18 78 11. References.................................................. 18 79 11.1. Normative References...................................... 18 80 11.2. Informative References.................................... 19 81 12. Authors' Addresses.......................................... 20 83 1. Introduction 85 There is a growing use of Virtual Private Network (VPN) 86 configurations. The growth comes from many areas; individual client 87 systems needing to appear to be on the home corporate network even 88 when traveling, ISPs providing extranet connectivity for customer 89 companies, etc. In some of these cases there is a need for the DHCP 90 server to know the VPN (hereafter called a "Virtual Subnet Selector" 91 or "VSS") from which an address, and other resources, should be 92 allocated. 94 This memo defines a Virtual Subnet Selection (VSS) option for DHCPv4 95 and DHCPv6, and a DHCPv4 relay-agent-information sub-option. These 96 are intended for use by DHCP clients, relay agents, and proxy clients 97 in situations where VSS information needs to be passed to the DHCP 98 server for proper address or prefix allocation to take place. If the 99 receiving DHCP server understands the VSS option or sub-option, this 100 information may be used in conjunction with other information in 101 determining the subnet on which to select an address as well as other 102 information such as DNS server, default router, etc. 104 If the allocation is being done through a DHCPv4 relay, then the 105 relay sub-option defined here should be included. In some cases, 106 however an IP address is being sought by a DHCPv4 proxy on behalf of 107 a client (which may be assigned the address via a different 108 protocol). In this case, there is a need to include VSS information 109 relating to the client as a DHCPv4 option. 111 If the allocation is being done through a DHCPv6 relay, then the 112 DHCPv6 VSS option defined in this document should be included in the 113 Relay-forward and Relay-reply message going between the DHCPv6 relay 114 and server. In some cases, addresses or prefixes are being sought by 115 a DHCPv6 proxy on behalf of a client. In this case, there is a need 116 for the client itself to supply the VSS information using the DHCPv6 117 VSS option in the messages that it sends to the DHCPv6 server. 119 In the remaining text of this document, when a DHCPv6 address is 120 indicated the same information applies to DHCPv6 Prefix Delegation 121 [RFC3633] as well. 123 2. Terminology 125 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 126 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 127 document are to be interpreted as described in RFC 2119 [RFC2119]. 129 This document uses the following terms: 131 o "DHCP client" 133 A DHCP client is a host using DHCP to obtain configuration 134 parameters such as a network address. 136 o "DHCP proxy" 138 A DHCP proxy is a DHCP client which acquires IP addresses not 139 for its own use, but rather on behalf of another entity. There 140 are a variety of ways that a DHCP proxy can supply the addresses 141 it acquires to other entities that need them. 143 o "DHCP relay agent" 145 A DHCP relay agent is an agent that transfers BOOTP and DHCP 146 messages between clients and servers residing on different 147 subnets, per [RFC951], [RFC1542], and [RFC3315]. 149 o "DHCP server" 151 A DHCP server is a host that returns configuration parameters to 152 DHCP clients. 154 o "DHCPv4 option" 156 An option used to implement a capability defined by the DHCPv4 157 RFCs [RFC2131][RFC2132]. These options have one-octet code and 158 size fields. 160 o "DHCPv4 sub-option" 162 As used in this document, a DHCPv4 sub-option refers to a sub- 163 option of the relay-agent-information option [RFC3046]. These 164 sub-options have one-octet code and size fields. 166 o "DHCPv6 option" 168 An option used to implement a capability defined by the DHCPv6 169 RFC [RFC3315]. These options have two-octet code and size 170 fields. 172 o "downstream" 174 Downstream is the direction from the access concentrator towards 175 the subscriber. 177 o "upstream" 179 Upstream is the direction from the subscriber towards the access 180 concentrator. 182 o "VSS information" 184 Information about a VPN necessary to allocate an address to a 185 DHCP client on that VPN and necessary to forward a DHCP reply 186 packet to a DHCP client on that VPN. 188 o "VPN" 190 Virtual private network. A network which appears to the client 191 to be a private network. 193 o "VPN Identifier" 195 The VPN-ID is defined by [RFC2685] to be a sequence of 7 octets. 197 3. Virtual Subnet Selection Option and Sub-Option Definitions 199 The Virtual Subnet Selection options and sub-option contain a 200 generalized way to specify the VSS information about a VPN. There 201 are two options and one sub-option defined in this section. The 202 actual VSS information is identical in each. 204 3.1. DHCPv4 Virtual Subnet Selection Option 206 The format of the option is: 208 0 1 2 3 209 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 210 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 211 | Code | Length | Type | VSS Info ... 212 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 214 Code The option code (221). 216 Length The option length, minimum 1 octets. 218 Type and VSS Information -- see Section 3.4 220 3.2. DHCPv4 Virtual Subnet Selection Sub-Option 222 This is a sub-option of the relay-agent-information option [RFC3046]. 223 The format of the sub-option is: 225 0 1 2 3 226 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 227 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 228 | Code | Length | Type | VSS Info. ... 229 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 231 Code The sub-option code (151). 233 Length The option length, minimum 1 octets. 235 Type and VSS Information -- see Section 3.4 237 3.3. DHCPv6 Virtual Subnet Selection Option 239 The format of the DHCPv6 Virtual Subnet Selection option is shown 240 below. This option may be included by a client or relay-agent (or 241 both). 243 0 1 2 3 244 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 245 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 246 | OPTION_VSS | option-len | 247 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 248 | Type | VSS Information ... | 249 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 251 option-code OPTION_VSS (TBD). 253 option-len The number of octets in the option, minimum 1. 255 Type and VSS Information -- see Section 3.4 257 3.4. Virtual Subnet Selection Type and Information 259 All of the (sub)options defined above carry identical payloads, 260 consisting of a type and additional VSS information as follows: 262 Type VSS Information format: 264 0 NVT ASCII VPN identifier 265 1 RFC2685 VPN-ID 266 2-254 Not Allowed 267 255 Global, default VPN. 269 o Type 0 -- NVT ASCII VPN identifier 271 Indicates that the VSS information consists of a NVT ASCII 272 string. It MUST NOT be terminated with a zero byte. 274 o Type 1 -- RFC2685 VPN-ID 276 Indicates that the VSS information consists of an RFC2685 VPN-ID 277 [RFC2685], which is defined to be 7 octets in length. 279 o Type 255 -- Global, default VPN 281 Indicates that there is no explicit, non-default VSS information 282 but rather that this option references the normal, global, 283 default address space. In this case, there MUST NOT be any VSS 284 Information and the length of the VSS option MUST be 1. 286 All other values of the Type field are invalid as of this memo and 287 a VSS option with a Type field containing any value other than 288 zero (0), one (1), or 255 SHOULD be ignored. 290 4. Overview of Virtual Subnet Selection Usage 292 At the highest level, the VSS option or sub-option determines the VPN 293 on which a DHCP client is supposed to receive an IP address. How the 294 option or sub-option is entered and processed is discussed below, but 295 the point of all of the discussion is to determine the VPN on which 296 the DHCP client resides. This will affect a relay agent, in that it 297 will have to ensure that DHCP packets sent to and received from the 298 DHCP client flow over the correct VPN. This will affect the DHCP 299 server in that it determines the IP address space used for the IP 300 address allocation. 302 A DHCP server has as part of its configuration some IP address space 303 from which it allocates IP addresses to DHCP clients. These 304 allocations are typically for a limited time, and thus the DHCP 305 client gets a lease on the IP address. In the absence of any VPN 306 information, the IP address space is in the global or default VPN 307 used throughout the Internet. When a DHCP server deals with VPN 308 information, each VPN defines a new address space inside the server, 309 one distinct from the global or default IP address space. A server 310 which supports the VSS option or sub-option thereby supports 311 allocation of IP addresses from multiple different VPNs. Supporting 312 IP address allocation from multiple different VPNs means that the 313 DHCP server must be prepared to configure multiple different address 314 spaces (one per distinct VPN) and allocate IP addresses from these 315 different address spaces. 317 These address spaces are typically independent, so that the same IP 318 address could be allocated to one client in the global, default VPN, 319 and to a different client residing in a different VPN. There is no 320 conflict in this allocation, since the clients have essentially 321 different IP addresses. The IPv4 or IPv6 address is qualified by the 322 VPN. 324 Thus a VSS option or sub-option is a way of signaling the use of a 325 VPN other than the global or default VPN. The next question is: who 326 decides what VPN a DHCP client should be using? 328 There are three entities which can either insert a VSS option or 329 sub-option into a DHCPv4 packet or DHCPv6 message; a DHCP client, a 330 relay agent, or a DHCPv4 or DHCPv6 server. While all of these 331 entities could include a different VSS option or sub-option in every 332 request or response, this situation is neither typical nor useful. 333 There are two known paradigms for use of the VSS option or sub- 334 option, which are discussed below. 336 The typical use of the VSS option or sub-option is for the relay 337 agent to know the VPN on which the DHCP client is operating. The 338 DHCP client itself does not, in this scenario, know the VPN on which 339 it resides. The relay agent is responsible for mediating the access 340 between the VPN on which the DHCP client resides and the DHCP server. 341 In this situation, the relay agent will insert a VSS sub-option into 342 the relay-agent-information option (for DHCPv4) or a VSS option into 343 the Relay-forward message (for DHCPv6) of every request it forwards 344 from the DHCP client. The server will use the VSS option or sub- 345 option to determine the VPN on which the client resides, and use that 346 VPN information to select the address space within its configuration 347 from which to allocate an IP address to the DHCP client. 349 In this scenario, the relay agent might also send a VSS option or 350 sub-option in either a DHCPv4 or DHCPv6 Leasequery request, but in 351 this case, it would use the VSS option in the Leasequery request to 352 select the correct address space for the Leasequery. In this 353 scenario, the relay agent would be acting as a DHCP client from a 354 Leasequery standpoint, but it would not be as if a DHCP client were 355 sending in a VSS option in a standard DHCP address allocation 356 request, say a DHCPDISCOVER. 358 In this scenario, only one relay agent would mediate the VPN access 359 for the DHCP client to the DHCP server, and it would be the relay 360 agent which inserts the VSS information into the request packet and 361 would remove it prior to forwarding the response packet on. 363 The DHCP server would know that it should respond to VPN information 364 specified in a VSS option or sub-option, and it would be configured 365 with appropriate VPN address spaces to service the projected client 366 requirements. Thus, in this common scenario, the DHCP client knows 367 nothing of any VPN access, the relay agent has been configured in 368 some way that allows it to determine the VPN of the DHCP client and 369 transmit that using a VSS option or sub-option to the DHCP server, 370 and the DHCP server responds to the VPN specified by the relay agent. 371 There is no conflict between different entities trying to specify 372 different VSS information -- each entity knows its role through 373 policy or configuration external to this document. 375 It is important to ensure that each entity in this scenario both 376 supports the VSS option and sub-option (for DHCPv4) or the VSS option 377 (for DHCPv6), and that it is configured correctly. Deploying relay 378 agents which support and emit VSS sub-options in concert with DHCPv4 379 servers which do not support the VSS option or sub-option as defined 380 in this document SHOULD NOT be done, as such an ensemble will not 381 operate correctly together because all of the IP addresses will be 382 allocated from the global or default VPN regardless of the VPN on 383 which the client's reside. 385 In the second scenario, the DHCP server would be configured in some 386 way to know the VPN on which a particular DHCP client should be given 387 access. The DHCP server would in this case include the VSS sub- 388 option in the relay-agent-information option for DHCPv4 or the VSS 389 option in the Relay-reply message for DHCPv6. The relay agent 390 responsible for mediating VPN access would use this information to 391 select the correct VPN for the DHCP client. In the event that there 392 were more than one relay agent involved in this transaction, some 393 external configuration or policy would be needed to inform the DHCPv6 394 server into which Relay-reply message the VSS option should go. 396 Once the relay agent has placed the DHCP client into the proper VPN, 397 it SHOULD begin including VSS information in requests that it 398 forwards to the DHCP server. Since this information does not 399 conflict with the DHCP server's idea of the proper VPN for the 400 client, everything works correctly. 402 In this second scenario, the DHCP client is again unaware of any VPN 403 activity. In this case, however, the DHCP server knows the VPN for 404 the client, and the relay agent responds to the VSS information 405 specified by the DHCP server. Similar to the first scenario, each 406 entity knows its role through a means external to this document and 407 no two entities try to specify VSS information in conflict. 409 Again, in this scenario, it is important that both the relay agent as 410 well as the DHCP server both support the VSS option and sub-option 411 (for DHCPv4) and the VSS option (for DHCPv6). Deploying and 412 configuring VPN support in one element and not in the other is not a 413 practical approach. 415 There are many other scenarios which can be created with multiple 416 relay agents each inserting VSS information into different Relay- 417 forward messages, relay agent VSS information conflicting with client 418 VSS information, or DHCP server VSS information conflicting with 419 relay agent and client VSS information. Since these scenarios do not 420 describe situations that are useful today, specifying precisely how 421 to resolve all of these conflicts is unlikely to be valuable in the 422 event that these scenarios actually become practical in the future. 424 The current use of the VSS option and sub-option require that each 425 entity knows the part that it plays in dealing with VPN data. Each 426 entity -- client, relay agent or agents, and server -- SHOULD know 427 through some policy or configuration beyond the scope of this 428 document whether it is responsible for specifying VPN information 429 using the VSS option or sub-option or responsible for responding to 430 VSS information specified by another entity, or simply ignoring any 431 VSS information which it might see. 433 Some simple conflict resolution approaches are discussed below, in 434 the hopes that they will cover simple cases that may arise from 435 scenarios beyond those envisioned today. However, for more complex 436 scenarios, or simple scenarios where appropriate conflict resolution 437 strategies differ from those discussed in this document, a document 438 detailing the usage scenarios and appropriate conflict resolution 439 strategies SHOULD be created and submitted for discussion and 440 approval. 442 5. Relay Agent Behavior 444 A relay agent which receives a DHCP request from a DHCP client on a 445 VPN SHOULD include Virtual Subnet Selection information in the DHCP 446 packet prior to forwarding the packet on to the DHCP server unless 447 inhibited from doing so by configuration information or policy to the 448 contrary. 450 A DHCPv4 relay agent SHOULD include a DHCPv4 VSS sub-option in a 451 relay-agent-information option [RFC3046], while a DHCPv6 relay agent 452 SHOULD include a DHCPv6 VSS option in the Relay-forward message. 454 The value placed in the Virtual Subnet Selection sub-option or option 455 SHOULD be sufficient for the relay agent to properly route any DHCP 456 reply packet returned from the DHCP server to the DHCP client for 457 which it is destined. 459 Anytime a relay agent places a VSS option or sub-option in a DHCP 460 request, it MUST send it only to a DHCP server which supports the VSS 461 option or sub-option. 463 Since this option or sub-option is placed in the packet in order to 464 specify the VPN on which an IP address is allocated for a particular 465 DHCP client, one presumes that an allocation on that VPN is necessary 466 for correct operation. If this presumption is correct, then a relay 467 agent which places this option in a packet and doesn't receive it (or 468 receives a different value than that sent to the server) in the 469 returning packet should drop the packet since the IP address that was 470 allocated will not be in the correct VPN. If an IP address that is 471 on the requested VPN is not required, then the relay agent is free to 472 accept the IP address that is not on the VPN that was requested. 474 The converse, however, is more complicated. In the DHCPv6 case, the 475 appearance of the option in the Relay-reply packet does indeed 476 indicate that the DHCPv6 server understood and acted upon the 477 contents of the VSS option in the Relay-forward packet. In the 478 DHCPv4 case, however, the appearance of the sub-option in the relay- 479 agent-information option received by the relay agent does not 480 necessarily indicate that the DHCPv4 server even understood, let 481 alone acted correctly upon, the VSS sub-option that it received. 483 The reason is that [RFC3046] specifies that a DHCPv4 server which 484 supports the relay-agent-information option SHALL copy all sub- 485 options received in a relay-agent-information option into any 486 outgoing relay-agent-information option. Because of these 487 requirements, even a DHCPv4 server which doesn't implement support 488 for the Virtual Subnet Selection sub-option will almost certainly 489 copy it into the outgoing relay-agent-information option. This means 490 that the appearance of the Virtual Subnet Selection sub-option in a 491 relay-agent-information option doesn't indicate support for the 492 Virtual Subnet Selection sub-option. 494 There are only two pieces of information which can be determined from 495 the appearance or lack of appearance of the DHCPv4 Virtual Subnet 496 Selection sub-option in a relay-agent-information option received by 497 a relay agent from a DHCPv4 server. First, if the Virtual Subnet 498 Selection sub-option does not appear, then the server was able to 499 support this sub-option but chose not to do so. Second, if the 500 Virtual Subnet Selection sub-option appears and has a different value 501 than the one originally included in the relay-agent-information 502 option, then the DHCP server was able to support this sub-option and 503 allocated an address using different VSS information than was 504 originally provided by the relay agent. 506 Thus, if a DHCPv4 relay agent has a requirement to determine if the 507 address allocated by a DHCPv4 server is on a particular VPN, it must 508 use some other approach than the appearance of the VSS sub-option in 509 the reply packet to make this determination. 511 This document does not create a requirement that a relay agent 512 remember the contents of a VSS DHCPv4 sub-option or VSS DHCPv6 option 513 sent to a DHCP server. In many cases, the relay agent may simply use 514 the value of the VSS returned by the DHCP server to forward the 515 response to the DHCP client. If the VSS information, the IP address 516 allocated, and the VPN capabilities of the relay agent all 517 interoperate correctly, then the DHCP client will receive a working 518 IP address. Alternatively, if any of these items don't interoperate 519 with the others, the DHCP client will not receive a working address. 521 Note that in some environments a relay agent may choose to always 522 place a VSS option or sub-option into packets and messages that it 523 forwards in order to forestall any attempt by a downstream relay 524 agent or client to specify VSS information. In this case, a type 525 field of 255 is used to denote the global, default VPN. When the 526 type field of 255 is used, there MUST NOT be any additional VSS 527 Information in the VSS option. 529 5.1. VPN assignment by the DHCP server 531 In some cases, a DHCP server may use the Virtual Subnet Selection 532 sub-option or option to inform a relay agent that a particular DHCP 533 client is associated with a particular VPN. It does this by sending 534 the Virtual Subnet Selection sub-option or option with the 535 appropriate information to the relay agent in the relay-agent- 536 information option for DHCPv4 or the Relay-reply message in DHCPv6. 537 If the relay agent is unable to honor the DHCP server's requirement 538 to place the DHCP client into that VPN it MUST drop the packet and 539 not send it to the DHCP client. 541 The DHCP server MUST NOT place VSS information in an outgoing packet 542 if the relay agent or DHCP client is unprepared to properly interpret 543 the VSS information. 545 In this situation, once the relay agent has placed the DHCP client 546 into the VPN specified by the DHCP server, it will send in a VSS 547 option or sub-option when forwarding packets from the client. The 548 DHCP server in normal operation will echo this VSS information into 549 the outgoing replies. 551 5.2. DHCP Leasequery 553 Sometimes a relay-agent needs to submit a DHCP Leasequery [RFC4388] 554 [RFC5007] packet to the DHCP server in order to recover information 555 about existing DHCP allocated IP addresses on other than the normal, 556 global VPN. In the context of a DHCP Leasequery the relay agent is a 557 direct client of the DHCP server and is not relaying a packet for 558 another DHCP client. Thus, the instructions in Section 6 on Client 559 Behavior should be followed to include the necessary VSS information. 561 6. Client Behavior 563 A DHCPv4 or DHCPv6 client will employ the VSS option to communicate 564 VSS information to their respective servers. This information MUST 565 be included in every message concerning any IP address on a different 566 VPN than the global or default VPN. A DHCPv4 client will place the 567 DHCPv4 VSS option in its packets, and a DHCPv6 client will place the 568 DHCPv6 VSS option in its messages. 570 A DHCPv6 client that needs to place a VSS option into a DHCPv6 571 message SHOULD place a single VSS option into the DHCPv6 message at 572 the same level as the Client Identifier option. A DHCPv6 client MUST 573 NOT include different VSS options in the same DHCPv6 message. 575 Note that, as mentioned in Section 1, throughout this document when a 576 DHCPv6 address is indicated the same information applies to DHCPv6 577 Prefix Delegation [RFC3633] as well. 579 Since this option is placed in the packet in order to change the VPN 580 on which an IP address is allocated for a particular DHCP client, one 581 presumes that an allocation on that VPN is necessary for correct 582 operation. If this presumption is correct, then a client which 583 places this option in a packet and doesn't receive it or receives a 584 different value in the returning packet should drop the packet since 585 the IP address that was allocated will not be in the correct VPN. If 586 an IP address that is on the requested VPN is not required, then the 587 client is free to accept the IP address that is not on the VPN that 588 the was requested. 590 Clients should be aware that some DHCP servers will return a VSS 591 option with different values than that which was sent in. In 592 addition, a client may receive a response from a DHCP server with a 593 VSS option when none was sent in by the Client. 595 Note that when sending a DHCP Leasequery request, a relay agent is 596 acting as a DHCP client and so it should include the respective 597 DHCPv4 or DHCPv6 VSS option in its DHCPv4 or DHCPv6 Leasequery packet 598 if the DHCP Leasequery request is generated for other than the 599 default, global VPN. It should not include a DHCPv4 sub-option in 600 this case. 602 7. Server Behavior 604 A DHCP server receiving the VSS option or sub-option SHOULD allocate 605 an IP address (or use the VSS information to access an already 606 allocated IP address) from the VPN specified by the included VSS 607 information. 609 In the case where the type field of the VSS option or sub-option is 610 255, the VSS option denotes the global, default VPN. In this case, 611 there is no explicit VSS information beyond the type field. 613 This document does not prescribe any particular address allocation 614 policy. A DHCP server may choose to attempt to allocate an address 615 using the VSS information and, if this is impossible, to not allocate 616 an address. Alternatively, a DHCP server may choose to attempt 617 address allocation based on the VSS information and, if that is not 618 possible, it may fall back to allocating an address on the global or 619 default VPN. This, of course, is also the apparent behavior of any 620 DHCP server which doesn't implement support for the VSS option and 621 sub-option. Thus, DHCP clients and relay agents SHOULD be prepared 622 for either of these alternatives. 624 In some cases, a DHCP server may use the Virtual Subnet Selection 625 sub-option or option to inform a relay agent that a particular DHCP 626 client is associated with a particular VPN. It does this by sending 627 the Virtual Subnet Selection sub-option or option with the 628 appropriate information to the relay agent in the relay-agent- 629 information option for DHCPv4 or the Relay-reply message in DHCPv6. 631 In this situation, the relay agent will place the client in the 632 proper VPN, and then it will send in a VSS option or sub-option in 633 subsequent forwarded requests. The DHCP server will see this VSS 634 information and since it doesn't conflict in any way with the 635 server's notion of the VPN on which the client is supposed to reside, 636 it will process the requests based on the VPN specified in the VSS 637 option or sub-option, and echo the same VSS information in the 638 outgoing replies. 640 In a similar manner, a DHCP server may use the Virtual Subnet 641 Selection option to inform a DHCP client that the address (or 642 addresses) it allocated for the client is on a particular VPN. 644 In either case above, care should be taken to ensure that a client or 645 relay agent receiving a reply containing a VSS option will correctly 646 understand the VSS option. Otherwise, the client or relay agent will 647 end up using the address as though it were a global address. 649 If a server uses a different VPN than what was specified in the VSS 650 option or sub-option, it SHOULD send back the VPN information using 651 the same type as the received type. It MAY send back a different type 652 if it is not possible to use the same type (such as the RFC2685 VPN- 653 ID if no ASCII VPN identifier exists). 655 7.1. Returning the DHCPv4 or DHCPv6 Option 657 DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option 658 processing, see below) MUST return an instance of this option in the 659 reply packet or message if the server successfully uses this option 660 to allocate an IP address, and it MUST NOT include an instance of 661 this option if the server is unable to support, is not configured to 662 support, or does not implement support for VSS information in general 663 or the requested VPN in particular. 665 If they echo the option (based on the criteria above), servers SHOULD 666 return an exact copy of the option unless they desire to change the 667 VPN on which a client was configured. 669 The appearance of the DHCPv6 VSS option in the OPTION_ORO [RFC3315] 670 or the OPTION_ERO [RFC4994] should not change the processing or 671 decision to return (or not to return) the VSS option as specified in 672 this document. 674 7.2. Returning the DHCPv4 Sub-Option 676 The case of the DHCPv4 sub-option is a bit more complicated. Note 677 that [RFC3046] specifies that a DHCPv4 server which supports the 678 relay-agent-information option SHALL copy all sub-options received in 679 a relay-agent-information option into any outgoing relay-agent- 680 information option. Thus, the default behavior for any DHCPv4 server 681 is to return any VSS sub-option received to the relay agent whether 682 or not the DHCPv4 server understands the VSS sub-option. A server 683 which implements the VSS sub-option MUST include the VSS sub-option 684 in the relay-agent-information option in the reply packet if it 685 successfully acted upon the VSS information in the incoming VSS sub- 686 option. 688 Moreover, if a server uses different VSS information to allocate an 689 IP address than it receives in a particular DHCPv4 sub-option, it 690 MUST include that alternative VSS information in a sub-option that it 691 returns to the DHCPv4 relay agent. 693 If a DHCPv4 server supports this sub-option and for some reason 694 (perhaps administrative control) does not honor this sub-option from 695 the request then it MUST NOT echo this sub-option in the outgoing 696 relay-agent-information option. 698 Note that the appearance of the VSS sub-option in a reply packet from 699 a DHCPv4 server to a relay-agent does not communicate any useful 700 information about whether or not the server used the VSS sub-option 701 in its processing. However, the absence of a VSS sub-option in a 702 reply from a DHCPv4 server when a VSS sub-option was included in a 703 request to the DHCPv4 server is significant, and means that the 704 server did not use the VSS information present in the sub-option in 705 its processing. 707 7.3. Making sense of conflicting VSS information 709 It is possible for a DHCPv4 server to receive both a VSS option and a 710 VSS sub-option in the same packet. Likewise, a DHCPv6 server can 711 receive multiple VSS options in nested Relay-forward messages as well 712 as in the client message itself. In either of these cases, the VSS 713 information from the relay agent closest to the DHCP server SHOULD be 714 used in preference to all other VSS information received. In the 715 DHCPv4 case, this means that the VSS sub-option takes precedence over 716 the VSS option, and in the DHCPv6 case, this means that the VSS 717 option from the outer-most Relay-forward message in which a VSS 718 option appears takes precedence. 720 The reasoning behind this approach is that the relay-agent closer to 721 the DHCP server is almost certainly more trusted than the DHCP client 722 or more distant relay agents, and therefore information in the 723 relay-agent-information option or the Relay-forward message is more 724 likely to be correct. 726 In general, relay agents SHOULD be aware through configuration or 727 policy external to this document whether or not they should be 728 including VSS information in packets that they forward and so there 729 should not be conflicts among relay agent specified VSS information. 731 In these situations where multiple VSS option or sub-options appear 732 in the incoming packet or message, when constructing the response to 733 be sent to the DHCP client or relay agent, all existing VSS options 734 or sub-options MUST be replicated in the appropriate places in the 735 response and MUST contain the VSS information that was used by the 736 DHCP server to allocate the IP address. 738 8. Security 740 Message authentication in DHCPv4 for intradomain use where the out- 741 of-band exchange of a shared secret is feasible is defined in 742 [RFC3118]. Potential exposures to attack are discussed in section 7 743 of the DHCP protocol specification in [RFC2131]. 745 Implementations should consider using the DHCPv4 Authentication 746 option [RFC3118] to protect DHCPv4 client access in order to provide 747 a higher level of security if it is deemed necessary in their 748 environment. 750 Message authentication in DHCPv4 relay agents as defined in [RFC4030] 751 should be considered for DHCPv4 relay agents employing this sub- 752 option. Potential exposures to attack are discussed in section 7 of 753 the DHCP protocol specification in [RFC2131]. 755 For DHCPv6 use of the VSS option, the "Security Considerations" 756 section of [RFC3315] details the general threats to DHCPv6, and thus 757 to messages using the VSS option. The "Authentication of DHCP 758 Messages" section of [RFC3315] describes securing communication 759 between relay agents and servers, as well as clients and servers. 761 The VSS option could be used by a client in order to obtain an IP 762 address from any VPN. This option would allow a client to perform a 763 more complete address-pool exhaustion attack since the client would 764 no longer be restricted to attacking address-pools on just its local 765 subnet. 767 A DHCP server that implements these options and sub-option should be 768 aware of this possibility and use whatever techniques that can be 769 devised to prevent such an attack. Information such as the giaddr in 770 DHCPv4 or link address in the Relay-forward DHCPv6 message might be 771 used to detect and prevent this sort of attack. 773 One possible defense would be for the DHCP relay to insert a VSS 774 option or sub-option to override the DHCP client's VSS option. 776 Servers that implement the VSS option and sub-option MUST by default 777 disable use of the feature; it must specifically be enabled through 778 configuration. Moreover, a server SHOULD provide the ability to 779 selectively enable use of the feature under restricted conditions, 780 e.g., by enabling use of the option only from explicitly configured 781 client-ids, enabling its use only by clients on a particular subnet, 782 or restricting the VSSs from which addresses may be requested. 784 9. IANA Considerations 786 IANA is requested to assign DHCPv4 option number 221 for the DHCPv4 787 VSS option defined in Section 3.1, in accordance with [RFC3942]. 789 IANA is requested to assign sub-option number 151 for the DHCPv4 790 sub-option defined in Section 3.2 from the DHCP Relay Agent Sub- 791 options space [RFC3046], in accordance with the spirit of [RFC3942]. 792 While [RFC3942] doesn't explicitly mention the sub-option space for 793 the DHCP Relay Agent Information option [RFC3046], sub-option 151 is 794 already in use by existing implementations of this sub-option and the 795 current draft is essentially compatible with these current 796 implementations. 798 IANA is requested to assign the value of TBD for the DHCPv6 VSS 799 option defined in Section 3.3 from the DHCPv6 option registry. 801 While the type byte defined in Section 3.4 defines a number space 802 that could be managed by IANA, expansion of this number space is not 803 anticipated and so creation of a registry of these numbers is not 804 required by this document. In the event that additional values for 805 the type byte are defined in subsequent documents, IANA should at 806 that time create a registry for these type bytes. New values for the 807 type byte may only be defined by IETF Consensus, as described in 808 [RFC5226]. Basically, this means that they are defined by RFCs 809 approved by the IESG. 811 10. Acknowledgments 813 Bernie Volz recommended consolidation of the DHCPv4 option and sub- 814 option drafts after extensive review of the former drafts, and 815 provided valuable assistance in structuring and reviewing this 816 document. Alper Yegin expressed interest in the DHCPv6 VSS option, 817 resulting in this combined draft covering all three areas. Alfred 818 Hoenes provided assistance with editorial review as well as raising 819 substantive protocol issues. David Hankins and Bernie Volz each 820 raised important protocol issues which resulted in a clarified 821 document. Josh Littlefield provided editorial assistance. 823 11. References 825 11.1. Normative References 827 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 828 Requirement Levels", RFC 2119, March 1997. 830 [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, 831 March 1997. 833 [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor 834 Extensions", RFC 2132, March 1997. 836 [RFC2685] Fox, B., Gleeson, B., "Virtual Private Networks 837 Identifier", RFC 2685, September 1999. 839 [RFC3046] Patrick, M., "DHCP Relay Agent Information Option", RFC 840 3046, January 2001. 842 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and 843 M. Carney, "Dynamic Host Configuration Protocol for IPv6 844 (DHCPv6)", RFC 3315, July 2003. 846 [RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic 847 Host Configuration Protocol (DHCP) version 6", RFC 3633, December 848 2003. 850 [RFC4994] Zeng, S., Volz, B., Kinnear, K. and J. Brzozowski, "DHCPv6 851 Relay Agent Echo Request Option", RFC 4994, September 2007. 853 11.2. Informative References 855 [RFC951] Croft, B. and J. Gilmore, "Bootstrap Protocol", RFC 951, 856 September 1985. 858 [RFC1542] Wimer, W., "Clarifications and Extensions for the Bootstrap 859 Protocol", RFC 1542, October 1993. 861 [RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP 862 Messages", RFC 3118, June 2001. 864 [RFC3942] Volz, B., "Reclassifying Dynamic Host Configuration 865 Protocol version 4 (DHCPv4) Options", RFC 3942, November 2004. 867 [RFC4030] Stapp, M. and T. Lemon, "The Authentication Suboption for 868 the Dynamic Host Configuration Protocol (DHCP) Relay Agent 869 Option", RFC 4030, March 2005. 871 [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration 872 Protocol (DHCP) Leasequery", RFC 4388, February 2006. 874 [RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng, "DHCPv6 875 Leasequery", RFC 5007, September 2007. 877 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 878 IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. 880 12. Authors' Addresses 882 Kim Kinnear 883 Cisco Systems 884 1414 Massachusetts Ave. 885 Boxborough, Massachusetts 01719 887 Phone: (978) 936-0000 889 EMail: kkinnear@cisco.com 891 Richard Johnson 892 Cisco Systems 893 170 W. Tasman Dr. 894 San Jose, CA 95134 896 Phone: (408) 526-4000 898 EMail: raj@cisco.com 900 Mark Stapp 901 Cisco Systems 902 1414 Massachusetts Ave. 903 Boxborough, Massachusetts 01719 905 Phone: (978) 936-0000 907 EMail: mjs@cisco.com 909 Jay Kumarasamy 910 Cisco Systems 911 170 W. Tasman Dr. 912 San Jose, CA 95134 914 Phone: (408) 526-4000 916 EMail: jayk@cisco.com