idnits 2.17.1 draft-ietf-dhc-vpn-option-15.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC3942], [RFC3046]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC3046, updated by this document, for RFC5378 checks: 1996-12-16) -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 26, 2012) is 4473 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415) ** Obsolete normative reference: RFC 3633 (Obsoleted by RFC 8415) -- Obsolete informational reference (is this intentional?): RFC 5226 (Obsoleted by RFC 8126) Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DHC Working Group Kim Kinnear 3 Internet Draft Richard Johnson 4 Updates: 3046 Mark Stapp 5 Intended Status: Standards Track Cisco Systems 6 Expires: July 26, 2012 Jay Kumarasamy 7 January 26, 2012 9 Virtual Subnet Selection Options for DHCPv4 and DHCPv6 10 12 Status of this Memo 14 This Internet-Draft is submitted to IETF in full conformance with the 15 provisions of BCP 78 and BCP 79. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 Copyright Notice 35 Copyright (c) 2012 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (http://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 This document may contain material from IETF Documents or IETF 49 Contributions published or made publicly available before November 50 10, 2008. The person(s) controlling the copyright in some of this 51 material may not have granted the IETF Trust the right to allow 52 modifications of such material outside the IETF Standards Process. 53 Without obtaining an adequate license from the person(s) controlling 54 the copyright in such materials, this document may not be modified 55 outside the IETF Standards Process, and derivative works of it may 56 not be created outside the IETF Standards Process, except to format 57 it for publication as an RFC or to translate it into languages other 58 than English. 60 Abstract 62 This memo defines a Virtual Subnet Selection (VSS) option for each of 63 DHCPv4 and DHCPv6, and a VSS sub-option carried in the DHCPv4 relay- 64 agent-information option. These are intended for use by DHCP 65 clients, relay agents, and proxy clients in situations where VSS 66 information needs to be passed to the DHCP server for proper address 67 or prefix allocation to take place. 69 For the DHCPv4 option and relay-agent-information sub-option, this 70 memo documents existing usage as per RFC 3942 [RFC3942]. This memo 71 updates RFC 3046 [RFC3046] regarding details relating to copying of 72 sub-options (see Section 8). 74 Table of Contents 76 1. Introduction................................................. 3 77 2. Terminology.................................................. 4 78 3. Virtual Subnet Selection Option and Sub-Options Definitions.. 5 79 3.1. DHCPv4 Virtual Subnet Selection Option..................... 5 80 3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 6 81 3.3. DHCPv4 Virtual Subnet Selection Control Sub-Option......... 6 82 3.4. DHCPv6 Virtual Subnet Selection Option..................... 7 83 3.5. Virtual Subnet Selection Type and Information.............. 7 84 4. Overview of Virtual Subnet Selection Usage................... 8 85 4.1. VPN assignment by the DHCP relay agent..................... 9 86 4.2. VPN assignment by the DHCP server.......................... 12 87 4.3. Required Support........................................... 14 88 4.4. Alternative VPN assignment approaches...................... 14 89 5. Relay Agent Behavior......................................... 14 90 5.1. VPN assignment by the DHCP server.......................... 16 91 5.2. DHCP Leasequery............................................ 17 92 6. Client Behavior.............................................. 17 93 7. Server Behavior.............................................. 18 94 7.1. Returning the DHCPv4 or DHCPv6 Option...................... 19 95 7.2. Returning the DHCPv4 Sub-Option............................ 20 96 7.3. Making sense of conflicting VSS information................ 21 97 8. Updates to RFC 3046.......................................... 21 98 9. Security..................................................... 22 99 10. IANA Considerations......................................... 23 100 11. Acknowledgments............................................. 23 101 12. References.................................................. 24 102 12.1. Normative References...................................... 24 103 12.2. Informative References.................................... 24 105 1. Introduction 107 There is a growing use of Virtual Private Network (VPN) 108 configurations. The growth comes from many areas; individual client 109 systems needing to appear to be on the home corporate network even 110 when traveling, ISPs providing extranet connectivity for customer 111 companies, etc. In some of these cases there is a need for the DHCP 112 server to know the VPN (hereafter called a "Virtual Subnet Selector" 113 or "VSS") from which an address, and other resources, should be 114 allocated. 116 This memo defines a Virtual Subnet Selection (VSS) option for each of 117 DHCPv4 and DHCPv6, and a VSS sub-option carried in the DHCPv4 relay- 118 agent-information option. These are intended for use by DHCP 119 clients, relay agents, and proxy clients in situations where VSS 120 information needs to be passed to the DHCP server for proper address 121 or prefix allocation to take place. If the receiving DHCP server 122 understands the VSS option or sub-option, this information may be 123 used in conjunction with other information in determining the subnet 124 on which to select an address as well as other information such as 125 DNS server, default router, etc. 127 If the allocation is being done through a DHCPv4 relay, then the 128 relay-agent-information sub-option defined here should be included. 129 In some cases, however, an IP address is being sought by a DHCPv4 130 proxy on behalf of a client (which may be assigned the address via a 131 different protocol). In this case, there is a need to include VSS 132 information relating to the client as a DHCPv4 option. 134 If the allocation is being done through a DHCPv6 relay, then the 135 DHCPv6 VSS option defined in this document should be included in the 136 Relay-forward and Relay-reply message going between the DHCPv6 relay 137 and server. In some cases, addresses or prefixes are being sought by 138 a DHCPv6 proxy on behalf of a client. In this case, there is a need 139 for the client itself to supply the VSS information using the DHCPv6 140 VSS option in the messages that it sends to the DHCPv6 server. 142 In the remaining text of this document, when a DHCPv6 address is 143 indicated the same information applies to DHCPv6 Prefix Delegation 144 [RFC3633] as well. 146 In the remaining text of this document, when the term VSS sub-option 147 is used, it refers to the VSS sub-option carried in the DHCPv4 148 relay-agent-information option. 150 2. Terminology 152 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 153 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 154 document are to be interpreted as described in RFC 2119 [RFC2119]. 156 This document uses the following terms: 158 o "DHCP client" 160 A DHCP client is a host using DHCP to obtain configuration 161 parameters such as a network address. 163 o "DHCP proxy" 165 A DHCP proxy is a DHCP client which acquires IP addresses not 166 for its own use, but rather on behalf of another entity. There 167 are a variety of ways that a DHCP proxy can supply the addresses 168 it acquires to other entities that need them. 170 o "DHCP relay agent" 172 A DHCP relay agent is an agent that transfers BOOTP and DHCP 173 messages between clients and servers residing on different 174 subnets, per [RFC951], [RFC1542], and [RFC3315]. 176 o "DHCP server" 178 A DHCP server is a host that returns configuration parameters to 179 DHCP clients. 181 o "DHCPv4 option" 183 An option used to implement a capability defined by the DHCPv4 184 RFCs [RFC2131][RFC2132]. These options have one-octet code and 185 size fields. 187 o "DHCPv4 sub-option" 188 As used in this document, a DHCPv4 sub-option refers to a sub- 189 option of the relay-agent-information option [RFC3046]. These 190 sub-options have one-octet code and size fields. 192 o "DHCPv6 option" 194 An option used to implement a capability defined by the DHCPv6 195 RFC [RFC3315]. These options have two-octet code and size 196 fields. 198 o "Global VPN" 200 Indicates that the address being described belongs to the set of 201 addresses not part of any VPN. In other words, the normal 202 address space operated on by DHCP. This includes private 203 addresses, for example the 10.x.x.x addresses as well as the 204 other private subnets that are not routed on the open internet. 206 o "NVT ASCII Identifier" 208 A Network Virtual Terminal (NVT) identifier is an identifier 209 containing only characters from the ASCII repetoire and using 210 the Network Virtual Terminal encoding (see Appendix B in 211 [RFC5198]). 213 o "VSS information" 215 Information about a VPN necessary to allocate an address to a 216 DHCP client on that VPN and necessary to forward a DHCP reply 217 packet to a DHCP client on that VPN. 219 o "VPN" 221 Virtual private network. A network which appears to the client 222 to be a private network. 224 o "VPN Identifier" 226 The VPN-ID is defined by [RFC2685] to be a sequence of 7 octets. 228 3. Virtual Subnet Selection Option and Sub-Options Definitions 230 The Virtual Subnet Selection options and sub-options contain a 231 generalized way to specify the VSS information about a VPN. There 232 are two options and two sub-options defined in this section. The 233 actual VSS information is identical both options and one of the two 234 sub-options. 236 3.1. DHCPv4 Virtual Subnet Selection Option 238 The format of the option is: 240 0 1 2 3 241 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 242 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 243 | Code | Length | Type | VSS Info ... 244 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 246 Code The option code (221). 248 Length The option length, minimum 1 octets. 250 Type and VSS Information -- see Section 3.5 252 3.2. DHCPv4 Virtual Subnet Selection Sub-Option 254 This is a sub-option of the relay-agent-information option [RFC3046]. 255 The format of the sub-option is: 257 0 1 2 3 258 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 259 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 260 | Code | Length | Type | VSS Info. ... 261 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 263 Code The sub-option code (151). 265 Length The sub-option length, minimum 1 octets. 267 Type and VSS Information -- see Section 3.5. 269 3.3. DHCPv4 Virtual Subnet Selection Control Sub-Option 271 This is a sub-option of the relay-agent-information option [RFC3046]. 272 The format of the sub-option is: 274 0 1 275 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 276 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 277 | Code | Length | 278 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 280 Code The sub-option code (TBD). 282 Length The sub-option length, 0. 284 This sub-option only appears in the DHCPv4 relay-agent-information 285 option. In a DHCP request, it indicates that a DHCPv4 VSS sub-option 286 is also present in the relay-agent-information option. In a DHCP 287 reply, if it appears in the relay-agent-information option, it 288 indicates that the DHCP server did not understand any DHCPv4 VSS 289 sub-option that also appears in the relay-agent-information option. 291 3.4. DHCPv6 Virtual Subnet Selection Option 293 The format of the DHCPv6 Virtual Subnet Selection option is shown 294 below. This option may be included by a client or relay-agent (or 295 both). 297 0 1 2 3 298 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 299 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 300 | OPTION_VSS | option-len | 301 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 302 | Type | VSS Information ... | 303 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 305 option-code OPTION_VSS (TBD). 307 option-len The number of octets in the option, minimum 1. 309 Type and VSS Information -- see Section 3.5 311 3.5. Virtual Subnet Selection Type and Information 313 All of the (sub)options defined above carry identical payloads, 314 consisting of a type and additional VSS information as follows: 316 Type VSS Information format: 318 0 NVT ASCII VPN identifier 319 1 RFC2685 VPN-ID 320 2-254 Unassigned 321 255 Global, default VPN. 323 o Type 0 -- Network Virtual Terminal (NVT) ASCII VPN identifier 325 Indicates that the VSS information consists of an NVT ASCII 326 string. It MUST NOT be terminated with a zero byte. 328 o Type 1 -- RFC2685 VPN-ID 330 Indicates that the VSS information consists of an RFC2685 VPN-ID 331 [RFC2685], which is defined to be 7 octets in length. 333 o Type 255 -- Global, default VPN 335 Indicates that there is no explicit, non-default VSS information 336 but rather that this option references the normal, global, 337 default address space. In this case, there MUST NOT be any VSS 338 Information included in the VSS option or sub-option and the 339 length of the option or sub-option MUST be 1. 341 All other values of the Type field are unassigned. 343 4. Overview of Virtual Subnet Selection Usage 345 At the highest level, the VSS option or sub-option determines the VPN 346 on which a DHCP client is supposed to receive an IP address. How the 347 option or sub-option is entered and processed is discussed below, but 348 the point of all of the discussion is to determine the VPN on which 349 the DHCP client resides. This will affect a relay agent, in that it 350 will have to ensure that DHCP packets sent to and received from the 351 DHCP client flow over the correct VPN. This will affect the DHCP 352 server in that it determines the IP address space used for the IP 353 address allocation. 355 A DHCP server has as part of its configuration some IP address space 356 from which it allocates IP addresses to DHCP clients. These 357 allocations are typically for a limited time, and thus the DHCP 358 client gets a lease on the IP address. In the absence of any VPN 359 information, the IP address space is in the global or default VPN 360 used throughout the Internet. When a DHCP server deals with VPN 361 information, each VPN defines a new address space inside the server, 362 one distinct from the global or default IP address space. A server 363 which supports the VSS option or sub-option thereby supports 364 allocation of IP addresses from multiple different VPNs. Supporting 365 IP address allocation from multiple different VPNs means that the 366 DHCP server must be prepared to configure multiple different address 367 spaces (one per distinct VPN) and allocate IP addresses from these 368 different address spaces. 370 These address spaces are typically independent, so that the same IP 371 address (consisting of the same string of bytes) could be allocated 372 to one client in the global, default VPN, and to a different client 373 residing in a different VPN. There is no conflict in this 374 allocation, since the clients have essentially different addresses, 375 even though these addresses consist of the same string of bytes, 376 because the IPv4 or IPv6 address is qualified by the VPN. 378 Thus a VSS option or sub-option is a way of signaling the use of a 379 VPN other than the global or default VPN. The next question is: who 380 decides what VPN a DHCP client should be using? 382 There are three entities which can either insert a VSS option or 383 sub-option into a DHCPv4 packet or DHCPv6 message; a DHCP client, a 384 relay agent, or a DHCPv4 or DHCPv6 server. While all of these 385 entities could include a different VSS option or sub-option in every 386 request or response, this situation is neither typical nor useful. 387 There are two known paradigms for use of the VSS option or sub- 388 option, which are discussed below. 390 4.1. VPN assignment by the DHCP relay agent 392 The typical use of the VSS option or sub-option is for the relay 393 agent to know the VPN on which the DHCP client is operating. The 394 DHCP client itself does not, in this approach, know the VPN on which 395 it resides. The relay agent is responsible for mediating the access 396 between the VPN on which the DHCP client resides and the DHCP server. 397 In this situation, the relay agent will insert two DHCPv4 relay- 398 agent-information sub-options (one VSS sub-option, and one VSS- 399 Control sub-option) into the relay-agent-information option or a 400 DHCPv6 VSS option into the Relay-forward message of every request it 401 forwards from the DHCP client. The server will use the DHCPv6 VSS 402 option or DHCPv4 VSS sub-option to determine the VPN on which the 403 client resides, and use that VPN information to select the address 404 space within its configuration from which to allocate an IP address 405 to the DHCP client. 407 When, using this approach, a DHCPv4 relay agent inserts a VSS sub- 408 option into the relay-agent-information option it MUST also insert a 409 VSS-Control sub-option into the relay-agent-information-option. This 410 is to allow determination of whether or not the DHCPv4 server 411 actually processes the VSS information provided by the DHCPv4 relay 412 agent. If the DHCPv4 server supports the VSS capabilities described 413 in this document, it will remove the VSS-Control sub-option from the 414 relay-agent-information option that it returns to the DHCPv4 relay 415 agent. See Section 5 for more information. 417 In this approach, the relay agent might also send a VSS option or 418 sub-option in either a DHCPv4 or DHCPv6 Leasequery request, but in 419 this case, it would use the VSS option in the Leasequery request to 420 select the correct address space for the Leasequery. In this 421 approach, the relay agent would be acting as a DHCP client from a 422 Leasequery standpoint, but it would not be as if a DHCP client were 423 sending in a VSS option in a standard DHCP address allocation 424 request, say a DHCPDISCOVER. 426 In this approach, only one relay agent would mediate the VPN access 427 for the DHCP client to the DHCP server, and it would be the relay 428 agent which inserts the VSS information into the request packet and 429 would remove it prior to forwarding the response packet on. 431 In the diagram below is an example of a DHCPv4 client, DHCPv4 relay 432 agent, and DHCPv4 server. The DHCPv6 situation is similar, but uses 433 the DHCPv6 VSS option. 435 DHCPv4 436 DHCPv4 Relay DHCPv4 437 Client Agent Server 439 | | | 440 | >--DHCPDISCOVER--> | | 441 | on VRF "abc" | | 442 | | >--DHCPDISCOVER----> | 443 | | relay-agent-info: | 444 | | VSS type VRF:"abc"| 445 | | VSS-Control | 446 | | | 447 | | <----DHCPOFFER-----< | 448 | | relay-agent-info: | 449 | | VSS type VRF:"abc"| 450 | | | 451 | <---DHCPOFFER----< | | 452 | on VRF "abc" | | 453 | | | 454 | >--DHCPREQUEST---> | | 455 | on VRF "abc" | | 456 | | >--DHCPREQUEST-----> | 457 | | relay-agent-info: | 458 | | VSS type VRF:"abc"| 459 | | VSS-Control | 460 | | | 461 | | <----DHCPACK-------< | 462 | | relay-agent-info: | 463 | | VSS type VRF:"abc"| 464 | | | 465 | <---DHCPACK------< | | 466 | on VRF "abc" | | 467 | | | 468 ... ... ... 470 Figure 4.1-1: DHCPv4 - Relay Agent knows VPN 472 The DHCP server would know that it should respond to VPN information 473 specified in a VSS option or sub-option, and it would be configured 474 with appropriate VPN address spaces to service the projected client 475 requirements. Thus, in this common approach, the DHCP client knows 476 nothing of any VPN access, the relay agent has been configured in 477 some way that allows it to determine the VPN of the DHCP client and 478 transmit that using a VSS option or sub-option to the DHCP server, 479 and the DHCP server responds to the VPN specified by the relay agent. 480 There is no conflict between different entities trying to specify 481 different VSS information -- each entity knows its role through 482 policy or configuration external to this document. 484 If any mis-configuration exists, it SHOULD result in a DHCP client 485 being unable to acquire an IP address. For instance, a relay agent 486 which supports VPN access SHOULD couple transmission of VSS options 487 or sub-options to the configuration of VPN support, and not allow one 488 without the other. 490 It is important to ensure that the relay agent and DHCP server both 491 support the VSS option and sub-option (for DHCPv4) or the VSS option 492 (for DHCPv6). Deploying DHCPv4 relay agents which support and emit 493 VSS sub-options in concert with DHCPv4 servers which do not support 494 the VSS option or sub-option as defined in this document SHOULD NOT 495 be done, as such an ensemble will not operate correctly. Should this 496 situation occur, however, the relay agent can detect the problem 497 (since the VSS-Control sub-option will appear in the packets it 498 receives from the DHCPv4 server, indicating the server did not 499 effectively process the VSS sub-option), and it can issue appropriate 500 diagnostic messages. 502 4.2. VPN assignment by the DHCP server 504 In this approach, the DHCP server would be configured in some way to 505 know the VPN on which a particular DHCP client should be given 506 access. The DHCP server would in this case include the VSS sub- 507 option in the relay-agent-information option for DHCPv4 or the VSS 508 option in the Relay-reply message for DHCPv6. The relay agent 509 responsible for mediating VPN access would use this information to 510 select the correct VPN for the DHCP client. In the unusal event that 511 there were more than one relay agent involved in this transaction, 512 some external configuration or policy would be needed to inform the 513 DHCPv6 server into which Relay-reply message the VSS option should 514 go. 516 Once the relay agent has placed the DHCP client into the proper VPN, 517 it SHOULD begin including VSS information in requests that it 518 forwards to the DHCP server. Since this information does not 519 conflict with the DHCP server's idea of the proper VPN for the 520 client, everything works correctly. 522 The diagram below shows this approach using DHCPv4. The DHCPv6 523 situation is similar, but uses the DHCPv6 VSS option instead. 525 DHCPv4 526 DHCPv4 Relay DHCPv4 527 Client Agent Server 529 | | | 530 | >--DHCPDISCOVER--> | | 531 | on unknown VPN | | 532 | | >--DHCPDISCOVER----> | 533 | | | 534 | | <----DHCPOFFER-----< | 535 | | relay-agent-info: | 536 | | VSS type VRF:"abc"| 537 | | | 538 | <---DHCPOFFER----< | | 539 | on VRF "abc" | | 540 | | | 541 | >--DHCPREQUEST---> | | 542 | on VRF "abc" | | 543 | | >--DHCPREQUEST-----> | 544 | | relay-agent-info: | 545 | | VSS type VRF:"abc"| 546 | | VSS-Control | 547 | | | 548 | | <----DHCPACK-------< | 549 | | relay-agent-info: | 550 | | VSS type VRF:"abc"| 551 | | | 552 | <---DHCPACK------< | | 553 | on VRF "abc" | | 554 | | | 555 | | | 556 ... ... ... 558 Figure 4.2-1: DHCPv4 - DHCPv4 Server knows VPN 560 In this approach, the DHCP client is again unaware of any VPN 561 activity. In this case, however, the DHCP server knows the VPN for 562 the client, and the relay agent responds to the VSS information 563 specified by the DHCP server. Similar to the previous approach, each 564 entity knows its role through a means external to this document and 565 no two entities try to specify VSS information in conflict. 567 It is important that both the relay agent as well as the DHCP server 568 both support the VSS option and sub-option (for DHCPv4) and the VSS 569 option (for DHCPv6). Deploying and configuring VPN support in one 570 element and not in the other is not a practical approach. 572 4.3. Required Support 574 DHCP relay agents and servers MUST support the approach discussed in 575 Section 4.1. DHCP relay agents and server SHOULD support the 576 approach discussed in Section 4.2. DHCP relay agents and servers 577 SHOULD NOT be configured to operate with both approaches 578 simultaneously. 580 4.4. Alternative VPN assignment approaches 582 There are many other approaches which can be created with multiple 583 relay agents each inserting VSS information into different Relay- 584 forward messages, relay agent VSS information conflicting with client 585 VSS information, or DHCP server VSS information conflicting with 586 relay agent and client VSS information. Since these approaches do 587 not describe situations that are useful today, specifying precisely 588 how to resolve all of these conflicts is unlikely to be valuable in 589 the event that these approaches actually become practical in the 590 future. 592 The current use of the VSS option and sub-option require that each 593 entity knows the part that it plays in dealing with VPN data. Each 594 entity -- client, relay agent or agents, and server -- SHOULD know 595 through some policy or configuration beyond the scope of this 596 document whether it is responsible for specifying VPN information 597 using the VSS option or sub-option or responsible for responding to 598 VSS information specified by another entity, or simply ignoring any 599 VSS information which it might see. 601 Some simple conflict resolution approaches are discussed below, in 602 the hopes that they will cover simple cases that may arise from 603 situations beyond those envisioned today. However, for more complex 604 situations, or simple situations where appropriate conflict 605 resolution strategies differ from those discussed in this document, a 606 document detailing the usage situations and appropriate conflict 607 resolution strategies SHOULD be created and submitted for discussion 608 and approval. 610 5. Relay Agent Behavior 612 Implementers MAY provide a policy or configuration capability to 613 enable or disable VSS support. 615 A relay agent which receives a DHCP request from a DHCP client on a 616 VPN SHOULD include Virtual Subnet Selection information in the DHCP 617 packet prior to forwarding the packet on to the DHCP server unless 618 inhibited from doing so by configuration information or policy to the 619 contrary. 621 In this situation, a DHCPv4 relay agent MUST include a DHCPv4 VSS 622 sub-option in a relay-agent-information option [RFC3046], while a 623 DHCPv6 relay agent MUST include a DHCPv6 VSS option in the Relay- 624 forward message. 626 The value placed in the Virtual Subnet Selection sub-option or option 627 would typically be sufficient for the relay agent to properly route 628 any DHCP reply packet returned from the DHCP server to the DHCP 629 client for which it is destined. In some cases, the information in 630 the VSS sub-option or option might be an index into some internal 631 table held in the relay agent, though this document places no 632 requirement on a relay agent to have any such internal state. 634 A DHCPv4 relay agent MUST, in addition, include a DHCPv4 VSS-Control 635 sub-option (which has a length of zero) in the relay-agent- 636 information option [RFC3046] whenever it includes a VSS sub-option in 637 the relay-agent-information option. The inclusion of the VSS sub- 638 option and the VSS-Control sub-option in the relay-agent-information 639 option will allow the DHCPv4 relay agent to determine whether the 640 DHCPv4 server actually processed the information in the VSS sub- 641 option when it receives the relay-agent-information option in the 642 reply from the DHCPv4 server. 644 The reason to include this additional VSS DHCPv4 sub-option is that 645 [RFC3046] specifies (essentially) that a DHCPv4 server should copy 646 all sub-options that it receives in a relay-agent-information option 647 in a request into a corresponding relay-agent-information option in 648 the response. Thus, a server that didn't support the DHCPv4 VSS 649 sub-option would normally just copy it to the response packet, 650 leaving the relay agent to wonder if in fact the DHCPv4 server 651 actually used the VSS information when processing the request. 653 To alleviate this potential confusion, a DHCPv4 relay agent instead 654 sends in two sub-options: one VSS sub-option, and one VSS-Control 655 sub-option. If both sub-options appear in the response from the 656 DHCPv4 server, then the DHCPv4 relay agent MUST assume that the 657 DHCPv4 server did not act on the VSS information in the VSS sub- 658 option. If only the VSS sub-option appears in the response from the 659 DHCPv4 server and no VSS-Control sub-option appears in the response 660 from the DHCPv4 server, then the relay agent SHOULD assume that the 661 DHCPv4 server acted successfully on the VSS sub-option. 663 Anytime a relay agent places a VSS option or sub-option in a DHCP 664 request, it SHOULD send it only to a DHCP server which supports the 665 VSS option or sub-option, and it MUST check the response to determine 666 if the DHCP server actually honored the requested VSS information. 668 In the DHCPv6 case, the appearance of the option in the Relay-reply 669 packet indicates that the DHCPv6 server understood and acted upon the 670 contents of the VSS option in the Relay-forward packet. In the 671 DHCPv4 case, as discussed above, the appearance of the VSS sub-option 672 without the appearance of a VSS-Control sub-option indicates that the 673 DHCPv4 server successfully acted upon the VSS sub-option. 675 This document does not create a requirement that a relay agent 676 remember the contents of a VSS DHCPv4 sub-option or VSS DHCPv6 option 677 sent to a DHCP server. In many cases, the relay agent may simply use 678 the value of the VSS returned by the DHCP server to forward the 679 response to the DHCP client. If the VSS information, the IP address 680 allocated, and the VPN capabilities of the relay agent all 681 interoperate correctly, then the DHCP client will receive a working 682 IP address. Alternatively, if any of these items don't interoperate 683 with the others, the DHCP client will not receive a working address. 685 Note that in some environments a relay agent may choose to always 686 place a VSS option or sub-option into packets and messages that it 687 forwards in order to forestall any attempt by a relay agent closer to 688 the client or the client itself to specify VSS information. In this 689 case, a type field of 255 is used to denote the global, default VPN. 690 When the type field of 255 is used, there MUST NOT be any additional 691 VSS information in the VSS option or sub-option. In the DHCPv4 case, 692 an additional VSS-Control sub-option would be required, as discussed 693 above. 695 5.1. VPN assignment by the DHCP server 697 In some cases, a DHCP server may use the Virtual Subnet Selection 698 sub-option or option to inform a relay agent that a particular DHCP 699 client is associated with a particular VPN. It does this by sending 700 the Virtual Subnet Selection sub-option or option with the 701 appropriate information to the relay agent in the relay-agent- 702 information option for DHCPv4 or the Relay-reply message in DHCPv6. 703 If the relay agent cannot respond correctly to the DHCP server's 704 requirement to place the DHCP client into that VPN (perhaps because 705 it has not been configured with a VPN that matches the VSS 706 information received from the DHCP server) it MUST drop the packet 707 and not send it to the DHCP client. 709 In this situation, once the relay agent has placed the DHCP client 710 into the VPN specified by the DHCP server, it will insert a VSS 711 option or sub-option when forwarding packets from the client. The 712 DHCP server in normal operation will echo this VSS information into 713 the outgoing replies. 715 In the event that the relay agent doesn't include VSS information on 716 subsequent requests after the DHCP server has included VSS 717 information in a reply to the relay agent, the DHCP server can 718 conclude that the relay agent doesn't support VSS processing, and the 719 DHCP server SHOULD stop processing this transaction and not respond 720 to the request. 722 5.2. DHCP Leasequery 724 Sometimes a relay-agent needs to submit a DHCP Leasequery [RFC4388] 725 [RFC5007] packet to the DHCP server in order to recover information 726 about existing DHCP allocated IP addresses on other than the normal, 727 global VPN. In the context of a DHCP Leasequery the relay agent is a 728 direct client of the DHCP server and is not relaying a packet for 729 another DHCP client. Thus, the instructions in Section 6 on Client 730 Behavior should be followed to include the necessary VSS information. 732 6. Client Behavior 734 Typically, DHCPv4 and DHCPv6 clients have no interaction with VSS 735 options or sub-options. The VSS information is handled by exchanges 736 between a DHCPv4 or DHCPv6 relay agent and the corresponding DHCPv4 737 or DHCPv6 server. 739 However, there are times when an entity is acting as a DHCPv4 or 740 DHCPv6 client in that it is communicating directly with a DHCPv4 or 741 DHCPv6 server. In these instances -- where communications is 742 occurring without employing the DHCPv4 relay-agent-information option 743 or the DHCPv6 Relay-forward or Relay-reply messages, the entity is 744 acting as a DHCPv4 or DHCPv6 client with regard to its communication 745 with the DHCPv4 or DHCPv6 server, but not necessarily as a DHCP 746 client who is requesting a DHCPv4 or DHCPv6 address for its own use. 748 The client, in this context, may be requesting an IP address for 749 another entity, thus acting as a DHCP proxy. The client may be 750 requesting information about another client-to-address binding, using 751 the DHCPv4 [RFC4388] or DHCPv6 [RFC5007] Leasequery protocol. 753 In the rest of this section, the term "client" refers to an entity 754 communicating VSS information directly to a DHCPv4 or DHCPv6 server 755 without using the DHCPv4 relay-agent-information option or the DHCPv6 756 Relay-forward or Relay-reply messages, and there is no requirement 757 that such a client is a traditional DHCPv4 or DHCPv6 client 758 requesting an IP address binding for itself. 760 A DHCPv4 or DHCPv6 client will employ the VSS option to communicate 761 VSS information to their respective servers. This information MUST 762 be included in every message concerning any IP address on a different 763 VPN than the global or default VPN. A DHCPv4 client will place the 764 DHCPv4 VSS option in its packets, and a DHCPv6 client will place the 765 DHCPv6 VSS option in its messages. 767 A DHCPv6 client that needs to place a VSS option into a DHCPv6 768 message SHOULD place a single VSS option into the DHCPv6 message at 769 the same level as the Client Identifier option. A DHCPv6 client MUST 770 NOT include different VSS options in the same DHCPv6 message. 772 Note that, as mentioned in Section 1, throughout this document when a 773 DHCPv6 address is indicated the same information applies to DHCPv6 774 Prefix Delegation [RFC3633] as well. 776 Since this option is placed in the packet in order to change the VPN 777 on which an IP address is allocated for a particular DHCP client, one 778 presumes that an allocation on that VPN is necessary for correct 779 operation. Thus, a client which places this option in a packet and 780 doesn't receive it or receives a different value in a returning 781 packet SHOULD drop the packet since the IP address that was allocated 782 will not be in the requested VPN. 784 Clients should be aware that some DHCP servers will return a VSS 785 option with different values than that which was sent in. In 786 addition, a client may receive a response from a DHCP server with a 787 VSS option when none was sent in by the Client. 789 Note that when sending a DHCP Leasequery request, a relay agent is 790 acting as a DHCP client and so it SHOULD include the respective 791 DHCPv4 or DHCPv6 VSS option in its DHCPv4 or DHCPv6 Leasequery packet 792 if the DHCP Leasequery request is generated for other than the 793 default, global VPN. It SHOULD NOT include a DHCPv4 sub-option in 794 this case. 796 7. Server Behavior 798 A DHCP server receiving the VSS option or sub-option SHOULD allocate 799 an IP address (or use the VSS information to access an already 800 allocated IP address) from the VPN specified by the included VSS 801 information. 803 In the case where the type field of the VSS option or sub-option is 804 255, the VSS option denotes the global, default VPN. In this case, 805 there is no explicit VSS information beyond the type field. 807 This document does not prescribe any particular address allocation 808 policy. A DHCP server may choose to attempt to allocate an address 809 using the VSS information and, if this is impossible, to not allocate 810 an address. Alternatively, a DHCP server may choose to attempt 811 address allocation based on the VSS information and, if that is not 812 possible, it may fall back to allocating an address on the global or 813 default VPN. This, of course, is also the apparent behavior of any 814 DHCP server which doesn't implement support for the VSS option and 815 sub-option. Thus, DHCP clients and relay agents SHOULD be prepared 816 for either of these alternatives. 818 In some cases, a DHCP server may use the Virtual Subnet Selection 819 sub-option or option to inform a relay agent that a particular DHCP 820 client is associated with a particular VPN. It does this by sending 821 the Virtual Subnet Selection sub-option or option with the 822 appropriate information to the relay agent in the relay-agent- 823 information option for DHCPv4 or the Relay-reply message in DHCPv6. 825 In this situation, the relay agent will place the client in the 826 proper VPN, and then it will insert a VSS option or sub-option in 827 subsequent forwarded requests. The DHCP server will see this VSS 828 information and since it doesn't conflict in any way with the 829 server's notion of the VPN on which the client is supposed to reside, 830 it will process the requests based on the VPN specified in the VSS 831 option or sub-option, and echo the same VSS information in the 832 outgoing replies. 834 The relay agent receiving a reply containing a VSS option should 835 support the VSS option. Otherwise the relay agent will end up 836 attempting to use the address as though it were a global address. 837 Should this happen, the subsequent DHCPREQUEST will not contain any 838 VSS information, in which case the DHCP server SHOULD NOT respond 839 with a DHCPACK. 841 If a server uses a different VPN than what was specified in the VSS 842 option or sub-option, it SHOULD send back the VPN information using 843 the same type as the received type. It MAY send back a different type 844 if it is not possible to use the same type (such as the RFC2685 VPN- 845 ID if no ASCII VPN identifier exists). 847 A server which receives a VSS sub-option in the DHCPv4 relay-agent- 848 information option and does not receive a VSS-Control sub-option in 849 the relay-agent-information option MUST process the information 850 specified in the VSS sub-option in the same fashion as it would have 851 if it received both sub-options. 853 7.1. Returning the DHCPv4 or DHCPv6 Option 855 DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option 856 processing, see below) MUST return an instance of this option in the 857 reply packet or message if the server successfully uses this option 858 to allocate an IP address, and it MUST NOT include an instance of 859 this option if the server is unable to support, is not configured to 860 support, or does not implement support for VSS information in general 861 or the requested VPN in particular. 863 If they echo the option (based on the criteria above), servers SHOULD 864 return an exact copy of the option unless they desire to change the 865 VPN on which a client was configured. 867 The appearance of the DHCPv4 VSS option code in the DHCPv4 Parameter 868 Request List option [RFC2132] should not change the processing or 869 decision to return or not return the VSS option as specified in this 870 document. The appearance of the DHCPv6 VSS option in the OPTION_ORO 871 [RFC3315] or the OPTION_ERO [RFC4994] should not change the 872 processing or decision to return (or not to return) the VSS option as 873 specified in this document. 875 7.2. Returning the DHCPv4 Sub-Option 877 The case of the DHCPv4 sub-option is a bit more complicated. Note 878 that [RFC3046] specifies that a DHCPv4 server which supports the 879 relay-agent-information option SHALL copy all sub-options received in 880 a relay-agent-information option into any outgoing relay-agent- 881 information option. Thus, the default behavior for any DHCPv4 server 882 is to return any VSS sub-option received to the relay agent whether 883 or not the DHCPv4 server understands the VSS sub-option. 885 In order to distinguish a DHCPv4 server which is simply copying 886 relay-agent-information option sub-options from an incoming to an 887 outgoing relay-agent-informaion option from one which successfully 888 acted upon the information in the VSS sub-option, DHCPv4 relay agents 889 MUST include a VSS-Control sub-option in the relay-agent-information 890 any time that it includes a VSS sub-option in the relay-agent- 891 information option. 893 A DHCPv4 server which does not support the VSS sub-option will copy 894 both sub-options into the outgoing relay-agent-information option, 895 thus signalling to the DHCPv4 relay agent that it did not understand 896 the VSS sub-option. 898 A DHCPv4 server which supports the VSS sub-option: 900 o MUST copy the VSS sub-option into the outgoing relay-agent- 901 information option 903 o MUST NOT copy the VSS-Control sub-option into the outgoing 904 relay-agent-information option 906 Moreover, if a server uses different VSS information to allocate an 907 IP address than it receives in a particular DHCPv4 sub-option, it 908 MUST include that alternative VSS information in the VSS sub-option 909 that it returns to the DHCPv4 relay agent instead of the original VSS 910 information it was given. 912 If a DHCPv4 server supports this sub-option and for some reason 913 (perhaps administrative control) does not honor this sub-option from 914 the request then it MUST NOT echo either sub-option into the outgoing 915 relay-agent-information option. 917 7.3. Making sense of conflicting VSS information 919 It is possible for a DHCPv4 server to receive both a VSS option and 920 VSS sub-options in the same packet. Likewise, a DHCPv6 server can 921 receive multiple VSS options in nested Relay-forward messages as well 922 as in the client message itself. In either of these cases, the VSS 923 information from the relay agent closest to the DHCP server SHOULD be 924 used in preference to all other VSS information received. In the 925 DHCPv4 case, this means that the VSS sub-option takes precedence over 926 the VSS option, and in the DHCPv6 case, this means that the VSS 927 option from the outer-most Relay-forward message in which a VSS 928 option appears takes precedence. 930 The reasoning behind this approach is that the relay-agent closer to 931 the DHCP server is almost certainly more trusted than the DHCP client 932 or more distant relay agents, and therefore information in the 933 relay-agent-information option or the Relay-forward message is more 934 likely to be correct. 936 In general, relay agents SHOULD be aware through configuration or 937 policy external to this document whether or not they should be 938 including VSS information in packets that they forward and so there 939 should not be conflicts among relay agent specified VSS information. 941 In these situations where multiple VSS option or sub-options appear 942 in the incoming packet or message, when the DHCP server constructs 943 the response to be sent to the DHCP client or relay agent, all 944 existing VSS options or sub-options MUST be replicated in the 945 appropriate places in the response and MUST contain only the VSS 946 information that was used by the DHCP server to allocate the IP 947 address (with, of course, the exception of a DHCPv4 relay-agent- 948 information sub-option VSS-Control). 950 8. Updates to RFC 3046 952 This document updates the specification of the Relay Agent 953 Information option in RFC 3046 as follows: 955 Change the first sentence, second paragraph, section 2.2 of RFC 3046: 957 o OLD: 959 DHCP servers claiming to support the Relay Agent Information 960 option SHALL echo the entire contents of the Relay Agent 961 Information option in all replies. 963 o NEW: 965 DHCP servers claiming to support the Relay Agent Information 966 option SHALL echo the entire contents of the Relay Agent 967 Information option in all replies, except if otherwise specified 968 in the definition of specific Relay Agent Information sub- 969 options. 971 9. Security 973 Message authentication in DHCPv4 for intradomain use where the out- 974 of-band exchange of a shared secret is feasible is defined in 975 [RFC3118]. Potential exposures to attack are discussed in Section 7 976 of the DHCP protocol specification in [RFC2131]. 978 Implementations should consider using the DHCPv4 Authentication 979 option [RFC3118] to protect DHCPv4 client access in order to provide 980 a higher level of security if it is deemed necessary in their 981 environment. 983 Message authentication in DHCPv4 relay agents as defined in [RFC4030] 984 should be considered for DHCPv4 relay agents employing this sub- 985 option. Potential exposures to attack are discussed in Section 7 of 986 the DHCP protocol specification in [RFC2131]. 988 For DHCPv6 use of the VSS option, the "Security Considerations" 989 Section of [RFC3315] details the general threats to DHCPv6, and thus 990 to messages using the VSS option. The "Authentication of DHCP 991 Messages" Section of [RFC3315] describes securing communication 992 between relay agents and servers, as well as clients and servers. 994 The VSS option could be used by a client in order to obtain an IP 995 address from any VPN. This option would allow a client to perform a 996 more complete address-pool exhaustion attack since the client would 997 no longer be restricted to attacking address-pools on just its local 998 subnet. 1000 A DHCP server that implements these options and sub-option should be 1001 aware of this possibility and use whatever techniques that can be 1002 devised to prevent such an attack. Information such as the giaddr in 1003 DHCPv4 or link address in the Relay-forward DHCPv6 message might be 1004 used to detect and prevent this sort of attack. 1006 One possible defense would be for the DHCP relay to insert a VSS 1007 option or sub-option to override the DHCP client's VSS option. 1009 Servers that implement the VSS option and sub-option MUST by default 1010 disable use of the feature; it must specifically be enabled through 1011 configuration. Moreover, a server SHOULD provide the ability to 1012 selectively enable use of the feature under restricted conditions, 1013 e.g., by enabling use of the option only from explicitly configured 1014 client-ids, enabling its use only by clients on a particular subnet, 1015 or restricting the VSSs from which addresses may be requested. 1017 10. IANA Considerations 1019 IANA is requested to assign DHCPv4 option number 221 for the DHCPv4 1020 VSS option defined in Section 3.1, in accordance with [RFC3942]. 1022 IANA is requested to assign sub-option number 151 for the DHCPv4 VSS 1023 sub-option defined in Section 3.2 from the DHCP Relay Agent Sub- 1024 options space [RFC3046], in accordance with the spirit of [RFC3942]. 1025 While [RFC3942] doesn't explicitly mention the sub-option space for 1026 the DHCP Relay Agent Information option [RFC3046], sub-option 151 is 1027 already in use by existing implementations of this sub-option and the 1028 current draft is essentially upward compatible with these current 1029 implementations. 1031 IANA is requested to assign the value of TBD for the DHCPv4 VSS- 1032 Control sub-option defined in Section 3.3. 1034 IANA is requested to assign the value of TBD for the DHCPv6 VSS 1035 option defined in Section 3.4 from the DHCPv6 option registry. 1037 The type byte defined in Section 3.5 defines a number space for which 1038 IANA is to create and maintain a new sub-registry entitled "VSS Type 1039 values". This sub-registry needs to be related to both the DHCPv4 1040 and DHCPv6 VSS options and the DHCPv4 relay-agent-information option 1041 sub-option (all defined by this document), since the type byte in 1042 these two options and one sub-option MUST have identical definitions. 1044 New values for the type byte may only be defined by IETF Consensus, 1045 as described in [RFC5226]. Basically, this means that they are 1046 defined by RFCs approved by the IESG. 1048 11. Acknowledgments 1050 Bernie Volz recommended consolidation of the DHCPv4 option and sub- 1051 option drafts after extensive review of the former drafts, and 1052 provided valuable assistance in structuring and reviewing this 1053 document. Alper Yegin expressed interest in the DHCPv6 VSS option, 1054 resulting in this combined draft covering all three areas. Alfred 1055 Hoenes provided assistance with editorial review as well as raising 1056 substantive protocol issues. David Hankins and Bernie Volz each 1057 raised important protocol issues which resulted in a clarified 1058 document. Josh Littlefield provided editorial assistance. Several 1059 IESG reviewers took the time to substantially review this document, 1060 resulting in much increased clarity. 1062 12. References 1064 12.1. Normative References 1066 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1067 Requirement Levels", RFC 2119, March 1997. 1069 [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, 1070 March 1997. 1072 [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor 1073 Extensions", RFC 2132, March 1997. 1075 [RFC2685] Fox, B., Gleeson, B., "Virtual Private Networks 1076 Identifier", RFC 2685, September 1999. 1078 [RFC3046] Patrick, M., "DHCP Relay Agent Information Option", RFC 1079 3046, January 2001. 1081 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and 1082 M. Carney, "Dynamic Host Configuration Protocol for IPv6 1083 (DHCPv6)", RFC 3315, July 2003. 1085 [RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic 1086 Host Configuration Protocol (DHCP) version 6", RFC 3633, December 1087 2003. 1089 [RFC4994] Zeng, S., Volz, B., Kinnear, K. and J. Brzozowski, "DHCPv6 1090 Relay Agent Echo Request Option", RFC 4994, September 2007. 1092 12.2. Informative References 1094 [RFC951] Croft, B. and J. Gilmore, "Bootstrap Protocol", RFC 951, 1095 September 1985. 1097 [RFC1542] Wimer, W., "Clarifications and Extensions for the Bootstrap 1098 Protocol", RFC 1542, October 1993. 1100 [RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP 1101 Messages", RFC 3118, June 2001. 1103 [RFC3942] Volz, B., "Reclassifying Dynamic Host Configuration 1104 Protocol version 4 (DHCPv4) Options", RFC 3942, November 2004. 1106 [RFC4030] Stapp, M. and T. Lemon, "The Authentication Suboption for 1107 the Dynamic Host Configuration Protocol (DHCP) Relay Agent 1108 Option", RFC 4030, March 2005. 1110 [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration 1111 Protocol (DHCP) Leasequery", RFC 4388, February 2006. 1113 [RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng, "DHCPv6 1114 Leasequery", RFC 5007, September 2007. 1116 [RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network 1117 Interchange", RFC 5198, March 2008. 1119 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 1120 IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. 1122 Authors' Addresses 1124 Kim Kinnear 1125 Cisco Systems 1126 1414 Massachusetts Ave. 1127 Boxborough, Massachusetts 01719 1129 Phone: (978) 936-0000 1131 EMail: kkinnear@cisco.com 1133 Richard Johnson 1134 Cisco Systems 1135 170 W. Tasman Dr. 1136 San Jose, CA 95134 1138 Phone: (408) 526-4000 1140 EMail: raj@cisco.com 1141 Mark Stapp 1142 Cisco Systems 1143 1414 Massachusetts Ave. 1144 Boxborough, Massachusetts 01719 1146 Phone: (978) 936-0000 1148 EMail: mjs@cisco.com 1150 Jay Kumarasamy