idnits 2.17.1

draft-nalluri-dhc-dhcpv6-lwm2m-bootstrap-options-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords.

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

  -- The document date (July 27, 2017) is 2466 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2119' is defined on line 381, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2131' is defined on line 386, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC4306' is defined on line 404, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC5280' is defined on line 408, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC7227' is defined on line 414, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415)

  ** Obsolete normative reference: RFC 4306 (Obsoleted by RFC 5996)

     Summary: 2 errors (**), 0 flaws (~~), 7 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    DHC working group                                             S. Nalluri
3    Internet-Draft                                                  Ericsson
4    Intended status: Standards Track                           July 27, 2017
5    Expires: January 28, 2018

7                 DHCPv6 Options for LWM2M bootstrap information
8              draft-nalluri-dhc-dhcpv6-lwm2m-bootstrap-options-03

10   Abstract

12      This document defines Dynamic Host Configuration Protocol and Dynamic
13      Host Configuration Protocol version 6 (DHCPv6) Options for LWM2M
14      client bootstrap information, which are used to carry Uniform
15      Resource Locator of LWM2M bootstrap server and certificate that
16      validates the public key presented by server.

18   Status of This Memo

20      This Internet-Draft is submitted in full conformance with the
21      provisions of BCP 78 and BCP 79.

23      Internet-Drafts are working documents of the Internet Engineering
24      Task Force (IETF).  Note that other groups may also distribute
25      working documents as Internet-Drafts.  The list of current Internet-
26      Drafts is at http://datatracker.ietf.org/drafts/current/.

28      Internet-Drafts are draft documents valid for a maximum of six months
29      and may be updated, replaced, or obsoleted by other documents at any
30      time.  It is inappropriate to use Internet-Drafts as reference
31      material or to cite them other than as "work in progress."

33      This Internet-Draft will expire on January 28, 2018.

35   Copyright Notice

37      Copyright (c) 2017 IETF Trust and the persons identified as the
38      document authors.  All rights reserved.

40      This document is subject to BCP 78 and the IETF Trust's Legal
41      Provisions Relating to IETF Documents
42      (http://trustee.ietf.org/license-info) in effect on the date of
43      publication of this document.  Please review these documents
44      carefully, as they describe your rights and restrictions with respect
45      to this document.  Code Components extracted from this document must
46      include Simplified BSD License text as described in Section 4.e of
47      the Trust Legal Provisions and are provided without warranty as
48      described in the Simplified BSD License.

50   Table of Contents

52      1.  Introduction
53      2.  Terminology
54      3.  LWM2M bootstrap server information through DHC
55        3.1.  DHCPv6 option for LWM2M bootstrap server URI
56        3.2.  DHCPv6 option for LWM2M server certificate
57        3.3.  DHCPv4 option for LWM2M bootstrap server URI
58        3.4.  DHCPv4 option for LWM2M server certificate
59      4.  LWM2M-server-certificate encoding
60      5.  Appearance of Option
61        5.1.  Appearance of options in DHCPv6 control messages
62        5.2.  Appearance of options in DHCPv4 control messages
63      6.  Configuration Guidelines for the Server
64      7.  DHCPv4/DHCPv6 Client Behavior
65      8.  Relay agent Behavior
66      9.  Security Considerations
67      10. Acknowledgement
68      11. IANA Considerations
69      12. References
70        12.1.  Normative References
71        12.2.  Informative References
72      Author's Address

74   1.  Introduction

76      Light weight machine to machine (LWM2M) protocol is used to manage
77      end device life cycle in machine to machine communication scenarios.
78      LWM2M device bootstrap is an optional life cycle phase for devices to
79      get needed information when starting up for first time.  Information
80      gathered during bootstrapping might include management server details
81      and security certificates required to establish connectivity with
82      management server.  Information required to connect with bootstrap
83      server might be hard coded during device manufacturing phase.

85      Hard coding configuration by device manufacturer forces device
86      operator to use same configuration as hard coded.  It is possible
87      that reachability information of bootstrap server that is hard coded
88      may be outdated and bootstrap server reachability might fail during
89      first use of device.  In such cases connectivity with bootstrap
90      server is possible only through device software upgrade.

92   2.  Terminology

94      This document makes use of the following terms:

96      LWM2M:  Lightweight Machine to Machine is a protocol from Open Mobile
97         alliance for device management in M2M or Internet of Things
98         scenarios

100     LWM2M bootstrap server:  The server that provides LWM2M bootstrap
101        interface which is used to optionally configure a LWM2M Client so
102        that it can successfully register with a LWM2M management Server

104     LWM2M management server:  The server that provides registration,
105        device management and service enablement interface to manage a
106        LWM2M client.

108  3.  LWM2M bootstrap server information through DHC

110     LWM2M bootstrap server details like URI and security certificate can
111     be collected during dynamic host configuration phase.  DHCPv4 and
112     DHCPv6 options can be extended to collect LWM2M bootstrap server
113     information for IPv4 and IPv6 networks respectively.  DHCPv4 or
114     DHCPv6 client requests LWM2M bootstrap server URI and LWM2M server
115     certificate using new options proposed in sections below.

117  3.1.  DHCPv6 option for LWM2M bootstrap server URI

119     DHCPv6 option OPTION_LWM2M_BOOTSTRAP_URI conveys URI through which
120     LWM2M client can reach LWM2M bootstrap server reachable through IPv6
121     network.  The format of LWM2M bootstrap server URI option is as shown
122     below:

124      0                   1                   2                   3
125      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
126     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
127     |          option-code          |          option-len           |
128     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
129     |                      LWM2M-bootstrap-URI                      |
130     |                              ...                              |
131     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

133     option-code:  OPTION_LWM2M_BOOTSTRAP_URI

135     option-len:  Length of the 'LWM2M-bootstrap-URI' field in octets

137     LWM2M-bootstrap-URI:  This string is URI of LWM2M bootstrap server.
138        The string is not null-terminated.

140  3.2.  DHCPv6 option for LWM2M server certificate

142     DHCPv6 option OPTION_LWM2M_SERVER_CERTIFICATE conveys security
143     certificate which can be used by LWM2M client to establish secure
144     connection with LWM2M server reachable through IPv6 network.  The
145     format of LWM2M server certificate option is as shown below:

147      0                   1                   2                   3
148      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
149     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
150     |          option-code          |          option-len           |
151     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
152     |cert-encoding|                                                 |
153     +-+-+-+-+-+-+-+                                                 +
154     |                   LWM2M-server-certificate                    |
155     |                    (variable length data)                     |
156     |                                                               |
157     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

159     option-code:  OPTION_LWM2M_SERVER_CERTIFICATE

161     option-len:  Length of the 'LWM2M-server-certificate' field in octets

163     cert-encoding:  This field indicates the type of certificate or
164        certificate-related information contained in LWM2M-server-
165        certificate field.  See Section 4 for details.

167     LWM2M-server-certificate:  Digital certificate of LWM2M server
168        encoded according to cert-encoding.  See Section 4 for details.

170  3.3.  DHCPv4 option for LWM2M bootstrap server URI

172     DHCPv4 option OPTION_LWM2M_BOOTSTRAP_URI conveys URI through which
173     LWM2M client can reach LWM2M bootstrap server reachable through IPv4
174     network.  The format of LWM2M bootstrap server URI option is as shown
175     below:

177      0                   1                   2                   3
178      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
179     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
180     |  option-code  |  option-len   |      LWM2M-bootstrap-URI      |
181     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
182     |                                                               |
183     |                      LWM2M-bootstrap-URI                      |
184     |                              ...                              |
185     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

187     option-code:  OPTION_LWM2M_BOOTSTRAP_URI
188     option-len:  Length of the 'LWM2M-bootstrap-URI' field in octets

190     LWM2M-bootstrap-URI:  This string is URI of LWM2M bootstrap server.
191        The string is not null-terminated.

193  3.4.  DHCPv4 option for LWM2M server certificate

195     DHCPv4 option OPTION_LWM2M_SERVER_CERTIFICATE conveys security
196     certificate which can be used by LWM2M client to establish secure
197     connection with LWM2M server reachable through IPv4 network.  The
198     format of LWM2M server certificate option is as shown below:

200      0                   1                   2                   3
201      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
202     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
203     |  option-code  |  option-len   | cert-encoding |               |
204     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               +
205     |                                                               |
206     |                   LWM2M-server-certificate                    |
207     |                    (variable length data)                     |
208     |                                                               |
209     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

211     option-code:  OPTION_LWM2M_SERVER_CERTIFICATE

213     option-len:  Length of the 'LWM2M-server-certificate' field in octets

215     cert-encoding:  This field indicates the type of certificate or
216        certificate-related information contained in LWM2M-server-
217        certificate field.  See Section 4 for details.

219     LWM2M-server-certificate:  Digital certificate of LWM2M server
220        encoded according to cert-encoding.  See Section 4 for details.

222  4.  LWM2M-server-certificate encoding

224     As defined in Section 3.6 of [RFC7296] and [IKEv2IANA] the values in
225     the following table are allocated for Certificate Encoding types.
226     Other values may have been added since then or will be added after
227     the publication of this document.  Readers should refer to
228     [IKEv2IANA] for latest values.

230        Certificate Encoding                 Value
231        ----------------------------------------------------
232        PKCS #7 wrapped X.509 certificate    1        UNSPECIFIED
233        PGP Certificate                      2        UNSPECIFIED
234        DNS Signed Key                       3        UNSPECIFIED
235        X.509 Certificate - Signature        4
236        Kerberos Token                       6        UNSPECIFIED
237        Certificate Revocation List (CRL)    7
238        Authority Revocation List (ARL)      8        UNSPECIFIED
239        SPKI Certificate                     9        UNSPECIFIED
240        X.509 Certificate - Attribute        10       UNSPECIFIED
241        Deprecated (was Raw RSA Key)         11       DEPRECATED
242        Hash and URL of X.509 certificate    12
243        Hash and URL of X.509 bundle         13
244        OCSP Public Key                      14
245        Raw Public Key                       15
246        Unassigned                           16-200
247        Private use                          201-255

249  5.  Appearance of Option

251  5.1.  Appearance of options in DHCPv6 control messages

253     The OPTION_LWM2M_BOOTSTRAP_URI and OPTION_LWM2M_SERVER_CERTIFICATE
254     options MUST NOT appear in messages other than the following: SOLICIT
255     (1), ADVERTISE (2), REQUEST (3), REPLY (4), RENEW (5), REBIND (6),
256     INFORMATION-REQUEST (11).  If this option appears in messages other
257     than those specified above, the receiver MUST ignore it.

259     The option number for OPTION_LWM2M_BOOTSTRAP_URI and
260     OPTION_LWM2M_SERVER_CERTIFICATE options MAY appear in the "Option
261     Request" option [RFC3315] in the following messages: SOLICIT (1),
262     REQUEST (3), RENEW (5), REBIND (6), INFORMATION-REQUEST (11) and
263     RECONFIGURE (10).  If this option number appears in the "Option
264     Request" option in messages other than those specified above, the
265     receiver SHOULD ignore it.

267  5.2.  Appearance of options in DHCPv4 control messages

269     The OPTION_LWM2M_BOOTSTRAP_URI and OPTION_LWM2M_SERVER_CERTIFICATE
270     options MUST NOT appear in messages other than the following:
271     DHCPDISCOVER (1), DHCPOFFER (2), DHCPREQUEST (3), DHCPACK (5) and
272     DHCPINFORM (8).  If this option appears in messages other than those
273     specified above, the receiver MUST ignore it.

275     The option number for OPTION_LWM2M_BOOTSTRAP_URI and
276     OPTION_LWM2M_SERVER_CERTIFICATE options MAY appear in the "Parameter
277     Request List" option [RFC2132] in the following messages:
279     DHCPDISCOVER (1), DHCPOFFER (2), DHCPREQUEST (3), DHCPACK (5) and
280     DHCPINFORM (8).  If this option number appears in the "Parameter
281     Request List" option in messages other than those specified above,
282     the receiver SHOULD ignore it.

284     Maximum possible value of DHCPv4 "option-len" is 255.  LWM2M-server-
285     certificate MAY be of length more than 255.  To accommodate larger
286     certificate, DHCP server SHOULD follow encoding as mentioned in
287     [RFC3396].

289  6.  Configuration Guidelines for the Server

291     DHCPv4 or DHCPv6 server that supports OPTION_LWM2M_BOOTSTRAP_URI and
292     OPTION_LWM2M_SERVER_CERTIFICATE SHOULD be configured with one and
293     only one LWM2M bootstrap server URI, and one and only one certificate
294     that validates bootstrap server's public key.

296     In the absence of URI configuration, DHCP server SHOULD ignore option
297     OPTION_LWM2M_BOOTSTRAP_URI, and SHOULD continue processing of DHCP
298     control message.

300     In the absence of certificate configuration, DHCP server SHOULD
301     ignore option OPTION_LWM2M_SERVER_CERTIFICATE, and SHOULD continue
302     processing of DHCP control message.

304  7.  DHCPv4/DHCPv6 Client Behavior

306     DHCP or DHCPv6 client MAY decide need for inclusion of
307     OPTION_LWM2M_BOOTSTRAP_URI and OPTION_LWM2M_SERVER_CERTIFICATE
308     options in DHCPv4 or DHCPv6 control messages if device is capable of
309     supporting LWM2M client functionality irrespective of state of LWM2M
310     client.  It is possible that LWM2M client MAY not be active before
311     DHCPv4 or DHCPv6 message exchanges happen.  In such scenario, DHCPv4
312     or DHCPv6 client MAY collect LWM2M bootstrap server URI and LWM2M
313     server certificate and keep ready for LWM2M client initialization.

315     DHCPv4 or DHCPv6 client MAY prefer collecting LWM2M bootstrap server
316     URI and LWM2M server certificate by including
317     OPTION_LWM2M_BOOTSTRAP_URI and OPTION_LWM2M_SERVER_CERTIFICATE
318     options in DHCPINFORM or INFORMATION-REQUEST message which MAY be
319     sent during LWM2M client initialization.

321     LWM2M client devices running with IPv6 stack MAY use stateless auto
322     address configuration to get IPv6 address.  Such clients MAY use
323     DHCPv6 INFORMATION-REQUEST to get LWM2M bootstrap URI and LWM2M
324     server certificate through options OPTION_LWM2M_BOOTSTRAP_URI
325     and OPTION_LWM2M_SERVER_CERTIFICATE.

327  8.  Relay agent Behavior

329     This draft does not impose any new requirements on DHCPv4 or DHCPv6
330     relay agent functionality.

332  9.  Security Considerations

334     OPTION_LWM2M_BOOTSTRAP_URI and OPTION_LWM2M_SERVER_CERTIFICATE options
335     could be used by an intruder to advertise the URI of a malicious
336     LWM2M bootstrap server and certificate and can alter the LWM2M
337     management server details provided to LWM2M client.  The consequences
338     of such an attack can be critical, because any data that is reported
339     by LWM2M client MAY reach unwanted LWM2M management server.  As an
340     example, an attacker could collect data from secure locations by
341     deploying malicious servers.

343     To prevent these attacks, it is strongly advisable to secure the use
344     of this option by either:

346     o  Using authenticated DHCP as described in [RFC3315], Section 21.

348     o  Using options OPTION_LWM2M_BOOTSTRAP_URI and
349        OPTION_LWM2M_SERVER_CERTIFICATE only with trusted DHCP server

351     The security considerations documented in [RFC3315] are to be
352     considered.

354  10.  Acknowledgement

356     Particular thanks to A. Keraenen, J. Jimenez, J. Melen and S.
357     Krishnan for the concept, inputs and review.

359  11.  IANA Considerations

361     IANA is requested to assign new DHCPv6 option codes in the registry
362     maintained in http://www.iana.org/assignments/dhcpv6-parameters:

364                |           Option Name           |  Value   |
365                |---------------------------------+----------|
366                | OPTION_LWM2M_BOOTSTRAP_URI      |   TBA    |
367                | OPTION_LWM2M_SERVER_CERTIFICATE |   TBA    |

369     IANA is requested to assign new DHCPv4 option codes in the registry
370     maintained in http://www.iana.org/assignments/bootp-dhcp-parameters:

372                |           Option Name           |  Value   |
373                |---------------------------------+----------|
374                | OPTION_LWM2M_BOOTSTRAP_URI      |   TBA    |
375                | OPTION_LWM2M_SERVER_CERTIFICATE |   TBA    |

377  12.  References

379  12.1.  Normative References

381     [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
382                Requirement Levels", BCP 14, RFC 2119,
383                DOI 10.17487/RFC2119, March 1997,
384                .

386     [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
387                RFC 2131, DOI 10.17487/RFC2131, March 1997,
388                .

390     [RFC2132]  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
391                Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997,
392                .

394     [RFC3315]  Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
395                C., and M. Carney, "Dynamic Host Configuration Protocol
396                for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
397                2003, .

399     [RFC3396]  Lemon, T. and S. Cheshire, "Encoding Long Options in the
400                Dynamic Host Configuration Protocol (DHCPv4)", RFC 3396,
401                DOI 10.17487/RFC3396, November 2002,
402                .

404     [RFC4306]  Kaufman, C., Ed., "Internet Key Exchange (IKEv2)
405                Protocol", RFC 4306, DOI 10.17487/RFC4306, December 2005,
406                .

408     [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
409                Housley, R., and W. Polk, "Internet X.509 Public Key
410                Infrastructure Certificate and Certificate Revocation List
411                (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
412                .

414     [RFC7227]  Hankins, D., Mrugalski, T., Siodelski, M., Jiang, S., and
415                S. Krishnan, "Guidelines for Creating New DHCPv6 Options",
416                BCP 187, RFC 7227, DOI 10.17487/RFC7227, May 2014,
417                .

419     [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
420                Kivinen, "Internet Key Exchange Protocol Version 2
421                (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
422                2014, .

424  12.2.  Informative References

426     [IKEv2IANA]
427                "Internet Key Exchange Version 2 (IKEv2) Parameters",
428                n.d., .

431  Author's Address

433     Srinivas Rao Nalluri
434     Ericsson
435     Bangalore
436     India

438     Email: srinivasa.rao.nalluri@ericsson.com
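
The DHCPv4 encoding from Sections 3.3, 3.4 and 5.2, shown as an added Python example that is not part of the draft or of any implementation of it: a client reassembles options split per [RFC3396], then checks the URI and the cert-encoding octet before handing anything to the LWM2M client. Assumptions: option codes 224 and 225 are placeholders for the TBA values, option-len is taken to cover the cert-encoding octet as well as the certificate, the `coap`/`coaps` allow-list is this example's own policy, and all function names and sample bytes are constructed.

```python
from urllib.parse import urlsplit

# Placeholder option codes: the draft lists both as TBA. 224 and 225 come
# from the DHCPv4 site-specific range and are used only for this example.
OPT_BOOTSTRAP_URI, OPT_SERVER_CERT = 224, 225
PAD, END = 0, 255
# Section 4 values not marked UNSPECIFIED or DEPRECATED in the table.
USABLE_CERT_ENCODINGS = {4, 7, 12, 13, 14, 15}
# Assumption: schemes this client accepts for a bootstrap server.
ALLOWED_SCHEMES = {"coap", "coaps"}

def split_option(code: int, value: bytes) -> bytes:
    """Encode one option, splitting values over 255 octets (RFC 3396)."""
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)] or [b""]
    return b"".join(bytes([code, len(c)]) + c for c in chunks)

def collect_options(buf: bytes) -> dict:
    """Walk an options field, concatenating repeated codes (RFC 3396)."""
    opts, i = {}, 0
    while i < len(buf) and buf[i] != END:
        code = buf[i]
        if code == PAD:
            i += 1
            continue
        if i + 2 > len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} overruns the options field")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts

def parse_bootstrap_uri(value: bytes) -> str:
    """The URI is not null-terminated: reject NULs, non-ASCII, odd schemes."""
    if not value or b"\x00" in value:
        raise ValueError("empty URI or embedded NUL")
    uri = value.decode("ascii")  # UnicodeDecodeError is a ValueError
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"unacceptable bootstrap URI: {uri!r}")
    return uri

def parse_server_certificate(value: bytes) -> tuple:
    """First octet is cert-encoding (assumed counted in option-len)."""
    if len(value) < 2:
        raise ValueError("certificate option too short")
    encoding, cert = value[0], value[1:]
    if encoding not in USABLE_CERT_ENCODINGS:
        raise ValueError(f"cert-encoding {encoding} not accepted")
    return encoding, cert

# Constructed sample: a 600-octet dummy blob stands in for a DER certificate.
SAMPLE_CERT = bytes([4]) + bytes(range(200)) * 3
SAMPLE_OPTIONS = (split_option(OPT_BOOTSTRAP_URI, b"coaps://bs.example.net:5684")
                  + split_option(OPT_SERVER_CERT, SAMPLE_CERT) + bytes([END]))
```

These checks only bound what the client will parse; whether the DHCP server was entitled to supply the URI and certificate is the separate question Section 9 addresses.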