draft-ietf-dhc-forcerenew-nonce-07.txt   rfc6704.txt 
dhc D. Miles Internet Engineering Task Force (IETF) D. Miles
Internet-Draft Google Request for Comments: 6704 Google
Updates: 3203 (if approved) W. Dec Updates: 3203 W. Dec
Intended status: Standards Track Cisco Systems Category: Standards Track Cisco Systems
Expires: December 16, 2012 J. Bristow ISSN: 2070-1721 J. Bristow
Swisscom Schweiz AG Swisscom Schweiz AG
R. Maglione R. Maglione
Telecom Italia Telecom Italia
June 14, 2012 August 2012
Forcerenew Nonce Authentication Forcerenew Nonce Authentication
draft-ietf-dhc-forcerenew-nonce-07
Abstract Abstract
Dynamic Host Configuration Protocol (DHCP) FORCERENEW allows for the Dynamic Host Configuration Protocol (DHCP) FORCERENEW allows for the
reconfiguration of a single host by forcing the DHCP client into a reconfiguration of a single host by forcing the DHCP client into a
Renew state on a trigger from the DHCP server. In Forcerenew Nonce Renew state on a trigger from the DHCP server. In the Forcerenew
Authentication the server sends a nonce to the client in the initial Nonce Authentication protocol, the server sends a nonce to the client
DHCP ACK that is used for subsequent validation of a FORCERENEW in the initial DHCP ACK that is used for subsequent validation of a
message. This document updates RFC 3203. FORCERENEW message. This document updates RFC 3203.
Status of this Memo
This Internet-Draft is submitted in full conformance with the Status of This Memo
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering This is an Internet Standards Track document.
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
This Internet-Draft will expire on December 16, 2012. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6704.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction ....................................................2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language ...........................................3
3. Message authentication . . . . . . . . . . . . . . . . . . . . 3 3. Message Authentication ..........................................3
3.1. Forcerenew Nonce Authentication . . . . . . . . . . . . . 4 3.1. Forcerenew Nonce Authentication ............................3
3.1.1. Forcerenew Nonce Protocol Capability Option . . . . . 4 3.1.1. Forcerenew Nonce Protocol Capability Option .........4
3.1.2. Forcerenew Nonce Protocol . . . . . . . . . . . . . . 7 3.1.2. Forcerenew Nonce Authentication Protocol ............6
3.1.3. Server considerations for Forcerenew Nonce 3.1.3. Server Considerations for Forcerenew Nonce
Authentication . . . . . . . . . . . . . . . . . . . . 8 Authentication ......................................8
3.1.4. Client considerations for Forcerenew Nonce 3.1.4. Client Considerations for Forcerenew Nonce
Authentication . . . . . . . . . . . . . . . . . . . . 9 Authentication ......................................9
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 4. IANA Considerations ............................................10
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 5. Security Considerations ........................................10
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 5.1. Protocol Vulnerabilities ..................................11
6.1. Protocol vulnerabilities . . . . . . . . . . . . . . . . . 11 6. Acknowledgements ...............................................11
7. Normative References . . . . . . . . . . . . . . . . . . . . . 11 7. Normative References ...........................................11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
The DHCP Reconfigure Extension defined in [RFC3203] is a useful The DHCP reconfigure extension defined in [RFC3203] is a useful
mechanism allowing dynamic reconfiguration of a single host triggered mechanism allowing dynamic reconfiguration of a single host triggered
by the DHCP server. Its application is currently limited by a by the DHCP server. Its application is currently limited by a
requirement that FORCERENEW message is always authenticated using requirement that a Forcerenew message is always authenticated using
procedures as described in [RFC3118]. Authentication for DHCP procedures as described in [RFC3118]. Authentication for DHCP
[RFC3118] is mandatory for FORCERENEW, however as it is currently [RFC3118] is mandatory for FORCERENEW; however, as it is currently
defined [RFC3118] requires distribution of constant token or shared- defined, [RFC3118] requires distribution of constant token or shared-
secret out-of-band to DHCP clients. secret out-of-band to DHCP clients.
The motivation for making authentication mandatory in DHCP FORCERENEW The motivation for making authentication mandatory in DHCP FORCERENEW
was to prevent an off-network attacker from taking advantage of DHCP was to prevent an off-network attacker from taking advantage of DHCP
FORCERENEW to accurately predict the timing of a DHCP renewal. FORCERENEW to accurately predict the timing of a DHCP renewal.
Without DHCP FORCERENEW, DHCP renewal timing is under the control of Without DHCP FORCERENEW, DHCP renewal timing is under the control of
the client, and an off-network attacker has no way of predicting when the client, and an off-network attacker has no way of predicting when
it will happen, since it doesn't have access to the exchange between it will happen, since it doesn't have access to the exchange between
the DHCP client and DHCP server. the DHCP client and DHCP server.
However, the requirement to use the DHCP authentication described in However, the requirement to use the DHCP authentication described in
[RFC3118] is more stringent than is required for this use case, and [RFC3118] is more stringent than is required for this use case and
has limited adoption of DHCP FORCERENEW. [RFC3315] defines an has limited adoption of DHCP FORCERENEW. [RFC3315] defines an
authentication protocol using a nonce to prevent off-network authentication protocol using a nonce to prevent off-network
attackers from successfully causing clients to renew. Since the off- attackers from successfully causing clients to renew. Since the off-
network attacker doesn't have access to the nonce, it can't trick the network attacker doesn't have access to the nonce, it can't trick the
client into renewing at a time of its choosing. client into renewing at a time of its choosing.
This document defines extensions to Authentication for DHCPv4 This document defines extensions to Authentication for DHCPv4
Messages [RFC3118] to create a new authentication protocol for DHCPv4 Messages [RFC3118] to create a new authentication protocol for DHCPv4
FORCERENEW [RFC3203] messages; this method does not require out-of- FORCERENEW [RFC3203] messages; this method does not require out-of-
band key distribution to DHCP clients. The Forcerenew Nonce is band key distribution to DHCP clients. The Forcerenew Nonce is
exchanged between server and client on initial DHCP ACK and is used exchanged between server and client on initial DHCP ACK and is used
for verification of any subsequent FORCERENEW message. This document for verification of any subsequent FORCERENEW message. This document
updates [RFC3203] updates [RFC3203].
2. Requirements Language 2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Message authentication 3. Message Authentication
The FORCERENEW message MUST be authenticated using either [RFC3118] The Forcerenew message MUST be authenticated using either [RFC3118]
or the proposed Forcerenew Nonce Authentication protocol. or the proposed Forcerenew Nonce Authentication protocol.
3.1. Forcerenew Nonce Authentication 3.1. Forcerenew Nonce Authentication
The Forcerenew nonce authentication protocol provides protection The Forcerenew Nonce Authentication protocol provides protection
against misconfiguration of a client caused by a FORCERENEW message against misconfiguration of a client caused by a Forcerenew message
sent by a malicious DHCP server. In this protocol, a DHCP server sent by a malicious DHCP server. In this protocol, a DHCP server
sends a Forcerenew nonce to the client in the initial exchange of sends a Forcerenew Nonce to the client in the initial exchange of
DHCP messages. The client records the Forcerenew nonce for use in DHCP messages. The client records the Forcerenew Nonce for use in
authenticating subsequent Forcerenew messages from that server. The authenticating subsequent Forcerenew messages from that server. The
server then includes an HMAC computed from the Forcerenew nonce in server then includes a Hashed Message Authentication Code (HMAC)
subsequent FORCERENEW messages. computed from the Forcerenew nonce in subsequent Forcerenew messages.
Both the Forcerenew nonce sent from the server to the client and the Both the Forcerenew Nonce sent from the server to the client and the
HMAC in subsequent FORCERENEW messages are carried as the HMAC in subsequent Forcerenew messages are carried as the
Authentication information in a DHCP Authentication option. The Authentication information in a DHCP Authentication option. The
format of the Authentication information is defined in the following format of the Authentication information is defined in the following
section. section.
The Forcerenew nonce protocol is used (initiated by the server) only The Forcerenew Nonce Authentication protocol is used (initiated by
if the client and server are not using the authentication mechanism the server) only if the client and server are not using the
specified in [RFC3118] and the client and server have negotiated to authentication mechanism specified in [RFC3118] and the client and
use the Forcerenew Nonce Authentication protocol. server have negotiated to use the Forcerenew Nonce Authentication
protocol.
3.1.1. Forcerenew Nonce Protocol Capability Option 3.1.1. Forcerenew Nonce Protocol Capability Option
A DHCP client indicates DHCP Forcerenew Nonce Protocol capability by A DHCP client indicates DHCP Forcerenew Nonce Protocol capability by
including a FORCERENEW_NONCE_CAPABLE(<TBD>) option in DHCP Discover including a FORCERENEW_NONCE_CAPABLE (145) option in DHCP Discover
and Request messages sent to the server. and Request messages sent to the server.
A DHCP server that does not support Forcerenew Nonce Protocol A DHCP server that does not support Forcerenew Nonce Authentication
authentication SHOULD ignore the FORCERENEW_NONCE_CAPABLE(<TBD>) protocol authentication SHOULD ignore the FORCERENEW_NONCE_CAPABLE
option. A DHCP server indicates DHCP Forcerenew Nonce Protocol (145) option. A DHCP server indicates DHCP Forcerenew Nonce Protocol
preference by including a FORCERENEW_NONCE_CAPABLE(<TBD>) option in preference by including a FORCERENEW_NONCE_CAPABLE (145) option in
any DHCP Offer messages sent to the client. any DHCP Offer messages sent to the client.
A DHCP client MUST NOT send DHCP messages with authentication options A DHCP client MUST NOT send DHCP messages with authentication options
where the protocol value is Forcerenew Nonce Authentication(<TBD>). where the protocol value is Forcerenew Nonce Authentication.
The FORCERENEW_NONCE_CAPABLE option contains code <TDB>, length n and The FORCERENEW_NONCE_CAPABLE option contains code 145, length n, and
a sequence of algorithms the client supports: a sequence of algorithms the client supports:
Code Len Algorithms Code Len Algorithms
+-----+-----+----+----+----+ +-----+-----+----+----+----+
| TBD | n | A1 | A2 | A3 | .... | 145 | n | A1 | A2 | A3 | ....
+-----+-----+----+----+----+ +-----+-----+----+----+----+
This document, in section Section 3.1.2, defines the Forcerenew Nonce Figure 1: FORCERENEW_NONCE_CAPABLE Option
Protocol for algorithm equal to 1 and type equal to 2; future
documents will specify the other values for algorithm !=1 and type In this document, Section 3.1.2 defines the Forcerenew Nonce
!=2, allowing a different algorithm to be used with shorter/longer Authentication protocol for algorithm equal to 1 and type equal to 2;
values. future documents will specify the other values for algorithm !=1 and
type !=2, allowing a different algorithm to be used with shorter/
longer values.
The client would indicate that it supports the functionality by The client would indicate that it supports the functionality by
inserting the FORCERENEW_NONCE_CAPABLE option in the DHCP Discover inserting the FORCERENEW_NONCE_CAPABLE option in the DHCP Discover
and Request messages. If the server supports Forcerenew nonce and Request messages. If the server supports Forcerenew nonce
authentication and requires Forcerenew nonce authentication, it will authentication and requires Forcerenew nonce authentication, it will
insert the FORCERENEW_NONCE_CAPABLE option in the DHCP Offer message. insert the FORCERENEW_NONCE_CAPABLE option in the DHCPOFFER.
Server Client Server Server Client Server
(not selected) (selected) (not selected) (selected)
v v v v v v
| | | | | |
| Begins initialization | | Begins initialization |
| | | | | |
| _____________/|\____________ | | _____________/|\____________ |
|/DHCPDISCOVER | DHCPDISCOVER \| |/DHCPDISCOVER | DHCPDISCOVER \|
| w/Forcerenew- | w/Forcerenew- | | w/FORCERENEW- | w/FORCERENEW- |
| Nonce-Capable | Nonce-Capable | | NONCE-CAPABLE | NONCE-CAPABLE |
| | | | | |
Determines | Determines Determines | Determines
configuration | configuration configuration | configuration
| | | | | |
|\ | /| |\ | /|
| \__________ | _________/ | | \__________ | _________/ |
| DHCPOFFER \ | /DHCPOFFER | | DHCPOFFER \ | /DHCPOFFER |
|w/Forcerenew \ | /w/Forcerenew| |w/FORCERENEW \ | /w/FORCERENEW|
|Nonce-Capable \| /Nonce-Capable| |NONCE-CAPABLE \| /NONCE-CAPABLE|
| | | | | |
| Collects replies | | Collects replies |
| | | | | |
| Selects configuration | | Selects configuration |
| | | | | |
| _____________/|\____________ | | _____________/|\____________ |
|/ DHCPREQUEST | DHCPREQUEST\ | |/ DHCPREQUEST | DHCPREQUEST\ |
| w/Forcerenew- | w/Forcerenew- | | w/Forcerenew- | w/Forcerenew- |
| Nonce-Capable | Nonce-Capable | | Nonce-Capable | Nonce-Capable |
| | | | | |
skipping to change at page 6, line 25 skipping to change at page 6, line 15
| |/ DHCPFORCE | | |/ DHCPFORCE |
| | w/Auth-Proto= | | | w/Auth-Proto= |
| | Forcerenew- | | | Forcerenew- |
| | Digest(HMAC)| | | Digest(HMAC)|
| | | | | |
| Client checks HMAC digest | | Client checks HMAC digest |
| using stored Forcerenew Nonce | | using stored Forcerenew Nonce |
| | | | | |
| |\____________ | | |\____________ |
| | DHCPREQUEST\ | | | DHCPREQUEST\ |
| | w/Forcerenew- | | | w/FORCERENEW- |
| | Nonce-Capable | | | NONCE-CAPABLE |
| | | | | |
| | Commits configuration | | Commits configuration
| | | | | |
| |Creates 128-bit Forcerenew Nonce | |Creates 128-bit Forcerenew Nonce
| | | | | |
| | _____________/| | | _____________/|
| |/ DHCPACK | | |/ DHCPACK |
| | w/Auth-Proto= | | | w/Auth-Proto= |
| | Forcerenew- | | | Forcerenew- |
| | Nonce | | | Nonce |
skipping to change at page 7, line 5 skipping to change at page 6, line 42
| | | | | |
| Graceful shutdown | | Graceful shutdown |
| | | | | |
| |\ ____________ | | |\ ____________ |
| | DHCPRELEASE \| | | DHCPRELEASE \|
| | | | | |
| | Discards lease | | Discards lease
| | | | | |
v v v v v v
3.1.2. Forcerenew Nonce Protocol Figure 2: Timeline Diagram of Messages Exchanged between DHCP Client
and Servers Using the Forcerenew Nonce Authentication Protocol
The Forcerenew Nonce Protocol makes use of both the DHCP 3.1.2. Forcerenew Nonce Authentication Protocol
authentication option defined in [RFC3118] re-using the option format
and of the Reconfigure Key Authentication Protocol defined in The Forcerenew Nonce Authentication protocol makes use of both the
DHCP authentication option defined in [RFC3118] reusing the option
format and of the Reconfigure Key Authentication Protocol defined in
[RFC3315]. [RFC3315].
The following diagram defines the format of the DHCP authentication The following diagram defines the format of the DHCP authentication
option: option:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Length | Protocol | Algorithm | | Code | Length | Protocol | Algorithm |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RDM | Replay Detection (64 bits) | | RDM | Replay Detection (64 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Replay cont. | | Replay cont. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Replay cont. | | | Replay cont. | |
+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+ |
| | | |
| Authentication Information | | Authentication Information |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Format of the DHCP Authentication Option
The following fields are set in an DHCP authentication option for the The following fields are set in an DHCP authentication option for the
Forcerenew Nonce Authentication Protocol: Forcerenew Nonce Authentication protocol.
code 90 Code: 90 (Authentication) per [RFC3118]
length field contains the length of the protocol Length: contains the length of the protocol
protocol 3 Protocol: 3 (Reconfigure Key) per [RFC3118]
algorithm 1 Algorithm: 1 (HMAC-MD5) per [RFC3118] and [RFC3315]
Replay Detection field is per the Replay Detection Method (RDM) Replay Detection: per the Replay Detection Method (RDM)
Replay Detection Method (RDM) 0
Authentication Information: specified below Replay Detection Method (RDM): 0
The format of the Authentication information for the Forcerenew Nonce Authentication Information: specified below
Authentication Protocol is:
0 1 2 3 The format of the Authentication Information for the Forcerenew Nonce
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 Authentication Protocol is as follows:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Value (128 bits) |
+-+-+-+-+-+-+-+-+ |
. .
. .
. +-+-+-+-+-+-+-+-+
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type Type of data in Value field carried in this option: 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Value (128 bits) |
+-+-+-+-+-+-+-+-+ |
. .
. .
. +-+-+-+-+-+-+-+-+
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1 Forcerenew nonce Value (used in ACK message) Figure 4: Format of the Authentication Information
2 HMAC-MD5 digest of the message (FORCERENEW message) Type: The type of data in Value field carried in this option:
Value Data as defined by field 1 Forcerenew nonce Value (used in ACK message)
3.1.3. Server considerations for Forcerenew Nonce Authentication 2 HMAC-MD5 digest of the message (Forcerenew message)
The use of Forcerenew Nonce Protocol is dependent on the client Value: The message authentication code generated by applying MD5
indicating its capability through the FORCERENEW_NONCE_CAPABLE(<TBD>) to the DHCP message
DHCP option in any DHCP Discover or Request messages. The DHCP
Discovery or Request message from the client MUST contain the
FORCERENEW_NONCE_CAPABLE(<TBD>) option if the Forcerenew Nonce
Protocol is to be used by the server. The absence of the
FORCERENEW_NONCE_CAPABLE(<TBD>) option indicates to the server that
the Forcerenew Nonce Authentication protocol is not supported and
thus the server MUST NOT include a Forcerenew Nonce Protocol
Authentication option in the DHCP Ack.
The server indicates its support of the Forcerenew Nonce Protocol 3.1.3. Server Considerations for Forcerenew Nonce Authentication
authentication by including the DHCP FORCERENEW_NONCE_CAPABLE(<TBD>)
option in the DHCP Offer message. The server SHOULD NOT include this The use of Forcerenew Nonce Authentication protocol is dependent on
option unless the client has indicated its capability in a DHCP the client indicating its capability through the
Discovery message . The presence of the FORCERENEW_NONCE_CAPABLE (145) DHCP option in any DHCP Discover or
FORCERENEW_NONCE_CAPABLE(<TDB>) option in the DHCP offer may be used Request messages. The DHCP Discovery or Request message from the
by clients to prefer Forcerenew nonce Protocol authentication-capable client MUST contain the FORCERENEW_NONCE_CAPABLE (145) option if the
DHCP servers over those servers which do not support such capability. Forcerenew Nonce Protocol is to be used by the server. The absence
of the FORCERENEW_NONCE_CAPABLE (145) option indicates to the server
that the Forcerenew Nonce Authentication protocol is not supported;
thus, the server MUST NOT include a Forcerenew Nonce Protocol
Authentication option in the DHCP ACK.
The server indicates its support of the Forcerenew Nonce
Authentication protocol by including the DHCP
FORCERENEW_NONCE_CAPABLE (145) option in the DHCPOFFER. The server
SHOULD NOT include this option unless the client has indicated its
capability in a DHCP Discovery message. The presence of the
FORCERENEW_NONCE_CAPABLE (145) option in the DHCP offer may be used
by clients to prefer DHCP servers that are Forcerenew Nonce
Authentication protocol capable over those servers that do not
support such capability.
If a capable server receives a DISCOVER or REQUEST (any type) that If a capable server receives a DISCOVER or REQUEST (any type) that
indicates the client is capable, and the server has no previous nonce indicates the client is capable, and the server has no previous nonce
recorded, it MUST generate a nonce and include it in the ACK. recorded, it MUST generate a nonce and include it in the ACK.
The server selects a Forcerenew nonce for a client only during The server selects a Forcerenew Nonce for a client only during
Request/Ack message exchange. The server records the Forcerenew Request/ACK message exchange. The server records the Forcerenew
nonce and transmits that nonce to the client in an Authentication nonce and transmits that nonce to the client in an Authentication
option in the DHCP Ack message. option in the DHCP ACK message.
The server SHOULD NOT include the nonce in an ACK when responding to The server SHOULD NOT include the nonce in an ACK when responding to
a renew unless a new nonce was generated. This minimizes the number a renew unless a new nonce was generated. This minimizes the number
of times the nonce is sent over the wire. of times the nonce is sent over the wire.
If the server to which the DHCP Request message was sent at time T1 If the server to which the DHCP Request message was sent at time T1
has not responded, the client enters the REBINDING state and attempts has not responded, the client enters the REBINDING state and attempts
to contact any server. The new Server receiving the DHCP message to contact any server. The new Server receiving the DHCP message
MUST generate a new nonce. MUST generate a new nonce.
The Forcerenew nonce is 128 bits long, and MUST be a The Forcerenew nonce is 128 bits long, and it MUST be a
cryptographically strong random or pseudo-random number that cannot cryptographically strong random or pseudo-random number that cannot
easily be predicted. The nonce is embedded as a 128-bit value of the easily be predicted. The nonce is embedded as a 128-bit value of the
Authentication information where type is set to 1 (Forcerenew nonce Authentication information where type is set to 1 (Forcerenew nonce
Value). Value).
To provide authentication for a Forcerenew message, the server To provide authentication for a Forcerenew message, the server
selects a replay detection value according to the RDM selected by the selects a replay detection value according to the RDM selected by the
server, and computes an HMAC-MD5 of the Forcerenew message, based on server and computes an HMAC-MD5 of the Forcerenew message, based on
the procedure specified in section 21.5 of [RFC3315], using the the procedure specified in Section 21.5 of [RFC3315], using the
Forcerenew nonce for the client. The server computes the HMAC-MD5, Forcerenew Nonce for the client. The server computes the HMAC-MD5
based on the procedure specified in section 21.5 of [RFC3315], over over the entire DHCP Forcerenew message, including the Authentication
the entire DHCP Forcerenew message, including the Authentication
option; the HMAC-MD5 field in the Authentication option is set to option; the HMAC-MD5 field in the Authentication option is set to
zero for the HMAC-MD5 computation. The server includes the HMAC-MD5 zero for the HMAC-MD5 computation
in the authentication information field in an Authentication option
included in the Forcerenew message sent to the client with type set
to 2 (HMAC-MD5 digest).
3.1.4. Client considerations for Forcerenew Nonce Authentication 3.1.4. Client Considerations for Forcerenew Nonce Authentication
A client that supports this mechanism MUST indicate Forcerenew nonce A client that supports this mechanism MUST indicate Forcerenew nonce
Capability by including the FORCERENEW_NONCE_CAPABLE(<TBD>) DHCP Capability by including the FORCERENEW_NONCE_CAPABLE (145) DHCP
option defined in Section 3.1.1 in all DHCP Discover and Request option defined in Section 3.1.1 in all DHCP Discover and Request
messages. DHCP servers that support Forcerenew nonce Protocol messages. DHCP servers that support Forcerenew nonce Protocol
authentication MUST include the FORCERENEW_NONCE_CAPABLE(<TBD>) DHCP authentication MUST include the FORCERENEW_NONCE_CAPABLE (145) DHCP
option in all DHCP Offers, allowing the client to use this capability option in all DHCP Offers, allowing the client to use this capability
in selecting DHCP servers should multiple Offers arrive. in selecting DHCP servers should multiple Offers arrive.
The client MUST validate the DHCP Ack message contains a Forcerenew The client MUST validate the DHCP ACK message contains a Forcerenew
Nonce in a DHCP authentication option. If the server has indicated Nonce in a DHCP authentication option. If the server has indicated
capability for Forcerenew Nonce Protocol authentication in the DHCP capability for Forcerenew Nonce Authentication protocol in the DHCP
OFFER and the subsequent ACK received by the client while in the OFFER and the subsequent ACK received by the client while in the
selecting state omits a valid DHCP authentication option for the selecting state omits a valid DHCP authentication option for the
Forcerenew Nonce Protocol, the client MUST discard the message and Forcerenew Nonce Authentication protocol, the client MUST discard the
return to the INIT stat message and return to the INIT state.
The client MUST record the Forcerenew Nonce from any valid ACK it The client MUST record the Forcerenew Nonce from any valid ACK it
receives, if the ACK contains one. receives, if the ACK contains one.
To authenticate a Forcerenew message, the client computes an HMAC- To authenticate a Forcerenew message, the client computes an HMAC-
MD5, based on the procedure specified in section 21.5 of [RFC3315], MD5, based on the procedure specified in Section 21.5 of [RFC3315],
over the DHCP FORCERENEW message (after setting the HMAC-MD5 field in over the DHCP Forcerenew message (after setting the HMAC-MD5 field in
the Authentication option to zero), using the Forcerenew Nonce the Authentication option to zero), using the Forcerenew Nonce
received from the server. If this computed HMAC-MD5 matches the received from the server. If this computed HMAC-MD5 matches the
value in the Authentication option, the client accepts the FORCERENEW value in the Authentication option, the client accepts the FORCERENEW
message. message.
4. Acknowledgements 4. IANA Considerations
Comments are solicited and should be addressed to the DHC WG mailing
list (dhcwg@ietf.org) and/or the authors. This contribution is based
on work by Vitali Vinokour. Major sections of this draft use
modified text from [RFC3315]. The authors wish to thank Ted Lemon,
Matthew Ryan and Bernie Volz for their support.
5. IANA Considerations
This document requests IANA to assign the following new DHCPv4 option IANA has assigned the following new DHCPv4 option code from the
code from the registry "BOOTP Vendor Extensions and DHCP Options" registry "BOOTP Vendor Extensions and DHCP Options" maintained at
maintained at http://www.iana.org/assignments/bootp-dhcp-parameters: http://www.iana.org/assignments/bootp-dhcp-parameters:
Tag: TBD Tag: 145
Name: FORCERENEW_NONCE_CAPABALE Name: FORCERENEW_NONCE_CAPABLE
Data lenght: 1 Data length: 1
Description: Forcerenew Nonce Capable Description: Forcerenew Nonce Capable
Reference: this document Reference: this document
6. Security Considerations 5. Security Considerations
As in some network environments FORCERENEW can be used to snoop and As in some network environments FORCERENEW can be used to snoop and
spoof traffic, the FORCERENEW message MUST be authenticated using the spoof traffic, the FORCERENEW message MUST be authenticated using the
procedures as described in [RFC3118] or the mechanism described in procedures as described in [RFC3118] or the mechanism described in
this document. this document.
The mechanism in [RFC3315] for DHCPv6, which this document mirrors The mechanism in [RFC3315] for DHCPv6, which this document mirrors
for DHCPv4, uses a nonce to prevent an off-link attacker from for DHCPv4, uses a nonce to prevent an off-link attacker from
successfully triggering a renewal on a client by sending successfully triggering a renewal on a client by sending
DHCPFORCERENEW; since the attacker is off-link, it doesn't have the DHCPFORCERENEW; since the attacker is off-link, it doesn't have the
nonce, and can't force a renewal. nonce, and can't force a renewal.
An on-link attacker can always simply watch the DHCP renewal message An on-link attacker can always simply watch the DHCP renewal message
go out and respond to it, so this mechanism is useless for preventing go out and respond to it, so this mechanism is useless for preventing
on-link attacks, and hence the security of the nonce in the case of on-link attacks; hence, the security of the nonce in the case of on-
on-link attacks isn't relevant. Therefore HMAC-MD5 is by definition link attacks isn't relevant. Therefore, HMAC-MD5 is, by definition,
adequate for the purpose, and there is no need for an extensible HMAC adequate for the purpose, and there is no need for an extensible HMAC
mechanism. FORCERENEW messages failing the authentication should be mechanism. FORCERENEW messages failing the authentication should be
silently discarded by the client. silently discarded by the client.
6.1. Protocol vulnerabilities 5.1. Protocol Vulnerabilities
The mechanism described in this document is vulnerable to a denial of The mechanism described in this document is vulnerable to a denial-
service attack through flooding a client with bogus FORCERENEW of-service (DoS) attack through flooding a client with bogus
messages. The calculations involved in authenticating the bogus FORCERENEW messages. The calculations involved in authenticating the
FORECERENEW messages may overwhelm the device on which the client is bogus FORECERENEW messages may overwhelm the device on which the
running. client is running.
The mechanism described provides protection against the use of a The mechanism described provides protection against the use of a
FORCERENEW message by a malicious DHCP server to mount a denial of FORCERENEW message by a malicious DHCP server to mount a DoS or man-
service or man-in-the-middle attack on a client. This protocol can in-the-middle attack on a client. This protocol can be compromised
be compromised by an attacker that can intercept the initial message by an attacker that can intercept the initial message in which the
in which the DHCP server sends the nonce to the client. DHCP server sends the nonce to the client.
6. Acknowledgements
This contribution is based on work by Vitali Vinokour. Major
sections of this document use modified text from [RFC3315]. The
authors wish to thank Ted Lemon, Matthew Ryan, and Bernie Volz for
their support.
7. Normative References 7. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP [RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP
Messages", RFC 3118, June 2001. Messages", RFC 3118, June 2001.
[RFC3203] T'Joens, Y., Hublet, C., and P. De Schrijver, "DHCP [RFC3203] T'Joens, Y., Hublet, C., and P. De Schrijver, "DHCP
skipping to change at page 12, line 12 skipping to change at page 12, line 10
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003. IPv6 (DHCPv6)", RFC 3315, July 2003.
Authors' Addresses Authors' Addresses
David Miles David Miles
Google Google
Phone: EMail: davidmiles@google.com
Fax:
Email:
URI:
Wojciech Dec Wojciech Dec
Cisco Systems Cisco Systems
Haarlerbergpark Haarlerbergweg 13-19 Haarlerbergpark Haarlerbergweg 13-19
Amsterdam, NOORD-HOLLAND 1101 CH Amsterdam, NOORD-HOLLAND 1101 CH
Netherlands Netherlands
Phone: EMail: wdec@cisco.com
Fax:
Email: wdec@cisco.com
URI:
James Bristow James Bristow
Swisscom Schweiz AG Swisscom Schweiz AG
Zentweg 9 Zentweg 9
Bern, 3050, Bern, 3050,
Switzerland Switzerland
Phone: EMail: James.Bristow@swisscom.com
Fax:
Email: James.Bristow@swisscom.com
URI:
Roberta Maglione Roberta Maglione
Telecom Italia Telecom Italia
Via Reiss Romoli 274 Via Reiss Romoli 274
Torino 10148 Torino 10148
Italy Italy
Phone: EMail: roberta.maglione@telecomitalia.it
Email: roberta.maglione@telecomitalia.it
 End of changes. 77 change blocks. 
192 lines changed or deleted 185 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/