draft-ietf-dhc-relay-id-suboption-12.txt   draft-ietf-dhc-relay-id-suboption-13.txt 
DHC B. Joshi DHC B. Joshi
Internet-Draft D. Ramakrishna Rao Internet-Draft D. Ramakrishna Rao
Intended status: Standards Track Infosys Ltd. Intended status: Standards Track Infosys Ltd.
Expires: July 19, 2013 M. Stapp Expires: August 23, 2013 M. Stapp
Cisco Systems, Inc. Cisco Systems, Inc.
January 15, 2013 February 19, 2013
The DHCPv4 Relay Agent Identifier Suboption The DHCPv4 Relay Agent Identifier Suboption
draft-ietf-dhc-relay-id-suboption-12.txt draft-ietf-dhc-relay-id-suboption-13.txt
Abstract Abstract
This document defines a new Relay Agent Identifier suboption for the This document defines a new Relay Agent Identifier suboption for the
Dynamic Host Configuration Protocol's (DHCP) Relay Agent Information Dynamic Host Configuration Protocol's (DHCP) Relay Agent Information
option. The suboption carries a value that uniquely identifies the option. The suboption carries a value that uniquely identifies the
relay agent device within the administrative domain. The value is relay agent device within the administrative domain. The value is
normally administratively-configured in the relay agent. The normally administratively-configured in the relay agent. The
suboption allows a DHCP relay agent to include the identifier in the suboption allows a DHCP relay agent to include the identifier in the
DHCP messages it sends. DHCP messages it sends.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 19, 2013. This Internet-Draft will expire on August 23, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 18 skipping to change at page 2, line 18
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Example Use-Cases . . . . . . . . . . . . . . . . . . . . . . . 3 3. Example Use-Cases . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Bulk Leasequery . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Bulk Leasequery . . . . . . . . . . . . . . . . . . . . . . 3
3.2. Industrial Ethernet . . . . . . . . . . . . . . . . . . . . 3 3.2. Industrial Ethernet . . . . . . . . . . . . . . . . . . . . 3
4. Suboption Format . . . . . . . . . . . . . . . . . . . . . . . 4 4. Suboption Format . . . . . . . . . . . . . . . . . . . . . . . 4
5. Identifier Stability . . . . . . . . . . . . . . . . . . . . . 4 5. Identifier Stability . . . . . . . . . . . . . . . . . . . . . 4
5.1. Identifier Uniqueness . . . . . . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
6.1. Forged Relay ID attacks . . . . . . . . . . . . . . . . . . 6
6.2. Factory Floor Scenario . . . . . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 7 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
9.1. Normative References . . . . . . . . . . . . . . . . . . . 7 9.1. Normative References . . . . . . . . . . . . . . . . . . . 8
9.2. Informative References . . . . . . . . . . . . . . . . . . 8 9.2. Informative References . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
The Dynamic Host Configuration Protocol for IPv4 (DHCPv4) [RFC2131] The Dynamic Host Configuration Protocol for IPv4 (DHCPv4) [RFC2131]
provides IP addresses and configuration information for IPv4 clients. provides IP addresses and configuration information for IPv4 clients.
It includes a relay agent capability, in which network elements It includes a relay agent capability, in which network elements
receive broadcast messages from clients and forward them to DHCP receive broadcast messages from clients and forward them to DHCP
servers as unicast messages. In many network environments, relay servers as unicast messages. In many network environments, relay
skipping to change at page 5, line 38 skipping to change at page 5, line 38
Handling situations where a relay agent device is replaced is another Handling situations where a relay agent device is replaced is another
aspect of stability. One of the use-cases for the relay identifier aspect of stability. One of the use-cases for the relay identifier
is to permit a server to associate clients' lease bindings with the is to permit a server to associate clients' lease bindings with the
relay device connected to the clients. If the relay device is relay device connected to the clients. If the relay device is
replaced, because it has failed or been upgraded, it may be desirable replaced, because it has failed or been upgraded, it may be desirable
for the new device to continue to provide the same relay identifier for the new device to continue to provide the same relay identifier
as the old device. Therefore if a relay agent supports relay-id, the as the old device. Therefore if a relay agent supports relay-id, the
relay-id should be administratively configurable. relay-id should be administratively configurable.
DISCUSSION: 5.1. Identifier Uniqueness
Administrators should take special care to ensure that relay-ids
configured in their relay agents are not duplicated. Some
implementation advice is offered to administrators with regard
to configuration of relay-ids, detection and consequences of
duplicate relay-ids.
Configuration of Relay-IDs:
Various strategies may be used to configure relay-ids. Any Administrators should take special care to ensure that relay-ids
proposed strategy should be evaluated in terms of whether it can configured in their relay agents are not duplicated. There are a
ensure unique relay-ids in the administrative domain. It should number of strategies that may be used to achieve this.
be noted that relay-ids configured using the strategy must also
satisfy requirements as stated in the rest of this document
(especially Section 5). One strategy that may be used is relay-id
on a relay agent may re-use an existing identifier or set of
identifiers that are already guaranteed to be unique (e.g.,
UUID [RFC4122] or IP address).
Consequences and Detection of Duplication of Relay-IDs: Administrators may use a strategy to configure unique relay-ids. One
such strategy is that a relay-id on a relay agent may re-use an
existing identifier or set of identifiers that are already guaranteed
to be unique (e.g., UUID [RFC4122]).
This document only defines relay-id suboption but not its For administrators who are already using a provisioning system to
use-cases. Consequences of duplication of relay-ids depend on manage their networking infrastructure, it may work to enumerate
how relay-ids are used. Administrators should create mechanisms relay agents on the basis of roles, and then as a second step, assign
to detect duplication of relay-ids. those roles to specific relay agents or groups of relay agents. In
such a scenario, when a replacement relay agent is first seen by the
DHCP server, this could trigger a configuration event on the
provisioning system, and the new relay agent could be assigned to the
role of the relay agent it is replacing.
Some mechanisms to detect duplication can be created based on In some cases it may be that the DHCP server has configurable event
use-cases of relay-id. For example, DHCP servers use various notification, and that a duplicate relay-id would cause some event
decision criteria during allocation of IP addresses and other that could trigger a notification, and that would never happen in any
resources. If relay-id is part of the decision criteria, DHCP other case. In this scenario, administrators should take advantage
server will attempt, but fail, to allocate the same resource of this feature. This is not a perfect solution, because it will not
(typically an IP address) to two devices on the opposite side work until such an event occurs.
of the two relay agents with duplicate IDs. In most cases this
won't happen, because the DHCP server isn't configured that way;
in the cases where it does happen, DHCP server should log the
failure.
It should be emphasized that these mechanisms may not be A network management/provisioning system may also be able to collect
fool-proof at indicating duplication of relay-ids as the cause a full list of all relay agents on the network. It may then notice
(the failures may be caused because of other reasons as well.) that more than one device reports the same relay-id. In such a case,
But they serve as a first step in the analysis towards detection the provisioning system could notify the administrator of the fault,
of duplication relay-ids. which could then be corrected.
In contrast, the following approach is suggested as a general This is not an exhaustive list of strategies. We suggest an
mechanism to detect duplication of relay-ids. Network management additional strategy in the security considerations section;
systems collect various types of information from the devices administrators are also encouraged to consider the specifics of their
under their control. As part of this, they should also collect own network configuration to see if there is some way to detect
relay-id configured for each relay-agent (it becomes easy to do duplicate relay-ids other than the ones listed here, if none of these
if relay-id is exposed as a MIB field). At the network management will work.
subsystem that has visibility into the entire administrative
domain, it should have back-end tools to check for duplicate
relay ids in the collected information.
6. Security Considerations 6. Security Considerations
6.1. Forged Relay ID attacks
Security issues with the Relay Agent Information option and its use Security issues with the Relay Agent Information option and its use
by servers in address assignment are discussed in [RFC3046] and by servers in address assignment are discussed in [RFC3046] and
[RFC4030]. The DHCP Relay Agent Information option depends on a [RFC4030]. The DHCP Relay Agent Information option depends on a
trusted relationship between the DHCP relay agent and the DHCP trusted relationship between the DHCP relay agent and the DHCP
server, as described in Section 5 of RFC 3046. While the server, as described in Section 5 of RFC 3046. While the
introduction of fraudulent DHCP relay agent information options can introduction of fraudulent DHCP relay agent information options can
be prevented by a perimeter defense that blocks these options unless be prevented by a perimeter defense that blocks these options unless
the DHCP relay agent is trusted, a deeper defense using the the DHCP relay agent is trusted, a deeper defense using the
authentication suboption for DHCP relay agent information option authentication suboption for DHCP relay agent information option
[RFC4030] SHOULD be deployed as well. It also helps in avoiding [RFC4030] SHOULD be deployed as well. It also helps in avoiding
duplication of relay identifiers by malicious entities. However, duplication of relay identifiers by malicious entities. However,
implementation of authentication suboption for DHCP relay agent implementation of authentication suboption for DHCP relay agent
information option [RFC4030] is not a must to support relay-id information option [RFC4030] is not a must to support relay-id
suboption. suboption.
6.2. Factory Floor Scenario
One possible use case for the relay-id suboption is the automated
configuration of machines on a factory floor. In this situation,
various sections of the factory floor might be on their own network
links, with a relay agent interposed between those links and the DHCP
server. The relay-id of each relay agent might cause special
configurations to be downloaded to those devices to control their
behavior.
If a relay agent was deployed on the factory floor in such a
situation, with an incorrect relay-id, there is the potential that
devices could be misconfigured in a way that could produce incorrect
results, cause physical damage, or even create hazardous conditions
for workers.
In deployment scenarios like this one, administrators must use some
dependable technique to ensure that such misconfigurations do not
occur. It is beyond the scope of this document to provide a complete
list of such techniques.
However, as an example, a relay agent device intended for use in such
a scenario could require the use of a hardware token that contains
the relay-id, that is physically attached to the installation
location of the relay agent device, and that can be connected to and
disconnected from the relay agent device without the use of special
tools. Such a relay agent device should not be operable when this
hardware token is not connected to it: either it should fail because
it presents an unknown identifier to the DHCP server, or it should
simply refuse to relay DHCP packets until the token is connected to
it.
A relay agent device that does not provide a clear mitigation
strategy for a scenario where misconfiguration could have damaging or
hazardous consequences should not be deployed in such a scenario.
7. IANA Considerations 7. IANA Considerations
We request that IANA assign a new suboption code from the registry of We request that IANA assign a new suboption code from the registry of
DHCP Agent Sub-Option Codes maintained in DHCP Agent Sub-Option Codes maintained in
http://www.iana.org/assignments/bootp-dhcp-parameters. http://www.iana.org/assignments/bootp-dhcp-parameters.
Relay Agent Identifier Suboption [TBA] Relay Agent Identifier Suboption [TBA]
8. Acknowledgments 8. Acknowledgments
 End of changes. 16 change blocks. 
54 lines changed or deleted 81 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/