draft-ietf-dhc-subnet-option-03.txt vs. draft-ietf-dhc-subnet-option-04.txt

Network Working Group                                         G. Waters
INTERNET-DRAFT                                          Nortel Networks
                                     June 1999 (-03) / April 2000 (-04)

The Subnet Selection Option for DHCP
<draft-ietf-dhc-subnet-option-03.txt> / <draft-ietf-dhc-subnet-option-04.txt>
Thursday, June 24, 1999, 10:43 AM (-03) / Friday, April 7, 2000, 12:11 PM (-04)
Status of this Memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

To learn the current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

Copyright Notice

Copyright (C) The Internet Society (1999 in -03; 2000 in -04). All Rights Reserved.

Abstract

This memo defines a new DHCP option for selecting the subnet on which
to allocate an address. This option would override a DHCP server's
normal methods of selecting the subnet on which to allocate an address
for a client.
Waters Expires: Jun 1999 + 6 months [Page 1]
Table of Contents

1. Introduction......................................................2
   1.1. Motivational Example.........................................2
2. Subnet Selection Option Definition................................3
3. Intellectual Property.............................................4
4. Acknowledgements..................................................4
5. Security Considerations...........................................4
6. References........................................................5
7. Editor's Addresses................................................5
then managing those addresses among its clients.

In this scenario, the device is connected to a private "internal"
network on which the DHCP server would be located. The device is also
connected to one or more service providing "external" networks (i.e.:
the networks that the device's clients are connected to). Furthermore,
the internal network is not IP connected to the external networks,
although inside the device there is connectivity between the internal
and external networks (e.g.: through the backplane).
Recall that the device is allocating addresses for its clients on the
external networks and that there is no IP connectivity between the
internal network and the external networks. The DHCP requests cannot
originate from the external networks since packets cannot be routed
between the external network and the internal network. Thus, the DHCP
requests must originate from the internal network. The problem with
originating the DHCP requests from the internal network is that the
DHCP server will allocate addresses on the internal network's subnet,
when what is required are addresses on the external subnets. The
subnet selection option provides a solution to this problem.
option to any client that sends it, regardless of whether or not the
client requests the option in a parameter request list. Clients using
this option MUST discard DHCPOFFER or DHCPACK packets that do not
contain this option.

This option does not require changes to operations or features of the
DHCP server other than to select the subnet on which to allocate an
address. For example, the handling of DHCPDISCOVER for an unknown
subnet should continue to operate unchanged.
When this option is present and the server supports this option, the
server MUST NOT offer an address that is not on the requested subnet
or network segment.

During an address renewal, the DHCP server may send a DHCPACK directly
to the allocated address; however, packets from the DHCP server may not
be routable to that address. Thus, in all packets that the DHCP client
sends that contain the subnet selection option, the giaddr field in
the BOOTP header MUST be set to an IP address on which the DHCP client
will accept DHCP packets (e.g.: the address of the subnet connected to
This document is the result of work undertaken by the DHCP working
group. Thanks to Ted Lemon, Tim Aston and Ralph Droms for their
helpful comments in this work.

5. Security Considerations

DHCP currently provides no authentication or security mechanisms.
Potential exposures to attack are discussed in section 7 of the
protocol specification [RFC2131].
The subnet selection option allows the DHCP client to specify the
subnet on which to allocate an address. This would allow a client to
perform a more complete address-pool exhaustion attack, since the
client would no longer be restricted to attacking address pools on
just its local subnet. Under the current DHCP security model there are
no methods available to circumvent this type of attack.
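The option handling rules in section 2 and the pool-exhaustion concern in this section, as an added Python example that is not part of the draft: a minimal parser for the DHCP options field, the client-side discard rule, and a server-side offer check that honours the requested subnet, requires giaddr to be set, and applies an assumed per-relay allow-list as a local mitigation. The option code 118 is the value the option was later assigned in RFC 3011 and does not appear on this page; the allow-list policy and all sample addresses are constructed.

```python
import ipaddress
from typing import Dict, Optional

# Option code assigned to the subnet selection option in RFC 3011 (assumed
# here, not shown on this page); its value is a 4-octet IPv4 subnet address.
SUBNET_SELECTION = 118
IPv4 = ipaddress.IPv4Address

def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Parse the DHCP options field (after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 0:            # pad octet carries no length
            i += 1
            continue
        if code == 255:          # end option
            break
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def requested_subnet(opts: Dict[int, bytes]) -> Optional[IPv4]:
    """Subnet address the client asked for, or None when the option is absent."""
    raw = opts.get(SUBNET_SELECTION)
    if raw is None:
        return None
    if len(raw) != 4:
        raise ValueError("subnet selection option must carry exactly 4 octets")
    return IPv4(raw)

def choose_offer(opts, giaddr, pools, policy) -> Optional[IPv4]:
    """Server side: address to offer, or None to stay silent.
    pools  : {IPv4Network: [free IPv4Address, ...]} served by this server.
    policy : {giaddr: {subnet addresses it may request}}, an assumed local
             allow-list that narrows the pool-exhaustion exposure (not in draft)."""
    want = requested_subnet(opts)
    if want is None or giaddr == IPv4("0.0.0.0"):
        return None      # option absent (normal selection) or giaddr unset
    if want not in policy.get(giaddr, set()):
        return None      # this relay is not permitted to ask for that subnet
    for net, free in pools.items():
        if net.network_address == want and free:
            return free[0]   # never an address off the requested subnet
    return None

def client_accepts(reply_opts: Dict[int, bytes]) -> bool:
    """Client side: a DHCPOFFER/DHCPACK lacking the option MUST be discarded."""
    return SUBNET_SELECTION in reply_opts
```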
6. References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Nortel Networks
310-875 Carling Avenue,
Ottawa, Ontario K1S 5P1
Canada

Phone: +1 613-798-4925
Email: gww@nortelnetworks.com
8. Full Copyright Statement

Copyright (C) The Internet Society (1999 in -03; 2000 in -04). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of developing
Internet standards in which case the procedures for copyrights defined
in the Internet Standards process must be followed, or as required to
translate it into languages other than English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.