DHC Working Group Y. Cui Internet-Draft L. Li Intended status: Standards Track J. Wu Expires: April 20, 2016 Tsinghua University L. Yiu Comcast October 18, 2015 Encryption Mechanism for DHCPv6 draft-cui-dhc-dhcpv6-encryption-04 Abstract The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) enables DHCPv6 servers to configure network parameters dynamically. However, due to the unsecured nature, various critical identifiers used in DHCPv6 are vulnerable to several types of attack. In order to protect the DHCPv6 from passive attack, such as pervasive monitoring attack, this document provides a mechanism to achieve the encryption between the DHCPv6 client and server. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 20, 2016. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents Cui, et al. Expires April 20, 2016 [Page 1] Internet-Draft DHCPv6 Encryption October 2015 carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Solution Overview . . . . . . . . . . . . . . . . . . . . . . 3 4. Client Behavior . . . . . . . . . . . . . . . . . . . . . . . 5 5. Relay Agent Behavior . . . . . . . . . . . . . . . . . . . . 6 6. Server Behavior . . . . . . . . . . . . . . . . . . . . . . . 6 7. New DHCPv6 Messages . . . . . . . . . . . . . . . . . . . . . 7 8. New DHCPv6 Options . . . . . . . . . . . . . . . . . . . . . 7 8.1. Encrypted-message Option . . . . . . . . . . . . . . . . 7 8.2. Encryption Public Key Option . . . . . . . . . . . . . . 8 9. Security Considerations . . . . . . . . . . . . . . . . . . . 9 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 11. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 9 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 12.1. Normative References . . . . . . . . . . . . . . . . . . 9 12.2. Informative References . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction The Dynamic Host Configuration Protocol for IPv6 [RFC3315] enables DHCPv6 servers to configure network parameters dynamically. Due to the unsecured nature of DHCPv6, the various critical identifiers are vulnerable to several types of attacks, particularly pervasive monitoring (PM) [RFC7258]. [I-D.ietf-dhc-dhcpv6-privacy] analyses the DHCPv6 privacy issues and discusses how various identifiers used in DHCPv6 could become a source for gleaning additional information of an individual. The IETF has expressed strong agreement that PM is an attack that needs to be mitigated where possible in [RFC7258]. Prior work has addressed some aspects of DHCPv6 security, but until now there has been little work to protect the DHCPv6 from passive attack, such as pervasive monitoring attack. Secure DHCPv6 [I-D.ietf-dhc-sedhcpv6] provides the authentication mechanism between DHCPv6 client and server along with the DHCPv6 transaction. However, the DHCPv6 message is still transmitted in clear text and the private information within the DHCPv6 message is not protected from pervasive monitoring. Anonymity profile for DHCP clients [I-D.ietf-dhc-anonymity-profile] provides guidelines on the composition of DHCPv4 or DHCPv6 request to minimize the disclosure of Cui, et al. Expires April 20, 2016 [Page 2] Internet-Draft DHCPv6 Encryption October 2015 identifying information. However, anonymity profile limits the use of the certain options and cannot protect all identifiers used in DHCP if new option containing some private information is defined. In addition, the anonymity profile cannot work in some situation where the client wants anonymity to attackers but not to the valid DHCP server. Besides, a separate encryption mechanism such as DTLS is also infeasible for DHCPv6, because the DHCPv6 relay can not recognize the 'secure' DHCPv6 message and may drop the DTLS messages. The proposed solution provides a mechanism to achieve the encryption between the DHCPv6 client and server in order to protect the DHCPv6 from passive attack, such as pervasive monitoring. Before the DHCPv6 configuration process, the Information-request and Reply messages exchange is used to inform the client of the server's public key. After the public key exchange, the following DHCPv6 messages are encrypted and encapsulated into two newly defined DHCPv6 messages: Encrypted-Query and Encrypted-Response. In this way, the various identifiers contained in DHCPv6 message are protected from passive attack. 2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Solution Overview In the proposed solution, the server's public key is communicated to the client before the standard DHCPv6 transactions. Once the client gets notified with the public key, the successive DHCPv6 configuration process can be encrypted with the recipient's public key. The encrypted DHCPv6 messages are put into the newly defined DHCPv6 option: encrypted-message option, and encapsulated into the two new DHCPv6 messages: Encrypted-Query and Encrypted-Response. This mechanism is used for the stateful DHCPv6 process starting with a SOLICIT message and the stateless DHCPv6 process starting with an Information-request message. This solution is based on the public/private key pairs of the DHCPv6 client and server. The client/server firstly generates a pair of public/private keys. The solution adds the Information-request and Reply messages exchange before the standard DHCPv6 configuration process. The information-request message is used by the client to obtain the server's public key information without having addresses assigned to it. The DHCPv6 client firstly multicasts an Information- request message to DHCPv6 servers. The client MUST request the encryption public key option in the Option Request option. When Cui, et al. Expires April 20, 2016 [Page 3] Internet-Draft DHCPv6 Encryption October 2015 receiving the Information-request message with the request for encryption public key, the server sends the Reply message that contains the server's public key option and server identifier option. Upon the receipt of the Reply message, the DHCPv6 client records the server's DUID as well as the corresponding public key. If the client receives multiple Reply messages, the client selects one DHCPv6 server for the following network parameters configuration. After the server's public key notification, the following DHCPv6 exchanges are encrypted with the recipient's public key and encapsulated into the encrypted-message option. For the stateful/ stateless scenario, the Solicit/Information-request message MUST contain the public key option to communicate the client's public key. The client sends the Encrypted-Query message to server, which carries the server identifier option and the encrypted-message option. The DHCPv6 server replies with the Encrypted-Response message to client, which contains the encrypted-message option. The following figure illustrates the DHCPv6 encryption procedure of the client-server exchanges involving four messages. Cui, et al. Expires April 20, 2016 [Page 4] Internet-Draft DHCPv6 Encryption October 2015 +-------------+ +-------------+ |DHCPv6 Client| |DHCPv6 Server| +-------------+ +-------------+ | Information-request | |----------------------------------------->| | Option Request option | | | | Reply | |<-----------------------------------------| | encryption public key option | | server identifier option | | | | Encryption-Query | |----------------------------------------->| | encrypted-message option (Solicit) | | server identifier option | | | | Encryption-Response | |<-----------------------------------------| | encrypted-message option (Advertise) | | | | Encryption-Query | |----------------------------------------->| | encrypted-message option (Request) | | server identifier option | | | | Encryption-Response | |<-----------------------------------------| | encrypted-message option (Reply) | DHCPv6 Encryption Procedure 4. Client Behavior If the client supports the encryption mode, it MUST generate a public/private key pair. For the client supporting the encryption mode, it multicasts the Information-request message to the DHCPv6 servers. The Information-request message MUST NOT include any option which may reveal the private information of the client, such as the client identifier option. The client MUST include an Option Request option to request the encryption public key option. When the DHCPv6 client receives the Reply messages, the client MUST discard the those that do not contain the encryption public key option or the sever identifier option. Upon the receipt of the Reply message, the DHCPv6 client records the server's DUID as well as the corresponding public key. If the client receives multiple Reply messages, the client selects one DHCPv6 server for the following Cui, et al. Expires April 20, 2016 [Page 5] Internet-Draft DHCPv6 Encryption October 2015 network parameters configuration. Once the server's public key is informed, the DHCPv6 client sends the Encrypted-Query message to the DHCPv6 server. The Encrypted-Query message is constructed with the encrypted-message option and server identifier option. The encrypted-message option contains the DHCPv6 message that is encrypted using the selected server's public key. The server identifier option is externally visible to avoid extra cost by those unselected servers. The Solicit/Information-request message MUST contain the public key option for the client's public key exchange. For the received Encrypted-Response message, the client extracts the encrypted-message option and decrypts it using its private key to obtain the original DHCPv6 message. Then it handles the message as per [RFC3315]. If the client fails to get the proper parameters from the chosen server, it sends the Encrypted-Query message to another authenticated server for parameters configuration until the client obtains the proper parameters. 5. Relay Agent Behavior When a DHCPv6 relay agent receives an Encrypted-query or Encrypted- response message, it may not recognize this message. The unknown messages MUST be forwarded as describes in [RFC7283]. When a DHCPv6 relay agent recognizes the Encrypted-query and Encrypted-response messages, it forwards the message according to section 20 of [RFC3315]. 6. Server Behavior When the DHCPv6 server receives the Information-request message with encryption public key option request, it replies the Reply message to the client, which includes the encryption public key option and server identifier option. Upon the receipt of Encrypted-Query message, the server checks the server identifier option. It decrypts the encrypted-message option using its private key if it is the target server. The DHCPv6 server drops the message that is not for it, thus not paying cost to decrypt the message. If the decrypted message is the Solicit/Information- request message, the server MSUT discard the decrypted message that does not include the encryption public key option. The server is informed of the client's public through the encryption public key option contained in the Solicit/Information-request message. After the server is informed of the client's public key, the DHCPv6 Cui, et al. Expires April 20, 2016 [Page 6] Internet-Draft DHCPv6 Encryption October 2015 messages, which is sent from server to client, is encrypted using the client's public key. The encrypted DHCPv6 message is encapsulated into the encrypted-message option. The Encrypted-Response message contains the encrypted-message option. 7. New DHCPv6 Messages There are two DHCPv6 messages defined: Encrypted-Query and Encrypted- Response. Both DHCPv6 messages defined in this document share the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | msg-type | transaction-id | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . options . . (variable) . | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1: The format of New DHCPv6 Messages msg-type ENCRYPTED-QUERY (TBA1), ENCRYPTED-RESPONSE (TBA2). transaction-id The transaction ID for this message exchange. options Options carried in this message. 8. New DHCPv6 Options 8.1. Encrypted-message Option The encrypted-message option carries the encrypted DHCPv6 message with the recipient's public key. The format of the encrypted-message option is: Cui, et al. Expires April 20, 2016 [Page 7] Internet-Draft DHCPv6 Encryption October 2015 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | option-code | option-len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . encrypted DHCPv6 message . . (variable) . . . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2: encrypted-message Option Format option-code OPTION_ENCRYPTED_MSG (TBA3). option-len Length of the encrypted DHCPv6 message. encrypted DHCPv6 message A variable length field containing the encrypted DHCPv6 message sent by the client or server. In Encrypted-Query message, it contains encrypted DHCPv6 message sent by a client. In Encrypted-response message, it contains encrypted DHCPv6 message sent by a server. 8.2. Encryption Public Key Option The encryption public key option is defined to carry the sender's public key. The format of the encryption public key option is: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | option-code | option-len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . encryption public key . . (variable length) . . . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 3: Encryption Public Key Option Format option-code OPTION_ENCRYPTION_PUBLIC_KEY (TBA4). option-len Length of the encryption public key. encryption public key A variable length field containing the Cui, et al. Expires April 20, 2016 [Page 8] Internet-Draft DHCPv6 Encryption October 2015 sender's public key. The sender's public key is used for the following messages encryption. 9. Security Considerations TBD 10. IANA Considerations There are two new DHCPv6 messages defined and two new DHCPv6 options defined. The IANA is requested to assign values for these two messages and two options. The two messages are: o ENCRYPTED-QUERY (TBA1). o ENCRYPTED-RESPONSE (TBA2). The two options are: o OPTION_ENCRYPTED_MSG (TBA3) o OPTION_ENCRYPTION_PUBLIC_KEY (TBA4) 11. Contributors The authors would like to thank Bernie Volz, Tomek Mrugalski, Ralph Droms, Randy Bush, Stephen Farrell, Christian Huitema, Nico Williams, Erik Kline, Alan DeKok, Bernard Aboba, Sam Hartman, Qi Sun, Zilong Liu and Cong Liu. 12. References 12.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July 2003, . Cui, et al. Expires April 20, 2016 [Page 9] Internet-Draft DHCPv6 Encryption October 2015 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, . [RFC7283] Cui, Y., Sun, Q., and T. Lemon, "Handling Unknown DHCPv6 Messages", RFC 7283, DOI 10.17487/RFC7283, July 2014, . [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection Most of the Time", RFC 7435, DOI 10.17487/RFC7435, December 2014, . 12.2. Informative References [I-D.ietf-dhc-anonymity-profile] Huitema, C., Mrugalski, T., and S. Krishnan, "Anonymity profile for DHCP clients", draft-ietf-dhc-anonymity- profile-04 (work in progress), October 2015. [I-D.ietf-dhc-dhcpv6-privacy] Krishnan, S., Mrugalski, T., and S. Jiang, "Privacy considerations for DHCPv6", draft-ietf-dhc- dhcpv6-privacy-01 (work in progress), August 2015. [I-D.ietf-dhc-sedhcpv6] Jiang, S., Shen, S., Zhang, D., and T. Jinmei, "Secure DHCPv6", draft-ietf-dhc-sedhcpv6-08 (work in progress), June 2015. [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May 2014, . Authors' Addresses Yong Cui Tsinghua University Beijing 100084 P.R.China Phone: +86-10-6260-3059 Email: yong@csnet1.cs.tsinghua.edu.cn Cui, et al. Expires April 20, 2016 [Page 10] Internet-Draft DHCPv6 Encryption October 2015 Lishan Li Tsinghua University Beijing 100084 P.R.China Phone: +86-15201441862 Email: lilishan9248@126.com Jianping Wu Tsinghua University Beijing 100084 P.R.China Phone: +86-10-6278-5983 Email: jianping@cernet.edu.cn Yiu Lee Comcast Philadelphia 19103 USA Email: yiu_lee@cable.comcast.com Cui, et al. Expires April 20, 2016 [Page 11]