HTTP/1.1 200 OK Date: Tue, 09 Apr 2002 01:43:37 GMT Server: Apache/1.3.20 (Unix) Last-Modified: Fri, 14 Aug 1998 13:07:00 GMT ETag: "2ed6c9-6410-35d43674" Accept-Ranges: bytes Content-Length: 25616 Connection: close Content-Type: text/plain DHC Working Grop Michael Patrick Motorola ISG August 3, 1998 DHCP Relay Agent Information Option Status of this Memo This document is an Internet Draft. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its Areas, and its Working Groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are draft documents valid for a maximum of six months. Internet Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet Drafts as reference material or to cite them other than as a "working draft" or "work in progress." Please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). Abstract Newer high-speed public Internet access technologies call for a high-speed modem to have a LAN attachment to one or more user hosts. It is advantageous to use DHCP to assign user host IP addresses in this environment, but a number of security and scaling problems arise with such "public" DHCP use. This draft calls for the definition of a "DHCP Relay Agent Information" option that is appended to a DHCP packet forwarded from a client to a server by a relay agent. The Server may or may not use the information in the the Relay Agent Information option; in either case, it echoes back the option verbatim in server-to-client replies. The "Relay Agent Information" option contains sub-options that convey information known by the relay agent. The initial sub-options are defined for a relay agent that is co-located in a public circuit access unit. These include a "circuit ID" for the incoming circuit and a "remote ID" which provides a trusted identifier for the remote high-speed modem. Expires January 1999 [Page 1] August 3, 1998 Table of Contents 1 Introduction........................................... 2 1.1 High-Speed Circuit Switched Data Networks.............. 3 1.2 DHCP Relay Agent in the Circuit Access Equipment....... 4 2.0 Relay Agent Information Option......................... 5 2.1 Agent Operation........................................ 6 2.1.1 Reforwarding......................................... 7 2.2 Server Operation....................................... 7 3.0 Relay Agent Information Suboptions..................... 8 3.1 Agent Circuit ID....................................... 8 3.2 Agent Remote ID........................................ 9 3.3 Agent Subnet Mask...................................... 10 4.0 Issues Resolved........................................ 10 5.0 Security Considerations................................ 11 6.0 References............................................. 12 7.0 Glossary............................................... 12 8.0 Author's Address....................................... 12 Revision History Rev Date Description --- -------- ----------- -04 08/03/98 -Remove 576 byte limit -Remove "nested" relay agent operation -Add Agent Subnet Mask sub-option -Clarify agent options not on RENEWING packets 1 Introduction 1.1 High-Speed Circuit Switched Data Networks Public Access to the Internet is usually via a circuit switched data network. Today, this is primarily implemented with dial-up modems connecting to a Remote Access Server. But higher speed circuit access networks also include ISDN, ATM, Frame Relay, and Cable Data Networks. All of these networks can be characterized as a "star" topology where multiple users connect to a "circuit access unit" via switched or permanent circuits. With dial-up modems, only a single host PC attempts to connect to the central point. The PPP protocol is widely used to assign IP Expires January 1999 [Page 2] August 3, 1998 addresses to be used by the single host PC. The newer high-speed circuit technologies, however, frequently provide a LAN interface (especially Ethernet) to one or more host PCs. It is desirable to support centralized assignment of the IP addresses of host computers connecting on such circuits via DHCP. The DHCP server can be, but usually is not, co-implemented with the centralized circuit concentration access device. The DHCP server is often connected as a separate server on the "Central LAN" to which the central access device (or devices) attach. A common physical model for high-speed Internet circuit access is shown in Figure 1, below. +---------------+ | Central | Circuit |-- ckt 1--- Modem1-- Host-|- Host A LAN | | Access | Lan |- Host B | | Unit 1 | |- Host C |-----| |-- | | |(relay agent) |... +---------+ | +---------------+ | DHCP |--| | Server | | +---------+ | | | +---------------+ +---------+ | | Circuit |-- ckt 1--- Modem2-- Host--- Host D | Other | | | Access | Lan | Servers |--|-----| Unit 2 | | (Web, | | | |-- ckt 2--- Modem3-- Host--- Host E | DNS) | | |(relay agent) |... Lan | | +---------------+ +---------+ Figure 1: DHCP High Speed Circuit Access Model Note that in this model, the "modem" connects to a LAN at the user site, rather than to a single host. Multiple hosts are implemented at this site. Although it is certainly possible to implement a full IP router at the user site, this requires a relatively expensive piece of equipment (compared to typical modem costs). Furthermore, a router requires an IP address not only for every host, but for the router itself. Finally, a user-side router requires a dedicated Logical IP Subnet (LIS) for each user. While this model is appropriate for relatively small corporate networking environments, Expires January 1999 [Page 3] August 3, 1998 it is not appropriate for large, public accessed networks. In this scenario, it is advantageous to implement an IP networking model that does not allocate an IP address for the modem (or other networking equipment device at the user site), and especially not an entire LIS for the user side LAN. 1.2 DHCP Relay Agent in the Circuit Access Unit It is desirable to use DHCP to assign the IP addresses for public high-speed circuit access. A number of circuit access units (e.g. RAS's, cable modem termination systems, ADSL access units, etc) connect to a LAN (or local internet) to which is attached a DHCP server. For scaling and security reasons, it is advantageous to implement a "router hop" at the circuit access unit, much like high-capacity RAS's do today. The circuit access equipment acts as both a router to the circuits and as the DHCP relay agent. The advantages of co-locating the DHCP relay agent with the circuit access equipment are: DHCP broadcast replies can be routed to only the proper circuit, avoiding, say, the replication of the DCHP reply broadcast onto thousands of access circuits; The same mechanism used to identify the remote connection of the circuit (e.g. a user ID requested by a Remote Access Server acting as the circuit access equipment) may be used as a host identifier by DHCP, and used for parameter assignment. This includes centralized assignment of IP addresses to hosts. This provides a secure remote ID from a trusted source -- the relay agent. A number of issues arise when forwarding DHCP requests from hosts connecting publicly accessed high-speed circuits with LAN connections at the host. Many of these are security issues arising from DHCP client requests from untrusted sources. How does the relay agent know to which circuit to forward replies? How does the system prevent DHCP IP exhaustion attacks? This is when an attacker requests all available IP addresses from a DHCP server by sending requests with fabricated client MAC addresses. How can an IP address or LIS be permanently assigned to a particular user or modem? How does one prevent "spoofing" of client identifer fields used to assign IP addresses? How does one prevent denial of service by "spoofing" other client's MAC addresses? All of these issues may be addressed by having the circuit access equipment, which is a trusted component, add information to DHCP Expires January 1999 [Page 4] August 3, 1998 client requests that it forwards to the DHCP server. 2.0 Relay Agent Information Option This document defines a new DHCP Option called the Relay Agent Information Option. It is a "container" option for specific agent- supplied sub-options. The format of the Relay Agent Information option is: Code Len Agent Information Field +------+------+------+------+------+------+--...-+------+ | 82 | N | i1 | i2 | i3 | i4 | | iN | +------+------+------+------+------+------+--...-+------+ The length N gives the total number of octets in the Agent Information Field. The Agent Information field consists of a sequence of SubOpt/Length/Value tuples for each sub-option, encoded in the following manner: SubOpt Len Sub-option Value +------+------+------+------+------+------+--...-+------+ | 1 | N | s1 | s2 | s3 | s4 | | sN | +------+------+------+------+------+------+--...-+------+ SubOpt Len Sub-option Value +------+------+------+------+------+------+--...-+------+ | 2 | N | i1 | i2 | i3 | i4 | | iN | +------+------+------+------+------+------+--...-+------+ No "pad" sub-option is defined, and the Information field shall NOT be terminated with a 255 sub-option. The length N of the DHCP Agent Information Option shall include all bytes of the sub-option code/length/value tuples. Since at least one sub-option must be defined, the minimum Relay Agent Information length is two (2). The length N of the sub-options shall be the number of octets in only that sub-option's value field. A sub-option length may be zero. The sub-options need not appear in sub-option code order. Expires January 1999 [Page 5] August 3, 1998 Sub-option codes shall be assigned by IANA. The initial assignment shall be as follows: DHCP Agent Sub-Option Descrption Sub-option Code --------------- ---------------------- 1 Agent Circuit ID Sub-option 2 Agent Remote ID Sub-option 3 Agent Subnet Mask Future drafts may define additional Relay Agent Information sub- options. 2.1 Agent Operation Overall adding of the DHCP relay agent option SHOULD be configurable, and SHOULD be disabled by default. Relay agents SHOULD have separate configurables for each sub-option to control whether it is added to client-to-server packets. A DHCP relay agent adding a Relay Agent Information field SHALL add it as the last DHCP agent option in the DHCP options field of any recognized DHCP packet forwarded from a client to a server. Such additions shall be made for only those packets recognized as DHCP; BOOTP-only packets shall not be affected. Relay agents receiving a DHCP packet with giaddr set to zero (indicating that they are the first-hop router) but with a Relay Agent Information option already present in the packet SHALL discard the packet and increment an error count. Relay agents MAY have a configurable for the maximum size of the DHCP packet to be created after appending the Agent Information option. Packets which, after appending the Relay Agent Information option, would exceed this configured maximum size shall be forwarded WITHOUT adding the Agent Information option. An error counter SHOULD be incremented in this case. In the absence of this configurable, the agent SHALL NOT increase a forwarded DHCP packet size to exceed the MTU of the interface on which it is forwarded. The Relay Agent Information option echoed by a server SHOULD be removed by the agent when forwarding a server-to-client response back to the client. The agent MAY choose to not remove the option when, for example, the Relay Agent Information field is not the last option in the server-to-client response. Expires January 1999 [Page 6] August 3, 1998 The agent SHALL NOT add an "Option Overload" option to the packet or use the "file" or "sname" fields for adding Relay Agent Information option. It SHALL NOT parse or remove Relay Agent Information options that may appear in the sname or file fields of a server-to-client packet forwarded through the agent. The operation of relay agents for specific sub-options is specified with that sub-option. Relay agents are NOT required to monitor or modify client-originated DHCP packets addressed to a server unicast address. This includes the DHCP-REQUEST sent when entering the RENEWING state. 2.1.1 Reforwarded DHCP requests A DHCP relay agent may receive a client DHCP packet forwarded from a BOOTP/DHCP relay agent closer to the client. Such a packet will have giaddr as non-zero, and may or may not already have a DHCP Relay Agent option in it. Relay agents configured to add a Relay Agent option which receive a client DHCP packet with a nonzero giaddr SHALL discard the packet if the giaddr spoofs a giaddr address implemented by the local agent itself. Otherwise, the relay agent SHALL forward any received DHCP packet with a valid non-zero giaddr WITHOUT adding any relay agent options. Per RFC 2131, it shall also NOT modify the giaddr value. 2.2 Server Operation DHCP servers unaware of the Relay Agent Information option will ignore the option upon receive and will not echo it back on responses. This is the specified server behavior for unknown options. DHCP servers claiming to support the Relay Agent Information option SHALL echo the entire contents of the Relay Agent Information option in all replies. Servers SHOULD copy the Relay Agent Information option as the last DHCP option in the response. Servers SHALL NOT place the echoed Relay Agent Information option in the overloaded sname or file fields. If a server is unable to copy a full Relay Agent Information field into a response, it SHALL send the response without the Relay Information Field, and SHOULD increment an error counter for the situation. Servers using the DHCP Authentication option SHALL exclude the Expires January 1999 [Page 7] August 3, 1998 entirety of the Relay Agent Information option (including Code, Length, and Information fields) from the MAC authentication code calculation. The operation of DHCP servers for specific sub-options is specified with that sub-option. Note that since DHCP relay agents are not required to monitor unicasts between client and server, the relay agent options may not appear in the unicast DHCP-REQUESTs from renewing clients. Relay agent options are intended for use with new leases. 3.0 Relay Agent Information Sub-options 3.1 Agent Circuit ID Sub-option This sub-option MAY be added by DHCP relay agents which terminate switched or permanent circuits. It encodes an agent-local identifier of the circuit from which a DHCP client-to-server packet was received. It is intended for use by agents in relaying DHCP responses back to the proper circuit. Possible uses of this field include - Router interface number - Switching Hub port number - Remote Access Server port number - Frame Relay DLCI - ATM virtual circuit number - Cable Data virtual circuit number The format of the Agent Circuit ID may be further standardized by IETF working groups responsible for IP communication on that type of circuit. In the absence of such standardization, the format may proprietary to the relay agent vendor. Servers MAY use the Circuit ID for IP and other parameter assignment policies. The Circuit ID SHOULD be considered an opaque value, with policies based on exact string match only; that is, the Circuit ID SHOULD NOT be internally parsed by the server. The DHCP server SHOULD report the Agent Circuit ID value of current leases in statistical reports (including its MIB) and in logs. Since the Circuit ID is local only to a particular relay agent, a circuit ID should be qualified with the giaddr value that identifies the relay agent. Expires January 1999 [Page 8] August 3, 1998 SubOpt Len Circuit ID +------+------+------+------+------+------+------+------+-- | 1 | n | c1 | c2 | c3 | c4 | c5 | c6 | ... +------+------+------+------+------+------+------+------+-- 3.2 Agent Remote ID Sub-option This sub-option MAY be added by DHCP relay agents which terminate switched or permanent circuits and have mechanisms to identify the remote host end of the circuit. The Remote ID field may be used to encode, for instance: -- a "caller ID" telephone number for dial-up connection -- a "user name" prompted for by a Remote Access Server -- a remote caller ATM address -- a "modem ID" of a cable data modem -- the remote IP address of a point-to-point link -- a remote X.25 address for X.25 connections The format of the Agent Remote ID will depend on the type of circuit connected to the relay agent, and further specification of this field may be standardized by the IETF working groups responsible for IP communications on those circuit types. The only requirement is that the remote ID be administered as globally unique. DHCP servers MAY use this option to select parameters specific to particular users, hosts, or subscriber modems. The option SHOULD be considered an opaque value, with policies based on exact string match only; that is, the option SHOULD NOT be internally parsed by the server. The relay agent MAY use this field in addition to or instead of the Agent Circuit ID field to select the circuit on which to forward the DHCP reply (e.g. Offer, Ack, or Nak). DHCP servers SHOULD report this value in any reports or MIBs associated with a particular client. SubOpt Len Agent Remote ID +------+------+------+------+------+------+------+------+-- | 2 | n | r1 | r2 | r3 | r4 | r5 | r6 | ... +------+------+------+------+------+------+------+------+-- Expires January 1999 [Page 9] August 3, 1998 3.3 Agent Subnet Mask This sub-option MAY be added by DHCP relay agents to identify the subnet mask of the Logical IP Subnet (LIS) from which the client DHCP packet was received. The LIS of the client is defined as the subnet formed by the giaddr ANDed with the Agent Subnet Mask. Servers MAY use this mask field to automatically create scopes of assignable IP addresses. Use of this field avoids the need to have identical configuration of the logical IP subnets on which clients reside in both the relaying routers and the DHCP server. In this case, the router configuration defines the LISs, and the DHCP servers automatically discover the LISs from the relay agent options of forwarded client DHCP requests. SubOpt Len Agent Subnet Mask +------+------+------+------+------+------+ | 3 | 4 | m1 | m2 | m3 | m4 | +------+------+------+------+------+------+ 4.0 Issues Resolved Broadcast Forwarding The circuit access equipment forwards the normally broadcasted DHCP response only on the circuit indicated in the Agent Circuit ID. DHCP Address Exhaustion In general, the DHCP server may be extended to maintain a database with the "triplet" of (client IP address, client MAC address, client remote ID) The DHCP server SHOULD implement policies that restrict the number of IP addresses to be assigned to a single remote ID. Expires January 1999 [Page 10] August 3, 1998 Static Assignment The DHCP server may use the remote ID to select the IP address to be assigned. It may permit static assignment of IP addresses to particular remote IDs, and disallow an address request from an unauthorized remote ID. IP Spoofing The circuit access device may associate the IP address assigned by a DHCP server in a forwarded DHCP Ack packet with the circuit to which it was forwarded. The circuit access device MAY prevent forwarding of IP packets with source IP addresses -other than- those it has associated with the receiving circuit. This prevents simple IP spoofing attacks on the Central Lan, and IP spoofing of other hosts. Client Identifer Spoofing By using the agent-supplied Agent Remote ID option, the untrusted and as-yet unstandardized client identifer field need not be used by the DHCP server. MAC Address Spoofing By associating a MAC address with an Agent Remote ID, the DHCP server can prevent offering an IP address to an attacker spoofing the same MAC address on a different remote ID. 5.0 Security Considerations DHCP per se currently provides no authentication or security mechanisms. Potential exposures to attack are discussed in section 7 of the DHCP protocol specification [1]. This document introduces mechanisms to address several security attacks on the operation of IP address assignment, including IP spoofing, Client ID spoofing, MAC address spoofing, and DHCP server address exhaustion. It relies on an implied trusted relationship between the DHCP Relay Agent and the DHCP server, with an assumed untrusted DHCP client. It introduces a new identifer, the "Remote ID", that is also assumed to be trusted. The Remote ID is provided by the access network or modem and not by client premise equipment. Cryptographic or other techniques to authenticate the remote ID are certainly possible and encouraged, but are beyond the scope of this document. Expires January 1999 [Page 11] August 3, 1998 6.0 References [1] Droms, R. "Dynamic Host Configuration Protocol", RFC 2131, Bucknell University, March 1997. [2] Alexander,S. and Droms, R., "DHCP Options and BOOTP Vendor Extension" RFC 2132. 7.0 Glossary IANA Internet Assigned Numbers Authority LIS Logical IP Subnet MAC Message Authentication Code RAS Remote Access Server 8.0 Author's Address Michael Patrick Motorola Information Systems Group 20 Cabot Blvd., MS M4-30 Mansfield, MA 02048 Phone: (508) 261-5707 Email: mpatrick@dma.isg.mot.com Expires January 1999 [Page 12]