Internet DRAFT - draft-ietf-dhc-relay-server-security

draft-ietf-dhc-relay-server-security







Network Working Group                                            B. Volz
Internet-Draft                                             Cisco Systems
Intended status: Standards Track                                  Y. Pal
Expires: October 21, 2017                            Cisco Systems, Inc.
                                                          April 19, 2017


    Security of Messages Exchanged Between Servers and Relay Agents
              draft-ietf-dhc-relay-server-security-05.txt

Abstract

   The Dynamic Host Configuration Protocol for IPv4 (DHCPv4) has no
   guidance for how to secure messages exchanged between servers and
   relay agents.  The Dynamic Host Configuration Protocol for IPv6
   (DHCPv6) states that IPsec should be used to secure messages
   exchanged between servers and relay agents, but does not require
   encryption.  And, with recent concerns about pervasive monitoring and
   other attacks, it is appropriate to require securing relay to relay
   and relay to server communication for DHCPv6 and relay to server
   communication for DHCPv4.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 21, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents



Volz & Pal              Expires October 21, 2017                [Page 1]

Internet-Draft         DHCP Relay/Server Security             April 2017


   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language and Terminology . . . . . . . . . . . .   3
   3.  Security of Messages Exchanged Between Servers and Relay
       Agents  . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   6.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   6
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   The Dynamic Host Configuration Protocol for IPv4 (DHCPv4) [RFC2131]
   and [RFC1542] has no guidance for how to secure messages exchanged
   between servers and relay agents.  The Dynamic Host Configuration
   Protocol for IPv6 (DHCPv6) [RFC3315] states that IPsec should be used
   to secure messages exchanged between servers and relay agents, but
   does not recommend encryption.  And, with recent concerns about
   pervasive monitoring [RFC7258], it is appropriate to require use of
   IPsec with encryption for relay to server communication for DHCPv4
   and require use of IPsec with encryption for relay to relay and relay
   to server communication for DHCPv6.

   This document specifies the optional requirements for relay agent and
   server implementations to support IPsec authentication and encryption
   and recommends operators enable this IPsec support.



Volz & Pal              Expires October 21, 2017                [Page 2]

Internet-Draft         DHCP Relay/Server Security             April 2017


2.  Requirements Language and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119] when they
   appear in ALL CAPS.  When these words are not in ALL CAPS (such as
   "should" or "Should"), they have their usual English meanings, and
   are not to be interpreted as [RFC2119] key words.

   This document uses terminology from [RFC1542], [RFC2131], and
   [RFC3315].

3.  Security of Messages Exchanged Between Servers and Relay Agents

   For DHCPv6 [RFC3315], this specification REQUIRES relay and server
   implementations to support IPsec encryption of relay to relay and
   relay to server communication as documented below (this replaces the
   text in RFC3315 Section 21.1).

   For DHCPv4 [RFC2131], this specification REQUIRES relay and server
   implementations to support IPsec encryption of relay to server
   communication as documented below.

   This specification RECOMMENDS that operators enable IPsec for this
   communication.

   By using IPsec with encryption for this communication, the
   potentially sensitive client message and relay included information,
   such as the DHCPv4 relay-agent information option (82) [RFC3046],
   vendor-specific information (for example, [CableLabs-DHCP]), and
   Access-Network-Identifier Option(s) [RFC7839], are protected from
   pervasive monitoring and other attacks.

   Relay agents and servers MUST be able to exchange messages using the
   IPsec mechanisms described in [RFC4301] and with the conditions
   below.  If a client message is relayed through multiple relay agents
   (relay chain), each of the relay agents MUST have an established
   independent, pairwise trust relationships.  That is, if messages from
   client C will be relayed by relay agent A to relay agent B and then
   to the server, relay agents A and B MUST be configured to use IPsec
   for the messages they exchange, and relay agent B and the server MUST
   be configured to use IPsec for the messages they exchange.

   Relay agents and servers use IPsec with the following conditions:

   Selectors               Relay agents are manually configured with the
                           addresses of the relay agent or server to
                           which DHCP messages are to be forwarded.



Volz & Pal              Expires October 21, 2017                [Page 3]

Internet-Draft         DHCP Relay/Server Security             April 2017


                           Each relay agent and server that will be
                           using IPsec for securing DHCP messages MUST
                           also be configured with a list of the relay
                           agents to which messages will be returned.
                           The selectors for the relay agents and
                           servers will be the pairs of addresses
                           defining relay agents and servers and the
                           direction of DHCP message exchange on DHCPv4
                           UDP port 67 or DHCPv6 UDP port 547.

   Mode                    Relay agents and servers MUST use IPsec in
                           transport mode and Encapsulating Security
                           Payload (ESP).

   Encryption and authentication algorithms
                           This document REQUIRES combined mode
                           algorithms for ESP authenticated encryption,
                           ESP encryption algorithms, and ESP
                           authentication algorithms as per Sections
                           2.1, 2.2, and 2.3 of [RFC7321] respectively.
                           Encryption is required as relay agents may
                           forward unencrypted client messages as well
                           as include additional sensitive information,
                           such as vendor-specific information (for
                           example, [CableLabs-DHCP]) and [RFC7839].

   Key management          Because both relay agents and servers tend to
                           be managed by a single organizational entity,
                           public key schemes MAY be optional.  Manually
                           configured key management MAY suffice, but
                           does not provide defense against replayed
                           messages.  Accordingly, IKEv2 [RFC7296] with
                           pre-shared secrets SHOULD be supported.
                           IKEv2 with public keys MAY be supported.
                           Additional information on manual vs automated
                           key management and when one should be used
                           over the other can be found in [RFC4107].

   Security policy         DHCP messages between relay agents and
                           servers MUST only be accepted from DHCP peers
                           as identified in the local configuration.

   Authentication          Shared keys, indexed to the source IP address
                           of the received DHCP message, are adequate in
                           this application.






Volz & Pal              Expires October 21, 2017                [Page 4]

Internet-Draft         DHCP Relay/Server Security             April 2017


   Note: As using IPsec with multicast has additional complexities (see
   [RFC5374]), relay agents SHOULD be configured to forward DHCP
   messages to unicast addresses.

4.  Security Considerations

   The security model specified in this document is hop-by-hop.  For
   DHCPv6, there could be multiple relay agents between a client and
   server and each of these hops needs to be secured.  For DHCPv4, there
   is no support for multiple relays.

   As this document only mandates securing messages exchanged between
   relay agents and servers, the message exchanges between clients and
   the first hop relay agent or server are not secured.  Clients may
   follow the recommendations in [RFC7844] to minimize what information
   they expose or make use of [I-D.ietf-dhc-sedhcpv6] to secure
   communication between the client and server.

   As mentioned in [RFC4552] Section 14, the following are known
   limitations of the usage of manual keys:

   o  As the sequence numbers cannot be negotiated, replay protection
      cannot be provided.  This leaves DHCP insecure against all the
      attacks that can be performed by replaying DHCP packets.

   o  Manual keys are usually long lived (changing them often is a
      tedious task).  This gives an attacker enough time to discover the
      keys.

   It should be noted if the requirements in this document are followed,
   while the DHCP traffic on the wire between relays and servers is
   encrypted, the unencrypted data may still be available through other
   attacks on the DHCP servers, relays, and related systems.  Securing
   these systems and the data in databases and logs also needs to be
   considered - on the systems themselves and if transferred over a
   network (i.e., to network attached storage, for backups, or to
   operational support systems).

   Use of IPsec as described herein is also applicable to Lightweight
   DHCPv6 Relay Agents [RFC6221], as they have a link-local address
   which can be used to secure communication with their next hop
   relay(s).

5.  IANA Considerations

   This document has no requests of the fantastic IANA team.





Volz & Pal              Expires October 21, 2017                [Page 5]

Internet-Draft         DHCP Relay/Server Security             April 2017


6.  Acknowledgments

   The motivation for this document was several IESG discusses on recent
   DHCP relay agent options.

   Thanks to Kim Kinnear, Jinmei Tatuya, Francis Dupont, and Tomek
   Mrugalski for reviewing drafts and helping to improve the document.
   And, thanks to the authors of [RFC3315] for the original Section 21.1
   text.

7.  References

7.1.  Normative References

   [RFC1542]  Wimer, W., "Clarifications and Extensions for the
              Bootstrap Protocol", RFC 1542, DOI 10.17487/RFC1542,
              October 1993, <http://www.rfc-editor.org/info/rfc1542>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, DOI 10.17487/RFC2131, March 1997,
              <http://www.rfc-editor.org/info/rfc2131>.

   [RFC3315]  Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
              C., and M. Carney, "Dynamic Host Configuration Protocol
              for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
              2003, <http://www.rfc-editor.org/info/rfc3315>.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
              December 2005, <http://www.rfc-editor.org/info/rfc4301>.

   [RFC7321]  McGrew, D. and P. Hoffman, "Cryptographic Algorithm
              Implementation Requirements and Usage Guidance for
              Encapsulating Security Payload (ESP) and Authentication
              Header (AH)", RFC 7321, DOI 10.17487/RFC7321, August 2014,
              <http://www.rfc-editor.org/info/rfc7321>.

7.2.  Informative References

   [CableLabs-DHCP]
              "CableLabs' DHCP Options Registry",
              <http://www.cablelabs.com/specification/
              cablelabs-dhcp-options-registry-2/>.



Volz & Pal              Expires October 21, 2017                [Page 6]

Internet-Draft         DHCP Relay/Server Security             April 2017


   [I-D.ietf-dhc-sedhcpv6]
              Li, L., Jiang, S., Cui, Y., Jinmei, T., Lemon, T., and D.
              Zhang, "Secure DHCPv6", draft-ietf-dhc-sedhcpv6-21 (work
              in progress), February 2017.

   [RFC3046]  Patrick, M., "DHCP Relay Agent Information Option",
              RFC 3046, DOI 10.17487/RFC3046, January 2001,
              <http://www.rfc-editor.org/info/rfc3046>.

   [RFC4107]  Bellovin, S. and R. Housley, "Guidelines for Cryptographic
              Key Management", BCP 107, RFC 4107, DOI 10.17487/RFC4107,
              June 2005, <http://www.rfc-editor.org/info/rfc4107>.

   [RFC4552]  Gupta, M. and N. Melam, "Authentication/Confidentiality
              for OSPFv3", RFC 4552, DOI 10.17487/RFC4552, June 2006,
              <http://www.rfc-editor.org/info/rfc4552>.

   [RFC5374]  Weis, B., Gross, G., and D. Ignjatic, "Multicast
              Extensions to the Security Architecture for the Internet
              Protocol", RFC 5374, DOI 10.17487/RFC5374, November 2008,
              <http://www.rfc-editor.org/info/rfc5374>.

   [RFC6221]  Miles, D., Ed., Ooghe, S., Dec, W., Krishnan, S., and A.
              Kavanagh, "Lightweight DHCPv6 Relay Agent", RFC 6221,
              DOI 10.17487/RFC6221, May 2011,
              <http://www.rfc-editor.org/info/rfc6221>.

   [RFC7258]  Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
              Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
              2014, <http://www.rfc-editor.org/info/rfc7258>.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
              2014, <http://www.rfc-editor.org/info/rfc7296>.

   [RFC7839]  Bhandari, S., Gundavelli, S., Grayson, M., Volz, B., and
              J. Korhonen, "Access-Network-Identifier Option in DHCP",
              RFC 7839, DOI 10.17487/RFC7839, June 2016,
              <http://www.rfc-editor.org/info/rfc7839>.

   [RFC7844]  Huitema, C., Mrugalski, T., and S. Krishnan, "Anonymity
              Profiles for DHCP Clients", RFC 7844,
              DOI 10.17487/RFC7844, May 2016,
              <http://www.rfc-editor.org/info/rfc7844>.






Volz & Pal              Expires October 21, 2017                [Page 7]

Internet-Draft         DHCP Relay/Server Security             April 2017


Authors' Addresses

   Bernie Volz
   Cisco Systems, Inc.
   1414 Massachusetts Ave
   Boxborough, MA  01719
   USA

   Email: volz@cisco.com


   Yogendra Pal
   Cisco Systems, Inc.
   Cessna Business Park,
   Varthur Hobli, Outer Ring Road,
   Bangalore, Karnataka  560103
   India

   Email: yogpal@cisco.com
































Volz & Pal              Expires October 21, 2017                [Page 8]