DHC Working Group Kim Kinnear Internet Draft Richard Johnson Updates: 3046 Mark Stapp Intended Status: Standards Track Cisco Systems Expires: May 15, 2012 Jay Kumarasamy November 15, 2011 Virtual Subnet Selection Options for DHCPv4 and DHCPv6 Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Kinnear, et. al. Expires May 2012 [Page 1] Internet Draft Virtual Subnet Selection Options November 2012 This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Abstract This memo defines a Virtual Subnet Selection (VSS) option for each of DHCPv4 and DHCPv6, and a VSS sub-option carried in the DHCPv4 relay- agent-information option. These are intended for use by DHCP clients, relay agents, and proxy clients in situations where VSS information needs to be passed to the DHCP server for proper address or prefix allocation to take place. For the DHCPv4 option and relay-agent-information sub-option, this memo documents existing usage as per RFC 3942 [RFC3942]. This memo updates RFC 3046 [RFC3046] regarding details relating to copying of sub-options (see Section 8). Table of Contents 1. Introduction................................................. 3 2. Terminology.................................................. 4 3. Virtual Subnet Selection Option and Sub-Options Definitions.. 5 3.1. DHCPv4 Virtual Subnet Selection Option..................... 5 3.2. DHCPv4 Virtual Subnet Selection Sub-Option................. 6 3.3. DHCPv4 Virtual Subnet Selection Control Sub-Option......... 6 3.4. DHCPv6 Virtual Subnet Selection Option..................... 7 3.5. Virtual Subnet Selection Type and Information.............. 7 4. Overview of Virtual Subnet Selection Usage................... 8 4.1. VPN assignment by the DHCP relay agent..................... 9 4.2. VPN assignment by the DHCP server.......................... 12 4.3. Required Support........................................... 14 4.4. Alternative VPN assignment approaches...................... 14 5. Relay Agent Behavior......................................... 14 5.1. VPN assignment by the DHCP server.......................... 16 5.2. DHCP Leasequery............................................ 17 6. Client Behavior.............................................. 17 7. Server Behavior.............................................. 18 Kinnear, et. al. Expires May 2012 [Page 2] Internet Draft Virtual Subnet Selection Options November 2012 7.1. Returning the DHCPv4 or DHCPv6 Option...................... 19 7.2. Returning the DHCPv4 Sub-Option............................ 20 7.3. Making sense of conflicting VSS information................ 21 8. Updates to RFC 3046.......................................... 21 9. Security..................................................... 22 10. IANA Considerations......................................... 23 11. Acknowledgments............................................. 23 12. References.................................................. 24 12.1. Normative References...................................... 24 12.2. Informative References.................................... 24 1. Introduction There is a growing use of Virtual Private Network (VPN) configurations. The growth comes from many areas; individual client systems needing to appear to be on the home corporate network even when traveling, ISPs providing extranet connectivity for customer companies, etc. In some of these cases there is a need for the DHCP server to know the VPN (hereafter called a "Virtual Subnet Selector" or "VSS") from which an address, and other resources, should be allocated. This memo defines a Virtual Subnet Selection (VSS) option for each of DHCPv4 and DHCPv6, and a VSS sub-option carried in the DHCPv4 relay- agent-information option. These are intended for use by DHCP clients, relay agents, and proxy clients in situations where VSS information needs to be passed to the DHCP server for proper address or prefix allocation to take place. If the receiving DHCP server understands the VSS option or sub-option, this information may be used in conjunction with other information in determining the subnet on which to select an address as well as other information such as DNS server, default router, etc. If the allocation is being done through a DHCPv4 relay, then the relay sub-option defined here should be included. In some cases, however, an IP address is being sought by a DHCPv4 proxy on behalf of a client (which may be assigned the address via a different protocol). In this case, there is a need to include VSS information relating to the client as a DHCPv4 option. If the allocation is being done through a DHCPv6 relay, then the DHCPv6 VSS option defined in this document should be included in the Relay-forward and Relay-reply message going between the DHCPv6 relay and server. In some cases, addresses or prefixes are being sought by a DHCPv6 proxy on behalf of a client. In this case, there is a need for the client itself to supply the VSS information using the DHCPv6 VSS option in the messages that it sends to the DHCPv6 server. Kinnear, et. al. Expires May 2012 [Page 3] Internet Draft Virtual Subnet Selection Options November 2012 In the remaining text of this document, when a DHCPv6 address is indicated the same information applies to DHCPv6 Prefix Delegation [RFC3633] as well. In the remaining text of this document, when the term VSS sub-option is used, it refers to the VSS sub-option carried in the DHCPv4 relay-agent-information option. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. This document uses the following terms: o "DHCP client" A DHCP client is a host using DHCP to obtain configuration parameters such as a network address. o "DHCP proxy" A DHCP proxy is a DHCP client which acquires IP addresses not for its own use, but rather on behalf of another entity. There are a variety of ways that a DHCP proxy can supply the addresses it acquires to other entities that need them. o "DHCP relay agent" A DHCP relay agent is an agent that transfers BOOTP and DHCP messages between clients and servers residing on different subnets, per [RFC951], [RFC1542], and [RFC3315]. o "DHCP server" A DHCP server is a host that returns configuration parameters to DHCP clients. o "DHCPv4 option" An option used to implement a capability defined by the DHCPv4 RFCs [RFC2131][RFC2132]. These options have one-octet code and size fields. o "DHCPv4 sub-option" Kinnear, et. al. Expires May 2012 [Page 4] Internet Draft Virtual Subnet Selection Options November 2012 As used in this document, a DHCPv4 sub-option refers to a sub- option of the relay-agent-information option [RFC3046]. These sub-options have one-octet code and size fields. o "DHCPv6 option" An option used to implement a capability defined by the DHCPv6 RFC [RFC3315]. These options have two-octet code and size fields. o "Global VPN" Indicates that the address being described belongs to the set of addresses not part of any VPN. In other words, the normal address space operated on by DHCP. This includes private addresses, for example the 10.x.x.x addresses as well as the other private subnets that are not routed on the open internet. o "VSS information" Information about a VPN necessary to allocate an address to a DHCP client on that VPN and necessary to forward a DHCP reply packet to a DHCP client on that VPN. o "VPN" Virtual private network. A network which appears to the client to be a private network. o "VPN Identifier" The VPN-ID is defined by [RFC2685] to be a sequence of 7 octets. 3. Virtual Subnet Selection Option and Sub-Options Definitions The Virtual Subnet Selection options and sub-options contain a generalized way to specify the VSS information about a VPN. There are two options and two sub-options defined in this section. The actual VSS information is identical both options and one of the two sub-options. 3.1. DHCPv4 Virtual Subnet Selection Option The format of the option is: Kinnear, et. al. Expires May 2012 [Page 5] Internet Draft Virtual Subnet Selection Options November 2012 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Length | Type | VSS Info ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Code The option code (221). Length The option length, minimum 1 octets. Type and VSS Information -- see Section 3.5 3.2. DHCPv4 Virtual Subnet Selection Sub-Option This is a sub-option of the relay-agent-information option [RFC3046]. The format of the sub-option is: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Length | Type | VSS Info. ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Code The sub-option code (151). Length The sub-option length, minimum 1 octets. Type and VSS Information -- see Section 35. 3.3. DHCPv4 Virtual Subnet Selection Control Sub-Option This is a sub-option of the relay-agent-information option [RFC3046]. The format of the sub-option is: Kinnear, et. al. Expires May 2012 [Page 6] Internet Draft Virtual Subnet Selection Options November 2012 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Code The sub-option code (TBD). Length The sub-option length, 0. This sub-option only only appears in the DHCPv4 relay-agent- information option. In a DHCP request, it indicates that a DHCPv4 VSS sub-option is also present in the relay-agent-information option. In a DHCP reply, if it appears in the relay-agent-information option, it indicates that the DHCP server did not understand any DHCPv4 VSS sub-option that also appears in the relay-agent-information option. 3.4. DHCPv6 Virtual Subnet Selection Option The format of the DHCPv6 Virtual Subnet Selection option is shown below. This option may be included by a client or relay-agent (or both). 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OPTION_VSS | option-len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | VSS Information ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ option-code OPTION_VSS (TBD). option-len The number of octets in the option, minimum 1. Type and VSS Information -- see Section 3.5 3.5. Virtual Subnet Selection Type and Information All of the (sub)options defined above carry identical payloads, consisting of a type and additional VSS information as follows: Kinnear, et. al. Expires May 2012 [Page 7] Internet Draft Virtual Subnet Selection Options November 2012 Type VSS Information format: 0 NVT ASCII VPN identifier 1 RFC2685 VPN-ID 2-254 Reserved 255 Global, default VPN. o Type 0 -- NVT ASCII VPN identifier Indicates that the VSS information consists of a NVT ASCII string. It MUST NOT be terminated with a zero byte. o Type 1 -- RFC2685 VPN-ID Indicates that the VSS information consists of an RFC2685 VPN-ID [RFC2685], which is defined to be 7 octets in length. o Type 255 -- Global, default VPN Indicates that there is no explicit, non-default VSS information but rather that this option references the normal, global, default address space. In this case, there MUST NOT be any VSS Information included in the VSS option or sub-option and the length of the MUST be 1. All other values of the Type field are reserved. 4. Overview of Virtual Subnet Selection Usage At the highest level, the VSS option or sub-option determines the VPN on which a DHCP client is supposed to receive an IP address. How the option or sub-option is entered and processed is discussed below, but the point of all of the discussion is to determine the VPN on which the DHCP client resides. This will affect a relay agent, in that it will have to ensure that DHCP packets sent to and received from the DHCP client flow over the correct VPN. This will affect the DHCP server in that it determines the IP address space used for the IP address allocation. A DHCP server has as part of its configuration some IP address space from which it allocates IP addresses to DHCP clients. These allocations are typically for a limited time, and thus the DHCP client gets a lease on the IP address. In the absence of any VPN information, the IP address space is in the global or default VPN used throughout the Internet. When a DHCP server deals with VPN Kinnear, et. al. Expires May 2012 [Page 8] Internet Draft Virtual Subnet Selection Options November 2012 information, each VPN defines a new address space inside the server, one distinct from the global or default IP address space. A server which supports the VSS option or sub-option thereby supports allocation of IP addresses from multiple different VPNs. Supporting IP address allocation from multiple different VPNs means that the DHCP server must be prepared to configure multiple different address spaces (one per distinct VPN) and allocate IP addresses from these different address spaces. These address spaces are typically independent, so that the same IP address (consisting of the same string of bytes) could be allocated to one client in the global, default VPN, and to a different client residing in a different VPN. There is no conflict in this allocation, since the clients have essentially different addresses, even though these addresses consist of the same string of bytes, because the IPv4 or IPv6 address is qualified by the VPN. Thus a VSS option or sub-option is a way of signaling the use of a VPN other than the global or default VPN. The next question is: who decides what VPN a DHCP client should be using? There are three entities which can either insert a VSS option or sub-option into a DHCPv4 packet or DHCPv6 message; a DHCP client, a relay agent, or a DHCPv4 or DHCPv6 server. While all of these entities could include a different VSS option or sub-option in every request or response, this situation is neither typical nor useful. There are two known paradigms for use of the VSS option or sub- option, which are discussed below. 4.1. VPN assignment by the DHCP relay agent The typical use of the VSS option or sub-option is for the relay agent to know the VPN on which the DHCP client is operating. The DHCP client itself does not, in this approach, know the VPN on which it resides. The relay agent is responsible for mediating the access between the VPN on which the DHCP client resides and the DHCP server. In this situation, the relay agent will insert two DHCPv4 relay- agent-information sub-options (one VSS sub-option, and one VSS- Control sub-option) into the relay-agent-information option or a DHCPv6 VSS option into the Relay-forward message of every request it forwards from the DHCP client. The server will use the DHCPv6 VSS option or DHCPv4 VSS sub-option to determine the VPN on which the client resides, and use that VPN information to select the address space within its configuration from which to allocate an IP address to the DHCP client. When, using this approach, a DHCPv4 relay agent inserts a VSS sub- option into the relay-agent-information option it MUST also insert a Kinnear, et. al. Expires May 2012 [Page 9] Internet Draft Virtual Subnet Selection Options November 2012 VSS-Control sub-option into the relay-agent-information-option. This is to allow determination of whether or not the DHCPv4 server actually processes the VSS information provided by the DHCPv4 relay agent. If the DHCPv4 server supports the VSS capabilities described in this document, it will remove the VSS-Control sub-option from the relay-agent-information option that it returns to the DHCPv4 relay agent. See Section 5 for more information. In this approach, the relay agent might also send a VSS option or sub-option in either a DHCPv4 or DHCPv6 Leasequery request, but in this case, it would use the VSS option in the Leasequery request to select the correct address space for the Leasequery. In this approach, the relay agent would be acting as a DHCP client from a Leasequery standpoint, but it would not be as if a DHCP client were sending in a VSS option in a standard DHCP address allocation request, say a DHCPDISCOVER. In this approach, only one relay agent would mediate the VPN access for the DHCP client to the DHCP server, and it would be the relay agent which inserts the VSS information into the request packet and would remove it prior to forwarding the response packet on. In the diagram below is an example of a DHCPv4 client, DHCPv4 relay agent, and DHCPv4 server. The DHCPv6 situation is similar, but uses the DHCPv6 VSS option. Kinnear, et. al. Expires May 2012 [Page 10] Internet Draft Virtual Subnet Selection Options November 2012 DHCPv4 DHCPv4 Relay DHCPv4 Client Agent Server | | | | >--DHCPDISCOVER--> | | | on VRF "abc" | | | | >--DHCPDISCOVER----> | | | relay-agent-info: | | | VSS type VRF:"abc"| | | VSS-Control | | | | | | <----DHCPOFFER-----< | | | relay-agent-info: | | | VSS type VRF:"abc"| | | | | <---DHCPOFFER----< | | | on VRF "abc" | | | | | | >--DHCPREQUEST---> | | | on VRF "abc" | | | | >--DHCPREQUEST-----> | | | relay-agent-info: | | | VSS type VRF:"abc"| | | VSS-Control | | | | | | <----DHCPACK-------< | | | relay-agent-info: | | | VSS type VRF:"abc"| | | | | <---DHCPACK------< | | | on VRF "abc" | | | | | ... ... ... Figure 4.1-1: DHCPv4 - Relay Agent knows VPN The DHCP server would know that it should respond to VPN information specified in a VSS option or sub-option, and it would be configured with appropriate VPN address spaces to service the projected client requirements. Thus, in this common approach, the DHCP client knows nothing of any VPN access, the relay agent has been configured in some way that allows it to determine the VPN of the DHCP client and transmit that using a VSS option or sub-option to the DHCP server, and the DHCP server responds to the VPN specified by the relay agent. There is no conflict between different entities trying to specify Kinnear, et. al. Expires May 2012 [Page 11] Internet Draft Virtual Subnet Selection Options November 2012 different VSS information -- each entity knows its role through policy or configuration external to this document. If any mis-configuration exists, it SHOULD result in a DHCP client being unable to acquire an IP address. For instance, a relay agent which supports VPN access SHOULD couple transmission of VSS options or sub-options to the configuration of VPN support, and not allow one without the other. It is important to ensure that the relay agent and DHCP server both support the VSS option and sub-option (for DHCPv4) or the VSS option (for DHCPv6). Deploying DHCPv4 relay agents which support and emit VSS sub-options in concert with DHCPv4 servers which do not support the VSS option or sub-option as defined in this document SHOULD NOT be done, as such an ensemble will not operate correctly. Should this situation occur, however, the relay agent can detect the problem (since the VSS-Control sub-option will appear in the packets it receives from the DHCPv4 server, indicating the server did not effectively process the VSS sub-option), and it can issue appropriate diagnostic messages. 4.2. VPN assignment by the DHCP server In this approach, the DHCP server would be configured in some way to know the VPN on which a particular DHCP client should be given access. The DHCP server would in this case include the VSS sub- option in the relay-agent-information option for DHCPv4 or the VSS option in the Relay-reply message for DHCPv6. The relay agent responsible for mediating VPN access would use this information to select the correct VPN for the DHCP client. In the unusal event that there were more than one relay agent involved in this transaction, some external configuration or policy would be needed to inform the DHCPv6 server into which Relay-reply message the VSS option should go. Once the relay agent has placed the DHCP client into the proper VPN, it SHOULD begin including VSS information in requests that it forwards to the DHCP server. Since this information does not conflict with the DHCP server's idea of the proper VPN for the client, everything works correctly. The diagram below shows this approach using DHCPv4. The DHCPv6 situation is similar, but uses the DHCPv6 VSS option instead. Kinnear, et. al. Expires May 2012 [Page 12] Internet Draft Virtual Subnet Selection Options November 2012 DHCPv4 DHCPv4 Relay DHCPv4 Client Agent Server | | | | >--DHCPDISCOVER--> | | | on unknown VPN | | | | >--DHCPDISCOVER----> | | | | | | <----DHCPOFFER-----< | | | relay-agent-info: | | | VSS type VRF:"abc"| | | | | <---DHCPOFFER----< | | | on VRF "abc" | | | | | | >--DHCPREQUEST---> | | | on VRF "abc" | | | | >--DHCPREQUEST-----> | | | relay-agent-info: | | | VSS type VRF:"abc"| | | VSS-Control | | | | | | <----DHCPACK-------< | | | relay-agent-info: | | | VSS type VRF:"abc"| | | | | <---DHCPACK------< | | | on VRF "abc" | | | | | | | | ... ... ... Figure 4.2-1: DHCPv4 - DHCPv4 Server knows VPN In this approach, the DHCP client is again unaware of any VPN activity. In this case, however, the DHCP server knows the VPN for the client, and the relay agent responds to the VSS information specified by the DHCP server. Similar to the previous approach, each entity knows its role through a means external to this document and no two entities try to specify VSS information in conflict. It is important that both the relay agent as well as the DHCP server both support the VSS option and sub-option (for DHCPv4) and the VSS option (for DHCPv6). Deploying and configuring VPN support in one element and not in the other is not a practical approach. Kinnear, et. al. Expires May 2012 [Page 13] Internet Draft Virtual Subnet Selection Options November 2012 4.3. Required Support DHCP relay agents and servers MUST support the approach discussed in Section 4.1. DHCP relay agents and server SHOULD support the approach discussed in Section 4.2. DHCP relay agents and servers SHOULD NOT be configured to operate with both approaches simultaneously. 4.4. Alternative VPN assignment approaches There are many other approaches which can be created with multiple relay agents each inserting VSS information into different Relay- forward messages, relay agent VSS information conflicting with client VSS information, or DHCP server VSS information conflicting with relay agent and client VSS information. Since these approaches do not describe situations that are useful today, specifying precisely how to resolve all of these conflicts is unlikely to be valuable in the event that these approaches actually become practical in the future. The current use of the VSS option and sub-option require that each entity knows the part that it plays in dealing with VPN data. Each entity -- client, relay agent or agents, and server -- SHOULD know through some policy or configuration beyond the scope of this document whether it is responsible for specifying VPN information using the VSS option or sub-option or responsible for responding to VSS information specified by another entity, or simply ignoring any VSS information which it might see. Some simple conflict resolution approaches are discussed below, in the hopes that they will cover simple cases that may arise from situations beyond those envisioned today. However, for more complex situations, or simple situations where appropriate conflict resolution strategies differ from those discussed in this document, a document detailing the usage situations and appropriate conflict resolution strategies SHOULD be created and submitted for discussion and approval. 5. Relay Agent Behavior A relay agent which receives a DHCP request from a DHCP client on a VPN SHOULD include Virtual Subnet Selection information in the DHCP packet prior to forwarding the packet on to the DHCP server unless inhibited from doing so by configuration information or policy to the contrary. In this situation, a DHCPv4 relay agent MUST include a DHCPv4 VSS sub-option in a relay-agent-information option [RFC3046], while a Kinnear, et. al. Expires May 2012 [Page 14] Internet Draft Virtual Subnet Selection Options November 2012 DHCPv6 relay agent MUST include a DHCPv6 VSS option in the Relay- forward message. The value placed in the Virtual Subnet Selection sub-option or option would typically be sufficient for the relay agent to properly route any DHCP reply packet returned from the DHCP server to the DHCP client for which it is destined. In some cases, the information in the VSS sub-option or option might be an index into some internal table held in the relay agent, though this document places no requirement on a relay agent to have any such internal state. A DHCPv4 relay agent MUST, in addition, include a DHCPv4 VSS-Control sub-option (which has a length of zero) in the relay-agent- information option [RFC3046] whenever it includes a VSS sub-option in the relay-agent-information option. The inclusion of the VSS sub- option and the VSS-Control sub-option in the relay-agent-information option will allow the DHCPv4 relay agent to determine whether the DHCPv4 server actually processed the information in the VSS sub- option when it receives the relay-agent-information option in the reply from the DHCPv4 server. The reason to include this additional VSS DHCPv4 sub-option is that [RFC3046] specifies (essentially) that a DHCPv4 server should copy all sub-options that it receives in a relay-agent-information option in a request into a corresponding relay-agent-information option in the response. Thus, a server that didn't support the DHCPv4 VSS sub-option would normally just copy it to the response packet, leaving the relay agent to wonder if in fact the DHCPv4 server actually used the VSS information when processing the request. To alleviate this potential confusion, a DHCPvr4 relay agent instead sends in two sub-options: one VSS sub-option, and one VSS-Control sub-option. If both sub-options appear in the response from the DHCPv4 server, then the DHCPv4 relay agent MUST assume that the DHCPv4 server did not act on the VSS information in the VSS sub- option. If only the VSS sub-option appears in the response from the DHCPv4 server and no VSS-Control sub-option appears in the response from the DHCPv4 server, then the relay agent SHOULD assume that the DHCPv4 server acted successfully on the VSS sub-option. Anytime a relay agent places a VSS option or sub-option in a DHCP request, it SHOULD send it only to a DHCP server which supports the VSS option or sub-option, and it MUST check the response to determine if the DHCP server actually honored the requested VSS information. In the DHCPv6 case, the appearance of the option in the Relay-reply packet indicates that the DHCPv6 server understood and acted upon the contents of the VSS option in the Relay-forward packet. In the Kinnear, et. al. Expires May 2012 [Page 15] Internet Draft Virtual Subnet Selection Options November 2012 DHCPv4 case, as discussed above, the appearance of the VSS sub-option without the appearance of a VSS-Control sub-option indicates that the DHCPv4 server successfully acted upon the VSS sub-option. This document does not create a requirement that a relay agent remember the contents of a VSS DHCPv4 sub-option or VSS DHCPv6 option sent to a DHCP server. In many cases, the relay agent may simply use the value of the VSS returned by the DHCP server to forward the response to the DHCP client. If the VSS information, the IP address allocated, and the VPN capabilities of the relay agent all interoperate correctly, then the DHCP client will receive a working IP address. Alternatively, if any of these items don't interoperate with the others, the DHCP client will not receive a working address. Note that in some environments a relay agent may choose to always place a VSS option or sub-option into packets and messages that it forwards in order to forestall any attempt by a relay agent closer to the client or the client itself to specify VSS information. In this case, a type field of 255 is used to denote the global, default VPN. When the type field of 255 is used, there MUST NOT be any additional VSS information in the VSS option or sub-option. In the DHCPv4 case, an additional VSS-Control sub-option, as discussed above. 5.1. VPN assignment by the DHCP server In some cases, a DHCP server may use the Virtual Subnet Selection sub-option or option to inform a relay agent that a particular DHCP client is associated with a particular VPN. It does this by sending the Virtual Subnet Selection sub-option or option with the appropriate information to the relay agent in the relay-agent- information option for DHCPv4 or the Relay-reply message in DHCPv6. If the relay agent cannot respond correctly to the DHCP server's requirement to place the DHCP client into that VPN (perhaps because it has not been configured with a VPN that matches the VSS information received from the DHCP server) it MUST drop the packet and not send it to the DHCP client. In this situation, once the relay agent has placed the DHCP client into the VPN specified by the DHCP server, it will insert a VSS option or sub-option when forwarding packets from the client. The DHCP server in normal operation will echo this VSS information into the outgoing replies. In the event that the relay agent doesn't include VSS information on subsequent requests after the DHCP server has included VSS information in a reply to the relay agent, the DHCP server can conclude that the relay agent doesn't support VSS processing, and the DHCP server SHOULD stop processing this transaction and not respond Kinnear, et. al. Expires May 2012 [Page 16] Internet Draft Virtual Subnet Selection Options November 2012 to the request. 5.2. DHCP Leasequery Sometimes a relay-agent needs to submit a DHCP Leasequery [RFC4388] [RFC5007] packet to the DHCP server in order to recover information about existing DHCP allocated IP addresses on other than the normal, global VPN. In the context of a DHCP Leasequery the relay agent is a direct client of the DHCP server and is not relaying a packet for another DHCP client. Thus, the instructions in Section 6 on Client Behavior should be followed to include the necessary VSS information. 6. Client Behavior Typically, DHCPv4 and DHCPv6 clients have no interaction with VSS options or sub-options. The VSS information is handled by exchanges between a DHCPv4 or DHCPv6 relay agent and the corresponding DHCPv4 or DHCPv6 server. However, there are times when an entity is acting as a DHCPv4 or DHCPv6 client in that it is communicating directly with a DHCPv4 or DHCPv6 server. In these instances -- where communications is occurring without employing the DHCPv4 relay-agent-information option or the DHCPv6 Relay-forward or Relay-reply messages, the entity is acting as a DHCPv4 or DHCPv6 client with regard to its communication with the DHCPv4 or DHCPv6 server, but not necessarily as a DHCP client who is requesting a DHCPv4 or DHCPv6 address for its own use. The client, in this context, may be requesting an IP address for another entity, thus acting as a DHCP proxy. The client may be requesting information about another client-to-address binding, using the DHCPv4 [RFC4388] or DHCPv6 [RFC5007] Leasequery protocol. In the rest of this section, the term "client" refers to an entity communicating VSS information directly to a DHCPv4 or DHCPv6 server without using the DHCPv4 relay-agent-information option or the DHCPv6 Relay-forward or Relay-reply messages, and there is no requirement that such a client is a traditional DHCPv4 or DHCPv6 client requesting an IP address binding for itself. A DHCPv4 or DHCPv6 client will employ the VSS option to communicate VSS information to their respective servers. This information MUST be included in every message concerning any IP address on a different VPN than the global or default VPN. A DHCPv4 client will place the DHCPv4 VSS option in its packets, and a DHCPv6 client will place the DHCPv6 VSS option in its messages. A DHCPv6 client that needs to place a VSS option into a DHCPv6 Kinnear, et. al. Expires May 2012 [Page 17] Internet Draft Virtual Subnet Selection Options November 2012 message SHOULD place a single VSS option into the DHCPv6 message at the same level as the Client Identifier option. A DHCPv6 client MUST NOT include different VSS options in the same DHCPv6 message. Note that, as mentioned in Section 1, throughout this document when a DHCPv6 address is indicated the same information applies to DHCPv6 Prefix Delegation [RFC3633] as well. Since this option is placed in the packet in order to change the VPN on which an IP address is allocated for a particular DHCP client, one presumes that an allocation on that VPN is necessary for correct operation. Thus, a client which places this option in a packet and doesn't receive it or receives a different value in a returning packet SHOULD drop the packet since the IP address that was allocated will not be in the requested VPN. Clients should be aware that some DHCP servers will return a VSS option with different values than that which was sent in. In addition, a client may receive a response from a DHCP server with a VSS option when none was sent in by the Client. Note that when sending a DHCP Leasequery request, a relay agent is acting as a DHCP client and so it SHOULD include the respective DHCPv4 or DHCPv6 VSS option in its DHCPv4 or DHCPv6 Leasequery packet if the DHCP Leasequery request is generated for other than the default, global VPN. It SHOULD NOT include a DHCPv4 sub-option in this case. 7. Server Behavior A DHCP server receiving the VSS option or sub-option SHOULD allocate an IP address (or use the VSS information to access an already allocated IP address) from the VPN specified by the included VSS information. In the case where the type field of the VSS option or sub-option is 255, the VSS option denotes the global, default VPN. In this case, there is no explicit VSS information beyond the type field. This document does not prescribe any particular address allocation policy. A DHCP server may choose to attempt to allocate an address using the VSS information and, if this is impossible, to not allocate an address. Alternatively, a DHCP server may choose to attempt address allocation based on the VSS information and, if that is not possible, it may fall back to allocating an address on the global or default VPN. This, of course, is also the apparent behavior of any DHCP server which doesn't implement support for the VSS option and sub-option. Thus, DHCP clients and relay agents SHOULD be prepared Kinnear, et. al. Expires May 2012 [Page 18] Internet Draft Virtual Subnet Selection Options November 2012 for either of these alternatives. In some cases, a DHCP server may use the Virtual Subnet Selection sub-option or option to inform a relay agent that a particular DHCP client is associated with a particular VPN. It does this by sending the Virtual Subnet Selection sub-option or option with the appropriate information to the relay agent in the relay-agent- information option for DHCPv4 or the Relay-reply message in DHCPv6. In this situation, the relay agent will place the client in the proper VPN, and then it will insert a VSS option or sub-option in subsequent forwarded requests. The DHCP server will see this VSS information and since it doesn't conflict in any way with the server's notion of the VPN on which the client is supposed to reside, it will process the requests based on the VPN specified in the VSS option or sub-option, and echo the same VSS information in the outgoing replies. The relay agent receiving a reply containing a VSS option should support the VSS option. Otherwise the relay agent will end up attempting to use the address as though it were a global address. Should this happen, the subsequent DHCPREQUEST will not contain any VSS information, in which case the DHCP server SHOULD NOT respond with a DHCPACK. If a server uses a different VPN than what was specified in the VSS option or sub-option, it SHOULD send back the VPN information using the same type as the received type. It MAY send back a different type if it is not possible to use the same type (such as the RFC2685 VPN- ID if no ASCII VPN identifier exists). A server which receives a VSS sub-option in the DHCPv4 relay-agent- information option and does not receive a VSS-Control sub-option in the relay-agent-information option MUST process the information specified in the VSS sub-option in the same fashion as it would have if it received both sub-options. 7.1. Returning the DHCPv4 or DHCPv6 Option DHCPv4 or DHCPv6 servers receiving a VSS option (for sub-option processing, see below) MUST return an instance of this option in the reply packet or message if the server successfully uses this option to allocate an IP address, and it MUST NOT include an instance of this option if the server is unable to support, is not configured to support, or does not implement support for VSS information in general or the requested VPN in particular. If they echo the option (based on the criteria above), servers SHOULD Kinnear, et. al. Expires May 2012 [Page 19] Internet Draft Virtual Subnet Selection Options November 2012 return an exact copy of the option unless they desire to change the VPN on which a client was configured. The appearance of the DHCPv4 VSS option code in the DHCPv4 Parameter Request List option [RFC2132] should not change the processing or decision to return or not return the VSS option as specified in this document. The appearance of the DHCPv6 VSS option in the OPTION_ORO [RFC3315] or the OPTION_ERO [RFC4994] should not change the processing or decision to return (or not to return) the VSS option as specified in this document. 7.2. Returning the DHCPv4 Sub-Option The case of the DHCPv4 sub-option is a bit more complicated. Note that [RFC3046] specifies that a DHCPv4 server which supports the relay-agent-information option SHALL copy all sub-options received in a relay-agent-information option into any outgoing relay-agent- information option. Thus, the default behavior for any DHCPv4 server is to return any VSS sub-option received to the relay agent whether or not the DHCPv4 server understands the VSS sub-option. In order to distinguish a DHCPv4 server which is simply copying relay-agent-information option sub-options from an incoming to an outgoing relay-agent-informaion option from one which successfully acted upon the information in the VSS sub-option, DHCPv4 relay agents MUST include a VSS-Control sub-option in the relay-agent-information any time that it includes a VSS sub-option in the relay-agent- information option. A DHCPv4 server which does not support the VSS sub-option will copy both sub-options into the outgoing relay-agent-information option, thus signalling to the DHCPv4 relay agent that it did not understand the VSS sub-option. A DHCPv4 server which supports the VSS sub-option: o MUST copy the VSS sub-option into the outgoing relay-agent- information option o MUST NOT copy the VSS-Control sub-option into the outgoing relay-agent-information option Moreover, if a server uses different VSS information to allocate an IP address than it receives in a particular DHCPv4 sub-option, it MUST include that alternative VSS information in the VSS sub-option that it returns to the DHCPv4 relay agent instead of the original VSS information it was given. Kinnear, et. al. Expires May 2012 [Page 20] Internet Draft Virtual Subnet Selection Options November 2012 If a DHCPv4 server supports this sub-option and for some reason (perhaps administrative control) does not honor this sub-option from the request then it MUST NOT echo either sub-option into the outgoing relay-agent-information option. 7.3. Making sense of conflicting VSS information It is possible for a DHCPv4 server to receive both a VSS option and VSS sub-options in the same packet. Likewise, a DHCPv6 server can receive multiple VSS options in nested Relay-forward messages as well as in the client message itself. In either of these cases, the VSS information from the relay agent closest to the DHCP server SHOULD be used in preference to all other VSS information received. In the DHCPv4 case, this means that the VSS sub-option takes precedence over the VSS option, and in the DHCPv6 case, this means that the VSS option from the outer-most Relay-forward message in which a VSS option appears takes precedence. The reasoning behind this approach is that the relay-agent closer to the DHCP server is almost certainly more trusted than the DHCP client or more distant relay agents, and therefore information in the relay-agent-information option or the Relay-forward message is more likely to be correct. In general, relay agents SHOULD be aware through configuration or policy external to this document whether or not they should be including VSS information in packets that they forward and so there should not be conflicts among relay agent specified VSS information. In these situations where multiple VSS option or sub-options appear in the incoming packet or message, when the DHCP server constructs the response to be sent to the DHCP client or relay agent, all existing VSS options or sub-options MUST be replicated in the appropriate places in the response and MUST contain only the VSS information that was used by the DHCP server to allocate the IP address (with, of course, the exception of a DHCPv4 relay-agent- information sub-option VSS-Control). 8. Updates to RFC 3046 This document updates the specification of the Relay Agent Information option in RFC 3046 as follows: Change the first sentence, second paragraph, section 2.2 of RFC 3046: o OLD: DHCP servers claiming to support the Relay Agent Information Kinnear, et. al. Expires May 2012 [Page 21] Internet Draft Virtual Subnet Selection Options November 2012 option SHALL echo the entire contents of the Relay Agent Information option in all replies. o NEW: DHCP servers claiming to support the Relay Agent Information option SHALL echo the entire contents of the Relay Agent Information option in all replies, except if otherwise specified in the definition of specific Relay Agent Information sub- options. 9. Security Message authentication in DHCPv4 for intradomain use where the out- of-band exchange of a shared secret is feasible is defined in [RFC3118]. Potential exposures to attack are discussed in Section 7 of the DHCP protocol specification in [RFC2131]. Implementations should consider using the DHCPv4 Authentication option [RFC3118] to protect DHCPv4 client access in order to provide a higher level of security if it is deemed necessary in their environment. Message authentication in DHCPv4 relay agents as defined in [RFC4030] should be considered for DHCPv4 relay agents employing this sub- option. Potential exposures to attack are discussed in Section 7 of the DHCP protocol specification in [RFC2131]. For DHCPv6 use of the VSS option, the "Security Considerations" Section of [RFC3315] details the general threats to DHCPv6, and thus to messages using the VSS option. The "Authentication of DHCP Messages" Section of [RFC3315] describes securing communication between relay agents and servers, as well as clients and servers. The VSS option could be used by a client in order to obtain an IP address from any VPN. This option would allow a client to perform a more complete address-pool exhaustion attack since the client would no longer be restricted to attacking address-pools on just its local subnet. A DHCP server that implements these options and sub-option should be aware of this possibility and use whatever techniques that can be devised to prevent such an attack. Information such as the giaddr in DHCPv4 or link address in the Relay-forward DHCPv6 message might be used to detect and prevent this sort of attack. One possible defense would be for the DHCP relay to insert a VSS option or sub-option to override the DHCP client's VSS option. Kinnear, et. al. Expires May 2012 [Page 22] Internet Draft Virtual Subnet Selection Options November 2012 Servers that implement the VSS option and sub-option MUST by default disable use of the feature; it must specifically be enabled through configuration. Moreover, a server SHOULD provide the ability to selectively enable use of the feature under restricted conditions, e.g., by enabling use of the option only from explicitly configured client-ids, enabling its use only by clients on a particular subnet, or restricting the VSSs from which addresses may be requested. 10. IANA Considerations IANA is requested to assign DHCPv4 option number 221 for the DHCPv4 VSS option defined in Section 3.1, in accordance with [RFC3942]. IANA is requested to assign sub-option number 151 for the DHCPv4 VSS sub-option defined in Section 3.2 from the DHCP Relay Agent Sub- options space [RFC3046], in accordance with the spirit of [RFC3942]. While [RFC3942] doesn't explicitly mention the sub-option space for the DHCP Relay Agent Information option [RFC3046], sub-option 151 is already in use by existing implementations of this sub-option and the current draft is essentially upward compatible with these current implementations. IANA is requested to assign the value of TBD for the DHCPv4 VSS- Control sub-option defined in Section 3.3. IANA is requested to assign the value of TBD for the DHCPv6 VSS option defined in Section 3.4 from the DHCPv6 option registry. The type byte defined in Section 3.5 defines a number space for which IANA is to create and maintain a new sub-registry entitled "VSS Type values". This sub-registry needs to be related to both the DHCPv4 and DHCPv6 VSS options and the DHCPv4 relay-agent-information option sub-option (all defined by this document), since the type byte in these two options and one sub-option MUST have identical definitions. New values for the type byte may only be defined by IETF Consensus, as described in [RFC5226]. Basically, this means that they are defined by RFCs approved by the IESG. 11. Acknowledgments Bernie Volz recommended consolidation of the DHCPv4 option and sub- option drafts after extensive review of the former drafts, and provided valuable assistance in structuring and reviewing this document. Alper Yegin expressed interest in the DHCPv6 VSS option, resulting in this combined draft covering all three areas. Alfred Hoenes provided assistance with editorial review as well as raising substantive protocol issues. David Hankins and Bernie Volz each Kinnear, et. al. Expires May 2012 [Page 23] Internet Draft Virtual Subnet Selection Options November 2012 raised important protocol issues which resulted in a clarified document. Josh Littlefield provided editorial assistance. Several IESG reviewers took the time to substantially review this document, resulting in much increased clarity. 12. References 12.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997. [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, March 1997. [RFC2685] Fox, B., Gleeson, B., "Virtual Private Networks Identifier", RFC 2685, September 1999. [RFC3046] Patrick, M., "DHCP Relay Agent Information Option", RFC 3046, January 2001. [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. [RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6", RFC 3633, December 2003. [RFC4994] Zeng, S., Volz, B., Kinnear, K. and J. Brzozowski, "DHCPv6 Relay Agent Echo Request Option", RFC 4994, September 2007. 12.2. Informative References [RFC951] Croft, B. and J. Gilmore, "Bootstrap Protocol", RFC 951, September 1985. [RFC1542] Wimer, W., "Clarifications and Extensions for the Bootstrap Protocol", RFC 1542, October 1993. [RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP Kinnear, et. al. Expires May 2012 [Page 24] Internet Draft Virtual Subnet Selection Options November 2012 Messages", RFC 3118, June 2001. [RFC3942] Volz, B., "Reclassifying Dynamic Host Configuration Protocol version 4 (DHCPv4) Options", RFC 3942, November 2004. [RFC4030] Stapp, M. and T. Lemon, "The Authentication Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Option", RFC 4030, March 2005. [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration Protocol (DHCP) Leasequery", RFC 4388, February 2006. [RFC5007] Brzozowski, J., Kinnear, K., Volz, B., and S. Zeng, "DHCPv6 Leasequery", RFC 5007, September 2007. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. Authors' Addresses Kim Kinnear Cisco Systems 1414 Massachusetts Ave. Boxborough, Massachusetts 01719 Phone: (978) 936-0000 EMail: kkinnear@cisco.com Richard Johnson Cisco Systems 170 W. Tasman Dr. San Jose, CA 95134 Phone: (408) 526-4000 EMail: raj@cisco.com Mark Stapp Cisco Systems 1414 Massachusetts Ave. Boxborough, Massachusetts 01719 Phone: (978) 936-0000 Kinnear, et. al. Expires May 2012 [Page 25] Internet Draft Virtual Subnet Selection Options November 2012 EMail: mjs@cisco.com Jay Kumarasamy Kinnear, et. al. Expires May 2012 [Page 26]