Network Working Group                                         R. Johnson
Internet-Draft                                       Cisco Systems, Inc.
Expires: August 7, 2005                                 February 6, 2005


                     TFTP Server Address DHCP Option
                   draft-raj-dhc-tftp-addr-option-00.txt

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she becomes aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 7, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This memo defines the "TFTP Server Address" option as it is currently
   in use by Cisco Systems.  The option number currently in use is 150.
   This memo documents the current usage of the option in agreement with
   RFC 3942 [7], which declares that any pre-existing usages of option
   numbers in the range 128 - 223 should be documented and the working
   group will try to officially assign those numbers to those options.


Johnson                 Expires August 7, 2005                  [Page 1]

Internet-Draft        TFTP Server Address DHCP Option      February 2005


Table of Contents

   1.  Introduction
   2.  TFTP Server Address Option Definition
   3.  Security Considerations
   4.  IANA Considerations
   5.  References
       Author's Address
       Intellectual Property and Copyright Statements

1.  Introduction

   Small devices, such as IP phones, have a need for downloading their
   configuration from a TFTP server on the network.  There are commonly
   accepted methods to discover this server via DHCP: the "sname" field
   in the DHCP header [2] and the "TFTP Server name" option (#66) [3].
   Both of these sources of information, however, contain the TFTP
   server's hostname.  That hostname must then be translated to an IP
   address.  The usual method to accomplish this would be DNS [4].  This
   means the firmware in a small "network appliance" device would need
   to implement the DNS protocol in order to perform this translation.
   This unacceptably increases the firmware code size.

   In order to keep the firmware in a small "network appliance" to a
   minimum, it was decided that it would be best to introduce the "TFTP
   Server Address" option (#150).  This option allows the DHCP server to
   pass the IP address of the TFTP server instead of the hostname, thus
   making the information directly usable by the "network appliance".

   In cases where either "sname" or the "TFTP Server name" option
   appears in a DHCP response packet along with the "TFTP Server
   Address" option, it is left to the device to decide which piece of
   information to use.

2.  TFTP Server Address Option Definition

   The TFTP Server Address option is a DHCP option [3].  The option
   contains the IPv4 address of the TFTP server which the client should
   use (if needed).
   The format of the option is:

       Code   Len        IPv4 TFTP Server Address(es)
      +-----+-----+-----+-----+-----+-----+
      | 150 |  n  |     IPv4 address      | ...
      +-----+-----+-----+-----+-----+-----+

                                 Figure 1

   The option minimum length (n) is 4.  The "Len" field must specify a
   length which is an integral multiple of 4 octets (4, 8, 12, etc.).
   If an option is received where this is not the case, the option
   information SHOULD be ignored.  Dividing this "Len" value by 4 gives
   the number of IPv4 TFTP server addresses which are specified in the
   option.

   The option SHOULD NOT be specified by the DHCP Client.

   Server addresses SHOULD be listed in order of preference.

3.  Security Considerations

   A rogue DHCP Server could use this option in order to coerce a Client
   into downloading configuration from an alternate TFTP server and thus
   gain control of the device's configuration.  This is easier done with
   the TFTP Server Address option than it was with the TFTP Server Name
   option, because in the latter case the attacker would need to control
   DNS responses as well as insert the rogue DHCP option information.
   If this is a concern, then either DHCP Authentication may be used, or
   the TFTP Server Name option may simply be used instead.

   Message authentication in DHCP for intradomain use where the
   out-of-band exchange of a shared secret is feasible is defined in
   [5].  Potential exposures to attack are discussed in section 7 of the
   DHCP protocol specification in [2].

4.  IANA Considerations

   This option is in current usage with the number 150.  As per
   RFC 3942, this already existing number assignment should simply be
   made "official" by IANA, unless there is a conflict with some other
   usage.

5.  References

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.
   [2]  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
        March 1997.

   [3]  Droms, R. and S. Alexander, "DHCP Options and BOOTP Vendor
        Extensions", RFC 2132, March 1997.

   [4]  Mockapetris, P., "Domain Names - Concepts and Facilities",
        RFC 1034, November 1987.

   [5]  Droms, R., "Authentication for DHCP Messages", RFC 3118,
        June 2001.

   [6]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
        Considerations Section in RFCs", RFC 2434, October 1998.

   [7]  Volz, B., "Reclassifying Dynamic Host Configuration Protocol
        version 4 (DHCPv4) Options", RFC 3942, November 2004.

Author's Address

   Richard A. Johnson
   Cisco Systems, Inc.
   170 W. Tasman Dr.
   San Jose, CA  95134
   US

   Phone: +1 408 526 4000
   EMail: raj@cisco.com

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.
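The option encoding of Section 2, with the length rule the client must apply, worked as a Python example added here (it is not part of the draft or of any Cisco implementation): a server-side encoder and a client-side decoder run over a constructed DHCP options field that also carries the TFTP Server Name option (#66). The hostname and addresses in the sample are made up; an option whose Len is not a multiple of 4 is ignored, as Section 2 requires.

```python
import ipaddress

TFTP_SERVER_NAME_OPTION = 66      # RFC 2132 "TFTP Server name"
TFTP_SERVER_ADDRESS_OPTION = 150  # this draft
DHCP_OPTION_PAD, DHCP_OPTION_END = 0, 255

def encode_tftp_server_option(addresses):
    """Server side: Code, Len, then 4 octets per server, preferred first."""
    if not addresses:
        raise ValueError("minimum Len is 4: at least one address required")
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    if len(payload) > 255:
        raise ValueError("too many addresses for a one-octet Len field")
    return bytes([TFTP_SERVER_ADDRESS_OPTION, len(payload)]) + payload

def parse_dhcp_options(field):
    """Walk an RFC 2132 options field into {code: raw value}; PAD is skipped,
    END stops the walk, and a Len that overruns the field ends parsing."""
    options, i = {}, 0
    while i < len(field):
        code = field[i]
        if code == DHCP_OPTION_END:
            break
        if code == DHCP_OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(field):
            break                                   # Code without a Len octet
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            break                                   # Len overruns the field
        options[code] = value
        i += 2 + length
    return options

def tftp_servers_from_option(value):
    """Client side (Section 2): Len must be a non-zero multiple of 4 or the
    option SHOULD be ignored; Len // 4 addresses follow, preferred first."""
    if len(value) < 4 or len(value) % 4:
        return []
    return [str(ipaddress.IPv4Address(value[o:o + 4]))
            for o in range(0, len(value), 4)]

# Constructed sample options field (made-up hostname, documentation
# addresses): option 66, option 150 listing two servers, then END.
SAMPLE_OPTIONS = (bytes([TFTP_SERVER_NAME_OPTION, 16]) + b"tftp.example.net"
                  + encode_tftp_server_option(["192.0.2.10", "198.51.100.7"])
                  + bytes([DHCP_OPTION_END]))
```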
Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.