Network Working Group                                           O. Troan
Internet-Draft                                                  R. Droms
Expires: August 14, 2002                                   Cisco Systems
                                                       February 13, 2002


                    IPv6 Prefix Options for DHCPv6
            draft-troan-dhcpv6-opt-prefix-delegation-00.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 14, 2002.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

   The Prefix Delegation option and the Prefix Request option provide a
   mechanism for delegation of IPv6 prefixes using DHCP.  Conceptually,
   IPv6 prefixes are assigned with these options in the same manner as
   IPv6 addresses.  This prefix delegation mechanism is intended for
   simple prefix delegation from a delegating router to a requesting
   router, across an administrative boundary, where the delegating
   router does not require knowledge about the topology of the links in
   the network to which the prefixes will be assigned.

Troan & Droms           Expires August 14, 2002                 [Page 1]

Internet-Draft       IPv6 Prefix Options for DHCPv6        February 2002

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Requirements
   4.  Model and Applicability
   5.  Prefix delegation options
   5.1 IA Prefix option
   5.2 IA Prefix Request option
   6.  Message Validation
   7.  Delegating Router Solicitation
   7.1 Requesting router behavior
   7.2 Delegating router behavior
   8.  Requesting-router-initiated prefix delegation
   8.1 Requesting router behavior
   8.2 Delegating Router Behavior
   9.  Delegating Router-initiated prefix delegation reconfiguration
   9.1 Delegating Router behavior
   9.2 Requesting Router behavior
   10. Relay agent behavior
   11. Security Considerations
       References
       Authors' Addresses
       Full Copyright Statement

1. Introduction

   This document describes two new options for DHCP, which provide a
   mechanism for delegation of IPv6 prefixes.  Through these options, an
   authorized delegating router can delegate prefixes to a requesting
   router.

   The prefix delegation mechanism described in this document is
   intended for simple delegation of prefixes from a delegating router
   to a requesting router.
   It is appropriate for situations in which the delegating router does
   not have knowledge about the topology of the networks to which the
   requesting router is attached, and the delegating router does not
   require other information aside from the identity of the requesting
   router to choose a prefix or prefixes for delegation.  For example,
   the Prefix Delegation and Prefix Request options would be used by a
   service provider to assign a prefix to a CPE device acting as a
   router between the subscriber's internal network and the service
   provider's core network.

2. Terminology

   This document uses the terminology defined in RFC2460 [2] and DHCP
   [5].  In addition, this document uses the following terms:

   Requesting Router:  The router that acts as a DHCP client and is
      requesting that a prefix be assigned

   Delegating Router:  The router that acts as a DHCP server, and is
      responding to the prefix request

3. Requirements

   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
   document, are to be interpreted as described in RFC 2119 [1].

4. Model and Applicability

   The model of operation for prefix delegation is as follows.  A
   delegating router is provided DHCPv6 prefixes to be delegated to
   requesting routers.  Examples of ways in which the delegating router
   may be provided these prefixes are given in Section 8.2.  A
   requesting router requests a prefix or prefixes from the delegating
   router, as described in Section 8.1.  The delegating router chooses a
   prefix or prefixes for delegation, and returns those prefixes to the
   requesting router.  The requesting router is then responsible for the
   delegated prefix or prefixes.  For example, the requesting router
   might assign a delegated prefix to a link to which the router has an
   interface, and begin sending router advertisements for the prefix on
   that link.

   Delegated prefixes are managed in the same way as assigned IPv6
   addresses in DHCP.  Each prefix has an associated lease, which
   constitutes an agreement about the length of time over which the
   requesting router is allowed to use the prefix.  A requesting router
   can request an extension of the lease on a delegated prefix and is
   required to terminate the use of a delegated prefix if the lease on
   the prefix expires.

   For example, this prefix delegation mechanism would be appropriate
   for use by an ISP to delegate a prefix to a subscriber, where the
   delegated prefix would possibly be subnetted and assigned to the
   links within the subscriber's network.

   Figure 1 illustrates a network architecture in which prefix
   delegation would be used.

                 +--------+                              \
                 |  AAA   |                               \
                 | server |                                \
                 +---+----+                                 |
                  ___|__________________                    |
                 /                      \                   |
                |    ISP core network    |                  |
                 \__________ ___________/                   |
                            |                               | ISP
                    +-------+-------+                       | network
                    |  Aggregation  |                       |
                    |    device     |                       |
                    |  (delegating  |                       |
                    |    router)    |                       |
                    +-------+-------+                       |
                            |                              /
                            |DSL to subscriber            /
                            |premises                    /
                            |
                     +------+------+                     \
                     |     CPE     |                      \
                     | (requesting |                       \
                     |   router)   |                        |
                     +----+---+----+                        |
                          |   |                             | Subscriber
   ---+-------------+-----+- -+-----+-------------+---      | network
      |             |               |             |         |
 +----+-----+ +-----+----+     +----+-----+ +-----+----+    |
 |Subscriber| |Subscriber|     |Subscriber| |Subscriber|   /
 |    PC    | |    PC    |     |    PC    | |    PC    |  /
 +----------+ +----------+     +----------+ +----------+ /

              Figure 1: An example of prefix delegation.

   In this example, the delegating router is configured with a prefix
   assigned to the customer at the time of subscription to the ISP
   service.  The prefix delegation process begins when the requesting
   router requests configuration information through DHCP.  The DHCP
   messages from the requesting router are received by the delegating
   router in the aggregation device.
   When the delegating router receives the request, it consults the AAA
   server to authenticate the identity of the requesting router.  The
   AAA server returns an acknowledgment of the requesting router's
   identity to the delegating router.  The delegating router locates the
   prefix that has been assigned to the subscriber and returns it to the
   requesting router.

   In the case where the subscriber's network consists of a single
   internal link, the requesting router assigns the delegated prefix to
   the internal link.  If there are multiple internal links, as shown in
   figure 1, the requesting router can subnet a single delegated prefix
   into longer prefixes and assign them to the internal links.  Or, if
   the delegating router has delegated multiple prefixes, the requesting
   router can assign those prefixes to the internal links.

   The prefix delegation options can be used in conjunction with other
   DHCP options carrying other configuration information to the
   requesting router.  The requesting router may, in turn, then provide
   DHCP service to hosts attached to the internal network.  For example,
   the requesting router may obtain the addresses of DNS and NTP servers
   from the ISP delegating router, and then pass that configuration
   information on to the subscriber hosts through a delegating router in
   the requesting router.

5. Prefix delegation options

   Prefix delegation is accomplished with two options:

   IA Prefix option:  Used to inform a requesting router of a delegated
      prefix

   Prefix Request option:  Used by a requesting router to explicitly
      request a prefix or prefixes

5.1 IA Prefix option

   The format of the IA Prefix option is:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |        OPTION_IAPREFIX        |         option-length         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         lease-duration                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | prefix-length |                  IPv6-prefix                  |
      +-+-+-+-+-+-+-+-+               (variable length)               |
      .                                                               .
      .                                                               .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      option-code:      OPTION_IAPREFIX (TBD)

      option-length:    See section 23 of the DHCP specification

      lease duration:   The duration of the lease for the IPv6 prefix in
                        the option

      prefix-length:    Length for this prefix

      IPv6-prefix:      An IPv6 prefix

   The lease-duration is expressed in seconds.

   The prefix-length gives the number of bits in the prefix carried in
   this option.  To reduce the number of octets used for this option,
   the IPv6 prefix is represented in ceiling(prefix-length/8) octets.

   In a message sent by a requesting router to a delegating router, the
   value in the lease duration field indicates the requesting router's
   preference for those parameters.  The requesting router may send 0 if
   it has no preference for the lease duration.

   An IA Prefix option MUST only appear in an IA option.  One or more IA
   Prefix Options can appear anywhere in an IA option.
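
   An added example, not part of the draft: a Python encoder and strict
   decoder for the IA Prefix option layout above.  The option code is a
   placeholder because the draft leaves it TBD; option-length is assumed
   to count the octets after the 4-octet header, and rejecting bits set
   beyond prefix-length is a check this example adds.

```python
import ipaddress
import struct

# Hypothetical placeholder: the draft lists the OPTION_IAPREFIX code as TBD.
OPTION_IAPREFIX = 0xFFF0
FIXED_LEN = 5  # lease-duration (4 octets) + prefix-length (1 octet)


def encode_ia_prefix(prefix: str, lease_duration: int) -> bytes:
    """Build an IA Prefix option: code, length, lease, prefix-length, prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)  # refuses stray low bits
    if not 0 <= lease_duration <= 0xFFFFFFFF:
        raise ValueError("lease-duration must fit in 32 bits")
    n_octets = (net.prefixlen + 7) // 8               # ceiling(prefix-length/8)
    body = struct.pack("!IB", lease_duration, net.prefixlen)
    body += net.network_address.packed[:n_octets]
    # Assumption: option-length counts only the octets after the header.
    return struct.pack("!HH", OPTION_IAPREFIX, len(body)) + body


def decode_ia_prefix(buf: bytes):
    """Parse one option; return (network, lease_duration, octets_consumed)."""
    if len(buf) < 4:
        raise ValueError("truncated option header")
    code, opt_len = struct.unpack_from("!HH", buf, 0)
    if code != OPTION_IAPREFIX:
        raise ValueError("not an IA Prefix option")
    if opt_len < FIXED_LEN or len(buf) < 4 + opt_len:
        raise ValueError("option-length too short or runs past the buffer")
    lease, plen = struct.unpack_from("!IB", buf, 4)
    if plen > 128:
        raise ValueError("prefix-length exceeds 128 bits")
    n_octets = (plen + 7) // 8
    if opt_len != FIXED_LEN + n_octets:
        raise ValueError("option-length disagrees with prefix-length")
    # Pad the truncated prefix back to 16 octets before interpreting it.
    raw = buf[9:9 + n_octets] + bytes(16 - n_octets)
    try:
        # Added defensive check: bits beyond prefix-length must be zero.
        net = ipaddress.IPv6Network((raw, plen), strict=True)
    except ValueError:
        raise ValueError("bits set beyond prefix-length") from None
    return net, lease, 4 + opt_len


def is_well_formed(buf: bytes) -> bool:
    """True when buf starts with an IA Prefix option that passes every check."""
    try:
        decode_ia_prefix(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample using the /48 that Section 8.1 uses as its example.
    wire = encode_ia_prefix("dead:beef:cafe::/48", 3600)
    print(wire.hex(), decode_ia_prefix(wire))
```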

5.2 IA Prefix Request option

   The format of the IA Prefix Request option is:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |       OPTION_PREFIXREQ        |         option-length         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | prefix-length |  num-global   |   num-site    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      option-code:      OPTION_PREFIXREQ (TBD)

      option-len:       See section 23 of the DHCP specification

      prefix-length:    Prefix length for the requested global-scope
                        prefixes.  A value of zero (0) indicates that
                        the requesting router will accept any prefix
                        length provided by the delegating router.

      num-global:       The number of global-scope prefixes requested.
                        A value of 0 indicates that the requesting
                        router is not requesting any prefixes.  A value
                        of -1 indicates that the requesting router does
                        not indicate a preference.

      num-site:         The number of site-scope prefixes requested.  A
                        value of 0 indicates that the requesting router
                        is not requesting any prefixes.  A value of -1
                        indicates that the requesting router does not
                        indicate a preference.

   A Prefix Request option MUST only appear in an IA in a message from a
   requesting router.

6. Message Validation

   A requesting router or a delegating router MUST ignore any IA Prefix
   option or Prefix Request option that does not appear in an IA option
   in messages it receives.

   A requesting router MUST ignore any Prefix Request options in
   messages it receives.

7. Delegating Router Solicitation

   The requesting router locates and selects a delegating router in the
   same way as described in section "DHCP Server Solicitation" of the
   DHCP specification.  The details of the solicitation process are
   described in this section.
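
   For the Prefix Request option of Section 5.2 and the receiver rules
   of Section 6, the following is an added example, not part of the
   draft.  It works on options that have already been framed into a
   tree; the option codes, the Option class, the role names and the
   reading of -1 as the octet 0xFF are assumptions of this example.

```python
import struct
from dataclasses import dataclass, field

# Hypothetical placeholder codes: the draft lists OPTION_IAPREFIX and
# OPTION_PREFIXREQ as TBD, and the IA option code here is also assumed.
OPTION_IA, OPTION_IAPREFIX, OPTION_PREFIXREQ = 0xFFF1, 0xFFF0, 0xFFF2
PD_OPTIONS = {OPTION_IAPREFIX, OPTION_PREFIXREQ}


@dataclass
class Option:
    """An already-framed option; children holds options nested in an IA."""
    code: int
    data: bytes = b""
    children: list = field(default_factory=list)


def decode_prefix_request(data: bytes) -> dict:
    """Decode the three octets that follow option-length in Section 5.2.

    Assumption: -1 is carried as the two's-complement octet 0xFF, so the
    two counts are unpacked as signed octets. None means "no preference".
    """
    if len(data) != 3:
        raise ValueError("Prefix Request carries exactly 3 octets")
    plen, n_global, n_site = struct.unpack("!Bbb", data)
    if plen > 128:
        raise ValueError("prefix-length exceeds 128 bits")
    if n_global < -1 or n_site < -1:
        # Added check: the draft defines no meaning for counts below -1.
        raise ValueError("count below -1")
    return {
        "prefix_length": plen or None,   # 0 means any length is accepted
        "num_global": None if n_global == -1 else n_global,
        "num_site": None if n_site == -1 else n_site,
    }


def apply_section6(options: list, role: str):
    """Return (kept, ignored_count) for a "requesting" or "delegating" receiver."""
    if role not in ("requesting", "delegating"):
        raise ValueError("unknown role")
    kept, ignored = [], 0
    for opt in options:
        if opt.code in PD_OPTIONS:
            ignored += 1                 # prefix option outside an IA
        elif opt.code == OPTION_IA:
            inner = []
            for child in opt.children:
                if role == "requesting" and child.code == OPTION_PREFIXREQ:
                    ignored += 1         # requesting routers ignore these
                else:
                    inner.append(child)
            kept.append(Option(opt.code, opt.data, inner))
        else:
            kept.append(opt)
    return kept, ignored


# Constructed sample message: a stray Prefix Request, an IA holding both
# prefix options, and a stray IA Prefix option.
SAMPLE = [
    Option(OPTION_PREFIXREQ, bytes([48, 1, 0])),
    Option(OPTION_IA, b"", [Option(OPTION_IAPREFIX, b"\x00" * 11),
                            Option(OPTION_PREFIXREQ, bytes([0, 0xFF, 0]))]),
    Option(OPTION_IAPREFIX, b"\x00" * 11),
]
```

   The ignored count is returned so that a receiver can log or alert on
   peers that repeatedly send misplaced prefix options.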

7.1 Requesting router behavior

   The requesting router creates and transmits a Solicit message as
   described in sections "Creation of Solicit Messages" and
   "Transmission of Solicit Messages" of the DHCP specification.  The
   requesting router MUST include at least one IA in which the
   delegating router will list any prefixes it advertises that it will
   delegate to the requesting router.  The requesting router MAY include
   a Prefix Request option to indicate the requesting router's
   preferences about prefixes it is requesting.

   The requesting router processes any received Advertise messages as
   described in section "Receipt of Advertise Messages" in the DHCP
   specification.  The requesting router MAY choose to consider the
   presence of advertised prefixes in its decision about which
   delegating router to respond to.

7.2 Delegating router behavior

   The delegating router processes Solicit messages from requesting
   routers in the same way as described in section "Receipt of Solicit
   messages" of the DHCP specification.  If the message contains one or
   more IA options and the delegating router is configured to delegate a
   prefix or prefixes to the requesting router, the delegating router
   selects the prefix or prefixes to be delegated to the requesting
   router.  The mechanism through which the delegating router selects
   prefixes for delegation is not specified in this document.  Examples
   of ways in which the delegating router might select prefixes for a
   requesting router include: static assignment based on subscription to
   an ISP; dynamic assignment from a pool of available prefixes;
   selection based on an external authority such as a RADIUS server.

   If the requesting router includes a Prefix Request option in its
   Solicit message, the delegating router MAY choose to use the
   information in that option to select the prefix or prefixes to be
   delegated to the requesting router.

   The delegating router sends an Advertise message to the requesting
   router in the same way as described in section "Creation and
   transmission of Advertise messages" in the DHCP specification.  The
   delegating router MUST include an IA Prefix option or options
   identifying any prefix or prefixes that the delegating router will
   delegate to the requesting router in an IA option or options in the
   Advertise message.

8. Requesting-router-initiated prefix delegation

   A requesting router uses the same message exchanges as described in
   section "DHCP Client-Initiated Configuration Exchange" of the DHCP
   specification to obtain or update delegated prefixes from a
   delegating router.  The requesting router and the delegating router
   use the IA Prefix option to exchange information about prefixes in
   much the same way IA Address options are used for assigned addresses.

8.1 Requesting router behavior

   To obtain prefixes from the delegating router, the requesting router
   MUST include IA Prefix options (in IA options) identifying the prefix
   or prefixes sent from the delegating router to the requesting router
   in the Advertise message received by the requesting router.

   The requesting router MUST include IA Prefix options (in IA options)
   identifying the prefix or prefixes that have previously been
   delegated from the delegating router in any Confirm, Renew, or Rebind
   messages sent by the requesting router.

   Each prefix has an associated lease whose duration is specified in
   the IA Prefix option for that prefix.  The requesting router uses
   Renew and Rebind messages to request the extension of the lease on a
   delegated prefix.

   The requesting router uses a Release message to return a delegated
   prefix to a delegating router.

   The requesting router extracts any delegated prefixes as identified
   in IA Prefix options in Reply messages it receives.

   The way in which the requesting router uses delegated prefixes is not
   specified in this document.  As an example, the requesting router
   might subnet a delegated prefix and assign the longer prefixes to the
   internal links in the subscriber network shown in Figure 1.  If the
   requesting router subnets a delegated prefix, it must assign
   additional bits to the prefix to generate unique, longer prefixes.
   For example, if the requesting router were delegated
   DEAD:BEEF:CAFE:0::/48, it might generate DEAD:BEEF:CAFE:0001::/64 and
   DEAD:BEEF:CAFE:0002::/64 for assignment to the two links in the
   subscriber network.

   If the requesting router assigns a delegated prefix to a link to
   which the router is attached, and begins to send router
   advertisements for the prefix on the link, the requesting router MUST
   set the valid lifetime and the preferred lifetime for that prefix to
   expire no later than the expiration of the lease on the prefix.

8.2 Delegating Router Behavior

   When a delegating router receives a Request message from a requesting
   router that contains one or more IA options and the delegating router
   is authorized to delegate a prefix or prefixes to the requesting
   router, the delegating router selects the prefix or prefixes to be
   delegated to the requesting router.

   If the requesting router includes a Prefix Request option in its
   Solicit message, the delegating router MAY choose to use the
   information in that option to select the prefix or prefixes to be
   delegated to the requesting router.

   The mechanism through which the delegating router selects prefixes
   for delegation is not specified in this document.  Section 7.2 gives
   examples of ways in which a delegating router might select prefixes
   to be delegated to a requesting router.

   A delegating router examines the prefixes identified in IA Prefix
   options in Confirm, Renew and Rebind messages and responds according
   to the current status of the prefix.  The delegating router returns
   an IA Prefix option with an updated lease duration for each valid
   prefix in the message from the requesting router.

   Upon the receipt of a valid Decline message, the delegating router
   examines the IA options and the IA Prefix options for validity.  If
   the IAs in the message are in a binding for the requesting router and
   the prefixes in the IAs have been assigned by the delegating router
   to those IAs, the delegating router deletes the prefix(es) from the
   IAs.  The delegating router MAY choose to make a notification that
   prefixes were declined.

   A delegating router marks any prefixes in IA Prefix options in a
   Release message as "available".

   The delegating router MUST include an IA Prefix option or options in
   an IA option or options identifying any delegated prefixes in Reply
   messages sent to a requesting router.

9. Delegating Router-initiated prefix delegation reconfiguration

   This section describes prefix delegation in Reconfigure message
   exchanges.

9.1 Delegating Router behavior

   The delegating router initiates a configuration message exchange with
   a requesting router in the same way as a DHCP server, as described in
   the section "DHCP Server-Initiated Configuration Exchange" of the
   DHCP specification.  The delegating router specifies the IA option in
   the Option Request option to cause the requesting router to include
   an IA option to obtain new information about delegated prefixes.

9.2 Requesting Router behavior

   The requesting router responds to a Reconfigure message received from
   a delegating router in the same way as a DHCP client, as described in
   the DHCP specification.
   The requesting router MUST include IA Prefix options for any prefixes
   that have been delegated to the requesting router by the delegating
   router from which the Reconfigure message was received.

10. Relay agent behavior

   A relay agent forwards messages containing prefix delegation options
   in the same way as described in section "Relay Behavior" of the DHCP
   specification.

11. Security Considerations

   Security considerations in DHCP are described in the section
   "Security Considerations" of the DHCP specification.

   Prefix delegation can be used to mount a denial of service attack or
   a man-in-the-middle attack against an organization by delegating
   invalid prefixes to a requesting router, causing the requesting
   router to forward outbound datagrams to an invalid destination or to
   an intruder's destination host.

   An intruder requesting router may be able to mount a denial of
   service attack by repeated requests for delegated prefixes that
   exhaust the delegating router's available prefixes.

   To guard against attacks through prefix delegation, requesting
   routers and delegating routers SHOULD use DHCP authentication as
   described in section "Authentication of DHCP messages" in the DHCP
   specification.

References

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [2]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
        Specification", RFC 2460, December 1998.

   [3]  Hinden, R. and S. Deering, "IP Version 6 Addressing
        Architecture", RFC 2373, July 1998.

   [4]  Thomson, S. and T. Narten, "IPv6 Stateless Address
        Autoconfiguration", RFC 2462, December 1998.

   [5]  Bound, J., Carney, M., Perkins, C., Lemon, T., Volz, B. and R.
        Droms (ed.), "Dynamic Host Configuration Protocol for IPv6
        (DHCPv6)", draft-ietf-dhc-dhcpv6-23 (work in progress),
        February 2002.

Authors' Addresses

   Ole Troan
   Cisco Systems
   4 The Square
   Stockley Park
   Uxbridge  UB11 1BN
   United Kingdom

   Phone: +44 20 8756 8666
   EMail: ot@cisco.com


   Ralph Droms
   Cisco Systems
   300 Apollo Drive
   Chelmsford, MA  01824
   USA

   Phone: +1 978 497 4733
   EMail: rdroms@cisco.com

Full Copyright Statement

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.