Internet DRAFT - draft-bi-dhc-sec-option

draft-bi-dhc-sec-option



 



DHC Working Group                                                  E. Bi
Internet-draft                                                S. Manning
Intended Status: Standards Track                                 M. Wong
Expires: Janurary 17, 2013                                        Y. Cui
                                                                  Huawei
                                                           July 16, 2012


                  Security option extensions for DHCP
                       draft-bi-dhc-sec-option-02


Abstract

   This document defines a new option that can be used by DHCP servers
   to provision with DHCP clients specific security configuration
   information. It has been known that DHCP protocol typically works at
   the very beginning stage of the access to networks, thus lack of
   security protection. However, although it is difficult to set up some
   security mechanism for DHCP protocol solely, it is able to play a key
   role for DHCP server to provide configuration information to help
   building security mechanism within those pre-configured DHCP clients
   and devices. This new option defines a simple extension to current
   standard format and benefits to those who need to activate security
   mechanism in an early stage and interoperate within devices from
   multiple vendors.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

 


E. Bi et al.            Expires January 17, 2012                [Page 1]

Internet draft      DHCP security options extensions           July 2012


Copyright and License Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.





Table of Contents

   1  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1 Applicability  . . . . . . . . . . . . . . . . . . . . . . .  3
   2  Terminology Used in This Document . . . . . . . . . . . . . . .  4
   3  DHCP Security Specific Configuration Option . . . . . . . . . .  4
   4  Security Considerations . . . . . . . . . . . . . . . . . . . .  6
   5  IANA Considerations . . . . . . . . . . . . . . . . . . . . . .  6
   6  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . .  6
   7  References  . . . . . . . . . . . . . . . . . . . . . . . . . .  6
     7.1  Normative References  . . . . . . . . . . . . . . . . . . .  6
     7.2  Informative References  . . . . . . . . . . . . . . . . . .  7
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . .  7
















 


E. Bi et al.            Expires January 17, 2012                [Page 2]

Internet draft      DHCP security options extensions           July 2012


1  Introduction

   DHCP provides a framework for passing network configuration
   information to hosts on a TCP/IP network.  Some configuration
   parameters and control information can be carried in DHCP options
   which are defined in [RFC2132], [RFC3046], [RFC3118], [RFC4030], etc.
   When a host that acts as a DHCP client booting up, it can be
   configured with some security policy. Such as, due to the security
   concern, all the IP packets to and from a client may be required to
   be protected by a secure mechanism, which is typically an IPsec
   channel or transport layer security established with the server or
   administrator.

   These security mechanisms require the configuration information can
   be provisioned to the DHCP client at the early stage when it is
   connected to the network. In particular, the DHCP client should be
   notified the crucial security configuration information as early as
   possible. DHCP is essential for users who want to connect to IP
   networks before they can communicate with other hosts. Among a number
   of indispensable Internet protocols, it provides the most convenient
   way to make configuration extension, which eliminates the manual task
   by a network administrator and duplicate resource assignments. Thus,
   in addition to the essential IP address and network boot servers,
   security configuration information is expected to be included in DHCP
   extension, as well.

1.1 Applicability

   Some scenarios that require this kind of provisioning secure
   configuration information are when DHCP clients in wireless base
   stations are attaching to a wireless network infrastructure. As
   defined in [3GPP.33.310], for establishing security link with
   operator's network, wireless base station shall connect to the PKI
   server and SeGW. If secure configuration information (address of PKI
   server, address of SeGW, etc.) is unavailable on the wireless base
   stations, the wireless base stations cannot connect to the network. 
   So it is important for the host to obtain a set of security
   configuration information, which is configured in the DHCP server
   prior to the establishment of the security tunnel.  Currently, some
   implementations exchange this security information through DHCP
   vendor-specific options, i.e. OPTION 43.  However, this has the usual
   limitations of requiring the client and server to understand these
   vendor-specific extensions.  Since most of the security configuration
   information are common across most clients and servers, having a
   standardized set of options and procedures would be a huge benefit to
   interoperability.  This document defines a new security DHCP option
   used to exchange the security configuration information.

 


E. Bi et al.            Expires January 17, 2012                [Page 3]

Internet draft      DHCP security options extensions           July 2012


   The newly defined option is as follows:

   Option: DHCP security specific configuration option

2  Terminology Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3  DHCP Security Specific Configuration Option

   A DHCP server can use this option to indicate to the DHCP client
   specific configuration information, such as the address of the
   security gateway that is used to establish IPsec tunnel within the
   enterprise network, the address of the PKI server which is used to
   issue certificate to the DHCP client. 

   This option may be used wherever DHCP options are available, as
   specified in [RFC2131] and [RFC2132].  It is most meaningful in the
   messages between DHCP client and DHCP server, such as, DHCPOFFER and
   DHCPACK.  The format of the option is as follows:

        Opt-ID | opt-length | attribute 1 | attribute 2| ......

   where Opt-ID denotes the new option ID, opt-length denotes the bit
   length of following attributes, and attributes 1,2... can be extended
   correspondingly to various use cases.

   For example, in the above use case of 3GPP standards [3GPP.33.310],
   the addresses (IP or FQDN) of Se-GW and PKI server are needed to know
   for DHCP client (wireless base station), the DHCP option could be as
   follows, where attributes 1 and 2 denote Se-GW and PKI server,
   respectively.

      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |  Attribute 1  | data-len1   |          Security-GW ID         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     +                  Security-GW IP Address Data                  |
     /                                                               /
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |  Attribute 2  | data-len2   |          PKI Server ID          |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     +                  PKI Server IP Address Data                   |
     /                                                               /
 


E. Bi et al.            Expires January 17, 2012                [Page 4]

Internet draft      DHCP security options extensions           July 2012


     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                      other attributes                         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Figure 1.  The format of DHCP security specific configuration option

   This option contains the information corresponding to one or more
   security-specific code number.  Multiple instances of this option may
   be present and must be concatenated in accordance with [RFC3396]. The
   definition of the information carried in this option is defined
   uniformly.  The security-specific attribute information indicated the
   security information type.  For example, a DHCP client indicates
   security configuration information with the same code number that can
   be interpreted by different DHCP servers.  As the security-specific
   code is uniform and standard, no ambiguity interpretation can occur. 
   A security-specific code number is unique and only occur once in the
   option and should be treated independently.  This option can also
   contains one or more encapsulated options that defined in [RFC4361].

   DHCP client can request the configuration information from DHCP
   server by sending DHCP request message.  DHCP server allocates the
   configuration information to DHCP client according to the client ID.
   i.e., DHCP server can know whether this connecting client needs to be
   configured by client ID, which can be carried in option 60 specified
   in [RFC4361].  If the security configuration information is needed,
   the defined security-specific option will be sent back to the client
   from DHCP server in DHCPOFFER.  If this option is used, different
   DHCP clients implemented by different vendors have good
   interoperability.  The DHCP server needs only to support one
   standardized format which reduces complexity and enhances
   performance.

   If the DHCP client is configured with a security policy, all of the
   attributes listed in the figure MUST be carried in the newly defined
   option in DHCPDISCOVER or DHCPREQUESTmessages.  And DHCP server MUST
   allocate all the requested configuration attributes according to the
   received attribute type and format in the DHCP response messages.

   Use of security-specific information allows enhanced operation,
   utilizing additional features in a DHCP implementation.  Servers not
   equipped to interpret the security-specific information sent by a
   client MUST ignore it.  Clients that do not receive desired security-
   specific information MUST ignore it and initiate another DHCP
   operation.

   Finally, it is also desired to extend this option to IPv6, which is
   left to be improved.

 


E. Bi et al.            Expires January 17, 2012                [Page 5]

Internet draft      DHCP security options extensions           July 2012


4  Security Considerations

   This document defines a new security option used by DHCP servers and
   DHCP clients to provision security configuration information.
   However, the security mechanism itself does not need to rely on the
   security of DHCP, i.e. the configuration information provided by DHCP
   server can hardly guarantee their own validity, since DHCP originally
   is lack of protection. 

   Therefore, the new option proposed in this document is not aimed to
   solve the security of DHCP, but try to make use of DHCP to provide
   configuration information for those who have already equipped with
   security mechanism, and that security cannot be harmed by potentially
   invalid information provisioned.

5  IANA Considerations

   There may be IANA consideration for taking additional value for the
   option.  The value of the protocol field needed to be assigned from
   the numbering space.

6  Acknowledgements

   Thanks to Eric Chen, Xiangsong Cui and Rock Xie who contributed
   actively to this document.

7  References

7.1  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, March 1997.

   [RFC2132]  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
              Extensions", RFC 2132, March 1997.

   [RFC3118]  Droms, R., Ed., and W. Arbaugh, Ed., "Authentication for
              DHCP Messages", RFC 3118, June 2001.

   [RFC4361]  Lemon, T. and B. Sommerfeld, "Node-specific Client
              Identifiers for Dynamic Host Configuration Protocol
              Version Four (DHCPv4)", RFC 4361, February 2006.



 


E. Bi et al.            Expires January 17, 2012                [Page 6]

Internet draft      DHCP security options extensions           July 2012


7.2  Informative References

   [3GPP.33.310]                                                   
              3GPP, "Network Domain Security (NDS); Authentication
              Framework (AF)", 3GPP TS 33.310 10.3.0, June 2011.

   [RFC3046]  Patrick, M., "DHCP Relay Agent Information Option",
              RFC 3046, January 2001.

   [RFC3396]  Lemon, T. and S. Cheshire, "Encoding Long Options in the
              Dynamic Host Configuration Protocol (DHCPv4)", RFC 3396,
              November 2002.

   [RFC4030]  Stapp, M. and T. Lemon, "The Authentication Suboption for
              the Dynamic Host Configuration Protocol (DHCP) Relay Agent
              Option", RFC 4030, March 2005.


Authors' Addresses

   Emily Bi
   Huawei Technologies
   Beijing, China
   Email: bixiaoyu@huawei.com


   Serge Manning
   Huawei Technologies
   TX, U.S.
   Email: serge.manning@huawei.com


   Marcus Wong
   NJ, U.S.
   Huawei Technologies
   Email: mwong@huawei.com


   Yang Cui
   Huawei Technologies
   Beijing, China
   Email: cuiyang@huawei.com









E. Bi et al.            Expires January 17, 2012                [Page 7]