Internet DRAFT - draft-xu-dhc-authen
draft-xu-dhc-authen
<DHC> Y. Xu
W. Hao
J. Xie
Internet Draft Huawei Technologies
Expires: December 2021 June 4, 2021
Account based authentication for DHCP
draft-xu-dhc-authen-00.txt
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with
the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on December 4, 2021.
Abstract
This document describes the mutual authentication between DHCP
server and DHCP client based on account information to mitigate the
security risk caused by rogue DHCP server, and the problem of
illegal DHCP client exhausting DHCP server address.
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [1].
Xu, et al Expires December 4, 2021 [Page 1]
Internet-Draft Account based dhcp authen June 2021
This document uses the terms "DHCP server" (or "server") and "DHCP
client" (or "client") as defined in RFC-2131 [2]. The term "DHCP
relay agent" refers to a "BOOTP relay agent" as defined in RFC-2131
[2].
Table of Contents
1. Introduction ................................................ 3
2. Format of new options........................................ 3
2.1. User Name Option........................................ 3
2.2. Authentication Information Option....................... 3
2.2.1. Algorithm ......................................... 4
3. Two Keys .................................................... 5
3.1. Account key ............................................ 5
3.2. Share key .............................................. 5
4. Client side processing....................................... 5
4.1. INIT state ............................................. 5
4.2. INIT-REBOOT state....................................... 6
4.3. RENEWING state ......................................... 6
4.4. REBINDING state......................................... 6
4.5. DHCPINFORM message...................................... 6
4.6. DHCPRELEASE message..................................... 6
4.7. General considerations.................................. 6
5. Server considerations........................................ 7
5.1. General considerations.................................. 7
5.2. After receiving a DHCPDISCOVER message.................. 7
5.3. After receiving a DHCPREQUEST message................... 7
5.4. After receiving a DHCPINFORM message.................... 7
6. Security Considerations...................................... 7
7. IANA Considerations ......................................... 8
8. Acknowledgments ............................................. 8
8.1. Normative References.................................... 9
8.2. Informative References.................................. 9
Author's Addresses ............................................. 9
Copyright, Disclaimer, and Additional IPR Provisions........... 10
Xu, et al Expires December 4, 2021 [Page 2]
Internet-Draft Account based dhcp authen June 2021
1. Introduction
This document describes the mutual authentication between DHCP
server and DHCP client based on account information like username
instead of Secret ID that is described in [RFC 3118] section5.2 to
mitigate the security risk caused by rogue DHCP server and the
problem of exhausting DHCP server address caused by illegal DHCP
client.
Compared with [RFC 3118], by leveraging username or other account
information for authentication, the following advantages could be
achieved:
1. Facilitate to manage the DHCP Client accounts on the DHCP server.
2. Better integrate the authentication process between DHCP server
and authentication server using the protocol of Radius, Active
Directory, and etc.
2. Format of new options
2.1. User Name Option
The following diagram defines the format of the user name option:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Length | User Name ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
User Name Option
code: user name option.
length: Length of the 'User Name' field in octets; variable.
User Name: the user name of the DHCP Client.
2.2. Authentication Information Option
Compared with [RFC 3118], the Secret ID is removed in the option and
the format of this option will be changed into the following:
Xu, et al Expires December 4, 2021 [Page 3]
Internet-Draft Account based dhcp authen June 2021
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Length | Algorithm |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| RSV | RDM | Replay Detection(64bits) ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Replay Detection cont. ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ... | Authentication Information ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Authentication Information Option
Code: authentication Information option.
Length: The length field includes the lengths of the algorithm, the
RSV, the RDM, the Replay Detection, the Replay Detection cont, the
Authentication information fields in octets.
Algorithm: The Algorithm field defines the algorithm used to
generate the authentication information.
RSV: Four bits are reserved for future use. These bits SHOULD be
set to zero and MUST NOT be used when the option is processed.
RDM: The Replay Detection Method field defines the method used to
generate the Replay Detection Data.
Replay Detection: The Replay Detection field contains a value used
to detect replayed messages, which are interpreted according to the
RDM. Four bits.
Authentication Information: The Authentication Information field is
usually a digest of the data in the DHCP packet and is computed
using the HASH method that is specified through the Algorithm field.
2.2.1. Algorithm
Algorithm 1 is assigned to the HMAC protocol by using the SHA-256
[3] hash function.
All implementations MUST support Algorithm 1, the HMAC-SHA256[3]
algorithm. New separate algorithm number could be specified for the
future use of a different HASH technique.
Xu, et al Expires December 4, 2021 [Page 4]
Internet-Draft Account based dhcp authen June 2021
3. Two Keys
3.1. Account key
For the interaction between the DHCP server and the fixed DHCP
client, the key used is configured based on the user name on the
DHCP server, and the DHCP client configures the same user name and
key. This key is used to calculate authentication information for
all messages of DHCP client no matter the message is unicast,
broadcast or multicast, while for the DHCP server only the unicast
message to the client needs to be authenticated based on the key.
3.2. Share key
For the non-unicast messages sent by DHCP server to non-specific
clients, the shared key is used. DHCP server and DHCP client MUST
configure the same share key.
4. Client side processing
Similar to the authentication behavior defined in [RFC 3118], the
authentication behavior of a DHCP client based on account
information is described as below:
4.1. INIT state
When in INIT state, the client uses Account authentication as
follows:
1. The client MUST include the User Name option and Authentication
Information option in its DHCPDISCOVER message along with a client
identifier option [5] to identify itself uniquely to the server.
2. The client MUST perform the Message validation described in
[RFC3118] on any DHCPOFFER messages that include authentication
information. If one or more DHCPOFFER messages pass the validation,
the client chooses one of the offered DHCP server. If no DHCPOFFER
messages include authentication information or pass the validation
test, the processing of the client is the same as that of not
receiving DHCPOFFER.
3. The client replies with a DHCPREQUEST message that MUST include
the user name option and authentication information option.
4. If the client authenticated the DHCPOFFER it accepted, the client
MUST validate the DHCPACK message from the server. The client MUST
discard the DHCPACK if the message fails to pass validation and MAY
Xu, et al Expires December 4, 2021 [Page 5]
Internet-Draft Account based dhcp authen June 2021
log the validation failure. If the DHCPACK fails to pass
validation, the client MUST revert to INIT state and returns to step
1. If the client accepted a DHCPOFFER message that did not include
authentication information or did not pass the validation test, the
client MAY accept an unauthenticated DHCPACK message from the
server.
4.2. INIT-REBOOT state
When in INIT-REBOOT state, the client MUST include the user name
option and authentication information option in its DHCPREQUEST
message.
4.3. RENEWING state
When in RENEWING state, the client MUST include the user name option
and authentication information option in its DHCPREQUEST message.
4.4. REBINDING state
When in REBINDING state, the client MUST include the user name
option and authentication information option in its DHCPREQUEST
message.
4.5. DHCPINFORM message
The client MUST include the user name option and authentication
information option in its DHCPREQUEST message.
4.6. DHCPRELEASE message
The client MUST include the user name option and authentication
information option in its DHCPREQUEST message.
4.7. General considerations
Both the user name option and authentication information option must
be carried in all the messages sent by the DHCP client to the
server.
If there is only a user name without a password or only a password
without a user name, the user name option and authentication
information option are not carried, and the received message is not
verified.
When the client receives a broadcast or multicast message, the
client uses server share key as specified in section 3 to compute
Xu, et al Expires December 4, 2021 [Page 6]
Internet-Draft Account based dhcp authen June 2021
authentication information. If no share key is configured locally in
the client side, the authentication phase should be skipped.
5. Server considerations
Similar to the authentication behavior defined in [RFC 3118], the
authentication behavior of a DHCP server based on account
information is described as below:
5.1. General considerations
1. Each DHCP server maintains a list of account keys for each DHCP
client.
2. The unicast message sent by the DHCP server to a specific
client uses the account key of the client. If there is no account
key, there is no need to encapsulate the authentication information
option. If it is a broadcast and multicast message sent to a non-
specific client, the server's share key should be used. If there is
no share key, there is no need to further encapsulate the
authentication information option.
5.2. After receiving a DHCPDISCOVER message
When the server receives a DHCP DISCOVER message from the client,
firstly it finds the corresponding key according to the user name
option, then computes the authentication information based on the
key, and finally get the validation result for the message. If the
message is legal, it will respond to DHCPOFFER message and use the
same key to computes authentication information.
5.3. After receiving a DHCPREQUEST message
Compared with [RFC 3118] message validation process, the only
difference is that the server should validate the message based on
user name instead of secret ID.
5.4. After receiving a DHCPINFORM message
If the message fails to pass validation or the server did not get
the key corresponding to the user name, the server MUST discard the
message and MAY choose to log the validation failure.
6. Security Considerations
No additional security Considerations are introduced here besides
the corresponding description that is defined in [RFC 3118], it only
Xu, et al Expires December 4, 2021 [Page 7]
Internet-Draft Account based dhcp authen June 2021
provides an alternative DHCP authentication method to alleviate the
security risk of server counterfeiting, illegal client attack and
exhaustion of server address could be alleviated.
7. IANA Considerations
Two new number spaces for the Authentication information option's
'Algorithm' and 'Replay Detection Method' fields need to be newly
introduced.
8. Acknowledgments
The authors wish to acknowledge the important contributions of
Zengke Wei and Jian Wang.
Xu, et al Expires December 4, 2021 [Page 8]
Internet-Draft Account based dhcp authen June 2021
References
8.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[2] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
March 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2234] Crocker, D. and Overell, P.(Editors), "Augmented BNF for
Syntax Specifications: ABNF", RFC 2234, Internet Mail
Consortium and Demon Internet Ltd., November 1997.
8.2. Informative References
[3] R. Droms, W. Arbaugh, “Authentication for DHCP Messages”, RFC
3118, June 2001
[4] National Institute of Standards and Technology, "Secure Hash
Standard", FIPS PUB 180-2, August 2002.
[5] Patrick, M., "DHCP Relay Agent Information Option", RFC
3046,January 2001.
[6] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extensions", RFC 2132, March 1997.
Author's Addresses
Yibin Xu
Huawei Technologies
101 Software Avenue,
Nanjing 210012 China
Email: xuyibin@huawei.com
Weiguo Hao
Xu, et al Expires December 4, 2021 [Page 9]
Internet-Draft Account based dhcp authen June 2021
Huawei Technologies
101 Software Avenue,
Nanjing 210012 China
Email: haoweiguo@huawei.com
Jianping Xie
Huawei Technologies
101 Software Avenue,
Nanjing 210012 China
Email: xiejianping@huawei.com
Copyright, Disclaimer, and Additional IPR Provisions
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Xu, et al Expires December 4, 2021 [Page 10]
