draft-ietf-dhc-auth-suboption-04.txt   draft-ietf-dhc-auth-suboption-05.txt 
DHC Working Group M. Stapp DHC Working Group M. Stapp
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Expires: January 6, 2005 T. Lemon Expires: February 7, 2005 T. Lemon
Nominum, Inc. Nominum, Inc.
July 8, 2004 August 9, 2004
The Authentication Suboption for the DHCP Relay Agent Option The Authentication Suboption for the DHCP Relay Agent Option
<draft-ietf-dhc-auth-suboption-04.txt> <draft-ietf-dhc-auth-suboption-05.txt>
Status of this Memo Status of this Memo
By submitting this Internet-Draft, I certify that any applicable By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed, patent or other IPR claims of which I am aware have been disclosed,
and any of which I become aware will be disclosed, in accordance with and any of which I become aware will be disclosed, in accordance with
RFC 3667. RFC 3667.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other Task Force (IETF), its areas, and its working groups. Note that other
skipping to change at page 1, line 34 skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http:// The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt. www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 6, 2005. This Internet-Draft will expire on February 7, 2005.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved. Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract Abstract
The DHCP Relay Agent Information Option (RFC 3046) conveys The DHCP Relay Agent Information Option (RFC 3046) conveys
information between a DHCP Relay Agent and a DHCP server. This information between a DHCP Relay Agent and a DHCP server. This
specification defines an authentication suboption for that option, specification defines an authentication suboption for that option,
skipping to change at page 2, line 14 skipping to change at page 2, line 14
Table of Contents Table of Contents
1. Requirements Terminology . . . . . . . . . . . . . . . . . . 3 1. Requirements Terminology . . . . . . . . . . . . . . . . . . 3
2. DHCP Terminology . . . . . . . . . . . . . . . . . . . . . . 3 2. DHCP Terminology . . . . . . . . . . . . . . . . . . . . . . 3
3. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Suboption Format . . . . . . . . . . . . . . . . . . . . . . 4 4. Suboption Format . . . . . . . . . . . . . . . . . . . . . . 4
5. Replay Detection . . . . . . . . . . . . . . . . . . . . . . 5 5. Replay Detection . . . . . . . . . . . . . . . . . . . . . . 5
6. The Relay Identifier Field . . . . . . . . . . . . . . . . . 5 6. The Relay Identifier Field . . . . . . . . . . . . . . . . . 5
7. Computing Authentication Information . . . . . . . . . . . . 6 7. Computing Authentication Information . . . . . . . . . . . . 6
7.1 The HMAC-MD5 Algorithm . . . . . . . . . . . . . . . . . . . 6 7.1 The HMAC-SHA1 Algorithm . . . . . . . . . . . . . . . . . 6
8. Procedures for Sending Messages . . . . . . . . . . . . . . 7 8. Procedures for Sending Messages . . . . . . . . . . . . . . 7
8.1 Replay Detection . . . . . . . . . . . . . . . . . . . . . . 7 8.1 Replay Detection . . . . . . . . . . . . . . . . . . . . . 7
8.2 Packet Preparation . . . . . . . . . . . . . . . . . . . . . 8 8.2 Packet Preparation . . . . . . . . . . . . . . . . . . . . 8
8.3 Checksum Computation . . . . . . . . . . . . . . . . . . . . 8 8.3 Checksum Computation . . . . . . . . . . . . . . . . . . . 8
8.4 Sending the Message . . . . . . . . . . . . . . . . . . . . 8 8.4 Sending the Message . . . . . . . . . . . . . . . . . . . 8
9. Procedures for Processing Incoming Messages . . . . . . . . 8 9. Procedures for Processing Incoming Messages . . . . . . . . 8
9.1 Initial Examination . . . . . . . . . . . . . . . . . . . . 8 9.1 Initial Examination . . . . . . . . . . . . . . . . . . . 8
9.2 Replay Detection Check . . . . . . . . . . . . . . . . . . . 9 9.2 Replay Detection Check . . . . . . . . . . . . . . . . . . 9
9.3 Testing the Checksum . . . . . . . . . . . . . . . . . . . . 9 9.3 Testing the Checksum . . . . . . . . . . . . . . . . . . . 9
10. Relay Agent Behavior . . . . . . . . . . . . . . . . . . . . 9 10. Relay Agent Behavior . . . . . . . . . . . . . . . . . . . . 9
10.1 Receiving Messages from Other Relay Agents . . . . . . . . . 10 10.1 Receiving Messages from Other Relay Agents . . . . . . . 10
10.2 Sending Messages to Servers . . . . . . . . . . . . . . . . 10 10.2 Sending Messages to Servers . . . . . . . . . . . . . . 10
10.3 Receiving Messages from Servers . . . . . . . . . . . . . . 10 10.3 Receiving Messages from Servers . . . . . . . . . . . . 10
11. DHCP Server Behavior . . . . . . . . . . . . . . . . . . . . 10 11. DHCP Server Behavior . . . . . . . . . . . . . . . . . . . . 10
11.1 Receiving Messages from Relay Agents . . . . . . . . . . . . 10 11.1 Receiving Messages from Relay Agents . . . . . . . . . . 10
11.2 Sending Reply Messages to Relay Agents . . . . . . . . . . . 10 11.2 Sending Reply Messages to Relay Agents . . . . . . . . . 10
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . 11 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . 11
13. Security Considerations . . . . . . . . . . . . . . . . . . 11 13. Security Considerations . . . . . . . . . . . . . . . . . . 11
13.1 The Key ID Field . . . . . . . . . . . . . . . . . . . . . . 12 13.1 The Key ID Field . . . . . . . . . . . . . . . . . . . . 12
13.2 Protocol Vulnerabilities . . . . . . . . . . . . . . . . . . 12 13.2 Protocol Vulnerabilities . . . . . . . . . . . . . . . . 12
14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12
Normative References . . . . . . . . . . . . . . . . . . . . 13 Normative References . . . . . . . . . . . . . . . . . . . . 13
Informative References . . . . . . . . . . . . . . . . . . . 13 Informative References . . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 14
Intellectual Property and Copyright Statements . . . . . . . 15 Intellectual Property and Copyright Statements . . . . . . . 15
1. Requirements Terminology 1. Requirements Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
skipping to change at page 6, line 41 skipping to change at page 6, line 41
value may be changed in transmission. The value of the 'giaddr' field value may be changed in transmission. The value of the 'giaddr' field
MUST also be set to zero for the computation because it may be MUST also be set to zero for the computation because it may be
modified in networks where one relay agent adds the relay agent modified in networks where one relay agent adds the relay agent
option but another relay agent sets 'giaddr' (see RFC 3046, section option but another relay agent sets 'giaddr' (see RFC 3046, section
2.1). In addition, because the relay agent option itself is included 2.1). In addition, because the relay agent option itself is included
in the computation, the 'authentication information' field in the in the computation, the 'authentication information' field in the
Authentication suboption is set to all zeroes. The relay agent option Authentication suboption is set to all zeroes. The relay agent option
length, the Authentication suboption length and other Authentication length, the Authentication suboption length and other Authentication
suboption fields are all included in the computation. suboption fields are all included in the computation.
All implementations MUST support Algorithm 1, the HMAC-MD5 algorithm. All implementations MUST support Algorithm 1, the HMAC-SHA1
Additional algorithms may be defined in the future, following the algorithm. Additional algorithms may be defined in the future,
process described in Section 12. following the process described in Section 12.
7.1 The HMAC-MD5 Algorithm 7.1 The HMAC-SHA1 Algorithm
Algorithm 1 is assigned to the HMAC [3] protocol, using the MD5 [4] Algorithm 1 is assigned to the HMAC [3] protocol, using the SHA-1 [4]
hash function. This algorithm requires that a shared secret key be hash function. This algorithm requires that a shared secret key be
configured at the relay agent and the DHCP server. A 32-bit Key configured at the relay agent and the DHCP server. A 32-bit Key
Identifier is associated with each shared key, and this identifier is Identifier is associated with each shared key, and this identifier is
carried in the first 4 bytes of the Authentication Information field carried in the first 4 bytes of the Authentication Information field
of the Authentication suboption. The HMAC-MD5 computation generates a of the Authentication suboption. The HMAC-SHA1 computation generates
16-byte hash value, which is placed in the Authentication Information a 20-byte hash value, which is placed in the Authentication
field after the Key ID. Information field after the Key ID.
The format of the Authentication suboption when Algorithm 1 is used The format of the Authentication suboption when Algorithm 1 is used
is: is:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | 34 |0 0 0 0 0 0 0 1| MBZ | RDM | | Code | 38 |0 0 0 0 0 0 0 1| MBZ | RDM |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Replay Detection (64 bits) | | Replay Detection (64 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Replay Detection cont. | | Replay Detection cont. |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Relay Identifier | | Relay Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Key ID (32 bits) | | Key ID (32 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
| HMAC-MD5 (128 bits) | | HMAC-SHA1 (160 bits) |
| | | |
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The suboption length is 34. The RDM and Replay Detection fields are The suboption length is 38. The RDM and Replay Detection fields are
as specified in Section 5. The Relay ID field is set as specified in as specified in Section 5. The Relay ID field is set as specified in
Section 6. The Key ID is set by the sender to the ID of the key used Section 6. The Key ID is set by the sender to the ID of the key used
in computing the checksum, as an integer value in network byte-order. in computing the checksum, as an integer value in network byte-order.
The HMAC result follows the Key ID. The HMAC result follows the Key ID.
The Key ID exists only to allow the sender and receiver to specify a The Key ID exists only to allow the sender and receiver to specify a
shared secret in cases where more than one secret is in use among a shared secret in cases where more than one secret is in use among a
network's relays and DHCP servers. The Key ID values are entirely a network's relays and DHCP servers. The Key ID values are entirely a
matter of local configuration; they only need to be locally unique. matter of local configuration; they only need to be locally unique.
This specification does not define any semantics or impose any This specification does not define any semantics or impose any
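Review bot: the Algorithm 1 diagram no longer matches the new length: as rendered, the HMAC box still has four 32-bit rows (128 bits) while its label and the text now say HMAC-SHA1 (160 bits) and a suboption length of 38, which needs a fifth `| |` row. The length itself checks out (1 algorithm + 1 MBZ/RDM + 8 replay detection + 4 relay identifier + 4 key ID + 20 digest = 38, versus 34 with the 16-byte MD5 tag), so only the figure needs fixing. Separately, section 7 says the 'authentication information' field is set to all zeroes for the computation, but 7.1 defines that field as Key ID plus HMAC, while 8.2 sets the Key ID and then zeroes only "the field which will contain the checksum"; state explicitly that only the 20-byte digest is zeroed and the Key ID is covered by the MAC, otherwise two conforming implementations can compute different MACs over the same packet and a receiver cannot tell a tampered Key ID from a wrong key.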
skipping to change at page 8, line 15 skipping to change at page 8, line 15
8.2 Packet Preparation 8.2 Packet Preparation
The sender sets the 'giaddr' field and the 'hops' field to all The sender sets the 'giaddr' field and the 'hops' field to all
zeroes. The sender appends the relay agent information option to the zeroes. The sender appends the relay agent information option to the
client's packet, including the Authentication suboption. The sender client's packet, including the Authentication suboption. The sender
selects an appropriate Replay Detection value. The sender places its selects an appropriate Replay Detection value. The sender places its
identifier into the Relay ID field, if necessary, or sets the field identifier into the Relay ID field, if necessary, or sets the field
to all zeroes. The sender sets the suboption length, places the to all zeroes. The sender sets the suboption length, places the
Replay Detection value into the Replay Detection field of the Replay Detection value into the Replay Detection field of the
suboption, and sets the algorithm to the algorithm number that it is suboption, and sets the algorithm to the algorithm number that it is
using. If the sender is using HMAC-MD5, it sets the Key ID field to using. If the sender is using HMAC-SHA1, it sets the Key ID field to
the appropriate value. The sender sets the field which will contain the appropriate value. The sender sets the field which will contain
the checksum to all zeroes. Other algorithms may specify additional the checksum to all zeroes. Other algorithms may specify additional
preparation steps. preparation steps.
8.3 Checksum Computation 8.3 Checksum Computation
The sender computes the checksum across the entire DHCP message, The sender computes the checksum across the entire DHCP message,
using the algorithm it has selected. The sender places the result of using the algorithm it has selected. The sender places the result of
the computation into the Authentication Information field of the the computation into the Authentication Information field of the
Authentication suboption. Authentication suboption.
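Review bot: 8.2 and 8.3 still call the HMAC output a "checksum" after the algorithm rename; it is a keyed MAC, not an error-detecting checksum, so use "authentication information" or "MAC" consistently here and in the 9.3 heading "Testing the Checksum". 8.2 also has the sender zero 'giaddr' and 'hops' because section 7 notes that downstream relays may rewrite them; the receiver-side procedure should say the same thing in the same words (zero 'giaddr', 'hops' and the digest field, then recompute and compare), and implementers should be told plainly that those two fields are therefore outside the integrity protection.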
skipping to change at page 11, line 25 skipping to change at page 11, line 25
Section 4 defines a new suboption for the DHCP relay agent option, Section 4 defines a new suboption for the DHCP relay agent option,
called the Authentication Suboption. IANA is requested to allocate a called the Authentication Suboption. IANA is requested to allocate a
new suboption code from the relay agent option suboption number new suboption code from the relay agent option suboption number
space. space.
This specification introduces two new number-spaces for the This specification introduces two new number-spaces for the
Authentication suboption's 'Algorithm' and 'Replay Detection Method' Authentication suboption's 'Algorithm' and 'Replay Detection Method'
fields. These number spaces are to be created and maintained by IANA. fields. These number spaces are to be created and maintained by IANA.
The Algorithm identifier is a one-byte value. Algorithm value 0 is The Algorithm identifier is a one-byte value. Algorithm value 0 is
reserved. Algorithm value 1 is assigned to the HMAC-MD5 keyed hash as reserved. Algorithm value 1 is assigned to the HMAC-SHA1 keyed hash
defined in Section 7.1. Additional algorithm values will be allocated as defined in Section 7.1. Additional algorithm values will be
and assigned through IETF consensus, as defined in RFC 2434 [5]. allocated and assigned through IETF consensus, as defined in RFC 2434
[5].
The RDM identifier is a four-bit value. RDM value 0 is reserved. RDM The RDM identifier is a four-bit value. RDM value 0 is reserved. RDM
value 1 is assigned to the use of a monotonically increasing counter value 1 is assigned to the use of a monotonically increasing counter
value as defined in Section 5. Additional RDM values will be value as defined in Section 5. Additional RDM values will be
allocated and assigned through IETF consensus, as defined in RFC 2434 allocated and assigned through IETF consensus, as defined in RFC 2434
[5]. [5].
13. Security Considerations 13. Security Considerations
This specification describes a protocol to add source authentication This specification describes a protocol to add source authentication
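Review bot: the IANA text reassigns Algorithm value 1 from HMAC-MD5 (-04) to HMAC-SHA1 (-05) instead of allocating a new value. That is fine for a draft with no registry entry yet, but an early implementation of -04 will parse an Algorithm 1 suboption as a 16-byte MD5 tag, and the only on-the-wire discriminator is the suboption length (34 vs 38); the receiving-side text should state what a verifier does with a known algorithm and an unexpected length (drop the message rather than truncate or pad the digest), and the Security Considerations should mention that the algorithm byte is itself covered by the MAC so it cannot be downgraded in transit.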
skipping to change at page 13, line 19 skipping to change at page 13, line 19
[1] Patrick, M., "DHCP Relay Agent Information Option", RFC 3046, [1] Patrick, M., "DHCP Relay Agent Information Option", RFC 3046,
January 2001. January 2001.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, March 1997. Levels", RFC 2119, March 1997.
[3] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing [3] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing
for Message Authentication", RFC 2104, February 1997. for Message Authentication", RFC 2104, February 1997.
[4] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321, April [4] Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1 (SHA1)",
1992. RFC 3174, September 2001.
[5] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA [5] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
Considerations Section in RFCs", RFC 2434, October 1998. Considerations Section in RFCs", RFC 2434, October 1998.
Informative References Informative References
[6] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, [6] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
March 1997. March 1997.
[7] Croft, B. and J. Gilmore, "Bootstrap Protocol", RFC 951, [7] Croft, B. and J. Gilmore, "Bootstrap Protocol", RFC 951,
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/