rfcdiff: draft-ietf-dhc-sedhcpv6-15.txt against draft-ietf-dhc-sedhcpv6-16.txt
(text common to both versions is shown once; where the versions differ,
the old text is marked "-15:" and the new text "-16:")

DHC Working Group                                              S. Jiang
Internet-Draft                            Huawei Technologies Co., Ltd
Intended status: Standards Track                                  L. Li
Expires: April 19, 2017 (-15) / April 21, 2017 (-16)              Y. Cui
                                                    Tsinghua University
                                                              T. Jinmei
                                                          Infoblox Inc.
                                                               T. Lemon
                                                          Nominum, Inc.
                                                               D. Zhang
                                  October 16, 2016 (-15) / October 18, 2016 (-16)

                             Secure DHCPv6
             draft-ietf-dhc-sedhcpv6-15 / draft-ietf-dhc-sedhcpv6-16

Abstract

   DHCPv6 includes no deployable security mechanism that can protect
   end-to-end communication between DHCP clients and servers.  This
   document describes a mechanism for using public key cryptography to
   provide such security.  The mechanism provides encryption in all
   cases, and can be used for authentication based on pre-sharing of
   authorized certificates.

[skipping to change at page 1, line 42]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 19, 2017 (-15) /
   April 21, 2017 (-16).

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

[skipping to change at page 2, line 35]

   (page numbers given as -15 / -16)

     5.4.  Caused change to RFC3315 . . . . . . . . . . . . .   7 /  7
     5.5.  Applicability  . . . . . . . . . . . . . . . . . .   8 /  8
   6.  DHCPv6 Client Behavior . . . . . . . . . . . . . . . .   8 /  8
   7.  DHCPv6 Server Behavior . . . . . . . . . . . . . . . .  12 / 12
   8.  Relay Agent Behavior . . . . . . . . . . . . . . . . .  14 / 14
   9.  Processing Rules . . . . . . . . . . . . . . . . . . .  14 / 14
     9.1.  Increasing Number Check  . . . . . . . . . . . . .  14 / 14
   10. Extensions for Secure DHCPv6 . . . . . . . . . . . . .  15 / 15
     10.1.  New DHCPv6 Options  . . . . . . . . . . . . . . .  15 / 15
       10.1.1.  Certificate Option  . . . . . . . . . . . . .  15 / 15
       10.1.2.  Signature option  . . . . . . . . . . . . . .  16 / 17
       10.1.3.  Increasing-number Option  . . . . . . . . . .  18 / 19
       10.1.4.  Encrypted-message Option  . . . . . . . . . .  18 / 20
     10.2.  New DHCPv6 Messages . . . . . . . . . . . . . . .  19 / 21
     10.3.  Status Codes  . . . . . . . . . . . . . . . . . .  20 / 21
   11. Security Considerations  . . . . . . . . . . . . . . .  20 / 22
   12. IANA Considerations  . . . . . . . . . . . . . . . . .  21 / 22
   13. Acknowledgements . . . . . . . . . . . . . . . . . . .  22 / 24
   14. Change log [RFC Editor: Please remove] . . . . . . . .  23 / 24
   15. References . . . . . . . . . . . . . . . . . . . . . .  25 / 26
     15.1.  Normative References  . . . . . . . . . . . . . .  25 / 26
     15.2.  Informative References  . . . . . . . . . . . . .  26 / 28
   Authors' Addresses . . . . . . . . . . . . . . . . . . . .  27 / 28
1.  Introduction

   The Dynamic Host Configuration Protocol for IPv6 (DHCPv6, [RFC3315])
   allows DHCPv6 servers to flexibly provide addressing and other
   configuration information relating to local network infrastructure to
   DHCP clients.  The protocol provides no deployable security
   mechanism, and consequently is vulnerable to various attacks.

   This document provides a brief summary of the security

[skipping to change at page 6, line 29]

          |              Encryption-Query            |
          |----------------------------------------->|
          |   Encrypted-message option               |
          |   Server Identifier option               |
          |                                          |
          |             Encryption-Response          |
          |<-----------------------------------------|
          |   Encrypted-message option               |
          |                                          |

   -15:               Secure DHCPv6 Procedure
   -16:          Figure 1: Secure DHCPv6 Procedure

5.2.  New Components

   The new components of the mechanism specified in this document are as
   follows:

   o  Servers and clients that use certificates first generate a public/
      private key pair and then obtain a certificate that signs the
      public key.  The Certificate option is defined to carry the
      certificate of the sender.
[skipping to change at page 16, line 10 (-15) / page 15, line 39 (-16)]

   The Certificate option carries the certificate(s) of the client/
   server.  The format of the Certificate option is described as
   follows:

   -15:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |       OPTION_CERTIFICATE      |          option-len           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | EA-num | EA-id | EA-id | ... .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Cert-len |                                                    |
      +-+-+-+-+-+-+-+-+                                               .
      .                  Certificate (variable length)                .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Cert-len |                                                    |
      +-+-+-+-+-+-+-+-+                                               .
      .                  Certificate (variable length)                .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      .                              ...                              .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      option-code   OPTION_CERTIFICATE (TBA1).

      option-len    1 + length of EA-id list + length of certificate
                    list in octets.

      EA-num        The number of the supported encryption algorithm.

   -16:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |       OPTION_CERTIFICATE      |          option-len           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      .                          EA-id List                           .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .               Certificate List (variable length)              .
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                        Figure 2: Certificate Option

      o  option-code: OPTION_CERTIFICATE (TBA1).

      o  option-len: length of EA-id List + length of Certificate List in
         octets.

      o  EA-id List: The format of the EA-id List field is shown in
         Figure 3.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |            EA-num             |             EA-id             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      .                              ...                              .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |             EA-id             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      EA-num        The number of the following EA-ids.

   Both versions:

      EA-id         Encryption Algorithm id.  The encryption algorithm
                    is used for the encrypted DHCPv6 configuration
                    process.  This design is adopted in order to provide
                    encryption algorithm agility.  The value is from the
                    Encryption Algorithm for Secure DHCPv6 registry in
                    IANA.  A registry of the initial assigned values
                    is defined in Section 12.

   -16:

                        Figure 3: EA-id List Field

      o  Certificate List: The format of the Certificate List field is
         shown in Figure 4.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | cert-num | cert-len | certificate |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      .             ... certificate (variable length) (cont)          .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      .                                                               .
      .                              ...                              .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | cert-len | certificate |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      .             ... certificate (variable length) (cont)          .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      cert-num      The number of the following certificates.

   Both versions:

      cert-len      The length of the certificate.

      Certificate   A variable-length field containing certificates.  The
                    encoding of certificate and certificate data MUST
                    be in the format defined in Section 3.6 of [RFC7296].
                    The support of X.509 certificates is mandatory.

   -16:

                      Figure 4: Certificate List Field
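As an added example (not the draft's own code), the -16 Certificate option encoded and parsed in Python, with the option-len bookkeeping described above and the receiver-side choice among the EA-ids a sender offers. The field widths are not recoverable from this rendering of the figures, so the code assumes 2-octet EA-num and EA-id fields (Figure 3's trailing row is 16 bits wide), a 1-octet cert-num and a 2-octet cert-len; OPTION_CERTIFICATE is still TBA1, so a placeholder code is used, and the sample certificates are constructed bytes, not real DER.

```python
import struct

OPTION_CERTIFICATE = 0xFFF1   # placeholder: the real option code is TBA1


def encode_certificate_option(ea_ids, certs):
    """Serialise option-code | option-len | EA-id List | Certificate List."""
    ea_list = struct.pack("!H%dH" % len(ea_ids), len(ea_ids), *ea_ids)  # EA-num, EA-id...
    cert_list = struct.pack("!B", len(certs))                           # cert-num
    for cert in certs:
        cert_list += struct.pack("!H", len(cert)) + cert                # cert-len, certificate
    body = ea_list + cert_list
    # -16 text: option-len = length of EA-id List + length of Certificate List
    return struct.pack("!HH", OPTION_CERTIFICATE, len(body)) + body


def parse_certificate_option(data):
    """Return (ea_ids, certs); raise ValueError on any length inconsistency."""
    if len(data) < 4:
        raise ValueError("short option header")
    code, olen = struct.unpack("!HH", data[:4])
    if code != OPTION_CERTIFICATE:
        raise ValueError("not a Certificate option")
    body = data[4:4 + olen]
    if len(body) != olen:
        raise ValueError("option-len exceeds the octets actually present")

    def take(fmt, pos):
        """Unpack fmt at pos inside body, refusing to read past option-len."""
        size = struct.calcsize(fmt)
        if pos + size > olen:
            raise ValueError("field at offset %d runs past option-len" % pos)
        return struct.unpack_from(fmt, body, pos), pos + size

    (ea_num,), pos = take("!H", 0)
    ea_ids, pos = take("!%dH" % ea_num, pos)
    (cert_num,), pos = take("!B", pos)
    certs = []
    for _ in range(cert_num):
        (clen,), pos = take("!H", pos)
        if pos + clen > olen:
            raise ValueError("certificate runs past option-len")
        certs.append(body[pos:pos + clen])
        pos += clen
    if pos != olen:
        raise ValueError("trailing octets after the Certificate List")
    return list(ea_ids), certs


def is_wellformed(data):
    """True if the option parses with every length field consistent."""
    try:
        parse_certificate_option(data)
        return True
    except ValueError:
        return False


def choose_encryption_algorithm(offered_ea_ids, supported_ea_ids):
    """Receiver side of algorithm agility: first offered EA-id we support, else None."""
    for ea in offered_ea_ids:
        if ea in supported_ea_ids:
            return ea
    return None


# Constructed sample: two EA-ids and two dummy certificates (not real DER).
SAMPLE_CERTS = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]
SAMPLE_OPTION = encode_certificate_option([1, 2], SAMPLE_CERTS)
```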
10.1.2.  Signature option

   The Signature option allows a signature that is signed by the private
   key to be attached to a DHCPv6 message.  The Signature option could
   be in any place within the DHCPv6 message while it is logically
   created after the entire DHCPv6 header and options.  It protects the
   entire DHCPv6 header and options, including itself.  The format of
   the Signature option is described as follows:

   -15:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |        OPTION_SIGNATURE       |          option-len           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | SA-num | SA-id | SA-id | ... |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | HA-num | HA-id | HA-id | ... |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .                   Signature (variable length)                 .
      .                                                               .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      option-code   OPTION_SIGNATURE (TBA2).

      option-len    2 + length of SA-id list + length of HA-id list +
                    length of Signature field in octets.

   -16:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |        OPTION_SIGNATURE       |          option-len           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      .                          SA-id List                           .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      .                          HA-id List                           .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .                   Signature (variable length)                 .
      .                                                               .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                         Figure 5: Signature Option

      o  option-code: OPTION_SIGNATURE (TBA2).

      o  option-len: length of SA-id list + length of HA-id list + length
         of Signature field in octets.

      o  SA-id List: The format of the SA-id List field is shown in
         Figure 6.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |            SA-num             |             SA-id             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      .                              ...                              .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |             SA-id             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      SA-num        The number of the following SA-ids.

   Both versions:

      SA-id         Signature Algorithm id.  The signature algorithm is
                    used for computing the signature result.  This
                    design is adopted in order to provide signature
                    algorithm agility.  The value is from the Signature
                    Algorithm for Secure DHCPv6 registry in IANA.  The
                    support of RSASSA-PKCS1-v1_5 is mandatory.  A
                    registry of the initial assigned values is defined
                    in Section 12.

   -16:

                        Figure 6: SA-id List Field

      o  HA-id List: The format of the HA-id List field is shown in
         Figure 7.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |            HA-num             |             HA-id             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      .                              ...                              .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |             HA-id             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      HA-num        The number of the following HA-ids.

   Both versions:

      HA-id         Hash Algorithm id.  The hash algorithm is used for
                    computing the signature result.  This design is
                    adopted in order to provide hash algorithm agility.
                    The value is from the Hash Algorithm for Secure
                    DHCPv6 registry in IANA.  The support of SHA-256 is
                    mandatory.  A registry of the initial assigned values
                    is defined in Section 12.  If the signature algorithm
                    and hash algorithm cannot be separated, the HA-id
                    field is zero.  The hash algorithm is decided by the
                    corresponding signature algorithm.

   -15:

      Signature     A variable-length field containing a digital
                    signature.  The signature value is computed with
                    the hash algorithm and the signature algorithm,
                    as described in HA-id and SA-id.  The signature
                    constructed by using the sender's private key
                    protects the following sequence of octets:

                    1.  The DHCPv6 message header.

                    2.  All DHCPv6 options including the Signature
                        option (fill the Signature field with zeroes).

                    The Signature field MUST be padded, with all 0, to
                    the next octet boundary if its size is not a
                    multiple of 8 bits.  The padding length depends on
                    the signature algorithm, which is indicated in the
                    SA-id field.

   -16:

                        Figure 7: HA-id List Field

      o  Signature: A variable-length field containing a digital signature.
         The signature value is computed with the hash algorithm and the
         signature algorithm, as described in HA-id and SA-id.  The
         Signature field MUST be padded, with all 0, to the next octet
         boundary if its size is not a multiple of 8 bits.  The padding
         length depends on the signature algorithm, which is indicated in
         the SA-id field.

   Both versions:

   Note: If Secure DHCPv6 is used, the DHCPv6 message is encrypted in a
   way that the authentication mechanism defined in RFC3315 does not
   understand.  So the Authentication option SHOULD NOT be used if
   Secure DHCPv6 is applied.
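Added example, not the draft's code: a DHCPv6 message carrying the -16 Signature option, with the signed input formed as the -15 text describes (header plus all options, the Signature field zero-filled), so that the option protects the whole message including itself wherever it is placed. Assumptions: 2-octet SA-num/SA-id and HA-num/HA-id fields (Figures 6 and 7 end in a 16-bit row), a placeholder for TBA2, constructed registry values 1/1 standing in for the mandatory RSASSA-PKCS1-v1_5/SHA-256, and an HMAC-SHA256 stand-in for the signing primitive.

```python
import hashlib
import hmac
import struct

OPTION_SIGNATURE = 0xFFF2   # placeholder: the real option code is TBA2

def option(code, body):
    return struct.pack("!HH", code, len(body)) + body

def id_list(ids):
    """SA-id List / HA-id List: <num><id>*, 2-octet fields (assumed widths)."""
    return struct.pack("!H%dH" % len(ids), len(ids), *ids)

def iter_options(msg):
    """Yield (offset, option-code, option-len) after the 4-octet DHCPv6 header."""
    pos = 4
    while pos + 4 <= len(msg):
        code, olen = struct.unpack_from("!HH", msg, pos)
        if pos + 4 + olen > len(msg):
            raise ValueError("truncated option")
        yield pos, code, olen
        pos += 4 + olen
    if pos != len(msg):
        raise ValueError("trailing octets after the last option")

def locate_signature(msg):
    """The option may sit anywhere; return (sig_offset, sig_len, sa_ids, ha_ids)."""
    for pos, code, olen in iter_options(msg):
        if code != OPTION_SIGNATURE:
            continue
        p, end = pos + 4, pos + 4 + olen
        (sa_num,) = struct.unpack_from("!H", msg, p)
        sa_ids = list(struct.unpack_from("!%dH" % sa_num, msg, p + 2))
        p += 2 + 2 * sa_num
        (ha_num,) = struct.unpack_from("!H", msg, p)
        ha_ids = list(struct.unpack_from("!%dH" % ha_num, msg, p + 2))
        p += 2 + 2 * ha_num
        if p > end:
            raise ValueError("SA-id/HA-id lists run past option-len")
        return p, end - p, sa_ids, ha_ids
    raise ValueError("no Signature option present")

def signed_input(msg):
    """Header + all options with the Signature field zero-filled: what the signature covers."""
    off, n, _, _ = locate_signature(msg)
    return msg[:off] + bytes(n) + msg[off + n:]

def build_signed(msg_type, xid, other_opts, sa_id, ha_id, sign_fn, sig_len, sig_first=False):
    """Lay the message out with a zeroed Signature field, sign it, then fill the field in."""
    header = struct.pack("!B", msg_type) + xid      # 1-octet msg-type + 3-octet transaction-id
    blank = option(OPTION_SIGNATURE, id_list([sa_id]) + id_list([ha_id]) + bytes(sig_len))
    msg = header + (blank + other_opts if sig_first else other_opts + blank)
    sig = sign_fn(hashlib.sha256(signed_input(msg)).digest())   # SHA-256 is the mandatory HA
    assert len(sig) == sig_len, "signature must fill exactly the reserved field"
    off, n, _, _ = locate_signature(msg)
    return msg[:off] + sig + msg[off + n:]

def verify_signed(msg, verify_fn):
    off, n, _, _ = locate_signature(msg)
    return verify_fn(hashlib.sha256(signed_input(msg)).digest(), msg[off:off + n])

# Stand-in primitive so the demo runs offline: HMAC-SHA256 under a constructed key.
# It is NOT RSASSA-PKCS1-v1_5; a real sender signs with its private key here.
DEMO_KEY = b"constructed-demo-key"
def demo_sign(digest): return hmac.new(DEMO_KEY, digest, "sha256").digest()
def demo_verify(digest, sig): return hmac.compare_digest(demo_sign(digest), sig)

# Constructed Client Identifier option (code 1, RFC 3315) with a dummy DUID.
SAMPLE_OPTS = option(1, b"\x00\x03\x00\x01\x02\x00\x00\x00\x00\x01")

def demo(sig_first):
    """Return (verifies_as_built, rejected_after_flipping_one_DUID_octet)."""
    msg = build_signed(1, b"\x01\x02\x03", SAMPLE_OPTS, 1, 1, demo_sign, 32, sig_first)
    i = len(msg) - 1 if sig_first else len(SAMPLE_OPTS) + 3   # last DUID octet either way
    tampered = msg[:i] + bytes([msg[i] ^ 0x01]) + msg[i + 1:]
    return verify_signed(msg, demo_verify), not verify_signed(tampered, demo_verify)
```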
10.1.3.  Increasing-number Option

   The Increasing-number option carries the number which is higher than
   the local stored number on the client/server.  It adds the anti-

[skipping to change at page 18, line 43 (-15) / page 20, line 23 (-16)]

      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      option-code     OPTION_INCREASING_NUM (TBA3).

      option-len      8, in octets.

      IncreasingNum   A strictly increasing number for the replay attack
                      detection which is more than the local stored
                      number.

   -16:

                     Figure 8: Increasing-number Option

10.1.4.  Encrypted-message Option

   The Encrypted-message option carries the encrypted DHCPv6 message
   with the recipient's public key.

   The format of the Encrypted-message option is:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          option-code          |          option-len           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .                    encrypted DHCPv6 message                   .
      .                          (variable)                           .
      .                                                               .
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   -15:          Figure 1: Encrypted-message Option Format
   -16:          Figure 1: Encrypted-message Option

      option-code   OPTION_ENCRYPTED_MSG (TBA4).

      option-len    Length of the encrypted DHCPv6 message.

      encrypted DHCPv6 message   A variable-length field containing the
                    encrypted DHCPv6 message sent by the client or the
                    server.  In an Encrypted-Query message, it contains
                    the encrypted DHCPv6 message sent by a client.  In an
                    Encrypted-Response message, it contains the encrypted
                    DHCPv6 message sent by a server.
[skipping to change at page 23, line 7 (-15) / page 24, line 27 (-16)]

   Sean Turner, Stephen Farrell, Christian Huitema, Stephen Kent, Thomas
   Huth, David Schumacher, Francis Dupont, Gang Chen, Suresh Krishnan,
   Fred Templin, Robert Elz, Nico Williams, Erik Kline, Alan DeKok,
   Bernard Aboba, Sam Hartman, Qi Sun, Zilong Liu and other members of
   the IETF DHC working group for their valuable comments.

   This document was produced using the xml2rfc tool [RFC2629].

14.  Change log [RFC Editor: Please remove]

   -16:

   draft-ietf-dhc-sedhcpv6-15: Increasing number option only contains
   the strictly increasing number; Add some description about why
   encryption is needed in the Security Issues of DHCPv6 part; For the
   algorithm agility part, the provider can offer multiple EA-ids, SA-ids
   and HA-ids, and the receiver then chooses one from the algorithm set.

   Both versions:

   draft-ietf-dhc-sedhcpv6-14: For the deployment part, Tofu is out of
   scope and take Opportunistic security into consideration; Increasing
   number option is changed into 64 bits; Increasing number check is a
   separate section; IncreasingnumFail error status code is changed into
   ReplayDetected error status code; Add the section of "caused change
   to RFC3315";

   draft-ietf-dhc-sedhcpv6-13: Change the Timestamp option into
   Increasing-number option and the corresponding check method; Delete
   the OCSP stapling part for the certificate check; Add the scenario

End of changes.  23 change blocks.
54 lines changed or deleted, 121 lines changed or added.

This html diff was produced by rfcdiff 1.45.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/