draft-ietf-dhc-sedhcpv6-16.txt   draft-ietf-dhc-sedhcpv6-17.txt 
DHC Working Group S. Jiang DHC Working Group S. Jiang
Internet-Draft Huawei Technologies Co., Ltd Internet-Draft Huawei Technologies Co., Ltd
Intended status: Standards Track L. Li Intended status: Standards Track L. Li
Expires: April 21, 2017 Y. Cui Expires: April 23, 2017 Y. Cui
Tsinghua University Tsinghua University
T. Jinmei T. Jinmei
Infoblox Inc. Infoblox Inc.
T. Lemon T. Lemon
Nominum, Inc. Nominum, Inc.
D. Zhang D. Zhang
October 18, 2016 October 20, 2016
Secure DHCPv6 Secure DHCPv6
draft-ietf-dhc-sedhcpv6-16 draft-ietf-dhc-sedhcpv6-17
Abstract Abstract
DHCPv6 includes no deployable security mechanism that can protect DHCPv6 includes no deployable security mechanism that can protect
end-to-end communication between DHCP clients and servers. This end-to-end communication between DHCP clients and servers. This
document describes a mechanism for using public key cryptography to document describes a mechanism for using public key cryptography to
provide such security. The mechanism provides encryption in all provide such security. The mechanism provides encryption in all
cases, and can be used for authentication based on pre-sharing of cases, and can be used for authentication based on pre-sharing of
authorized certificates. authorized certificates.
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 21, 2017. This Internet-Draft will expire on April 23, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 17, line 8 skipping to change at page 17, line 8
is defined in Section 12. is defined in Section 12.
Figure 3: EA-id List Field Figure 3: EA-id List Field
o Certificate List: The format of the Certificate List Field is o Certificate List: The format of the Certificate List Field is
shown in Figure 4. shown in Figure 4.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| cert-num | cert-len | certificate | | cert-len | cert-data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. ...Certificate(variable length)(cont) . . ...cert-data(variable length)(cont) .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. . . .
. ... . . ... .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| cert-len | certificate | | cert-len | cert-data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. ...certificate(variable length)(cont) . . ...cert-data(variable length)(cont) .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
cert-num The number of the following certificates.
cert-len The length of the certificate. cert-len The length of the certificate.
Certificate A variable-length field containing certificates. The Cert-data A variable-length field containing certificates. The
encoding of the certificate and certificate data MUST encoding of the certificate and certificate data MUST
follow the format defined in Section 3.6 of [RFC7296]. follow the format defined in Section 3.6 of [RFC7296].
Support for X.509 certificates is mandatory. Support for X.509 certificates is mandatory.
Figure 4: Certificate List Field Figure 4: Certificate List Field
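Because the -17 layout drops cert-num, a receiver learns where the Certificate List ends only by exhausting the field, so each cert-len has to be checked against the bytes actually remaining before it is used as a slice length. The parser and builder below are an added example written for this page, not code from the draft or from any implementation of it. They assume cert-len is a 16-bit network-order count of the cert-data bytes (the figure does not state the width) and that cert-data is an RFC 7296 Section 3.6 CERT body, i.e. a one-byte Cert Encoding followed by the certificate data, with X.509 Certificate - Signature (value 4) as the mandatory encoding. The sample "certificates" are constructed DER SEQUENCEs, not real X.509 certificates.

```python
import struct

# Cert Encoding values from RFC 7296 section 3.6; the draft makes X.509
# support mandatory, so that is the only encoding this example inspects.
CERT_ENCODING_X509_SIGNATURE = 4

# Constructed stand-ins for DER certificates (valid DER SEQUENCEs, but NOT
# real X.509 certificates): one with a short-form length, one long-form.
SAMPLE_CERT_SHORT = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_CERT_LONG = b"\x30\x81\xc8" + b"\x02\x01\x01" * 66 + b"\x05\x00"


def der_tlv_total_length(buf: bytes) -> int:
    """Total size (tag + length octets + content) of the DER TLV at buf[0]."""
    if len(buf) < 2:
        raise ValueError("DER header truncated")
    first = buf[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("indefinite or oversized DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def build_certificate_list(certs, encoding=CERT_ENCODING_X509_SIGNATURE) -> bytes:
    """Encode certificates as the -17 Certificate List: (cert-len, cert-data)*.

    Assumption: cert-len is a 16-bit network-order count of cert-data bytes and
    cert-data is an RFC 7296 CERT body (1-byte Cert Encoding + certificate).
    """
    out = bytearray()
    for cert in certs:
        cert_data = bytes([encoding]) + cert
        if len(cert_data) > 0xFFFF:
            raise ValueError("certificate does not fit a 16-bit cert-len")
        out += struct.pack("!H", len(cert_data)) + cert_data
    return bytes(out)


def parse_certificate_list(field: bytes):
    """Walk the Certificate List, returning [(encoding, certificate), ...].

    There is no leading count (-17 dropped cert-num), so the list ends when
    the field is exhausted; every cert-len is checked against the bytes that
    actually remain before it is used as a slice length.
    """
    entries = []
    pos = 0
    while pos < len(field):
        if len(field) - pos < 2:
            raise ValueError(f"truncated cert-len at offset {pos}")
        (cert_len,) = struct.unpack_from("!H", field, pos)
        pos += 2
        if cert_len < 2:
            raise ValueError(f"cert-len {cert_len} too small for encoding byte plus data")
        if cert_len > len(field) - pos:
            raise ValueError(f"cert-len {cert_len} exceeds {len(field) - pos} remaining bytes")
        cert_data = field[pos:pos + cert_len]
        pos += cert_len
        encoding, cert = cert_data[0], cert_data[1:]
        if encoding == CERT_ENCODING_X509_SIGNATURE:
            # An X.509 certificate is a single DER SEQUENCE; its own encoded
            # length must account for exactly the bytes cert-len delivered.
            if cert[0] != 0x30 or der_tlv_total_length(cert) != len(cert):
                raise ValueError("cert-data is not a single well-formed DER SEQUENCE")
        entries.append((encoding, cert))
    return entries


def is_rejected(field: bytes) -> bool:
    """True if the parser refuses the field (used to exercise the checks)."""
    try:
        parse_certificate_list(field)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    field = build_certificate_list([SAMPLE_CERT_SHORT, SAMPLE_CERT_LONG])
    for enc, cert in parse_certificate_list(field):
        print(f"encoding={enc} der_len={len(cert)}")
    print("truncated field rejected:", is_rejected(field[:-1]))
```

The DER length cross-check is the part worth keeping in a real receiver: a cert-len that is larger than the certificate it carries lets an attacker smuggle trailing bytes past the certificate parser, and one that is smaller turns a truncated certificate into a parse error deep inside the X.509 code rather than at the framing layer where it belongs.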
10.1.2. Signature option 10.1.2. Signature option
The Signature option allows a signature generated with the sender's private The Signature option allows a signature generated with the sender's private
key to be attached to a DHCPv6 message. The Signature option could key to be attached to a DHCPv6 message. The Signature option could
skipping to change at page 20, line 43 skipping to change at page 20, line 43
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| option-code | option-len | | option-code | option-len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
. encrypted DHCPv6 message . . encrypted DHCPv6 message .
. (variable) . . (variable) .
. . . .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Encrypted-message Option Figure 9: Encrypted-message Option
option-code OPTION_ENCRYPTED_MSG (TBA4). option-code OPTION_ENCRYPTED_MSG (TBA4).
option-len Length of the encrypted DHCPv6 message. option-len Length of the encrypted DHCPv6 message.
encrypted DHCPv6 message A variable length field containing the encrypted DHCPv6 message A variable length field containing the
encrypted DHCPv6 message sent by the client or the server. In an encrypted DHCPv6 message sent by the client or the server. In an
Encrypted-Query message, it contains the encrypted DHCPv6 message sent Encrypted-Query message, it contains the encrypted DHCPv6 message sent
by a client. In an Encrypted-Response message, it contains the encrypted by a client. In an Encrypted-Response message, it contains the encrypted
DHCPv6 message sent by a server. DHCPv6 message sent by a server.
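The Encrypted-message option is an ordinary DHCPv6 option TLV whose option-data is the ciphertext of a whole inner DHCPv6 message, and it travels inside an outer Encrypted-Query or Encrypted-Response message that keeps the standard msg-type/transaction-id header. The builder and parser below are an added example for this page, not code from the draft or from any implementation; the option code and the two message types are still TBA in the draft, so the numeric values used here are placeholders, the server DUID and the "ciphertext" are constructed sample bytes, and the example deliberately treats the encrypted inner message as opaque (it does no public-key encryption itself). The Server Identifier option is included in the query because this client is addressing a known server; the page makes its presence conditional on the inner message type.

```python
import struct

# Option and message codes. OPTION_SERVERID comes from RFC 3315; the draft's
# Encrypted-message option and the two message types are still "TBA", so the
# values below are placeholders assumed for this example only.
OPTION_SERVERID = 2
OPTION_ENCRYPTED_MSG = 65000   # placeholder for TBA4 (assumption)
MSG_ENCRYPTED_QUERY = 200      # placeholder for TBA5 (assumption)
MSG_ENCRYPTED_RESPONSE = 201   # placeholder for TBA6 (assumption)

# Constructed sample values: a DUID-LL for the server and an opaque blob
# standing in for the already-encrypted inner DHCPv6 message.
SAMPLE_SERVER_DUID = bytes.fromhex("00030001001122334455")
SAMPLE_CIPHERTEXT = bytes(range(0xA0, 0xB0))


def encode_option(code: int, data: bytes) -> bytes:
    """Standard DHCPv6 option TLV: option-code, option-len, option-data."""
    if len(data) > 0xFFFF:
        raise ValueError("option-data does not fit a 16-bit option-len")
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf: bytes):
    """Walk DHCPv6 option TLVs; every option-len is bounded by what remains."""
    opts, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError(f"truncated option header at offset {pos}")
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if length > len(buf) - pos:
            raise ValueError(f"option {code}: option-len {length} exceeds {len(buf) - pos} remaining bytes")
        opts.append((code, buf[pos:pos + length]))
        pos += length
    return opts


def build_encrypted_query(transaction_id: int, server_duid: bytes, ciphertext: bytes) -> bytes:
    """Wrap an already-encrypted DHCPv6 message in an Encrypted-Query message."""
    if not 0 <= transaction_id < (1 << 24):
        raise ValueError("transaction-id is a 3-byte field")
    header = bytes([MSG_ENCRYPTED_QUERY]) + transaction_id.to_bytes(3, "big")
    return (header
            + encode_option(OPTION_SERVERID, server_duid)
            + encode_option(OPTION_ENCRYPTED_MSG, ciphertext))


def parse_encrypted_message(msg: bytes):
    """Return (msg_type, transaction_id, server_duid_or_None, ciphertext).

    Enforces what the figure and field descriptions require: a recognised
    msg-type, a 3-byte transaction-id, and exactly one Encrypted-message
    option carrying the ciphertext to be decrypted.
    """
    if len(msg) < 4:
        raise ValueError("message shorter than msg-type + transaction-id")
    msg_type = msg[0]
    if msg_type not in (MSG_ENCRYPTED_QUERY, MSG_ENCRYPTED_RESPONSE):
        raise ValueError(f"msg-type {msg_type} is not Encrypted-Query/Response")
    transaction_id = int.from_bytes(msg[1:4], "big")
    opts = parse_options(msg[4:])
    encrypted = [data for code, data in opts if code == OPTION_ENCRYPTED_MSG]
    if len(encrypted) != 1:
        raise ValueError(f"expected exactly one Encrypted-message option, found {len(encrypted)}")
    server_ids = [data for code, data in opts if code == OPTION_SERVERID]
    if len(server_ids) > 1:
        raise ValueError("more than one Server Identifier option")
    server_duid = server_ids[0] if server_ids else None
    return msg_type, transaction_id, server_duid, encrypted[0]


def is_rejected(msg: bytes) -> bool:
    """True if the parser refuses the message (used to exercise the checks)."""
    try:
        parse_encrypted_message(msg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    query = build_encrypted_query(0x123456, SAMPLE_SERVER_DUID, SAMPLE_CIPHERTEXT)
    print(query.hex())
    print(parse_encrypted_message(query))
```

The outer transaction-id is what the client later uses to pair an Encrypted-Response with its query, so the parser returns it rather than discarding it; the duplicate-option rejection matters because a receiver that silently took the first or last of two Encrypted-message options would let an on-path party choose which ciphertext gets decrypted.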
skipping to change at page 21, line 24 skipping to change at page 21, line 24
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| msg-type | transaction-id | | msg-type | transaction-id |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
. options . . options .
. (variable) . . (variable) .
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: The format of Encrypted-Query and Encrypted-Response Figure 10: The format of Encrypted-Query and Encrypted-Response
Messages Messages
msg-type Identifier of the message type. It can be either msg-type Identifier of the message type. It can be either
Encrypted-Query (TBA5) or Encrypted-Response (TBA6). Encrypted-Query (TBA5) or Encrypted-Response (TBA6).
transaction-id The transaction ID for this message exchange. transaction-id The transaction ID for this message exchange.
options The Encrypted-Query message MUST contain the options The Encrypted-Query message MUST contain the
Encrypted-message option and MUST contain the Server Encrypted-message option and MUST contain the Server
Identifier option if the message in the Encrypted- Identifier option if the message in the Encrypted-

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/