DHC Working Group Y. Cui
Internet-Draft Q. Sun
Intended status: Standards Track Tsinghua University
Expires: December 28, 2013 T. Lemon
Nominum, Inc.
June 26, 2013
Handling Unknown DHCPv6 Messages
draft-ietf-dhc-dhcpv6-unknown-msg-01
Abstract
Dynamic Host Configuration Protocol version 6 (DHCPv6) isn't specific
about handling messages with unknown types. This memo describes the
problems and defines how a DHCPv6 function node should behave in this
case. This document updates RFC3315.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 28, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
Cui, et al. Expires December 28, 2013 [Page 1]
Internet-Draft Handling Unknown DHCPv6 Messages June 2013
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Requirements Language . . . . . . . . . . . . . . . . . . . . . 3
3. Problem Statement . . . . . . . . . . . . . . . . . . . . . . . 3
4. Relay Agent Behavior Update . . . . . . . . . . . . . . . . . . 3
4.1. Definition of a Valid Message . . . . . . . . . . . . . . . 4
4.2. Relaying a Message towards Server . . . . . . . . . . . . . 4
4.3. Relaying a Message towards Client . . . . . . . . . . . . . 4
5. Client and Server Behavior Update . . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
8. Contributors List . . . . . . . . . . . . . . . . . . . . . . . 6
9. Normative References . . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6
Cui, et al. Expires December 28, 2013 [Page 2]
Internet-Draft Handling Unknown DHCPv6 Messages June 2013
1. Introduction
Dynamic Host Configuration Protocol version 6 (DHCPv6) [RFC3315]
provides a framework for conveying IPv6 configuration information to
hosts on a TCP/IP network. But [RFC3315] is not specific about how
to deal with message with unrecognized types. This document describe
the problems and defines the behavior of a DHCPv6 function node when
handling unknown DHCPv6 messages. This document updates [RFC3315].
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Problem Statement
The relay agent is bound to send a message either to the server or to
the client. But RFC3315 doesn't explicitly describe how the relay
agent can find out it should send a message towards the server or
towards the client.
Another issue is that, it's not specific in RFC3315 about what a
relay agent should do if it doesn't recognize the received messages.
The relay agent isn't required to relay the messages, nor advised to
drop them.
In addition, there is no specific requirement of the client or server
on dealing with an unknown message in RFC3315.
4. Relay Agent Behavior Update
A relay agent relays the message towards the server or the client
according to the message type. Relay-reply messages are sent toward
the client. The Relay-forward message and other types of message are
sent toward the server.
We say "toward the client" and "toward the server" because relay
agents may be chained together, so a relay message may be sent
through multiple relays along the path to its destination. Relay-
reply messages specify a destination address; the relay agent
extracts the encapsulated message and sends it to the specified
destination address. Any message other than a Relay-reply does not
have such a specified destination, so it follows the default
forwarding path configured on the relay agent, which is always toward
Cui, et al. Expires December 28, 2013 [Page 3]
Internet-Draft Handling Unknown DHCPv6 Messages June 2013
the server.
4.1. Definition of a Valid Message
Section 20.1 of [RFC3315] states that:
"When a relay agent receives a valid message to be relayed, it
constructs a new Relay-forward message."
It doesn't define what a valid message is. In this document, we
specify the definition: the message is valid for constructing a new
Relay-forward message if the recipient is a relay agent, the relay
agent does not identify itself as the intended recipient, and the
message is not a Relay-Reply message.
We state the definition in this way for the following reasons:
o Any message received by a client or server is clearly not a
candidate for forwarding.
o Any message received by the relay in response to a message it has
sent to the server-e.g., a RECONFIGURE-REPLY message-is also not a
candidate for forwarding.
o A standards-compliant DHCP server will never send a message to a
relay other than in response to a message from a relay, so there
should never be a case where a relay receives a message for which
it is the intended recipient, but is not able to recognize that it
is the intended recipient for the message.
o A Relay-Reply message is an encapsulation intended for the client
or for a relay agent closer to the client. It specifies a
destination, and hence is never to be encapsulated and sent back
to the server.
Any message that does not meet any of these criteria must therefore
be a message intended to be relayed to the DHCP server.
4.2. Relaying a Message towards Server
If the relay agent received a Relay-forward message, Section 20.1.2
of [RFC3315] defines the related behavior. If the relay agent
received messages other than Relay-forward and Relay-reply, it MUST
forward them as is described in Section 20.1.1 of [RFC3315].
4.3. Relaying a Message towards Client
If the relay agent received a Relay-reply message, it MUST unpack the
Cui, et al. Expires December 28, 2013 [Page 4]
Internet-Draft Handling Unknown DHCPv6 Messages June 2013
message and forward it as is defined in Section 20.2 of [RFC3315],
regardless of the message type in Relay Message Option.
5. Client and Server Behavior Update
There are chances that the client or server would receive DHCPv6
messages with unknown types. In this case, the client or server MUST
discard the unrecognized messages.
6. Security Considerations
As the relay agent will forward all unknown types of DHCPv6 messages,
a malicious attacker can interfere with the relaying function by
constructing fake DHCPv6 messages with arbitrary type code. The same
problem may happen in current DHCPv4 and DHCPv6 practice where the
attacker has to construct the fake DHCP message with an known type
code.
Clients and servers that implement this specification will discard
unknown DHCPv6 messages. Since RFC3315 did not specify either relay,
client or server behavior in the presence of unknown messages, it is
possible that some servers or clients that have not been updated to
conform to this specification might be made vulnerable to client
attacks through the relay agent.
For this reason, we recommend that relay agents, clients and servers
be updated to follow this new specification. However, in most
deployment scenarios, it will be much easier to attack clients
directly than through a relay; furthermore, attacks using unknown
message types are already possible on the local wire.
So in most cases, if clients are not upgraded there should be minimal
additional risk; at sites where only servers and relays can be
upgraded, the incremental benefit of doing so most likely exceeds any
risk due to vulnerable clients.
Nothing in this update should be construed to mean that relay agents
may not be administratively configurable to drop messages on the
basis of the message type, for security reasons (e.g., in a
firewall). The sole purpose of requiring relay agents to relay
unknown messages is to ensure that when legitimate new messages are
defined in the protocol, relay agents, even if they were manufactured
prior to the definition of these new messages, will, by default,
succeed in relaying such messages.
Cui, et al. Expires December 28, 2013 [Page 5]
Internet-Draft Handling Unknown DHCPv6 Messages June 2013
7. IANA Considerations
This document does not include an IANA request.
8. Contributors List
Many thanks for Bernie Volz, Cong Liu and Yuchi Chen's contributions
to the draft.
9. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003.
Authors' Addresses
Yong Cui
Tsinghua University
Department of Computer Science, Tsinghua University
Beijing 100084
P.R.China
Phone: +86-10-6260-3059
Email: yong@csnet1.cs.tsinghua.edu.cn
Qi Sun
Tsinghua University
Department of Computer Science, Tsinghua University
Beijing 100084
P.R.China
Phone: +86-10-6278-5822
Email: sunqi@csnet1.cs.tsinghua.edu.cn
Ted Lemon
Nominum, Inc.
2000 Seaport Blvd
Redwood City, CA 94063
USA
Cui, et al. Expires December 28, 2013 [Page 6]
Internet-Draft Handling Unknown DHCPv6 Messages June 2013
Phone: +1-650-381-6000
Email: mellon@nominum.com
Cui, et al. Expires December 28, 2013 [Page 7]