DHC working group                                             S. Nalluri
Internet-Draft                                                  Ericsson
Intended status: Standards Track                       December 26, 2016
Expires: June 11, 2017


             DHCPv6 Options for LWM2M bootstrap information
          draft-nalluri-dhc-dhcpv6-lwm2m-bootstrap-options-00

Abstract

   This document defines Dynamic Host Configuration Protocol and Dynamic
   Host Configuration Protocol version 6 (DHCPv6) Options for LWM2M
   client bootstrap information, which are used to carry Uniform
   Resource Locater of LWM2M bootstrap server and certificate that
   validates the public key presented by server.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 11, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Nalluri                   Expires June 11, 2017                 [Page 1]


Internet-Draft          DHCPv6 Options for LWM2M           December 2016


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  LWM2M bootstrap server information through DHC  . . . . . . .   3
     3.1.  DHCPv6 option for LWM2M bootstrap server URI  . . . . . .   3
     3.2.  DHCPv6 option for LWM2M server certificate  . . . . . . .   3
     3.3.  DHCP option for LWM2M bootstrap server URI  . . . . . . .   4
     3.4.  DHCP option for LWM2M server certificate  . . . . . . . .   4
   4.  Appearance of Option  . . . . . . . . . . . . . . . . . . . .   5
     4.1.  Appearance of options in DHCPv6 control messages  . . . .   5
     4.2.  Appearance of options in DHCP control messages  . . . . .   6
   5.  Configuration Guidelines for the Server . . . . . . . . . . .   6
   6.  DHCP/DHCPv6 Client Behavior . . . . . . . . . . . . . . . . .   6
   7.  Relay agent Behavior  . . . . . . . . . . . . . . . . . . . .   7
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   9.  Acknowledgement . . . . . . . . . . . . . . . . . . . . . . .   8
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   11. Normative References  . . . . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   Light weight machine to machine (LWM2M) protocol is used to manage
   end device life cycle in machine to machine communication scenarios.
   LWM2M device bootstrap is an optional life cycle phase for devices to
   get needed information when starting up for first time.  Information
   gathered during bootstrapping might include management server details
   and security certificates required to establish connectivity with
   management server.  Information required to connect with bootstrap
   server might be hard coded during device manufacturing phase.

   Hard coding configuration by device manufacturer forces device
   operator to use same configuration as hard coded.  It is possible
   that reachability information of bootstrap server that is hard coded
   may be outdated and boot strap server reachability might fail during
   first use of device.  In such cases connectivity with bootstrap
   server is possible only through device software upgrade.

2.  Terminology

   This document makes use of the following terms:

   LWM2M:  Lightweight Machine to Machine is a protocol from Open Mobile
      alliance for device management in M2M or Internet of Things
      scenarios





Nalluri                   Expires June 11, 2017                 [Page 2]


Internet-Draft          DHCPv6 Options for LWM2M           December 2016


   LWM2M bootstrap server:  The server that provides LWM2M bootstrap
      interface which is used to optionally configure a LWM2M Client so
      that it can successfully register with a LWM2M management Server

   LWM2M management server:  The server that provides registration,
      device management and service enablement interface to manage a
      LWM2M client.

3.  LWM2M bootstrap server information through DHC

   LWM2M bootstrap server details like URI and security certificate can
   be collected during dynamic host configuration phase.  DHCP and
   DHCPv6 options can be extended to collect LWM2M bootstrap server
   information for IPv4 and IPv6 networks respectively.  DHCP or DHCPv6
   client requests LWM2M bootstrap server URI and LWM2M server
   certificate using new options proposed in sections below

3.1.  DHCPv6 option for LWM2M bootstrap server URI

   DHCPv6 option OPTION_LWM2M_BOOTSTRAP_URI conveys URI through which
   LWM2M client can reach LWM2M bootstrap server reachable through IPv6
   network.  The format of LWM2M bootstrap server URI option is as shown
   below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  option-code                  |         option-len            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     LWM2M-bootstrap-URI                       |
   |                              ...                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   option-code:  OPTION_LWM2M_BOOTSTRAP_URI

   option-len:  Length of the 'LWM2M-bootstrap-URI' field in octets

   LWM2M-bootstrap-URI:  This string is URI of LWM2M bootstrap server.
      The string is not null-terminated.

3.2.  DHCPv6 option for LWM2M server certificate

   DHCPv6 option OPTION_LWM2M_SERVER_CERTIFICATE conveys security
   certificate which can be used by LWM2M client to establish secure
   connection with LWM2M server reachable through IPv6 network.  The
   format of LWM2M server certificate option is as shown below:




Nalluri                   Expires June 11, 2017                 [Page 3]


Internet-Draft          DHCPv6 Options for LWM2M           December 2016


    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          option-code          |         option-len            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     LWM2M-server-certificate                  |
   |                      (variable length data)                   |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code:  OPTION_LWM2M_SERVER_CERTIFICATE

   option-len:  Length of the 'LWM2M-server-certificate' field in octets

   LWM2M-server-certificate:  Digital certificate of LWM2M server as
      defined in Section 3.6 of [RFC7296]

3.3.  DHCP option for LWM2M bootstrap server URI

   DHCP option OPTION_LWM2M_BOOTSTRAP_URI conveys URI through which
   LWM2M client can reach LWM2M bootstrap server reachable through IPv4
   network.  The format of LWM2M bootstrap server URI option is as shown
   below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  option-code  |  option-len   |         Reserved              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                    LWM2M-bootstrap-URI                        |
   |                           ...                                 |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code:  OPTION_LWM2M_BOOTSTRAP_URI

   option-len:  Length of the 'LWM2M-bootstrap-URI' field in octets

   Reserved:  MUST be set to zero

   LWM2M-bootstrap-URI:  This string is URI of LWM2M bootstrap server.
      The string is not null-terminated.

3.4.  DHCP option for LWM2M server certificate

   DHCP option OPTION_LWM2M_SERVER_CERTIFICATE conveys security
   certificate which can be used by LWM2M client to establish secure




Nalluri                   Expires June 11, 2017                 [Page 4]


Internet-Draft          DHCPv6 Options for LWM2M           December 2016


   connection with LWM2M server reachable through IPv4 network.  The
   format of LWM2M server certificate option is as shown below:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  option-code  |   option-len  |    Sequence Number            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                    LWM2M-server-certificate                   |
   |                     (variable length data)                    |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code:  OPTION_LWM2M_SERVER_CERTIFICATE

   option-len:  Length of the 'LWM2M-server-certificate' field in octets

   Sequence Number:  Sequence number of OPTION_LWM2M_SERVER_CERTIFICATE
      in the scope of DHCP packet.  Sequence number starts with zero and
      incremented by 1 for every new OPTION_LWM2M_SERVER_CERTIFICATE
      option added to DHCP packet

   LWM2M-server-certificate:  Digital certificate of LWM2M server as
      defined in Section 3.6 of [RFC7296]

4.  Appearance of Option

4.1.  Appearance of options in DHCPv6 control messages

   The OPTION_LWM2M_BOOTSTRAP_URI and OPTION_LWM2M_SERVER_CERTIFICATE
   options MUST NOT appear in messages other than the following: SOLICIT
   (1), ADVERTISE (2), REQUEST (3),REPLY (4) RENEW (5), REBIND (6),
   INFORMATION-REQUEST (11).  If this option appears in messages other
   than those specified above, the receiver MUST ignore it.

   The option number for OPTION_LWM2M_BOOTSTRAP_URI and
   OPTION_LWM2M_SERVER_CERTIFICATE options MAY appear in the "Option
   Request" option [RFC3315] in the following messages: SOLICIT (1),
   REQUEST (3), RENEW (5), REBIND (6), INFORMATION-REQUEST (11) and
   RECONFIGURE (10).  If this option number appears in the "Option
   Request" option in messages other than those specified above, the
   receiver SHOULD ignore it.








Nalluri                   Expires June 11, 2017                 [Page 5]


Internet-Draft          DHCPv6 Options for LWM2M           December 2016


4.2.  Appearance of options in DHCP control messages

   The OPTION_LWM2M_BOOTSTRAP_URI and OPTION_LWM2M_SERVER_CERTIFICATE
   options MUST NOT appear in messages other than the following:
   DHCPDISCOVER (1), DHCPOFFER (2), DHCPREQUEST (3), DHCPACK (5) and
   DHCPINFORM (8).  If this option appears in messages other than those
   specified above, the receiver MUST ignore it.

   The option number for OPTION_LWM2M_BOOTSTRAP_URI and
   OPTION_LWM2M_SERVER_CERTIFICATE options MAY appear in the "Parameter
   Request List" option [RFC2132] in the following messages:
   DHCPDISCOVER (1), DHCPOFFER (2), DHCPREQUEST (3), DHCPACK (5) and
   DHCPINFORM (8).  If this option number appears in the "Parameter
   Request List" option in messages other than those specified above,
   the receiver SHOULD ignore it.

   Maximum possible value of DHCP "option-len" is 255.  LWM2M-server-
   certificate MAY be of length more than 255.  To accommodate larger
   certificate, it SHOULD be possible to include multiple
   OPTION_LWM2M_SERVER_CERTIFICATE options in same DHCP message.  DHCP
   server SHOULD be capable of including multiple
   OPTION_LWM2M_SERVER_CERTIFICATE options in same message.
   Certificates larger than 255 byte SHOULD be fragmented and adjusted
   in minimum possible number of OPTION_LWM2M_SERVER_CERTIFICATE
   options.  Each OPTION_LWM2M_SERVER_CERTIFICATE option is tagged with
   a sequence number which can be used by DHCP client to reassemble
   received certificate

5.  Configuration Guidelines for the Server

   DHCP or DHCPv6 server that supports OPTION_LWM2M_BOOTSTRAP_URI and
   OPTION_LWM2M_SERVER_CERTIFICATE SHOULD be configured with one and
   only one LWM2M bootstrap server URI, and one and only one certificate
   that validates bootstrap server's public key.

   In the absence of URI configuration, DHCP server SHOULD ignore option
   OPTION_LWM2M_BOOTSTRAP_URI, and SHOULD continue processing of DHCP
   control message

   In the absence of certificate configuration, DHCP server SHOULD
   ignore option OPTION_LWM2M_SERVER_CERTIFICATE, and SHOULD continue
   processing of DHCP control message

6.  DHCP/DHCPv6 Client Behavior

   DHCP or DHCPv6 client MAY decide need for inclusion of
   OPTION_LWM2M_BOOTSTRAP_URI and OPTION_LWM2M_SERVER_CERTIFICATE
   options in DHCP or DHCPv6 control messages if device is capable of



Nalluri                   Expires June 11, 2017                 [Page 6]


Internet-Draft          DHCPv6 Options for LWM2M           December 2016


   supporting LWM2M client functionality irrespective of state of LWM2M
   client.  It is possible that LWM2M client MAY not be active before
   DHCP or DHCPv6 message exchanges happens.  In such scenario, DHCP or
   DHCPv6 client MAY collect LWM2M bootstrap server URI and LWM2M server
   certificate and keep ready for LWM2M client initialization

   DHCP or DHCPv6 client MAY prefer collecting LWM2M bootstrap server
   URI and LWM2M server certificate by including
   OPTION_LWM2M_BOOTSTRAP_URI and OPTION_LWM2M_SERVER_CERTIFICATE
   options in DHCPINFORM or INFORMATION-REQUEST message which MAY be
   send during LWM2M client initialization

   LWM2M client devices running with IPv6 stack MAY use stateless auto
   address configuration to get IPv6 address.  Such clients MAY use
   DHCPv6 INFORMATION-REQUEST to get LWM2M bootstrap URI and LWM2M
   server server certificate through options OPTION_LWM2M_BOOTSTRAP_URI
   and OPTION_LWM2M_SERVER_CERTIFICATE

7.  Relay agent Behavior

   This draft does not impose any new requirements on DHCP or DHCPv6
   relay agent functionality

8.  Security Considerations

   OPTION_LWM2M_BOOTSTRAP_URI and OPTION_LWM2M_SERVER_CERTIFICAT options
   could be used by an intruder to advertise the URI of a malicious
   LWM2M bootstrap server and certificate and can alter the LWM2M
   management server details provided to LWM2M client.  The consequences
   of such an attack can be critical, because any data that is reported
   by LWM2M client MAY reach unwanted LWM2M management server.  As an
   example, an attacker could collect data from secure locations by
   deploying malicious servers.

   To prevent these attacks, it is strongly advisable to secure the use
   of this option by either:

   o  Using authenticated DHCP as described in [RFC3315], Section 21.

   o  Using options OPTION_LWM2M_BOOTSTRAP_URI and
      OPTION_LWM2M_SERVER_CERTIFICATE only with trusted DHCP server

   The security considerations documented in [RFC3315] are to be
   considered.







Nalluri                   Expires June 11, 2017                 [Page 7]


Internet-Draft          DHCPv6 Options for LWM2M           December 2016


9.  Acknowledgement

   Particular thanks to A.  Keraenen, J.  Jimenez, J.  Melen and S.
   Krishnan for the concept, inputs and review.

10.  IANA Considerations

   IANA is requested to assign new DHCPv6 option codes in the registry
   maintained in http://www.iana.org/assignments/dhcpv6-parameters:

             |       Option Name               |    Value |
             |---------------------------------+----------|
             | OPTION_LWM2M_BOOTSTRAP_URI      |     TBA  |
             | OPTION_LWM2M_SERVER_CERTIFICATE |     TBA  |

   IANA is requested to assign new DHCP option codes in the registry
   maintained in http://www.iana.org/assignments/bootp-dhcp-parameters:

             |       Option Name              |   Value |
             |--------------------------------+---------|
             | OPTION_LWM2M_BOOTSTRAP_URI     |    TBA  |
             | OPTION_LWM2M_SERVER_CERTIFICATE|    TBA  |

11.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, DOI 10.17487/RFC2131, March 1997,
              <http://www.rfc-editor.org/info/rfc2131>.

   [RFC2132]  Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
              Extensions", RFC 2132, DOI 10.17487/RFC2132, March 1997,
              <http://www.rfc-editor.org/info/rfc2132>.

   [RFC3315]  Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
              C., and M. Carney, "Dynamic Host Configuration Protocol
              for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
              2003, <http://www.rfc-editor.org/info/rfc3315>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <http://www.rfc-editor.org/info/rfc5280>.



Nalluri                   Expires June 11, 2017                 [Page 8]


Internet-Draft          DHCPv6 Options for LWM2M           December 2016


   [RFC7227]  Hankins, D., Mrugalski, T., Siodelski, M., Jiang, S., and
              S. Krishnan, "Guidelines for Creating New DHCPv6 Options",
              BCP 187, RFC 7227, DOI 10.17487/RFC7227, May 2014,
              <http://www.rfc-editor.org/info/rfc7227>.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
              2014, <http://www.rfc-editor.org/info/rfc7296>.

Author's Address

   Srinivas Rao Nalluri
   Ericsson
   Bangalore
   India

   Email: srinivasa.rao.nalluri@ericsson.com

































Nalluri                   Expires June 11, 2017                 [Page 9]