DHC Working Group Y. Lee
Internet-Draft Comcast
Intended status: Informational Y. Cui
Expires: September 9, 2015 Z. Liu
L. Sun
Tsinghua University
March 8, 2015
Secure Access Mechanism for DHCPv6
draft-yiu-dhc-dhcpv6-sa-00
Abstract
DHCPv6 [RFC3315] provides configuration parameters such as IPv6
network addresses for hosts. The unencrypted nature and use of
various identifiers make its privacy and security become more
vulnerable. With appropriate protection mechanisms, the privacy and
security can be improved to some extent. This document specifies
such a mechanism that builds a trusted relationship between DHCPv6
clients and servers before solicitation. The mechanism enables a
valid client to find and access the legitimate server or reject and
blacklist a rogue server.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 9, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
Lee, et al. Expires September 9, 2015 [Page 1]
Internet-Draft Secure Access Mechanism for DHCPv6 March 2015
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Related Works . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Overview of Secure Access Mechanism . . . . . . . . . . . . . 4
5. New DHCPv6 Messages . . . . . . . . . . . . . . . . . . . . . 5
6. Behaviour . . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Client Behaviour . . . . . . . . . . . . . . . . . . . . 6
6.2. Server Behaviour . . . . . . . . . . . . . . . . . . . . 7
6.3. Behaviour in Lightweight Mode . . . . . . . . . . . . . . 8
7. Further Protection Considerations . . . . . . . . . . . . . . 8
7.1. Unicast . . . . . . . . . . . . . . . . . . . . . . . . . 8
7.2. Encryption . . . . . . . . . . . . . . . . . . . . . . . 9
8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
10.1. Normative References . . . . . . . . . . . . . . . . . . 10
10.2. Informative References . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
[RFC3315] specifies the Dynamic Host Configuration Protocol for IPv6.
[I-D.ietf-dhc-dhcpv6-privacy] analyzes the DHCPv6 privacy issues and
discusses how various identifiers used in DHCPv6 could become a
source for gleaning additional information of an individual. Such
identifiers are included in various DHCPv6 messages. In other words,
there are important client information embedded in DHCPv6 messages.
If the messages are sent to a rogue server or an invalid third party,
end users' privacy and security may be compromised.
Current authentication models include secure DHCPv6
[I-D.ietf-dhc-sedhcpv6] and authentication mechanism defined in
[RFC3315]. Both share the primary goal of validating the identity of
message sender. They were not designed to protect client privacy.
DHCPv6 messages such as SOLICIT contains sensitive client
information, these messages are not protected. Further, current
authentication mechanisms focus more on the identity of clients, they
do not provide full authentication of the DHCPv6 server (e.g. server
Lee, et al. Expires September 9, 2015 [Page 2]
Internet-Draft Secure Access Mechanism for DHCPv6 March 2015
authentication in secure DHCPv6 is based on leap of faith). Current
authentication mechanisms aim to protect the DHCPv6 server by
preventing invalid clients from launching attacks such as DoS attack.
However when considered client privacy, the authenticity of server
really matters.
Hence there is a requirement to design a mechanism that sets up a
trusted relationship between a client and a server before starting
the DHCPv6 transaction (i.e. before DHCPv6 solicitation). In this
document, we propose such a peer entity authentication called Secure
Access by defining two new DHCPv6 messages. The Secure Access
mechanism makes use of server and client certificates and achieves
authentication through Public Key Infrastructure ([RFC5280]). With
the designed mechanism, a valid client can find and access the
legitimate server or reject and blacklist a rogue entity before
standard DHCPv6 process.
The Secure Access mechanism specified in this document does not
affect the current DHCP design. It is more like an alternative
extension, only the client who wants to improve the privacy will use
it. Another benefit is that further data protection solution such as
encryption can be based on the trusted relationship built by this
mechanism.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Related Works
This section briefly introduces the existed authentication models and
discusses their pros and cons when compared with the design in this
document.
Authentication mechanism defined in [RFC3315] provides a basic
verification of DHCPv6 messages sender and contents through using an
Authentication option. The Authentication option can be treated as a
symmetric key, which is a simple but limited authentication pattern.
Two specific protocol, Delayed Authentication Protocol and
Reconfigure Key Authentication Protocol, are proposed along with this
option. This authentication framework also allows future separate
authentication protocols to be put forward but it seems not to be
deployable.
Secure DHCPv6 ([I-D.ietf-dhc-sedhcpv6]) enhance the security of
DHCPv6 by using server's public/private key pairs and client's
Lee, et al. Expires September 9, 2015 [Page 3]
Internet-Draft Secure Access Mechanism for DHCPv6 March 2015
certificates to authenticate. To ease the pre-configuration of
authentication, the client make a leap of faith to trust the server.
While the server provide full authentication of client through
validating its certificate. Secure DHCPv6 also enables the recipient
to check the message integrity and offers anti-replay protection
using timestamps. Compared with authentication mechanism in
[RFC3315], secure DHCPv6 is more lightweight and provide better
protection when refers to the authentication of DHCPv6 clients.
4. Overview of Secure Access Mechanism
The Secure Access mechanism defined in this document is mainly based
on the server and client's certificates. Similar to secure DHCPv6,
we also make use of PKI (Public Key Infrastructure) to authenticate
relevant entities. Since both certificates of client and server are
required, a full bidirectional authentication between client and
server is available. The certificates used in this document are all
X.509 v3 certificates whose details can be found in [RFC5280].
If a client desires to improve privacy when using DHCPv6, it can
initiate the Secure Access process to achieve a peer entity
authentication. The client applies for its public key certificate
from a CA (Certificate Authority) which is signed by the CA's private
key. Then the client implements a new DHCPv6 message called
Authenticate and multicasts it to the servers. The Authenticate
message MUST carry the Certificate option defined in
[I-D.ietf-dhc-sedhcpv6] to provide server with client's public key
certificate. It is RECOMMENDED that the Authenticate message does
not carry options other than Certificate option for the privacy.
A legitimate server also needs to get its own certificate from CA as
the client does. The server receives the Authenticate message needs
to verify the client's certificate. Typically it uses the CA's
public key to validate whether the client is trusted or not.
Detailed process of the authentication is described in [RFC5280] and
is out of scope of this document. If the client is valid, the server
will respond a new DHCPv6 message called Authenticate-reply message
which contains a Certificate option (carry the server's public key
certificate) and a Server Unicast option. It is possible for the
server to carry more information (more options) in the Authenticate-
reply message (e.g. Server Unicast option).
The initiated client MAY receive more than one Authenticate-reply
messages from different servers. It verifies each Authenticate-reply
message by validating corresponding server certificate through PKI.
If the Authenticate-reply message does not contain a Certificate
option or the verification fails, the client will discard the message
and further blacklist the server. The client remember those servers
Lee, et al. Expires September 9, 2015 [Page 4]
Internet-Draft Secure Access Mechanism for DHCPv6 March 2015
who pass the verification as legitimated ones. In this way, the
client can find legitimate servers and trigger the normal DHCPv6
process in a more protected way (e.g. unicast or encryption).
This mechanism provides an end-to-end authentication between DHCPv6
clients and servers. When a relay agent is involved, the only
function it performs is forwarding. Also the relay agent does not
allowed to add any additional options.
The Secure Access mechanism also supports another lightweight mode
which only based on the server's certificate. Since it is uncommon
for a client to obtain a certificate from the CA, we have to make the
mechanism applied to such a scenario that only server certificate is
available. This may sacrifice the security of a DHCPv6 server to
some extent but will not do harm to the client privacy. Since the
server responses usually do not contain much client information. In
this lightweight mode, the server responds an Authenticate-reply
message as soon as it received a Authenticate message from the
client. Then the client performs the same process as the common mode
has described.
5. New DHCPv6 Messages
Two new DHCPv6 messages are defined to achieve the peer entity
authentication between clients and servers before standard DHCPv6
process. The Authenticate message is always sent by the client to
carry its certificate and the Authenticate-reply message is sent by
the server for client to validate its legitimacy. This section
describe the two new messages formats and structures.
Both Authenticate and Authenticate-reply message use the Client/
Server message formats described in Section 6 of [RFC3315]. Two new
message codes are defined in the following.
AUTHENTICATE (TBA1): The client multicasts an Authenticate message to
available servers to request for legitimate servers. The
Authenticate message contains client's certificate for server to
check its validity.
AUTHENTICATE-REPLY (TBA2): The server sends an Authenticate-reply
message to requesting client to prove its legitimacy by carrying the
Certificate option. It also needs to include a Server Unicast option
to provide the client with its address.
Lee, et al. Expires September 9, 2015 [Page 5]
Internet-Draft Secure Access Mechanism for DHCPv6 March 2015
6. Behaviour
This section describes the behaviour of DHCPv6 clients and servers
when Secure Access mechanism is deployed. It is suitable for the
clients who are concerned about their privacy and are eager to
improve it. All the behaviours are prior to the standard DHCPv6
process, that is to say the Secure Access mechanism will be finished
before the DHCPv6 Solicit message is sent to the server.
6.1. Client Behaviour
If a client wants to improve its privacy by finding a legitimate
server to communicate, it will be more reasonable that the requesting
client is also valid. In the context of this document, only valid
clients can obtain their certificates from a trusted CA. That would
require the CA to judge whether a client is valid or not. A common
and simple solution is to make the trusted CA handled by the ISP. In
this way, the trusted CA could easily achieve the verification
through ISP's registration data. While there could be more extra
solutions and the actual CA implementation is out of scope of this
document. A valid client can only have one certificate which is
signed by the trusted CA.
Once the client obtains its certificate, it can trigger the Secure
Access mechanism by multicasting the Authenticate message to the
servers (i.e. using the multicast addresses defined in [RFC3315]).
The client MUST insert only one Certificate option in the
Authenticate message. The Certificate option is used to carry the
client's certificate and is defined in [I-D.ietf-dhc-sedhcpv6]. In
order not to leak any client information in the Secure Access phase,
it is also RECOMMENDED that the Authenticate message does not include
any other options except for Certificate option.
After sending out the Authenticate message, the client is waiting for
servers' response. During this period, it will discard any DHCPv6
message that the message type is not AUTHENTICATE-REPLY. The client
is not allowed to send any other message whose message type is not
AUTHENTICATE until it finds an authenticated server.
On receipt of servers' Authenticate-reply messages, it first checks
the options field. The client simply discards the message if it
includes neither Certificate option nor Server Unicast option. If
the Authenticate-reply message include a Server Unicast option but
not a Certificate option, the client will blacklist this server as a
rogue server. If the Authenticate-reply message include a
Certificate option but not a Server Unicast option, the client will
also discard the received message. When both Certificate option and
Server Unicast option exist, the client extracts the Certificate
Lee, et al. Expires September 9, 2015 [Page 6]
Internet-Draft Secure Access Mechanism for DHCPv6 March 2015
options then verifies it through PKI. If the verification fails, the
client will blacklist the server. The client remembers servers who
pass the verification as legitimate servers and choose one to build
trusted relationship. Based on the trusted relationship, the client
can employ further protection means to initiate a standard DHCPv6
process. The further protection means are discussed in Section 7.
The client should implement a timer locally. If it has not received
any Authenticate-reply message when the timer expires, it will reset
the timer and resend its Authenticate message. If it still could not
receive any Authenticate-reply in the second expiration, the client
would treat this condition as a failure of authentication. There
could be various solutions for the failure such as reporting to the
user or starting standard DHCPv6 process that ignores the failure
condition. Which solution is employed is dependent on the client
side policy. The timer expiration and client side policy would vary
in different scenarios, hence their implementations are out of scope
of this document.
6.2. Server Behaviour
If a server is legitimate and support the Secure Access mechanism
defined in this document, it should obtain its certificate from the
same trusted CA when it is configured. Such server should provide
services for both standard DHCPv6 process and DHCPv6 with Secure
Access. When it receives a standard DHCPv6 message (e.g. Solicit),
it just follows the procedure defined in [RFC3315].
When the server receives an Authenticate message, it is an indication
that the client wishes to build a trusted relationship with a
legitimate server. The server who is willing to be accessed by such
a client extracts the Certificate option to validate the client
through PKI. If there is no Certificate option or the authentication
fails, the server will simply discard this message. If the client
can be proved to be valid (i.e. its certificate is trusted), the
server will respond an Authenticate-reply message to the valid
client. The Authenticate-reply message MUST include only one
Certificate option to carry server's certificate and one Server
Unicast option. It should be noted that the only function of Server
Unicast option is to provide the client with the server's IP address,
whether to unicast a message in the following process is depend on
the client side.
The server is allowed to add more options in the Authenticate-reply
message to provide any other information that it is willing to
present to the client. If the server receives an Authenticate
message twice, it will resend an Authenticate-reply message.
Lee, et al. Expires September 9, 2015 [Page 7]
Internet-Draft Secure Access Mechanism for DHCPv6 March 2015
If a server does not support the Secure Access mechanism defined in
this document, it will simply discard the received Authenticate
message and do nothing else.
6.3. Behaviour in Lightweight Mode
The Secure Access mechanism also supports a lightweight mode that the
authentication is only based on server certificates. Under this
circumstance, the server does not need to validate the client's
certificate. If a client wishes to start the Secure Access mechanism
in a lightweight mode, it will multicast the Authenticate message
without any option in it. If the server receives an Authenticate
message without any option, it is an indication that the lightweight
mode is employed. The server simply skips the process of validating
a client, responds the Authenticate-reply with the server
certificate. Then the client follows the same process after sending
out Authenticate message as described in section 6.1 to finish the
mechanism.
7. Further Protection Considerations
The Secure Access mechanism follows the peer entity authentication
principle defined in section 6.3, second bullet of [RFC6973]. With
the mechanism employed, it is possible for a client to find a
legitimate server and then build a trusted relationship with it. The
trusted relationship also makes further protection measures feasible.
This section briefly discusses such two further protection methods
that can be used to protect the later standard DHCPv6 process.
7.1. Unicast
In a typical DHCPv6 process, a client is always not aware of the
server's address when it sends the first message (i.e. Solicit
message). Thus DHCPv6 makes use of multicast to send the Solicit
message to any available server on the same link. The multicast
characteristic encourages more rogue servers or eavesdroppers to
appear. If the client could unicast message to the server, the
privacy could be improved effectively. Following the [RFC3315], a
client could unicast its message if it receives a Server Unicast
option from the server. However in the current design, it is
impossible to unicast a Solicit message or an Information-Request
message which also contains important client information. This is
due to both messages are always the first message in the standard
DHCPv6 transaction (Client-server Exchange Involving Two Messages and
Four Messages respectively).
With the Secure Access mechanism, the scenario that a Solicit message
or an Information-Request could not be unicast would be solved.
Lee, et al. Expires September 9, 2015 [Page 8]
Internet-Draft Secure Access Mechanism for DHCPv6 March 2015
Since the server includes a Server Unicast option in the
Authenticate-reply which is received before the standard DHCPv6
process. If the server can be proved as a legitimate server through
the Secure Access mechanism, the client could then use the server
address embedded in the Server Unicast option to unicast its Solicit
message or Information-request message. It should be noted that the
client may record multiple legitimate servers, it should choose one
to start unicast transaction based on a local policy. The detailed
policy is out of scope of this document.
7.2. Encryption
DHCPv6 message contains various identifiers that may expose important
client information. Confidentiality is always a better way to
improve the privacy since it can make the data secret from the
eavesdroppers. There are various encryption patterns could be used
to add confidentiality to the DHCPv6 process, but each of them would
require a pre-authentication to validate the identity of the two
endpoints.
The Secure Access mechanism just provides such an end-to-end
authentication to support the further encryption pattern. Encryption
also introduces some drawbacks such as more overhead, larger packet
size and so on. The encryption scheme for DHCPv6 should be
lightweight and do not need to be perfect. The further details of
DHCPv6 confidentiality is out of scope of this document and could be
defined in another separate document.
8. Security Considerations
TBD
9. IANA Considerations
This document defines two new DHCPv6 [RFC3315] messages. IANA is
requested to assign the following new DHCPv6 Message types in the
registry maintained in http://www.iana.org/assignments/
dhcpv6-parameters:
AUTHENTICATE
AUTHENTICATE-REPLY
10. References
Lee, et al. Expires September 9, 2015 [Page 9]
Internet-Draft Secure Access Mechanism for DHCPv6 March 2015
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, July
2013.
10.2. Informative References
[I-D.ietf-dhc-dhcpv6-privacy]
Krishnan, S., Mrugalski, T., and S. Jiang, "Privacy
considerations for DHCPv6", draft-ietf-dhc-
dhcpv6-privacy-00 (work in progress), February 2015.
[I-D.ietf-dhc-sedhcpv6]
Jiang, S., Shen, S., Zhang, D., and T. Jinmei, "Secure
DHCPv6", draft-ietf-dhc-sedhcpv6-06 (work in progress),
February 2015.
Authors' Addresses
Yiu L. Lee
Comcast
One Comcast Center
Philadelphia, PA 19103
U.S.A
Email: yiu_lee@cable.comcast.com
Lee, et al. Expires September 9, 2015 [Page 10]
Internet-Draft Secure Access Mechanism for DHCPv6 March 2015
Yong Cui
Tsinghua University
Beijing 100084
P.R.China
Phone: +86-10-6260-3059
Email: yong@csnet1.cs.tsinghua.edu.cn
ZiLong Liu
Tsinghua University
Beijing 100084
P.R.China
Phone: +86-10-6278-5822
Email: liuzilong8266@163.com
Linhui Sun
Tsinghua University
Beijing 100084
P.R.China
Phone: +86-10-6278-5822
Email: lh.sunlinh@gmail.com
Lee, et al. Expires September 9, 2015 [Page 11]