The DHCPv4 Relay Agent Identifier Suboption
draft-ietf-dhc-relay-id-suboption-12
The information below is for an old version of the document.
Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 6925.
|
|
---|---|---|---|
Authors | Bharat Joshi , D.T.V. Ramakrishna Rao , Mark Stapp | ||
Last updated | 2013-01-15 | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Reviews |
GENART Last Call review
(of
-11)
by Ben Campbell
Ready w/nits
|
||
Additional resources | Mailing list discussion | ||
Stream | WG state | WG Document | |
Document shepherd | (None) | ||
IESG | IESG state | Became RFC 6925 (Proposed Standard) | |
Consensus boilerplate | Unknown | ||
Telechat date |
(None)
Needs a YES. Needs 10 more YES or NO OBJECTION positions to pass. |
||
Responsible AD | Ralph Droms | ||
IESG note | ** No value found for 'doc.notedoc.note' ** | ||
Send notices to | dhc-chairs@tools.ietf.org, draft-ietf-dhc-relay-id-suboption@tools.ietf.org |
draft-ietf-dhc-relay-id-suboption-12
#x27; networks), for example, the role a device plays is often fixed and based on its location. Using manual address configuration is possible (and is common) but it would be beneficial if DHCP configuration could be applied to these networks. One way to provide connection-based identifiers for industrial networks is to have the network elements acting as DHCP relay agents supply information that a DHCP server could use as a client identifier. A straightforward way to form identifier information is to combine something that is unique within the scope of the network element, such as a port/slot value, with something that uniquely identifies that network element, such as a Relay Agent Identifier. 4. Suboption Format Format of the Relay Agent Identifier suboption: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |SUBOPT_RELAY_ID| length | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | . . . identifier (variable) . . . +---------------------------------------------------------------+ Where: SUBOPT_RELAY_ID [TBA] length the number of octets in the suboption (excluding the suboption ID and length fields); the minimum length is one. identifier the identifying data. 5. Identifier Stability If the relay identifier is to be meaningful it has to be stable. A relay agent SHOULD use a single identifier value consistently. The Joshi, et al. Expires July 19, 2013 [Page 4] Internet-Draft The Relay Agent Id Suboption January 2013 identifier used by a relay device SHOULD be committed to stable storage, unless the relay device can regenerate the value upon reboot. If the relay-id configured in a relay agent is not unique within its administrative domain, resource allocation problems may occur as the DHCP server attempts to allocate the same resource to devices behind two different relay agents. Therefore, relay-id configured in a relay agent MUST be unique within its administrative domain. To aid in ensuring uniqueness of relay-ids, relay agents SHOULD make their relay identifiers visible to their administrators via their user interface, through a log entry, through a MIB field, or through some other mechanism. Implementors of relay agents should note that the identifier needs to be present in all DHCP message types where its value is being used by the DHCP server. The relay agent may not be able to add the Relay Agent Information option to all messages - such as RENEW messages sent as IP unicasts. In some deployments that might mean that the server has to be willing to continue to associate the relay identifier it has last seen with a lease that is being RENEWed. Other deployments may prefer to use the Server Identifier Override suboption [RFC5107] to permit the relay device to insert the Relay Agent Information option into all relayed messages. Handling situations where a relay agent device is replaced is another aspect of stability. One of the use-cases for the relay identifier is to permit a server to associate clients' lease bindings with the relay device connected to the clients. If the relay device is replaced, because it has failed or been upgraded, it may be desirable for the new device to continue to provide the same relay identifier as the old device. Therefore if a relay agent supports relay-id, the relay-id should be administratively configurable. DISCUSSION: Administrators should take special care to ensure that relay-ids configured in their relay agents are not duplicated. Some implementation advice is offered to administrators with regard to configuration of relay-ids, detection and consequences of duplicate relay-ids. Configuration of Relay-IDs: Various strategies may be used to configure relay-ids. Any proposed strategy should be evaluated in terms of whether it can ensure unique relay-ids in the administrative domain. It should Joshi, et al. Expires July 19, 2013 [Page 5] Internet-Draft The Relay Agent Id Suboption January 2013 be noted that relay-ids configured using the strategy must also satisfy requirements as stated in the rest of this document (especially Section 5). One strategy that may be used is relay-id on a relay agent may re-use an existing identifier or set of identifiers that are already guaranteed to be unique (e.g., UUID [RFC4122] or IP address). Consequences and Detection of Duplication of Relay-IDs: This document only defines relay-id suboption but not its use-cases. Consequences of duplication of relay-ids depend on how relay-ids are used. Administrators should create mechanisms to detect duplication of relay-ids. Some mechanisms to detect duplication can be created based on use-cases of relay-id. For example, DHCP servers use various decision criteria during allocation of IP addresses and other resources. If relay-id is part of the decision criteria, DHCP server will attempt, but fail, to allocate the same resource (typically an IP address) to two devices on the opposite side of the two relay agents with duplicate IDs. In most cases this won't happen, because the DHCP server isn't configured that way; in the cases where it does happen, DHCP server should log the failure. It should be emphasized that these mechanisms may not be fool-proof at indicating duplication of relay-ids as the cause (the failures may be caused because of other reasons as well.) But they serve as a first step in the analysis towards detection of duplication relay-ids. In contrast, the following approach is suggested as a general mechanism to detect duplication of relay-ids. Network management systems collect various types of information from the devices under their control. As part of this, they should also collect relay-id configured for each relay-agent (it becomes easy to do if relay-id is exposed as a MIB field). At the network management subsystem that has visibility into the entire administrative domain, it should have back-end tools to check for duplicate relay ids in the collected information. 6. Security Considerations Security issues with the Relay Agent Information option and its use by servers in address assignment are discussed in [RFC3046] and [RFC4030]. The DHCP Relay Agent Information option depends on a trusted relationship between the DHCP relay agent and the DHCP Joshi, et al. Expires July 19, 2013 [Page 6] Internet-Draft The Relay Agent Id Suboption January 2013 server, as described in Section 5 of RFC 3046. While the introduction of fraudulent DHCP relay agent information options can be prevented by a perimeter defense that blocks these options unless the DHCP relay agent is trusted, a deeper defense using the authentication suboption for DHCP relay agent information option [RFC4030] SHOULD be deployed as well. It also helps in avoiding duplication of relay identifiers by malicious entities. However, implementation of authentication suboption for DHCP relay agent information option [RFC4030] is not a must to support relay-id suboption. 7. IANA Considerations We request that IANA assign a new suboption code from the registry of DHCP Agent Sub-Option Codes maintained in http://www.iana.org/assignments/bootp-dhcp-parameters. Relay Agent Identifier Suboption [TBA] 8. Acknowledgments Thanks to Bernie Volz, David W. Hankins, Pavan Kurapati and Ted Lemon for providing valuable suggestions. 9. References 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997. [RFC3046] Patrick, M., "DHCP Relay Agent Information Option", RFC 3046, January 2001. [RFC4030] Stapp, M. and T. Lemon, "The Authentication Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Option", RFC 4030, March 2005. Joshi, et al. Expires July 19, 2013 [Page 7] Internet-Draft The Relay Agent Id Suboption January 2013 9.2. Informative References [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, July 2005. [RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration Protocol (DHCP) Leasequery", RFC 4388, February 2006. [RFC5107] Johnson, R., Kumarasamy, J., Kinnear, K., and M. Stapp, "DHCP Server Identifier Override Suboption", RFC 5107, February 2008. [I-D.ietf-dhc-dhcpv4-bulk-leasequery] Kinnear, K., Stapp, M., Joshi, B., and N. Russell, "Bulk DHCPv4 Lease Query", draft-ietf-dhc-dhcpv4-bulk-leasequery-07 (work in progress), October 2012. Authors' Addresses Bharat Joshi Infosys Ltd. 44 Electronics City, Hosur Road Bangalore 560 100 India Email: bharat_joshi@infosys.com URI: http://www.infosys.com/ D.T.V Ramakrishna Rao Infosys Ltd. 44 Electronics City, Hosur Road Bangalore 560 100 India Email: ramakrishnadtv@infosys.com URI: http://www.infosys.com/ Joshi, et al. Expires July 19, 2013 [Page 8] Internet-Draft The Relay Agent Id Suboption January 2013 Mark Stapp Cisco Systems, Inc. 1414 Massachusetts Ave. Boxborough, MA 01719 USA Phone: +1 978 936 0000 Email: mjs@cisco.com Joshi, et al. Expires July 19, 2013 [Page 9]