The DHCPv4 Relay Agent Identifier Suboption
draft-ietf-dhc-relay-id-suboption-12
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 6925.
|
|
|---|---|---|---|
| Authors | Bharat Joshi , D.T.V. Ramakrishna Rao , Mark Stapp | ||
| Last updated | 2013-01-15 | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Reviews |
GENART Last Call review
(of
-11)
by Ben Campbell
Ready w/nits
|
||
| Additional resources | Mailing list discussion | ||
| Stream | WG state | WG Document | |
| Document shepherd | (None) | ||
| IESG | IESG state | Became RFC 6925 (Proposed Standard) | |
| Consensus boilerplate | Unknown | ||
| Telechat date |
(None)
Needs a YES. Needs 10 more YES or NO OBJECTION positions to pass. |
||
| Responsible AD | Ralph Droms | ||
| IESG note | ** No value found for 'doc.notedoc.note' ** | ||
| Send notices to | dhc-chairs@tools.ietf.org, draft-ietf-dhc-relay-id-suboption@tools.ietf.org |
draft-ietf-dhc-relay-id-suboption-12
#x27; networks),
for example, the role a device plays is often fixed and based on its
location. Using manual address configuration is possible (and is
common) but it would be beneficial if DHCP configuration could be
applied to these networks.
One way to provide connection-based identifiers for industrial
networks is to have the network elements acting as DHCP relay agents
supply information that a DHCP server could use as a client
identifier. A straightforward way to form identifier information is
to combine something that is unique within the scope of the network
element, such as a port/slot value, with something that uniquely
identifies that network element, such as a Relay Agent Identifier.
4. Suboption Format
Format of the Relay Agent Identifier suboption:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|SUBOPT_RELAY_ID| length | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
. .
. identifier (variable) .
. .
+---------------------------------------------------------------+
Where:
SUBOPT_RELAY_ID [TBA]
length the number of octets in the suboption
(excluding the suboption ID and length fields);
the minimum length is one.
identifier the identifying data.
5. Identifier Stability
If the relay identifier is to be meaningful it has to be stable. A
relay agent SHOULD use a single identifier value consistently. The
Joshi, et al. Expires July 19, 2013 [Page 4]
Internet-Draft The Relay Agent Id Suboption January 2013
identifier used by a relay device SHOULD be committed to stable
storage, unless the relay device can regenerate the value upon
reboot.
If the relay-id configured in a relay agent is not unique within its
administrative domain, resource allocation problems may occur as the
DHCP server attempts to allocate the same resource to devices behind
two different relay agents. Therefore, relay-id configured in a
relay agent MUST be unique within its administrative domain. To aid
in ensuring uniqueness of relay-ids, relay agents SHOULD make their
relay identifiers visible to their administrators via their user
interface, through a log entry, through a MIB field, or through some
other mechanism.
Implementors of relay agents should note that the identifier needs to
be present in all DHCP message types where its value is being used by
the DHCP server. The relay agent may not be able to add the Relay
Agent Information option to all messages - such as RENEW messages
sent as IP unicasts. In some deployments that might mean that the
server has to be willing to continue to associate the relay
identifier it has last seen with a lease that is being RENEWed.
Other deployments may prefer to use the Server Identifier Override
suboption [RFC5107] to permit the relay device to insert the Relay
Agent Information option into all relayed messages.
Handling situations where a relay agent device is replaced is another
aspect of stability. One of the use-cases for the relay identifier
is to permit a server to associate clients' lease bindings with the
relay device connected to the clients. If the relay device is
replaced, because it has failed or been upgraded, it may be desirable
for the new device to continue to provide the same relay identifier
as the old device. Therefore if a relay agent supports relay-id, the
relay-id should be administratively configurable.
DISCUSSION:
Administrators should take special care to ensure that relay-ids
configured in their relay agents are not duplicated. Some
implementation advice is offered to administrators with regard
to configuration of relay-ids, detection and consequences of
duplicate relay-ids.
Configuration of Relay-IDs:
Various strategies may be used to configure relay-ids. Any
proposed strategy should be evaluated in terms of whether it can
ensure unique relay-ids in the administrative domain. It should
Joshi, et al. Expires July 19, 2013 [Page 5]
Internet-Draft The Relay Agent Id Suboption January 2013
be noted that relay-ids configured using the strategy must also
satisfy requirements as stated in the rest of this document
(especially Section 5). One strategy that may be used is relay-id
on a relay agent may re-use an existing identifier or set of
identifiers that are already guaranteed to be unique (e.g.,
UUID [RFC4122] or IP address).
Consequences and Detection of Duplication of Relay-IDs:
This document only defines relay-id suboption but not its
use-cases. Consequences of duplication of relay-ids depend on
how relay-ids are used. Administrators should create mechanisms
to detect duplication of relay-ids.
Some mechanisms to detect duplication can be created based on
use-cases of relay-id. For example, DHCP servers use various
decision criteria during allocation of IP addresses and other
resources. If relay-id is part of the decision criteria, DHCP
server will attempt, but fail, to allocate the same resource
(typically an IP address) to two devices on the opposite side
of the two relay agents with duplicate IDs. In most cases this
won't happen, because the DHCP server isn't configured that way;
in the cases where it does happen, DHCP server should log the
failure.
It should be emphasized that these mechanisms may not be
fool-proof at indicating duplication of relay-ids as the cause
(the failures may be caused because of other reasons as well.)
But they serve as a first step in the analysis towards detection
of duplication relay-ids.
In contrast, the following approach is suggested as a general
mechanism to detect duplication of relay-ids. Network management
systems collect various types of information from the devices
under their control. As part of this, they should also collect
relay-id configured for each relay-agent (it becomes easy to do
if relay-id is exposed as a MIB field). At the network management
subsystem that has visibility into the entire administrative
domain, it should have back-end tools to check for duplicate
relay ids in the collected information.
6. Security Considerations
Security issues with the Relay Agent Information option and its use
by servers in address assignment are discussed in [RFC3046] and
[RFC4030]. The DHCP Relay Agent Information option depends on a
trusted relationship between the DHCP relay agent and the DHCP
Joshi, et al. Expires July 19, 2013 [Page 6]
Internet-Draft The Relay Agent Id Suboption January 2013
server, as described in Section 5 of RFC 3046. While the
introduction of fraudulent DHCP relay agent information options can
be prevented by a perimeter defense that blocks these options unless
the DHCP relay agent is trusted, a deeper defense using the
authentication suboption for DHCP relay agent information option
[RFC4030] SHOULD be deployed as well. It also helps in avoiding
duplication of relay identifiers by malicious entities. However,
implementation of authentication suboption for DHCP relay agent
information option [RFC4030] is not a must to support relay-id
suboption.
7. IANA Considerations
We request that IANA assign a new suboption code from the registry of
DHCP Agent Sub-Option Codes maintained in
http://www.iana.org/assignments/bootp-dhcp-parameters.
Relay Agent Identifier Suboption [TBA]
8. Acknowledgments
Thanks to Bernie Volz, David W. Hankins, Pavan Kurapati and Ted Lemon
for providing valuable suggestions.
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol",
RFC 2131, March 1997.
[RFC3046] Patrick, M., "DHCP Relay Agent Information Option",
RFC 3046, January 2001.
[RFC4030] Stapp, M. and T. Lemon, "The Authentication Suboption for
the Dynamic Host Configuration Protocol (DHCP) Relay Agent
Option", RFC 4030, March 2005.
Joshi, et al. Expires July 19, 2013 [Page 7]
Internet-Draft The Relay Agent Id Suboption January 2013
9.2. Informative References
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122,
July 2005.
[RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration
Protocol (DHCP) Leasequery", RFC 4388, February 2006.
[RFC5107] Johnson, R., Kumarasamy, J., Kinnear, K., and M. Stapp,
"DHCP Server Identifier Override Suboption", RFC 5107,
February 2008.
[I-D.ietf-dhc-dhcpv4-bulk-leasequery]
Kinnear, K., Stapp, M., Joshi, B., and N. Russell, "Bulk
DHCPv4 Lease Query",
draft-ietf-dhc-dhcpv4-bulk-leasequery-07 (work in
progress), October 2012.
Authors' Addresses
Bharat Joshi
Infosys Ltd.
44 Electronics City, Hosur Road
Bangalore 560 100
India
Email: bharat_joshi@infosys.com
URI: http://www.infosys.com/
D.T.V Ramakrishna Rao
Infosys Ltd.
44 Electronics City, Hosur Road
Bangalore 560 100
India
Email: ramakrishnadtv@infosys.com
URI: http://www.infosys.com/
Joshi, et al. Expires July 19, 2013 [Page 8]
Internet-Draft The Relay Agent Id Suboption January 2013
Mark Stapp
Cisco Systems, Inc.
1414 Massachusetts Ave.
Boxborough, MA 01719
USA
Phone: +1 978 936 0000
Email: mjs@cisco.com
Joshi, et al. Expires July 19, 2013 [Page 9]