draft-ietf-dhc-sedhcpv6-15.txt | draft-ietf-dhc-sedhcpv6-16.txt
DHC Working Group                                              S. Jiang
Internet-Draft                             Huawei Technologies Co., Ltd
Intended status: Standards Track                                  L. Li
Expires: April 19, 2017 | Expires: April 21, 2017                 Y. Cui
                                                    Tsinghua University
                                                              T. Jinmei
                                                           Infoblox Inc.
                                                               T. Lemon
                                                           Nominum, Inc.
                                                               D. Zhang
                      October 16, 2016 | October 18, 2016

                             Secure DHCPv6
           draft-ietf-dhc-sedhcpv6-15 | draft-ietf-dhc-sedhcpv6-16
Abstract

   DHCPv6 includes no deployable security mechanism that can protect
   end-to-end communication between DHCP clients and servers.  This
   document describes a mechanism for using public key cryptography to
   provide such security.  The mechanism provides encryption in all
   cases, and can be used for authentication based on pre-sharing of
   authorized certificates.
skipping to change at page 1, line 42

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 19, 2017. | This Internet-Draft will expire on April 21, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
skipping to change at page 2, line 35

     5.4.  Caused change to RFC3315 . . . . . . . . . . . . . . .   7
     5.5.  Applicability  . . . . . . . . . . . . . . . . . . . .   8
   6.  DHCPv6 Client Behavior . . . . . . . . . . . . . . . . . .   8
   7.  DHCPv6 Server Behavior . . . . . . . . . . . . . . . . . .  12
   8.  Relay Agent Behavior . . . . . . . . . . . . . . . . . . .  14
   9.  Processing Rules . . . . . . . . . . . . . . . . . . . . .  14
     9.1.  Increasing Number Check  . . . . . . . . . . . . . . .  14
   10. Extensions for Secure DHCPv6 . . . . . . . . . . . . . . .  15
     10.1.  New DHCPv6 Options  . . . . . . . . . . . . . . . . .  15
       10.1.1.  Certificate Option  . . . . . . . . . . . . . . .  15
       10.1.2.  Signature option  . . . . . . . . . . . . . . . .  16 | 17
       10.1.3.  Increasing-number Option  . . . . . . . . . . . .  18 | 19
       10.1.4.  Encrypted-message Option  . . . . . . . . . . . .  18 | 20
     10.2.  New DHCPv6 Messages . . . . . . . . . . . . . . . . .  19 | 21
     10.3.  Status Codes  . . . . . . . . . . . . . . . . . . . .  20 | 21
   11. Security Considerations  . . . . . . . . . . . . . . . . .  20 | 22
   12. IANA Considerations  . . . . . . . . . . . . . . . . . . .  21 | 22
   13. Acknowledgements . . . . . . . . . . . . . . . . . . . . .  22 | 24
   14. Change log [RFC Editor: Please remove] . . . . . . . . . .  23 | 24
   15. References . . . . . . . . . . . . . . . . . . . . . . . .  25 | 26
     15.1.  Normative References  . . . . . . . . . . . . . . . .  25 | 26
     15.2.  Informative References  . . . . . . . . . . . . . . .  26 | 28
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . .  27 | 28
1.  Introduction

   The Dynamic Host Configuration Protocol for IPv6 (DHCPv6, [RFC3315])
   allows DHCPv6 servers to flexibly provide addressing and other
   configuration information relating to local network infrastructure to
   DHCP clients.  The protocol provides no deployable security
   mechanism, and consequently is vulnerable to various attacks.

   This document provides a brief summary of the security
skipping to change at page 6, line 29

            |             Encryption-Query             |
            |----------------------------------------->|
            |         Encrypted-message option         |
            |         Server Identifier option         |
            |                                          |
            |            Encryption-Response           |
            |<-----------------------------------------|
            |         Encrypted-message option         |
            |                                          |

            Secure DHCPv6 Procedure | Figure 1: Secure DHCPv6 Procedure

5.2.  New Components

   The new components of the mechanism specified in this document are as
   follows:

   o  Servers and clients that use certificates first generate a public/
      private key pair and then obtain a certificate that signs the
      public key.  The Certificate option is defined to carry the
      certificate of the sender.
skipping to change at page 16, line 10 | skipping to change at page 15, line 39

   The Certificate option carries the certificate(s) of the client/
   server.  The format of the Certificate option is described as
   follows:

   [draft-15]

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      OPTION_CERTIFICATE       |          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    EA-num     |     EA-id     |     EA-id     |      ...      .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Cert-len    |                                               |
   +-+-+-+-+-+-+-+-+                                               .
   .                 Certificate (variable length)                 .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Cert-len    |                                               |
   +-+-+-+-+-+-+-+-+                                               .
   .                 Certificate (variable length)                 .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                              ...                              .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code   OPTION_CERTIFICATE (TBA1).
   option-len    1 + length of EA-id list + length of certificate
                 list in octets.
   EA-num        The number of the supported encryption algorithms.
   EA-id         Encryption Algorithm id.  The encryption algorithm
                 is used for the encrypted DHCPv6 configuration
                 process.  This design is adopted in order to provide
                 encryption algorithm agility.  The value is from the
                 Encryption Algorithm for Secure DHCPv6 registry in
                 IANA.  A registry of the initial assigned values
                 is defined in Section 12.
   Cert-len      The length of the certificate.
   Certificate   A variable-length field containing certificates.  The
                 encoding of certificate and certificate data MUST
                 be in format as defined in Section 3.6, [RFC7296].
                 The support of X.509 certificate is mandatory.

   [draft-16]

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      OPTION_CERTIFICATE       |          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                          EA-id List                           .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   .               Certificate List (variable length)              .
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Figure 2: Certificate Option

   o  option-code: OPTION_CERTIFICATE (TBA1).

   o  option-len: length of EA-id List + length of Certificate List in
      octets.

   o  EA-id List: The format of the EA-id List field is shown in
      Figure 3.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    EA-num     |                     EA-id                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                              ...                              .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             EA-id             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      EA-num      The number of the following EA-ids.
      EA-id       Encryption Algorithm id.  The encryption algorithm
                  is used for the encrypted DHCPv6 configuration
                  process.  This design is adopted in order to provide
                  encryption algorithm agility.  The value is from the
                  Encryption Algorithm for Secure DHCPv6 registry in
                  IANA.  A registry of the initial assigned values
                  is defined in Section 12.

                       Figure 3: EA-id List Field

   o  Certificate List: The format of the Certificate List Field is
      shown in Figure 4.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   cert-num    |   cert-len    |          certificate          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .             ...Certificate(variable length)(cont)             .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   .                              ...                              .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   cert-len    |                  certificate                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .             ...certificate(variable length)(cont)             .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      cert-num    The number of the following certificates.
      cert-len    The length of the certificate.
      Certificate A variable-length field containing certificates.  The
                  encoding of certificate and certificate data MUST
                  be in format as defined in Section 3.6, [RFC7296].
                  The support of X.509 certificate is mandatory.

                    Figure 4: Certificate List Field
10.1.2.  Signature option

   The Signature option allows a signature that is signed by the private
   key to be attached to a DHCPv6 message.  The Signature option could
   be in any place within the DHCPv6 message while it is logically
   created after the entire DHCPv6 header and options.  It protects the
   entire DHCPv6 header and options, including itself.  The format of
   the Signature option is described as follows:

   [draft-15]

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       OPTION_SIGNATURE        |          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    SA-num     |     SA-id     |     SA-id     |      ...      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    HA-num     |     HA-id     |     HA-id     |      ...      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   .                    Signature (variable length)                .
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code   OPTION_SIGNATURE (TBA2).
   option-len    2 + length of SA-id list + length of HA-id list +
                 length of Signature field in octets.
   SA-id         Signature Algorithm id.  The signature algorithm is
                 used for computing the signature result.  This
                 design is adopted in order to provide signature
                 algorithm agility.  The value is from the Signature
                 Algorithm for Secure DHCPv6 registry in IANA.  The
                 support of RSASSA-PKCS1-v1_5 is mandatory.  A
                 registry of the initial assigned values is defined
                 in Section 12.
   HA-id         Hash Algorithm id.  The hash algorithm is used for
                 computing the signature result.  This design is
                 adopted in order to provide hash algorithm agility.
                 The value is from the Hash Algorithm for Secure
                 DHCPv6 registry in IANA.  The support of SHA-256 is
                 mandatory.  A registry of the initial assigned values
                 is defined in Section 12.  If the signature algorithm
                 and hash algorithm cannot be separated, the HA-id
                 field is zero.  The hash algorithm is decided by the
                 corresponding signature algorithm.
   Signature     A variable-length field containing a digital
                 signature.  The signature value is computed with
                 the hash algorithm and the signature algorithm,
                 as described in HA-id and SA-id.  The signature
                 constructed by using the sender's private key
                 protects the following sequence of octets:

                 1.  The DHCPv6 message header.

                 2.  All DHCPv6 options including the Signature
                     option (fill the Signature field with zeroes).

                 The Signature field MUST be padded, with all 0, to
                 the next octet boundary if its size is not a
                 multiple of 8 bits.  The padding length depends on
                 the signature algorithm, which is indicated in the
                 SA-id field.

   [draft-16]

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       OPTION_SIGNATURE        |          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                          SA-id List                           .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                          HA-id List                           .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   .                    Signature (variable length)                .
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                       Figure 5: Signature Option

   o  option-code: OPTION_SIGNATURE (TBA2).

   o  option-len: length of SA-id list + length of HA-id list + length
      of Signature field in octets.

   o  SA-id List: The format of the SA-id List field is shown in
      Figure 6.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    SA-num     |                     SA-id                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                              ...                              .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             SA-id             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      SA-num      The number of the following SA-ids.
      SA-id       Signature Algorithm id.  The signature algorithm is
                  used for computing the signature result.  This
                  design is adopted in order to provide signature
                  algorithm agility.  The value is from the Signature
                  Algorithm for Secure DHCPv6 registry in IANA.  The
                  support of RSASSA-PKCS1-v1_5 is mandatory.  A
                  registry of the initial assigned values is defined
                  in Section 12.

                       Figure 6: EA-id List Field

   o  HA-id List: The format of the HA-id List field is shown in
      Figure 7.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    HA-num     |                     HA-id                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                              ...                              .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             HA-id             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      HA-num      The number of the following HA-ids.
      HA-id       Hash Algorithm id.  The hash algorithm is used for
                  computing the signature result.  This design is
                  adopted in order to provide hash algorithm agility.
                  The value is from the Hash Algorithm for Secure
                  DHCPv6 registry in IANA.  The support of SHA-256 is
                  mandatory.  A registry of the initial assigned values
                  is defined in Section 12.  If the signature algorithm
                  and hash algorithm cannot be separated, the HA-id
                  field is zero.  The hash algorithm is decided by the
                  corresponding signature algorithm.

                       Figure 7: HA-id List Field

   o  Signature: A variable-length field containing a digital signature.
      The signature value is computed with the hash algorithm and the
      signature algorithm, as described in HA-id and SA-id.  The
      Signature field MUST be padded, with all 0, to the next octet
      boundary if its size is not a multiple of 8 bits.  The padding
      length depends on the signature algorithm, which is indicated in
      the SA-id field.

   Note: If Secure DHCPv6 is used, the DHCPv6 message is encrypted in a
   way that the authentication mechanism defined in RFC3315 does not
   understand.  So the Authentication option SHOULD NOT be used if
   Secure DHCPv6 is applied.
10.1.3.  Increasing-number Option

   The Increasing-number option carries the number which is higher than
   the local stored number on the client/server.  It adds the anti-

skipping to change at page 18, line 43 | skipping to change at page 20, line 23

   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code     OPTION_INCREASING_NUM (TBA3).
   option-len      8, in octets.
   IncreasingNum   A strictly increasing number for the replay attack
                   detection which is more than the local stored number.

   [draft-16 only]
                   Figure 8: Increasing-number Option
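The receiver-side handling of the two options above, as an added example that is not part of the draft and not the authors' code: a message is built with a Signature option whose signature covers the DHCPv6 header and every option, the Signature option itself included with its Signature field zero-filled (the draft-15 wording of the Signature field), the receiver verifies it by re-zeroing the field at its offset wherever the option sits in the message, and only then applies the strictly-increasing check of the Increasing-number option (Section 9.1). Everything below that is not in the draft is an assumption: the option codes stand in for TBA2/TBA3 and the SA-id/HA-id values for registry entries not yet assigned; the RSA keypair is a 512-bit textbook toy generated in-line so the example runs offline (never use such a key for real); the SA-id and HA-id lists carry one id each; "bad-signature" and "malformed" are local labels, only ReplayDetected is a status code from the draft.

```python
# Added example (not from the draft): Signature option construction/verification
# (10.1.2) and the Increasing-number replay check (10.1.3, 9.1).  Option codes
# and algorithm ids are TBA in the draft; the values below are placeholders.
import hashlib, math, random, struct

OPTION_SIGNATURE, OPTION_INCREASING_NUM = 0xFF02, 0xFF03  # assumed (TBA2/TBA3)
SA_RSASSA_PKCS1_V1_5, HA_SHA256 = 1, 1                    # assumed registry values
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_prime(n, rng, rounds=20):  # Miller-Rabin; n is odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512, seed=1):  # deterministic toy keypair ((n, e), (n, d))
    rng, e, half, primes = random.Random(seed), 65537, bits // 2, []
    while len(primes) < 2:
        c = rng.getrandbits(half) | 1 << (half - 1) | 1
        if _is_prime(c, rng) and c not in primes and math.gcd(e, c - 1) == 1:
            primes.append(c)
    p, q = primes
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _emsa(data, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(data) into k octets
    t = DIGESTINFO_SHA256 + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, data):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(data, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, data, sig):
    n, e = pub
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return len(sig) == k and s < n and pow(s, e, n).to_bytes(k, "big") == _emsa(data, k)

def option(code, body):  # RFC 3315 option TLV: 2-octet code, 2-octet length
    return struct.pack("!HH", code, len(body)) + body

def parse_options(msg):  # [(offset, code, body)] after the 4-octet header
    out, off = [], 4
    while off < len(msg):
        if off + 4 > len(msg):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", msg, off)
        if off + 4 + length > len(msg):
            raise ValueError("option length runs past end of message")
        out.append((off, code, msg[off + 4:off + 4 + length]))
        off += 4 + length
    return out

def sign_message(msg_type, xid, options, priv):
    """Header + options + Signature option; the signature covers the whole message,
    Signature option included, with the Signature field zero-filled (-15 wording)."""
    ids = bytes([1, SA_RSASSA_PKCS1_V1_5, 1, HA_SHA256])  # one SA-id, one HA-id
    body = bytes([msg_type]) + xid + b"".join(options)
    k = (priv[0].bit_length() + 7) // 8
    sig = rsa_sign(priv, body + option(OPTION_SIGNATURE, ids + bytes(k)))
    return body + option(OPTION_SIGNATURE, ids + sig)

def verify_signature(msg, pub):
    """True iff exactly one well-formed Signature option naming the mandatory
    algorithms is present and verifies over the zero-filled message."""
    sigs = [(o, b) for o, c, b in parse_options(msg) if c == OPTION_SIGNATURE]
    if len(sigs) != 1:
        return False
    off, body = sigs[0]
    sa_num = body[0] if body else 255          # 255 makes the length check fail
    ha_num = body[1 + sa_num] if len(body) > 1 + sa_num else 255
    start = 2 + sa_num + ha_num                # Signature field offset in option
    if start > len(body) or SA_RSASSA_PKCS1_V1_5 not in body[1:1 + sa_num] \
            or HA_SHA256 not in body[2 + sa_num:start]:
        return False
    sig, field = body[start:], off + 4 + start  # absolute offset of the field
    zeroed = msg[:field] + bytes(len(sig)) + msg[field + len(sig):]
    return rsa_verify(pub, zeroed, sig)

def receive(state, peer, msg, pub):  # state: peer -> highest number accepted
    if not verify_signature(msg, pub):       # verify first: a forgery must not
        return "bad-signature"               # advance the stored number
    nums = [b for _, c, b in parse_options(msg) if c == OPTION_INCREASING_NUM]
    if len(nums) != 1 or len(nums[0]) != 8:  # option-len is fixed at 8
        return "malformed"
    num = struct.unpack("!Q", nums[0])[0]
    if num <= state.get(peer, -1):           # must be strictly higher (9.1)
        return "ReplayDetected"
    state[peer] = num
    return "ok"
```

The ordering in receive is the point to keep: if the Increasing-number were consulted before the signature, an attacker on the link could send an unsigned or badly signed message carrying a very large number, push the stored value past anything the legitimate peer will ever send, and turn every genuine message into ReplayDetected. Because the Signature option may sit anywhere in the message, parse_options reports each option's offset so the verifier can zero exactly the Signature field in place rather than assuming the option is last.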
10.1.4.  Encrypted-message Option

   The Encrypted-message option carries the encrypted DHCPv6 message
   with the recipient's public key.

   The format of the Encrypted-message option is:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          option-code          |          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   .                   encrypted DHCPv6 message                    .
   .                           (variable)                          .
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Figure 1: Encrypted-message Option Format | Figure 1: Encrypted-message Option

   option-code   OPTION_ENCRYPTED_MSG (TBA4).
   option-len    Length of the encrypted DHCPv6 message.
   encrypted DHCPv6 message   A variable length field containing the
                 encrypted DHCPv6 message sent by the client or the
                 server.  In Encrypted-Query message, it contains
                 encrypted DHCPv6 message sent by a client.  In
                 Encrypted-response message, it contains encrypted
                 DHCPv6 message sent by a server.
skipping to change at page 23, line 7 | skipping to change at page 24, line 27

   Sean Turner, Stephen Farrell, Christian Huitema, Stephen Kent, Thomas
   Huth, David Schumacher, Francis Dupont, Gang Chen, Suresh Krishnan,
   Fred Templin, Robert Elz, Nico Williams, Erik Kline, Alan DeKok,
   Bernard Aboba, Sam Hartman, Qi Sun, Zilong Liu and other members of
   the IETF DHC working group for their valuable comments.

   This document was produced using the xml2rfc tool [RFC2629].

14.  Change log [RFC Editor: Please remove]

   [draft-16 only]
   draft-ietf-dhc-sedhcpv6-15: Increasing number option only contains
   the strictly increasing number; Add some description about why
   encryption is needed in Security Issues of DHCPv6 part; For the
   algorithm agility part, the provider can offer multiple EA-id, SA-id,
   HA-id and then receiver choose one from the algorithm set.

   draft-ietf-dhc-sedhcpv6-14: For the deployment part, Tofu is out of
   scope and take Opportunistic security into consideration; Increasing
   number option is changed into 64 bits; Increasing number check is a
   separate section; IncreasingnumFail error status code is changed into
   ReplayDetected error status code; Add the section of "caused change
   to RFC3315";

   draft-ietf-dhc-sedhcpv6-13: Change the Timestamp option into
   Increasing-number option and the corresponding check method; Delete
   the OCSP stapling part for the certificate check; Add the scenario
End of changes.  23 change blocks.
54 lines changed or deleted | 121 lines changed or added

This html diff was produced by rfcdiff 1.45.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/