draft-ietf-dhc-authentication-14.txt

DHCP服务器源码

Network Working Group                                   R. Droms, Editor
INTERNET DRAFT                                       Bucknell University
Obsoletes: draft-ietf-dhc-authentication-13.txt       W. Arbaugh, Editor
                                                  University of Maryland
                                                               July 2000
                                                   Expires December 2000


                    Authentication for DHCP Messages
                 <draft-ietf-dhc-authentication-14.txt>

Status of this memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet- Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt, and the list of
   Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.


Abstract

   The Dynamic Host Configuration Protocol (DHCP) provides a framework
   for passing configuration information to hosts on a TCP/IP network.
   In some situations, network administrators may wish to constrain the
   allocation of addresses to authorized hosts.  Additionally, some
   network administrators may wish to provide for authentication of the
   source and contents of DHCP messages.  This document defines a new
   DHCP option through which authorization tickets can be easily
   generated and newly attached hosts with proper authorization can be
   automatically configured from an authenticated DHCP server.

1. Introduction

   DHCP [1] transports protocol stack configuration parameters from
   centrally administered servers to TCP/IP hosts.  Among those
   parameters are an IP address.  DHCP servers can be configured to
   dynamically allocate addresses from a pool of addresses, eliminating



Droms, Arbaugh                                                  [Page 1]

DRAFT               Authentication for DHCP Messages          March 2000


   a manual step in configuration of TCP/IP hosts.

   Some network administrators may wish to provide authentication of the
   source and contents of DHCP messages.  For example, clients may be
   subject to denial of service attacks through the use of bogus DHCP
   servers, or may simply be misconfigured due to unintentionally
   instantiated DHCP servers.  Network administrators may wish to
   constrain the allocation of addresses to authorized hosts to avoid
   denial of service attacks in "hostile" environments where the network
   medium is not physically secured, such as wireless networks or
   college residence halls.

   This document defines a technique that can provide both entity
   authentication and message authentication.

   DISCUSSION:

      This draft combines the original Schiller-Huitema-Droms
      authentication mechanism defined in a previous Internet Draft with
      the "delayed authentication" proposal developed by Bill Arbaugh.

1.1 DHCP threat model

   The threat to DHCP is inherently an insider threat (assuming a
   properly configured network where BOOTP ports are blocked on the
   enterprise's perimeter gateways.)  Regardless of the gateway
   configuration, however, the potential attacks by insiders and
   outsiders are the same.

   The attack specific to a DHCP client is the possibility of the
   establishment of a "rogue" server with the intent of providing
   incorrect configuration information to the client. The motivation for
   doing so may be to establish a "man in the middle" attack or it may
   be for a "denial of service" attack.

   There is another threat to DHCP clients from mistakenly or
   accidentally configured DHCP servers that answer DHCP client requests
   with unintentionally incorrect configuration parameters.

   The threat specific to a DHCP server is an invalid client
   masquerading as a valid client. The motivation for this may be for
   "theft of service", or to circumvent auditing for any number of
   nefarious purposes.

   The threat common to both the client and the server is the resource
   "denial of service" (DoS) attack. These attacks typically involve the
   exhaustion of valid addresses, or the exhaustion of CPU or network
   bandwidth, and are present anytime there is a shared resource. In



Droms, Arbaugh                                                  [Page 2]

DRAFT               Authentication for DHCP Messages          March 2000


   current practice, redundancy mitigates DoS attacks the best.

1.2 Design goals

   These are the goals that were used in the development of the
   authentication protocol, listed in order of importance:

   1. Address the threats presented in Section 1.1.
   2. Avoid changing the current protocol.
   3. Limit state required by the server.
   4. Limit complexity (complexity breeds design and implementation
      errors).

1.3 Requirements Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [5].

1.4 DHCP Terminology

   This document uses the following terms:

      o "DHCP client"

        A DHCP client or "client" is an Internet host using DHCP to obtain
        configuration parameters such as a network address.

      o "DHCP server"

        A DHCP server or "server" is an Internet host that returns
        configuration parameters to DHCP clients.

2. Format of the authentication option

   The following diagram defines the format of the DHCP
   authentication option:


   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |    Length     |  Protocol     |   Algorithm   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     RDM       | Replay Detection (64 bits)                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Replay cont. |                                               |
   +-+-+-+-+-+-+-+-+                                               |



Droms, Arbaugh                                                  [Page 3]

DRAFT               Authentication for DHCP Messages          March 2000


   |                                                               |
   |           Authentication Information                          |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+



   The code for the authentication option is TBD, and the length field
   contains the length of the protocol, RDM, algorithm, Replay Detection
   fields and authentication information fields in octets.

   The protocol field defines the particular technique for
   authentication used in the option.  New protocols are defined as
   described in Section 6.

   The algorithm field defines the specific algorithm within the
   technique identified by the protocol field.

   The Replay Detection field is per the RDM, and the authentication
   information field is per the protocol in use.

   The Replay Detection Method (RDM) field determines the type of replay
   detection used in the Replay Detection field.

      If the RDM field contains 0x00, the replay detection field MUST be
      set to the value of a monotonically increasing counter.  Using a
      counter value such as the current time of day (e.g., an NTP-format
      timestamp [4]) can reduce the danger of replay attacks. This
      method MUST be supported by all protocols.

      Other values of the RDM field are reserved for future definition
      according to the procedures described in section 6.

   This document defines two protocols in sections 4 and 5, encoded with
   protocol field values 0 and 1.  Protocol field values 2-254 are
   reserved for future use.  Other protocols may be defined according to
   the procedure described in section 6.

3. Interaction with Relay Agents

   Because a DHCP relay agent may alter the values of the 'giaddr' and
    'hops' fields in the DHCP message, the contents of those two fields
   MUST be set to zero for the computation of any hash function over the
   message header. Additionally, a relay agent may append the DHCP relay
   agent information option 82 [7] as the last option in a message to
   servers. If a server finds option 82 included in a received message,
   the server MUST compute any hash function as if the option were NOT
   included in the message without changing the order of options.



Droms, Arbaugh                                                  [Page 4]

DRAFT               Authentication for DHCP Messages          March 2000


   Whenever the server sends back option 82 to a relay agent, the server
   MUST not include the option in the computation of any hash function
   over the message.


4. Protocol 0

   If the protocol field is 0, the authentication information field
   holds a simple authentication token:


   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |    Length     |0 0 0 0 0 0 0 0|0 0 0 0 0 0 0 0|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0 0 0 0 0 0 0 0| Replay Detection (64 bits)                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Replay cont. |                                               |
   +-+-+-+-+-+-+-+-+                                               |
   |                                                               |
   |           Authentication Information                          |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   The authentication token is an opaque, unencoded value known to both
   the sender and receiver.  The sender inserts the authentication token
   in the DHCP message and the receiver matches the token from the
   message to the shared token.  If the authentication option is present
   and the token from the message does not match the shared token, the
   receiver MUST discard the message.

   Protocol 0 may be used to pass a plain-text password and provides
   only weak entity authentication and no message authentication.  This
   protocol is only useful for rudimentary protection against
   inadvertently instantiated DHCP servers.

   DISCUSSION:

      The intent here is to pass a constant, non-computed token such as
      a plain-text password.  Other types of entity authentication using
      computed tokens such as Kerberos tickets or one-time passwords
      will be defined as separate protocols.


5. Protocol 1




Droms, Arbaugh                                                  [Page 5]

DRAFT               Authentication for DHCP Messages          March 2000


   If the protocol field is 1, the message is using the "delayed
   authentication" mechanism.  In delayed authentication, the client
   requests authentication in its DHCPDISCOVER message and the server
   replies with a DHCPOFFER message that includes authentication
   information. This authentication information contains a nonce value
   generated by the source as a message authentication code (MAC) to
   provide message authentication and entity authentication.

   This document defines the use of a particular technique based on the
   HMAC protocol [3] using the MD5 hash [2].

5.1 Management Issues

   The "delayed authentication" protocol does not attempt to address
   situations where a client may roam from one administrative domain to
   another, i.e. interdomain roaming.  This protocol is focused on
   solving the intradomain problem where the out-of-band exchange of a
   shared secret is feasible.