Network Working Group M. Patrick
Request for Comments: 3046 Motorola BCS
Category: Standards Track January 2001
DHCP Relay Agent Information Option
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
Newer high-speed public Internet access technologies call for a
high-speed modem to have a local area network (LAN) attachment to one
or more customer premise hosts. It is advantageous to use the
Dynamic Host Configuration Protocol (DHCP) as defined in RFC 2131 to
assign customer premise host IP addresses in this environment.
However, a number of security and scaling problems arise with such
"public" DHCP use. This document describes a new DHCP option to
address these issues. This option extends the set of DHCP options as
defined in RFC 2132.
The new option is called the Relay Agent Information option and is
inserted by the DHCP relay agent when forwarding client-originated
DHCP packets to a DHCP server. Servers recognizing the Relay Agent
Information option may use the information to implement IP address or
other parameter assignment policies. The DHCP Server echoes the
option back verbatim to the relay agent in server-to-client replies,
and the relay agent strips the option before forwarding the reply to
the client.
The "Relay Agent Information" option is organized as a single DHCP
option that contains one or more "sub-options" that convey
information known by the relay agent. The initial sub-options are
defined for a relay agent that is co-located in a public circuit
access unit. These include a "circuit ID" for the incoming circuit,
and a "remote ID" which provides a trusted identifier for the remote
high-speed modem.
Patrick Standards Track [Page 1]
RFC 3046 DHCP Relay Agent Information Option January 2001
Table of Contents
1 Introduction........................................... 2
1.1 High-Speed Circuit Switched Data Networks.............. 2
1.2 DHCP Relay Agent in the Circuit Access Equipment....... 4
2.0 Relay Agent Information Option......................... 5
2.1 Agent Operation........................................ 6
2.1.1 Reforwarded DHCP requests............................ 7
2.2 Server Operation....................................... 7
3.0 Relay Agent Information Suboptions..................... 8
3.1 Agent Circuit ID....................................... 8
3.2 Agent Remote ID........................................ 9
4.0 Issues Resolved........................................ 9
5.0 Security Considerations................................ 10
6.0 IANA Considerations.................................... 11
7.0 Intellectual Property Notice........................... 12
8.0 References............................................. 12
9.0 Glossary............................................... 13
10.0 Author's Address...................................... 13
11.0 Full Copyright Statement ............................. 14
1 Introduction
1.1 High-Speed Circuit Switched Data Networks
Public Access to the Internet is usually via a circuit switched data
network. Today, this is primarily implemented with dial-up modems
connecting to a Remote Access Server. But higher speed circuit
access networks also include ISDN, ATM, Frame Relay, and Cable Data
Networks. All of these networks can be characterized as a "star"
topology where multiple users connect to a "circuit access unit" via
switched or permanent circuits.
With dial-up modems, only a single host PC attempts to connect to the
central point. The PPP protocol is widely used to assign IP
addresses to be used by the single host PC.
The newer high-speed circuit technologies, however, frequently
provide a LAN interface (especially Ethernet) to one or more host
PCs. It is desirable to support centralized assignment of the IP
addresses of host computers connecting on such circuits via DHCP.
The DHCP server can be, but usually is not, co-implemented with the
centralized circuit concentration access device. The DHCP server is
often connected as a separate server on the "Central LAN" to which
the central access device (or devices) attach.
A common physical model for high-speed Internet circuit access is
shown in Figure 1, below.
                                    +---------------+                    |
                        Central     |  Circuit      |-- ckt 1--- Modem1-- Host-|- Host A
                          LAN    |  |  Access       |                   Lan  |- Host B
                                 |  |  Unit 1       |                        |- Host C
                                 |--|               |--                      |
                                 |  |(relay agent)  |...
                   +---------+   |  +---------------+
                   | DHCP    |--|
                   | Server  |   |
                   +---------+   |
                                 |
                                 |  +---------------+
                   +---------+   |  |  Circuit      |-- ckt 1--- Modem2-- Host--- Host D
                   | Other   |   |  |  Access       |                     Lan
                   | Servers |--|--|  Unit 2        |
                   | (Web,   |   |  |               |-- ckt 2--- Modem3-- Host--- Host E
                   |  DNS)   |   |  |(relay agent)  |...                  Lan
                   |         |   |  +---------------+
                   +---------+
Figure 1: DHCP High Speed Circuit Access Model
Note that in this model, the "modem" connects to a LAN at the user
site, rather than to a single host. Multiple hosts are implemented
at this site. Although it is certainly possible to implement a full
IP router at the user site, this requires a relatively expensive
piece of equipment (compared to typical modem costs). Furthermore, a
router requires an IP address not only for every host, but for the
router itself. Finally, a user-side router requires a dedicated
Logical IP Subnet (LIS) for each user. While this model is
appropriate for relatively small corporate networking environments,
it is not appropriate for large, public accessed networks. In this
scenario, it is advantageous to implement an IP networking model that
does not allocate an IP address for the modem (or other networking
equipment device at the user site), and especially not an entire LIS
for the user side LAN.
Note that using this method to obtain IP addresses means that IP
addresses can only be obtained while communication to the central
site is available. Some host LAN installations may use a local DHCP
server or other methods to obtain IP addresses for in-house use.
1.2 DHCP Relay Agent in the Circuit Access Unit
It is desirable to use DHCP to assign the IP addresses for public
high-speed circuit access. A number of circuit access units (e.g.,
RAS's, cable modem termination systems, ADSL access units, etc)
connect to a LAN (or local internet) to which is attached a DHCP
server.
For scaling and security reasons, it is advantageous to implement a
"router hop" at the circuit access unit, much like high-capacity
RAS's do today. The circuit access equipment acts as both a router
to the circuits and as the DHCP relay agent.
The advantages of co-locating the DHCP relay agent with the circuit
access equipment are:
DHCP broadcast replies can be routed to only the proper circuit,
avoiding, say, the replication of the DHCP reply broadcast onto
thousands of access circuits;
The same mechanism used to identify the remote connection of the
circuit (e.g., a user ID requested by a Remote Access Server acting
as the circuit access equipment) may be used as a host identifier by
DHCP, and used for parameter assignment. This includes centralized
assignment of IP addresses to hosts. This provides a secure remote
ID from a trusted source -- the relay agent.
A number of issues arise when forwarding DHCP requests from hosts
connecting publicly accessed high-speed circuits with LAN connections
at the host. Many of these are security issues arising from DHCP
client requests from untrusted sources. How does the relay agent
know to which circuit to forward replies? How does the system
prevent DHCP IP exhaustion attacks? This is when an attacker
requests all available IP addresses from a DHCP server by sending
requests with fabricated client MAC addresses. How can an IP address
or LIS be permanently assigned to a particular user or modem? How
does one prevent "spoofing" of client identifier fields used to
assign IP addresses? How does one prevent denial of service by
"spoofing" other clients' MAC addresses?
All of these issues may be addressed by having the circuit access
equipment, which is a trusted component, add information to DHCP
client requests that it forwards to the DHCP server.
2.0 Relay Agent Information Option
This document defines a new DHCP Option called the Relay Agent
Information Option. It is a "container" option for specific agent-
supplied sub-options. The format of the Relay Agent Information
option is:
Code Len Agent Information Field
+------+------+------+------+------+------+--...-+------+
| 82 | N | i1 | i2 | i3 | i4 | | iN |
+------+------+------+------+------+------+--...-+------+
The length N gives the total number of octets in the Agent
Information Field. The Agent Information field consists of a
sequence of SubOpt/Length/Value tuples for each sub-option, encoded
in the following manner:
SubOpt Len Sub-option Value
+------+------+------+------+------+------+--...-+------+
| 1 | N | s1 | s2 | s3 | s4 | | sN |
+------+------+------+------+------+------+--...-+------+
SubOpt Len Sub-option Value
+------+------+------+------+------+------+--...-+------+
| 2 | N | i1 | i2 | i3 | i4 | | iN |
+------+------+------+------+------+------+--...-+------+
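The following is an added worked example, not text or code from RFC 3046, showing the option 82 layout above in Python: an encoder that builds the container from SubOpt/Len/Value tuples, a decoder that enforces the framing rules this section gives (length N covers exactly the sub-option tuples, minimum length 2, no 255 terminator, zero-length sub-options allowed), and the strip step a relay agent performs on the server's reply before forwarding it to the client. The circuit ID string and the six-octet remote ID are constructed sample values; the constant and function names are the example's own.

```python
# Added example for RFC 3046 section 2.0 (not part of the RFC). Sub-option
# codes 1 (circuit ID) and 2 (remote ID) are the ones the RFC defines; the
# sample values used at the bottom are constructed for illustration.

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def encode_option82(suboptions):
    """Build the option 82 TLV from an ordered list of (subopt, value) pairs.

    Each sub-option is SubOpt/Len/Value where Len counts only that
    sub-option's own value octets (zero is allowed).  No pad sub-option and
    no 255 terminator are emitted, and the outer length N covers every
    sub-option tuple, as the RFC requires.
    """
    if not suboptions:
        raise ValueError("at least one sub-option is required")
    field = bytearray()
    for code, value in suboptions:
        if code in (0, 255):
            raise ValueError("sub-option codes 0 (pad) and 255 (end) are not defined")
        if len(value) > 255:
            raise ValueError("sub-option %d value exceeds 255 octets" % code)
        field += bytes([code, len(value)]) + bytes(value)
    if len(field) > 255:
        raise ValueError("agent information field exceeds 255 octets")
    return bytes([OPTION_RELAY_AGENT_INFO, len(field)]) + bytes(field)


def decode_option82(data):
    """Parse one option 82 TLV into a list of (subopt, value) pairs.

    Rejects, rather than silently tolerating, input whose outer length does
    not match the octets present, whose length is below the minimum of 2,
    or whose sub-options are truncated or terminated with 255.  A server
    that bases address policy on these values should not accept a
    malformed container.
    """
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not an option 82 TLV")
    n = data[1]
    if n < 2:
        raise ValueError("option 82 length must be at least 2")
    if len(data) != 2 + n:
        raise ValueError("option 82 length does not match the octets present")
    field = data[2:2 + n]
    subopts, pos = [], 0
    while pos < n:
        code = field[pos]
        if code in (0, 255):
            raise ValueError("pad/end sub-option %d is not allowed in option 82" % code)
        if pos + 1 >= n:
            raise ValueError("sub-option %d has no length octet" % code)
        end = pos + 2 + field[pos + 1]
        if end > n:
            raise ValueError("sub-option %d runs past the end of the field" % code)
        subopts.append((code, bytes(field[pos + 2:end])))
        pos = end
    return subopts


def is_valid_option82(data):
    """Boolean wrapper around decode_option82 for quick validity checks."""
    try:
        decode_option82(data)
        return True
    except ValueError:
        return False


def strip_option82(options):
    """Remove option 82 from a DHCP options field.

    This is the relay agent's last step on a server-to-client reply: the
    server echoes the option back verbatim and the agent strips it before
    forwarding.  Pad (0) and end (255) carry no length octet and are copied
    through; every other option is copied unless its code is 82.
    """
    out, pos = bytearray(), 0
    while pos < len(options):
        code = options[pos]
        if code == 0:                 # pad: single octet
            out.append(code)
            pos += 1
            continue
        if code == 255:               # end marker: keep it and stop
            out.append(code)
            break
        if pos + 1 >= len(options):
            raise ValueError("truncated option %d" % code)
        end = pos + 2 + options[pos + 1]
        if end > len(options):
            raise ValueError("option %d runs past the end of the field" % code)
        if code != OPTION_RELAY_AGENT_INFO:
            out += options[pos:end]
        pos = end
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: circuit "ckt-1" and a six-octet modem identifier.
    opt82 = encode_option82([(SUBOPT_CIRCUIT_ID, b"ckt-1"),
                             (SUBOPT_REMOTE_ID, bytes.fromhex("001122334455"))])
    print("option 82:", opt82.hex())
    print("decoded:", decode_option82(opt82))
    # Constructed reply options: message type (53) = DHCPOFFER, option 82, pad, end.
    reply = bytes([53, 1, 2]) + opt82 + bytes([0, 255])
    print("forwarded to client:", strip_option82(reply).hex())
```

The decoder deliberately treats a length mismatch as an error instead of reading whatever follows: because the server may use these sub-options to decide which address or subnet a client receives, an agent information field that is shorter or longer than its declared length should be dropped at the server rather than partially parsed.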
No "pad" sub-option is defined, and the Information field shall NOT
be terminated with a 255 sub-option. The length N of the DHCP Agent
Information Option shall include all bytes of the sub-option
code/length/value tuples. Since at least one sub-option must be
defined, the minimum Relay Agent Information length is two (2). The
length N of the sub-options shall be the number of octets in only
that sub-option's value field. A sub-option length may be zero. The