sub-options need not appear in sub-option code order.
The initial assignment of DHCP Relay Agent Sub-options is as follows:
   DHCP Agent              Sub-Option Description
   Sub-option Code
   ---------------         ----------------------
        1                   Agent Circuit ID Sub-option
        2                   Agent Remote ID Sub-option
Patrick Standards Track [Page 5]
RFC 3046 DHCP Relay Agent Information Option January 2001
2.1 Agent Operation
Overall adding of the DHCP relay agent option SHOULD be configurable,
and SHOULD be disabled by default. Relay agents SHOULD have separate
configurables for each sub-option to control whether it is added to
client-to-server packets.
A DHCP relay agent adding a Relay Agent Information field SHALL add
it as the last option (but before 'End Option' 255, if present) in
the DHCP options field of any recognized BOOTP or DHCP packet
forwarded from a client to a server.
Relay agents receiving a DHCP packet from an untrusted circuit with
giaddr set to zero (indicating that they are the first-hop router)
but with a Relay Agent Information option already present in the
packet SHALL discard the packet and increment an error count. A
trusted circuit may contain a trusted downstream (closer to client)
network element (bridge) between the relay agent and the client that
MAY add a relay agent option but not set the giaddr field. In this
case, the relay agent does NOT add a "second" relay agent option, but
forwards the DHCP packet per normal DHCP relay agent operations,
setting the giaddr field as it deems appropriate.
The mechanisms for distinguishing between "trusted" and "untrusted"
circuits are specific to the type of circuit termination equipment,
and may involve local administration. For example, a Cable Modem
Termination System may consider upstream packets from most cable
modems as "untrusted", but an ATM switch terminating VCs switched
through a DSLAM may consider such VCs as "trusted" and accept a relay
agent option added by the DSLAM.
Relay agents MAY have a configurable for the maximum size of the DHCP
packet to be created after appending the Agent Information option.
Packets which, after appending the Relay Agent Information option,
would exceed this configured maximum size shall be forwarded WITHOUT
adding the Agent Information option. An error counter SHOULD be
incremented in this case. In the absence of this configurable, the
agent SHALL NOT increase a forwarded DHCP packet size to exceed the
MTU of the interface on which it is forwarded.
The Relay Agent Information option echoed by a server MUST be removed
by either the relay agent or the trusted downstream network element
which added it when forwarding a server-to-client response back to
the client.
The agent SHALL NOT add an "Option Overload" option to the packet or
use the "file" or "sname" fields for adding Relay Agent Information
option. It SHALL NOT parse or remove Relay Agent Information options
that may appear in the sname or file fields of a server-to-client
packet forwarded through the agent.
The operation of relay agents for specific sub-options is specified
with that sub-option.
Relay agents are NOT required to monitor or modify client-originated
DHCP packets addressed to a server unicast address. This includes
the DHCP-REQUEST sent when entering the RENEWING state.
Relay agents MUST NOT modify DHCP packets that use the IPSEC
Authentication Header or IPSEC Encapsulating Security Payload [6].
2.1.1 Reforwarded DHCP requests
A DHCP relay agent may receive a client DHCP packet forwarded from a
BOOTP/DHCP relay agent closer to the client. Such a packet will have
giaddr as non-zero, and may or may not already have a DHCP Relay
Agent option in it.
Relay agents configured to add a Relay Agent option which receive a
client DHCP packet with a nonzero giaddr SHALL discard the packet if
the giaddr spoofs a giaddr address implemented by the local agent
itself.
Otherwise, the relay agent SHALL forward any received DHCP packet
with a valid non-zero giaddr WITHOUT adding any relay agent options.
Per RFC 2131, it shall also NOT modify the giaddr value.
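The client-to-server and server-to-client rules of sections 2.1 and 2.1.1, as an added Python example that is not part of RFC 3046; it works on the DHCP options field only, and the packet bytes, trust flag, local address set and size limit are constructed inputs (giaddr is passed as an integer, 0 meaning unset):

```python
# Added example (not from RFC 3046): relay agent handling of option 82 per
# sections 2.1 and 2.1.1, on the options field (bytes after the magic cookie).
OPT_PAD, OPT_END, OPT_AGENT_INFO = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2

def walk_options(opts):
    """Yield (offset, code, value) per option; End is yielded as (offset, 255, b'')."""
    i = 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_END:
            yield i, code, b""
            return
        if code == OPT_PAD:          # single-byte pad, no length field
            i += 1
            continue
        n = opts[i + 1]
        yield i, code, opts[i + 2:i + 2 + n]
        i += 2 + n

def build_agent_info(circuit_id, remote_id):
    """Encode option 82 carrying sub-options 1 and 2 (sections 3.1, 3.2)."""
    body = bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    body += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    return bytes([OPT_AGENT_INFO, len(body)]) + body

def relay_to_server(opts, giaddr, trusted, local_addrs, circuit_id, remote_id, max_len):
    """Client-to-server path; returns ('discard' | 'forward', options bytes)."""
    entries = list(walk_options(opts))
    has_82 = any(c == OPT_AGENT_INFO for _, c, _ in entries)
    if giaddr != 0:                  # re-forwarded packet (2.1.1): never add;
        return ("discard" if giaddr in local_addrs else "forward"), opts
    if has_82:                       # first hop already carries option 82
        return ("forward" if trusted else "discard"), opts
    end = next((o for o, c, _ in entries if c == OPT_END), len(opts))
    new = opts[:end] + build_agent_info(circuit_id, remote_id) + opts[end:]
    if len(new) > max_len:           # would exceed configured max: forward
        return "forward", opts       # unchanged (and count an error)
    return "forward", new

def relay_to_client(opts):
    """Server-to-client path: strip the echoed option 82 (section 2.1)."""
    out = bytearray()
    for _, code, val in walk_options(opts):
        if code == OPT_END:
            out.append(OPT_END)
        elif code != OPT_AGENT_INFO:
            out += bytes([code, len(val)]) + val
    return bytes(out)
```

The End option is located through the parser rather than by searching for a 0xFF byte, since option values (a client identifier, for instance) may legitimately contain 0xFF.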
2.2 Server Operation
DHCP servers unaware of the Relay Agent Information option will
ignore the option upon receive and will not echo it back on
responses. This is the specified server behavior for unknown
options.
DHCP servers claiming to support the Relay Agent Information option
SHALL echo the entire contents of the Relay Agent Information option
in all replies. Servers SHOULD copy the Relay Agent Information
option as the last DHCP option in the response. Servers SHALL NOT
place the echoed Relay Agent Information option in the overloaded
sname or file fields. If a server is unable to copy a full Relay
Agent Information field into a response, it SHALL send the response
without the Relay Information Field, and SHOULD increment an error
counter for the situation.
The operation of DHCP servers for specific sub-options is specified
with that sub-option.
Note that DHCP relay agents are not required to monitor unicast DHCP
messages sent directly between the client and server (i.e., those
that aren't sent via a relay agent). However, some relay agents MAY
choose to do such monitoring and add relay agent options.
Consequently, servers SHOULD be prepared to handle relay agent
options in unicast messages, but MUST NOT expect them to always be
there.
3.0 Relay Agent Information Sub-options
3.1 Agent Circuit ID Sub-option
This sub-option MAY be added by DHCP relay agents which terminate
switched or permanent circuits. It encodes an agent-local identifier
of the circuit from which a DHCP client-to-server packet was
received. It is intended for use by agents in relaying DHCP
responses back to the proper circuit. Possible uses of this field
include:
- Router interface number
- Switching Hub port number
- Remote Access Server port number
- Frame Relay DLCI
- ATM virtual circuit number
- Cable Data virtual circuit number
Servers MAY use the Circuit ID for IP and other parameter assignment
policies. The Circuit ID SHOULD be considered an opaque value, with
policies based on exact string match only; that is, the Circuit ID
SHOULD NOT be internally parsed by the server.
The DHCP server SHOULD report the Agent Circuit ID value of current
leases in statistical reports (including its MIB) and in logs. Since
the Circuit ID is local only to a particular relay agent, a circuit
ID should be qualified with the giaddr value that identifies the
relay agent.
       SubOpt  Len     Circuit ID
      +------+------+------+------+------+------+------+------+--
      |  1   |   n  |  c1  |  c2  |  c3  |  c4  |  c5  |  c6  | ...
      +------+------+------+------+------+------+------+------+--
3.2 Agent Remote ID Sub-option
This sub-option MAY be added by DHCP relay agents which terminate
switched or permanent circuits and have mechanisms to identify the
remote host end of the circuit. The Remote ID field may be used to
encode, for instance:
-- a "caller ID" telephone number for dial-up connection
-- a "user name" prompted for by a Remote Access Server
-- a remote caller ATM address
-- a "modem ID" of a cable data modem
-- the remote IP address of a point-to-point link
-- a remote X.25 address for X.25 connections
The remote ID MUST be globally unique.
DHCP servers MAY use this option to select parameters specific to
particular users, hosts, or subscriber modems. The option SHOULD be
considered an opaque value, with policies based on exact string match
only; that is, the option SHOULD NOT be internally parsed by the
server.
The relay agent MAY use this field in addition to or instead of the
Agent Circuit ID field to select the circuit on which to forward the
DHCP reply (e.g., Offer, Ack, or Nak). DHCP servers SHOULD report
this value in any reports or MIBs associated with a particular
client.
       SubOpt  Len     Agent Remote ID
      +------+------+------+------+------+------+------+------+--
      |  2   |   n  |  r1  |  r2  |  r3  |  r4  |  r5  |  r6  | ...
      +------+------+------+------+------+------+------+------+--
4.0 Issues Resolved
The DHCP relay agent option resolves several issues in an environment
in which untrusted hosts access the internet via a circuit-based
public network. This resolution assumes that all DHCP protocol
traffic by the public hosts traverses the DHCP relay agent and that
the IP network between the DHCP relay agent and the DHCP server is
uncompromised.
Broadcast Forwarding
The circuit access equipment forwards the normally broadcasted
DHCP response only on the circuit indicated in the Agent Circuit
ID.
DHCP Address Exhaustion
In general, the DHCP server may be extended to maintain a database
with the "triplet" of
(client IP address, client MAC address, client remote ID)
The DHCP server SHOULD implement policies that restrict the number
of IP addresses to be assigned to a single remote ID.
Static Assignment
The DHCP server may use the remote ID to select the IP address to
be assigned. It may permit static assignment of IP addresses to
particular remote IDs, and disallow an address request from an
unauthorized remote ID.
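The server-side handling described in sections 2.2, 3.1/3.2 and 4.0 (sub-option values kept opaque and matched exactly, option 82 echoed as the last option of the reply, and the per-remote-ID exhaustion, static-assignment and authorization policies), as an added Python example that is not part of RFC 3046; the lease store, address pool and limits are constructed for illustration:

```python
# Added example (not from RFC 3046): server-side use of option 82 as in
# sections 2.2, 3.1/3.2 and 4.0. Pool, lease table and limits are constructed.
OPT_END, OPT_AGENT_INFO = 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2

def parse_suboptions(agent_info):
    """Decode the value of option 82 into {sub-option code: raw bytes}.
    Values stay opaque: policy is exact match only, never parsed (3.1, 3.2)."""
    subs, i = {}, 0
    while i + 2 <= len(agent_info):
        code, n = agent_info[i], agent_info[i + 1]
        subs[code] = agent_info[i + 2:i + 2 + n]
        i += 2 + n
    return subs

class LeaseStore:
    """Keeps (ip, mac, remote_id) triplets and caps leases per remote ID (4.0)."""

    def __init__(self, pool, max_per_remote=1, static=None, authorized=None):
        self.free = list(pool)
        self.leases = []                    # (ip, mac, remote_id)
        self.max_per_remote = max_per_remote
        self.static = static or {}          # remote_id -> fixed ip
        self.authorized = authorized        # None = any remote ID may request

    def allocate(self, mac, agent_info):
        """Return an address for this client, or None to refuse (NAK)."""
        remote = parse_suboptions(agent_info).get(SUB_REMOTE_ID)
        if remote is None:
            return None                     # no remote ID: cannot apply policy
        if self.authorized is not None and remote not in self.authorized:
            return None                     # unauthorized remote ID
        if remote in self.static:
            ip = self.static[remote]
        else:
            held = sum(1 for _, _, r in self.leases if r == remote)
            if held >= self.max_per_remote or not self.free:
                return None                 # exhaustion policy
            ip = self.free.pop(0)
        self.leases.append((ip, mac, remote))
        return ip

def build_reply_options(server_opts, agent_info, max_len):
    """Echo option 82 unchanged as the last option before End (2.2); if the
    reply would exceed max_len, send it without the option and count an error."""
    echoed = bytes([OPT_AGENT_INFO, len(agent_info)]) + agent_info
    if len(server_opts) + len(echoed) + 1 > max_len:
        return server_opts + bytes([OPT_END])
    return server_opts + echoed + bytes([OPT_END])
```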