📄 rfc3046.txt
字号:
IP Spoofing
The circuit access device may associate the IP address assigned by
a DHCP server in a forwarded DHCP Ack packet with the circuit to
which it was forwarded. The circuit access device MAY prevent
forwarding of IP packets with source IP addresses -other than-
those it has associated with the receiving circuit. This prevents
simple IP spoofing attacks on the Central LAN, and IP spoofing of
other hosts.
Client Identifier Spoofing
By using the agent-supplied Agent Remote ID option, the untrusted
and as-yet unstandardized client identifier field need not be used
by the DHCP server.
MAC Address Spoofing
By associating a MAC address with an Agent Remote ID, the DHCP
server can prevent offering an IP address to an attacker spoofing
the same MAC address on a different remote ID.
5.0 Security Considerations
DHCP as currently defined provides no authentication or security
mechanisms. Potential exposures to attack are discussed in section 7
of the DHCP protocol specification in RFC 2131 [1].
This document introduces mechanisms to address several security
attacks on the operation of IP address assignment, including IP
spoofing, Client ID spoofing, MAC address spoofing, and DHCP server
Patrick Standards Track [Page 10]
RFC 3046 DHCP Relay Agent Information Option January 2001
address exhaustion. It relies on an implied trusted relationship
between the DHCP Relay Agent and the DHCP server, with an assumed
untrusted DHCP client. It introduces a new identifer, the "Remote
ID", that is also assumed to be trusted. The Remote ID is provided
by the access network or modem and not by client premise equipment.
Cryptographic or other techniques to authenticate the remote ID are
certainly possible and encouraged, but are beyond the scope of this
document.
This option is targeted towards environments in which the network
infrastructure -- the relay agent, the DHCP server, and the entire
network in which those two devices reside -- is trusted and secure.
As used in this document, the word "trusted" implies that
unauthorized DHCP traffic cannot enter the trusted network except
through secured and trusted relay agents and that all devices
internal to the network are secure and trusted. Potential deployers
of this option should give careful consideration to the potential
security vulnerabilities that are present in this model before
deploying this option in actual networks.
Note that any future mechanisms for authenticating DHCP client to
server communications must take care to omit the DHCP Relay Agent
option from server authentication calculations. This was the
principal reason for organizing the DHCP Relay Agent Option as a
single option with sub-options, and for requiring the relay agent to
remove the option before forwarding to the client.
While it is beyond the scope of this document to specify the general
forwarding algorithm of public data circuit access units, note that
automatic reforwarding of IP or ARP broadcast packets back downstream
exposes serious IP security risks. For example, if an upstream
broadcast DHCP-DISCOVER or DHCP-REQUEST were re-broadcast back
downstream, any public host may easily spoof the desired DHCP server.
6.0 IANA Considerations
IANA is required to maintain a new number space of "DHCP Relay Agent
Sub-options", located in the BOOTP-DHCP Parameters Registry. The
initial sub-options are described in section 2.0 of this document.
IANA assigns future DHCP Relay Agent Sub-options with a "IETF
Consensus" policy as described in RFC 2434 [3]. Future proposed
sub-options are to be referenced symbolically in the Internet-Drafts
that describe them, and shall be assigned numeric codes by IANA when
approved for publication as an RFC.
Patrick Standards Track [Page 11]
RFC 3046 DHCP Relay Agent Information Option January 2001
7.0 Intellectual Property Notices
This section contains two notices as required by [5] for standards
track documents.
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF has been notified of intellectual property rights claimed in
regard to some or all of the specification contained in this
document. For more information consult the online list of claimed
rights.
8.0 References
[1] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
March 1997.
[2] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
Extension", RFC 2132, March 1997.
[3] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[5] Bradner, S., "The Internet Standards Process -- Revision 3", BCP
9, RFC 2026, October 1996.
[6] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
Patrick Standards Track [Page 12]
RFC 3046 DHCP Relay Agent Information Option January 2001
9.0 Glossary
DSLAM Digital Subscriber Link Access Multiplexer
IANA Internet Assigned Numbers Authority
LIS Logical IP Subnet
MAC Message Authentication Code
RAS Remote Access Server
10.0 Author's Address
Michael Patrick
Motorola Broadband Communications Sector
20 Cabot Blvd., MS M4-30
Mansfield, MA 02048
Phone: (508) 261-5707
EMail: michael.patrick@motorola.com
Patrick Standards Track [Page 13]
RFC 3046 DHCP Relay Agent Information Option January 2001
11.0 Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Patrick Standards Track [Page 14]
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -