DHC WG D. Miles Internet-Draft Alcatel-Lucent Intended status: Standards Track W. Dec Expires: September 9, 2009 Cisco Systems J. Bristow Swisscom Schweiz AG R. Maglione Telecom Italia March 8, 2009 Forcerenew Key Authentication draft-miles-dhc-forcerenew-key-01 Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on September 9, 2009. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Miles, et al. Expires September 9, 2009 [Page 1] Internet-Draft Forcerenew Key Authentication March 2009 Abstract DHCP Forcerenew allows for the reconfiguration of a single host by forcing the DHCP client into a Renew state on a trigger from the DHCP server. In Forcerenew Key Authentication the server exchanges a key with the client on the initial DHCP ACK that is used for subsequent validation of a Forcerenew message. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. Message authentication . . . . . . . . . . . . . . . . . . . . 3 2.1. Forcerenew Key Authentication . . . . . . . . . . . . . . 3 2.1.1. Forcerenew Key Protocol Capability Option . . . . . . 4 2.1.2. Forcerenew Key Protocol . . . . . . . . . . . . . . . 6 2.1.3. Server considerations for Forcerenew Key Authentication . . . . . . . . . . . . . . . . . . . . 7 2.1.4. Client considerations for Forcerenew Key Authentication . . . . . . . . . . . . . . . . . . . . 8 3. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 9 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 5.1. Protocol vulnerabilities . . . . . . . . . . . . . . . . . 9 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 6.1. Normative References . . . . . . . . . . . . . . . . . . . 10 6.2. Informative References . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 Miles, et al. Expires September 9, 2009 [Page 2] Internet-Draft Forcerenew Key Authentication March 2009 1. Introduction This document defines extensions to Authentication for DHCP(v4) Messages [RFC3118] to create a new authentication protocol for DHCPv4 Forcerenew [RFC3203] messages. Authentication for DHCP [RFC3118] is mandatory for Forcerenew, however as it is currently defined [RFC3118] requires distribution of constant token or shared-secret out-of-band to DHCP clients. The Forcerenew Key is exchanged between server and client on initial DHCP ACK and is used for verification of any subsequent Forcerenew message. Forcerenew Key Authentication follows the model set forward in DHCPv6 [RFC3315] as the Reconfigure Key Authentication Protocol. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2. Message authentication The FORCERENEW message must be authenticated using either [RFC3118] or the proposed Forcerenew Key Authentication protocol. 2.1. Forcerenew Key Authentication The Forcerenew key authentication protocol provides protection against misconfiguration of a client caused by a Forcerenew message sent by a malicious DHCP server. In this protocol, a DHCP server sends a Forcerenew Key to the client in the initial exchange of DHCP messages. The client records the Forcerenew Key for use in authenticating subsequent Forcerenew messages from that server. The server then includes an HMAC computed from the Forcerenew Key in subsequent Forcerenew messages. Both the Forcerenew Key sent from the server to the client and the HMAC in subsequent Forcerenew messages are carried as the Authentication information in a DHCP Authentication option. The format of the Authentication information is defined in the following section. The Forcerenew Key protocol is used (initiated by the server) only if the client and server are not using any other authentication protocol and the client and server have negotiated to use the Forcerenew Key Authentication protocol. Miles, et al. Expires September 9, 2009 [Page 3] Internet-Draft Forcerenew Key Authentication March 2009 2.1.1. Forcerenew Key Protocol Capability Option A DHCP client indicates DHCP Forcerenew Key Protocol capability by including a FORCERENEW_KEY_CAPABLE() option in DHCP Discover and Request messages sent to the server. A DHCP server that does not support Forcerenew Key Protocol authentication should ignore the FORCERENEW_KEY_CAPABLE() option. A DHCP server indicates DHCP Forcerenew Key Protocol preference by including a FORCERENEW_KEY_CAPABLE() option in any DHCP Offer messages sent to the client. A DHCP client MUST NOT send DHCP messages with authentication options where the protocol value is Forcerenew Key Authentication(). The FORCERENEW_KEY_CAPABLE option is a zero length option with code of and format as follows: Code Len +-----+-----+ | TBD | 0 | +-----+-----+ The client would indicate that it supports the functionality by inserting the FORCERENEW_KEY_CAPABLE option in the DHCP Discover and Request messages. If the server supports Forcerenew Key authentication and is configured to require Forcerenew Key authentication, it will insert the FORCERENEW_KEY_CAPABLE option in the DHCP Offer message. Server Client Server (not selected) (selected) v v v | | | | Begins initialization | | | | | _____________/|\____________ | |/DHCPDISCOVER | DHCPDISCOVER \| | w/Forcerenew- | w/Forcerenew- | | Key-Capable | Key-Capable | | | | Determines | Determines configuration | configuration | | | |\ | /| | \_________ | _________/ | | DHCPOFFER\ | /DHCPOFFER | |w/Forcerenew\ | /w/Forcerenew| | Key-Capable \ | / Key-Capable| Miles, et al. Expires September 9, 2009 [Page 4] Internet-Draft Forcerenew Key Authentication March 2009 | | | | Collects replies | | | | | Selects configuration | | | | | _____________/|\____________ | |/ DHCPREQUEST | DHCPREQUEST\ | | w/Forcerenew- | w/Forcerenew- | | Key-Capable | Key-Capable | | | | | | Commits configuration | | | | |Creates 128-bit Forcerenew Key | | | | | _____________/| | |/ DHCPACK | | | w/Auth-Proto= | | | Forcerenew-Key| | | | | Client stores Forcerenew Key | | | | | Initialization complete | | | | . . . . . . | | | | Forcerenew | | | _____________/| | |/ DHCPFORCE | | | w/Auth-Proto= | | | Forcerenew- | | | Digest(HMAC)| | | | | Client checks HMAC digest | | using stored Forcerenew Key | | | | | |\____________ | | | DHCPREQUEST\ | | | w/Forcerenew- | | | Key-Capable | | | | | | Commits configuration | | | | |Creates 128-bit Forcerenew Key | | | | | _____________/| | |/ DHCPACK | | | w/Auth-Proto= | Miles, et al. Expires September 9, 2009 [Page 5] Internet-Draft Forcerenew Key Authentication March 2009 | | Forcerenew-Key| | | | | | | | | | . . . . . . | | | | Graceful shutdown | | | | | |\ ____________ | | | DHCPRELEASE \| | | | | | Discards lease | | | v v v 2.1.2. Forcerenew Key Protocol [RFC3118] defined an extensible DHCPv4 authentication option which supports multiple protocols. The Forcerenew Key Protocol makes use of the DHCP authentication option defined in [RFC3118] re-using the option format. The following fields are set in an DHCP authentication option for the Forcerenew Key Authentication Protocol: protocol algorithm 1 RDM 0 The format of the Authentication information for the Forcerenew Key Authentication Protocol is: Miles, et al. Expires September 9, 2009 [Page 6] Internet-Draft Forcerenew Key Authentication March 2009 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Value (128 bits) | +-+-+-+-+-+-+-+-+ | . . . . . +-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type Type of data in Value field carried in this option: 1 Forcerenew Key value (used in ACK message). 2 HMAC-MD5 digest of the message (FORCERENEW message). Value Data as defined by field. 2.1.3. Server considerations for Forcerenew Key Authentication The use of Forcerenew Key Protocol is dependent on the client indicating its capability through the FORCERENEW_KEY_CAPABLE() DHCP option in any DHCP Discover or Request messages. The DHCP Discovery or Request message from the client MUST contain the FORCERENEW_KEY_CAPABLE() option if the Forcerenew Key Protocol is to be used by the server. The absence of the FORCERENEW_KEY_CAPABLE() option indicates to the server that the Forcerenew Key Authentication protocol is not supported and thus the server MUST NOT include a Forcerenew Key Protocol Authentication option in the DHCP Ack. The server indicates its support of the Forcerenew Key Protocol authentication by including the DHCP FORCERENEW_KEY_CAPABLE() option in the DHCP Offer message. The server SHOULD NOT include this option unless the client has indicated its capability in a DHCP Discovery message . The presence of the FORCERENEW_KEY_CAPABLE() option in the DHCP offer may be used by clients to prefer Forcerenew Key Protocol authentication-capable DHCP servers over those servers which do not support such capability. The server selects a Forcerenew Key for a client only during Request/ Ack message exchange. The server records the Forcerenew Key and transmits that key to the client in an Authentication option in the DHCP Ack message. The Forcerenew Key is 128 bits long, and MUST be a cryptographically Miles, et al. Expires September 9, 2009 [Page 7] Internet-Draft Forcerenew Key Authentication March 2009 strong random or pseudo-random number that cannot easily be predicted. The key is imbedded as a 128-bit value of the Authentication information where type is set to 1 (Forcerenew Key Value). To provide authentication for a Forcerenew message, the server selects a replay detection value according to the RDM selected by the server, and computes an HMAC-MD5 of the Forcerenew message using the Forcerenew Key for the client. The server computes the HMAC-MD5 over the entire DHCP Forcerenew message, including the Authentication option; the HMAC-MD5 field in the Authentication option is set to zero for the HMAC-MD5 computation. The server includes the HMAC-MD5 in the authentication information field in an Authentication option included in the Forcerenew message sent to the client with type set to 2 (HMAC-MD5 digest). 2.1.4. Client considerations for Forcerenew Key Authentication The client MUST indicate Forcerenew Key Capability by including the FORCERENEW_KEY_CAPABLE() DHCP option (Section 2.1.1) in all DHCP Discover and Request messages. DHCP servers that support Forcerenew Key Protocol authentication MUST include the DHCP Forcerenew Key protocol authentication option in DHCP Offers with type set to zero(0), allowing the client to use this capability in selecting DHCP servers should multiple Offers arrive. A DHCP server has indicates its support through the inclusion of the FORCERENEW_KEY_CAPABLE() option in the DHCP Offer. The client MUST validate the DHCP Ack message contains a Forcerenew Key in a DHCP authentication option. If the server has indicated capability for Forcerenew Key Protocol authentication in the DHCP Offer and a subsequent Ack omits a valid DHCP authentication option for the Forcerenew Key Protocol, the client MUST send a DHCP Decline message and return to the DHCP Init state. The client will receive a Forcerenew Key from the server in the initial DHCP Ack message from the server. The client records the Forcerenew Key for use in authenticating subsequent Forcerenew messages. To authenticate a Forcerenew message, the client computes an HMAC-MD5 over the DHCP Forcerenew message, using the Forcerenew Key received from the server. If this computed HMAC-MD5 matches the value in the Authentication option, the client accepts the Forcerenew message. Miles, et al. Expires September 9, 2009 [Page 8] Internet-Draft Forcerenew Key Authentication March 2009 3. Contributors Comments are solicited and should be addressed to the DHC WG mailing list (dhcwg@ietf.org) and/or the authors. This contribution is based on work by Vitali Vinokour. Major sections of this draft use modified text from [RFC3315]. The authors wish to thank Ted Lemon and Bernie Volz for their support. 4. IANA Considerations This document requests IANA to allocate an option code for the newly defined DHCP option FORCERENEW_KEY_CAPABALE as described in the text. This document requests IANA to allocate a DHCP Authentication Option(90) protocol number be assigned for Forcerenew Key Authentication, per [RFC3118]. This document requests IANA to create a new namespace associated with the Forcerenew Key Authentication protocol: algorithm, per [RFC3118]. 5. Security Considerations As in some network environments FORCERENEW can be used to snoop and spoof traffic, the FORCERENEW message MUST be authenticated using the procedures as described in [RFC3118] or this proposal. FORCERENEW messages failing the authentication should be silently discarded by the client. 5.1. Protocol vulnerabilities The mechanism described in this document is vulnerable to a denial of service attack through flooding a client with bogus FORCERENEW messages. The calculations involved in authenticating the bogus FORECERENEW messages may overwhelm the device on which the client is running. The mechanism described provides protection against the use of a FORCERENEW message by a malicious DHCP server to mount a denial of service or man-in-the-middle attack on a client. This protocol can be compromised by an attacker that can intercept the initial message in which the DHCP server sends the key to the client. 6. References Miles, et al. Expires September 9, 2009 [Page 9] Internet-Draft Forcerenew Key Authentication March 2009 6.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997. [RFC3118] Droms, R. and B. Arbaugh, "Authentication for DHCP Messages", RFC 3118, June 2001. [RFC3203] T'joens, Y., Hublet, C., and P. De Schrijver, "DHCP reconfigure extension", RFC 3203, December 2001. 6.2. Informative References [RFC3315] Droms, R., "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. Authors' Addresses David Miles Alcatel-Lucent L3 / 215 Spring St Melbourne, Victoria 3000 Australia Phone: +61 3 9664 3308 Email: david.miles@alcatel-lucent.com Wojciech Dec Cisco Systems Haarlerbergpark Haarlerbergweg 13-19 Amsterdam, NOORD-HOLLAND 1101 CH Netherlands Phone: Email: wdec@cisco.com Miles, et al. Expires September 9, 2009 [Page 10] Internet-Draft Forcerenew Key Authentication March 2009 James Bristow Swisscom Schweiz AG Zentweg 9 Bern, 3050 Switzerland Phone: Email: James.Bristow@swisscom.com Roberta Maglione Telecom Italia Via Reiss Romoli 274 Torino, 10148 Italy Phone: Email: roberta.maglione@telecomitalia.it Miles, et al. Expires September 9, 2009 [Page 11]