Network Working Group                                         M. Patrick
Request for Comments: 3046                                  Motorola BCS
Category: Standards Track                                   January 2001
DHCP Relay Agent Information Option
Status of this Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
Newer high-speed public Internet access technologies call for a high-speed modem to have a local area network (LAN) attachment to one or more customer premise hosts. It is advantageous to use the Dynamic Host Configuration Protocol (DHCP) as defined in RFC 2131 to assign customer premise host IP addresses in this environment. However, a number of security and scaling problems arise with such "public" DHCP use. This document describes a new DHCP option to address these issues. This option extends the set of DHCP options as defined in RFC 2132.
The new option is called the Relay Agent Information option and is inserted by the DHCP relay agent when forwarding client-originated DHCP packets to a DHCP server. Servers recognizing the Relay Agent Information option may use the information to implement IP address or other parameter assignment policies. The DHCP Server echoes the option back verbatim to the relay agent in server-to-client replies, and the relay agent strips the option before forwarding the reply to the client.
The "Relay Agent Information" option is organized as a single DHCP option that contains one or more "sub-options" that convey information known by the relay agent. The initial sub-options are defined for a relay agent that is co-located in a public circuit access unit. These include a "circuit ID" for the incoming circuit, and a "remote ID" which provides a trusted identifier for the remote high-speed modem.
Table of Contents
1 Introduction
1.1 High-Speed Circuit Switched Data Networks
1.2 DHCP Relay Agent in the Circuit Access Equipment
2.0 Relay Agent Information Option
2.1 Agent Operation
2.1.1 Reforwarded DHCP requests
2.2 Server Operation
3.0 Relay Agent Information Suboptions
3.1 Agent Circuit ID
3.2 Agent Remote ID
4.0 Issues Resolved
5.0 Security Considerations
6.0 IANA Considerations
7.0 Intellectual Property Notice
8.0 References
9.0 Glossary
10.0 Author's Address
11.0 Full Copyright Statement
1 Introduction
1.1 High-Speed Circuit Switched Data Networks

Public Access to the Internet is usually via a circuit switched data network. Today, this is primarily implemented with dial-up modems connecting to a Remote Access Server. But higher speed circuit access networks also include ISDN, ATM, Frame Relay, and Cable Data Networks. All of these networks can be characterized as a "star" topology where multiple users connect to a "circuit access unit" via switched or permanent circuits.
With dial-up modems, only a single host PC attempts to connect to the central point. The PPP protocol is widely used to assign IP addresses to be used by the single host PC.
The newer high-speed circuit technologies, however, frequently provide a LAN interface (especially Ethernet) to one or more host PCs. It is desirable to support centralized assignment of the IP addresses of host computers connecting on such circuits via DHCP. The DHCP server can be, but usually is not, co-implemented with the centralized circuit concentration access device. The DHCP server is often connected as a separate server on the "Central LAN" to which the central access device (or devices) attach.
A common physical model for high-speed Internet circuit access is shown in Figure 1, below.
                       +---------------+
              Central  | Circuit       |-- ckt 1--- Modem1-- Host-|- Host A
              LAN |    |   Access      |                    Lan   |- Host B
                  |    |   Unit 1      |                          |- Host C
                  |----|               |--
                  |    |(relay agent)  |...
     +---------+  |    +---------------+
     | DHCP    |--|
     | Server  |  |
     +---------+  |
                  |
                  |    +---------------+
     +---------+  |    |               |
     |         |  |    | Circuit       |-- ckt 1--- Modem2-- Host--- Host D
     | Other   |  |    |   Access      |                    Lan
     | Servers |--|----|   Unit 2      |
     | (Web,   |  |    |               |-- ckt 2--- Modem3-- Host--- Host E
     | DNS)    |  |    |(relay agent)  |...                 Lan
     |         |  |    +---------------+
     +---------+
Figure 1: DHCP High Speed Circuit Access Model
Note that in this model, the "modem" connects to a LAN at the user site, rather than to a single host. Multiple hosts are implemented at this site. Although it is certainly possible to implement a full IP router at the user site, this requires a relatively expensive piece of equipment (compared to typical modem costs). Furthermore, a router requires an IP address not only for every host, but for the router itself. Finally, a user-side router requires a dedicated Logical IP Subnet (LIS) for each user. While this model is appropriate for relatively small corporate networking environments, it is not appropriate for large, public accessed networks. In this scenario, it is advantageous to implement an IP networking model that does not allocate an IP address for the modem (or other networking equipment device at the user site), and especially not an entire LIS for the user side LAN.
Note that using this method to obtain IP addresses means that IP addresses can only be obtained while communication to the central site is available. Some host LAN installations may use a local DHCP server or other methods to obtain IP addresses for in-house use.
1.2 DHCP Relay Agent in the Circuit Access Equipment

It is desirable to use DHCP to assign the IP addresses for public high-speed circuit access. A number of circuit access units (e.g., RAS's, cable modem termination systems, ADSL access units, etc) connect to a LAN (or local internet) to which is attached a DHCP server.
For scaling and security reasons, it is advantageous to implement a "router hop" at the circuit access unit, much like high-capacity RAS's do today. The circuit access equipment acts as both a router to the circuits and as the DHCP relay agent.
The advantages of co-locating the DHCP relay agent with the circuit access equipment are:
DHCP broadcast replies can be routed to only the proper circuit, avoiding, say, the replication of the DHCP reply broadcast onto thousands of access circuits;
The same mechanism used to identify the remote connection of the circuit (e.g., a user ID requested by a Remote Access Server acting as the circuit access equipment) may be used as a host identifier by DHCP, and used for parameter assignment. This includes centralized assignment of IP addresses to hosts. This provides a secure remote ID from a trusted source -- the relay agent.
A number of issues arise when forwarding DHCP requests from hosts connecting publicly accessed high-speed circuits with LAN connections at the host. Many of these are security issues arising from DHCP client requests from untrusted sources. How does the relay agent know to which circuit to forward replies? How does the system prevent DHCP IP exhaustion attacks? This is when an attacker requests all available IP addresses from a DHCP server by sending requests with fabricated client MAC addresses. How can an IP address or LIS be permanently assigned to a particular user or modem? How does one prevent "spoofing" of client identifier fields used to assign IP addresses? How does one prevent denial of service by "spoofing" other client's MAC addresses?
All of these issues may be addressed by having the circuit access equipment, which is a trusted component, add information to DHCP client requests that it forwards to the DHCP server.
2.0 Relay Agent Information Option

This document defines a new DHCP Option called the Relay Agent Information Option. It is a "container" option for specific agent-supplied sub-options. The format of the Relay Agent Information option is:
          Code   Len     Agent Information Field
         +------+------+------+------+------+------+--...-+------+
         |  82  |   N  |  i1  |  i2  |  i3  |  i4  |      |  iN  |
         +------+------+------+------+------+------+--...-+------+
The length N gives the total number of octets in the Agent Information Field. The Agent Information field consists of a sequence of SubOpt/Length/Value tuples for each sub-option, encoded in the following manner:
          SubOpt  Len     Sub-option Value
         +------+------+------+------+------+------+--...-+------+
         |  1   |   N  |  s1  |  s2  |  s3  |  s4  |      |  sN  |
         +------+------+------+------+------+------+--...-+------+

          SubOpt  Len     Sub-option Value
         +------+------+------+------+------+------+--...-+------+
         |  2   |   N  |  i1  |  i2  |  i3  |  i4  |      |  iN  |
         +------+------+------+------+------+------+--...-+------+
No "pad" sub-option is defined, and the Information field shall NOT be terminated with a 255 sub-option. The length N of the DHCP Agent Information Option shall include all bytes of the sub-option code/length/value tuples. Since at least one sub-option must be defined, the minimum Relay Agent Information length is two (2). The length N of the sub-options shall be the number of octets in only that sub-option's value field. A sub-option length may be zero. The sub-options need not appear in sub-option code order.
The initial assignment of DHCP Relay Agent Sub-options is as follows:
          DHCP Agent              Sub-Option Description
          Sub-option Code
          ---------------         ----------------------
              1                   Agent Circuit ID Sub-option
              2                   Agent Remote ID Sub-option
2.1 Agent Operation

Overall adding of the DHCP relay agent option SHOULD be configurable, and SHOULD be disabled by default. Relay agents SHOULD have separate configurables for each sub-option to control whether it is added to client-to-server packets.
A DHCP relay agent adding a Relay Agent Information field SHALL add it as the last option (but before 'End Option' 255, if present) in the DHCP options field of any recognized BOOTP or DHCP packet forwarded from a client to a server.
Relay agents receiving a DHCP packet from an untrusted circuit with giaddr set to zero (indicating that they are the first-hop router) but with a Relay Agent Information option already present in the packet SHALL discard the packet and increment an error count. A trusted circuit may contain a trusted downstream (closer to client) network element (bridge) between the relay agent and the client that MAY add a relay agent option but not set the giaddr field. In this case, the relay agent does NOT add a "second" relay agent option, but forwards the DHCP packet per normal DHCP relay agent operations, setting the giaddr field as it deems appropriate.
The mechanisms for distinguishing between "trusted" and "untrusted" circuits are specific to the type of circuit termination equipment, and may involve local administration. For example, a Cable Modem Termination System may consider upstream packets from most cable modems as "untrusted", but an ATM switch terminating VCs switched through a DSLAM may consider such VCs as "trusted" and accept a relay agent option added by the DSLAM.
Relay agents MAY have a configurable for the maximum size of the DHCP packet to be created after appending the Agent Information option. Packets which, after appending the Relay Agent Information option, would exceed this configured maximum size shall be forwarded WITHOUT adding the Agent Information option. An error counter SHOULD be incremented in this case. In the absence of this configurable, the agent SHALL NOT increase a forwarded DHCP packet size to exceed the MTU of the interface on which it is forwarded.
The Relay Agent Information option echoed by a server MUST be removed by either the relay agent or the trusted downstream network element which added it when forwarding a server-to-client response back to the client.
The agent SHALL NOT add an "Option Overload" option to the packet or use the "file" or "sname" fields for adding Relay Agent Information option. It SHALL NOT parse or remove Relay Agent Information options that may appear in the sname or file fields of a server-to-client packet forwarded through the agent.
The operation of relay agents for specific sub-options is specified with that sub-option.
Relay agents are NOT required to monitor or modify client-originated DHCP packets addressed to a server unicast address. This includes the DHCP-REQUEST sent when entering the RENEWING state.
Relay agents MUST NOT modify DHCP packets that use the IPSEC Authentication Header or IPSEC Encapsulating Security Payload [6].
2.1.1 Reforwarded DHCP requests

A DHCP relay agent may receive a client DHCP packet forwarded from a BOOTP/DHCP relay agent closer to the client. Such a packet will have giaddr as non-zero, and may or may not already have a DHCP Relay Agent option in it.
Relay agents configured to add a Relay Agent option which receive a client DHCP packet with a nonzero giaddr SHALL discard the packet if the giaddr spoofs a giaddr address implemented by the local agent itself.
Otherwise, the relay agent SHALL forward any received DHCP packet with a valid non-zero giaddr WITHOUT adding any relay agent options. Per RFC 2131, it shall also NOT modify the giaddr value.
2.2 Server Operation

DHCP servers unaware of the Relay Agent Information option will ignore the option upon receive and will not echo it back on responses. This is the specified server behavior for unknown options.
DHCP servers claiming to support the Relay Agent Information option SHALL echo the entire contents of the Relay Agent Information option in all replies. Servers SHOULD copy the Relay Agent Information option as the last DHCP option in the response. Servers SHALL NOT place the echoed Relay Agent Information option in the overloaded sname or file fields. If a server is unable to copy a full Relay Agent Information field into a response, it SHALL send the response without the Relay Information Field, and SHOULD increment an error counter for the situation.
The operation of DHCP servers for specific sub-options is specified with that sub-option.
Note that DHCP relay agents are not required to monitor unicast DHCP messages sent directly between the client and server (i.e., those that aren't sent via a relay agent). However, some relay agents MAY choose to do such monitoring and add relay agent options. Consequently, servers SHOULD be prepared to handle relay agent options in unicast messages, but MUST NOT expect them to always be there.
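As an added illustration (not code from the RFC or any implementation it describes), the following Python models the option encoding of section 2.0 together with the relay-agent rules of section 2.1 and the server echo rule of section 2.2, operating on a raw DHCP options field. The circuit ID, remote ID, packet size, giaddr values and the DISCOVER/OFFER option bytes are constructed for the example.

```python
# Added example, not code from RFC 3046: encode/decode the Relay Agent Information
# option (code 82) and apply the relay-agent rules of section 2.1 and the server
# rules of section 2.2 to a raw DHCP options field. All sample values are constructed.
OPTION_PAD, OPTION_END, OPTION_RELAY_AGENT_INFO = 0, 255, 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2

def encode_relay_agent_info(suboptions):
    """Return code + length + Agent Information Field for (code, value) pairs."""
    if not suboptions:
        raise ValueError("at least one sub-option is required (minimum length 2)")
    body = b""
    for code, value in suboptions:
        if not 1 <= code <= 254:                 # no pad (0) and no 255 terminator
            raise ValueError("invalid sub-option code %d" % code)
        if len(value) > 255:
            raise ValueError("sub-option value exceeds 255 octets")
        body += bytes([code, len(value)]) + value  # a zero-length value is legal
    if len(body) > 255:
        raise ValueError("Agent Information Field exceeds 255 octets")
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body

def decode_relay_agent_info(body):
    """Parse an Agent Information Field into (code, value) pairs, in wire order."""
    if len(body) < 2:
        raise ValueError("Agent Information Field shorter than 2 octets")
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, n = body[i], body[i + 1]
        if code in (OPTION_PAD, OPTION_END):
            raise ValueError("sub-option codes 0 and 255 are not defined")
        value = body[i + 2:i + 2 + n]
        if len(value) != n:
            raise ValueError("truncated sub-option value")
        out.append((code, value))
        i += 2 + n
    return out

def parse_options(options):
    """Split a DHCP options field into (code, value) pairs; also return the End offset."""
    out, i = [], 0
    while i < len(options):
        code = options[i]
        if code == OPTION_END:
            return out, i
        if code == OPTION_PAD:
            i += 1
            continue
        n = options[i + 1]
        out.append((code, options[i + 2:i + 2 + n]))
        i += 2 + n
    return out, len(options)

def relay_client_to_server(options, giaddr, circuit_trusted, agent_info,
                           packet_len, max_len=1500, own_giaddrs=()):
    """Section 2.1: decide what a relay does with a client-to-server packet.

    Returns (action, options): 'discard' (drop and count an error), 'forward'
    (relay as received) or 'add' (option 82 appended as the last option).
    """
    parsed, end = parse_options(options)
    has_82 = any(code == OPTION_RELAY_AGENT_INFO for code, _ in parsed)
    if giaddr == 0 and has_82 and not circuit_trusted:
        return "discard", options        # option injected on an untrusted circuit
    if giaddr != 0 and giaddr in own_giaddrs:
        return "discard", options        # giaddr spoofs one of this agent's own addresses
    if giaddr != 0 or has_82:
        return "forward", options        # already relayed, or added by a trusted bridge
    if packet_len + len(agent_info) > max_len:
        return "forward", options        # would exceed the configured maximum or the MTU
    # Insert as the last option, ahead of End (255) when it is present.
    return "add", options[:end] + agent_info + options[end:]

def server_echo(request_options, reply_options):
    """Section 2.2: copy option 82 verbatim into the reply as its last option."""
    for code, value in parse_options(request_options)[0]:
        if code == OPTION_RELAY_AGENT_INFO:
            _, end = parse_options(reply_options)
            return reply_options[:end] + bytes([code, len(value)]) + value + reply_options[end:]
    return reply_options                 # no option 82 in the request: nothing to echo

def relay_server_to_client(options):
    """Strip the echoed option 82 (and any pads) before the reply reaches the client."""
    parsed, _ = parse_options(options)
    kept = b"".join(bytes([c, len(v)]) + v for c, v in parsed if c != OPTION_RELAY_AGENT_INFO)
    return kept + bytes([OPTION_END])

def demo():
    """Constructed DISCOVER/OFFER exchange carrying only message type (53) and End."""
    discover = bytes([53, 1, 1, OPTION_END])
    agent = encode_relay_agent_info([(SUBOPT_CIRCUIT_ID, b"ckt-1"),
                                     (SUBOPT_REMOTE_ID, b"MODEM1")])
    action, to_server = relay_client_to_server(discover, 0, False, agent, packet_len=300)
    reply = server_echo(to_server, bytes([53, 1, 2, OPTION_END]))
    return action, to_server, reply, relay_server_to_client(reply)
```

`demo()` returns the relay's decision, the options as sent to the server, the server's reply with option 82 echoed last, and the reply as it reaches the client with the option stripped.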
3.0 Relay Agent Information Suboptions

3.1 Agent Circuit ID

This sub-option MAY be added by DHCP relay agents which terminate switched or permanent circuits. It encodes an agent-local identifier of the circuit from which a DHCP client-to-server packet was received. It is intended for use by agents in relaying DHCP responses back to the proper circuit. Possible uses of this field include:
   - Router interface number
   - Switching Hub port number
   - Remote Access Server port number
   - Frame Relay DLCI
   - ATM virtual circuit number
   - Cable Data virtual circuit number
Servers MAY use the Circuit ID for IP and other parameter assignment policies. The Circuit ID SHOULD be considered an opaque value, with policies based on exact string match only; that is, the Circuit ID SHOULD NOT be internally parsed by the server.
The DHCP server SHOULD report the Agent Circuit ID value of current leases in statistical reports (including its MIB) and in logs. Since the Circuit ID is local only to a particular relay agent, a circuit ID should be qualified with the giaddr value that identifies the relay agent.
          SubOpt  Len     Circuit ID
         +------+------+------+------+------+------+------+------+--
         |  1   |   n  |  c1  |  c2  |  c3  |  c4  |  c5  |  c6  | ...
         +------+------+------+------+------+------+------+------+--
3.2 Agent Remote ID

This sub-option MAY be added by DHCP relay agents which terminate switched or permanent circuits and have mechanisms to identify the remote host end of the circuit. The Remote ID field may be used to encode, for instance:
   -- a "caller ID" telephone number for dial-up connection
   -- a "user name" prompted for by a Remote Access Server
   -- a remote caller ATM address
   -- a "modem ID" of a cable data modem
   -- the remote IP address of a point-to-point link
   -- a remote X.25 address for X.25 connections
The remote ID MUST be globally unique.
DHCP servers MAY use this option to select parameters specific to particular users, hosts, or subscriber modems. The option SHOULD be considered an opaque value, with policies based on exact string match only; that is, the option SHOULD NOT be internally parsed by the server.
The relay agent MAY use this field in addition to or instead of the Agent Circuit ID field to select the circuit on which to forward the DHCP reply (e.g., Offer, Ack, or Nak). DHCP servers SHOULD report this value in any reports or MIBs associated with a particular client.
          SubOpt  Len     Agent Remote ID
         +------+------+------+------+------+------+------+------+--
         |  2   |   n  |  r1  |  r2  |  r3  |  r4  |  r5  |  r6  | ...
         +------+------+------+------+------+------+------+------+--
4.0 Issues Resolved

The DHCP relay agent option resolves several issues in an environment in which untrusted hosts access the internet via a circuit based public network. This resolution assumes that all DHCP protocol traffic by the public hosts traverses the DHCP relay agent and that the IP network between the DHCP relay agent and the DHCP server is uncompromised.
Broadcast Forwarding
The circuit access equipment forwards the normally broadcasted DHCP response only on the circuit indicated in the Agent Circuit ID.
DHCP Address Exhaustion
In general, the DHCP server may be extended to maintain a database with the "triplet" of
(client IP address, client MAC address, client remote ID)
The DHCP server SHOULD implement policies that restrict the number of IP addresses to be assigned to a single remote ID.
Static Assignment
The DHCP server may use the remote ID to select the IP address to be assigned. It may permit static assignment of IP addresses to particular remote IDs, and disallow an address request from an unauthorized remote ID.
IP Spoofing
The circuit access device may associate the IP address assigned by a DHCP server in a forwarded DHCP Ack packet with the circuit to which it was forwarded. The circuit access device MAY prevent forwarding of IP packets with source IP addresses other than those it has associated with the receiving circuit. This prevents simple IP spoofing attacks on the Central LAN, and IP spoofing of other hosts.
Client Identifier Spoofing
By using the agent-supplied Agent Remote ID option, the untrusted and as-yet unstandardized client identifier field need not be used by the DHCP server.
MAC Address Spoofing
By associating a MAC address with an Agent Remote ID, the DHCP server can prevent offering an IP address to an attacker spoofing the same MAC address on a different remote ID.
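As an added example, not part of the RFC, the following Python sketches a server-side lease policy built on the (client IP address, client MAC address, client remote ID) triplet described in this section: a per-remote-ID address cap against exhaustion, static assignment to a remote ID with refusal of unauthorized remote IDs, and refusal of a MAC address that already holds a lease under a different remote ID. The address pool, remote IDs and MAC addresses are constructed.

```python
# Added example, not code from RFC 3046: a minimal DHCP server lease policy on the
# (client IP address, client MAC address, client remote ID) triplet of section 4.0.
# The remote ID comes from option 82 (relay-supplied, trusted); the MAC (chaddr) is
# supplied by the client and is not trusted on its own. All sample values are constructed.
from ipaddress import IPv4Address


class LeasePolicy:
    def __init__(self, pool, max_per_remote_id=2, static=None, authorized=None):
        self.free = [IPv4Address(a) for a in pool]   # addresses not yet leased
        self.max_per_remote_id = max_per_remote_id
        self.static = static or {}                  # remote ID -> fixed IPv4Address
        self.authorized = authorized                # None means any remote ID may request
        self.leases = {}                            # IPv4Address -> (mac, remote ID)

    def _held_by(self, remote_id):
        return [ip for ip, (_, rid) in self.leases.items() if rid == remote_id]

    def _mac_binding(self, mac):
        for ip, (m, rid) in self.leases.items():
            if m == mac:
                return ip, rid
        return None

    def offer(self, mac, remote_id):
        """Return (IPv4Address or None, reason); reason starts with new/renew/static/refused."""
        if remote_id is None:
            return None, "refused: no relay agent information for this client"
        if self.authorized is not None and remote_id not in self.authorized:
            return None, "refused: unauthorized remote ID %r" % remote_id
        if remote_id in self.static:                # static assignment to a remote ID
            ip = self.static[remote_id]
            self.leases[ip] = (mac, remote_id)
            return ip, "static"
        bound = self._mac_binding(mac)
        if bound is not None:
            ip, rid = bound
            if rid != remote_id:                    # same MAC seen on another circuit
                return None, "refused: MAC %s already leased under remote ID %r" % (mac, rid)
            return ip, "renew"                      # same MAC on the same remote ID
        if len(self._held_by(remote_id)) >= self.max_per_remote_id:
            return None, "refused: remote ID %r already holds %d addresses" % (
                remote_id, self.max_per_remote_id)  # cap per subscriber against exhaustion
        if not self.free:
            return None, "refused: pool exhausted"
        ip = self.free.pop(0)
        self.leases[ip] = (mac, remote_id)
        return ip, "new"


def demo():
    """Constructed requests as (mac, remote ID); returns (ip, outcome keyword) per request."""
    policy = LeasePolicy(["192.0.2.10", "192.0.2.11", "192.0.2.12"], max_per_remote_id=2,
                         static={b"MODEM-STATIC": IPv4Address("192.0.2.100")},
                         authorized={b"MODEM1", b"MODEM2", b"MODEM-STATIC"})
    requests = [
        ("00:00:5e:00:53:01", b"MODEM1"),        # first host behind MODEM1
        ("00:00:5e:00:53:02", b"MODEM1"),        # second host, still within the cap
        ("00:00:5e:00:53:03", b"MODEM1"),        # third host: cap reached, refused
        ("00:00:5e:00:53:01", b"MODEM2"),        # MAC of host 1 seen on MODEM2: refused
        ("00:00:5e:00:53:01", b"MODEM1"),        # host 1 again on its own circuit: renew
        ("00:00:5e:00:53:09", b"UNKNOWN"),       # remote ID not authorized: refused
        ("00:00:5e:00:53:0a", b"MODEM-STATIC"),  # pinned address
    ]
    results = []
    for mac, rid in requests:
        ip, reason = policy.offer(mac, rid)
        results.append((str(ip) if ip else None, reason.split(":")[0]))
    return results
```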
5.0 Security Considerations

DHCP as currently defined provides no authentication or security mechanisms. Potential exposures to attack are discussed in section 7 of the DHCP protocol specification in RFC 2131 [1].
This document introduces mechanisms to address several security attacks on the operation of IP address assignment, including IP spoofing, Client ID spoofing, MAC address spoofing, and DHCP server address exhaustion. It relies on an implied trusted relationship between the DHCP Relay Agent and the DHCP server, with an assumed untrusted DHCP client. It introduces a new identifier, the "Remote ID", that is also assumed to be trusted. The Remote ID is provided by the access network or modem and not by client premise equipment. Cryptographic or other techniques to authenticate the remote ID are certainly possible and encouraged, but are beyond the scope of this document.
This option is targeted towards environments in which the network infrastructure -- the relay agent, the DHCP server, and the entire network in which those two devices reside -- is trusted and secure. As used in this document, the word "trusted" implies that unauthorized DHCP traffic cannot enter the trusted network except through secured and trusted relay agents and that all devices internal to the network are secure and trusted. Potential deployers of this option should give careful consideration to the potential security vulnerabilities that are present in this model before deploying this option in actual networks.
Note that any future mechanisms for authenticating DHCP client to server communications must take care to omit the DHCP Relay Agent option from server authentication calculations. This was the principal reason for organizing the DHCP Relay Agent Option as a single option with sub-options, and for requiring the relay agent to remove the option before forwarding to the client.
While it is beyond the scope of this document to specify the general forwarding algorithm of public data circuit access units, note that automatic reforwarding of IP or ARP broadcast packets back downstream exposes serious IP security risks. For example, if an upstream broadcast DHCP-DISCOVER or DHCP-REQUEST were re-broadcast back downstream, any public host may easily spoof the desired DHCP server.
6.0 IANA Considerations

IANA is required to maintain a new number space of "DHCP Relay Agent Sub-options", located in the BOOTP-DHCP Parameters Registry. The initial sub-options are described in section 2.0 of this document.
IANA assigns future DHCP Relay Agent Sub-options with an "IETF Consensus" policy as described in RFC 2434 [3]. Future proposed sub-options are to be referenced symbolically in the Internet-Drafts that describe them, and shall be assigned numeric codes by IANA when approved for publication as an RFC.
7.0 Intellectual Property Notice

This section contains two notices as required by [5] for standards track documents.
The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.
The IETF has been notified of intellectual property rights claimed in regard to some or all of the specification contained in this document. For more information consult the online list of claimed rights.
8.0 References

[1] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997.
[2] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extension", RFC 2132, March 1997.
[3] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[5] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996.
[6] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.
9.0 Glossary

   DSLAM   Digital Subscriber Link Access Multiplexer
   IANA    Internet Assigned Numbers Authority
   LIS     Logical IP Subnet
   MAC     Message Authentication Code
   RAS     Remote Access Server
10.0 Author's Address

   Michael Patrick
   Motorola Broadband Communications Sector
   20 Cabot Blvd., MS M4-30
   Mansfield, MA 02048
   Phone: (508) 261-5707
   EMail: michael.patrick@motorola.com
11.0 Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.