Internet Engineering Task Force (IETF) P. Kurapati Request for Comments: 6148 Juniper Networks Updates: 4388 R. Desetti Category: Standards Track B. Joshi ISSN: 2070-1721 Infosys Technologies Ltd. February 2011
Internet Engineering Task Force (IETF) P. Kurapati Request for Comments: 6148 Juniper Networks Updates: 4388 R. Desetti Category: Standards Track B. Joshi ISSN: 2070-1721 Infosys Technologies Ltd. February 2011
DHCPv4 Lease Query by Relay Agent Remote ID
通过中继代理远程ID的DHCPv4租约查询
Abstract
摘要
Some relay agents extract lease information from the DHCP messages exchanged between the client and DHCP server. This lease information is used by relay agents for various purposes like antispoofing and prevention of flooding. RFC 4388 defines a mechanism for relay agents to retrieve the lease information from the DHCP server when this information is lost. The existing lease query mechanism is data-driven, which means that a relay agent can initiate the lease query only when it starts receiving data to and from the clients. In certain scenarios, this model is not scalable. This document first looks at issues in the existing mechanism and then proposes a new query type, query by Remote ID, to address these issues.
一些中继代理从客户端和DHCP服务器之间交换的DHCP消息中提取租约信息。中继代理将此租约信息用于各种目的,如防泄洪和防止洪水。RFC 4388为中继代理定义了一种机制,当这些信息丢失时,中继代理可以从DHCP服务器检索租赁信息。现有的租赁查询机制是数据驱动的,这意味着中继代理只有在开始接收客户机之间的数据时才能启动租赁查询。在某些情况下,此模型是不可伸缩的。本文首先研究现有机制中的问题,然后提出一种新的查询类型,即按远程ID查询,以解决这些问题。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6148.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6148.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
本文件可能包含2008年11月10日之前发布或公开的IETF文件或IETF贡献中的材料。控制某些材料版权的人员可能未授予IETF信托允许在IETF标准流程之外修改此类材料的权利。在未从控制此类材料版权的人员处获得充分许可的情况下,不得在IETF标准流程之外修改本文件,也不得在IETF标准流程之外创建其衍生作品,除了将其格式化以RFC形式发布或将其翻译成英语以外的其他语言。
Table of Contents
目录
1. Introduction ....................................................3 2. Terminology .....................................................4 3. Motivation ......................................................6 4. Protocol Details ................................................7 4.1. Sending the DHCPLEASEQUERY Message .........................7 4.2. Responding to the DHCPLEASEQUERY Message ...................8 4.3. Building a DHCPLEASEACTIVE or DHCPLEASEUNKNOWN Message .....8 4.4. Determining the IP Address to Be Used in Response ..........9 4.5. Sending a DHCPLEASEACTIVE or DHCPLEASEUNKNOWN Message ......9 4.6. Receiving a DHCPLEASEACTIVE or DHCPLEASEUNKNOWN Message ....9 4.7. Receiving No Response to the DHCPLEASEQUERY Message .......10 4.8. Lease-Binding Data Storage Requirements ...................10 4.9. Using the DHCPLEASEQUERY Message with Multiple DHCP Servers ..............................................10 5. RFC 4388 Considerations ........................................11 6. Security Considerations ........................................11 7. Acknowledgments ................................................11 8. References .....................................................12 8.1. Normative References ......................................12 8.2. Informative References ....................................12
1. Introduction ....................................................3 2. Terminology .....................................................4 3. Motivation ......................................................6 4. Protocol Details ................................................7 4.1. Sending the DHCPLEASEQUERY Message .........................7 4.2. Responding to the DHCPLEASEQUERY Message ...................8 4.3. Building a DHCPLEASEACTIVE or DHCPLEASEUNKNOWN Message .....8 4.4. Determining the IP Address to Be Used in Response ..........9 4.5. Sending a DHCPLEASEACTIVE or DHCPLEASEUNKNOWN Message ......9 4.6. Receiving a DHCPLEASEACTIVE or DHCPLEASEUNKNOWN Message ....9 4.7. Receiving No Response to the DHCPLEASEQUERY Message .......10 4.8. Lease-Binding Data Storage Requirements ...................10 4.9. Using the DHCPLEASEQUERY Message with Multiple DHCP Servers ..............................................10 5. RFC 4388 Considerations ........................................11 6. Security Considerations ........................................11 7. Acknowledgments ................................................11 8. References .....................................................12 8.1. Normative References ......................................12 8.2. Informative References ....................................12
DHCP relay agents snoop DHCP messages and append a Relay Agent Information option before relaying them to the configured DHCP server. In this process, some relay agents also glean the lease information sent by the server and maintain this locally. This information is used to prevent spoofing attempts from clients and also sometimes to install routing information. When a relay agent reboots, this information is lost. RFC 4388 [RFC4388] has defined a mechanism to retrieve this lease information from the DHCP server. The existing query types defined by RFC 4388 [RFC4388] are data-driven. When a client sends data upstream, the relay agent can query the server about the related lease information, based on the source MAC/IP address. These mechanisms do not scale well when there are thousands of clients connected to the relay agent. In the data-driven model, lease query does not provide the full and consolidated active lease information associated with a given connection/circuit, which will result in inefficient anti-spoofing. The relay agent also has to contend with considerable resources for negative caching, especially under spoofing attacks.
DHCP中继代理嗅探DHCP消息,并在将其中继到配置的DHCP服务器之前附加中继代理信息选项。在此过程中,一些中继代理还收集服务器发送的租约信息,并在本地进行维护。此信息用于防止来自客户端的欺骗尝试,有时还用于安装路由信息。中继代理重新启动时,此信息将丢失。RFC 4388[RFC4388]定义了一种从DHCP服务器检索此租约信息的机制。RFC 4388[RFC4388]定义的现有查询类型是数据驱动的。当客户端向上游发送数据时,中继代理可以根据源MAC/IP地址向服务器查询相关的租约信息。当有数千个客户端连接到中继代理时,这些机制无法很好地扩展。在数据驱动模型中,租约查询不提供与给定连接/电路相关的完整和整合的活动租约信息,这将导致低效的反欺骗。中继代理还必须与大量资源进行反向缓存,特别是在欺骗攻击下。
We need a mechanism for a relay agent to retrieve the consolidated lease information for a given connection/circuit before upstream traffic is sent by the clients.
我们需要一种机制,让中继代理在客户端发送上游流量之前检索给定连接/电路的合并租约信息。
+--------+ | DHCP | +--------------+ | Server |-...-| DSLAM | | | | Relay Agent | +--------+ +--------------+ | | +------+ +------+ |Modem1| |Modem2| +------+ +------+ | | | +-----+ +-----+ +-----+ |Node1| |Node2| |Node3| +-----+ +-----+ +-----+
+--------+ | DHCP | +--------------+ | Server |-...-| DSLAM | | | | Relay Agent | +--------+ +--------------+ | | +------+ +------+ |Modem1| |Modem2| +------+ +------+ | | | +-----+ +-----+ +-----+ |Node1| |Node2| |Node3| +-----+ +-----+ +-----+
Figure 1
图1
For example, when a DSLAM (Digital Subscriber Line Access Multiplexer) acting as a relay agent is rebooted, it should query the server for the lease information for all the connections/circuits. Also, as shown in the above figure, there could be multiple clients on one DSL circuit. The relay agent should get the lease information of all the clients connected to a DSL circuit. This is possible by introducing a new query type based on the Remote ID sub-option of the Relay Agent Information option. This document talks about the motivation for the new query type and the method to perform it.
例如,当作为中继代理的DSLAM(数字用户线路接入多路复用器)重新启动时,它应该向服务器查询所有连接/电路的租约信息。此外,如上图所示,一个DSL电路上可能有多个客户端。中继代理应获取连接到DSL电路的所有客户端的租约信息。这可以通过引入基于中继代理信息选项的远程ID子选项的新查询类型来实现。本文讨论了新查询类型的动机和执行方法。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。
This document uses the following terms:
本文件使用以下术语:
o Access Concentrator
o 访问集中器
An access concentrator is a router or switch at the broadband access provider's edge of a public broadband access network. This document assumes that the access concentrator includes the DHCP relay agent functionality.
接入集中器是位于公共宽带接入网络的宽带接入提供商边缘的路由器或交换机。本文档假设访问集中器包含DHCP中继代理功能。
o DHCP client
o DHCP客户端
A DHCP client is an Internet node using DHCP to obtain configuration parameters such as a network address.
DHCP客户端是使用DHCP获取配置参数(如网络地址)的Internet节点。
o DHCP relay agent
o DHCP 中继代理
A DHCP relay agent is a third-party agent that transfers Bootstrap Protocol (BOOTP) and DHCP messages between clients and servers residing on different subnets, per RFC 951 [RFC951] and RFC 1542 [RFC1542].
DHCP中继代理是第三方代理,根据RFC 951[RFC951]和RFC 1542[RFC1542],在位于不同子网上的客户端和服务器之间传输引导协议(BOOTP)和DHCP消息。
o DHCP server
o DHCP服务器
A DHCP server is an Internet node that returns configuration parameters to DHCP clients.
DHCP服务器是向DHCP客户端返回配置参数的Internet节点。
o Fast path
o 快车道
Fast path refers to data transfer that happens through a network processor or an Application Specific Integrated Circuit (ASIC) programmed to forward the data at very high speeds.
快速路径是指通过网络处理器或特定于应用的集成电路(ASIC)进行的数据传输,该集成电路被编程为以非常高的速度转发数据。
o Gleaning
o 搜集
Gleaning is the extraction of location information from DHCP messages as the messages are forwarded by the DHCP relay agent function.
收集是在DHCP中继代理功能转发消息时从DHCP消息中提取位置信息。
o Location information
o 位置信息
Location information is information needed by the access concentrator to forward traffic to a broadband-accessible node. This information includes knowledge of the node's hardware address, the port or virtual circuit that leads to the node, and/or the hardware address of the intervening subscriber modem.
位置信息是接入集中器将业务转发到宽带接入节点所需的信息。此信息包括节点的硬件地址、通向节点的端口或虚拟电路和/或介入用户调制解调器的硬件地址。
o MAC address
o MAC地址
In the context of a DHCP packet, a MAC address consists of the following fields: hardware type ("htype"), hardware length ("hlen"), and client hardware address ("chaddr").
在DHCP数据包的上下文中,MAC地址由以下字段组成:硬件类型(“htype”)、硬件长度(“hlen”)和客户端硬件地址(“chaddr”)。
o Slow path
o 慢路
Slow path refers to data transfer that happens through the control plane. This has very limited buffers to store data, and the speeds are very low compared to the fast path data transfer.
慢路径是指通过控制平面进行的数据传输。这有非常有限的缓冲区来存储数据,与快速路径数据传输相比,速度非常低。
o Upstream
o 上游
Upstream is the direction from the broadband subscriber towards the access concentrator.
上行是从宽带用户到接入集中器的方向。
Consider an access concentrator (e.g., DSLAM) working also as a DHCP relay agent. A "fast path" and a "slow path" generally exist in most networking boxes. Fast path processing is done in a network processor or an ASIC. Slow path processing is done in a normal processor. As much as possible, regular data forwarding should be done in the fast path. Slow path processing should be reduced, as it may become a bottleneck.
考虑作为DHCP中继代理工作的接入集中器(例如DSLAM)。“快速路径”和“慢速路径”通常存在于大多数网络盒中。快速路径处理在网络处理器或ASIC中完成。慢路径处理是在普通处理器中完成的。应尽可能在快速路径中进行常规数据转发。应减少慢路径处理,因为它可能成为瓶颈。
For an access concentrator having multiple access ports, multiple IP addresses may be assigned to a single port using DHCP, and the number of clients on a port may be unknown. The access concentrator may also not know the network portions of the IP addresses that are assigned to its DHCP clients.
对于具有多个接入端口的接入集中器,可以使用DHCP将多个IP地址分配给单个端口,并且端口上的客户端数量可能未知。接入集中器也可能不知道分配给其DHCP客户端的IP地址的网络部分。
The access concentrator gleans IP address or other information from DHCP negotiations for antispoofing and other purposes. The antispoofing itself is done in the fast path. The access concentrator keeps track of only one list of IP addresses: the list of IP addresses that are assigned by the DHCP servers; upstream traffic from all other IP addresses is dropped. If a client starts its data transfer after its DHCP negotiations have been gleaned by the access concentrator, no legitimate packets will be dropped because of antispoofing. In other words, antispoofing is effective (no legitimate packets are dropped, and all spoofed packets are dropped) and efficient (antispoofing is done in the fast path). The intention is to achieve similar effective and efficient antispoofing in the lease query scenario also, when an access concentrator loses its gleaned information (for example, because of a reboot).
访问集中器从DHCP协商中收集IP地址或其他信息,用于反垃圾邮件和其他目的。反吹扫本身是在快速路径中完成的。访问集中器只跟踪一个IP地址列表:DHCP服务器分配的IP地址列表;来自所有其他IP地址的上游流量将被丢弃。如果客户端在访问集中器收集到其DHCP协商后开始数据传输,则不会因为反屏蔽而丢弃任何合法数据包。换句话说,反垃圾邮件是有效的(没有合法的数据包被丢弃,所有伪造的数据包都被丢弃)和有效的(反垃圾邮件是在快速路径中完成的)。其目的是在访问集中器丢失其收集到的信息(例如,由于重新启动)时,在租约查询场景中也实现类似的有效和高效的反垃圾邮件。
After a deep analysis, we found that the three existing query types supported by RFC 4388 [RFC4388] do not provide effective and efficient antispoofing for the above scenario, and a new mechanism is required.
经过深入分析,我们发现RFC 4388[RFC4388]支持的现有三种查询类型并没有为上述场景提供有效的反扫频,需要一种新的机制。
The existing query types necessitate a data-driven approach: the lease queries can only be performed when the access concentrator receives data. This results in
现有的查询类型需要数据驱动的方法:只有在访问集中器接收数据时才能执行租赁查询。这导致
o increased outage time for clients
o 增加了客户端的停机时间
o excessive negative caching, consuming a lot of resources under a spoofing attack
o 过度负面缓存,在欺骗攻击下消耗大量资源
o antispoofing being done in the slow path instead of the fast path
o 在慢速路径而不是快速路径中进行防喷
This section talks about the protocol details for query by Remote ID. Most of the message handling is similar to RFC 4388 [RFC4388], and this section highlights only the differences. Readers are advised to go through RFC 4388 [RFC4388] before going through this section for complete understanding of the protocol.
本节讨论通过远程ID进行查询的协议细节。大多数消息处理与RFC 4388[RFC4388]类似,本节仅强调不同之处。在阅读本节之前,建议读者先阅读RFC 4388[RFC4388],以完全理解协议。
When used in this document, the unqualified term "DHCPLEASEQUERY" indicates a lease query by Remote ID, unless otherwise specified.
除非另有规定,否则在本文档中使用的非限定术语“DHCPLEASEQUERY”表示通过远程ID进行的租赁查询。
RFC 3046 [RFC3046] defines two sub-options for the Relay Agent Information option. Sub-option 1 corresponds to the Circuit ID that identifies the local circuit of the access concentrator. This sub-option is unique to the relay agent. Sub-option 2 corresponds to the Remote ID that identifies the remote node connected to the access concentrator. The Remote ID is globally unique in the network and is configured per circuit/connection in the relay agent.
RFC 3046[RFC3046]为中继代理信息选项定义了两个子选项。子选项1对应于识别接入集中器本地电路的电路ID。此子选项对于中继代理是唯一的。子选项2对应于标识连接到接入集中器的远程节点的远程ID。远程ID在网络中是全局唯一的,并且在中继代理中根据电路/连接进行配置。
This document defines a new query type based on the Remote ID sub-option. Suppose that the access concentrator (e.g., DSLAM) lost the lease information when it was rebooted. When the access concentrator comes up, it initiates (for each connection/circuit) a DHCP lease query by Remote ID as defined in this section. For this query, the requester supplies an option 82 that includes only a Remote ID sub-option in the DHCPLEASEQUERY message. The Remote ID is normally pre-provisioned in the access concentrator per circuit/ connection and hence will remain available to the access concentrator after reboot.
此文档基于“远程ID”子选项定义新的查询类型。假设访问集中器(例如DSLAM)在重新启动时丢失了租约信息。当访问集中器启动时,它根据本节中定义的远程ID启动(针对每个连接/电路)DHCP租约查询。对于该查询,请求者提供选项82,该选项82在DHCPLEASEQUERY消息中仅包括远程ID子选项。远程ID通常在每个电路/连接的访问集中器中预先设置,因此在重新启动后将保持对访问集中器可用。
The DHCP server MUST reply with a DHCPLEASEACTIVE message if there is an active lease corresponding to the Remote ID that is present in the DHCPLEASEQUERY message. Otherwise, the server MUST reply with a DHCPLEASEUNKNOWN message. Servers that do not implement DHCP lease query based on Remote ID SHOULD simply not respond.
如果存在与DHCPLEASEQUERY消息中存在的远程ID对应的活动租约,则DHCP服务器必须使用DHCPLEASEACTIVE消息进行回复。否则,服务器必须回复一条未知消息。不实现基于远程ID的DHCP租约查询的服务器不应响应。
The lease query defined in this document will mostly be used by access concentrators, but it may also be used by other authorized elements in the network. The DHCPLEASEQUERY message uses the DHCP message format as described in RFC 2131 [RFC2131], and uses message number 10 in the DHCP Message Type option (option 53). The DHCPLEASEQUERY message has the following pertinent message contents:
本文档中定义的租约查询主要由访问集中器使用,但也可由网络中的其他授权元素使用。DHCPLEASEQUERY消息使用RFC 2131[RFC2131]中所述的DHCP消息格式,并在DHCP消息类型选项(选项53)中使用消息编号10。DHCPLEASEQUERY消息具有以下相关消息内容:
o There MUST be a Relay Agent Information option (option 82) with only a Remote ID sub-option (sub-option 2) in the DHCPLEASEQUERY message.
o DHCPLEASEQUERY消息中必须有一个中继代理信息选项(选项82),其中只有一个远程ID子选项(子选项2)。
o The Parameter Request List option [RFC2132] MUST be populated by the access concentrator with the Associated-IP option code. The giaddr field and other option codes listed in the Parameter Request List option are set as explained in Section 6.2 of RFC 4388 [RFC4388].
o 参数请求列表选项[RFC2132]必须由访问集中器使用相关的IP选项代码填充。参数请求列表选项中列出的giaddr字段和其他选项代码如RFC 4388[RFC4388]第6.2节所述进行设置。
o The ciaddr field MUST be set to zero.
o ciaddr字段必须设置为零。
o The values of htype, hlen, and chaddr MUST be set to zero.
o htype、hlen和chaddr的值必须设置为零。
o The Client Identifier option (option 61) MUST NOT appear in the packet.
o 客户端标识符选项(选项61)不得出现在数据包中。
The DHCPLEASEQUERY message SHOULD be sent to a DHCP server that is known to possess authoritative information concerning the Remote ID. The DHCPLEASEQUERY message MAY be sent to more than one DHCP server, and in the absence of information concerning which DHCP server might possess authoritative information concerning the Remote ID, it SHOULD be sent to all DHCP servers configured for the associated relay agent (if any are known).
DHCPLEASEQUERY消息应发送至已知拥有关于远程ID的权威信息的DHCP服务器。DHCPLEASEQUERY消息可发送至多个DHCP服务器,并且在没有关于哪个DHCP服务器可能拥有关于远程ID的权威信息的信息的情况下,应将其发送到为关联中继代理配置的所有DHCP服务器(如果已知)。
There are two possible responses to a DHCPLEASEQUERY message:
对DHCPLEASEQUERY消息有两种可能的响应:
o DHCPLEASEUNKNOWN
o DHCPL未知
The DHCPLEASEUNKNOWN message indicates that the client associated with the Remote ID sub-option of the DHCPLEASEQUERY message is not allocated any lease or it is not managed by the server.
DHCPLEASEUNKNOWN消息表示与DHCPLEASEQUERY消息的Remote ID子选项关联的客户端未分配任何租约或未由服务器管理。
o DHCPLEASEACTIVE
o DHCPlaseActive
The DHCPLEASEACTIVE message indicates that the server not only knows the client specified in the DHCPLEASEQUERY message, but also knows that there is an active lease for that client.
DHCPLEASEACTIVE消息表示服务器不仅知道DHCPLEASEQUERY消息中指定的客户端,还知道该客户端存在活动租约。
A DHCPLEASEACTIVE message is built by populating information pertaining to the client associated with the IP address specified in the ciaddr field.
DHCPLEASEACTIVE消息是通过填充与ciaddr字段中指定的IP地址关联的客户机相关的信息构建的。
In the case where more than one IP address has been involved in a DHCP message exchange with the client specified by the Remote ID, then the list of all those IP addresses MUST be returned in the Associated-IP option, whether or not that option was requested as part of the Parameter Request List option. This is intended for maintaining backwards compatibility with RFC 4388 [RFC4388].
如果与远程ID指定的客户端进行DHCP消息交换时涉及多个IP地址,则必须在关联的IP选项中返回所有这些IP地址的列表,无论该选项是否作为参数请求列表选项的一部分被请求。这是为了保持与RFC 4388[RFC4388]的向后兼容性。
All other options specified in the Parameter Request List [RFC2132] are processed as mentioned in Section 6.4.2 of RFC 4388 [RFC4388].
参数请求列表[RFC2132]中规定的所有其他选项均按照RFC 4388[RFC4388]第6.4.2节中所述进行处理。
In a DHCPLEASEUNKNOWN response message, the DHCP server MUST echo the option 82 received in the DHCPLEASEQUERY message. No other option is included in the message.
在DHCPLEASEUNKNOWN响应消息中,DHCP服务器必须回显DHCPLEASEQUERY消息中接收到的选项82。消息中不包括其他选项。
The IP address placed in the ciaddr field of a DHCPLEASEACTIVE message MUST be the IP address with the latest client-last-transaction-time associated with the client described by the Remote ID specified in the DHCPLEASEQUERY message.
放置在DHCPLEASEACTIVE消息的ciaddr字段中的IP地址必须是与DHCPLEASEQUERY消息中指定的远程ID所描述的客户端关联的最新客户端上次事务时间的IP地址。
If there is only a single IP address that fulfills this criteria, then it MUST be placed in the ciaddr field of the DHCPLEASEACTIVE message.
如果只有一个IP地址满足此条件,则必须将其置于DHCPLEASEACTIVE消息的ciaddr字段中。
In the case where more than one IP address has been accessed by the client specified by the Remote ID, then the DHCP server MUST return the IP address returned to the client in the most recent transaction with the client, unless the DHCP server has been configured by the server administrator to use some other preference mechanism.
如果远程ID指定的客户端访问了多个IP地址,则DHCP服务器必须返回在最近与客户端的事务中返回给客户端的IP地址,除非服务器管理员已将DHCP服务器配置为使用某些其他首选项机制。
The server unicasts the DHCPLEASEACTIVE or DHCPLEASEUNKNOWN message to the address specified in the giaddr field of the DHCPLEASEQUERY message.
服务器将DHCPLEASEACTIVE或DHCPLEASEUNKNOWN消息单播到DHCPLEASEQUERY消息的giaddr字段中指定的地址。
When a DHCPLEASEACTIVE message is received in response to the DHCPLEASEQUERY message, it means that there is currently an active lease associated with the Remote ID in the DHCP server. The access concentrator SHOULD use the information in the htype, hlen, and chaddr fields of the DHCPLEASEACTIVE message as well as the Relay
当接收到响应DHCPLEASEQUERY消息的DHCPLEASEACTIVE消息时,表示当前存在与DHCP服务器中的远程ID相关联的活动租约。访问集中器应使用DHCPLEASEACTIVE消息的htype、hlen和chaddr字段中的信息以及中继
Agent Information option included in the packet to refresh its location information for this IP address. An access concentrator is likely to query by IP address for all the IP addresses specified in the Associated-IP option in the response, if any, at this point in time.
数据包中包含的代理信息选项,用于刷新此IP地址的位置信息。访问集中器可能会按IP地址查询响应中关联的IP选项中指定的所有IP地址(如果有的话)。
When a DHCPLEASEUNKNOWN message is received by an access concentrator that had sent out a DHCPLEASEQUERY message, it means that the DHCP server does not have definitive information concerning the DHCP client specified in the Remote ID sub-option of the DHCPLEASEQUERY message. The access concentrator MAY store this information for future use. However, another DHCPLEASEQUERY message to the same DHCP server SHOULD NOT be attempted with the same Remote ID sub-option.
当发送DHCPLEASEQUERY消息的访问集中器接收到DHCPLEASEUNKNOWN消息时,这意味着DHCP服务器没有关于DHCPLEASEQUERY消息的远程ID子选项中指定的DHCP客户端的确定信息。接入集中器可存储该信息以供将来使用。但是,不应使用相同的远程ID子选项尝试向同一DHCP服务器发送另一条DHCPLEASEQUERY消息。
For lease query by Remote ID, the impact of negative caching is greatly reduced, as the response leads to "definitive" information on all the nodes connected behind the connection. Note that in the case of the data-driven approach [RFC4388], a node spoofing several IP addresses can lead to negative caching of greater magnitude. Another important change that this document brings is the removal of periodic lease queries generated from negative caching caused by DHCPLEASEUNKNOWN messages. Since the information obtained through query by Remote ID is complete, there is no need to attempt lease query again for the same connection.
对于通过远程ID进行的租约查询,负面缓存的影响会大大降低,因为响应会在连接后面连接的所有节点上产生“确定”信息。请注意,在数据驱动方法[RFC4388]的情况下,节点欺骗多个IP地址可能导致更大程度的负缓存。本文档带来的另一个重要变化是删除了由未知消息引起的负缓存生成的定期租约查询。由于通过远程ID查询获得的信息已完成,因此无需再次尝试对同一连接进行租赁查询。
The condition of an access concentrator receiving no response to a DHCPLEASEQUERY message is handled in the same manner as suggested in RFC 4388 [RFC4388].
访问集中器未收到对DHCPLEASEQUERY消息的响应的情况以RFC 4388[RFC4388]中建议的相同方式处理。
Implementation Note:
实施说明:
To generate replies for a lease query by Remote ID efficiently, a DHCP server should index the lease-binding data structures using Remote ID.
为了有效地通过远程ID生成租约查询的答复,DHCP服务器应该使用远程ID对租约绑定数据结构进行索引。
This scenario is handled in the same way it is done in RFC 4388 [RFC4388].
该场景的处理方式与RFC 4388[RFC4388]中的处理方式相同。
This document is compatible with RFC 4388-based [RFC4388] implementations, which means that a client that supports this extension can work with a server not supporting this document, provided it uses RFC 4388-defined query types. Also, a server supporting this document can work with a client not supporting this query type. However, there are some changes that this document proposes with respect to RFC 4388 [RFC4388]. Implementers extending RFC 4388 [RFC4388] implementations to support this document should take note of the following points:
此文档与基于RFC 4388的[RFC4388]实现兼容,这意味着支持此扩展的客户端可以与不支持此文档的服务器一起工作,前提是它使用RFC 4388定义的查询类型。此外,支持此文档的服务器可以与不支持此查询类型的客户端一起工作。然而,本文件对RFC 4388[RFC4388]提出了一些修改。扩展RFC 4388[RFC4388]实现以支持本文档的实施者应注意以下几点:
o There may be cases where a query by IP address/MAC address/Client Identifier has an option 82 containing a Remote ID. In that case, the query will still be recognized as a query by IP address/MAC address/Client Identifier as specified by RFC 4388 [RFC4388].
o 在某些情况下,按IP地址/MAC地址/客户端标识符进行的查询可能有一个包含远程ID的选项82。在这种情况下,查询仍将被识别为按RFC 4388[RFC4388]指定的IP地址/MAC地址/客户端标识符进行的查询。
o Section 6.4 of RFC 4388 [RFC4388] suggests that a DHCPLEASEUNKNOWN message MUST NOT have any other option present. But for a query by Remote ID, option 82 MUST be present in the reply.
o RFC 4388[RFC4388]第6.4节建议,DHCPLEASEUNKNOWN消息不得存在任何其他选项。但对于通过远程ID进行的查询,选项82必须出现在回复中。
This document inherits the security concerns present in the original lease query protocol specification (RFC 4388 [RFC4388]).
本文档继承了原始租约查询协议规范(RFC 4388[RFC4388])中存在的安全问题。
This specification introduces one additional issue, beyond those described in RFC 4388 [RFC4388]. A query by Remote ID will result in the server replying with consolidated lease-binding information. Such a query, if done from an unauthorized source, may lead to a leak of lease-binding information. It is critical to deploy authentication techniques mentioned in RFC 3118 [RFC3118] to prevent such unauthorized lease queries.
除了RFC 4388[RFC4388]中描述的问题外,本规范还引入了一个附加问题。按远程ID进行的查询将导致服务器使用合并的租约绑定信息进行响应。如果从未经授权的来源进行此类查询,可能会导致租赁绑定信息泄漏。部署RFC 3118[RFC3118]中提到的身份验证技术以防止此类未经授权的租赁查询是至关重要的。
Copious amounts of text in this document are derived from RFC 4388 [RFC4388]. Kim Kinnear, Damien Neil, Stephen Jacob, Ted Lemon, Ralph Droms, and Alfred Hoenes provided valuable feedback on this document.
本文件中大量文本源自RFC 4388[RFC4388]。Kim Kinnear、Damien Neil、Stephen Jacob、Ted Lemon、Ralph Droms和Alfred Hoenes就本文件提供了宝贵的反馈。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC4388] Woundy, R. and K. Kinnear, "Dynamic Host Configuration Protocol (DHCP) Leasequery", RFC 4388, February 2006.
[RFC4388]Woundy,R.和K.Kinnear,“动态主机配置协议(DHCP)租赁”,RFC 4388,2006年2月。
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997.
[RFC2131]Droms,R.,“动态主机配置协议”,RFC21311997年3月。
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, March 1997.
[RFC2132]Alexander,S.和R.Droms,“DHCP选项和BOOTP供应商扩展”,RFC 21321997年3月。
[RFC3046] Patrick, M., "DHCP Relay Agent Information Option", RFC 3046, January 2001.
[RFC3046]Patrick,M.,“DHCP中继代理信息选项”,RFC3046,2001年1月。
[RFC3118] Droms, R., Ed. and W. Arbaugh, Ed., "Authentication for DHCP Messages", RFC 3118, June 2001.
[RFC3118]Droms,R.,Ed.和W.Arbaugh,Ed.,“DHCP消息的身份验证”,RFC31182001年6月。
[RFC951] Croft, B. and J. Gilmore, "Bootstrap Protocol (BOOTP)", RFC 951, September 1985.
[RFC951]Croft,B.和J.Gilmore,“引导协议(BOOTP)”,RFC9511985年9月。
[RFC1542] Wimer, W., "Clarifications and Extensions for the Bootstrap Protocol", RFC 1542, October 1993.
[RFC1542]Wimer,W.“引导协议的澄清和扩展”,RFC 1542,1993年10月。
Authors' Addresses
作者地址
Pavan Kurapati Juniper Networks Embassy Prime Buildings, C.V. Raman Nagar Bangalore 560 093 India
Pavan Kurapati Juniper Networks大使馆主楼,C.V.Raman Nagar Bangalore 560093印度
EMail: kurapati@juniper.net URI: http://www.juniper.net/
EMail: kurapati@juniper.net URI: http://www.juniper.net/
D.T.V Ramakrishna Rao Infosys Technologies Ltd. 44 Electronics City, Hosur Road Bangalore 560 100 India
印度班加罗尔霍苏尔路电子城44号罗摩克里希纳·拉奥信息系统技术有限公司D.T.V.560 100
EMail: ramakrishnadtv@infosys.com URI: http://www.infosys.com/
EMail: ramakrishnadtv@infosys.com URI: http://www.infosys.com/
Bharat Joshi Infosys Technologies Ltd. 44 Electronics City, Hosur Road Bangalore 560 100 India
印度班加罗尔霍苏尔路44号电子城Bharat Joshi Infosys Technologies Ltd.560 100
EMail: bharat_joshi@infosys.com URI: http://www.infosys.com/
EMail: bharat_joshi@infosys.com URI: http://www.infosys.com/