Internet Engineering Task Force (IETF)                          D. Miles
Request for Comments: 6704                                        Google
Updates: 3203                                                     W. Dec
Category: Standards Track                                  Cisco Systems
ISSN: 2070-1721                                               J. Bristow
                                                     Swisscom Schweiz AG
                                                             R. Maglione
                                                          Telecom Italia
                                                             August 2012
        
Internet Engineering Task Force (IETF)                          D. Miles
Request for Comments: 6704                                        Google
Updates: 3203                                                     W. Dec
Category: Standards Track                                  Cisco Systems
ISSN: 2070-1721                                               J. Bristow
                                                     Swisscom Schweiz AG
                                                             R. Maglione
                                                          Telecom Italia
                                                             August 2012
        

Forcerenew Nonce Authentication

强制更新临时身份验证

Abstract

摘要

Dynamic Host Configuration Protocol (DHCP) FORCERENEW allows for the reconfiguration of a single host by forcing the DHCP client into a Renew state on a trigger from the DHCP server. In the Forcerenew Nonce Authentication protocol, the server sends a nonce to the client in the initial DHCP ACK that is used for subsequent validation of a FORCERENEW message. This document updates RFC 3203.

动态主机配置协议(DHCP)FORCERENEW允许通过在DHCP服务器的触发器上强制DHCP客户端进入续订状态来重新配置单个主机。在Forcerenew Nonce身份验证协议中,服务器在初始DHCP ACK中向客户端发送一个Nonce,用于后续验证Forcerenew消息。本文档更新了RFC 3203。

Status of This Memo

关于下段备忘

This is an Internet Standards Track document.

这是一份互联网标准跟踪文件。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6704.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6704.

Copyright Notice

版权公告

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2012 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1. Introduction ....................................................2
   2. Requirements Language ...........................................3
   3. Message Authentication ..........................................3
      3.1. Forcerenew Nonce Authentication ............................3
           3.1.1. Forcerenew Nonce Protocol Capability Option .........4
           3.1.2. Forcerenew Nonce Authentication Protocol ............6
           3.1.3. Server Considerations for Forcerenew Nonce
                  Authentication ......................................8
           3.1.4. Client Considerations for Forcerenew Nonce
                  Authentication ......................................9
   4. IANA Considerations ............................................10
   5. Security Considerations ........................................10
      5.1. Protocol Vulnerabilities ..................................11
   6. Acknowledgements ...............................................11
   7. Normative References ...........................................11
        
   1. Introduction ....................................................2
   2. Requirements Language ...........................................3
   3. Message Authentication ..........................................3
      3.1. Forcerenew Nonce Authentication ............................3
           3.1.1. Forcerenew Nonce Protocol Capability Option .........4
           3.1.2. Forcerenew Nonce Authentication Protocol ............6
           3.1.3. Server Considerations for Forcerenew Nonce
                  Authentication ......................................8
           3.1.4. Client Considerations for Forcerenew Nonce
                  Authentication ......................................9
   4. IANA Considerations ............................................10
   5. Security Considerations ........................................10
      5.1. Protocol Vulnerabilities ..................................11
   6. Acknowledgements ...............................................11
   7. Normative References ...........................................11
        
1. Introduction
1. 介绍

The DHCP reconfigure extension defined in [RFC3203] is a useful mechanism allowing dynamic reconfiguration of a single host triggered by the DHCP server. Its application is currently limited by a requirement that a Forcerenew message is always authenticated using procedures as described in [RFC3118]. Authentication for DHCP [RFC3118] is mandatory for FORCERENEW; however, as it is currently defined, [RFC3118] requires distribution of constant token or shared-secret out-of-band to DHCP clients.

[RFC3203]中定义的DHCP重新配置扩展是一种有用的机制,允许动态重新配置DHCP服务器触发的单个主机。其应用目前受到以下要求的限制:Forcerenew消息始终使用[RFC3118]中所述的程序进行身份验证。FORCERENEW必须对DHCP[RFC3118]进行身份验证;然而,正如目前定义的,[RFC3118]需要将恒定令牌或共享密钥带外分发给DHCP客户端。

The motivation for making authentication mandatory in DHCP FORCERENEW was to prevent an off-network attacker from taking advantage of DHCP FORCERENEW to accurately predict the timing of a DHCP renewal. Without DHCP FORCERENEW, DHCP renewal timing is under the control of

在DHCP FORCERENEW中强制进行身份验证的动机是防止网络外攻击者利用DHCP FORCERENEW准确预测DHCP续订的时间。没有DHCP FORCERENEW,DHCP续订时间由

the client, and an off-network attacker has no way of predicting when it will happen, since it doesn't have access to the exchange between the DHCP client and DHCP server.

客户端和脱离网络的攻击者无法预测何时会发生这种情况,因为他们无法访问DHCP客户端和DHCP服务器之间的交换。

However, the requirement to use the DHCP authentication described in [RFC3118] is more stringent than is required for this use case and has limited adoption of DHCP FORCERENEW. [RFC3315] defines an authentication protocol using a nonce to prevent off-network attackers from successfully causing clients to renew. Since the off-network attacker doesn't have access to the nonce, it can't trick the client into renewing at a time of its choosing.

然而,[RFC3118]中描述的使用DHCP身份验证的要求比本用例要求的更严格,并且限制了DHCP的采用。[RFC3315]使用nonce定义身份验证协议,以防止网络外攻击者成功导致客户端续订。由于脱离网络的攻击者无法访问nonce,因此无法诱使客户端在其选择的时间续订。

This document defines extensions to Authentication for DHCPv4 Messages [RFC3118] to create a new authentication protocol for DHCPv4 FORCERENEW [RFC3203] messages; this method does not require out-of-band key distribution to DHCP clients. The Forcerenew Nonce is exchanged between server and client on initial DHCP ACK and is used for verification of any subsequent FORCERENEW message. This document updates [RFC3203].

本文档定义了DHCPv4消息[RFC3118]的身份验证扩展,以创建DHCPv4 FORCERENEW[RFC3203]消息的新身份验证协议;此方法不需要向DHCP客户端分发带外密钥。Forcerenew Nonce在初始DHCP ACK时在服务器和客户端之间交换,并用于验证任何后续Forcerenew消息。本文件更新了[RFC3203]。

2. Requirements Language
2. 需求语言

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。

3. Message Authentication
3. 消息身份验证

The Forcerenew message MUST be authenticated using either [RFC3118] or the proposed Forcerenew Nonce Authentication protocol.

必须使用[RFC3118]或建议的Forcerenew Nonce身份验证协议对Forcerenew消息进行身份验证。

3.1. Forcerenew Nonce Authentication
3.1. 强制更新临时身份验证

The Forcerenew Nonce Authentication protocol provides protection against misconfiguration of a client caused by a Forcerenew message sent by a malicious DHCP server. In this protocol, a DHCP server sends a Forcerenew Nonce to the client in the initial exchange of DHCP messages. The client records the Forcerenew Nonce for use in authenticating subsequent Forcerenew messages from that server. The server then includes a Hashed Message Authentication Code (HMAC) computed from the Forcerenew nonce in subsequent Forcerenew messages.

Forcerenew Nonce身份验证协议可防止恶意DHCP服务器发送的Forcerenew消息导致客户端配置错误。在此协议中,DHCP服务器在DHCP消息的初始交换中向客户端发送Forcerenew Nonce。客户端记录Forcerenew Nonce以用于验证来自该服务器的后续Forcerenew消息。然后,服务器在后续的Forcerenew消息中包含根据Forcerenew nonce计算的哈希消息身份验证码(HMAC)。

Both the Forcerenew Nonce sent from the server to the client and the HMAC in subsequent Forcerenew messages are carried as the Authentication information in a DHCP Authentication option. The format of the Authentication information is defined in the following section.

从服务器发送到客户端的Forcerenew Nonce和后续Forcerenew消息中的HMAC都作为DHCP身份验证选项中的身份验证信息携带。认证信息的格式在下一节中定义。

The Forcerenew Nonce Authentication protocol is used (initiated by the server) only if the client and server are not using the authentication mechanism specified in [RFC3118] and the client and server have negotiated to use the Forcerenew Nonce Authentication protocol.

仅当客户端和服务器未使用[RFC3118]中指定的身份验证机制且客户端和服务器已协商使用Forcerenew Nonce身份验证协议时,才使用Forcerenew Nonce身份验证协议(由服务器启动)。

3.1.1. Forcerenew Nonce Protocol Capability Option
3.1.1. Forcerenew Nonce协议功能选项

A DHCP client indicates DHCP Forcerenew Nonce Protocol capability by including a FORCERENEW_NONCE_CAPABLE (145) option in DHCP Discover and Request messages sent to the server.

DHCP客户端通过在发送到服务器的DHCP发现和请求消息中包含Forcerenew_Nonce_CAPABLE(145)选项来指示DHCP Forcerenew Nonce协议能力。

A DHCP server that does not support Forcerenew Nonce Authentication protocol authentication SHOULD ignore the FORCERENEW_NONCE_CAPABLE (145) option. A DHCP server indicates DHCP Forcerenew Nonce Protocol preference by including a FORCERENEW_NONCE_CAPABLE (145) option in any DHCP Offer messages sent to the client.

不支持Forcerenew Nonce身份验证协议身份验证的DHCP服务器应忽略Forcerenew Nonce CAPABLE(145)选项。DHCP服务器通过在发送到客户端的任何DHCP提供消息中包含Forcerenew_Nonce_CAPABLE(145)选项来指示DHCP Forcerenew Nonce协议首选项。

A DHCP client MUST NOT send DHCP messages with authentication options where the protocol value is Forcerenew Nonce Authentication.

当协议值为Forcerenew Nonce authentication时,DHCP客户端不得发送带有身份验证选项的DHCP消息。

The FORCERENEW_NONCE_CAPABLE option contains code 145, length n, and a sequence of algorithms the client supports:

FORCERENEW_NONCE_-CAPABLE选项包含代码145、长度n和客户端支持的一系列算法:

             Code   Len   Algorithms
            +-----+-----+----+----+----+
            | 145 |  n  | A1 | A2 | A3 | ....
            +-----+-----+----+----+----+
        
             Code   Len   Algorithms
            +-----+-----+----+----+----+
            | 145 |  n  | A1 | A2 | A3 | ....
            +-----+-----+----+----+----+
        

Figure 1: FORCERENEW_NONCE_CAPABLE Option

图1:FORCERENEW\u NONCE\u功能选项

In this document, Section 3.1.2 defines the Forcerenew Nonce Authentication protocol for algorithm equal to 1 and type equal to 2; future documents will specify the other values for algorithm !=1 and type !=2, allowing a different algorithm to be used with shorter/ longer values.

在本文件中,第3.1.2节定义了算法为1且类型为2的Forcerenew Nonce认证协议;未来的文档将指定算法的其他值=1和类型=2,允许对较短/较长的值使用不同的算法。

The client would indicate that it supports the functionality by inserting the FORCERENEW_NONCE_CAPABLE option in the DHCP Discover and Request messages. If the server supports Forcerenew nonce authentication and requires Forcerenew nonce authentication, it will insert the FORCERENEW_NONCE_CAPABLE option in the DHCPOFFER.

客户端将通过在DHCP发现和请求消息中插入FORCERENEW\u NONCE\u-CAPABLE选项来表示它支持该功能。如果服务器支持Forcerenew nonce身份验证并需要Forcerenew nonce身份验证,则它将在DHCPOFFER中插入支持Forcerenew_nonce_的选项。

Server Client Server (not selected) (selected)

服务器客户端服务器(未选择)(已选择)

                       v               v               v
                       |               |               |
                       |     Begins initialization     |
                       |               |               |
                       | _____________/|\____________  |
                       |/DHCPDISCOVER  | DHCPDISCOVER \|
                       | w/FORCERENEW- | w/FORCERENEW- |
                       | NONCE-CAPABLE | NONCE-CAPABLE |
                       |               |               |
                   Determines          |          Determines
                  configuration        |         configuration
                       |               |               |
                       |\              |              /|
                       | \__________   |    _________/ |
                       |  DHCPOFFER \  |   /DHCPOFFER  |
                       |w/FORCERENEW \ |  /w/FORCERENEW|
                       |NONCE-CAPABLE \| /NONCE-CAPABLE|
                       |               |               |
                       |       Collects replies        |
                       |               |               |
                       |     Selects configuration     |
                       |               |               |
                       | _____________/|\____________  |
                       |/ DHCPREQUEST  |  DHCPREQUEST\ |
                       | w/Forcerenew- | w/Forcerenew- |
                       | Nonce-Capable | Nonce-Capable |
                       |               |               |
                       |               |     Commits configuration
                       |               |               |
                       |               |Creates 128-bit Forcerenew Nonce
                       |               |               |
                       |               | _____________/|
                       |               |/ DHCPACK      |
                       |               | w/Auth-Proto= |
                       |               | Forcerenew-   |
                       |               |        Nonce  |
                       |               |               |
                       |Client stores Forcerenew Nonce |
                       |               |               |
                       |    Initialization complete    |
                       |               |               |
                       .               .               .
                       .               .               .
                       |               |               |
                       |          Forcerenew           |
        
                       v               v               v
                       |               |               |
                       |     Begins initialization     |
                       |               |               |
                       | _____________/|\____________  |
                       |/DHCPDISCOVER  | DHCPDISCOVER \|
                       | w/FORCERENEW- | w/FORCERENEW- |
                       | NONCE-CAPABLE | NONCE-CAPABLE |
                       |               |               |
                   Determines          |          Determines
                  configuration        |         configuration
                       |               |               |
                       |\              |              /|
                       | \__________   |    _________/ |
                       |  DHCPOFFER \  |   /DHCPOFFER  |
                       |w/FORCERENEW \ |  /w/FORCERENEW|
                       |NONCE-CAPABLE \| /NONCE-CAPABLE|
                       |               |               |
                       |       Collects replies        |
                       |               |               |
                       |     Selects configuration     |
                       |               |               |
                       | _____________/|\____________  |
                       |/ DHCPREQUEST  |  DHCPREQUEST\ |
                       | w/Forcerenew- | w/Forcerenew- |
                       | Nonce-Capable | Nonce-Capable |
                       |               |               |
                       |               |     Commits configuration
                       |               |               |
                       |               |Creates 128-bit Forcerenew Nonce
                       |               |               |
                       |               | _____________/|
                       |               |/ DHCPACK      |
                       |               | w/Auth-Proto= |
                       |               | Forcerenew-   |
                       |               |        Nonce  |
                       |               |               |
                       |Client stores Forcerenew Nonce |
                       |               |               |
                       |    Initialization complete    |
                       |               |               |
                       .               .               .
                       .               .               .
                       |               |               |
                       |          Forcerenew           |
        
                       |               | _____________/|
                       |               |/ DHCPFORCE    |
                       |               | w/Auth-Proto= |
                       |               | Forcerenew-   |
                       |               |   Digest(HMAC)|
                       |               |               |
                       | Client checks HMAC digest     |
                       | using stored Forcerenew Nonce |
                       |               |               |
                       |               |\____________  |
                       |               |  DHCPREQUEST\ |
                       |               | w/FORCERENEW- |
                       |               | NONCE-CAPABLE |
                       |               |               |
                       |               |     Commits configuration
                       |               |               |
                       |               |Creates 128-bit Forcerenew Nonce
                       |               |               |
                       |               | _____________/|
                       |               |/ DHCPACK      |
                       |               | w/Auth-Proto= |
                       |               |   Forcerenew- |
                       |               |         Nonce |
                       |               |               |
                       |               |               |
                       |               |               |
                       .               .               .
                       .               .               .
                       |               |               |
                       |      Graceful shutdown        |
                       |               |               |
                       |               |\ ____________ |
                       |               | DHCPRELEASE  \|
                       |               |               |
                       |               |        Discards lease
                       |               |               |
                       v               v               v
        
                       |               | _____________/|
                       |               |/ DHCPFORCE    |
                       |               | w/Auth-Proto= |
                       |               | Forcerenew-   |
                       |               |   Digest(HMAC)|
                       |               |               |
                       | Client checks HMAC digest     |
                       | using stored Forcerenew Nonce |
                       |               |               |
                       |               |\____________  |
                       |               |  DHCPREQUEST\ |
                       |               | w/FORCERENEW- |
                       |               | NONCE-CAPABLE |
                       |               |               |
                       |               |     Commits configuration
                       |               |               |
                       |               |Creates 128-bit Forcerenew Nonce
                       |               |               |
                       |               | _____________/|
                       |               |/ DHCPACK      |
                       |               | w/Auth-Proto= |
                       |               |   Forcerenew- |
                       |               |         Nonce |
                       |               |               |
                       |               |               |
                       |               |               |
                       .               .               .
                       .               .               .
                       |               |               |
                       |      Graceful shutdown        |
                       |               |               |
                       |               |\ ____________ |
                       |               | DHCPRELEASE  \|
                       |               |               |
                       |               |        Discards lease
                       |               |               |
                       v               v               v
        

Figure 2: Timeline Diagram of Messages Exchanged between DHCP Client and Servers Using the Forcerenew Nonce Authentication Protocol

图2:使用Forcerenew Nonce身份验证协议在DHCP客户端和服务器之间交换的消息的时间线图

3.1.2. Forcerenew Nonce Authentication Protocol
3.1.2. 强制更新Nonce身份验证协议

The Forcerenew Nonce Authentication protocol makes use of both the DHCP authentication option defined in [RFC3118] reusing the option format and of the Reconfigure Key Authentication Protocol defined in [RFC3315].

Forcerenew Nonce身份验证协议利用[RFC3118]中定义的DHCP身份验证选项重用选项格式和[RFC3315]中定义的重新配置密钥身份验证协议。

The following diagram defines the format of the DHCP authentication option:

下图定义了DHCP身份验证选项的格式:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Code      |    Length     |  Protocol     |   Algorithm   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     RDM       | Replay Detection (64 bits)                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Replay cont.                                                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Replay cont. |                                               |
      +-+-+-+-+-+-+-+-+                                               |
      |                                                               |
      |           Authentication Information                          |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Code      |    Length     |  Protocol     |   Algorithm   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     RDM       | Replay Detection (64 bits)                    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Replay cont.                                                 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Replay cont. |                                               |
      +-+-+-+-+-+-+-+-+                                               |
      |                                                               |
      |           Authentication Information                          |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Figure 3: Format of the DHCP Authentication Option

图3:DHCP身份验证选项的格式

The following fields are set in an DHCP authentication option for the Forcerenew Nonce Authentication protocol.

以下字段在Forcerenew Nonce身份验证协议的DHCP身份验证选项中设置。

Code: 90 (Authentication) per [RFC3118]

代码:90(认证)符合[RFC3118]

Length: contains the length of the protocol

长度:包含协议的长度

Protocol: 3 (Reconfigure Key) per [RFC3118]

协议:3(重新配置密钥)符合[RFC3118]

Algorithm: 1 (HMAC-MD5) per [RFC3118] and [RFC3315]

算法:每[RFC3118]和[RFC3315]1(HMAC-MD5)

Replay Detection: per the Replay Detection Method (RDM)

回放检测:根据回放检测方法(RDM)

Replay Detection Method (RDM): 0

重播检测方法(RDM):0

Authentication Information: specified below

身份验证信息:在下面指定

The format of the Authentication Information for the Forcerenew Nonce Authentication Protocol is as follows:

Forcerenew Nonce身份验证协议的身份验证信息格式如下:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |                 Value (128 bits)              |
      +-+-+-+-+-+-+-+-+                                               |
      .                                                               .
      .                                                               .
      .                                               +-+-+-+-+-+-+-+-+
      |                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |                 Value (128 bits)              |
      +-+-+-+-+-+-+-+-+                                               |
      .                                                               .
      .                                                               .
      .                                               +-+-+-+-+-+-+-+-+
      |                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        

Figure 4: Format of the Authentication Information

图4:身份验证信息的格式

Type: The type of data in Value field carried in this option:

类型:此选项中携带的值字段中的数据类型:

1 Forcerenew nonce Value (used in ACK message)

1强制更新当前值(用于确认消息)

2 HMAC-MD5 digest of the message (Forcerenew message)

2 HMAC-MD5信息摘要(强制更新信息)

Value: The message authentication code generated by applying MD5 to the DHCP message

值:通过将MD5应用于DHCP消息而生成的消息身份验证代码

3.1.3. Server Considerations for Forcerenew Nonce Authentication
3.1.3. Forcerenew Nonce身份验证的服务器注意事项

The use of Forcerenew Nonce Authentication protocol is dependent on the client indicating its capability through the FORCERENEW_NONCE_CAPABLE (145) DHCP option in any DHCP Discover or Request messages. The DHCP Discovery or Request message from the client MUST contain the FORCERENEW_NONCE_CAPABLE (145) option if the Forcerenew Nonce Protocol is to be used by the server. The absence of the FORCERENEW_NONCE_CAPABLE (145) option indicates to the server that the Forcerenew Nonce Authentication protocol is not supported; thus, the server MUST NOT include a Forcerenew Nonce Protocol Authentication option in the DHCP ACK.

Forcerenew Nonce身份验证协议的使用取决于客户端通过任何DHCP发现或请求消息中的Forcerenew Nonce CAPABLE(145)DHCP选项指示其能力。如果服务器要使用FORCERENEW NONCE协议,则来自客户端的DHCP发现或请求消息必须包含FORCERENEW NONCE CAPABLE(145)选项。缺少FORCERENEW_NONCE_CAPABLE(145)选项向服务器指示不支持FORCERENEW NONCE认证协议;因此,服务器不得在DHCP ACK中包含Forcerenew Nonce协议身份验证选项。

The server indicates its support of the Forcerenew Nonce Authentication protocol by including the DHCP FORCERENEW_NONCE_CAPABLE (145) option in the DHCPOFFER. The server SHOULD NOT include this option unless the client has indicated its capability in a DHCP Discovery message. The presence of the FORCERENEW_NONCE_CAPABLE (145) option in the DHCP offer may be used by clients to prefer DHCP servers that are Forcerenew Nonce Authentication protocol capable over those servers that do not support such capability.

服务器通过在DHCPOFFER中包含DHCP Forcerenew_Nonce_CAPABLE(145)选项来表示其对Forcerenew Nonce身份验证协议的支持。服务器不应包括此选项,除非客户端已在DHCP发现消息中指示其功能。DHCP服务中存在FORCERENEW_NONCE_-CAPABLE(145)选项可供客户端使用,以偏好支持FORCERENEW NONCE身份验证协议的DHCP服务器,而不是不支持该功能的服务器。

If a capable server receives a DISCOVER or REQUEST (any type) that indicates the client is capable, and the server has no previous nonce recorded, it MUST generate a nonce and include it in the ACK.

如果有能力的服务器接收到表明客户端有能力的发现或请求(任何类型),并且服务器没有记录以前的nonce,则必须生成nonce并将其包含在ACK中。

The server selects a Forcerenew Nonce for a client only during Request/ACK message exchange. The server records the Forcerenew nonce and transmits that nonce to the client in an Authentication option in the DHCP ACK message.

服务器仅在请求/确认消息交换期间为客户端选择Forcerenew Nonce。服务器记录Forcerenew nonce,并在DHCP ACK消息中的身份验证选项中将该nonce传输给客户端。

The server SHOULD NOT include the nonce in an ACK when responding to a renew unless a new nonce was generated. This minimizes the number of times the nonce is sent over the wire.

在响应续订时,服务器不应在ACK中包含nonce,除非生成了新的nonce。这可以最大限度地减少通过导线发送nonce的次数。

If the server to which the DHCP Request message was sent at time T1 has not responded, the client enters the REBINDING state and attempts to contact any server. The new Server receiving the DHCP message MUST generate a new nonce.

如果在T1时间向其发送DHCP请求消息的服务器没有响应,则客户端将进入重新绑定状态并尝试联系任何服务器。接收DHCP消息的新服务器必须生成新的nonce。

The Forcerenew nonce is 128 bits long, and it MUST be a cryptographically strong random or pseudo-random number that cannot easily be predicted. The nonce is embedded as a 128-bit value of the Authentication information where type is set to 1 (Forcerenew nonce Value).

Forcerenew nonce的长度为128位,必须是一个加密的强随机数或伪随机数,不容易预测。nonce作为身份验证信息的128位值嵌入,其中type设置为1(Forcerenew nonce value)。

To provide authentication for a Forcerenew message, the server selects a replay detection value according to the RDM selected by the server and computes an HMAC-MD5 of the Forcerenew message, based on the procedure specified in Section 21.5 of [RFC3315], using the Forcerenew Nonce for the client. The server computes the HMAC-MD5 over the entire DHCP Forcerenew message, including the Authentication option; the HMAC-MD5 field in the Authentication option is set to zero for the HMAC-MD5 computation

为了为Forcerenew消息提供身份验证,服务器根据服务器选择的RDM选择重播检测值,并根据[RFC3315]第21.5节中规定的过程,使用客户端的Forcerenew Nonce计算Forcerenew消息的HMAC-MD5。服务器通过整个DHCP Forcerenew消息(包括身份验证选项)计算HMAC-MD5;对于HMAC-MD5计算,身份验证选项中的HMAC-MD5字段设置为零

3.1.4. Client Considerations for Forcerenew Nonce Authentication
3.1.4. Forcerenew Nonce身份验证的客户端注意事项

A client that supports this mechanism MUST indicate Forcerenew nonce Capability by including the FORCERENEW_NONCE_CAPABLE (145) DHCP option defined in Section 3.1.1 in all DHCP Discover and Request messages. DHCP servers that support Forcerenew nonce Protocol authentication MUST include the FORCERENEW_NONCE_CAPABLE (145) DHCP option in all DHCP Offers, allowing the client to use this capability in selecting DHCP servers should multiple Offers arrive.

支持此机制的客户端必须通过在所有DHCP发现和请求消息中包含第3.1.1节中定义的Forcerenew_nonce_CAPABLE(145)DHCP选项来指示Forcerenew nonce功能。支持Forcerenew nonce协议身份验证的DHCP服务器必须在所有DHCP提供中包括Forcerenew nonce能力(145)DHCP选项,允许客户端在多个提供到达时使用此功能选择DHCP服务器。

The client MUST validate the DHCP ACK message contains a Forcerenew Nonce in a DHCP authentication option. If the server has indicated capability for Forcerenew Nonce Authentication protocol in the DHCP OFFER and the subsequent ACK received by the client while in the selecting state omits a valid DHCP authentication option for the

客户端必须验证DHCP ACK消息是否包含DHCP身份验证选项中的Forcerenew Nonce。如果服务器在DHCP提供中指示了Forcerenew Nonce身份验证协议的功能,并且客户端在处于选择状态时接收到的后续ACK将忽略该服务器的有效DHCP身份验证选项

Forcerenew Nonce Authentication protocol, the client MUST discard the message and return to the INIT state.

强制续订Nonce身份验证协议时,客户端必须放弃该消息并返回到INIT状态。

The client MUST record the Forcerenew Nonce from any valid ACK it receives, if the ACK contains one.

如果ACK包含一个有效ACK,则客户端必须从收到的任何有效ACK中记录Forcerenew Nonce。

To authenticate a Forcerenew message, the client computes an HMAC-MD5, based on the procedure specified in Section 21.5 of [RFC3315], over the DHCP Forcerenew message (after setting the HMAC-MD5 field in the Authentication option to zero), using the Forcerenew Nonce received from the server. If this computed HMAC-MD5 matches the value in the Authentication option, the client accepts the FORCERENEW message.

为了验证Forcerenew消息,客户端根据[RFC3315]第21.5节中指定的过程,通过DHCP Forcerenew消息计算HMAC-MD5(在将身份验证选项中的HMAC-MD5字段设置为零后),使用从服务器接收的Forcerenew Nonce。如果此计算的HMAC-MD5与身份验证选项中的值匹配,则客户端接受FORCERENEW消息。

4. IANA Considerations
4. IANA考虑

IANA has assigned the following new DHCPv4 option code from the registry "BOOTP Vendor Extensions and DHCP Options" maintained at http://www.iana.org/assignments/bootp-dhcp-parameters:

IANA已从位于的注册表“BOOTP供应商扩展和DHCP选项”中分配了以下新的DHCPv4选项代码http://www.iana.org/assignments/bootp-dhcp-parameters:

Tag: 145

标签:145

Name: FORCERENEW_NONCE_CAPABLE

名称:FORCERENEW\u NONCE\u-CAPABLE

Data length: 1

数据长度:1

Description: Forcerenew Nonce Capable

描述:Forcerenew Nonce支持

Reference: this document

参考:本文件

5. Security Considerations
5. 安全考虑

As in some network environments FORCERENEW can be used to snoop and spoof traffic, the FORCERENEW message MUST be authenticated using the procedures as described in [RFC3118] or the mechanism described in this document.

由于在某些网络环境中,FORCERENEW可用于监听和欺骗流量,因此必须使用[RFC3118]中所述的程序或本文档中所述的机制对FORCERENEW消息进行身份验证。

The mechanism in [RFC3315] for DHCPv6, which this document mirrors for DHCPv4, uses a nonce to prevent an off-link attacker from successfully triggering a renewal on a client by sending DHCPFORCERENEW; since the attacker is off-link, it doesn't have the nonce, and can't force a renewal.

用于DHCPv6的[RFC3315]中的机制(本文档针对DHCPv4对其进行了镜像)使用nonce来防止断开链接的攻击者通过发送DHCPFORCERENEW成功触发客户端上的续订;由于攻击者处于断开链接状态,因此它没有nonce,并且无法强制续订。

An on-link attacker can always simply watch the DHCP renewal message go out and respond to it, so this mechanism is useless for preventing on-link attacks; hence, the security of the nonce in the case of on-link attacks isn't relevant. Therefore, HMAC-MD5 is, by definition, adequate for the purpose, and there is no need for an extensible HMAC

链路上的攻击者总是可以简单地监视DHCP续订消息并对其作出响应,因此这种机制对于防止链路上的攻击毫无用处;因此,在链路攻击的情况下,nonce的安全性是不相关的。因此,根据定义,HMAC-MD5足以满足此目的,并且不需要可扩展的HMAC

mechanism. FORCERENEW messages failing the authentication should be silently discarded by the client.

机械装置未通过身份验证的FORCERENEW消息应由客户端自动丢弃。

5.1. Protocol Vulnerabilities
5.1. 协议漏洞

The mechanism described in this document is vulnerable to a denial-of-service (DoS) attack through flooding a client with bogus FORCERENEW messages. The calculations involved in authenticating the bogus FORECERENEW messages may overwhelm the device on which the client is running.

本文档中描述的机制容易受到拒绝服务(DoS)攻击,因为它会向客户端发送虚假的FORCERENEW消息。验证虚假FORECERENEW消息所涉及的计算可能会淹没运行客户端的设备。

The mechanism described provides protection against the use of a FORCERENEW message by a malicious DHCP server to mount a DoS or man-in-the-middle attack on a client. This protocol can be compromised by an attacker that can intercept the initial message in which the DHCP server sends the nonce to the client.

所述机制可防止恶意DHCP服务器使用FORCERENEW消息在客户端上装载DoS或中间人攻击。攻击者可以截获DHCP服务器向客户端发送nonce的初始消息,从而破坏该协议。

6. Acknowledgements
6. 致谢

This contribution is based on work by Vitali Vinokour. Major sections of this document use modified text from [RFC3315]. The authors wish to thank Ted Lemon, Matthew Ryan, and Bernie Volz for their support.

这一贡献基于Vitali Vinokour的工作。本文件的主要章节使用[RFC3315]中的修改文本。作者要感谢Ted Lemon、Matthew Ryan和Bernie Volz的支持。

7. Normative References
7. 规范性引用文件

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages", RFC 3118, June 2001.

[RFC3118]Droms,R.和W.Arbaugh,“DHCP消息的身份验证”,RFC31182001年6月。

[RFC3203] T'Joens, Y., Hublet, C., and P. De Schrijver, "DHCP reconfigure extension", RFC 3203, December 2001.

[RFC3203]T'Joens,Y.,Hublet,C.,和P.De Schrijver,“DHCP重新配置扩展”,RFC32032001年12月。

[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.

[RFC3315]Droms,R.,Bound,J.,Volz,B.,Lemon,T.,Perkins,C.,和M.Carney,“IPv6的动态主机配置协议(DHCPv6)”,RFC3315,2003年7月。

Authors' Addresses

作者地址

David Miles Google

大卫·迈尔斯谷歌

   EMail: davidmiles@google.com
        
   EMail: davidmiles@google.com
        

Wojciech Dec Cisco Systems Haarlerbergpark Haarlerbergweg 13-19 Amsterdam, NOORD-HOLLAND 1101 CH Netherlands

Wojciech Dec思科系统哈勒贝格公园哈勒贝格韦格13-19阿姆斯特丹,荷兰诺德1101 CH荷兰

   EMail: wdec@cisco.com
        
   EMail: wdec@cisco.com
        

James Bristow Swisscom Schweiz AG Zentweg 9 Bern, 3050, Switzerland

James Bristow Swisscom Schweiz AG Zentweg 9 Bern,3050,瑞士

   EMail: James.Bristow@swisscom.com
        
   EMail: James.Bristow@swisscom.com
        

Roberta Maglione Telecom Italia Via Reiss Romoli 274 Torino 10148 Italy

罗伯塔·马格里奥尼意大利电信公司Via Reiss Romoli 274都灵10148意大利

   EMail: roberta.maglione@telecomitalia.it
        
   EMail: roberta.maglione@telecomitalia.it