| rfc9445v2.txt | rfc9445.txt | |||
|---|---|---|---|---|
| skipping to change at line 302 ¶ | skipping to change at line 302 ¶ | |||
| (Section 8.4.2). | (Section 8.4.2). | |||
| The DHCPv4-Options Attribute is associated with the following | The DHCPv4-Options Attribute is associated with the following | |||
| identifier: 245.4. | identifier: 245.4. | |||
| 4. Passing RADIUS DHCP Options Attributes by DHCP Relay Agents to DHCP | 4. Passing RADIUS DHCP Options Attributes by DHCP Relay Agents to DHCP | |||
| Servers | Servers | |||
| 4.1. Context | 4.1. Context | |||
| The RADIUS Attributes suboption [RFC4014] enables a DHCPv4 relay | The RADIUS Attributes DHCP suboption [RFC4014] enables a DHCPv4 relay | |||
| agent to pass identification and authorization attributes received | agent to pass identification and authorization attributes received | |||
| during RADIUS authentication to a DHCPv4 server. However, [RFC4014] | during RADIUS authentication to a DHCPv4 server. However, [RFC4014] | |||
| defines a frozen set of RADIUS attributes that can be included in | defines a frozen set of RADIUS attributes that can be included in | |||
| such a suboption. This limitation is suboptimal in contexts where | such a suboption. This limitation is suboptimal in contexts where | |||
| new services are deployed (e.g., support of encrypted DNS [DNR]). | new services are deployed (e.g., support of encrypted DNS [DNR]). | |||
| Section 4.2 updates [RFC4014] by relaxing that constraint and | Section 4.2 updates [RFC4014] by relaxing that constraint and | |||
| allowing additional RADIUS attributes to be tagged as permitted in | allowing additional RADIUS attributes to be tagged as permitted in | |||
| the RADIUS Attributes DHCP suboption. The permitted attributes are | the RADIUS Attributes DHCP suboption. The permitted attributes are | |||
| registered in the new "RADIUS Attributes Permitted in RADIUS | registered in the new "RADIUS Attributes Permitted in RADIUS | |||
| Attributes Suboption" registry (Section 8.3). | Attributes DHCP Suboption" registry (Section 8.3). | |||
| 4.2. Updates to RFC 4014 | 4.2. Updates to RFC 4014 | |||
| 4.2.1. Section 3 of RFC 4014 | 4.2.1. Section 3 of RFC 4014 | |||
| This document updates Section 3 of [RFC4014] as follows: | This document updates Section 3 of [RFC4014] as follows: | |||
| OLD: | OLD: | |||
| | To avoid dependencies between the address allocation and other | | To avoid dependencies between the address allocation and other | |||
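Review bot: the rename in Section 4.1 from "RADIUS Attributes suboption" to "RADIUS Attributes DHCP suboption", and of the registry to "RADIUS Attributes Permitted in RADIUS Attributes DHCP Suboption", brings this paragraph in line with the unchanged sentence "the RADIUS Attributes DHCP suboption" later in the same paragraph and with the Section 8.3 heading, which already read "RADIUS Attributes DHCP Suboption" in both versions; the old text contradicted its own section title. Keep the new wording, and check that the registry name is spelled identically in every OLD/NEW block and table caption that quotes it, since this name is what relay agent and DHCP server implementers will look up.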
| skipping to change at line 344 ¶ | skipping to change at line 344 ¶ | |||
| | 26 Vendor-Specific (RFC 2865) | | 26 Vendor-Specific (RFC 2865) | |||
| | 27 Session-Timeout (RFC 2865) | | 27 Session-Timeout (RFC 2865) | |||
| | 88 Framed-Pool (RFC 2869) | | 88 Framed-Pool (RFC 2869) | |||
| | 100 Framed-IPv6-Pool (RFC 3162 [7]) | | 100 Framed-IPv6-Pool (RFC 3162 [7]) | |||
| NEW: | NEW: | |||
| | To avoid dependencies between the address allocation and other | | To avoid dependencies between the address allocation and other | |||
| | state information between the RADIUS server and the DHCP server, | | state information between the RADIUS server and the DHCP server, | |||
| | the DHCP relay agent SHOULD only include the attributes in the | | the DHCP relay agent SHOULD only include the attributes in the | |||
| | "RADIUS Attributes Permitted in RADIUS Attributes Suboption" | | "RADIUS Attributes Permitted in RADIUS Attributes DHCP Suboption" | |||
| | registry (Section 8.3 of [RFC9445]) in an instance of the RADIUS | | registry (Section 8.3 of [RFC9445]) in an instance of the RADIUS | |||
| | Attributes suboption. The DHCP relay agent may support a | | Attributes DHCP suboption. The DHCP relay agent may support a | |||
| | configuration parameter to control the attributes in a RADIUS | | configuration parameter to control the attributes in a RADIUS | |||
| | Attributes suboption. | | Attributes DHCP suboption. | |||
| 4.2.2. Section 4 of RFC 4014 | 4.2.2. Section 4 of RFC 4014 | |||
| This document updates Section 4 of [RFC4014] as follows: | This document updates Section 4 of [RFC4014] as follows: | |||
| OLD: | OLD: | |||
| | If the relay agent relays RADIUS attributes not included in the | | If the relay agent relays RADIUS attributes not included in the | |||
| | table in Section 4, the DHCP server SHOULD ignore them. | | table in Section 4, the DHCP server SHOULD ignore them. | |||
| NEW: | NEW: | |||
| | If the relay agent relays RADIUS attributes not included in the | | If the relay agent relays RADIUS attributes not included in the | |||
| | "RADIUS Attributes Permitted in RADIUS Attributes Suboption" | | "RADIUS Attributes Permitted in RADIUS Attributes DHCP Suboption" | |||
| | registry (Section 8.3 of [RFC9445]) and explicit configuration is | | registry (Section 8.3 of [RFC9445]) and explicit configuration is | |||
| | absent, the DHCP server SHOULD ignore them. | | absent, the DHCP server SHOULD ignore them. | |||
| 5. An Example: Applicability to Encrypted DNS Provisioning | 5. An Example: Applicability to Encrypted DNS Provisioning | |||
| Typical deployment scenarios are similar to those described, for | Typical deployment scenarios are similar to those described, for | |||
| instance, in Section 2 of [RFC6911]. For illustration purposes, | instance, in Section 2 of [RFC6911]. For illustration purposes, | |||
| Figure 1 shows an example where a Customer Premises Equipment (CPE) | Figure 1 shows an example where a Customer Premises Equipment (CPE) | |||
| is provided with an encrypted DNS resolver. This example assumes | is provided with an encrypted DNS resolver. This example assumes | |||
| that the Network Access Server (NAS) embeds both RADIUS client and | that the Network Access Server (NAS) embeds both RADIUS client and | |||
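Review bot: two points on the NEW text for RFC 4014. First, "The DHCP relay agent may support a configuration parameter to control the attributes in a RADIUS Attributes DHCP suboption" uses a lowercase "may" in a paragraph that otherwise relies on the capitalized "SHOULD"; if the permission is meant to be normative, write "MAY", otherwise rephrase so it does not read as an RFC 2119 keyword. Second, the Section 4 replacement "If the relay agent relays RADIUS attributes not included in the ... registry and explicit configuration is absent, the DHCP server SHOULD ignore them" leaves it implicit where that configuration lives; "explicit configuration on the DHCP server" would make clear that the default is to drop unregistered attributes and that only the server operator can widen what is accepted.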
| skipping to change at line 405 ¶ | skipping to change at line 405 ¶ | |||
| DHCPv6 RADIUS | DHCPv6 RADIUS | |||
| Figure 1: An Example of RADIUS IPv6 Encrypted DNS Exchange | Figure 1: An Example of RADIUS IPv6 Encrypted DNS Exchange | |||
| Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends | Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends | |||
| a RADIUS Access-Request message to the Authentication, Authorization, | a RADIUS Access-Request message to the Authentication, Authorization, | |||
| and Accounting (AAA) server. Once the AAA server receives the | and Accounting (AAA) server. Once the AAA server receives the | |||
| request, it replies with an Access-Accept message (possibly after | request, it replies with an Access-Accept message (possibly after | |||
| having sent a RADIUS Access-Challenge message and assuming the CPE is | having sent a RADIUS Access-Challenge message and assuming the CPE is | |||
| entitled to connect to the network) that carries a list of parameters | entitled to connect to the network) that carries a list of parameters | |||
| to be used for this session, and which include the encrypted DNS | to be used for this session, which includes the encrypted DNS | |||
| information. Such information is encoded as OPTION_V6_DNR (144) | information. Such information is encoded as OPTION_V6_DNR (144) | |||
| instances [DNR] in the RADIUS DHCPv6-Options Attribute. These | instances [DNR] in the RADIUS DHCPv6-Options Attribute. These | |||
| instances are then used by the NAS to complete the DHCPv6 procedure | instances are then used by the NAS to complete the DHCPv6 procedure | |||
| that the CPE initiated to retrieve information about the encrypted | that the CPE initiated to retrieve information about the encrypted | |||
| DNS service to use. The Discovery of Network-designated Resolvers | DNS service to use. The Discovery of Network-designated Resolvers | |||
| (DNR) procedure defined in [DNR] is then followed between the DHCPv6 | (DNR) procedure defined in [DNR] is then followed between the DHCPv6 | |||
| client and the DHCPv6 server. | client and the DHCPv6 server. | |||
| Should any encrypted DNS-related information (e.g., Authentication | Should any encrypted DNS-related information (e.g., Authentication | |||
| Domain Name (ADN) and IPv6 address) change, the RADIUS server sends a | Domain Name (ADN) and IPv6 address) change, the RADIUS server sends a | |||
| skipping to change at line 502 ¶ | skipping to change at line 502 ¶ | |||
| of [RFC7037] should be taken into account in deployments where DHCP | of [RFC7037] should be taken into account in deployments where DHCP | |||
| relay agents pass the DHCP*-Options Attributes to DHCP servers. | relay agents pass the DHCP*-Options Attributes to DHCP servers. | |||
| Additional considerations specific to the use of Reconfigure messages | Additional considerations specific to the use of Reconfigure messages | |||
| are discussed in Section 9 of [RFC6977]. | are discussed in Section 9 of [RFC6977]. | |||
| 7. Table of Attributes | 7. Table of Attributes | |||
| The following table provides a guide as to what type of RADIUS | The following table provides a guide as to what type of RADIUS | |||
| packets may contain these attributes and in what quantity. | packets may contain these attributes and in what quantity. | |||
| +================+=======+=======+===========+=====+================+ | +=============+=======+=========+===========+=====+================+ | |||
| | Access- |Access-|Access-| Challenge |# | Attribute | | | Access- |Access-| Access- | Challenge |# | Attribute | | |||
| | Request |Accept |Reject | | | | | | Request |Accept | Reject | | | | | |||
| +================+=======+=======+===========+=====+================+ | +=============+=======+=========+===========+=====+================+ | |||
| | 0+ |0+ |0 | 0 |245.3| DHCPv6-Options | | | 0+ |0+ | 0 | 0 |245.3| DHCPv6-Options | | |||
| +----------------+-------+-------+-----------+-----+----------------+ | +-------------+-------+---------+-----------+-----+----------------+ | |||
| | 0+ |0+ |0 | 0 |245.4| DHCPv4-Options | | | 0+ |0+ | 0 | 0 |245.4| DHCPv4-Options | | |||
| +================+=======+=======+===========+=====+================+ | +=============+=======+=========+===========+=====+================+ | |||
| | Acct.Request |CoA- |CoA-ACK| CoA-NACK |# | Attribute | | | Accounting- |CoA- | CoA-ACK | CoA-NACK |# | Attribute | | |||
| | |Request| | | | | | | Request |Request| | | | | | |||
| +================+=======+=======+===========+=====+================+ | +=============+=======+=========+===========+=====+================+ | |||
| | 0+ |0+ |0 | 0 |245.3| DHCPv6-Options | | | 0+ |0+ | 0 | 0 |245.3| DHCPv6-Options | | |||
| +----------------+-------+-------+-----------+-----+----------------+ | +-------------+-------+---------+-----------+-----+----------------+ | |||
| | 0+ |0+ |0 | 0 |245.4| DHCPv4-Options | | | 0+ |0+ | 0 | 0 |245.4| DHCPv4-Options | | |||
| +----------------+-------+-------+-----------+-----+----------------+ | +-------------+-------+---------+-----------+-----+----------------+ | |||
| Table 1: Table of Attributes | Table 1: Table of Attributes | |||
| Notation for Table 1: | Notation for Table 1: | |||
| 0 This attribute MUST NOT be present in packet. | 0 This attribute MUST NOT be present in packet. | |||
| 0+ Zero or more instances of this attribute MAY be present in | 0+ Zero or more instances of this attribute MAY be present in | |||
| packet. | packet. | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
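Review bot: the Table 1 rework is presentational only, and that is worth confirming in the change description: the 0+/0 values for 245.3 (DHCPv6-Options) and 245.4 (DHCPv4-Options) are identical in both versions across Access-Request, Access-Accept, Access-Reject, Challenge, Accounting-Request, CoA-Request, CoA-ACK and CoA-NACK. Spelling out "Accounting-Request" in place of "Acct.Request", split across two rows the same way "Access-|Request" is, also matches the packet names used in the notation below the table.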
| skipping to change at line 548 ¶ | skipping to change at line 548 ¶ | |||
| +-------+----------------+-----------+-----------+ | +-------+----------------+-----------+-----------+ | |||
| | 245.4 | DHCPv4-Options | string | RFC 9445 | | | 245.4 | DHCPv4-Options | string | RFC 9445 | | |||
| +-------+----------------+-----------+-----------+ | +-------+----------------+-----------+-----------+ | |||
| Table 2: New RADIUS Attributes | Table 2: New RADIUS Attributes | |||
| 8.2. New RADIUS Attribute Permitted in DHCPv6 RADIUS Option | 8.2. New RADIUS Attribute Permitted in DHCPv6 RADIUS Option | |||
| IANA has added the following entry to the "RADIUS Attributes | IANA has added the following entry to the "RADIUS Attributes | |||
| Permitted in DHCPv6 RADIUS Option" subregistry in the "Dynamic Host | Permitted in DHCPv6 RADIUS Option" subregistry in the "Dynamic Host | |||
| Configuration Protocol for IPv6 (DHCPv6)" registry [DHCP-RADIUS]: | Configuration Protocol for IPv6 (DHCPv6)" registry [DHCPv6]: | |||
| +===========+================+===========+ | +===========+================+===========+ | |||
| | Type Code | Attribute | Reference | | | Type Code | Attribute | Reference | | |||
| +===========+================+===========+ | +===========+================+===========+ | |||
| | 245.3 | DHCPv6-Options | RFC 9445 | | | 245.3 | DHCPv6-Options | RFC 9445 | | |||
| +-----------+----------------+-----------+ | +-----------+----------------+-----------+ | |||
| Table 3: New RADIUS Attribute | Table 3: New RADIUS Attribute | |||
| Permitted in DHCPv6 RADIUS Option | Permitted in DHCPv6 RADIUS Option | |||
| 8.3. RADIUS Attributes Permitted in RADIUS Attributes DHCP Suboption | 8.3. RADIUS Attributes Permitted in RADIUS Attributes DHCP Suboption | |||
| IANA has created a new subregistry entitled "RADIUS Attributes | IANA has created a new subregistry entitled "RADIUS Attributes | |||
| Permitted in RADIUS Attributes Suboption" in the "Dynamic Host | Permitted in RADIUS Attributes DHCP Suboption" in the "Dynamic Host | |||
| Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP) | Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP) | |||
| Parameters" registry [BOOTP]. | Parameters" registry [BOOTP]. | |||
| The allocation policy of this new subregistry is "Expert Review" | The allocation policy of this new subregistry is "Expert Review" | |||
| (Section 4.5 of [RFC8126]). Designated experts should carefully | (Section 4.5 of [RFC8126]). Designated experts should carefully | |||
| consider the security implications of allowing a relay agent to | consider the security implications of allowing a relay agent to | |||
| include new RADIUS attributes in this subregistry. Additional | include new RADIUS attributes in this subregistry. Additional | |||
| considerations are provided in Section 8.4.3. | considerations are provided in Section 8.4.3. | |||
| The initial contents of this subregistry are listed in Table 4. The | The initial contents of this subregistry are listed in Table 4. The | |||
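Review bot: the reference label in Section 8.2 changes from [DHCP-RADIUS] to [DHCPv6], but [DHCPv6] already existed as a label in the old version (it pointed at the "Option Codes" subregistry, see the old Table 5 text "echo those of [DHCPv6]"). Re-using a label with a different target changes the meaning of every pre-existing [DHCPv6] citation, so each occurrence needs to be checked rather than only the ones touched by this diff; the new Table 5 wording handles the one visible here, and the same label rename appears in Section 8.4.1.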
| skipping to change at line 596 ¶ | skipping to change at line 596 ¶ | |||
| +-----------+------------------+-----------+ | +-----------+------------------+-----------+ | |||
| | 88 | Framed-Pool | [RFC2869] | | | 88 | Framed-Pool | [RFC2869] | | |||
| +-----------+------------------+-----------+ | +-----------+------------------+-----------+ | |||
| | 100 | Framed-IPv6-Pool | [RFC3162] | | | 100 | Framed-IPv6-Pool | [RFC3162] | | |||
| +-----------+------------------+-----------+ | +-----------+------------------+-----------+ | |||
| | 245.4 | DHCPv4-Options | RFC 9445 | | | 245.4 | DHCPv4-Options | RFC 9445 | | |||
| +-----------+------------------+-----------+ | +-----------+------------------+-----------+ | |||
| Table 4: Initial Contents of RADIUS | Table 4: Initial Contents of RADIUS | |||
| Attributes Permitted in RADIUS | Attributes Permitted in RADIUS | |||
| Attributes Suboption Registry | Attributes DHCP Suboption Registry | |||
| 8.4. DHCP Options Permitted in the RADIUS DHCP*-Options Attributes | 8.4. DHCP Options Permitted in the RADIUS DHCP*-Options Attributes | |||
| 8.4.1. DHCPv6 | 8.4.1. DHCPv6 | |||
| IANA has created a new subregistry entitled "DHCPv6 Options Permitted | IANA has created a new subregistry entitled "DHCPv6 Options Permitted | |||
| in the RADIUS DHCPv6-Options Attribute" in the "Dynamic Host | in the RADIUS DHCPv6-Options Attribute" in the "Dynamic Host | |||
| Configuration Protocol for IPv6 (DHCPv6)" registry [DHCP-RADIUS]. | Configuration Protocol for IPv6 (DHCPv6)" registry [DHCPv6]. | |||
| The registration policy for this new subregistry is "Expert Review" | The registration policy for this new subregistry is "Expert Review" | |||
| (Section 4.5 of [RFC8126]). See more details in Section 8.4.3. | (Section 4.5 of [RFC8126]). See more details in Section 8.4.3. | |||
| The initial content of this subregistry is listed in Table 5. The | The initial content of this subregistry is listed in Table 5. The | |||
| Value and Description fields echo those of [DHCPv6]. The Reference | Value and Description fields echo those in the "Option Codes" | |||
| field includes the document that registers or specifies the option. | subregistry of [DHCPv6]. The Reference field includes the document | |||
| that registers or specifies the option. | ||||
| +=======+===============+===========+ | +=======+===============+===========+ | |||
| | Value | Description | Reference | | | Value | Description | Reference | | |||
| +=======+===============+===========+ | +=======+===============+===========+ | |||
| | 144 | OPTION_V6_DNR | RFC 9445 | | | 144 | OPTION_V6_DNR | RFC 9445 | | |||
| +-------+---------------+-----------+ | +-------+---------------+-----------+ | |||
| Table 5: Initial Content of | Table 5: Initial Content of | |||
| DHCPv6 Options Permitted in the | DHCPv6 Options Permitted in the | |||
| RADIUS DHCPv6-Options Attribute | RADIUS DHCPv6-Options Attribute | |||
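Review bot: naming the "Option Codes" subregistry explicitly in the Table 5 text ("echo those in the 'Option Codes' subregistry of [DHCPv6]") is the right fix for the label reuse noted above, and the Table 4 caption now matches the Section 8.3 registry name. One remaining style point: the Reference column of Table 5 lists RFC 9445 for OPTION_V6_DNR (144), while Section 5 attributes the option itself to [DNR]; the preceding sentence ("the document that registers or specifies the option") covers this, but citing [DNR] alongside RFC 9445 once that draft is published would save readers a lookup.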
| skipping to change at line 635 ¶ | skipping to change at line 636 ¶ | |||
| IANA has created a new subregistry entitled "DHCP Options Permitted | IANA has created a new subregistry entitled "DHCP Options Permitted | |||
| in the RADIUS DHCPv4-Options Attribute" in the "Dynamic Host | in the RADIUS DHCPv4-Options Attribute" in the "Dynamic Host | |||
| Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP) | Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP) | |||
| Parameters" registry [BOOTP]. | Parameters" registry [BOOTP]. | |||
| The registration policy for this new subregistry is Expert Review | The registration policy for this new subregistry is Expert Review | |||
| (Section 4.5 of [RFC8126]). See more details in Section 8.4.3. | (Section 4.5 of [RFC8126]). See more details in Section 8.4.3. | |||
| The initial content of this subregistry is listed in Table 6. The | The initial content of this subregistry is listed in Table 6. The | |||
| Tag and Name fields echo those of [BOOTP]. The Reference field | Tag and Name fields echo those in the "BOOTP Vendor Extensions and | |||
| includes the document that registers or specifies the option. | DHCP Options" subregistry of [BOOTP]. The Reference field includes | |||
| the document that registers or specifies the option. | ||||
| +=====+===============+===========+ | +=====+===============+===========+ | |||
| | Tag | Name | Reference | | | Tag | Name | Reference | | |||
| +=====+===============+===========+ | +=====+===============+===========+ | |||
| | 162 | OPTION_V4_DNR | RFC 9445 | | | 162 | OPTION_V4_DNR | RFC 9445 | | |||
| +-----+---------------+-----------+ | +-----+---------------+-----------+ | |||
| Table 6: Initial Content of | Table 6: Initial Content of | |||
| DHCPv4 Options Permitted in the | DHCPv4 Options Permitted in the | |||
| RADIUS DHCPv4-Options Attribute | RADIUS DHCPv4-Options Attribute | |||
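Review bot: two inconsistencies survive unchanged in Section 8.4.2. The subregistry is entitled "DHCP Options Permitted in the RADIUS DHCPv4-Options Attribute" but the Table 6 caption reads "DHCPv4 Options Permitted in the RADIUS DHCPv4-Options Attribute"; one of the two should be changed so the caption quotes the registered title. Also, "Expert Review" is unquoted here but quoted in Section 8.4.1 ("Expert Review" (Section 4.5 of [RFC8126])); pick one form for both subsections.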
| skipping to change at line 726 ¶ | skipping to change at line 728 ¶ | |||
| "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", | "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", | |||
| RFC 8415, DOI 10.17487/RFC8415, November 2018, | RFC 8415, DOI 10.17487/RFC8415, November 2018, | |||
| <https://www.rfc-editor.org/info/rfc8415>. | <https://www.rfc-editor.org/info/rfc8415>. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [BOOTP] IANA, "Dynamic Host Configuration Protocol (DHCP) and | [BOOTP] IANA, "Dynamic Host Configuration Protocol (DHCP) and | |||
| Bootstrap Protocol (BOOTP) Parameters", | Bootstrap Protocol (BOOTP) Parameters", | |||
| <https://www.iana.org/assignments/bootp-dhcp-parameters>. | <https://www.iana.org/assignments/bootp-dhcp-parameters>. | |||
| [DHCP-RADIUS] | [DHCPv6] IANA, "Dynamic Host Configuration Protocol for IPv6 | |||
| IANA, "Dynamic Host Configuration Protocol for IPv6 | ||||
| (DHCPv6)", | (DHCPv6)", | |||
| <https://www.iana.org/assignments/dhcpv6-parameters>. | <https://www.iana.org/assignments/dhcpv6-parameters>. | |||
| [DHCPv6] IANA, "Option Codes", | ||||
| <https://www.iana.org/assignments/dhcpv6-parameters>. | ||||
| [DNR] Boucadair, M., Ed., Reddy.K, T., Ed., Wing, D., Cook, N., | [DNR] Boucadair, M., Ed., Reddy.K, T., Ed., Wing, D., Cook, N., | |||
| and T. Jensen, "DHCP and Router Advertisement Options for | and T. Jensen, "DHCP and Router Advertisement Options for | |||
| the Discovery of Network-designated Resolvers (DNR)", Work | the Discovery of Network-designated Resolvers (DNR)", Work | |||
| in Progress, Internet-Draft, draft-ietf-add-dnr-16, 27 | in Progress, Internet-Draft, draft-ietf-add-dnr-16, 27 | |||
| April 2023, <https://datatracker.ietf.org/doc/html/draft- | April 2023, <https://datatracker.ietf.org/doc/html/draft- | |||
| ietf-add-dnr-16>. | ietf-add-dnr-16>. | |||
| [RADIUS-Types] | [RADIUS-Types] | |||
| IANA, "RADIUS Types", | IANA, "RADIUS Types", | |||
| <http://www.iana.org/assignments/radius-types>. | <http://www.iana.org/assignments/radius-types>. | |||
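Review bot: the reference changes are consistent with the body text: the [DHCP-RADIUS] entry is removed and [DHCPv6] now points at the "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" registry as a whole, which matches the updated citations in Sections 8.2 and 8.4.1, and the old [DHCPv6] "Option Codes" entry that would otherwise have been orphaned is dropped. Style point on an untouched line: [RADIUS-Types] uses an http:// URL while the other IANA entries ([BOOTP], [DHCPv6]) use https://; align it with the rest.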
| End of changes. 17 change blocks. | ||||
| 36 lines changed or deleted | 34 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||