rfc9445.original   rfc9445.txt 
opsawg M. Boucadair Internet Engineering Task Force (IETF) M. Boucadair
Internet-Draft Orange Request for Comments: 9445 Orange
Updates: 4014 (if approved) T. Reddy Updates: 4014 T. Reddy.K
Intended status: Standards Track Nokia Category: Standards Track Nokia
Expires: 27 September 2023 A. DeKok ISSN: 2070-1721 A. DeKok
FreeRADIUS FreeRADIUS
26 March 2023 August 2023
RADIUS Extensions for DHCP Configured Services RADIUS Extensions for DHCP-Configured Services
draft-ietf-opsawg-add-encrypted-dns-12
Abstract Abstract
This document specifies two new Remote Authentication Dial-In User This document specifies two new Remote Authentication Dial-In User
Service (RADIUS) attributes that carry DHCP options. The Service (RADIUS) attributes that carry DHCP options. The
specification is generic and can be applicable to any service that specification is generic and can be applicable to any service that
relies upon DHCP. Both DHCPv4 and DHCPv6 configured services are relies upon DHCP. Both DHCPv4- and DHCPv6-configured services are
covered. covered.
Also, this document updates RFC 4014 by relaxing a constraint on Also, this document updates RFC 4014 by relaxing a constraint on
permitted RADIUS Attributes in the RADIUS Attributes DHCP suboption. permitted RADIUS attributes in the RADIUS Attributes DHCP suboption.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 27 September 2023. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9445.
Copyright Notice Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Please review these documents carefully, as they describe your rights carefully, as they describe your rights and restrictions with respect
and restrictions with respect to this document. Code Components to this document. Code Components extracted from this document must
extracted from this document must include Revised BSD License text as include Revised BSD License text as described in Section 4.e of the
described in Section 4.e of the Trust Legal Provisions and are Trust Legal Provisions and are provided without warranty as described
provided without warranty as described in the Revised BSD License. in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology
3. DHCP Options RADIUS Attributes . . . . . . . . . . . . . . . 4 3. RADIUS DHCP Options Attributes
3.1. DHCPv6-Options Attribute . . . . . . . . . . . . . . . . 5 3.1. DHCPv6-Options Attribute
3.2. DHCPv4-Options Attribute . . . . . . . . . . . . . . . . 6 3.2. DHCPv4-Options Attribute
4. Passing DHCP Options RADIUS Attributes by DHCP Relay Agents to 4. Passing RADIUS DHCP Options Attributes by DHCP Relay Agents to
DHCP Servers . . . . . . . . . . . . . . . . . . . . . . 7 DHCP Servers
4.1. Context . . . . . . . . . . . . . . . . . . . . . . . . . 7 4.1. Context
4.2. Updates to RFC 4014 . . . . . . . . . . . . . . . . . . . 7 4.2. Updates to RFC 4014
4.2.1. Section 3 of RFC 4014 . . . . . . . . . . . . . . . . 7 4.2.1. Section 3 of RFC 4014
4.2.2. Section 4 of RFC 4014 . . . . . . . . . . . . . . . . 8 4.2.2. Section 4 of RFC 4014
5. An Example: Applicability to Encrypted DNS Provisioning . . . 8 5. An Example: Applicability to Encrypted DNS Provisioning
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 6. Security Considerations
7. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 11 7. Table of Attributes
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 8. IANA Considerations
8.1. New RADIUS Attributes . . . . . . . . . . . . . . . . . . 12 8.1. New RADIUS Attributes
8.2. New RADIUS Attribute Permitted in DHCPv6 RADIUS Option . 12 8.2. New RADIUS Attribute Permitted in DHCPv6 RADIUS Option
8.3. RADIUS Attributes Permitted in RADIUS Attributes DHCP 8.3. RADIUS Attributes Permitted in RADIUS Attributes DHCP
Sub-option . . . . . . . . . . . . . . . . . . . . . . . 12 Suboption
8.4. DHCP Options Permitted in the RADIUS DHCP*-Options 8.4. DHCP Options Permitted in the RADIUS DHCP*-Options
Attribute . . . . . . . . . . . . . . . . . . . . . . . . 13 Attributes
8.4.1. DHCPv6 . . . . . . . . . . . . . . . . . . . . . . . 13 8.4.1. DHCPv6
8.4.2. DHCPv4 . . . . . . . . . . . . . . . . . . . . . . . 14 8.4.2. DHCPv4
8.4.3. Guidelines for the Designated Experts . . . . . . . . 14 8.4.3. Guidelines for the Designated Experts
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15 9. References
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 9.1. Normative References
10.1. Normative References . . . . . . . . . . . . . . . . . . 15 9.2. Informative References
10.2. Informative References . . . . . . . . . . . . . . . . . 16 Acknowledgements
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses
1. Introduction 1. Introduction
In the context of broadband services, Internet Service Providers In the context of broadband services, Internet Service Providers
(ISPs) usually provide DNS resolvers to their customers. To that (ISPs) usually provide DNS resolvers to their customers. To that
aim, ISPs deploy dedicated mechanisms (e.g., DHCP [RFC2132] aim, ISPs deploy dedicated mechanisms (e.g., DHCP [RFC2132] [RFC8415]
[RFC8415], IPv6 Router Advertisement [RFC4861]) to advertise a list and IPv6 Router Advertisement [RFC4861]) to advertise a list of DNS
of DNS recursive servers to their customers. Typically, the recursive servers to their customers. Typically, the information
information used to populate DHCP messages and/or IPv6 Router used to populate DHCP messages and/or IPv6 Router Advertisements
Advertisements relies upon specific Remote Authentication Dial-In relies upon specific Remote Authentication Dial-In User Service
User Service (RADIUS) [RFC2865] attributes, such as the DNS-Server- (RADIUS) [RFC2865] attributes, such as the DNS-Server-IPv6-Address
IPv6-Address Attribute specified in [RFC6911]. Attribute specified in [RFC6911].
With the advent of encrypted DNS (e.g., DNS-over-HTTPS (DoH) With the advent of encrypted DNS (e.g., DNS over HTTPS (DoH)
[RFC8484], DNS-over-TLS (DoT) [RFC7858], or DNS-over-QUIC (DoQ) [RFC8484], DNS over TLS (DoT) [RFC7858], or DNS over QUIC (DoQ)
[RFC9250]), additional means are required to provision hosts with [RFC9250]), additional means are required to provision hosts with
network-designated encrypted DNS. To fill that void, network-designated encrypted DNS. To fill that void, [DNR] leverages
[I-D.ietf-add-dnr] leverages existing protocols such as DHCP to existing protocols such as DHCP to provide hosts with the required
provide hosts with the required information to connect to an information to connect to an encrypted DNS resolver. However, there
encrypted DNS resolver. However, there are no RADIUS attributes that are no RADIUS attributes that can be used to populate the discovery
can be used to populate the discovery messages discussed in messages discussed in [DNR]. The same concern is likely to be
[I-D.ietf-add-dnr]. The same concern is likely to be encountered for encountered for future services that are configured using DHCP.
future services that are configured using DHCP.
This document specifies two new RADIUS attributes: DHCPv6-Options This document specifies two new RADIUS attributes: DHCPv6-Options
(Section 3.1) and DHCPv4-Options (Section 3.2) Attributes. These (Section 3.1) and DHCPv4-Options (Section 3.2). These attributes can
attributes can include DHCP options that are listed under the IANA include DHCP options that are listed in the "DHCPv6 Options Permitted
registries that are created in Sections 8.4.1 and 8.4.2. These two in the RADIUS DHCPv6-Options Attribute" registry (Section 8.4.1) and
attributes are specified in order to accommodate both IPv4 and IPv6 the "DHCP Options Permitted in the RADIUS DHCPv4-Options Attribute"
deployment contexts while taking into account the constraints in registry (Section 8.4.2). These two attributes are specified in
Section 3.4 of [RFC6158]. order to accommodate both IPv4 and IPv6 deployment contexts while
taking into account the constraints in Section 3.4 of [RFC6158].
The mechanism specified in this document is a generic mechanism and The mechanism specified in this document is a generic mechanism and
might be employed in network scenarios where the DHCP server and the might be employed in network scenarios where the DHCP server and the
RADIUS client are located in the same device. The new attributes can RADIUS client are located in the same device. The new attributes can
also be used in deployments that rely upon the mechanisms defined in also be used in deployments that rely upon the mechanisms defined in
[RFC4014] or [RFC7037], which allow a DHCP relay agent that is [RFC4014] or [RFC7037], which allow a DHCP relay agent that is
collocated with a RADIUS client to pass attributes obtained from a collocated with a RADIUS client to pass attributes obtained from a
RADIUS server to a DHCP server. However, an update to [RFC4014] is RADIUS server to a DHCP server. However, an update to [RFC4014] is
required so that a DHCP relay agent can pass the DHCPv4-Options required so that a DHCP relay agent can pass the DHCPv4-Options
Attribute obtained from a RADIUS server to a DHCP server (Section 4). Attribute obtained from a RADIUS server to a DHCP server (Section 4).
DHCP options that are included in the new RADIUS attributes can be DHCP options that are included in the new RADIUS attributes can be
controlled by a deployment specific policy. Discussing such a policy controlled by a deployment-specific policy. Discussing such a policy
is out of scope. is out of scope.
This document adheres to [RFC8044] for defining the new attributes. This document adheres to [RFC8044] for defining the new attributes.
A sample deployment usage of the DHCPv6-Options and DHCPv4-Options A sample deployment usage of the RADIUS DHCPv6-Options and
RADIUS attributes is described in Section 5. DHCPv4-Options Attributes is described in Section 5.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
This document makes use of the terms defined in [RFC2865], [RFC8415], This document makes use of the terms defined in [RFC2865], [RFC8415],
and [RFC8499]. The following additional terms are used: and [RFC8499]. The following additional terms are used:
DHCP: refers to both DHCPv4 [RFC2132] and DHCPv6 [RFC8415]. DHCP: refers to both DHCPv4 [RFC2132] and DHCPv6 [RFC8415].
Encrypted DNS: refers to a scheme where DNS exchanges are Encrypted DNS: refers to a scheme where DNS exchanges are
transported over an encrypted channel. Examples of encrypted DNS transported over an encrypted channel. Examples of encrypted DNS
are DoT, DoH, and DoQ. are DoT, DoH, and DoQ.
Encrypted DNS resolver: refers to a resolver (Section 6 of Encrypted DNS resolver: refers to a resolver (Section 6 of
[RFC8499]) that supports encrypted DNS. [RFC8499]) that supports encrypted DNS.
DHCP*-Options: refers to DHCPv4-Options and DHCPv6-Options DHCP*-Options: refers to the DHCPv4-Options and DHCPv6-Options
Attributes (Section 3). Attributes (Section 3).
3. DHCP Options RADIUS Attributes 3. RADIUS DHCP Options Attributes
This section specifies two new RADIUS attributes for RADIUS clients This section specifies two new RADIUS attributes for RADIUS clients
and servers to exchange DHCP-encoded data. This data is then used to and servers to exchange DHCP-encoded data. This data is then used to
feed the DHCP procedure between a DHCP client and a DHCP server. feed the DHCP procedure between a DHCP client and a DHCP server.
Both DHCPv4-Options and DHCPv6-Options Attributes use the "Long Both the DHCPv4-Options and DHCPv6-Options Attributes use the "Long
Extended Type" format (Section 2.2 of [RFC6929]). The description of Extended Type" format (Section 2.2 of [RFC6929]). The description of
the fields is provided in Sections 3.1 and 3.2. the fields is provided in Sections 3.1 and 3.2.
These attributes use the "Long Extended Type" format in order to These attributes use the "Long Extended Type" format in order to
permit the transport of attributes encapsulating more than 253 octets permit the transport of attributes encapsulating more than 253 octets
of data. DHCP options that can be included in the DHCP*-Options of data. DHCP options that can be included in the RADIUS DHCP*-
RADIUS attributes are limited by the maximum packet size of 4096 Options Attributes are limited by the maximum packet size of 4096
bytes (Section 3 of [RFC2865]). In order to accommodate deployments bytes (Section 3 of [RFC2865]). In order to accommodate deployments
with large DHCP options, RADIUS implementations are RECOMMENDED to with large DHCP options, RADIUS implementations are RECOMMENDED to
support a packet size up to 65535 bytes. Such a recommendation can support a packet size up to 65535 bytes. Such a recommendation can
be met if RADIUS implementations support a mechanism that relaxes the be met if RADIUS implementations support a mechanism that relaxes the
4096 bytes limit (e.g., [RFC7499] or [RFC7930]). limit of 4096 bytes (e.g., the mechanisms described in [RFC7499] or
[RFC7930]).
The value fields of DHCP*-Options Attributes are encoded in clear and The Value fields of the DHCP*-Options Attributes are encoded in the
not encrypted as, for example, Tunnel-Password Attribute [RFC2868]. clear and not encrypted like, for example, the Tunnel-Password
Attribute [RFC2868].
RADIUS implementations may support a configuration parameter to RADIUS implementations may support a configuration parameter to
control the DHCP options that can be included in a DHCP*-Options control the DHCP options that can be included in a RADIUS DHCP*-
RADIUS attribute. Likewise, DHCP server implementations may support Options Attribute. Likewise, DHCP server implementations may support
a configuration parameter to control the permitted DHCP options in a a configuration parameter to control the permitted DHCP options in a
DHCP*-Options RADIUS attribute. Absent explicit configuration, RADIUS DHCP*-Options Attribute. Absent explicit configuration,
RADIUS implementations and DHCP server implementations SHOULD ignore RADIUS implementations and DHCP server implementations SHOULD ignore
non-permitted DHCP options received in a DHCP*-Options RADIUS non-permitted DHCP options received in a RADIUS DHCP*-Options
attribute. Attribute.
RADIUS supplied data is specific configuration data that is returned RADIUS-supplied data is specific configuration data that is returned
as a function of authentication and authorization checks. As such, as a function of authentication and authorization checks. As such,
absent any explicit configuration on the DHCP server, RADIUS supplied absent any explicit configuration on the DHCP server, RADIUS-supplied
data by means of DHCP*-Options Attributes take precedence over any data by means of the DHCP*-Options Attributes take precedence over
local configuration. any local configuration.
These attributes are defined with globally unique names. The naming These attributes are defined with globally unique names. The naming
of the attributes follows the guidelines in Section 2.7.1 of of the attributes follows the guidelines in Section 2.7.1 of
[RFC6929]. Invalid attributes are handled as per Section 2.8 of [RFC6929]. Invalid attributes are handled as per Section 2.8 of
[RFC6929]. [RFC6929].
3.1. DHCPv6-Options Attribute 3.1. DHCPv6-Options Attribute
This attribute is of type "string" as defined in Section 3.5 of This attribute is of type "string" as defined in Section 3.5 of
[RFC8044]. [RFC8044].
skipping to change at page 5, line 38 skipping to change at line 224
The DHCPv6-Options Attribute MAY appear in a RADIUS Accounting- The DHCPv6-Options Attribute MAY appear in a RADIUS Accounting-
Request packet. Request packet.
The DHCPv6-Options Attribute MUST NOT appear in any other RADIUS The DHCPv6-Options Attribute MUST NOT appear in any other RADIUS
packet. packet.
The DHCPv6-Options Attribute is structured as follows: The DHCPv6-Options Attribute is structured as follows:
Type Type
245 245
Length Length
This field indicates the total length, in octets, of all fields of This field indicates the total length, in octets, of all fields of
this attribute, including the Type, Length, Extended-Type, and this attribute, including the Type, Length, Extended-Type, and
"Value". Value fields.
Extended-Type Extended-Type
3 (see Section 8.1)
TBA1 (see Section 8.1).
Value Value
This field contains a list of DHCPv6 options (Section 21 of This field contains a list of DHCPv6 options (Section 21 of
[RFC8415]). Multiple instances of the same DHCPv6 option MAY be [RFC8415]). Multiple instances of the same DHCPv6 option MAY be
included. If an option appears multiple times, each instance is included. If an option appears multiple times, each instance is
considered separate and the data areas of the options MUST NOT be considered separate, and the data areas of the options MUST NOT be
concatenated or otherwise combined. Consistent with Section 17 of concatenated or otherwise combined. Consistent with Section 17 of
[RFC7227], this document does not impose any option order when [RFC7227], this document does not impose any option order when
multiple options are present. multiple options are present.
Permitted DHCPv6 options in the DHCPv6-Options Attribute are The permitted DHCPv6 options are listed in the "DHCPv6 Options
maintained by IANA in the registry created in Section 8.4.1. Permitted in the RADIUS DHCPv6-Options Attribute" registry
(Section 8.4.1).
The DHCPv6-Options Attribute is associated with the following The DHCPv6-Options Attribute is associated with the following
identifier: 245.TBA1. identifier: 245.3.
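The handling that Sections 3 and 3.1 describe, as an added example (not code from the RFC or from any RADIUS or DHCP implementation): a receiver reassembles the 245.3 attribute, walks the DHCPv6 option list, keeps repeated instances separate, and ignores options outside a local allowlist. The function names, the allowlist snapshot and the option payloads are assumptions constructed for illustration; the fragment rules (flags octet, M bit, Length 255 on non-final fragments) are taken from RFC 6929 Section 2.2, not from this page.

```python
import struct

RADIUS_TYPE_LONG_EXT = 245   # Type field of DHCPv6-Options (from the page)
EXT_DHCPV6_OPTIONS = 3       # Extended-Type, i.e. identifier 245.3 (from the page)
OPTION_V6_DNR = 144          # named in Section 5 of the page
MAX_FRAGMENT_VALUE = 251     # 255 minus Type, Length, Extended-Type, flags

# Assumption: a local snapshot of the IANA registry of permitted DHCPv6
# options. Only OPTION_V6_DNR is named on the page.
PERMITTED_V6 = frozenset({OPTION_V6_DNR})


def encode_dhcpv6_options_attr(value: bytes) -> bytes:
    """Encode a DHCPv6 option list as one or more 245.3 fragments."""
    if not value:
        raise ValueError("Long Extended Type needs at least one value octet")
    chunks = [value[i:i + MAX_FRAGMENT_VALUE]
              for i in range(0, len(value), MAX_FRAGMENT_VALUE)]
    out = bytearray()
    for idx, chunk in enumerate(chunks):
        flags = 0x80 if idx < len(chunks) - 1 else 0x00   # M (More) bit
        out += bytes([RADIUS_TYPE_LONG_EXT, 4 + len(chunk),
                      EXT_DHCPV6_OPTIONS, flags]) + chunk
    return bytes(out)


def reassemble(attrs: bytes, ext_type: int = EXT_DHCPV6_OPTIONS) -> bytes:
    """Walk a RADIUS attribute list and rebuild the Value of 245.<ext_type>."""
    value, i, expecting_more = bytearray(), 0, False
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("attribute length runs past the packet")
        body = attrs[i + 2:i + alen]
        ours = (atype == RADIUS_TYPE_LONG_EXT and alen >= 5
                and body[0] == ext_type)
        if expecting_more and not ours:
            raise ValueError("fragment chain interrupted")
        if ours:
            more = bool(body[1] & 0x80)
            if more and alen != 255:
                raise ValueError("non-final fragment must have Length 255")
            value += body[2:]
            expecting_more = more
        i += alen
    if expecting_more:
        raise ValueError("final fragment still has the M bit set")
    return bytes(value)


def parse_dhcpv6_options(value: bytes) -> list:
    """Split a Value field into (option-code, option-data) instances."""
    options, i = [], 0
    while i < len(value):
        if i + 4 > len(value):
            raise ValueError("truncated DHCPv6 option header")
        code, length = struct.unpack_from("!HH", value, i)
        i += 4
        if i + length > len(value):
            raise ValueError("DHCPv6 option data runs past the Value field")
        options.append((code, value[i:i + length]))
        i += length
    return options


def split_by_policy(options, permitted=PERMITTED_V6):
    """Keep permitted instances as-is (never merged); list ignored codes."""
    accepted = [(code, data) for code, data in options if code in permitted]
    ignored = [code for code, _ in options if code not in permitted]
    return accepted, ignored


def _opt(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


# Constructed sample: two OPTION_V6_DNR instances with placeholder bodies
# (not valid DNR encodings) around option 23, which is not in PERMITTED_V6.
SAMPLE_VALUE = (_opt(OPTION_V6_DNR, b"A" * 200) + _opt(23, b"\x00" * 16)
                + _opt(OPTION_V6_DNR, b"B" * 100))
# Constructed attribute list: a User-Name attribute, then the 245.3 fragments.
PACKET_ATTRS = bytes([1, 5]) + b"cpe" + encode_dhcpv6_options_attr(SAMPLE_VALUE)


def demo():
    return split_by_policy(parse_dhcpv6_options(reassemble(PACKET_ATTRS)))


if __name__ == "__main__":
    accepted, ignored = demo()
    print("accepted:", [(c, len(d)) for c, d in accepted], "ignored:", ignored)
```

Because the Value field travels in the clear, the allowlist and the length checks are the receiver's own controls over what reaches the DHCPv6 server logic.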
3.2. DHCPv4-Options Attribute 3.2. DHCPv4-Options Attribute
This attribute is of type "string" as defined in Section 3.5 of This attribute is of type "string" as defined in Section 3.5 of
[RFC8044]. [RFC8044].
The DHCPv4-Options Attribute MAY appear in a RADIUS Access-Accept The DHCPv4-Options Attribute MAY appear in a RADIUS Access-Accept
packet. It MAY also appear in a RADIUS Access-Request packet as a packet. It MAY also appear in a RADIUS Access-Request packet as a
hint to the RADIUS server to indicate a preference. However, the hint to the RADIUS server to indicate a preference. However, the
server is not required to honor such a preference. server is not required to honor such a preference.
skipping to change at page 6, line 40 skipping to change at line 272
The DHCPv4-Options Attribute MAY appear in a RADIUS Accounting- The DHCPv4-Options Attribute MAY appear in a RADIUS Accounting-
Request packet. Request packet.
The DHCPv4-Options Attribute MUST NOT appear in any other RADIUS The DHCPv4-Options Attribute MUST NOT appear in any other RADIUS
packet. packet.
The DHCPv4-Options Attribute is structured as follows: The DHCPv4-Options Attribute is structured as follows:
Type Type
245 245
Length Length
This field indicates the total length, in octets, of all fields of This field indicates the total length, in octets, of all fields of
this attribute, including the Type, Length, Extended-Type, and this attribute, including the Type, Length, Extended-Type, and
"Value". Value fields.
Extended-Type Extended-Type
TBA2 (see Section 8.1). 4 (see Section 8.1)
Value Value
This field contains a list of DHCPv4 options. Multiple instances This field contains a list of DHCPv4 options. Multiple instances
of the same DHCPv4 option MAY be included, especially for of the same DHCPv4 option MAY be included, especially for
concatenation-requiring options that exceed the maximum DHCPv4 concatenation-requiring options that exceed the maximum DHCPv4
option size of 255 octets. The mechanism specified in [RFC3396] option size of 255 octets. The mechanism specified in [RFC3396]
MUST be used for splitting and concatenating the instances of a MUST be used for splitting and concatenating the instances of a
concatenation-requiring option. concatenation-requiring option.
Permitted DHCPv4 options in the DHCPv4-Options Attribute are The permitted DHCPv4 options are listed in the "DHCP Options
maintained by IANA in the registry created in Section 8.4.2. Permitted in the RADIUS DHCPv4-Options Attribute" registry
(Section 8.4.2).
The DHCPv4-Options Attribute is associated with the following The DHCPv4-Options Attribute is associated with the following
identifier: 245.TBA2. identifier: 245.4.
4. Passing DHCP Options RADIUS Attributes by DHCP Relay Agents to DHCP 4. Passing RADIUS DHCP Options Attributes by DHCP Relay Agents to DHCP
Servers Servers
4.1. Context 4.1. Context
The RADIUS Attributes suboption [RFC4014] enables a DHCPv4 relay The RADIUS Attributes DHCP suboption [RFC4014] enables a DHCPv4 relay
agent to pass identification and authorization attributes received agent to pass identification and authorization attributes received
during RADIUS authentication to a DHCPv4 server. However, [RFC4014] during RADIUS authentication to a DHCPv4 server. However, [RFC4014]
defines a frozen set of RADIUS attributes that can be included in defines a frozen set of RADIUS attributes that can be included in
such a suboption. This limitation is suboptimal in contexts where such a suboption. This limitation is suboptimal in contexts where
new services are deployed (e.g., support of encrypted DNS new services are deployed (e.g., support of encrypted DNS [DNR]).
[I-D.ietf-add-dnr]).
Section 4.2 updates [RFC4014] by relaxing that constraint and Section 4.2 updates [RFC4014] by relaxing that constraint and
allowing to tag additional RADIUS attributes as permitted in the allowing additional RADIUS attributes to be tagged as permitted in
RADIUS Attributes DHCP suboption. Section 8.3 creates a new IANA the RADIUS Attributes DHCP suboption. The permitted attributes are
registry to maintain the set of permitted attributes in the RADIUS registered in the new "RADIUS Attributes Permitted in RADIUS
Attributes DHCP suboption. Attributes DHCP Suboption" registry (Section 8.3).
4.2. Updates to RFC 4014 4.2. Updates to RFC 4014
4.2.1. Section 3 of RFC 4014 4.2.1. Section 3 of RFC 4014
This document updates Section 3 of [RFC4014] as follows: This document updates Section 3 of [RFC4014] as follows:
OLD: OLD:
To avoid dependencies between the address allocation and other | To avoid dependencies between the address allocation and other
state information between the RADIUS server and the DHCP server, | state information between the RADIUS server and the DHCP server,
the DHCP relay agent SHOULD include only the attributes in the | the DHCP relay agent SHOULD include only the attributes in the
table below in an instance of the RADIUS Attributes suboption. | table below in an instance of the RADIUS Attributes suboption.
The table, based on the analysis in RFC 3580 [8], lists attributes | The table, based on the analysis in RFC 3580 [8], lists attributes
that MAY be included: | that MAY be included:
|
# Attribute | # Attribute
--- --------- | --- ---------
1 User-Name (RFC 2865 [3]) | 1 User-Name (RFC 2865 [3])
6 Service-Type (RFC 2865) | 6 Service-Type (RFC 2865)
26 Vendor-Specific (RFC 2865) | 26 Vendor-Specific (RFC 2865)
27 Session-Timeout (RFC 2865) | 27 Session-Timeout (RFC 2865)
88 Framed-Pool (RFC 2869) | 88 Framed-Pool (RFC 2869)
100 Framed-IPv6-Pool (RFC 3162 [7]) | 100 Framed-IPv6-Pool (RFC 3162 [7])
NEW: NEW:
To avoid dependencies between the address allocation and other
state information between the RADIUS server and the DHCP server, | To avoid dependencies between the address allocation and other
the DHCP relay agent SHOULD include only the attributes in the | state information between the RADIUS server and the DHCP server,
IANA-maintained registry (Section 8.3 of [This-Document]) in an | the DHCP relay agent SHOULD only include the attributes in the
instance of the RADIUS Attributes suboption. The DHCP relay agent | "RADIUS Attributes Permitted in RADIUS Attributes DHCP Suboption"
may support a configuration parameter to control the attributes in | registry (Section 8.3 of [RFC9445]) in an instance of the RADIUS
a RADIUS Attributes suboption. | Attributes DHCP suboption. The DHCP relay agent may support a
| configuration parameter to control the attributes in a RADIUS
| Attributes DHCP suboption.
4.2.2. Section 4 of RFC 4014 4.2.2. Section 4 of RFC 4014
This document updates Section 4 of [RFC4014] as follows: This document updates Section 4 of [RFC4014] as follows:
OLD: OLD:
If the relay agent relays RADIUS attributes not included in the
table in Section 4, the DHCP server SHOULD ignore them. | If the relay agent relays RADIUS attributes not included in the
| table in Section 4, the DHCP server SHOULD ignore them.
NEW: NEW:
If the relay agent relays RADIUS attributes not included in the
IANA-maintained registry (Section 8.3 of [This-Document]), and | If the relay agent relays RADIUS attributes not included in the
absent explicit configuration, the DHCP server SHOULD ignore them. | "RADIUS Attributes Permitted in RADIUS Attributes DHCP Suboption"
| registry (Section 8.3 of [RFC9445]) and explicit configuration is
| absent, the DHCP server SHOULD ignore them.
5. An Example: Applicability to Encrypted DNS Provisioning 5. An Example: Applicability to Encrypted DNS Provisioning
Typical deployment scenarios are similar to those described, for Typical deployment scenarios are similar to those described, for
instance, in Section 2 of [RFC6911]. For illustration purposes, instance, in Section 2 of [RFC6911]. For illustration purposes,
Figure 1 shows an example where a Customer Premises Equipment (CPE) Figure 1 shows an example where a Customer Premises Equipment (CPE)
is provided with an encrypted DNS resolver. This example assumes is provided with an encrypted DNS resolver. This example assumes
that the Network Access Server (NAS) embeds both RADIUS client and that the Network Access Server (NAS) embeds both RADIUS client and
DHCPv6 server capabilities. DHCPv6 server capabilities.
+-------------+ +-------------+ +-------+ +-------------+ +-------------+ +-------+
| CPE | | NAS | | AAA | | CPE | | NAS | | AAA |
|DHCPv6 client| |DHCPv6 server| |Server | |DHCPv6 Client| |DHCPv6 Server| |Server |
| | |RADIUS client| | | | | |RADIUS Client| | |
+------+------+ +------+------+ +---+---+ +------+------+ +------+------+ +---+---+
| | | | | |
o-----DHCPv6 Solicit----->| | o-----DHCPv6 Solicit----->| |
| o----Access-Request ---->| | o----Access-Request ---->|
| | | | | |
| |<----Access-Accept------o | |<----Access-Accept------o
| | DHCPv6-Options | | | DHCPv6-Options |
|<----DHCPv6 Advertise----o (OPTION_V6_DNR) | |<----DHCPv6 Advertise----o (OPTION_V6_DNR) |
| (OPTION_V6_DNR) | | | (OPTION_V6_DNR) | |
| | | | | |
skipping to change at page 9, line 35 skipping to change at line 405
DHCPv6 RADIUS DHCPv6 RADIUS
Figure 1: An Example of RADIUS IPv6 Encrypted DNS Exchange Figure 1: An Example of RADIUS IPv6 Encrypted DNS Exchange
Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends
a RADIUS Access-Request message to the Authentication, Authorization, a RADIUS Access-Request message to the Authentication, Authorization,
and Accounting (AAA) server. Once the AAA server receives the and Accounting (AAA) server. Once the AAA server receives the
request, it replies with an Access-Accept message (possibly after request, it replies with an Access-Accept message (possibly after
having sent a RADIUS Access-Challenge message and assuming the CPE is having sent a RADIUS Access-Challenge message and assuming the CPE is
entitled to connect to the network) that carries a list of parameters entitled to connect to the network) that carries a list of parameters
to be used for this session, and which include the encrypted DNS to be used for this session, which includes the encrypted DNS
information. Such an information is encoded as OPTION_V6_DNR (144) information. Such information is encoded as OPTION_V6_DNR (144)
instances ([I-D.ietf-add-dnr]) in the DHCPv6-Options RADIUS instances [DNR] in the RADIUS DHCPv6-Options Attribute. These
attribute. These instances are then used by the NAS to complete the instances are then used by the NAS to complete the DHCPv6 procedure
DHCPv6 procedure that the CPE initiated to retrieve information about that the CPE initiated to retrieve information about the encrypted
the encrypted DNS service to use. The Discovery of Network- DNS service to use. The Discovery of Network-designated Resolvers
designated Resolvers (DNR) procedure defined in [I-D.ietf-add-dnr] is (DNR) procedure defined in [DNR] is then followed between the DHCPv6
then followed between the DHCPv6 client and the DHCPv6 server. client and the DHCPv6 server.
Should any encrypted DNS-related information (e.g., Authentication Should any encrypted DNS-related information (e.g., Authentication
Domain Name (ADN), IPv6 address) change, the RADIUS server sends a Domain Name (ADN) and IPv6 address) change, the RADIUS server sends a
RADIUS Change-of-Authorization (CoA) message [RFC5176] that carries RADIUS Change-of-Authorization (CoA) message [RFC5176] that carries
the DHCPv6-Options Attribute with the updated OPTION_V6_DNR the DHCPv6-Options Attribute with the updated OPTION_V6_DNR
information to the NAS. Once that message is received and validated information to the NAS. Once that message is received and validated
by the NAS, it replies with a RADIUS CoA ACK message. The NAS by the NAS, it replies with a RADIUS CoA ACK message. The NAS
replaces the old encrypted DNS resolver information with the new one replaces the old encrypted DNS resolver information with the new one
and sends a DHCPv6 Reconfigure message which leads the DHCPv6 client and sends a DHCPv6 Reconfigure message, which leads the DHCPv6 client
to initiate a Renew/Reply message exchange with the DHCPv6 server. to initiate a Renew/Reply message exchange with the DHCPv6 server.
In deployments where the NAS behaves as a DHCPv6 relay agent, the In deployments where the NAS behaves as a DHCPv6 relay agent, the
procedure discussed in Section 3 of [RFC7037] can be followed. To procedure discussed in Section 3 of [RFC7037] can be followed. To
that aim, Section 8.2 updates the "RADIUS Attributes Permitted in that aim, the "RADIUS Attributes Permitted in DHCPv6 RADIUS Option"
DHCPv6 RADIUS Option" registry ([DHCP-RADIUS]). CoA-Requests can be registry has been updated (Section 8.2). CoA-Requests can be used
used following the procedure specified in [RFC6977]. following the procedure specified in [RFC6977].
Figure 2 shows another example where a CPE is provided with an Figure 2 shows another example where a CPE is provided with an
encrypted DNS resolver, but the CPE uses DHCPv4 to retrieve its encrypted DNS resolver, but the CPE uses DHCPv4 to retrieve its
encrypted DNS resolver. encrypted DNS resolver.
+-------------+ +-------------+ +-------+ +-------------+ +-------------+ +-------+
| CPE | | NAS | | AAA | | CPE | | NAS | | AAA |
|DHCPv4 client| |DHCPv4 server| |Server | |DHCPv4 Client| |DHCPv4 Server| |Server |
| | |RADIUS client| | | | | |RADIUS Client| | |
+------+------+ +------+------+ +---+---+ +------+------+ +------+------+ +---+---+
| | | | | |
o------DHCPDISCOVER------>| | o------DHCPDISCOVER------>| |
| o----Access-Request ---->| | o----Access-Request ---->|
| | | | | |
| |<----Access-Accept------o | |<----Access-Accept------o
| | DHCPv4_Options | | | DHCPv4-Options |
|<-----DHCPOFFER----------o (OPTION_V4_DNR) | |<-----DHCPOFFER----------o (OPTION_V4_DNR) |
| (OPTION_V4_DNR) | | | (OPTION_V4_DNR) | |
| | | | | |
o-----DHCPREQUEST-------->| | o-----DHCPREQUEST-------->| |
| (OPTION_V4_DNR) | | | (OPTION_V4_DNR) | |
| | | | | |
|<-------DHCPACK----------o | |<-------DHCPACK----------o |
| (OPTION_V4_DNR) | | | (OPTION_V4_DNR) | |
| | | | | |
DHCPv4 RADIUS DHCPv4 RADIUS
Figure 2: An Example of RADIUS IPv4 Encrypted DNS Exchange Figure 2: An Example of RADIUS IPv4 Encrypted DNS Exchange
Other deployment scenarios can be envisaged, such as returning Other deployment scenarios can be envisaged, such as returning
customized service parameters (e.g., different DoH URI Templates) as customized service parameters (e.g., different DoH URI Templates) as
a function of the service/policies/preferences that are set by a a function of the service, policies, and preferences that are set by
network administrator. How an administrator indicates its a network administrator. How an administrator indicates its service,
service/policies/preferences to an AAA server is out of scope. policies, and preferences to an AAA server is out of scope.
6. Security Considerations 6. Security Considerations
RADIUS-related security considerations are discussed in [RFC2865]. RADIUS-related security considerations are discussed in [RFC2865].
DHCPv6-related security issues are discussed in Section 22 of DHCPv6-related security issues are discussed in Section 22 of
[RFC8415], while DHCPv4-related security issues are discussed in [RFC8415], while DHCPv4-related security issues are discussed in
Section 7 of [RFC2131]. Security considerations specific to the DHCP Section 7 of [RFC2131]. Security considerations specific to the DHCP
options that are carried in RADIUS are discussed in relevant options that are carried in RADIUS are discussed in relevant
documents that specify these options. For example, security documents that specify these options. For example, security
considerations (including traffic theft) are discussed in Section 7 considerations (including traffic theft) are discussed in Section 7
of [I-D.ietf-add-dnr]. of [DNR].
RADIUS servers have conventionally tolerated the input of arbitrary RADIUS servers have conventionally tolerated the input of arbitrary
data via the "string" data type (Section 3.5 of [RFC8044]). This data via the "string" data type (Section 3.5 of [RFC8044]). This
practice allows RADIUS servers to support newer standards without practice allows RADIUS servers to support newer standards without
software upgrades, by allowing administrators to manually create software upgrades, by allowing administrators to manually create
complex attribute content and, then, to pass that content to a RADIUS complex attribute content and then pass that content to a RADIUS
server as opaque strings. While this practice is useful, it is server as opaque strings. While this practice is useful, it is
RECOMMENDED that RADIUS servers that implement the present RECOMMENDED that RADIUS servers that implement the present
specification are updated to understand the format and encoding of specification are updated to understand the format and encoding of
DHCP options. Administrators can, thus, enter the DHCP options as DHCP options. Administrators can thus enter the DHCP options as
options instead of manually-encoded opaque strings. This options instead of manually encoded opaque strings. This
recommendation increases security and interoperability by ensuring recommendation increases security and interoperability by ensuring
that the options are encoded correctly. It also increases usability that the options are encoded correctly. It also increases usability
for administrators. for administrators.
The considerations discussed in Section 7 of [RFC4014] and Section 8 The considerations discussed in Section 7 of [RFC4014] and Section 8
of [RFC7037] should be taken into account in deployments where DHCP of [RFC7037] should be taken into account in deployments where DHCP
relay agents pass the DHCP*-Options Attributes to DHCP servers. relay agents pass the DHCP*-Options Attributes to DHCP servers.
Additional considerations specific to the use of Reconfigure messages Additional considerations specific to the use of Reconfigure messages
are discussed in Section 9 of [RFC6977]. are discussed in Section 9 of [RFC6977].
7. Table of Attributes 7. Table of Attributes
The following table provides a guide as what type of RADIUS packets The following table provides a guide as to what type of RADIUS
that may contain these attributes, and in what quantity. packets may contain these attributes and in what quantity.
Access- Access- Access- Challenge Acct. # Attribute +=============+=======+=========+===========+=====+================+
Request Accept Reject Request | Access- |Access-| Access- | Challenge |# | Attribute |
0+ 0+ 0 0 0+ 245.TBA1 DHCPv6-Options | Request |Accept | Reject | | | |
0+ 0+ 0 0 0+ 245.TBA2 DHCPv4-Options +=============+=======+=========+===========+=====+================+
| 0+ |0+ | 0 | 0 |245.3| DHCPv6-Options |
+-------------+-------+---------+-----------+-----+----------------+
| 0+ |0+ | 0 | 0 |245.4| DHCPv4-Options |
+=============+=======+=========+===========+=====+================+
| Accounting- |CoA- | CoA-ACK | CoA-NACK |# | Attribute |
| Request |Request| | | | |
+=============+=======+=========+===========+=====+================+
| 0+ |0+ | 0 | 0 |245.3| DHCPv6-Options |
+-------------+-------+---------+-----------+-----+----------------+
| 0+ |0+ | 0 | 0 |245.4| DHCPv4-Options |
+-------------+-------+---------+-----------+-----+----------------+
CoA-Request CoA-ACK CoA-NACK # Attribute Table 1: Table of Attributes
0+ 0 0 245.TBA1 DHCPv6-Options
0+ 0 0 245.TBA2 DHCPv4-Options
The following table defines the meaning of the above table entries: Notation for Table 1:
0 This attribute MUST NOT be present in packet. 0 This attribute MUST NOT be present in packet.
0+ Zero or more instances of this attribute MAY be present in packet.
0+ Zero or more instances of this attribute MAY be present in
packet.
8. IANA Considerations 8. IANA Considerations
8.1. New RADIUS Attributes 8.1. New RADIUS Attributes
IANA is requested to assign two new RADIUS attribute types from the IANA has assigned two new RADIUS attribute types in the "Radius
IANA registry "Radius Attribute Types" [RADIUS-Types]: Attribute Types" [RADIUS-Types] registry:
+==========+================+===========+===============+ +=======+================+===========+===========+
| Value | Description | Data Type | Reference | | Value | Description | Data Type | Reference |
+==========+================+===========+===============+ +=======+================+===========+===========+
| 245.TBA1 | DHCPv6-Options | string | This-Document | | 245.3 | DHCPv6-Options | string | RFC 9445 |
+----------+----------------+-----------+---------------+ +-------+----------------+-----------+-----------+
| 245.TBA2 | DHCPv4-Options | string | This-Document | | 245.4 | DHCPv4-Options | string | RFC 9445 |
+----------+----------------+-----------+---------------+ +-------+----------------+-----------+-----------+
Table 1: New RADIUS Attributes Table 2: New RADIUS Attributes
8.2. New RADIUS Attribute Permitted in DHCPv6 RADIUS Option 8.2. New RADIUS Attribute Permitted in DHCPv6 RADIUS Option
IANA is requested to add the following entry to the "RADIUS IANA has added the following entry to the "RADIUS Attributes
Attributes Permitted in DHCPv6 RADIUS Option" subregistry in the Permitted in DHCPv6 RADIUS Option" subregistry in the "Dynamic Host
"Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" registry Configuration Protocol for IPv6 (DHCPv6)" registry [DHCPv6]:
[DHCP-RADIUS]:
+===========+================+===============+ +===========+================+===========+
| Type Code | Attribute | Reference | | Type Code | Attribute | Reference |
+===========+================+===============+ +===========+================+===========+
| 245.TBA1 | DHCPv6-Options | This-Document | | 245.3 | DHCPv6-Options | RFC 9445 |
+-----------+----------------+---------------+ +-----------+----------------+-----------+
Table 2: New RADIUS Attribute Permitted in Table 3: New RADIUS Attribute
DHCPv6 RADIUS Option Permitted in DHCPv6 RADIUS Option
8.3. RADIUS Attributes Permitted in RADIUS Attributes DHCP Sub-option 8.3. RADIUS Attributes Permitted in RADIUS Attributes DHCP Suboption
IANA is requested to create a new sub-registry entitled "RADIUS IANA has created a new subregistry entitled "RADIUS Attributes
Attributes Permitted in RADIUS Attributes Sub-option" in the "Dynamic Permitted in RADIUS Attributes DHCP Suboption" in the "Dynamic Host
Host Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP) Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP)
Parameters" registry [BOOTP]. Parameters" registry [BOOTP].
The allocation policy of this new sub-registry is Expert Review The allocation policy of this new subregistry is "Expert Review"
(Section 4.5 of [RFC8126]). Designated experts should carefully (Section 4.5 of [RFC8126]). Designated experts should carefully
consider the security implications of allowing the relay agent to consider the security implications of allowing a relay agent to
include new RADIUS attributes to this registry. Additional include new RADIUS attributes in this subregistry. Additional
considerations are provided in Section 8.4.3. considerations are provided in Section 8.4.3.
The initial content of this sub-registry is listed in Table 3. The The initial contents of this subregistry are listed in Table 4. The
reference may include the document that registers or specifies the Reference field includes the document that registers or specifies the
Attribute. attribute.
+===========+==================+===============+ +===========+==================+===========+
| Type Code | Attribute | Reference | | Type Code | Attribute | Reference |
+===========+==================+===============+ +===========+==================+===========+
| 1 | User-Name | [RFC2865] | | 1 | User-Name | [RFC2865] |
+-----------+------------------+---------------+ +-----------+------------------+-----------+
| 6 | Service-Type | [RFC2865] | | 6 | Service-Type | [RFC2865] |
+-----------+------------------+---------------+ +-----------+------------------+-----------+
| 26 | Vendor-Specific | [RFC2865] | | 26 | Vendor-Specific | [RFC2865] |
+-----------+------------------+---------------+ +-----------+------------------+-----------+
| 27 | Session-Timeout | [RFC2865] | | 27 | Session-Timeout | [RFC2865] |
+-----------+------------------+---------------+ +-----------+------------------+-----------+
| 88 | Framed-Pool | [RFC2869] | | 88 | Framed-Pool | [RFC2869] |
+-----------+------------------+---------------+ +-----------+------------------+-----------+
| 100 | Framed-IPv6-Pool | [RFC3162] | | 100 | Framed-IPv6-Pool | [RFC3162] |
+-----------+------------------+---------------+ +-----------+------------------+-----------+
| 245.TBA2 | DHCPv4-Options | This-Document | | 245.4 | DHCPv4-Options | RFC 9445 |
+-----------+------------------+---------------+ +-----------+------------------+-----------+
Table 3: RADIUS Attributes Permitted in Table 4: Initial Contents of RADIUS
RADIUS Attributes DHCP Suboption Attributes Permitted in RADIUS
Attributes DHCP Suboption Registry
8.4. DHCP Options Permitted in the RADIUS DHCP*-Options Attribute 8.4. DHCP Options Permitted in the RADIUS DHCP*-Options Attributes
8.4.1. DHCPv6 8.4.1. DHCPv6
IANA is requested to create a new sub-registry entitled "DHCPv6 IANA has created a new subregistry entitled "DHCPv6 Options Permitted
Options Permitted in the RADIUS DHCPv6-Options Attribute" in the in the RADIUS DHCPv6-Options Attribute" in the "Dynamic Host
"Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" registry Configuration Protocol for IPv6 (DHCPv6)" registry [DHCPv6].
[DHCP-RADIUS].
The registration policy for this new sub-registry is Expert Review The registration policy for this new subregistry is "Expert Review"
(Section 4.5 of [RFC8126]). See more details in Section 8.4.3. (Section 4.5 of [RFC8126]). See more details in Section 8.4.3.
The initial content of this sub-registry is listed in Table 4. The The initial content of this subregistry is listed in Table 5. The
Value and Description fields echo those of [DHCPv6]. The reference Value and Description fields echo those in the "Option Codes"
may include the document that registers the option or the document subregistry of [DHCPv6]. The Reference field includes the document
that specifies the option. that registers or specifies the option.
+=======+===============+===============+ +=======+===============+===========+
| Value | Description | Reference | | Value | Description | Reference |
+=======+===============+===============+ +=======+===============+===========+
| 144 | OPTION_V6_DNR | This-Document | | 144 | OPTION_V6_DNR | RFC 9445 |
+-------+---------------+---------------+ +-------+---------------+-----------+
Table 4: Initial DHCPv6 Options Table 5: Initial Content of
Permitted in the RADIUS DHCPv6 Options Permitted in the
DHCPv6-Options Attribute RADIUS DHCPv6-Options Attribute
Registry
8.4.2. DHCPv4 8.4.2. DHCPv4
IANA is requested to create a new sub-registry entitled "DHCP Options IANA has created a new subregistry entitled "DHCP Options Permitted
Permitted in the RADIUS DHCPv4-Options Attribute" in the "Dynamic in the RADIUS DHCPv4-Options Attribute" in the "Dynamic Host
Host Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP) Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP)
Parameters" registry [BOOTP]. Parameters" registry [BOOTP].
The registration policy for this new sub-registry is Expert Review The registration policy for this new subregistry is Expert Review
(Section 4.5 of [RFC8126]). See more details in Section 8.4.3. (Section 4.5 of [RFC8126]). See more details in Section 8.4.3.
The initial content of this sub-registry is listed in Table 5. The The initial content of this subregistry is listed in Table 6. The
Tag and Name fields echo those of [BOOTP]. The reference may include Tag and Name fields echo those in the "BOOTP Vendor Extensions and
the document that registers the option or the document that specifies DHCP Options" subregistry of [BOOTP]. The Reference field includes
the option. the document that registers or specifies the option.
+=====+===============+===============+ +=====+===============+===========+
| Tag | Name | Reference | | Tag | Name | Reference |
+=====+===============+===============+ +=====+===============+===========+
| 162 | OPTION_V4_DNR | This-Document | | 162 | OPTION_V4_DNR | RFC 9445 |
+-----+---------------+---------------+ +-----+---------------+-----------+
Table 5: Initial DHCPv4 Options Table 6: Initial Content of
Permitted in the RADIUS DHCPv4 Options Permitted in the
DHCPv4-Options Attribute RADIUS DHCPv4-Options Attribute
Registry
8.4.3. Guidelines for the Designated Experts 8.4.3. Guidelines for the Designated Experts
It is suggested that multiple designated experts be appointed for It is suggested that multiple designated experts be appointed for
registry change requests. registry change requests.
Criteria that should be applied by the designated experts include Criteria that should be applied by the designated experts include
determining whether the proposed registration duplicates existing determining whether the proposed registration duplicates existing
entries and whether the registration description is clear and fits entries and whether the registration description is clear and fits
the purpose of this registry. the purpose of this registry.
Registration requests are to be sent to radius-dhcp-review@ietf.org Registration requests are to be sent to <radius-dhcp-review@ietf.org>
and are evaluated within a three-week review period on the advice of and are evaluated within a three-week review period on the advice of
one or more designated experts. Within the review period, the one or more designated experts. Within the review period, the
designated experts will either approve or deny the registration designated experts will either approve or deny the registration
request, communicating this decision to the review list and IANA. request, communicating this decision to the review list and IANA.
Denials should include an explanation and, if applicable, suggestions Denials should include an explanation and, if applicable, suggestions
as to how to make the request successful. as to how to make the request successful.
9. Acknowledgements 9. References
Thanks to Christian Jacquenet, Neil Cook, Joe Clarke, Qin Wu, Dirk
von-Hugo, Tom Petch, and Chongfeng Xie for the review and
suggestions.
Thanks to Ben Schwartz and Bernie Volz for the comments.
Thanks to Rob Wilton for the careful AD review.
Thanks to Ralf Weber for the dnsdir reviews, Robert Sparks for genart
review, and Tatuya Jinmei for the int-dir review.
Thanks to Eric Vyncke, Paul Wouters, and Warren Kumari for the IESG
review.
10. References
10.1. Normative References 9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", "Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, DOI 10.17487/RFC2865, June 2000, RFC 2865, DOI 10.17487/RFC2865, June 2000,
<https://www.rfc-editor.org/info/rfc2865>. <https://www.rfc-editor.org/info/rfc2865>.
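Review bot: Section 8.4.2 in the new text states the policy as Expert Review without quotation marks, while the new text of Sections 8.3 and 8.4.1 writes it as "Expert Review"; quote it in 8.4.2 as well so the three registry definitions read the same. The same revision also says "initial contents ... are listed" for Table 4 but "initial content ... is listed" for Tables 5 and 6, and the table captions follow the same split ("Initial Contents of" against "Initial Content of"); settle on one form. In Section 6, "it is RECOMMENDED that RADIUS servers ... are updated" is unchanged on both sides and would read better as "be updated".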
skipping to change at page 16, line 33 skipping to change at line 722
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8415] Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A., [RFC8415] Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A.,
Richardson, M., Jiang, S., Lemon, T., and T. Winters, Richardson, M., Jiang, S., Lemon, T., and T. Winters,
"Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
RFC 8415, DOI 10.17487/RFC8415, November 2018, RFC 8415, DOI 10.17487/RFC8415, November 2018,
<https://www.rfc-editor.org/info/rfc8415>. <https://www.rfc-editor.org/info/rfc8415>.
10.2. Informative References 9.2. Informative References
[BOOTP] IANA, "Dynamic Host Configuration Protocol (DHCP) and [BOOTP] IANA, "Dynamic Host Configuration Protocol (DHCP) and
Bootstrap Protocol (BOOTP) Parameters", Bootstrap Protocol (BOOTP) Parameters",
<https://www.iana.org/assignments/bootp-dhcp-parameters/ <https://www.iana.org/assignments/bootp-dhcp-parameters>.
bootp-dhcp-parameters.xhtml>.
[DHCP-RADIUS]
IANA, "Dynamic Host Configuration Protocol for IPv6
(DHCPv6)", <https://www.iana.org/assignments/dhcpv6-
parameters/dhcpv6-parameters.xhtml>.
[DHCPv6] IANA, "Dynamic Host Configuration Protocol for IPv6 [DHCPv6] IANA, "Dynamic Host Configuration Protocol for IPv6
(DHCPv6), Option Codes", (DHCPv6)",
<https://www.iana.org/assignments/dhcpv6-parameters/ <https://www.iana.org/assignments/dhcpv6-parameters>.
dhcpv6-parameters.xhtml#dhcpv6-parameters-2>.
[I-D.ietf-add-dnr] [DNR] Boucadair, M., Ed., Reddy.K, T., Ed., Wing, D., Cook, N.,
Boucadair, M., Reddy.K, T., Wing, D., Cook, N., and T. and T. Jensen, "DHCP and Router Advertisement Options for
Jensen, "DHCP and Router Advertisement Options for the the Discovery of Network-designated Resolvers (DNR)", Work
Discovery of Network-designated Resolvers (DNR)", Work in in Progress, Internet-Draft, draft-ietf-add-dnr-16, 27
Progress, Internet-Draft, draft-ietf-add-dnr-14, 13 March April 2023, <https://datatracker.ietf.org/doc/html/draft-
2023, <https://datatracker.ietf.org/doc/html/draft-ietf- ietf-add-dnr-16>.
add-dnr-14>.
[RADIUS-Types] [RADIUS-Types]
IANA, "RADIUS Types", IANA, "RADIUS Types",
<http://www.iana.org/assignments/radius-types>. <http://www.iana.org/assignments/radius-types>.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", [RFC2131] Droms, R., "Dynamic Host Configuration Protocol",
RFC 2131, DOI 10.17487/RFC2131, March 1997, RFC 2131, DOI 10.17487/RFC2131, March 1997,
<https://www.rfc-editor.org/info/rfc2131>. <https://www.rfc-editor.org/info/rfc2131>.
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
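Review bot: The [DNR] entry in the Informative References is still a Work in Progress citation (moved from draft-ietf-add-dnr-14 to draft-ietf-add-dnr-16), yet Section 6 sends readers to "Section 7 of [DNR]" for the traffic-theft considerations; a section number in an unpublished draft can shift between revisions, so confirm that Section 7 of revision 16 is still the security considerations section. Separately, [RADIUS-Types] keeps an http:// URL on both sides while the [BOOTP] and [DHCPv6] entries rewritten in the same block use https://; change it to https for consistency.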
skipping to change at page 18, line 47 skipping to change at line 822
[RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS [RFC8499] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS
Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499, Terminology", BCP 219, RFC 8499, DOI 10.17487/RFC8499,
January 2019, <https://www.rfc-editor.org/info/rfc8499>. January 2019, <https://www.rfc-editor.org/info/rfc8499>.
[RFC9250] Huitema, C., Dickinson, S., and A. Mankin, "DNS over [RFC9250] Huitema, C., Dickinson, S., and A. Mankin, "DNS over
Dedicated QUIC Connections", RFC 9250, Dedicated QUIC Connections", RFC 9250,
DOI 10.17487/RFC9250, May 2022, DOI 10.17487/RFC9250, May 2022,
<https://www.rfc-editor.org/info/rfc9250>. <https://www.rfc-editor.org/info/rfc9250>.
Acknowledgements
Thanks to Christian Jacquenet, Neil Cook, Joe Clarke, Qin Wu, Dirk
von-Hugo, Tom Petch, and Chongfeng Xie for the review and
suggestions.
Thanks to Ben Schwartz and Bernie Volz for the comments.
Thanks to Rob Wilton for the careful AD review.
Thanks to Ralf Weber for the dnsdir reviews, Robert Sparks for the
genart review, and Tatuya Jinmei for the intdir review.
Thanks to Éric Vyncke, Paul Wouters, and Warren Kumari for the IESG
review.
Authors' Addresses Authors' Addresses
Mohamed Boucadair Mohamed Boucadair
Orange Orange
35000 Rennes 35000 Rennes
France France
Email: mohamed.boucadair@orange.com Email: mohamed.boucadair@orange.com
Tirumaleswar Reddy Tirumaleswar Reddy.K
Nokia Nokia
India India
Email: kondtir@gmail.com Email: kondtir@gmail.com
Alan DeKok Alan DeKok
FreeRADIUS FreeRADIUS
Email: aland@freeradius.org Email: aland@freeradius.org
 End of changes. 102 change blocks. 
312 lines changed or deleted 315 lines changed or added

This html diff was produced by rfcdiff 1.48.