Network Working Group                                          R. Droms
Internet-Draft                                            Cisco Systems
Expires: November 12, 2002                                 May 14, 2002

         DHCP Auto-configure Option (Option code 116) Deprecated
                  draft-droms-rfc2563-deprecate-00.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 12, 2002.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

1.  Introduction

   RFC2563 defines the DHCP Auto-configure option, which controls
   whether a DHCP client uses address auto-configuration.  Because of
   the potential threat of a denial of service attack, the use of
   RFC2563 is deprecated.

2.  Requirements

   The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be
   interpreted as described in RFC2119 [1].

Droms                   Expires November 12, 2002               [Page 1]

Internet-Draft     DHCP Auto-configure Option Deprecated        May 2002

3.  Deprecation of DHCP Auto-configure option

   RFC2563 [2] defines the Auto-configure option (option code 116) for
   DHCP [3].  This option is sent from a DHCP server to a DHCP client.
   When the option value is 0, the DHCP client does not perform address
   autoconfiguration.
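   The following is an added example, not part of this draft or of any
   DHCP implementation: a small parser for the options field of a DHCP
   server reply (code/length/value encoding per RFC 2131) with a check
   that reports the deprecated Auto-configure option (code 116, one-byte
   value, 0 meaning the client does not auto-configure, 1 meaning it
   does, per RFC 2563).  A client that logs offers, or a monitor on the
   link, can use such a check to notice a server that sends this option.
   The function names and the sample packets are constructed for the
   example.

```python
# Added example (not part of the draft): parse the options field of a DHCP
# reply and flag the deprecated Auto-configure option (code 116).
# Option layout follows RFC 2131 (code, length, value; 0 = pad, 255 = end)
# and RFC 2563 (option 116, length 1, value 0 = DoNotAutoConfigure,
# 1 = AutoConfigure).  The sample packets below are constructed by hand.
import struct
from typing import Dict, Optional

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"  # options field starts with this cookie
FIXED_HEADER_LEN = 236                     # BOOTP fixed header preceding the cookie
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_AUTO_CONFIGURE = 116                   # deprecated by this draft
BOOTREPLY = 2
DHCPOFFER = 2


def parse_dhcp_options(message: bytes) -> Dict[int, bytes]:
    """Return {option code: raw value} from a DHCP message.

    Skips PAD bytes, stops at the END option, and rejects truncated
    options instead of reading past the end of the buffer.
    """
    if len(message) < FIXED_HEADER_LEN + 4:
        raise ValueError("message shorter than BOOTP header plus magic cookie")
    if message[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options: Dict[int, bytes] = {}
    i = FIXED_HEADER_LEN + 4
    while i < len(message):
        code = message[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(message):
            raise ValueError("truncated option header at offset %d" % i)
        length = message[i + 1]
        value = message[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value for option %d" % code)
        options[code] = value
        i += 2 + length
    return options


def audit_auto_configure(message: bytes) -> Optional[str]:
    """Describe a deprecated option 116 in a server reply, or None if absent.

    A client that honours 116 = 0 will not fall back to address
    auto-configuration when no lease is offered, so a reply carrying the
    option is worth logging.
    """
    if message[0] != BOOTREPLY:
        return None  # only server-to-client messages carry option 116
    value = parse_dhcp_options(message).get(OPT_AUTO_CONFIGURE)
    if value is None:
        return None
    if len(value) != 1:
        return "option 116 present with invalid length %d (deprecated option)" % len(value)
    if value[0] == 0:
        return "option 116 = 0 (DoNotAutoConfigure): server disables address auto-configuration; deprecated option"
    if value[0] == 1:
        return "option 116 = 1 (AutoConfigure): deprecated option present"
    return "option 116 = %d: undefined value in deprecated option" % value[0]


def build_reply(options: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed BOOTREPLY: zeroed fixed header, magic cookie, given options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0, xid, 0, 0,          # op, htype, hlen, hops, xid, secs, flags
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,    # chaddr, sname, file
    )
    assert len(header) == FIXED_HEADER_LEN
    return header + DHCP_MAGIC_COOKIE + options


# Constructed samples: an OFFER carrying 116 = 0, and a plain OFFER.
OFFER_WITH_116 = build_reply(
    bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER, OPT_AUTO_CONFIGURE, 1, 0, OPT_END])
)
PLAIN_OFFER = build_reply(bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER, OPT_PAD, OPT_END]))

if __name__ == "__main__":
    for name, pkt in (("with_116", OFFER_WITH_116), ("plain", PLAIN_OFFER)):
        print(name, audit_auto_configure(pkt))
```

   The parser refuses truncated options rather than silently reading a
   short value, because an options field is attacker-controlled input on
   a link without server authentication.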
   Because DHCP does not enforce any authentication of servers, a DHCP
   server can mount a denial of service attack on DHCP clients.  A DHCP
   server on an isolated link with no attached routers can respond to
   DHCP clients with an Auto-configure option instructing the clients
   not to use address auto-configuration.  Those clients will then not
   have an IP address and not be able to exchange datagrams with other
   hosts on the same link.

   The DHC working group knows of no current or planned implementations
   of the DHCP Auto-configure option.  Representatives from several
   vendors of DHCP implementations have said that the DHCP
   Auto-configure option has no known application, presents an
   opportunity for a denial of service attack and that they will never
   consider implementing it.

4.  IANA Considerations

   IANA is asked to mark the DHCP Auto-configure option (option code
   116) as "Deprecated" in its reference list of DHCP options.

5.  Security considerations

   The DHCP Auto-configure option may be used to mount a denial of
   service attack on DHCP clients.  The use of the DHCP Auto-configure
   option is deprecated.

6.  Acknowledgments

   Stuart Cheshire, Bernard Aboba and Myron Hattig, among others, have
   noted the security threat posed by the DHCP Auto-configure option.

References

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [2]  Troll, R., "DHCP Option to Disable Stateless Auto-Configuration
        in IPv4 Clients", RFC 2563, May 1999.

   [3]  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
        March 1997.

Author's Address

   Ralph Droms
   Cisco Systems
   250 Apollo Drive
   Chelmsford, MA  01824
   USA

   Phone: +1 978 497 4733
   EMail: rdroms@cisco.com

Full Copyright Statement

   Copyright (C) The Internet Society (2002).  All Rights Reserved.
   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.