Network Working GroupS. Drach
Request for Comments: 2485Sun Microsystems, Inc.
Category: Standards TrackJanuary 1999

DHCP Option for The Open Group's User Authentication Protocol

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the “Internet Official Protocol Standards” (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright © The Internet Society (1999). All Rights Reserved.


This document defines a DHCP [RFC2131] (Droms, R., “Dynamic Host Configuration Protocol,” March 1997.) option that contains a list of pointers to User Authentication Protocol servers that provide user authentication services for clients that conform to The Open Group Network Computing Client Technical Standard [_XREF_2] (The Open Group, “Technical Standard: Network Computing Client,” October 1998.).


Table of Contents

1.  User Authentication Protocol Option
2.  Security Considerations
3.  References
§  Author's Address
§  Intellectual Property and Copyright Statements


1.  User Authentication Protocol Option

This option specifies a list of URLs, each pointing to a user authentication service that is capable of processing authentication requests encapsulated in the User Authentication Protocol (UAP). UAP servers can accept either HTTP 1.1 or SSLv3 connections. If the list includes a URL that does not contain a port component, the normal default port is assumed (i.e., port 80 for http and port 443 for https). If the list includes a URL that does not contain a path component, the path /uap is assumed.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |     Code      |    Length     |   URL list

      Code            98

      Length          The length of the data field (i.e., URL list) in

      URL list        A list of one or more URLs separated by the ASCII
                      space character (0x20).


2.  Security Considerations

DHCP currently provides no authentication or security mechanisms. Potential exposures to attack are discussed in section 7 of the DHCP protocol specification.

The User Authentication Protocol does not have a means to detect whether or not the client is communicating with a rogue authentication service that the client contacted because it received a forged or otherwise compromised UAP option from a DHCP service whose security was compromised. Even secure authentication does not provide relief from this type of attack. This security exposure is mitigated by the environmental assumptions documented in the Network Computing Client Technical Standard.


3. References

[RFC2131] Droms, R., “Dynamic Host Configuration Protocol,” RFC 2131, March 1997 (TXT, HTML, XML).
[_XREF_2] The Open Group, “Technical Standard: Network Computing Client,” October 1998.
[RFC2068] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” RFC 2068, January 1997 (TXT).
[_XREF_4] Freier, A., Karlton, P., and P. Kocher, “The SSL Protocol, Version 3.0,” November 1996.
[RFC1738] Berners-Lee, T., Masinter, L., and M. McCahill, “Uniform Resource Locators (URL),” RFC 1738, December 1994 (TXT).
[RFC2132] Alexander, S. and R. Droms, “DHCP Options and BOOTP Vendor Extensions,” RFC 2132, March 1997 (TXT, HTML, XML).


Author's Address

  Steve Drach
  Sun Microsystems, Inc.
  901 San Antonio Road
  Palo Alto, CA 94303
Phone:  +1 650 960 1300
Email:  drach@sun.com


Full Copyright Statement

Intellectual Property