[master] Merged trac4015 (secure DHCPv6 definitions)

be2350d5 · Francis Dupont · ee52a28f · 1860ab2b · be2350d5 · be2350d5
Commit be2350d5 authored Sep 25, 2015 by Francis Dupont
5 changed files
--- a/doc/guide/dhcp6-srv.xml
+++ b/doc/guide/dhcp6-srv.xml
@@ -860,6 +860,11 @@ temporarily override a list of interface names and listen on all interfaces.
      structures. "Type" designates the format of the data: the meanings of
      the various types is given in <xref linkend="dhcp-types"/>.
    </para>
+    <para>
+      Experimental options (like standard options but with a code
+      which was not assigned by IANA) are listed in
+      <xref linkend="dhcp6-exp-options-list"/>.
+    </para>
    <para>
      Some options are designated as arrays, which means that more than one
      value is allowed in such an option. For example the option dns-servers
@@ -956,6 +961,27 @@ temporarily override a list of interface names and listen on all interfaces.
        </tgroup>
      </table>
    </para>
+
+    <para>
+      <table frame="all" id="dhcp6-exp-options-list">
+        <title>List of experimental DHCPv6 options</title>
+        <tgroup cols='4'>
+        <colspec colname='name'/>
+        <colspec colname='code' align='center'/>
+        <colspec colname='type' align='center'/>
+        <colspec colname='array' align='center'/>
+        <thead>
+          <row><entry>Name</entry><entry>Code</entry><entry>Type</entry><entry>Array?</entry></row>
+        </thead>
+        <tbody>
+<row><entry>public-key</entry><entry>701</entry><entry>binary</entry><entry>false</entry></row>
+<row><entry>certificate</entry><entry>702</entry><entry>binary</entry><entry>false</entry></row>
+<row><entry>signature</entry><entry>703</entry><entry>record</entry><entry>false</entry></row>
+<row><entry>timestamp</entry><entry>704</entry><entry>binary</entry><entry>false</entry></row>
+        </tbody>
+        </tgroup>
+      </table>
+    </para>
    </section>

    <section id="dhcp6-custom-options">

--- a/src/lib/dhcp/dhcp4.h
+++ b/src/lib/dhcp/dhcp4.h
@@ -36,6 +36,13 @@

 #include <stdint.h>

+/// @note Code points in comments are those assigned by IANA
+/// but not yet implemented in Kea.
+/// To implement a standard option, remove the comment characters,
+/// add an entry in std_option_defs.h, add a stdOptionDefs4 unit test
+/// in tests/libdhcp++_unittest.cc and update dhcp4-std-options-list-part2
+/// in the dhcp4-srv.xml source file of the user guide.
+
 namespace isc {
 namespace dhcp {


--- a/src/lib/dhcp/dhcp6.h
+++ b/src/lib/dhcp/dhcp6.h
-// Copyright (C) 2006-2011  Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2006-2011, 2015  Internet Systems Consortium, Inc. ("ISC")
 //
 // Permission to use, copy, modify, and/or distribute this software for any
 // purpose with or without fee is hereby granted, provided that the above
@@ -15,6 +15,13 @@
 #ifndef DHCP6_H
 #define DHCP6_H

+/// @note Code points in comments are those assigned by IANA
+/// but not yet implemented in Kea.
+/// To implement a standard option, remove the comment characters,
+/// add an entry in std_option_defs.h, add a stdOptionDefs6 unit test
+/// in tests/libdhcp++_unittest.cc and update dhcp6-std-options-list in
+/// the dhcp6-srv.xml source file of the user guide.
+
 /* DHCPv6 Option codes: */

 #define D6O_CLIENTID                            1 /* RFC3315 */
@@ -65,24 +72,102 @@
 #define D6O_CLT_TIME                            46 /* RFC5007 */
 #define D6O_LQ_RELAY_DATA                       47 /* RFC5007 */
 #define D6O_LQ_CLIENT_LINK                      48 /* RFC5007 */
+//#define D6O_MIP6_HNIDF                          49 /* RFC6610 */
+//#define D6O_MIP6_VDINF                          50 /* RFC6610 */
+//#define D6O_V6_LOST                             51 /* RFC5223 */
+//#define D6O_CAPWAP_AC_V6                        52 /* RFC5417 */
+//#define D6O_RELAY_ID                            53 /* RFC5460 */
+//#define D6O_IPV6_ADDRESS_MOS                    54 /* RFC5678 */
+//#define D6O_IPV6_FQDN_MOS                       55 /* RFC5678 */
+//#define D6O_NTP_SERVER                          56 /* RFC5908 */
+//#define D6O_V6_ACCESS_DOMAIN                    57 /* RFC5986 */
+//#define D6O_SIP_UA_CS_LIST                      58 /* RFC6011 */
+//#define D6O_BOOTFILE_URL                        59 /* RFC5970 */
+//#define D6O_BOOTFILE_PARAM                      60 /* RFC5970 */
+//#define D6O_CLIENT_ARCH_TYPE                    61 /* RFC5970 */
+//#define D6O_NII                                 62 /* RFC5970 */
+//#define D6O_GEOLOCATION                         63 /* RFC6225 */
+//#define D6O_AFTR_NAME                           64 /* RFC6334 */
 #define D6O_ERP_LOCAL_DOMAIN_NAME               65 /* RFC6440 */
 #define D6O_RSOO                                66 /* RFC6422 */
+//#define D6O_PD_EXCLUDE                          67 /* RFC6603 */
+//#define D6O_VSS                                 68 /* RFC6607 */
+//#define D6O_MIP6_IDINF                          69 /* RFC6610 */
+//#define D6O_MIP6_UDINF                          70 /* RFC6610 */
+//#define D6O_MIP6_HNP                            71 /* RFC6610 */
+//#define D6O_MIP6_HAA                            72 /* RFC6610 */
+//#define D6O_MIP6_HAF                            73 /* RFC6610 */
+//#define D6O_RDNSS_SELECTION                     74 /* RFC6731 */
+//#define D6O_KRB_PRINCIPAL_NAME                  75 /* RFC6784 */
+//#define D6O_KRB_REALM_NAME                      76 /* RFC6784 */
+//#define D6O_KRB_DEFAULT_REALM_NAME              77 /* RFC6784 */
+//#define D6O_KRB_KDC                             78 /* RFC6784 */
 #define D6O_CLIENT_LINKLAYER_ADDR               79 /* RFC6939 */
+//#define D6O_LINK_ADDRESS                        80 /* RFC6977 */
+//#define D6O_RADIUS                              81 /* RFC7037 */
+//#define D6O_SOL_MAX_RT                          82 /* RFC7083 */
+//#define D6O_INF_MAX_RT                          83 /* RFC7083 */
+//#define D6O_ADDRSEL                             84 /* RFC7078 */
+//#define D6O_ADDRSEL_TABLE                       85 /* RFC7078 */
+//#define D6O_V6_PCP_SERVER                       86 /* RFC7291 */
+//#define D6O_DHCPV4_MSG                          87 /* RFC7341 */
+//#define D6O_DHCPV4_O_DHCPV6_SERVER              88 /* RFC7341 */
+//#define D6O_S46_RULE                            89 /* RFC7598 */
+//#define D6O_S46_BR                              90 /* RFC7598 */
+//#define D6O_S46_DMR                             91 /* RFC7598 */
+//#define D6O_S46_V4V6BIND                        92 /* RFC7598 */
+//#define D6O_S46_PORTPARAMS                      93 /* RFC7598 */
+//#define D6O_S46_CONT_MAPE                       94 /* RFC7598 */
+//#define D6O_S46_CONT_MAPT                       95 /* RFC7598 */
+//#define D6O_S46_CONT_LW                         96 /* RFC7598 */
+//#define D6O_4RD                                 97 /* RFC7600 */
+//#define D6O_4RD_MAP_RULE                        98 /* RFC7600 */
+//#define D6O_4RD_NON_MAP_RULE                    99 /* RFC7600 */
+/* draft-ietf-dhc-dhcpv6-active-leasequery-04 */
+//#define D6O_LQ_BASE_TIME                       100
+//#define D6O_LQ_START_TIME                      101
+//#define D6O_LQ_END_TIME                        102
+/* 103-142 unassigned */
+//#define D6O_IPV6_ADDRESS_ANDSF                 143 /* RFC6153 */
+
+// The following are EXPERIMENTAL and may change when IANA assigns official
+// values.
+/* secure DHCPv6 (draft-ietf-dhc-sedhcpv6-08) */
+/* temporary values for hackathon 93 */
+#define D6O_PUBLIC_KEY                         701
+#define D6O_CERTIFICATE                        702
+#define D6O_SIGNATURE                          703
+#define D6O_TIMESTAMP                          704

 /*
- * Status Codes, from RFC 3315 section 24.4, and RFC 3633, 5007.
+ * Status Codes, from RFC 3315 section 24.4, and RFC 3633, 5007, 5460.
 */
-#define STATUS_Success           0
-#define STATUS_UnspecFail        1
-#define STATUS_NoAddrsAvail      2
-#define STATUS_NoBinding         3
-#define STATUS_NotOnLink         4
-#define STATUS_UseMulticast      5
-#define STATUS_NoPrefixAvail     6
-#define STATUS_UnknownQueryType  7
-#define STATUS_MalformedQuery    8
-#define STATUS_NotConfigured     9
-#define STATUS_NotAllowed       10
+#define STATUS_Success                   0
+#define STATUS_UnspecFail                1
+#define STATUS_NoAddrsAvail              2
+#define STATUS_NoBinding                 3
+#define STATUS_NotOnLink                 4
+#define STATUS_UseMulticast              5
+#define STATUS_NoPrefixAvail             6
+#define STATUS_UnknownQueryType          7
+#define STATUS_MalformedQuery            8
+#define STATUS_NotConfigured             9
+#define STATUS_NotAllowed               10
+//#define STATUS_QueryTerminated          11
+/* draft-ietf-dhc-dhcpv6-active-leasequery-04 */
+//#define STATUS_DataMissing              12
+//#define STATUS_CatchUpComplete          13
+//#define STATUS_NotSupported             14
+//#define STATUS_TLSConnectionRefused     15
+
+// The following are EXPERIMENTAL and may change when IANA assigns official
+// values.
+/* secure DHCPv6 (draft-ietf-dhc-sedhcpv6-08) */
+/* temporary values for hackathon 93 */
+#define STATUS_AlgorithmNotSupported   705
+#define STATUS_AuthenticationFail      706
+#define STATUS_TimestampFail           707
+#define STATUS_SignatureFail           708

 /*
 * DHCPv6 message types, defined in section 5.3 of RFC 3315
@@ -100,8 +185,21 @@
 #define DHCPV6_INFORMATION_REQUEST 11
 #define DHCPV6_RELAY_FORW          12
 #define DHCPV6_RELAY_REPL          13
+/* RFC 5007 */
 #define DHCPV6_LEASEQUERY          14
 #define DHCPV6_LEASEQUERY_REPLY    15
+/* RFC 5460 */
+//#define DHCPV6_LEASEQUERY_DONE     16
+//#define DHCPV6_LEASEQUERY_DATA     17
+/* RFC 6977 */
+//#define DHCPV6_RECONFIGURE_REQUEST 18
+//#define DHCPV6_RECONFIGURE_REPLY   19
+/* RFC 7341 */
+//#define DHCPV6_DHCPV4_QUERY        20
+//#define DHCPV6_DHCPV4_RESPONSE     21
+/* draft-ietf-dhc-dhcpv6-active-leasequery-04 */
+//#define DHCPV6_ACTIVELEASEQUERY    22
+//#define DHCPV6_STARTTLS            23

 extern const char *dhcpv6_type_names[];
 extern const int dhcpv6_type_name_max;
@@ -114,6 +212,14 @@ extern const int dhcpv6_type_name_max;
 #define HWTYPE_ETHERNET    0x0001
 #define HWTYPE_INFINIBAND  0x0020

+// The following are EXPERIMENTAL and may change when IANA assigns official
+// values.
+// Secure DHCPv6 (draft-ietf-dhc-sedhcpv6-08.txt)
+// (can't use an enum because HashAlgorithm name is already taken)
+#define SHA_256                 1
+#define SHA_512                 2
+#define RSASSA_PKCS1v1_5        1
+
 // Taken from http://www.iana.org/assignments/enterprise-numbers
 #define ENTERPRISE_ID_ISC 2495

@@ -172,10 +278,13 @@ extern const int dhcpv6_type_name_max;
 #define LQ6_MAX_RT       10
 #define LQ6_MAX_RC        5

-/* Leasequery query-types (RFC 5007) */
+/* Leasequery query-types (RFC 5007, RFC 5460) */

 #define LQ6QT_BY_ADDRESS        1
 #define LQ6QT_BY_CLIENTID       2
+//#define LQ6QT_BY_RELAY_ID       3
+//#define LQ6QT_BY_LINK_ADDRESS   4
+//#define LQ6QT_BY_REMOTE_ID      5

 /*
 * DUID time starts 2000-01-01.

--- a/src/lib/dhcp/std_option_defs.h
+++ b/src/lib/dhcp/std_option_defs.h
@@ -236,6 +236,9 @@ RECORD_DECL(REMOTE_ID_RECORDS, OPT_UINT32_TYPE, OPT_BINARY_TYPE);
 RECORD_DECL(STATUS_CODE_RECORDS, OPT_UINT16_TYPE, OPT_STRING_TYPE);
 // vendor-class
 RECORD_DECL(VENDOR_CLASS_RECORDS, OPT_UINT32_TYPE, OPT_BINARY_TYPE);
+// sedhcpv6 signature
+RECORD_DECL(SIGNATURE_RECORDS, OPT_UINT8_TYPE, OPT_UINT8_TYPE,
+            OPT_BINARY_TYPE);

 /// Standard DHCPv6 option definitions.
 ///
@@ -330,7 +333,15 @@ const OptionDefParams OPTION_DEF_PARAMS6[] = {
      NO_RECORD_DEF, "" },
    { "rsoo", D6O_RSOO, OPT_EMPTY_TYPE, false, NO_RECORD_DEF, "rsoo-opts" },
    { "client-linklayer-addr", D6O_CLIENT_LINKLAYER_ADDR, OPT_BINARY_TYPE, false,
-        NO_RECORD_DEF, "" }
+      NO_RECORD_DEF, "" },
+    { "public-key", D6O_PUBLIC_KEY, OPT_BINARY_TYPE, false,
+      NO_RECORD_DEF, "" },
+    { "certificate", D6O_CERTIFICATE, OPT_BINARY_TYPE, false,
+      NO_RECORD_DEF, "" },
+    { "signature", D6O_SIGNATURE, OPT_RECORD_TYPE, false,
+      RECORD_DEF(SIGNATURE_RECORDS), "" },
+    { "timestamp", D6O_TIMESTAMP, OPT_BINARY_TYPE, false,
+      NO_RECORD_DEF, "" }

    // @todo There is still a bunch of options for which we have to provide
    // definitions but we don't do it because they are not really

--- a/src/lib/dhcp/tests/libdhcp++_unittest.cc
+++ b/src/lib/dhcp/tests/libdhcp++_unittest.cc
@@ -1168,6 +1168,18 @@ TEST_F(LibDhcpTest, stdOptionDefs6) {
    LibDhcpTest::testStdOptionDefs6(D6O_ERP_LOCAL_DOMAIN_NAME,
                                    fqdn_buf.begin(), fqdn_buf.end(),
                                    typeid(OptionCustom));
+
+    LibDhcpTest::testStdOptionDefs6(D6O_PUBLIC_KEY, begin, end,
+                                    typeid(Option));
+
+    LibDhcpTest::testStdOptionDefs6(D6O_CERTIFICATE, begin, end,
+                                    typeid(Option));
+
+    LibDhcpTest::testStdOptionDefs6(D6O_SIGNATURE, begin, end,
+                                    typeid(OptionCustom));
+
+    LibDhcpTest::testStdOptionDefs6(D6O_TIMESTAMP, begin, begin + 8,
+                                    typeid(Option));
 }

 // This test checks if the DHCPv6 option definition can be searched by