RFC 3634 (rfc3634) - Page 2 of 7
Key Distribution Center (KDC) Server Address Sub-option for the Dynamic Host Configuration Protocol (DHCP) CableLabs Client Configuration (CCC) Option
Alternative Format: Original Text Document
RFC 3634 KDC Server Address Sub-option December 2003
Configuration of a class of CableLabs client devices described in [2]
and [3] will require a DHCP sub-option to provide the client with the
network address of a KDC server in the cable operator's data network.
The class of devices assumed in [2] and [3] is unlike the class of
devices considered in [1], which perform a DNS lookup of the Kerberos
Realm name to find the KDC server network address.
This document proposes a sub-option of the CCC DHCP option code for
use with CableLabs client devices. The proposed sub-option encodes
an identifier for the network address of each of one or more Key
Distribution Center servers with which the CableLabs client device
exchanges security information.
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT" and "MAY" in
this document are to be interpreted as described in BCP 14, RFC 2119
[4].
2. Key Distribution Center IP Address Sub-option
CableHome specifications will specify the Key Distribution Center
network address encoding as a sub-option of the CCC DHCP Option code.
This field will be used to inform the client device of the network
address of one or more Key Distribution Center servers.
The encoding of the KDC Server Address sub-option will adhere to the
format of an IPv4 address. The minimum length for this option is 4
octets, and the length MUST always be a multiple of 4. If multiple
KDC Servers are listed, they MUST be listed in decreasing order of
priority. The format of the KDC Server Address sub-option of the CCC
option code is as shown below:
SubOpt Len Address 1 Address 2
+------+-----+-----+-----+-----+-----+-----+-----+--
| 10 | n | a1 | a2 | a3 | a4 | a1 | a2 | ...
+------+-----+-----+-----+-----+-----+-----+-----+--
3. Security Considerations
This document relies upon the DHCP protocol [5] for authentication
and security, i.e., it does not provide security in excess of what
DHCP is (or will be) providing. Potential exposures to attack in the
DHCP protocol are discussed in section 7 of the DHCP protocol
specification [5] and in Authentication for DHCP Messages [6].
The CCC option can be used to misdirect network traffic by providing
incorrect DHCP server addresses, incorrect provisioning server
addresses, and incorrect Kerberos realm names to a CableLabs client
Luehrs, et al. Standards Track