RFC 3634 (rfc3634) - Page 2 of 7


Key Distribution Center (KDC) Server Address Sub-option for the Dynamic Host Configuration Protocol (DHCP) CableLabs Client Configuration (CCC) Option



Alternative Format: Original Text Document



RFC 3634             KDC Server Address Sub-option         December 2003


   Configuration of a class of CableLabs client devices described in [2]
   and [3] will require a DHCP sub-option to provide the client with the
   network address of a KDC server in the cable operator's data network.

   The class of devices assumed in [2] and [3] is unlike the class of
   devices considered in [1], which perform a DNS lookup of the Kerberos
   Realm name to find the KDC server network address.

   This document proposes a sub-option of the CCC DHCP option code for
   use with CableLabs client devices.  The proposed sub-option encodes
   an identifier for the network address of each of one or more Key
   Distribution Center servers with which the CableLabs client device
   exchanges security information.

   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT" and "MAY" in
   this document are to be interpreted as described in BCP 14, RFC 2119
   [4].

2.  Key Distribution Center IP Address Sub-option

   CableHome specifications will specify the Key Distribution Center
   network address encoding as a sub-option of the CCC DHCP Option code.
   This field will be used to inform the client device of the network
   address of one or more Key Distribution Center servers.

   The encoding of the KDC Server Address sub-option will adhere to the
   format of an IPv4 address.  The minimum length for this option is 4
   octets, and the length MUST always be a multiple of 4.  If multiple
   KDC Servers are listed, they MUST be listed in decreasing order of
   priority.  The format of the KDC Server Address sub-option of the CCC
   option code is as shown below:

    SubOpt  Len      Address 1               Address 2
   +------+-----+-----+-----+-----+-----+-----+-----+--
   |  10  |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
   +------+-----+-----+-----+-----+-----+-----+-----+--

3.  Security Considerations

   This document relies upon the DHCP protocol [5] for authentication
   and security, i.e., it does not provide security in excess of what
   DHCP is (or will be) providing.  Potential exposures to attack in the
   DHCP protocol are discussed in section 7 of the DHCP protocol
   specification [5] and in Authentication for DHCP Messages [6].

   The CCC option can be used to misdirect network traffic by providing
   incorrect DHCP server addresses, incorrect provisioning server
   addresses, and incorrect Kerberos realm names to a CableLabs client



Luehrs, et al.              Standards Track