The DHCP protocol (RFC 2131) [1] provides a framework for passing configuration parameters to hosts on the Internet and similar networks, including mobile networks. DHCP is built on a client-server model, in which designated DHCP server hosts allocate network addresses and deliver such configuration parameters to dynamically configured DHCP clients. A DHCP client is thus a host that uses DHCP to obtain configuration parameters such as a network address, and a DHCP server is a host that returns configuration parameters to DHCP clients. DHCP servers are normally configured by a system administrator. The basic DHCP protocol supports three mechanisms for address allocation. In automatic allocation, DHCP assigns a permanent address to a DHCP client. In dynamic allocation, an address is allocated to a client for a limited period of time (a lease), or until the client releases the address. In manual allocation, an address is assigned by the network administrator, and DHCP is simply used to convey the assigned address to the DHCP client. After obtaining parameters (e.g. TCP/IP stack parameters) via DHCP, a DHCP client should be able to exchange packets with any other host in the considered network.
In accordance with the DHCP protocol of RFC2131, a client 130 that needs DHCP configuration broadcasts a DHCPDISCOVER message. Each DHCP server 125 that receives it may respond with a DHCPOFFER message that includes an available network address and other optional configuration parameters (FIG. 1). The client 130 thus receives DHCPOFFER messages from one or more DHCP servers 125 and chooses one of the servers to be used for the actual DHCP configuration. The client subsequently broadcasts a DHCPREQUEST message identifying the selected DHCP server (by way of the server identifier option), which also tells the servers that were not selected that their offers have been declined. The selected server commits the configuration and finally responds with a DHCPACK message containing the configuration parameters for the requesting client. The DHCP-server discovery phase (DHCPDISCOVER and DHCPOFFER) illustrated in FIG. 1 is required to inform the DHCP client of the DHCP servers that can be of service for DHCP configuration, and is a quite cumbersome process.
Furthermore, the basic DHCP protocol (RFC2131) includes no explicit security mechanisms and is generally considered insecure: any host on the link can answer a DHCPDISCOVER, the client has no way to verify that an offer or acknowledgement comes from a legitimate server, and the server has no way to verify the identity of the client.
The DHCP authentication extension (RFC3118) [2] defines how DHCP messages are authenticated to improve security: an authentication option (option 90) carries a protocol identifier, an algorithm identifier, a replay detection method and value, and protocol-specific authentication information. In its delayed authentication protocol, the client and server share a secret identified by a secret ID, and each of DHCPOFFER, DHCPREQUEST and DHCPACK carries an HMAC-MD5 message authentication code computed over the message with that secret. Unfortunately, the DHCP authentication extension (RFC 3118) does not support roaming clients, and cannot be widely deployed because there is no out-of-band key agreement protocol by which DHCP clients and servers can obtain the shared secrets.
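The following Python model is added here as a worked example; it is not taken from the references or from either RFC. It walks the FIG. 1 exchange (DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK) with every message carrying the RFC 3118 authentication option (option 90) in its delayed authentication form: protocol 1, algorithm 1 (HMAC-MD5), RDM 0 (monotonically increasing counter), with the MAC computed over the whole message after zeroing the hops and giaddr fields and the MAC field itself, as RFC 3118 section 5.2 specifies. The DHCPDISCOVER is modelled as carrying only the 11-byte request form of the option (no secret ID, no MAC), so the first message a client can check is the DHCPOFFER. The shared secret, its secret ID, the transaction ID, the hardware address and the IP addresses are constructed values, and the pre-provisioned SECRETS table stands for exactly the out-of-band keying that RFC 3118 presumes and that the text above identifies as the obstacle to deployment.

```python
import hashlib
import hmac
import struct

MAGIC = b"\x63\x82\x53\x63"                      # RFC 2131 option-area cookie
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_AUTH, OPT_END = 53, 54, 90, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5       # option 53 values
BOOTREQUEST, BOOTREPLY = 1, 2
AUTH_HDR, MAC_LEN = 15, 16                       # proto+alg+RDM+replay(8)+secret ID(4); HMAC-MD5
SECRETS = {0x2A: b"constructed-shared-secret"}   # constructed; RFC 3118 assumes out-of-band keying

def ip(s):
    return bytes(int(x) for x in s.split("."))

def iter_options(msg):
    """Yield (code, value offset, value) for each TLV option after the cookie."""
    if msg[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    i = 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:                          # PAD
            i += 1
            continue
        code, ln = msg[i], msg[i + 1]
        yield code, i + 2, msg[i + 2:i + 2 + ln]
        i += 2 + ln

def options(msg):
    return {code: val for code, _, val in iter_options(msg)}

def auth_value(counter, secret_id=None):
    """Option 90: protocol 1 (delayed), algorithm 1 (HMAC-MD5), RDM 0 (monotonic counter),
    8-byte replay field; DISCOVER stops there, other messages add secret ID + MAC."""
    v = struct.pack("!BBBQ", 1, 1, 0, counter)
    return v if secret_id is None else v + struct.pack("!I", secret_id) + b"\0" * MAC_LEN

def mac_input(msg):
    """RFC 3118 5.2: the MAC covers the whole message with 'hops', 'giaddr' and the
    MAC field zeroed (relay agents rewrite the first two in transit)."""
    m = bytearray(msg)
    m[3], m[24:28] = 0, b"\0" * 4
    for code, off, val in iter_options(msg):
        if code == OPT_AUTH and len(val) == AUTH_HDR + MAC_LEN:
            m[off + AUTH_HDR:off + AUTH_HDR + MAC_LEN] = b"\0" * MAC_LEN
    return bytes(m)

def build(op, xid, chaddr, yiaddr, opts):
    """RFC 2131 fixed header (236 bytes) + cookie + options + END; then fill in the MAC."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, ip(yiaddr), b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    msg = hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])
    for code, off, val in iter_options(msg):
        if code == OPT_AUTH and len(val) == AUTH_HDR + MAC_LEN:
            key = SECRETS[struct.unpack("!I", val[11:15])[0]]
            mac = hmac.new(key, mac_input(msg), hashlib.md5).digest()
            msg = msg[:off + AUTH_HDR] + mac + msg[off + AUTH_HDR + MAC_LEN:]
    return msg

def verify(msg, last_counter):
    """Replay check first (RDM 0: counter must increase), then the MAC; returns the
    accepted counter for the receiver to store against this peer."""
    val = options(msg)[OPT_AUTH]
    proto, alg, rdm, counter, secret_id = struct.unpack("!BBBQI", val[:AUTH_HDR])
    if (proto, alg, rdm) != (1, 1, 0):
        raise ValueError("unsupported protocol/algorithm/RDM")
    if counter <= last_counter:
        raise ValueError("replay: counter %d <= %d" % (counter, last_counter))
    if secret_id not in SECRETS:
        raise ValueError("unknown secret ID %#x" % secret_id)
    expected = hmac.new(SECRETS[secret_id], mac_input(msg), hashlib.md5).digest()
    if not hmac.compare_digest(expected, val[AUTH_HDR:]):
        raise ValueError("bad MAC")
    return counter

def run_exchange(server_id="192.0.2.1", lease="192.0.2.50", secret_id=0x2A):
    """DISCOVER/OFFER/REQUEST/ACK in memory with one server; each side keeps its own
    counter and the last one it accepted. Returns (chosen server, leased address)."""
    xid, chaddr = 0x3903F326, b"\x00\x11\x22\x33\x44\x55"         # constructed
    c_ctr, s_ctr, c_last, s_last = 100, 200, 0, 0
    discover = build(BOOTREQUEST, xid, chaddr, "0.0.0.0",
                     [(OPT_MSG_TYPE, bytes([DISCOVER])), (OPT_AUTH, auth_value(c_ctr))])
    assert options(discover)[OPT_MSG_TYPE] == bytes([DISCOVER])   # server: no MAC to check yet
    offer = build(BOOTREPLY, xid, chaddr, lease,
                  [(OPT_MSG_TYPE, bytes([OFFER])), (OPT_SERVER_ID, ip(server_id)),
                   (OPT_AUTH, auth_value(s_ctr, secret_id))])
    c_last = verify(offer, c_last)                                  # client
    chosen = options(offer)[OPT_SERVER_ID]
    request = build(BOOTREQUEST, xid, chaddr, "0.0.0.0",
                    [(OPT_MSG_TYPE, bytes([REQUEST])), (OPT_SERVER_ID, chosen),
                     (OPT_AUTH, auth_value(c_ctr + 1, secret_id))])
    s_last = verify(request, s_last)                                # server
    ack = build(BOOTREPLY, xid, chaddr, lease,
                [(OPT_MSG_TYPE, bytes([ACK])), (OPT_SERVER_ID, ip(server_id)),
                 (OPT_AUTH, auth_value(s_ctr + 1, secret_id))])
    c_last = verify(ack, c_last)                                    # client
    return ".".join(map(str, chosen)), ".".join(map(str, ack[16:20]))

def replay_rejected(msg, last_counter):
    """True if re-presenting a message fails the RDM check (not the MAC check)."""
    try:
        verify(msg, last_counter)
    except ValueError as e:
        return str(e).startswith("replay")
    return False
```

run_exchange() returns ('192.0.2.1', '192.0.2.50'). Presenting an already accepted message a second time fails at the replay check before the MAC is even examined, a message whose body was altered in transit fails the MAC check, and a relay agent's rewriting of hops and giaddr leaves the MAC valid, which is why those two fields are excluded. Everything rests on SECRETS being populated on both sides beforehand; without a key agreement protocol that table has to be filled by hand, which is the deployment problem the text describes.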
To date, there have been proposals in the IETF that outline how EAP-based network access authentication can be used to establish a local trust relation and to generate keys that can be used in conjunction with RFC3118.
For example, reference [3] proposes that the DHCP client gains network access by means of an EAP authentication method that generates session keys. As part of the network access process, the DHCP client and the authentication agent (the NAS, acting as AAA client) communicate their intention to create a DHCP security association (SA) and exchange the required parameters (e.g., nonce, key ID, etc.). This information exchange is handled by the EAP lower layer, i.e. the protocol that also carries EAP itself.
Along these lines, reference [4] proposes additional payloads that are required within PANA in order to bootstrap RFC3118. Reference [4] also proposes that a DHCP SA be generated from the PANA SA after successful PANA authentication.
There are cases where the EAP lower layer will not be able to support the information exchange required for bootstrapping RFC3118, for example when the EAP lower layer is PPP, IEEE 802.1X, or a legacy version of the PANA protocol. Requiring support in the EAP lower layer also means that the AAA clients must understand the RFC3118 bootstrapping requirements and must be aware of the contents of the exchanges between the DHCP client and server.
There is thus a general need for improved underlying support for Dynamic Host Configuration Protocol (DHCP) services.