draft-ietf-softwire-dslite-radius-ext-04.txt   draft-ietf-softwire-dslite-radius-ext-05.txt 
softwire R. Maglione softwire R. Maglione
Internet-Draft Telecom Italia Internet-Draft Telecom Italia
Intended status: Standards Track A. Durand Intended status: Standards Track A. Durand
Expires: January 28, 2012 Juniper Networks Expires: February 11, 2012 Juniper Networks
July 27, 2011 August 10, 2011
RADIUS Extensions for Dual-Stack Lite RADIUS Extensions for Dual-Stack Lite
draft-ietf-softwire-dslite-radius-ext-04 draft-ietf-softwire-dslite-radius-ext-05
Abstract Abstract
Dual-Stack Lite is a solution to offer both IPv4 and IPv6 Dual-Stack Lite is a solution to offer both IPv4 and IPv6
connectivity to customers which are addressed only with an IPv6 connectivity to customers which are addressed only with an IPv6
prefix. DS-Lite requires to pre-configure the DS-Lite Address Family prefix. Dual-Stack Lite requires to pre-configure the Dual-Stack
Transition Router tunnel information on the Basic Bridging BroadBand Lite Address Family Transition Router (AFTR) tunnel information on
element. In many networks, the customer profile information may be the Basic Bridging BroadBand (B4) element. In many networks, the
stored in AAA servers while client configurations are mainly provided customer profile information may be stored in Authentication
through DHC protocol. This document specifies a new RADIUS attribute Authorization and Accounting (AAA) servers while client
to carry Dual-Stack Lite Address Family Transition Router Tunnel configurations are mainly provided through Dynamic Host Configuration
name; the RADIUS attribute is defined based on the equivalent DHCPv6 Protocol (DHCP). This document specifies a new Remote Authentication
OPTION_AFTR_NAME option. This RADIUS attribute is meant to be used Dial In User Service (RADIUS) attribute to carry Dual-Stack Lite
between the RADIUS Server and the NAS, it is not intended to be used Address Family Transition Router Tunnel name; the RADIUS attribute is
directly between the B4 element and the RADIUS Server. defined based on the equivalent DHCPv6 OPTION_AFTR_NAME option. This
RADIUS attribute is meant to be used between the RADIUS Server and
the Network Access Server (NAS), it is not intended to be used
directly between the Basic Bridging BroadBand element and the RADIUS
Server.
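Review bot: the second sentence of the Abstract ("Dual-Stack Lite requires to pre-configure the ... tunnel information on the Basic Bridging BroadBand (B4) element") is ungrammatical in both columns; suggest "requires the AFTR tunnel information to be pre-configured on the B4 element". The last sentence is a comma splice ("between the RADIUS Server and the Network Access Server (NAS), it is not intended ..."); split it at the comma. The new column also expands B4 at first use and then writes "Basic Bridging BroadBand element" again in the final sentence where "B4" would read better.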
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 28, 2012. This Internet-Draft will expire on February 11, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
skipping to change at page 4, line 7 skipping to change at page 4, line 7
5. Table of attributes . . . . . . . . . . . . . . . . . . . . . 9 5. Table of attributes . . . . . . . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
8.1. Normative References . . . . . . . . . . . . . . . . . . . 10 8.1. Normative References . . . . . . . . . . . . . . . . . . . 10
8.2. Informative References . . . . . . . . . . . . . . . . . . 11 8.2. Informative References . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
Dual-Stack Lite [I-D.ietf-softwire-dual-stack-lite] is a solution to Dual-Stack Lite [RFC6333] is a solution to offer both IPv4 and IPv6
offer both IPv4 and IPv6 connectivity to customers which are connectivity to customers which are addressed only with an IPv6
addressed only with an IPv6 prefix (no IPv4 address is assigned to prefix (no IPv4 address is assigned to the attachment device). One
the attachment device). One of its key components is an IPv4-over- of its key components is an IPv4-over-IPv6 tunnel, but a Dual-Stack-
IPv6 tunnel, but a DS-Lite Basic Bridging BroadBand (B4) will not Lite Basic Bridging BroadBand (B4) will not know if the network it is
know if the network it is attached to offers Dual-Stack Lite support, attached to offers Dual-Stack Lite support, and if it did, would not
and if it did, would not know the remote end of the tunnel to know the remote end of the tunnel to establish a connection.
establish a connection.
To inform the B4 of the AFTR's location, a Fully Qualified Domain To inform the Basic Bridging BroadBand (B4) of the Address Family
Name (FQDN) may be used. Once this information is conveyed, the Transition Router's (AFTR) location, a Fully Qualified Domain Name
presence of the configuration indicating the AFTR's location also (FQDN) may be used. Once this information is conveyed, the presence
informs a host to initiate Dual-Stack Lite (DS-Lite) service and of the configuration indicating the AFTR's location also informs a
become a Softwire Initiator. host to initiate Dual-Stack Lite (DS-Lite) service and become a
Softwire Initiator.
[I-D.ietf-softwire-ds-lite-tunnel-option] specifies a DHCPv6 option [RFC6334] specifies a DHCPv6 option which is meant to be used by a
which is meant to be used by a Dual-Stack Lite client (Basic Bridging Dual-Stack Lite client (Basic Bridging BroadBand element, B4) to
BroadBand element, B4) to discover its Address Family Transition discover its Address Family Transition Router (AFTR) name. In order
Router (AFTR) name. In order to be able to populate such option the to be able to populate such option the DHCPv6 Server must be pre-
DHCPv6 Server must be pre-provisioned with the Address Family provisioned with the Address Family Transition Router (AFTR) name.
Transition Router (AFTR) name.
In Broadband environments, customer profile may be managed by AAA In Broadband environments, customer profile may be managed by AAA
servers, together with user Authentication, Authorization, and servers, together with user Authentication, Authorization, and
Accounting (AAA). RADIUS protocol [RFC2865] is usually used by AAA Accounting (AAA). Remote Authentication Dial In User Service
Servers to communicate with network elements. (RADIUS) protocol [RFC2865] is usually used by AAA Servers to
[I-D.ietf-radext-ipv6-access] describes a typical broadband network communicate with network elements. [I-D.ietf-radext-ipv6-access]
scenario in which the Network Access Server (NAS) acts as the access describes a typical broadband network scenario in which the Network
gateway for the users (hosts or CPEs) and the NAS embeds a DHCPv6 Access Server (NAS) acts as the access gateway for the users (hosts
Server function that allows it to locally handle any DHCPv6 requests or CPEs) and the NAS embeds a DHCPv6 Server function that allows it
issued by the clients. to locally handle any DHCPv6 requests issued by the clients.
Since the DS-Lite AFTR information can be stored in AAA servers and Since the DS-Lite AFTR information can be stored in AAA servers and
the client configuration is mainly provided through DHC protocol the client configuration is mainly provided through Dynamic Host
running between the NAS and the requesting clients, a new RADIUS Configuration Protocol (DHCP) running between the NAS and the
attribute is needed to send AFTR information from AAA server to the requesting clients, a new RADIUS attribute is needed to send AFTR
NAS. information from AAA server to the NAS.
This document aims at defining a new RADIUS attribute to be used for This document aims at defining a new RADIUS attribute to be used for
carrying the DS-Lite Tunnel Name, based on the equivalent DHCPv6 carrying the DS-Lite Tunnel Name, based on the equivalent DHCPv6
option already specified in [I-D.ietf-softwire-ds-lite-tunnel-option] option already specified in [RFC6334]
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
The terms DS-Lite Basic Bridging BroadBand element (B4) and the DS- The terms DS-Lite Basic Bridging BroadBand element (B4) and the DS-
Lite Address Family Transition Router element (AFTR) are defined in Lite Address Family Transition Router element (AFTR) are defined in
[I-D.ietf-softwire-dual-stack-lite] [RFC6333]
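Review bot: the closing sentences of Section 1 ("... already specified in [RFC6334]") and Section 2 ("... are defined in [RFC6333]") both lack a terminating period in both columns. In Section 1, "customer profile may be managed" should be "customer profiles may be managed" and "to populate such option" should be "to populate such an option". Replacing the two work-in-progress I-D citations with [RFC6333] and [RFC6334] is consistent with the reference list changes at the end of the document.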
3. DS-Lite Configuration with RADIUS and DHCPv6 3. DS-Lite Configuration with RADIUS and DHCPv6
The Figure 1 illustrates how the RADIUS protocol and DHCPv6 work The Figure 1 illustrates how the RADIUS protocol and DHCPv6 work
together to accomplish DS-Lite configuration on the B4 element when a together to accomplish DS-Lite configuration on the B4 element when a
PPP Session is used to provide connectivity to the user. PPP Session is used to provide connectivity to the user.
The Network Access Server (NAS) operates as a client of RADIUS and as The Network Access Server (NAS) operates as a client of RADIUS and as
DHCP Server for DHC protocol. The NAS initially sends a RADIUS DHCP Server for DHC protocol. The NAS initially sends a RADIUS
Access Request message to the RADIUS server, requesting Access Request message to the RADIUS server, requesting
skipping to change at page 8, line 13 skipping to change at page 8, line 13
This section specifies the format of the new RADIUS attribute. This section specifies the format of the new RADIUS attribute.
4.1. DS-Lite-Tunnel-Name 4.1. DS-Lite-Tunnel-Name
Description Description
The DS-Lite-Tunnel-Name RADIUS attribute contains a Fully Qualified The DS-Lite-Tunnel-Name RADIUS attribute contains a Fully Qualified
Domain Name that refers to the AFTR the client is requested to Domain Name that refers to the AFTR the client is requested to
establish a connection with. The NAS SHALL use the name returned in establish a connection with. The NAS SHALL use the name returned in
the RADIUS DS-Lite-Tunnel-Name attribute to populate the DHCPv6 the RADIUS DS-Lite-Tunnel-Name attribute to populate the DHCPv6
OPTION_AFTR_NAME option [I-D.ietf-softwire-ds-lite-tunnel-option] OPTION_AFTR_NAME option [RFC6334]
This attribute MAY be used in Access-Accept packets as a hint to the This attribute MAY be used in Access-Request packets as a hint to the
RADIUS server; for example if the NAS is pre-configured with a RADIUS server; for example if the NAS is pre-configured with a
default tunnel name, this name MAY be inserted in the attribute. The default tunnel name, this name MAY be inserted in the attribute. The
RADIUS server MAY ignore the hint sent by the NAS and it MAY assign a RADIUS server MAY ignore the hint sent by the NAS and it MAY assign a
different AFTR tunnel name. different AFTR tunnel name.
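Review bot: changing "Access-Accept" to "Access-Request" in the hint sentence is the right fix; the old wording contradicted the hint semantics described in the same paragraph (the NAS sends the hint, the server MAY ignore it) and the Section 5 table, which permits 0-1 instances of the attribute in Access-Request. It would help to add that the NAS includes the hint only when it actually has a pre-configured default name, so that the attribute is otherwise absent from Access-Request.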
If the NAS includes the DS-Lite-Tunnel-Name attribute, but the AAA If the NAS includes the DS-Lite-Tunnel-Name attribute, but the AAA
server does not recognize it, this attribute MUST be ignored by the server does not recognize it, this attribute MUST be ignored by the
AAA Server. AAA Server.
If the NAS does not receive DS-Lite-Tunnel-Name attribute in the If the NAS does not receive DS-Lite-Tunnel-Name attribute in the
Access-Accept it MAY fallback to a pre-configured default tunnel Access-Accept it MAY fallback to a pre-configured default tunnel
name, if any. If the NAS does not have any pre-configured default name, if any. If the NAS does not have any pre-configured default
tunnel name, the tunnel can not be established. tunnel name, the tunnel can not be established.
If the NAS is pre-provisioned with a default AFTR tunnel name and the If the NAS is pre-provisioned with a default AFTR tunnel name and the
AFTR tunnel name received in Access-Accept is different from the AFTR tunnel name received in Access-Accept is different from the
configured default, then the AFTR tunnel name received from the AAA configured default, then the AFTR tunnel name received in the Access-
server MUST overwrite the pre-configured default on the NAS. Accept message MUST be used for the session.
When the Access-request is triggered by a DHCPv6 Rebind message if If the NAS cannot support the received AFTR tunnel name for any
reason, the tunnel should not be established.
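Review bot: the added sentence "If the NAS cannot support the received AFTR tunnel name for any reason, the tunnel should not be established" uses lowercase "should" in a document that invokes [RFC2119]; make the requirement level explicit (SHOULD NOT or MUST NOT) and say whether the NAS then falls back to its pre-configured default (the paragraph above allows that fallback only when no attribute is received at all) or treats the session as failed. The rewording of the preceding paragraph from "MUST overwrite the pre-configured default on the NAS" to "MUST be used for the session" is an improvement: a per-session value carried in Access-Accept should not rewrite the NAS-wide default.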
When the Access-Request is triggered by a DHCPv6 Rebind message if
the AFTR tunnel name received in the Access-Accept is different from the AFTR tunnel name received in the Access-Accept is different from
the currently used one, the NAS MUST force the B4 to re-establish the the currently used one for that session, the NAS MUST force the B4 to
tunnel with new AFTR received from the AAA server. re-establish the tunnel using the new AFTR name received in the
Access-Accept message.
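Review bot: a comma is missing after "Rebind message" in "When the Access-Request is triggered by a DHCPv6 Rebind message if the AFTR tunnel name ..."; as written the condition is hard to parse. The added "for that session" qualifier is good, since different sessions on the same NAS may legitimately use different AFTR names.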
The Change-of-Authorization (CoA) message [RFC5176] can be used to If an implementation includes the Change-of-Authorization (CoA)
modify the current established DS-Lite tunnel. When the NAS receives messages [RFC5176], they could be used to modify the current
a CoA message containing the DS-Lite-Tunnel-Name attribute, the NAS established DS-Lite tunnel. When the NAS receives a CoA Request
MUST send a Reconfigure message to a B4 to inform the B4 that the NAS message containing the DS-Lite-Tunnel-Name attribute, the NAS MUST
has new or updated configuration parameters and that the B4 is to send a Reconfigure message to a B4 to inform the B4 that the NAS has
new or updated configuration parameters and that the B4 is to
initiate a Renew/Reply or Information-request/Reply transaction with initiate a Renew/Reply or Information-request/Reply transaction with
the NAS in order to receive the updated information. Upon receiving the NAS in order to receive the updated information.
the new AFTR tunnel name the B4 MUST terminate the current DS-Lite
tunnel and the B4 MUST establish a new DS-LITE tunnel with specified Upon receiving an AFTR tunnel name different from the currently used
AFTR. one, the B4 MUST terminate the current DS-Lite tunnel and the B4 MUST
establish a new DS-LITE tunnel with the specified AFTR.
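Review bot: "If an implementation includes the Change-of-Authorization (CoA) messages [RFC5176], they could be used to modify ..." mixes an optional capability ("could") with the MUST in the next sentence; if CoA support is optional, say so in RFC 2119 terms, for example "A NAS that supports [RFC5176] ... MUST send a Reconfigure message ...". The paragraph also relies on the B4 supporting DHCPv6 Reconfigure without saying what the NAS does when it does not. Splitting the B4 requirement into its own paragraph and qualifying it with "different from the currently used one" is a good change, since a repeated name no longer forces a tunnel teardown. "DS-LITE" in the last sentence should be "DS-Lite" for consistency with the rest of the document.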
The DS-Lite-Tunnel-Name RADIUS attribute MAY be present in The DS-Lite-Tunnel-Name RADIUS attribute MAY be present in
Accounting-Request records where the Acct-Status-Type is set to Accounting-Request records where the Acct-Status-Type is set to
Start, Stop or Interim-Update. The DS-Lite-Tunnel-Name RADIUS Start, Stop or Interim-Update. The DS-Lite-Tunnel-Name RADIUS
attribute and MUST NOT appear more than once in a message. attribute MUST NOT appear more than once in a message.
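Review bot: dropping the stray "and" in "attribute and MUST NOT appear more than once" repairs the sentence; the single-occurrence rule agrees with the 0-1 entries for Access-Request, Access-Accept, Accounting-Request and CoA-Request in the Section 5 table.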
A summary of the DS-Lite-Tunnel-Name RADIUS attribute format is shown A summary of the DS-Lite-Tunnel-Name RADIUS attribute format is shown
below. The fields are transmitted from left to right. below. The fields are transmitted from left to right.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | DS-Lite-Tunnel-Name (FQDN) | | Type | Length | DS-Lite-Tunnel-Name(FQDN)...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| DS-Lite-Tunnel-Name (FQDN) (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type: Type:
TBA1 for DS-Lite-Tunnel-Name. TBA1 for DS-Lite-Tunnel-Name.
Length: Length:
This field indicates the total length in octets of this This field indicates the total length in octets of this
attribute including the Type, the Length fields and the length attribute including the Type, the Length fields and the length
in octets of the DS-Lite-Tunnel-Name field in octets of the DS-Lite-Tunnel-Name field
DS-Lite-Tunnel-Name: DS-Lite-Tunnel-Name:
A single Fully Qualified Domain Name of the remote tunnel A single Fully Qualified Domain Name of the remote tunnel
endpoint, located at the DS-Lite AFTR. endpoint, located at the DS-Lite AFTR.
As the DS-Lite-Tunnel-Name attribute is used to populate the DHCPv6
OPTION_AFTR_NAME option, the DS-Lite-Tunnel-Name field is formatted
as required in DHCPv6 (Section 8 of [RFC3315] "Representation and Use
of Domain Names"). Briefly, the format described is using a single
octet noting the length of one DNS label (limited to at most 63
octets), followed by the label contents. This repeats until all
labels in the FQDN are exhausted, including a terminating zero-length
label. Any updates to Section 8 of [RFC3315] also apply to encoding
of this field.
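Review bot: the field definition "A single Fully Qualified Domain Name of the remote tunnel endpoint" can be read as a dotted text name, while the new paragraph specifies the label-length-prefixed wire encoding of Section 8 of [RFC3315]; state explicitly in the field definition that the octets are the DHCPv6 encoding (copied verbatim into OPTION_AFTR_NAME), not a textual FQDN, so that implementations do not send "aftr.example.com" as text. With an 8-bit Length field (bits 8-15 in the figure) the whole attribute is at most 255 octets, so the encoded name is at most 253 octets; the text should state this bound and what the RADIUS server or NAS does with a longer name. The Length definition ("... of the DS-Lite-Tunnel-Name field") lacks a terminating period. The new single-row figure with "..." is a clearer rendering of a variable-length field than the old two-row one.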
5. Table of attributes 5. Table of attributes
The following tables provide a guide to which attributes may be found The following tables provide a guide to which attributes may be found
in which kinds of packets, and in what quantity. in which kinds of packets, and in what quantity.
Access- Access- Access- Challenge Accounting # Attribute Access- Access- Access- Challenge Accounting # Attribute
Request Accept Reject Request Request Accept Reject Request
0-1 0-1 0 0 0-1 TBA1 DS-Lite-Tunnel-Name 0-1 0-1 0 0 0-1 TBA1 DS-Lite-Tunnel-Name
CoA-Request CoA-ACK CoA-NACK # Attribute CoA-Request CoA-ACK CoA-NACK # Attribute
0-1 0 0 TBA1 DS-Lite-Tunnel-Name 0-1 0 0 TBA1 DS-Lite-Tunnel-Name
The following table defines the meaning of the above table entries. The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present in packet. 0 This attribute MUST NOT be present in packet.
0+ Zero or more instances of this attribute MAY be present in 0+ Zero or more instances of this attribute MAY be present in
packet. packet.
0-1 Zero or one instance of this attribute MAY be present in packet. 0-1 Zero or one instance of this attribute MAY be present in packet.
The data type of DS-Lite-Tunnel-Name is a string.
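Review bot: the added sentence "The data type of DS-Lite-Tunnel-Name is a string" should say that this is the [RFC2865] "string" type (opaque octets) rather than "text", because the field carries label-length-prefixed octets per Section 8 of [RFC3315], not UTF-8; as written, "string" could be read either way. The legend defines "0+" but no row of either table uses it; it can be dropped unless it is kept for consistency with other RADIUS attribute tables.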
6. Security Considerations 6. Security Considerations
This document has no additional security considerations beyond those This document has no additional security considerations beyond those
already identified in [RFC2865] already identified in [RFC2865]
[I-D.ietf-softwire-dual-stack-lite] discusses DS-Lite related [RFC6333] discusses Dual-Stack Lite related security issues.
security issues.
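Review bot: the first sentence ("... already identified in [RFC2865]") lacks a terminating period. The section should also say what the integrity of this attribute depends on: it names the endpoint through which the B4 will tunnel the subscriber's IPv4 traffic, so a modified DS-Lite-Tunnel-Name in an Access-Accept or CoA-Request changes where that traffic is sent. The protection is the RADIUS message integrity between the RADIUS server and the NAS ([RFC2865], and [RFC5176] for CoA), plus the DNS resolution of the FQDN performed by the B4; pointing to those two dependencies would make "no additional security considerations" defensible.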
7. IANA Considerations 7. IANA Considerations
This document requests the allocation of a new Radius attribute types This document requests the allocation of a new Radius attribute types
from the IANA registry "Radius Attribute Types" located at from the IANA registry "Radius Attribute Types" located at
http://www.iana.org/assignments/radius-types http://www.iana.org/assignments/radius-types
DS-Lite-Tunnel-Name - TBA1 DS-Lite-Tunnel-Name - TBA1
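Review bot: "a new Radius attribute types" has a number mismatch (one attribute, plural "types"), and "Radius" should be "RADIUS" in both the sentence and the registry name. The sentence ending with the IANA URL lacks a terminating period.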
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.ietf-softwire-ds-lite-tunnel-option]
Hankins, D. and T. Mrugalski, "Dynamic Host Configuration
Protocol for IPv6 (DHCPv6) Option for Dual- Stack Lite",
draft-ietf-softwire-ds-lite-tunnel-option-10 (work in
progress), March 2011.
[I-D.ietf-softwire-dual-stack-lite]
Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
Stack Lite Broadband Deployments Following IPv4
Exhaustion", draft-ietf-softwire-dual-stack-lite-11 (work
in progress), May 2011.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", "Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000. RFC 2865, June 2000.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003. IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
Aboba, "Dynamic Authorization Extensions to Remote Stack Lite Broadband Deployments Following IPv4
Authentication Dial In User Service (RADIUS)", RFC 5176, Exhaustion", RFC 6333, August 2011.
January 2008.
[RFC6334] Hankins, D. and T. Mrugalski, "Dynamic Host Configuration
Protocol for IPv6 (DHCPv6) Option for Dual-Stack Lite",
RFC 6334, August 2011.
8.2. Informative References 8.2. Informative References
[I-D.ietf-radext-ipv6-access] [I-D.ietf-radext-ipv6-access]
Lourdelet, B., Dec, W., Sarikaya, B., Zorn, G., and D. Lourdelet, B., Dec, W., Sarikaya, B., Zorn, G., and D.
Miles, "RADIUS attributes for IPv6 Access Networks", Miles, "RADIUS attributes for IPv6 Access Networks",
draft-ietf-radext-ipv6-access-05 (work in progress), draft-ietf-radext-ipv6-access-05 (work in progress),
July 2011. July 2011.
[RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
Aboba, "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", RFC 5176,
January 2008.
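Review bot: [RFC5176] has moved from Normative to Informative References, but Section 4.1 still places a MUST on NAS behaviour upon receiving a CoA Request carrying this attribute, and Section 5 tabulates CoA-Request, CoA-ACK and CoA-NACK; either keep [RFC5176] normative or make the CoA text conditional on the NAS supporting it. Replacing the two work-in-progress I-D entries with [RFC6333] and [RFC6334] (both August 2011) is correct, and the in-text citations in Sections 1, 2, 4.1 and 6 were updated to match.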
Authors' Addresses Authors' Addresses
Roberta Maglione Roberta Maglione
Telecom Italia Telecom Italia
Via Reiss Romoli 274 Via Reiss Romoli 274
Torino 10148 Torino 10148
Italy Italy
Phone: Phone:
Email: roberta.maglione@telecomitalia.it Email: roberta.maglione@telecomitalia.it
 End of changes. 27 change blocks. 
87 lines changed or deleted 96 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/