RADIUS Extensions for Port Control Protocol
draft-maglione-pcp-radius-ext-05
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Expired".
|
|
|---|---|---|---|
| Authors | Roberta Maglione , Dean Cheng , Mohamed Boucadair | ||
| Last updated | 2012-10-16 | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-maglione-pcp-radius-ext-05
pcp R. Maglione
Internet-Draft Telecom Italia
Intended status: Standards Track D. Cheng
Expires: April 19, 2013 Huawei Technologies
M. Boucadair
France Telecom
October 16, 2012
RADIUS Extensions for Port Control Protocol
draft-maglione-pcp-radius-ext-05
Abstract
This memo specifies a new Remote Authentication Dial In User Service
(RADIUS) attribute to carry one or a list of Port Control Protocol
(PCP) Server Names. This attribute can be configured on a RADIUS
server so that the information can be conveyed to Network Access
Server (NAS) via RADIUS protocol, and the co-located Dynamic Host
Configuration Protocol (DHCP/DHCPv6) server can then populate the
information to PCP client.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 19, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Maglione, et al. Expires April 19, 2013 [Page 1]
Internet-Draft PCP RADIUS Extensions October 2012
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. PCP Server Configuration using RADIUS and DHCPv4/DHCPv6 . . . 4
4. RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . 8
5. Table of attributes . . . . . . . . . . . . . . . . . . . . . 9
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
9.1. Normative References . . . . . . . . . . . . . . . . . . . 10
9.2. Informative References . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
Maglione, et al. Expires April 19, 2013 [Page 2]
Internet-Draft PCP RADIUS Extensions October 2012
1. Introduction
Port Control Protocol (PCP) [I-D.ietf-pcp-base] provides a mechanism
to control how incoming packets are forwarded by upstream devices
such as NATs and firewalls. PCP is a client-server protocol where a
PCP client may reside on a host, a Customer Premises Equipment (CPE),
etc., which communicates with a PCP server that may reside anywhere
in a network.
[I-D.ietf-pcp-base] defines a procedure for the PCP client to
communicate with its PCP Server. The IP address of the PCP Server(s)
can be configured to the PCP Client; if not the PCP Client assumes
its default router as being its PCP Server.
[I-D.ietf-pcp-dhcp] defines DHCPv6 and DHCPv4 options which are meant
to be used by a PCP client to discover a PCP server name. However,
provisioning for name of the PCP server is required on a DHCPv4/
DHCPv6 server before it can populate this information.
Auto-configuration on a DHCPv4/DHCPv6 is possible in a broadband
network, where typically, user profile is maintained on a Remote
Authentication Dial In User Service (RADIUS) server and RADIUS
protocol [RFC2865] is used to convey user-related information to
other network elements including a host and CPE.
[I-D.ietf-radext-ipv6-access] describes a typical broadband network
scenario in which the Network Access Server (NAS) acts as the access
gateway for the users (hosts or CPEs) and the NAS embeds a DHCPv6
Server function that allows it to locally handle any DHCPv6 requests
issued by the clients.
In such environment, PCP server's name can be configured on a RADIUS
server, which then passes the information to a NAS that co-locates
with the DHCPv4/DHCPv6 server, which in turn populates the location
of the PCP server.
This memo defines a new RADIUS attribute that can be used to carry
one or a list of PCP server names. As defined in
[I-D.ietf-pcp-dhcp], a PCP Server Name can be a DNS name, IP literals
strings, etc. This document is designed to allow for configuring PCP
Server name(s) which can be a DNS name, IP literals or any strings
which may be passed to a local name resolution library on the PCP
client side. Operational considerations related to the configuration
of PCP Server names are similar to those discussed in Section 4 and
Section 7 of [I-D.ietf-pcp-dhcp]. The proposed RADIUS option is
designed to accommodate various deployment contexts (e.g., dedicated
option per IP connectivity context, single option for dual-stack
access, etc.).
Maglione, et al. Expires April 19, 2013 [Page 3]
Internet-Draft PCP RADIUS Extensions October 2012
The approach described above is already used for providing the FQDN
of the AFTR in the DS-Lite scenario [RFC6333] and the equivalent
RADIUS attribute for the DS-Lite Tunnel Name is defined [RFC6519].
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
The following terms are defined in [I-D.ietf-pcp-base]:
- Port forwarding
- PCP
- PCP client
- PCP Server
The following term is defined in [I-D.ietf-pcp-dhcp]:
- PCP Server Name
3. PCP Server Configuration using RADIUS and DHCPv4/DHCPv6
Figure 1 illustrates an example of how RADIUS protocol works together
with DHCPv6, to allow a host to learn automatically the name of a PCP
server in case of a PPP session that carries IPv6 traffic.
The Network Access Server (NAS) operates as a client of RADIUS and
co-locates with a DHCPv6 Server for DHCPv6. The NAS initially sends
a RADIUS Access Request message to the RADIUS server, requesting
authentication. Once the RADIUS server receives the request, it
validates the sending client and if the request is approved, the
RADIUS server replies with an Access Accept message including a list
of attribute-value pairs that describe the parameters to be used for
this session. This list MAY also contain the name of a PCP server.
When the co-located DHCPv6 server receives a DHCPv6 message
containing the PCP Server Option, it SHALL use the name returned in
the RADIUS attribute as defined in this memo to populate the DHCPv6
PCP Server option defined in [I-D.ietf-pcp-dhcp]
Maglione, et al. Expires April 19, 2013 [Page 4]
Internet-Draft PCP RADIUS Extensions October 2012
PCP/DHCPv6 NAS AAA
Client DHCPv6 Server Server
| | |
|----PPP LCP Config Request------> | |
| | |
| |----Access-Request ---->|
| | |
| |<-Access-Accept---------|
| | (PCP-server-name) |
|<-----PPP LCP Config ACK ----- | |
| | |
| | |
|------ PPP IPv6CP Config Req ---->| |
| | |
|<----- PPP IPv6CP Config ACK -----| |
| | |
|------- DHCPv6 Solicit -------->| |
| | |
|<-------DHCPv6 Advertisement------| |
| (PCP server Name DHCPv6 Option) | |
| | |
|------- DHCPv6 Request -------->| |
| (PCP server Name DHCPv6 Option) | |
| | |
|<-------- DHCPv6 Reply --------- | |
| (PCP server Name DHCPv6 Option) | |
| | |
DHCPv6 RADIUS
Figure 1: RADIUS and DHCPv6 Message Flow for a PPP Session
The Figure 2 illustrates how the RADIUS protocol and DHCPv6 work
together to accomplish PCP client configuration when DHCPv6 is used
to provide connectivity to a requesting host.
The difference between this message flow and previous one is that in
this scenario the interaction between NAS and AAA/ RADIUS Server is
triggered by the DHCPv6 Solicit message received by the NAS from the
DHCPv6 client, while in case of a PPP Session the trigger is the PPP
LCP Config Request message received by the NAS.
Maglione, et al. Expires April 19, 2013 [Page 5]
Internet-Draft PCP RADIUS Extensions October 2012
PCP/DHCPv6 NAS AAA
Client DHCPv6 Server Server
| | |
|------ DHCPv6 Solicit ---------> | |
| | |
| |----Access-Request ---->|
| | |
| |<-Access-Accept---------|
| | (PCP-server-name) |
| | |
|<-------DHCPv6 Advertisement------| |
| (PCP server Name DHCPv6 Option) | |
| | |
|------- DHCPv6 Request -------->| |
| (PCP server Name DHCPv6 Option) | |
| | |
| <-------- DHCPv6 Reply --------- | |
| (PCP server Name DHCPv6 Option) | |
DHCPv6 RADIUS
Figure 2: RADIUS and DHCPv6 Message Flow for an IP Session
In the scenario depicted in Figure 2 the Access-Request packet
contains a Service-Type attribute with the value Authorize Only (17),
thus according to [RFC5080] the Access-Request packet MUST contain a
State attribute.
A similar message flow also applies to the IPv4 scenario when DHCPv4
is used to provide connectivity to the user (Figure 3).
Maglione, et al. Expires April 19, 2013 [Page 6]
Internet-Draft PCP RADIUS Extensions October 2012
PCP/DHCPv4 NAS AAA
Client DHCPv4 Server Server
| | |
|-------- DHCP Discovery --------> | |
| | |
| |----Access-Request ---->|
| | |
| |<-Access-Accept---------|
| | (PCP-server-name) |
| | |
|<--------- DHCP Offer ------------| |
| (PCP server Name Sub-Option) | |
| | |
|--------- DHCP Request -------->| |
| (PCP server Name Sub-Option) | |
| | |
| <--------- DHCP Ack -------------| |
| (PCP server Name Sub-Option) | |
DHCPv4 RADIUS
Figure 3: RADIUS and DHCPv4 Message Flow for an IP Session
After receiving the PCP server name in the initial Access-Accept the
NAS MUST store the received PCP Server Name locally. When the PCP
Client sends a DHCPv4 message to request an extension of the
lifetimes for the assigned address or prefix, the NAS does not have
to initiate a new Access-Request towards the AAA server to request
the PCP server name. The NAS retrieves the previously stored PCP
Server name and uses it in its reply.
If the DHCPv4 server to which the DHCP Renew message was sent at time
T1 has not responded, the DHCPv4 client initiates a Rebind/Reply
exchange with any available server. In this scenario the NAS MUST
initiate a new Access-Request towards the AAA server, after the co-
located DHCPv4 server receives the DHCP message. The NAS MAY include
the PCP Server Name attribute in its Access-Request.
If the NAS does not receive the PCP server name attribute in the
Access-Accept it MAY fallback to a pre-configured default tunnel
name, if any. If the NAS does not have any pre-configured default
tunnel name or if the NAS receives an Access-Reject, the PCP client
can not be configured by the NAS.
The scenario with PPP Session and IPv4 only connectivity does not
require DHCPv4: the whole configuration of the client is performed by
PPP. This case is out of scope of this document because in order to
complete the configuration of the PCP client a new PPP IPC option
Maglione, et al. Expires April 19, 2013 [Page 7]
Internet-Draft PCP RADIUS Extensions October 2012
would be required.
4. RADIUS Attribute
A new RADIUS attribute, called PCP-Server-Name, along with its format
is defined below.
Description
The PCP-server-name attribute contains a name or a list of names that
refers to a PCP server the client requests to establish a connection
to for PCP related service. The NAS shall use the name returned in
the RADIUS PCP-server-name attribute to populate the PCP Server Name
DHCP Sub-Option in IPv4 addressing context, or the PCP Server Name
DHCPv6 Option in IPv6 addressing context, as determined by the DHCP
server [I-D.ietf-pcp-dhcp]. The same or distinct PCP Server Names
may be configured; it is out of scope of this document to elaborate
on this point. Nevertheless, the PCP-server-name attribute conveys
an indication for the deployment context.
The PCP-server-name attribute MAY appear in an Access-Accept packet.
This attribute MAY be used in Access-Request packets as a hint to the
RADIUS server; for example if the NAS is pre-configured with a
default PCP server name, this name MAY be inserted in the attribute.
The RADIUS server MAY ignore the hint sent by the NAS and it MAY
assign a different PCP Server name. If the NAS includes the PCP
Server Name attribute, but the AAA server does not recognize it, this
attribute MUST be ignored by the AAA Server. If the NAS does not
receive PCP Server Name attribute in the Access-Accept it MAY
fallback to a pre-configured default PCP server name, if any. If the
NAS is pre-provisioned with a default PCP server name and the PCP
server name received in Access-Accept is different from the
configured default, then the PCP server name received in the Access-
Accept message MUST be used for the session.
The PCP server Name RADIUS attribute MAY be present in Accounting-
Request records where the Acct-Status-Type is set to Start, Stop or
Interim-Update. The PCP Server Name RADIUS attribute MUST NOT appear
more than once in a message.
A summary of the PCP-Server-Name RADIUS attribute format is shown
below. The fields are transmitted from left to right.
Maglione, et al. Expires April 19, 2013 [Page 8]
Internet-Draft PCP RADIUS Extensions October 2012
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | PCP-Server-Name ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Context |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type:
TBA1 for PCP-Server-Name.
Length:
This field indicates the total length in octets of this
attribute including the Type, the Length fields and the length
in octets of the PCP-Server-Name field
PCP-Server-Name:
One or a list of PCP Server Name(s). The domain name is encoded
as specified in [I-D.ietf-pcp-dhcp]
Context:
This field indicates the IP connectivity context:
0: Dual-Stack. The same option is provided for both DHCPv4
and DHCPv6 requesting hosts
1: This option is provided for DHCPv4 requesting hosts
2: This option is provided for DHCPv6 requesting hosts
The data type of PCP Server Name is a string with opaque
encapsulation, according to section 2.1 of [RFC6158]
5. Table of attributes
The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity.
Request Accept Reject Challenge Accounting # Attribute
Request
0-1 0-1 0 0 0-1 TBA1 PCP-Server-Name
The following table defines the meaning of the above table entries.
Maglione, et al. Expires April 19, 2013 [Page 9]
Internet-Draft PCP RADIUS Extensions October 2012
0 This attribute MUST NOT be present in packet.
0+ Zero or more instances of this attribute MAY be present in
packet.
0-1 Zero or one instance of this attribute MAY be present in packet.
6. Security Considerations
This document has no additional security considerations beyond those
already identified in [RFC2865].
7. IANA Considerations
This document requests the allocation of a new Radius attribute types
from the IANA registry "Radius Attribute Types" located at
http://www.iana.org/assignments/radius-types
PCP-Server-Name - TBA1
8. Acknowledgments
The authors would like to thank Mohamed Boucadair and Mario Ullio for
their valuable comments.
9. References
9.1. Normative References
[I-D.ietf-pcp-base]
Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
Selkirk, "Port Control Protocol (PCP)",
draft-ietf-pcp-base-28 (work in progress), October 2012.
[I-D.ietf-pcp-dhcp]
Boucadair, M., Penno, R., and D. Wing, "DHCP Options for
the Port Control Protocol (PCP)", draft-ietf-pcp-dhcp-05
(work in progress), September 2012.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000.
Maglione, et al. Expires April 19, 2013 [Page 10]
Internet-Draft PCP RADIUS Extensions October 2012
[RFC5080] Nelson, D. and A. DeKok, "Common Remote Authentication
Dial In User Service (RADIUS) Implementation Issues and
Suggested Fixes", RFC 5080, December 2007.
[RFC6158] DeKok, A. and G. Weber, "RADIUS Design Guidelines",
BCP 158, RFC 6158, March 2011.
[RFC6519] Maglione, R. and A. Durand, "RADIUS Extensions for Dual-
Stack Lite", RFC 6519, February 2012.
9.2. Informative References
[I-D.ietf-radext-ipv6-access]
Dec, W., Sarikaya, B., Zorn, G., Miles, D., and B.
Lourdelet, "RADIUS attributes for IPv6 Access Networks",
draft-ietf-radext-ipv6-access-11 (work in progress),
August 2012.
[RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
Stack Lite Broadband Deployments Following IPv4
Exhaustion", RFC 6333, August 2011.
Authors' Addresses
Roberta Maglione
Telecom Italia
Via Reiss Romoli 274
Torino 10148
Italy
Phone:
Email: roberta.maglione@telecomitalia.it
Dean Cheng
Huawei Technologies
2330 Central Expressway
Santa Clara, CA 95050
USA
Phone: +1 408 330 4754
Fax:
Email: Chengd@huawei.com
URI:
Maglione, et al. Expires April 19, 2013 [Page 11]
Internet-Draft PCP RADIUS Extensions October 2012
Mohamed Boucadair
France Telecom
Rennes, 35000
France
Phone:
Fax:
Email: mohamed.boucadair@orange.com
URI:
Maglione, et al. Expires April 19, 2013 [Page 12]