Authorization Option for DHCPv6 Relay Agents on Broadband Access Server
draft-yeh-dhc-dhcpv6-authorization-opt-00

Document Type Active Internet-Draft (individual)
Author Leaf Yeh
Last updated 2012-03-05
DHC Working Group                                            L. Yeh, Ed.
Internet-Draft                                       Huawei Technologies
Intended status: Standards Track                           March 5, 2012
Expires: September 6, 2012

Authorization Option for DHCPv6 Relay Agents on Broadband Access Server
               draft-yeh-dhc-dhcpv6-authorization-opt-00

Abstract

   The DHCPv6 authorization option provides a communication mechanism
   between the relay agent and the server.  This mechanism helps a
   centralized DHCPv6 server select the right configuration for the
   client based on authorization information obtained from a
   centralized RADIUS server that is not co-located with the DHCPv6
   server, in the case where the NAS acts as DHCPv6 relay agent and
   RADIUS client simultaneously.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 6, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Yeh                     Expires September 6, 2012               [Page 1]
Internet-Draft         DHCPv6 Authorization Option            March 2012

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Terminology and Language  . . . . . . . . . . . . . . . . . . . 3
   3.  Network Scenario  . . . . . . . . . . . . . . . . . . . . . . . 4
   4.  Option_Authorization  . . . . . . . . . . . . . . . . . . . . . 5
   5.  Sub-options of Option_Authorization . . . . . . . . . . . . . . 6
     5.1.  Option_Pool_Name  . . . . . . . . . . . . . . . . . . . . . 6
     5.2.  Option_Address_Prefix_Auth  . . . . . . . . . . . . . . . . 6
   6.  Relay Agent Behavior  . . . . . . . . . . . . . . . . . . . . . 7
   7.  Server Behavior . . . . . . . . . . . . . . . . . . . . . . . . 7
   8.  Client Behavior . . . . . . . . . . . . . . . . . . . . . . . . 8
   9.  Security Considerations . . . . . . . . . . . . . . . . . . . . 8
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
   11. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 8
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . . . 8
     12.1. Normative References  . . . . . . . . . . . . . . . . . . . 8
     12.2. Informative References  . . . . . . . . . . . . . . . . . . 9
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 9

1.  Introduction

   DHCPv6 has been designed for the server to provide, assign or
   delegate both stateful and stateless configuration parameters to
   clients.  The stateful configuration parameters include the IPv6
   address [RFC3315], the IPv6 prefix [RFC3633], etc.  The stateless
   configuration parameters include DNS [RFC3646], etc. [RFC3736].  The
   server is commonly deployed as a centralized server in the ISP
   network.

   RADIUS [RFC2865], essentially a stateless protocol, has been widely
   used as the centralized authentication, authorization and user
   management method for service provision in broadband access
   networks.  [RFC3162], [RFC4818] and [ietf-radext-ipv6-access-06]
   specify attributes that support service provision for IPv6 access;
   they authorize the NAS to assign an IPv6 address or prefix from an
   indicated pool, or to assign an IPv6 address or prefix with an
   explicitly indicated value, to users that also act as DHCPv6
   clients.

   These mechanisms work fine in deployment scenarios where the NAS
   acts as a distributed DHCPv6 server: the NAS can execute the
   indication carried in the attributes of the RADIUS Access-Accept
   message.  They may also be fine in a network architecture where the
   centralized DHCPv6 server is co-located with the RADIUS server, so
   that the two can share the same user database.  But when the NAS
   acts as relay agent and RADIUS client simultaneously, and the
   centralized DHCPv6 server is not co-located with the RADIUS server,
   a new communication mechanism is needed for the relay agent to
   transfer the authorization information obtained from the RADIUS
   attributes to the DHCPv6 server.

2.  Terminology and Language

   This document specifies a DHCPv6 option by which the relay agent
   provides information obtained from RADIUS attributes to the DHCPv6
   server.  It should be read in conjunction with [RFC2865], [RFC2869],
   [RFC3315] and [RFC4818] for an understanding of the complete DHCPv6
   and RADIUS mechanism for IPv6 service provision.  Terms and acronyms
   not defined in this document are defined in [RFC2865], [RFC2869],
   [RFC3315] and [RFC4818].

   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
   document, are to be interpreted as described in BCP 14, [RFC2119].

3.  Network Scenario

   Figure 1 shows the typical network scenario in which the
   communication mechanism introduced in this document is adopted.  In
   this scenario, the centralized DHCPv6 server is not co-located with
   the RADIUS server but is in the same administrative domain, and the
   NAS acts as relay agent and RADIUS client simultaneously.  Figure 1
   also shows the sequence of DHCPv6 and RADIUS messages when the
   communication mechanism introduced in this document is employed.

   +-------+                   +-------+                    +-------+
   |DHCPv6 |   Access Mode:    |  NAS  |                    |Radius |
   |Client |   PPPoE or IPoE   |(DHCPv6|                    |Server |
   |       |                   | Relay)|                    |       |
   +-------+                   +-------+                    +-------+
       |                           |                            |
       |---Solicit---------------->|                            |
                                   |---Access-Request---------->|
                                   |<--Access-Accept------------|
                                   |   (e.g. Framed-Pool)
                                   |   (e.g. Delegated-IPv6-Prefix)

              DHCPv6 messages             RADIUS messages

                                   |                        +-------+
                                   |                        |DHCPv6 |
                                   |                        |Server |
                                   |                        |       |
                                   |                        +-------+
                                   |---Relay-Forward----------->|
                                   |   (Option_Authorization)
                                   |<--Relay-Reply -------------|
       |<--Advertise---------------|
           (e.g. Prefix, Address)  |
       |---Request---------------->|
           (e.g. Prefix, Address)  |
                                   |---Relay-Forward----------->|
                                   |   (Option_Authorization)
                                   |<--Relay-Reply -------------|
       |<--Reply-------------------|
           (e.g. Prefix, Address)  |

              DHCPv6 messages             DHCPv6 messages

      Figure 1: Network Scenario and message sequence when employing
                      Authorization option of DHCPv6

4.  Option_Authorization

   Option_Authorization is a stateless DHCPv6 option used to carry
   information obtained from RADIUS attributes.  Those attributes
   include, but are not limited to, Framed-Pool (88) defined in
   [RFC2869], Delegated-IPv6-Prefix (123) defined in [RFC4818], and
   Framed-IPv6-Address, Stateful-IPv6-Address-Pool and Delegated-IPv6-
   Prefix-Pool defined in [ietf-radext-ipv6-access-06].

   The format of the Option_Authorization is defined as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Option_Authorization      |         option-length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Authorization-options or RADIUS Attributes...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code      Option_Authorization (TBD)
   option-length    Length of the option-data in Octets
   option-data      sub-options associated with Option_Authorization

   Discussion: The option-data of Option_Authorization may be presented
   in two alternative ways: one is to define the associated stateless
   sub-options as usual within the container option; the other is to
   adopt the method of [RFC4014] and include the RADIUS attributes
   directly in the option-data of Option_Authorization.

   Design-1: Sub-option as option-data of Option_Authorization

      Pros: 1. new sub-options are defined to meet new requirements in
      the usual way, and today's requirements are limited to address
      and prefix assignment; 2. it allows some liberty to develop
      options within the DHCPv6 protocol itself, with little dependence
      on the development progress of RADIUS.

      Cons: a new parser is needed for each new option.

   Section 5 adopts Design-1.

   Design-2: RADIUS attributes as option-data of Option_Authorization

      Pros: the parser code for RADIUS attributes can be reused.

      Cons: the DHCPv6 server must support the RADIUS parser code for
      the list of attributes associated with DHCPv6.

   Design-2 is left for further discussion.

5.  Sub-options of Option_Authorization

5.1.  Option_Pool_Name

   Option_Pool_Name is used to carry the name of the IPv6 address or
   prefix pool obtained from RADIUS attributes, including Framed-Pool
   (88) defined in [RFC2869] and Stateful-IPv6-Address-Pool and
   Delegated-IPv6-Prefix-Pool defined in [ietf-radext-ipv6-access-06],
   from which the client's IPv6 address or prefix is assigned.
   Option_Pool_Name is a sub-option of Option_Authorization; one or
   more Option_Pool_Name sub-options may appear in the same container
   Option_Authorization.  The format of Option_Pool_Name is defined as
   follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Option_Pool_Name       |         option-length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Pool Name...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code      Option_Pool_Name (TBD)
   option-length    Length of the field 'Pool Name' in Octets
   option-data      String data type, contains the name of address
                    pool or prefix pool configured on the DHCPv6
                    server.

   Discussion: Three RADIUS attributes of string data type are
   associated with IPv6 address and IPv6 prefix assignment through
   DHCPv6: Framed-Pool (88) defined in [RFC2869], and Stateful-IPv6-
   Address-Pool and Delegated-IPv6-Prefix-Pool defined in
   [ietf-radext-ipv6-access-06].  Does Option_Pool_Name need a 'Type'
   field?

5.2.  Option_Address_Prefix_Auth

   Option_Address_Prefix_Auth is used to carry the IPv6 address or
   prefix specified for the client according to the user information
   obtained from RADIUS attributes, including Delegated-IPv6-Prefix
   (123) defined in [RFC4818] and Framed-IPv6-Address defined in
   [ietf-radext-ipv6-access-06].  Option_Address_Prefix_Auth is a
   sub-option of Option_Authorization.  The format of
   Option_Address_Prefix_Auth is defined as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Option_Address_Prefix_Auth   |         option-length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | prefix-length |                                               |
   +-+-+-+-+-+-+-+-+                                               |
   |                      ipv6-prefix-address                      |
   |                          (16 octets)                          |
   |                                                               |
   |               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
   |               |
   +-+-+-+-+-+-+-+-+

   option-code            Option_Address_Prefix_Auth (TBD)
   option-length          17 in Octets
   prefix-length          Length of the prefix in bits; if the
                          prefix-length is 128, then the value in
                          the following 'ipv6-prefix-address' field
                          means an IPv6 address
   ipv6-prefix-address    A specified delegated IPv6 prefix or an
                          assigned IPv6 address

6.  Relay Agent Behavior

   The DHCPv6 relay agent must include Option_Authorization in the
   Relay-forward (12) message according to the authorization
   information (pool configured, address assigned or prefix delegated)
   carried in the RADIUS Access-Accept message.  When the Access-Accept
   message returned by the RADIUS server carries a valid value in any
   of the Framed-Pool (88), Stateful-IPv6-Address-Pool and Delegated-
   IPv6-Prefix-Pool attributes, the relay agent shall include
   Option_Pool_Name in the container Option_Authorization; when it
   carries a valid value in any of the Delegated-IPv6-Prefix (123) and
   Framed-IPv6-Address attributes, the relay agent shall include
   Option_Address_Prefix_Auth in the container Option_Authorization.

7.  Server Behavior

   The DHCPv6 server must delegate an IPv6 prefix or assign an IPv6
   address to the DHCPv6 client according to the information obtained
   from Option_Authorization.
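
   The sub-option formats of Section 5 together with the relay-agent
   (Section 6) and server (Section 7) behavior, as an added Python
   example that is not part of this draft: the relay-side encoder
   builds the container from pool names and prefixes taken from the
   RADIUS attributes, and the server-side parser checks every length
   field before using a sub-option.  The option codes are placeholders
   chosen for this example, since the draft leaves them TBD.

```python
import ipaddress
import struct

# Option codes are TBD in the draft; these values are placeholders for this example only.
OPT_AUTHORIZATION = 0xFFF0
OPT_POOL_NAME = 0xFFF1
OPT_ADDRESS_PREFIX_AUTH = 0xFFF2


def encode_option(code, data):
    """Standard DHCPv6 option header: 2-octet code, 2-octet length, then option-data."""
    return struct.pack("!HH", code, len(data)) + data


def encode_pool_name(name):
    """Option_Pool_Name: the pool name string is the whole option-data."""
    return encode_option(OPT_POOL_NAME, name.encode("utf-8"))


def encode_address_prefix_auth(prefix):
    """Option_Address_Prefix_Auth: 1-octet prefix-length + 16-octet prefix; /128 means an address."""
    net = ipaddress.IPv6Network(prefix)
    data = bytes([net.prefixlen]) + net.network_address.packed  # 17 octets
    return encode_option(OPT_ADDRESS_PREFIX_AUTH, data)


def build_authorization_option(pool_names=(), prefixes=()):
    """Relay-agent side (Section 6): one Option_Pool_Name per valid pool attribute
    and one Option_Address_Prefix_Auth per valid address/prefix attribute."""
    body = b"".join(encode_pool_name(n) for n in pool_names)
    body += b"".join(encode_address_prefix_auth(p) for p in prefixes)
    return encode_option(OPT_AUTHORIZATION, body)


def parse_authorization_option(option):
    """Server side (Section 7): walk the sub-options, checking every length against
    the container rather than trusting relay-supplied values; unknown codes are skipped."""
    if len(option) < 4:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != OPT_AUTHORIZATION or len(option) != 4 + length:
        raise ValueError("not a well-formed Option_Authorization")
    pools, prefixes = [], []
    pos, end = 4, 4 + length
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated sub-option header")
        sub_code, sub_len = struct.unpack("!HH", option[pos:pos + 4])
        data = option[pos + 4:pos + 4 + sub_len]
        if len(data) != sub_len:
            raise ValueError("sub-option length exceeds container")
        if sub_code == OPT_POOL_NAME:
            pools.append(data.decode("utf-8"))
        elif sub_code == OPT_ADDRESS_PREFIX_AUTH:
            if sub_len != 17 or data[0] > 128:
                raise ValueError("invalid Option_Address_Prefix_Auth")
            # strict=False masks stray host bits instead of rejecting the prefix
            prefixes.append(ipaddress.IPv6Network((data[1:17], data[0]), strict=False))
        pos += 4 + sub_len
    return pools, prefixes
```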

8.  Client Behavior

   Option_Authorization is only exchanged between the relay agents and
   the servers, so clients are never aware of its use.

9.  Security Considerations

   Known security vulnerabilities of the DHCPv6 protocol may apply to
   its options.  Security issues related to DHCPv6 are described in
   Section 23 of [RFC3315].

10.  IANA Considerations

   IANA is requested to assign option codes to Option_Authorization and
   its sub-options Option_Pool_Name and Option_Address_Prefix_Auth from
   the "DHCPv6 and DHCPv6 options" registry (http://www.iana.org/
   assignments/dhcpv6-parameters/dhcpv6-parameters.xml).

11.  Acknowledgements

   TBD

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC2869]  Rigney, C., Willats, W., and P. Calhoun, "RADIUS
              Extensions", RFC 2869, June 2000.

   [RFC3162]  Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6",
              RFC 3162, August 2001.

   [RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
              and M. Carney, "Dynamic Host Configuration Protocol for
              IPv6 (DHCPv6)", RFC 3315, July 2003.

   [RFC3633]  Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic
              Host Configuration Protocol (DHCP) version 6", RFC 3633,
              December 2003.

   [RFC3646]  Droms, R., "DNS Configuration options for Dynamic Host
              Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
              December 2003.

   [RFC3736]  Droms, R., "Stateless Dynamic Host Configuration Protocol
              (DHCP) Service for IPv6", RFC 3736, April 2004.

   [RFC4014]  Droms, R. and J. Schnizlein, "Remote Authentication
              Dial-In User Service (RADIUS) Attributes Suboption for the
              Dynamic Host Configuration Protocol (DHCP) Relay Agent
              Information Option", RFC 4014, February 2005.

   [RFC4818]  Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix
              Attribute", RFC 4818, April 2007.

12.2.  Informative References

   [ietf-radext-ipv6-access-06]
              Lourdelet, B., Dec, W., Sarikaya, B., Zorn, G., and D.
              Miles, "RADIUS attributes for IPv6 Access Networks",
              July 2011.

Author's Address

   Leaf Y. Yeh (editor)
   Huawei Technologies
   Shenzhen
   P. R. China

   Phone: +86-755-28978851
   Email: leaf.y.yeh@huawei.com
