Network Working Group                                       M. Boucadair
Internet-Draft                                              C. Jacquenet
Intended status: Standards Track                                  Orange
Expires: July 22, 2016                                  January 19, 2016


      RADIUS Extensions for Network-Assisted Multipath TCP (MPTCP)
                    draft-boucadair-mptcp-radius-00

Abstract

   One of the promising deployment scenarios for Multipath TCP (MPTCP)
   is to enable a Customer Premises Equipment (CPE) that is connected to
   multiple networks (e.g., DSL, LTE, WLAN) to optimize the usage of its
   network attachments.  Because of the lack of MPTCP support at the
   server side, some service providers consider a network-assisted model
   that relies upon the activation of a dedicated function called the
   MPTCP Concentrator.

   This document specifies a new Remote Authentication Dial-In User
   Service (RADIUS) attribute that carries the list of IP addresses that
   allow CPE devices to reach one or multiple MPTCP Concentrators.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 22, 2016.






Boucadair & Jacquenet     Expires July 22, 2016                 [Page 1]


Internet-Draft              RADIUS for MPTCP                January 2016


Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  MPTCP RADIUS Attribute  . . . . . . . . . . . . . . . . . . .   4
   3.  Sample Use Case . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   5.  Table of Attributes . . . . . . . . . . . . . . . . . . . . .   7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   7
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   One of the promising deployment scenarios for Multipath TCP (MPTCP,
   [RFC6824]) is to enable a Customer Premises Equipment (CPE) that is
   connected to multiple networks (e.g., DSL, LTE, WLAN) to optimize the
   usage of such resources, see for example [RFC4908].  This deployment
   scenario relies on MPTCP proxies located on both the CPE and network
   sides (Figure 1).  MPTCP Proxies deployed in the network play the
   role of traffic concentrator.

                         IP Network #1
    +------------+        _--------_    +------------+
    |            |       (e.g., LTE )   |            |
    |   CPE      +======================+            |
    | (MPTCP     |       (_        _)   |Concentrator|
    |  Proxy)    |         (_______)    | (MPTCP     |
    |            |                      |  Proxy)    |------> Internet
    |            |                      |            |
    |            |        IP Network #2 |            |
    |            |        _--------_    |            |
    |            |       ( e.g., DSL )  |            |
    |            +======================+            |
    |            |       (_        _)   |            |
    +-----+------+        (_______)     +------------+
          |
   ----CPE network----
          |
       end-nodes

                 Figure 1: "Network-Assisted" MPTCP Design

   Within this document, an MPTCP Concentrator (or concentrator) refers
   to a functional element that is responsible for aggregating the
   traffic originated by a group of CPEs.  This element is located in
   the network.  One or multiple concentrators can be deployed in the
   network to assist MPTCP-enabled CPEs to establish MPTCP connections
   via their available network attachments.  On the uplink path, the
   concentrator terminates the MPTCP connections [RFC6824] received from
   its customer-facing interfaces and transforms these connections into
   legacy TCP connections [RFC0793] towards upstream servers.  On the
   downlink path, the concentrator turns the legacy server's TCP
   connection into MPTCP connections towards its customer-facing
   interfaces.

   Both implicit (where a CPE has no specific knowledge of any
   concentrator deployed in the network) and explicit modes are
   considered to steer traffic towards an MPTCP Concentrator.  This
   document focuses on the explicit mode, which consists of explicitly
   configuring a CPE with the reachability information of an MPTCP
   Concentrator.

   This document specifies a new Remote Authentication Dial-In User
   Service (RADIUS, [RFC2865]) attribute that carries the MPTCP
   Concentrator IP address list (Section 2).  A sample use case is
   described in Section 3.  In order to accommodate both IPv4 and IPv6
   deployment contexts, the same attribute is used to convey an IPv4 or
   IPv6 address.  Note that one or multiple IPv4 and/or IPv6 addresses
   may be returned to a requesting CPE.

   This document assumes that the reachability information of the MPTCP
   Concentrator(s) can be stored in Authentication, Authorization, and
   Accounting (AAA) servers, while the CPE configuration is usually
   provided by means of DHCP ([RFC2131][RFC3315]).

   This specification assumes an MPTCP Concentrator is reachable through
   one or multiple IP addresses.  As such, a list of IP addresses can be
   communicated via RADIUS.  Also, it assumes the various network
   attachments provided to an MPTCP-enabled CPE are managed by the same
   administrative entity.

2.  MPTCP RADIUS Attribute

   The RADIUS MPTCP-Concentrator attribute contains the IP address of an
   MPTCP Concentrator that is assigned to a CPE.  Because multiple MPTCP
   Concentrator IP addresses may be provisioned to an authorized CPE
   (that is, a CPE entitled to solicit the resources of a concentrator
   to establish MPTCP connections), multiple instances of the MPTCP-
   Concentrator attribute MAY be included; each instance of the
   attribute carries a distinct IP address.

   The format of the MPTCP-Concentrator attribute is shown in Figure 2.
   The fields are transmitted from left to right.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |     Length    |          ip-address ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      //      ... ip-address          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 2

   The description of the fields is as follows:

   o  Type: TBA (see Section 6).

   o  Length: 6 or 18.

   o  ip-address: This field carries either an IPv4 address (32 bits)
      or an IPv6 address (128 bits) of the MPTCP Concentrator.

   The MPTCP-Concentrator attribute MUST NOT include multicast or host
   loopback addresses [RFC6890].  Anycast addresses may be included in
   an MPTCP-Concentrator attribute.
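   To make the wire format of Figure 2 and the address rules above
   concrete, the following Python encoder/decoder is an added example
   written for this page; it is not part of the draft and not taken from
   any RADIUS implementation.  The Type value 200 is a placeholder from
   the experimental range, because the real value is TBA (Section 6).
   The multicast and loopback checks rely on the classification in the
   Python ipaddress module, which covers the RFC 6890 multicast and
   loopback blocks; anycast addresses carry no distinguishing bits and
   therefore pass.  The User-Name attribute interleaved in the usage
   example is a constructed sample to show that foreign attributes are
   skipped.

```python
"""Encoder/decoder for the MPTCP-Concentrator RADIUS attribute (Figure 2).
Example code for this page; the Type value is a placeholder (TBA)."""
import ipaddress
import struct

MPTCP_CONCENTRATOR_TYPE = 200          # PLACEHOLDER: real Type is TBA
ALLOWED_LENGTHS = {6: 4, 18: 16}       # attribute Length -> address octets


def check_address(addr):
    """Apply the Section 2 address rules: reject multicast and host
    loopback addresses, accept everything else (including anycast).
    Accepts a string, an int or the packed bytes of the address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        raise ValueError(f"{ip} is a multicast address")
    if ip.is_loopback:
        raise ValueError(f"{ip} is a loopback address")
    return ip


def is_acceptable(addr):
    """Boolean form of check_address, also False for unparsable input."""
    try:
        check_address(addr)
    except ValueError:
        return False
    return True


def encode_attribute(addr):
    """Return one attribute instance: Type | Length | ip-address."""
    payload = check_address(addr).packed          # 4 or 16 octets
    return struct.pack("!BB", MPTCP_CONCENTRATOR_TYPE, 2 + len(payload)) + payload


def encode_attributes(addrs):
    """One attribute instance per address; each must carry a distinct IP."""
    ips = [check_address(a) for a in addrs]
    if len(set(ips)) != len(ips):
        raise ValueError("each instance must carry a distinct IP address")
    return b"".join(encode_attribute(str(ip)) for ip in ips)


def decode_attributes(blob):
    """Walk a RADIUS attribute list and return the MPTCP-Concentrator
    addresses in order.  Other attribute types are skipped; a malformed
    header or a Length other than 6 or 18 raises ValueError instead of
    returning a partial result."""
    addrs = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = struct.unpack_from("!BB", blob, offset)
        if a_len < 2 or offset + a_len > len(blob):
            raise ValueError(f"bad Length {a_len} at offset {offset}")
        value = blob[offset + 2:offset + a_len]
        offset += a_len
        if a_type != MPTCP_CONCENTRATOR_TYPE:
            continue
        if a_len not in ALLOWED_LENGTHS:
            raise ValueError(f"Length must be 6 or 18, got {a_len}")
        addrs.append(check_address(value))   # bytes -> validated address
    return addrs


if __name__ == "__main__":
    # Constructed sample: a User-Name "cpe" (Type 1) followed by an IPv4
    # and an IPv6 MPTCP-Concentrator instance.
    sample = bytes([1, 5]) + b"cpe" + encode_attributes(["192.0.2.1", "2001:db8::1"])
    print([str(a) for a in decode_attributes(sample)])
    print(is_acceptable("224.0.0.1"), is_acceptable("2001:db8::"))
```

   A receiver that validates the address on decode, as above, refuses a
   multicast or loopback concentrator address even when the server that
   produced the Access-Accept did not.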

   The MPTCP-Concentrator Attribute MAY appear in a RADIUS Access-Accept
   packet.  It MAY also appear in a RADIUS Access-Request packet as a
   hint to the RADIUS server to indicate a preference, although the
   server is not required to honor such a hint.

   The MPTCP-Concentrator Attribute MAY appear in a CoA-Request packet.

   The MPTCP-Concentrator Attribute MAY appear in a RADIUS Accounting-
   Request packet.

   The MPTCP-Concentrator Attribute MUST NOT appear in any other RADIUS
   packet.

3.  Sample Use Case

   This section does not aim to provide an exhaustive list of deployment
   scenarios where the use of the RADIUS MPTCP-Concentrator attribute
   can be helpful.  Typical deployment scenarios are described, for
   instance, in [RFC6911].

   Figure 3 shows an example where a CPE is assigned an MPTCP
   Concentrator.  This example assumes that the Network Access Server
   (NAS) embeds both RADIUS client and DHCPv6 server capabilities.

        CPE                               NAS                      AAA
    DHCPv6 client                      DHCPv6 server              server
         |                                  |                        |
         |---------DHCPv6 Solicit---------->|                        |
         |                                  |----Access-Request ---->|
         |                                  |                        |
         |                                  |<----Access-Accept------|
         |                                  | (MPTCP-Concentrator)   |
         |<-------DHCPv6 Advertisement------|                        |
         |        (OPTION_V6_MPTCP)         |                        |
         |                                  |                        |
         |---------DHCPv6 Request---------->|                        |
         |                                  |                        |
         |<---------DHCPv6 Reply------------|                        |
         |       (OPTION_V6_MPTCP)          |                        |

                      DHCPv6                          RADIUS

                     Figure 3: Sample Flow Example (1)

   Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends
   a RADIUS Access-Request message to the AAA server.  Once the AAA
   server receives the request, it replies with an Access-Accept message
   (possibly after having sent a RADIUS Access-Challenge message and
   assuming the CPE is entitled to connect to the network) that carries
   a list of parameters to be used for this session, which includes the
   MPTCP-Concentrator reachability information (namely a list of IP
   addresses).

   The content of the MPTCP-Concentrator attribute is then used by the
   NAS to complete the DHCPv6 procedure that the CPE initiated to
   retrieve information about the MPTCP Concentrator it has been
   assigned.

   Upon change of the MPTCP Concentrator assigned to a CPE, the RADIUS
   server sends a RADIUS CoA message [RFC5176] that carries the RADIUS
   MPTCP-Concentrator attribute to the NAS.  Once that message is
   accepted by the NAS, it replies with a RADIUS CoA ACK message.  The
   NAS replaces the old MPTCP Concentrator with the new one.

   Figure 4 shows another example where a CPE is assigned an MPTCP
   Concentrator, but the CPE uses DHCPv4 to retrieve the list of IP
   addresses of an MPTCP Concentrator.

        CPE                               NAS                      AAA
    DHCPv4 client                      DHCPv4 server              server
         |                                  |                        |
         |-----------DHCPDISCOVER---------->|                        |
         |                                  |----Access-Request ---->|
         |                                  |                        |
         |                                  |<----Access-Accept------|
         |                                  | (MPTCP-Concentrator)   |
         |<------------DHCPOFFER------------|                        |
         |         (OPTION_V4_MPTCP)        |                        |
         |                                  |                        |
         |------------DHCPREQUEST---------->|                        |
         |         (OPTION_V4_MPTCP)        |                        |
         |                                  |                        |
         |<-----------DHCPACK---------------|                        |
         |        (OPTION_V4_MPTCP)         |                        |

                       DHCPv4                         RADIUS

                     Figure 4: Sample Flow Example (2)

   Some deployments may rely on the mechanisms defined in [RFC4014] or
   [RFC7037], which allow a NAS to pass attributes obtained from a
   RADIUS server to a DHCP server.

4.  Security Considerations

   RADIUS-related security considerations are discussed in [RFC2865].

   MPTCP-related security considerations are discussed in [RFC6824] and
   [RFC6181].

   Traffic theft is a risk if an illegitimate concentrator is inserted
   in the path.  Indeed, inserting an illegitimate concentrator in the
   forwarding path allows an attacker to intercept traffic and can
   therefore provide access to sensitive data issued by or destined to a
   host.  To mitigate this threat, secure means to discover a
   concentrator should be enabled.

5.  Table of Attributes

   The following table provides a guide as to which types of RADIUS
   packets may contain this attribute, and in what quantity.

    Access- Access- Access-  Challenge Accounting #   Attribute
    Request Accept  Reject             Request
    0+      0+      0        0         0+         TBA MPTCP-Concentrator

    CoA-Request CoA-ACK CoA-NACK #   Attribute
    0+          0       0        TBA MPTCP-Concentrator

   The following table defines the meaning of the above table entries:

   0  This attribute MUST NOT be present in the packet.
   0+ Zero or more instances of this attribute MAY be present in the
      packet.
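   The packet-type rules of Section 2, the CoA replacement step of
   Section 3 and the table above can be exercised together in a small
   NAS-side model.  The following Python is an added example written
   for this page, not code from the draft or from any NAS product.  The
   RADIUS packet codes are the real ones from RFC 2865 and RFC 5176;
   the NasSessionStore class, its method names, and the session
   identifiers are assumptions made for the example, and attribute
   values are taken as already decoded address strings rather than raw
   octets.

```python
"""NAS-side model: where the MPTCP-Concentrator attribute may appear and
how a CoA-Request replaces an assigned concentrator (constructed example)."""
import ipaddress

# RADIUS packet codes (RFC 2865 and RFC 5176).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
ACCESS_CHALLENGE = 11
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Section 5 table: "0+" packet types may carry the attribute.  Every other
# code (Access-Reject, Access-Challenge, CoA-ACK, CoA-NAK, and anything not
# listed) falls under "MUST NOT appear in any other RADIUS packet".
MAY_CARRY = {ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST, COA_REQUEST}


def attribute_allowed(code, count):
    """True if `count` instances of MPTCP-Concentrator may appear in a
    packet with the given code; zero instances are allowed everywhere."""
    return count == 0 or code in MAY_CARRY


class NasSessionStore:
    """Per-session concentrator lists as a NAS would hold them.
    Assumed helper for this example, not defined by the draft."""

    def __init__(self):
        self.sessions = {}   # session id -> list of concentrator addresses
        self.anomalies = []  # (code, count) pairs that violate Section 5

    def inspect_packet(self, code, addrs):
        """Policy gate applied before a packet is acted upon.  A violation
        is recorded so it can be alerted on rather than silently dropped."""
        if attribute_allowed(code, len(addrs)):
            return True
        self.anomalies.append((code, len(addrs)))
        return False

    def on_access_accept(self, session, addrs):
        """Access-Accept: install the list the NAS will hand to the CPE in
        the DHCP exchange of Figure 3 or Figure 4."""
        if not self.inspect_packet(ACCESS_ACCEPT, addrs):
            return False
        self.sessions[session] = [ipaddress.ip_address(a) for a in addrs]
        return True

    def on_coa_request(self, session, addrs):
        """CoA-Request from the RADIUS server: replace the old concentrator
        list with the new one and return the reply code.  An unknown
        session or a policy violation is refused with CoA-NAK."""
        if session not in self.sessions:
            return COA_NAK
        if not self.inspect_packet(COA_REQUEST, addrs):
            return COA_NAK
        if addrs:
            self.sessions[session] = [ipaddress.ip_address(a) for a in addrs]
        return COA_ACK

    def concentrators(self, session):
        """Current concentrator list for a session, as strings."""
        return [str(a) for a in self.sessions.get(session, [])]


if __name__ == "__main__":
    # Constructed walk-through of Figure 3 followed by a CoA replacement.
    store = NasSessionStore()
    store.on_access_accept("cpe-1", ["192.0.2.10", "2001:db8::10"])
    print(store.concentrators("cpe-1"))
    print(store.on_coa_request("cpe-1", ["192.0.2.20"]) == COA_ACK,
          store.concentrators("cpe-1"))
```

   Recording the anomalies list, instead of merely ignoring an attribute
   in a packet type where it must not appear, gives an operator a simple
   signal that a RADIUS peer is misbehaving or has been tampered with.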

6.  IANA Considerations

   IANA is requested to assign a new RADIUS attribute type from the IANA
   registry "Radius Attribute Types" located at
   http://www.iana.org/assignments/radius-types:

      MPTCP-Concentrator (TBA)

7.  Acknowledgements

   To be completed.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, DOI 10.17487/RFC2865, June 2000,
              <http://www.rfc-editor.org/info/rfc2865>.

   [RFC6890]  Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
              "Special-Purpose IP Address Registries", BCP 153,
              RFC 6890, DOI 10.17487/RFC6890, April 2013,
              <http://www.rfc-editor.org/info/rfc6890>.

8.2.  Informative References

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981,
              <http://www.rfc-editor.org/info/rfc793>.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, DOI 10.17487/RFC2131, March 1997,
              <http://www.rfc-editor.org/info/rfc2131>.

   [RFC3315]  Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
              C., and M. Carney, "Dynamic Host Configuration Protocol
              for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
              2003, <http://www.rfc-editor.org/info/rfc3315>.

   [RFC4014]  Droms, R. and J. Schnizlein, "Remote Authentication Dial-
              In User Service (RADIUS) Attributes Suboption for the
              Dynamic Host Configuration Protocol (DHCP) Relay Agent
              Information Option", RFC 4014, DOI 10.17487/RFC4014,
              February 2005, <http://www.rfc-editor.org/info/rfc4014>.

   [RFC4908]  Nagami, K., Uda, S., Ogashiwa, N., Esaki, H., Wakikawa,
              R., and H. Ohnishi, "Multi-homing for small scale fixed
              network Using Mobile IP and NEMO", RFC 4908,
              DOI 10.17487/RFC4908, June 2007,
              <http://www.rfc-editor.org/info/rfc4908>.

   [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 5176,
              DOI 10.17487/RFC5176, January 2008,
              <http://www.rfc-editor.org/info/rfc5176>.

   [RFC6181]  Bagnulo, M., "Threat Analysis for TCP Extensions for
              Multipath Operation with Multiple Addresses", RFC 6181,
              DOI 10.17487/RFC6181, March 2011,
              <http://www.rfc-editor.org/info/rfc6181>.

   [RFC6824]  Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
              "TCP Extensions for Multipath Operation with Multiple
              Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013,
              <http://www.rfc-editor.org/info/rfc6824>.

   [RFC6911]  Dec, W., Ed., Sarikaya, B., Zorn, G., Ed., Miles, D., and
              B. Lourdelet, "RADIUS Attributes for IPv6 Access
              Networks", RFC 6911, DOI 10.17487/RFC6911, April 2013,
              <http://www.rfc-editor.org/info/rfc6911>.

   [RFC7037]  Yeh, L. and M. Boucadair, "RADIUS Option for the DHCPv6
              Relay Agent", RFC 7037, DOI 10.17487/RFC7037, October
              2013, <http://www.rfc-editor.org/info/rfc7037>.

Authors' Addresses

   Mohamed Boucadair
   Orange
   Rennes  35000
   France

   Email: mohamed.boucadair@orange.com


   Christian Jacquenet
   Orange
   Rennes
   France

   Email: christian.jacquenet@orange.com
