Network Working Group K. Chowdhury
Internet-Draft Nortel Networks
Expires: January 10, 2005 A. Lior
Bridgewater Systems
July 12, 2004
RADIUS Attributes for Mobile IPv6 bootstrapping
draft-chowdhury-mip6-bootstrap-radius-00.txt
Status of this Memo
By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed,
and any of which I become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 10, 2005.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
This document defines new attributes to facilitate Mobile IPv6
bootstrapping via a RADIUS infrastructure. In an access network
where the user attaches to get IPv6 access, there may be a Network
Access Server (NAS) or an Access Gateway that will require
authentication and authorization. In some cases, this type of access
authentication takes place via RADIUS infrastructure. As part of the
authentication setup the NAS may receive useful configuration
information from the home RADIUS server of the user. In case of
Chowdhury & Lior Expires January 10, 2005 [Page 1]
Internet-Draft July 2004
Mobile IPv6 access, the Home RADIUS server may assign various
information relevant to the user's device for bootstrapping.
Table of Contents
1. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1 Home Agent or a List of Home Agents . . . . . . . . . . . 4
2.2 Home Link Prefix or a list of Home Link prefixes . . . . . 5
2.3 Home Address . . . . . . . . . . . . . . . . . . . . . . . 5
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. RADIUS attributes to carry Mobile IPv6 parameters . . . . . . 7
4.1 Home Agent Attribute . . . . . . . . . . . . . . . . . . . 7
4.2 Home Link Prefix Attribute . . . . . . . . . . . . . . . . 7
4.3 Home Address . . . . . . . . . . . . . . . . . . . . . . . 8
5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 10
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
9. Normative References . . . . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 13
Intellectual Property and Copyright Statements . . . . . . . . 14
1. Motivation
The Mobile IPv6 specification [RFC3775] requires a Mobile Node (MN) to
register with a Home Agent, supplying information about its current
point of attachment (its Care-of Address). The Home Agent creates and
maintains a binding between the MN's Home Address and the MN's Care-of
Address.
In order to register with a Home Agent, the MN needs to know
information such as the Home Link prefix, the Home Agent address, the
Home Address and the Home Link prefix length. Moreover, during normal
operation of the Mobile IPv6 session, the MN needs to know the
lifetime of the Home Address.
The aforementioned set of information may be statically provisioned
in the MN. However, static provisioning of this information has its
drawbacks. It increases the provisioning and network-maintenance
burden for the operator. Moreover, static provisioning does not allow
load balancing, failover, opportunistic home link assignment and the
like. For example, the user may be accessing the network from a
location that is geographically far away from the preconfigured home
link, or the cost of the link between the NAS and the Home Link may be
too great. In these situations static provisioning may not be
desirable.
Dynamic assignment of Mobile IPv6 home registration information is a
desirable feature for ease of deployment and network maintenance.
For this purpose, the Home RADIUS server, which is used for access
authentication, can be leveraged to assign some or all of the
necessary parameters. The Home RADIUS server may return these
parameters to the NAS.
The NAS may convey the received information to the MN using various
techniques. One such technique may utilize the role of the NAS as a
relay agent for Dynamic Host Configuration Protocol. In this case,
upon receiving the information from the Home RADIUS server, the NAS
forwards the set of parameters to the DHCP server. The DHCP server
attaches the information in new DHCP options while responding to an
information-request from the MN. The part where the NAS acts as a
DHCP relay agent and forwards the received information to the DHCP
server is outside the scope of this document.
2. Overview
                                  |
              Visited Network     |      Home Network
                                  |
            +-------+             |          +-------+
            |       |             |          |       |
            |Visited|-------------|----------| Home  |
            |RADIUS |             |          |RADIUS |
            |       |             |          |       |
            +-------+             |          +-------+
                |                 |              |
                |                 |              |
                |     +------+    |              |
                |  +--| DHCP |    |              |
                |  |  |Server|    |              |
                |  |  +------+    |              |
                |  |              |              |
             +-----+              |           +-----+
     +----+  |     |              |           | Home|
     | MN |--| NAS/|              |           |Agent|
     +----+  |Relay|              |           |     |
             +-----+              |           +-----+
In the typical Mobile IPv6 access scenario as shown above, the MN
attaches in a visited network. During this attach procedure, the NAS
authenticates and authorizes the MN for IPv6 access service. In the
scenario shown, the authentication and authorization happens via
RADIUS infrastructure.
At the time of authorizing the user for IPv6 access, the Home RADIUS
server detects that the user is authorized for Mobile IPv6 access.
Based on Home network policy, the Home RADIUS server may allocate
several parameters to the MN for use during the subsequent Mobile
IPv6 Binding Update. The parameters are described in the following
subsections.
2.1 Home Agent or a List of Home Agents
The Home network provider may decide to assign a Home Agent to the MN
that is in close proximity to the point of attachment (e.g.
determined by the NAS-ID). There may be other reasons for assigning
Home Agents to the MN, e.g. load sharing in the network. The Home
network may also assign a list of Home Agents for the MN to choose
from.
2.2 Home Link Prefix or a list of Home Link prefixes
For the same reason as HA assignment, the Home network may assign a
Home Link that is in close proximity to the point of attachment
(NAS-ID). The Home RADIUS server may also assign a list of Home Link
prefixes to the MN and allow the MN to choose one. The MN can
perform [RFC3775] specific procedures to discover other information
for Mobile IPv6 registration. The length of the assigned prefix(es)
can be included as well.
2.3 Home Address
The Home RADIUS server may assign a Home Address to the MN. This
allows the network operator to support mobile devices that are not
configured with static addresses. The lifetime of the Home Address
can be indicated along with the address.
3. Terminology
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC 2119.
4. RADIUS attributes to carry Mobile IPv6 parameters
This section defines the format and syntax of the attributes that
carry the Mobile IPv6 parameters described in section 2.
The attributes MAY be present in Access-Accept and Accounting-Request
messages.
4.1 Home Agent Attribute
This attribute is sent by the RADIUS server to the NAS in an
Access-Accept message. The attribute carries one or more assigned
Home Agent addresses to the NAS.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |           Reserved            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 IPv6 address of assigned HA-1                 |
   |                              ...                              |
   |                 IPv6 address of assigned HA-n                 |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type:
ASSIGNED-HA-TYPE to be defined by IANA.
Length:
>= 20 octets
Reserved:
Reserved for future use. All bits set to 0.
IPv6 address of assigned HA-1 to HA-n:
128-bit IPv6 address of one or more assigned Home Agents. The
addresses appear in the order of preference.
4.2 Home Link Prefix Attribute
This attribute is sent by the RADIUS server to the NAS in an
Access-Accept message. It carries the assigned Home Link prefix, or a
list of assigned Home Link prefixes, to the NAS.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |   HL Length   |   Reserved    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 IPv6 address of assigned HL-1                 |
   |                              ...                              |
   |                 IPv6 address of assigned HL-n ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type:
ASSIGNED-HL-TYPE to be defined by IANA.
Length:
>= 4 octets + the minimum length of a prefix.
HL Length:
8-bit unsigned integer, representing the length in octets of
the Home Link Prefix(es).
Reserved:
Reserved for future use. All bits set to 0.
IPv6 address of assigned HL-1 to HL-n:
Home Link prefixes (upper order bits) of the assigned Home
Links where the MN should send binding update. The Home Link
prefixes appear in the order of preference.
4.3 Home Address
This attribute is sent by the RADIUS server to the NAS in an
Access-Accept message. The attribute carries the assigned Home IPv6
Address for the MN.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |           Lifetime            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                                                               |
   |                  Assigned IPv6 Home Address                   |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type:
ASSIGNED-HOA-TYPE to be defined by IANA.
Length:
>= 20 octets.
Lifetime:
16-bit unsigned integer. The number of time units remaining
before the IPv6 Home Address MUST be considered expired. A
value of zero indicates that the IPv6 Home Address has expired.
One time unit is 4 seconds.
Assigned IPv6 Home Address:
IPv6 Home Address that is assigned to the MN.
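An encoder and validating decoder for the three attribute layouts defined in 4.1 to 4.3, added here as an example and not part of the draft: the Type codes 240 to 242 are placeholders standing in for the values IANA would assign, and any sample addresses are constructed.

```python
import ipaddress
import struct

# The draft leaves the Type codes to IANA; 240-242 are placeholders for this example only.
ASSIGNED_HA_TYPE, ASSIGNED_HL_TYPE, ASSIGNED_HOA_TYPE = 240, 241, 242
LIFETIME_UNIT_SECONDS = 4  # section 4.3: one Lifetime unit is 4 seconds


def encode_home_agent(addresses):
    """Type | Length | 16-bit Reserved | one 128-bit HA address each, in preference order.
    The RADIUS Length octet caps this at 15 addresses; struct raises beyond that."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return struct.pack("!BBH", ASSIGNED_HA_TYPE, 4 + len(body), 0) + body


def encode_home_link_prefix(prefixes, hl_len):
    """Type | Length | HL Length | Reserved | the upper-order hl_len octets of each prefix."""
    body = b"".join(ipaddress.IPv6Network(p).network_address.packed[:hl_len] for p in prefixes)
    return struct.pack("!BBBB", ASSIGNED_HL_TYPE, 4 + len(body), hl_len, 0) + body


def encode_home_address(address, lifetime_seconds):
    """Type | Length | 16-bit Lifetime in 4-second units | 128-bit Home Address."""
    lifetime = lifetime_seconds // LIFETIME_UNIT_SECONDS
    return struct.pack("!BBH", ASSIGNED_HOA_TYPE, 20, lifetime) + ipaddress.IPv6Address(address).packed


def decode(attr):
    """Decode one attribute, rejecting anything that breaks the draft's length rules,
    so a NAS never relays a truncated or padded value on to the MN."""
    if len(attr) < 4 or attr[1] != len(attr):
        raise ValueError("Length octet does not match attribute size")
    atype, length = attr[0], attr[1]
    if atype == ASSIGNED_HA_TYPE:
        if length < 20 or (length - 4) % 16 or attr[2:4] != b"\0\0":
            raise ValueError("malformed Home Agent attribute")
        return "HA", [str(ipaddress.IPv6Address(attr[i:i + 16])) for i in range(4, length, 16)]
    if atype == ASSIGNED_HL_TYPE:
        hl_len = attr[2]
        if not 1 <= hl_len <= 16 or length <= 4 or (length - 4) % hl_len or attr[3]:
            raise ValueError("malformed Home Link Prefix attribute")
        # Pad each truncated prefix back to 128 bits; the prefix length is HL Length * 8 bits.
        return "HL", [str(ipaddress.IPv6Network((attr[i:i + hl_len].ljust(16, b"\0"), hl_len * 8)))
                      for i in range(4, length, hl_len)]
    if atype == ASSIGNED_HOA_TYPE:
        if length != 20:  # the fixed layout in 4.3 is exactly 20 octets
            raise ValueError("malformed Home Address attribute")
        lifetime = struct.unpack("!H", attr[2:4])[0]
        return "HOA", str(ipaddress.IPv6Address(attr[4:20])), lifetime * LIFETIME_UNIT_SECONDS
    raise ValueError("unknown attribute type %d" % atype)
```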
5. Table of Attributes
The following table provides a guide to which attributes may be found
in RADIUS messages and in what number.
   Request   Accept   Reject   Challenge   #     Attribute
     0        0-1       0         0        TBD   Home Agent
     0        0-1       0         0        TBD   Home Link Prefix
     0        0-1       0         0        TBD   Home Address
The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present.
0-1 Zero or one instance of this attribute MAY be present.
6. Security Considerations
Assignment of these values to a user should be based on successful
authentication of the user's access at the NAS. The Home RADIUS
server should only assign these values to a user who is authorized
for Mobile IPv6 service (this check could be performed against the
user's subscription profile in the Home Network).
The NAS to the Home RADIUS server transactions must be adequately
secured. Otherwise there is a possibility that the user may receive
fraudulent values from a rogue RADIUS server potentially hijacking
the user's Mobile IPv6 session.
These new attributes do not introduce additional security threats
beyond those identified in [RFC2865].
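The requirement above, that the NAS must not act on these attributes unless the Access-Accept genuinely came from the home RADIUS server, shown as an added example (not part of the draft) using the Response Authenticator check that [RFC2865] already defines; the shared secret, Request Authenticator, Type code 240 and HA address are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample values for this example only.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # the 16 octets the NAS sent in its Access-Request
ACCESS_ACCEPT_CODE = 2
ASSIGNED_HA_TYPE = 240  # placeholder; the real Type is to be assigned by IANA


def build_access_accept(identifier, attributes, request_auth, secret):
    """Access-Accept with the RFC 2865 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT_CODE, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def accept_is_authentic(packet, request_auth, secret):
    """Recompute the Response Authenticator over the received packet and compare it
    in constant time; a reply that fails this must not be acted on."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def assigned_home_agents(packet, request_auth, secret):
    """Return the assigned Home Agent list only from an authenticated Access-Accept.
    None means the NAS learned nothing, so a forged or altered reply cannot steer
    the MN's home registration."""
    if not accept_is_authentic(packet, request_auth, secret) or packet[0] != ACCESS_ACCEPT_CODE:
        return None
    pos, agents = 20, []
    while pos < len(packet):  # walk the Type/Length/Value attribute list
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            return None
        atype, alen = packet[pos], packet[pos + 1]
        if atype == ASSIGNED_HA_TYPE and alen >= 20 and (alen - 4) % 16 == 0:
            agents += [str(ipaddress.IPv6Address(packet[i:i + 16])) for i in range(pos + 4, pos + alen, 16)]
        pos += alen
    return agents


# Constructed Home Agent attribute (section 4.1) carrying one assigned HA address.
HA_ATTRIBUTE = bytes([ASSIGNED_HA_TYPE, 20, 0, 0]) + ipaddress.IPv6Address("2001:db8::1").packed
```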
7. IANA Considerations
The RADIUS attribute types ASSIGNED-HA-TYPE, ASSIGNED-HL-TYPE and
ASSIGNED-HOA-TYPE MUST be assigned by IANA.
8. Acknowledgements
Thanks to the following individuals for their review and constructive
comments during the development of this document:
Mark Watson, Jayshree Bharatia.
9. Normative References
[RFC2865] Rigney, C., Willens, S., Rubens, A. and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", RFC
2865, June 2000.
[RFC3775] Johnson, D., Perkins, C. and J. Arkko, "Mobility Support
in IPv6", RFC 3775, June 2004.
Authors' Addresses
Kuntal Chowdhury
Nortel Networks
2221 Lakeside Blvd.
Richardson, TX 75082
US
Phone: +1 972-685-7788
EMail: chowdury@nortelnetworks.com
Avi Lior
Bridgewater Systems
303 Terry Fox Drive, Suite 100
Ottawa, Ontario
Canada K2K 3J1
Phone: +1 613-591-6655
EMail: avi@bridgewatersystems.com
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.