Internet Engineering Task Force Juha Heinanen
INTERNET DRAFT TutPro Inc.
Expires December 2003 June, 2003
Using Radius for PE-Based VPN Discovery
<draft-heinanen-radius-pe-discovery-04.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This document describes how in PE-based VPNs a PE of a VPN can use
Radius to authenticate its CEs and discover the other PEs of the VPN.
1. Introduction
This document describes how in PE-based VPNs a PE of a VPN can use
Radius [1-2] to authenticate its CEs and discover the other PEs of
the VPN. In Radius terms, the CEs are users and PEs are Network
Access Servers (NAS) implementing Radius client function.
A VPN can span multiple Autonomous Systems (AS) and multiple
providers. Each PE, however, only needs to be a Radius client to
Radius of the "local" provider. In case of a CE belongs to a
"foreign" VPN, Radius of the local provider acts as a proxy client to
Radius of the foreign provider.
Heinanen Using Radius for PE-Based VPN Discovery [Page 1]
INTERNET DRAFT June, 2003
2. Site Identification
Each CE (a VPN site) is identified by a "user name" of the form
[provider/]site@vpn
"provider" identifier, if present, denotes a provider that is the
administrative owner of the VPN. It is needed only if a CE connects
to a VPN at a PE that does not belong to the owner of the VPN and is
then used by Radius of the PE to proxy requests to Radius of the
owner of the VPN.
"site" identifier denotes a site in a VPN identified by "vpn". As an
example,
providerX/atlanta@vpnY.domainZ.net
could denote a CE called "atlanta" in a VPN identified by
"vpnY.domainZ.net", which is owned by providerX.
3. Radius Configuration
Each "provider" has a single Radius that stores all information
regarding VPNs that belong to the provider. For reliable operation
of this protocol, each Radius should consist of more than one
physical Radius server. For correct operation of this protocol, all
these physical servers MUST at all times share the same database
content.
For each VPN, Radius of the provider to which the VPN belongs to MUST
at all times be configured with a set of "users" that correspond to
the potential CEs of the VPN, i.e., CEs that are currently allowed to
be connected to the VPN at some PE. User information includes site
identifier, password, and VPN identifier:
<site, password, vpn>
User information MAY also include other information, such as a list
of PEs to which the CE is allowed to connect to and QoS information
regarding the CE's connection to the VPN.
In addition to the above manually configured information, Radius
keeps dynamically track of the PEs and CEs of a VPN in a database
table that has the following fields:
<vpn, PE IP address, site, timestamp>
Heinanen Using Radius for PE-Based VPN Discovery [Page 2]
INTERNET DRAFT June, 2003
received from the PE any Radius request:
<PE IP address, timestamp>
Timestamp tells the most recent time when the PE has authenticated
the site to the VPN. It is used by Radius to detect if a PE has
failed for a longer period of time or has been taken improperly out
of use, and if so, to clean up the site and PE from its database.
The PEs MAY also have pre-configured attributes telling, for example,
that a PE is a hub of a VPN.
If dynamic PE discovery capability of this protocol is not used,
Radius MUST be configured for each VPN with a list of its PEs. Such
a degenerate use of this protocol is not discussed further in this
memo.
In order to allow queries about CEs that are connected PEs of a
"foreign" provider, the Radius servers of this foreign provider MUST
be configured as clients in the Radius of the VPN owner.
4. PE Configuration
Each PE MUST be configured with the information about the Radius
servers of local Radius to which to send requests to. For
reliability reasons, each PE SHOULD have available more than one
physical Radius server.
5. Protocol Operation
5.1 Connecting a CE to a VPN at a PE
When a CE is to be connected to a VPN at a PE, the PE issues a Radius
Access-Request using the user name and password of the CE. The PE
has either learned this information from the CE via an authentication
protocol, for example, 802.1x/EAP, or it has been configured in the
PE.
Service-Type of the Access-Request is VPN-Login (value TBD).
If authentication succeeds and possible other (VPN or provider)
specific preconditions are met (for example, the CE is allowed to
connect to the particular PE and it is not already connected to some
other PE), Radius inserts a
<vpn, PE IP address, site, timestamp>
record in its database (replacing a possible earlier record that only
Heinanen Using Radius for PE-Based VPN Discovery [Page 3]
INTERNET DRAFT June, 2003
differs by the timestamp value) and responds with an Access-Accept.
Access-Accept includes as reply items a Session-Timeout attribute and
one or more PE-List attributes that contain all unique PE IP
addresses in the set
<vpn, *, *>
and possibly other CE specific information, e.g., QoS parameters.
Session-Timeout attribute tells to the PE for how long time Radius
considers the CE as connected to the VPN at the PE unless the PE re-
authenticates the CE. The value of the timestamp in
<vpn, PE IP address, site, timestamp>
record is the time of the Access-Accept plus the number of seconds in
the Session-Timeout attribute.
PE-List attribute contains a list of PE IP addresses. It is only
used in Access-Accept packets and has the following format:
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | String ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
TBD for PE-List
Length
16 + N * 4 bytes, where 1 <= N <= 63.
String
N IP Addresses of PEs (the most significant octet first in each
address).
After receiving the Access-Accept, the PE considers the CE as
connected to the VPN and issues a Start Accounting-Request.
If authentication fails or some pre-conditions are not met, Radius
responds with Access-Reject.
If a PE wants for some reason to get from Radius an up-to-date list
of PEs in a particular VPN, it can at any time issue a new Access-
Heinanen Using Radius for PE-Based VPN Discovery [Page 4]
INTERNET DRAFT June, 2003
Request for any one of its CEs that belongs to the VPN. In order to
keep the CE connected to the VPN at the PE, the PE MUST issue a new
Access-Request before the number of seconds returned by Radius in
Session-Timeout attribute of the most recent Access-Accept has
elapsed.
Note that this document does not define any protocol mechanisms by
which the other PEs of the VPN would be notified that a new CE was
connected to the VPN at the PE or that a new PE became associated
with the VPN. Such mechanisms belong to the VPN solution documents
that utilize the discovery protocol defined in this memo.
5.2 Disconnecting a CE from a VPN at a PE
When a CE is to be disconnected from the VPN at a PE, the PE issues a
Stop Accounting-Request. After receiving the request, Radius removes
the
<vpn, PE IP address, site>
record from its database and responds with an Accounting-Response.
The PE considers the CE as disconnected from the VPN at the PE when
it has received the Accounting-Response.
Note that this document does not define any protocol mechanisms by
which the other PEs of the VPN would be notified that a CE was
disconnected from the VPN at the PE or that the PE is not anymore
associated with the VPN. Such mechanisms belong to the VPN solution
documents that utilize the PE discovery protocol defined in this
memo.
5.3 PE Failure Detection and Recovery
When a PE recovers from a failure, it re-authenticates all CEs
connected to it in all VPNs and thus re-discovers all other PEs in
all those VPNs.
6. Scaling Limits
Since Radius protocol operates over UDP, the maximum UDP payload size
available for Radius attributes is limited to about 1500 - 40 = 1460
octets assuming that UDP fragmentation is not supported. The most
space consuming message is Access-Accept response, which contains a
list of IP addresses of the PEs of a VPN. This limits the number of
PEs in a VPN to about 350.
Besides the packet size, another factor limiting scalability of this
protocol might be the periodic re-authentication of CEs as required
Heinanen Using Radius for PE-Based VPN Discovery [Page 5]
INTERNET DRAFT June, 2003
by the Session-Timeout reply attribute. For example, if a provider
has 3600 VPN sites and uses a Session-Timeout value of 1 hour, then
Radius will get on the average of 1 Access-Requests per second.
7. Security Considerations
Security of Radius based VPN discovery depends on the security of
Radius that is covered in [1] and [2]. In multi-provider operation,
secure tunnels SHOULD be used to carry Radius traffic between
providers.
8. Compliance with PPVPN L2 Requirements
This document covers a PE discovery and CE authentication solution
for provider based VPNs. Thus only a small subset of the complete
PPVPN L2 requirements listed in [3] are applicable to this document.
The solution described in this document fulfills all the requirements
of section 6.3 of [3] on "Discovering L2VPN Related Information". In
particular:
(1) Radius based discovery allows PEs to dynamically discover
information about other PEs of a VPN with minimal or even with
no configuration in the PEs.
(2) Unauthorized access to the VPN can be prevented by
authentication that is an integral part of Radius.
(3) VPN membership information is only distributed to the PEs that
have sites that are members of the VPN.
Other aspects mentioned on section 6.3 of [3], such as propagation of
membership changes in a "timely manner" and no manual reconfiguration
of the other PEs, are not directly covered in this document. They
belong to VPN solution specifications that apply Radius based PE
discovery and CE authentication, such as the one described in [4].
The Radius based solution described in this document also complies
with all applicable generic requirements listed in [3]. In
particular:
(1) The PEs of a VPN can be associated with topology and tunneling
protocol information.
(2) VPN sites can be associated with QoS and access control
information.
(3) Radius has been widely implemented by existing PEs and has
Heinanen Using Radius for PE-Based VPN Discovery [Page 6]
INTERNET DRAFT June, 2003
very good interoperability record.
(4) Multi-provider/multi-AS VPNs are readily supported without any
extra complications.
(5) CEs of a VPN require either no configuration or minimal
configuration (user name/password).
(6) There is no practical limit on the number of VPNs and, with
hierarchical implementation, each VPN can have a very large
number of PEs and CEs.
(7) Radius based provisioning systems are readily available and are
easily adaptable to PE discovery.
In summary, Radius provides a good directory based alternative to
PPVPN PE discovery and a natural means to authenticate VPN CEs.
Acknowledgements
I would like to thank Mark Duffy, Joel Halpern, and Mark Townsley for
their constructive comments on earlier versions of this memo.
References
[1] C. Rigney, et al., "Remote Authentication Dial In User Service
(RADIUS)". RFC 2865, June 2000.
[2] C. Rigney, "RADIUS Accounting". RFC 2866, June 2000.
[3] W. Augustun, Y. Serbest, "Service Requirements for Layer 2
Provider Provisioned Virtual Private Networks". draft-augustyn-
ppvpn-l2vpn-requirements-02.txt, February 2003.
[4] J. Heinanen, "Radius/L2TP Based VPLS". draft-heinanen-radius-
l2tp-vpls-00.txt, February 2003.
Author's Address
Juha Heinanen
TutPro Inc.
Utsjoki, Finland
Email: jh@tutpro.com
Full Copyright
Copyright (C) The Internet Society (2000). All Rights Reserved.
Heinanen Using Radius for PE-Based VPN Discovery [Page 7]
INTERNET DRAFT June, 2003
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it or
assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are included
on all such copies and derivative works. However, this document itself
may not be modified in any way, such as by removing the copyright notice
or references to the Internet Society or other Internet organizations,
except as needed for the purpose of developing Internet standards in
which case the procedures for copyrights defined in the Internet
Standards process must be followed, or as required to translate it into
languages other than English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS
IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
Heinanen Using Radius for PE-Based VPN Discovery [Page 8]