Radext Working Group B. Lourdelet
Internet-Draft W. Dec, Ed.
Intended status: Standards Track Cisco Systems, Inc.
Expires: July 14, 2011 B. Sarikaya
Huawei USA
G. Zorn
Network Zen
D. Miles
Alcatel-Lucent
January 10, 2011
RADIUS attributes for IPv6 Access Networks
draft-ietf-radext-ipv6-access-03.txt
Abstract
This document specifies IPv6 RADIUS attributes, which complement
those of RFC3162, and are intended to be used in residential
broadband networks, where specific user configuration information is
expected to be passed as part of the AAA process between a NAS and an
AAA server. The attributes cover the assignment or reporting of the
following; a specific host IPv6 address; a recursive DNS IPv6 server
address; a specific IPv6 route announced to a host; a named IPv6
delegated prefix pool to be used for assignments to an accessing
host.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Lourdelet, et al. Expires July 14, 2011 [Page 1]
Internet-Draft RADIUS IPv6 Access January 2011
This Internet-Draft will expire on July 14, 2011.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Lourdelet, et al. Expires July 14, 2011 [Page 2]
Internet-Draft RADIUS IPv6 Access January 2011
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . 4
2.1. IPv6 Address Assignment . . . . . . . . . . . . . . . . . 5
2.2. Recursive DNS Servers . . . . . . . . . . . . . . . . . . 6
2.3. IPv6 Route Information . . . . . . . . . . . . . . . . . . 6
2.4. Delegated IPv6 Prefix Pool . . . . . . . . . . . . . . . . 6
3. Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.1. Framed-IPv6-Address . . . . . . . . . . . . . . . . . . . 7
3.2. DNS-Server-IPv6-Address . . . . . . . . . . . . . . . . . 8
3.3. Route-IPv6-Information . . . . . . . . . . . . . . . . . . 9
3.4. Delegated-IPv6-Prefix-Pool . . . . . . . . . . . . . . . . 10
3.5. Table of attributes . . . . . . . . . . . . . . . . . . . 10
3.6. RFC3162 Attribute coexistance . . . . . . . . . . . . . . 11
4. Diameter Considerations . . . . . . . . . . . . . . . . . . . 11
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
8.1. Normative References . . . . . . . . . . . . . . . . . . . 12
8.2. Informative References . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
Lourdelet, et al. Expires July 14, 2011 [Page 3]
Internet-Draft RADIUS IPv6 Access January 2011
1. Introduction
In IPv6 deployments DHCPv6 and/or ICMPv6 Router Advertisements can be
used to convey configuration information by a NAS towards accessing
hosts. Such information typically needs to be provisioned on the NAS
and may be done so on a per host or user basis using the AAA process.
This document specifies IPv6 RADIUS attributes used to support
configuration information allowed for by DHCPv6 and/or ICMPv6, which
complement the existing set defined in [RFC3162] and [RFC4818].
Specifically, attributes supporting the following information in
Radius are covered by this draft:
o The assignment or reporting of specific IPv6 addresses assigned to
hosts (where host address assignmenet takes place via DHCPv6)
o The passing by the NAS of IPv6 recursive DNS server addresses to a
host (where the NAS and accessing host use DHCPv6 or [RFC5006])
o The passing of IPv6 Route information by the NAS intended to be
advertised to the host (where the NAS and accessing host use
[RFC4191] or equivalent mechanisms).
o The assignment of a named prefix pool intended for Prefix
Delegation to a host (where the NAS and accessing host use
[RFC3633]).
2. Deployment Scenarios
A common broadband network scenario is illustrated in Figure 1. It
is composed of a IP Routing Residential Gateway (RG) or host, a Layer
2 Access-Node (e.g. a DSLAM), one or more IP Network Access Servers
(NASes), and an AAA server. The RG or host are expected to be multi
homed at Layer 2 to both NASes. Layer 2 Connectivity between the
host and NAS can be either via PPPoE or IP over Ethernet, and
established dynamically.
Lourdelet, et al. Expires July 14, 2011 [Page 4]
Internet-Draft RADIUS IPv6 Access January 2011
+-----+
(Radius) | AAA |
...........>| |
. +--+--+
v ^
+---+---+ .
| NAS | .(Radius)
| | .
+---+---+ v
+------+ | +---+---+
+------+ | AN | | | NAS |
| RG/ +-------| +-----------+----------+ |
| host | | | | |
+------+ (DSL) +------+ (Ethernet) +-------+
Figure 1
In the illustrated deployment scenario the NASes are assumed to embed
a DHCPv6 server function that allows them to locally handle any
DHCPv6 requests issued by RGs/hosts. This scenario is particularly
useful in illustrating the possible interaction between RADIUS and
DHCPv6, however the options defined in this document are not
restricted to be used only in the presence of such embedded
functionality.
The NAS interfaces to the AAA server by means of the RADIUS protocol.
The AAA server is expected to authenticate each accessing RG/host and
to return to the NAS per host authorization and network configuration
information that can comprise of: One or more IP addresses Recursive
DNS servers intended to be announced to the host; specific IP routes
to be announced to the host by a NAS; an explicit 128 bit IPv6
address that is to be statefuly assigned to a given RG/host. The NAS
can also report some of this information back to the AAA server in
accounting messages.
The known methods by which the NAS can communicate the above
information to RG/hosts are explained in each of the following sub-
sections.
2.1. IPv6 Address Assignment
DHCPv6 [RFC3315] provides a mechanism to assign one or more or non-
temporary IPv6 addresses to nodes complementing the ICMPv6 stateless
(SLAAC) method [RFC4862]. Simplistically, using SLAAC the NAS
announces to a host a /64 IPv6 prefix from which the host construct
its full 128 bit IPv6 address by appending an 64-bit interface-
identifier. By providing one or more hosts with only a /64 prefix,
network operators are have to rely on extra processes or procedures
Lourdelet, et al. Expires July 14, 2011 [Page 5]
Internet-Draft RADIUS IPv6 Access January 2011
to determine the exact IPv6 address that is being used by a host.
Such procedures typically involve processing of two existing
[RFC3162] attributes. In contrast to SLAAC, DHCPv6 allows for an
operator to uniquely assign a non-temporary address to a give host.
This document specifies a single RADIUS attribute intended to be used
for the assignment or accounting of a full 128-bit IPv6 addresses to
a host (typically via DHCPv6), without overloading or modifying the
implementations associated to the existing attributes.
2.2. Recursive DNS Servers
DHCPv6 provides an option for recursive DNS servers to hosts, as does
ICMPv6 with Router Advertisements supporting the experimental
[RFC5006] option. Existing IETF Radius attributes convey DNS as 32-
bit IPv4 addresses and cannot support a 128-bit IPv6 address. This
document specifies the RADIUS attribute to convey a list of IPv6 DNS
Recursive name server addresses, from an AAA server, which can that
can be conveyed by a NAS to a host.
2.3. IPv6 Route Information
In scenarios where Stateless Address Autoconfiguration (SLAAC)
[RFC4862] is used for address assignment, an ICMPv6 Router
Advertisement is multicast by the NAS with one or more Prefix
Information Options with the autonomous-bit set to true. In such
cases, the Prefix Information Option, is a /64 prefix to which a host
appends its locally-generated Interface Id to create a unique 128-bit
IPv6 address. [RFC3162] currently defines a Radius Framed-IPv6-
Prefix attribute that can be used by a NAS to advertise such on-link
prefixes in Router Advertisement messages. An IPv6 Route Information
option, defined in [RFC4191] is almost the inverse. It is intended
to be used to inform a host connected to the NAS that a specific
route is reachable via the NAS. This is particularly desirable in
cases where the RG or host are multi-homed to different NASes as
shown in Figure 1.
This document specifies the RADIUS attribute that allows the AAA
system to provision the announcement by the NAS of a specific Route
Information Option to an accessing host. The NAS may advertise this
route using the method defined in [RFC4191] or using other equivalent
methods.
2.4. Delegated IPv6 Prefix Pool
The use of DHCPv6 Prefix Delegation [RFC3633] involves a delegating
router selecting a prefix and delegating it on a temporary basis to a
requesting router. The delegating router may implement a number of
strategies as to how it chooses what prefix is to be delegated to a
Lourdelet, et al. Expires July 14, 2011 [Page 6]
Internet-Draft RADIUS IPv6 Access January 2011
requesting router, one of them being the use of a local named prefix
pool. The Delegated IPv6 Prefix Pool attribute is intended to allow
the AAA system to convey the selected prefix pool name to a NAS
hosting a DHCPv6-PD server and acting as a delegating router. While
similar in principle, this attribute is not to be confused with the
[RFC3162]Framed-IPv6-Pool attribute, which is intended for selecting
an address from a pool for assignment to a user interface nor with
[RFC4818] that conveys a specific prefix.
3. Attributes
The fields shown in the diagrams below are transmitted from left to
right.
3.1. Framed-IPv6-Address
This Attribute indicates an IPv6 Address that is assigned to the NAS-
facing interface of the RG/host. It MAY be used in Access-Accept
packets, and MAY appear multiple times. It MAY be used in an Access-
Request packet as a hint by the NAS to the server that it would
prefer these IPv6 address(es), but the server is not required to
honor the hint. Since it is assumed that the NAS will add a route
corresponding to the address, it is not necessary for the server to
also send a host Framed-IPv6-Route attribute for the same address.
This Attribute can be used by a DHCPv6 process on the NAS to assign a
unique IPv6 address to the RG/host, or it can be used for
a-posteriori validation or announcement of an auto configured address
to the AAA server.
A summary of the Framed-IPv6-Address Attribute format is shown below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont.) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Lourdelet, et al. Expires July 14, 2011 [Page 7]
Internet-Draft RADIUS IPv6 Access January 2011
Type
TBA1 for Framed-IPv6-Address
Length
18
Address
The Address field contains a 128-bit IPv6 address.
3.2. DNS-Server-IPv6-Address
The DNS-Server-IPv6-Address Attribute contains the IPv6 address of a
recursive DNS server. This attribute MAY be included multiple times
in Access-Accept packets, when the intention is for a NAS to announce
more than one recursive DNS address to an RG/host.
The content of this attribute can be inserted in a Router
Advertisement as specified in [RFC5006] or mapped to the matching
DHCPv6 option.
A summary of the DNS-Server-IPv6-Address Attribute format is given
below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont.) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
TBA2 for DNS-Server-IPv6-Address
Length
18
Lourdelet, et al. Expires July 14, 2011 [Page 8]
Internet-Draft RADIUS IPv6 Access January 2011
Address
The 128-bit IPv6 address of a DNS server.
3.3. Route-IPv6-Information
This Attribute specifies a prefix (and corresponding route) to be
authorized for announcement towards the user by the NAS, with the
reachable by means of routing towards the NAS. It is used in the
Access-Accept packet and can appear multiple times. It may also be
used in the Access-Request packet as hint to the server.
A summary of the Route-IPv6-Information attribute format is shown
below. The route information option defined in [RFC4191] is captured
in this and following two attributes.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Reserved | Prefix-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. Prefix (variable) .
. .
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
TBA3 for Route-IPv6-Information
Length
Length in bytes. At least 4 and no larger than 20; typically 12
or less.
Prefix Length
The length of the prefix, in bits; at least 0 and no more than
128; typically 64 or less.
Prefix
Variable-length field containing an IP prefix. The Prefix Length
field contains the number of valid leading bits in the prefix.
The bits in the prefix after the prefix length (if any) up to the
byte boundary are reserved and MUST be initialized to zero by the
Lourdelet, et al. Expires July 14, 2011 [Page 9]
Internet-Draft RADIUS IPv6 Access January 2011
sender and ignored by the receiver.
3.4. Delegated-IPv6-Prefix-Pool
This Attribute contains the name of an assigned pool that SHOULD be
used to select an IPv6 delegated prefix for the user. If a NAS does
not support multiple prefix pools, the NAS MUST ignore this
Attribute.
A summary of the Delegated-IPv6-Prefix-Pool Attribute format is shown
below. The fields are transmitted from left to right.
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
TBA4 for Delegated-IPv6-Prefix-Pool
Length
Length in bytes. At least 4.
String
The string field contains the name of an assigned IPv6 prefix pool
configured on the NAS. The field is not NULL (hex 00) terminated.
3.5. Table of attributes
The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity.
Request Accept Reject Challenge Accounting # Attribute
Request
0+ 0+ 0 0 0+ TBA1 Framed-IPv6-Address
0+ 0+ 0 0 0+ TBA2 DNS-Server-IPv6-Address
0 0+ 0 0 0+ TBA3 Route-IPv6-Information
0 0-1 0 0 0-1 TBA4 Delegated-IPv6-Prefix-Pool
Lourdelet, et al. Expires July 14, 2011 [Page 10]
Internet-Draft RADIUS IPv6 Access January 2011
3.6. RFC3162 Attribute coexistance
Syntactically, the Framed-IPv6-Address and the [RFC3162] Framed-IPv6-
Prefix attributes are identical. In terms of their applied
semantics, however the former represents a full 128-bit IPv6 address
while the latter a /64 prefix intended to be applied with SLAAC on a
NAS access interface. These attributes are envisaged to co-exist in
Radius messages and given existing NAS applications for the Framed-
IPv6-Prefix it is recommended that each attribute be used for its
intended purposes. A functional substitution of one attribute for
the other may however be an optional configuration feature of a
Radius client and server.
4. Diameter Considerations
Given that the Attributes defined in this document are allocated from
the standard RADIUS type space (see Section 6), no special handling
is required by Diameter entities.
5. Security Considerations
This document describes the use of RADIUS for the purposes of
authentication, authorization and accounting in IPv6-enabled
networks. In such networks, the RADIUS protocol may run either over
IPv4 or over IPv6. Known security vulnerabilities of the RADIUS
protocol apply to the attributes defined in this document. Since
IPSEC is natively defined for IPv6, it is expected that running
RADIUS implementations supporting IPv6 may want to run over IPSEC.
Where RADIUS is run over IPSEC and where certificates are used for
authentication, it may be desirable to avoid management of RADIUS
shared secrets, so as to leverage the improved scalability of public
key infrastructure.
6. IANA Considerations
This document requires the assignment of three new RADIUS Attribute
Types in the "Radius Types" registry (currently located at
http://www.iana.org/assignments/radius-types for the following
attributes:
o Framed-IPv6-Address
o DNS-Server-IPv6-Address
Lourdelet, et al. Expires July 14, 2011 [Page 11]
Internet-Draft RADIUS IPv6 Access January 2011
o Route-IPv6-Information
o Delegated-IPv6-Prefix-Pool
IANA should allocate these numbers from the standard RADIUS
Attributes space using the "IETF Review" policy [RFC5226].
7. Acknowledgements
The authors would like to thank Alfred Hines, Alan DeKok, Peter
Deacon and Mark Smith for their help and comments in reviewing this
document.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, September 2007.
8.2. Informative References
[RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6",
RFC 3162, August 2001.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic
Host Configuration Protocol (DHCP) version 6", RFC 3633,
December 2003.
[RFC4191] Draves, R. and D. Thaler, "Default Router Preferences and
More-Specific Routes", RFC 4191, November 2005.
[RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix
Attribute", RFC 4818, April 2007.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007.
Lourdelet, et al. Expires July 14, 2011 [Page 12]
Internet-Draft RADIUS IPv6 Access January 2011
[RFC5006] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
"IPv6 Router Advertisement Option for DNS Configuration",
RFC 5006, September 2007.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
Authors' Addresses
Benoit Lourdelet
Cisco Systems, Inc.
Village ent. GreenSide, Bat T3,
400, Av de Roumanille,
06410 BIOT - Sophia-Antipolis Cedex
France
Phone: +33 4 97 23 26 23
Email: blourdel@cisco.com
Wojciech Dec (editor)
Cisco Systems, Inc.
Haarlerbergweg 13-19
Amsterdam , NOORD-HOLLAND 1101 CH
Netherlands
Email: wdec@cisco.com
Behcet Sarikaya
Huawei USA
1700 Alma Dr. Suite 500
Plano, TX
US
Phone: +1 972-509-5599
Email: sarikaya@ieee.org
Lourdelet, et al. Expires July 14, 2011 [Page 13]
Internet-Draft RADIUS IPv6 Access January 2011
Glen Zorn
Network Zen
1310 East Thomas Street
Seattle, WA
US
Email: gwz@net-zen.net
David Miles
Alcatel-Lucent
L3 / 215 Spring St
Melbourne, Victoria 3000,
Australia
Phone:
Fax:
Email: David.Miles@alcatel-lucent.com
URI:
Lourdelet, et al. Expires July 14, 2011 [Page 14]