Network Working Group                                  B. Lourdelet, Ed.
Internet-Draft                                               W. Dec, Ed.
Intended status: Standards Track                     Cisco Systems, Inc.
Expires: June 20, 2010                                       B. Sarikaya
                                                              Huawei USA
                                                                 G. Zorn
                                                             Network Zen
                                                                D. Miles
                                                          Alcatel-Lucent
                                                       December 17, 2009


               RADIUS attributes for IPv6 Access Networks
               draft-lourdelet-radext-ipv6-access-02.txt

Abstract

   IPv6 nodes can have configuration information provided to them using
   DHCPv6 and/or Router Advertisements.  This document specifies RADIUS
   attributes that complement RFC3162 for use with DHCPv6 and/or Router
   Advertisements (SLAAC) for use in network access scenarios.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on June 20, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the



Lourdelet, et al.         Expires June 20, 2010                 [Page 1]


Internet-Draft             RADIUS IPv6 Access              December 2009


   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.






























Table of Contents

   1.  Requirements Language . . . . . . . . . . . . . . . . . . . . . 3
   2.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   3.  Deployment Scenarios  . . . . . . . . . . . . . . . . . . . . . 3
     3.1.  IPv6 Address Assignment . . . . . . . . . . . . . . . . . . 3
     3.2.  Recursive DNS Servers . . . . . . . . . . . . . . . . . . . 3
     3.3.  IPv6 Route Information  . . . . . . . . . . . . . . . . . . 4
   4.  Attributes  . . . . . . . . . . . . . . . . . . . . . . . . . . 4
     4.1.  Framed-IPv6-Address . . . . . . . . . . . . . . . . . . . . 4
     4.2.  IPv6-DNS-Server-Address . . . . . . . . . . . . . . . . . . 5
     4.3.  IPv6-Route-Information  . . . . . . . . . . . . . . . . . . 6
     4.4.  Table of attributes . . . . . . . . . . . . . . . . . . . . 7
   5.  Diameter Considerations . . . . . . . . . . . . . . . . . . . . 8
   6.  Security Considerations . . . . . . . . . . . . . . . . . . . . 8
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 8
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 9
     9.1.  Normative References  . . . . . . . . . . . . . . . . . . . 9
     9.2.  Informative References  . . . . . . . . . . . . . . . . . . 9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 9
































1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].


2.  Introduction

   This document specifies new IPv6 RADIUS attributes used to support
   IPv6 network access.  As IPv6 specifies two configuration mechanisms
   (DHCPv6 and SLAAC), the attributes defined in this document may apply
   to DHCPv6, SLAAC or both; the new attributes are targeted at both
   protocols where that makes sense.  The RADIUS attributes defined in
   [RFC3162] and [RFC4818] do not define methods for the assignment of
   IPv6 addresses to hosts (via DHCPv6) or of IPv6 recursive DNS servers
   (via DHCPv6 or [RFC5006]), nor for passing route prefix information
   (via [RFC4191]).  The RADIUS attributes to do so are the subject of
   this draft.


3.  Deployment Scenarios

3.1.  IPv6 Address Assignment

   DHCPv6 [RFC3315] provides a mechanism to assign one or more
   non-temporary IPv6 addresses to nodes.  In IPv6, both SLAAC and DHCPv6
   can be used for address assignment.  While SLAAC provides a host with
   a /64 IPv6 prefix from which to construct its address, the host is
   free to construct a 64-bit Interface ID that, when concatenated with
   the /64 prefix, yields a unique address.  By providing a host only a
   /64, network operators are unaware of the exact IP addresses in use by
   a device.  In contrast to SLAAC, DHCPv6 requires that a host
   explicitly request non-temporary addresses from a DHCPv6 server,
   giving an operator control over address assignment.  This document
   specifies a new RADIUS attribute for the assignment of non-temporary
   IPv6 addresses to a host via DHCPv6.  Other DHCPv6 parameters such as
   preferred and valid address lifetimes are provided by the NAS and not
   through RADIUS attributes.  As a DHCPv6 client may request an address
   at any time, a RADIUS server may be required to service additional
   RADIUS Access-Requests for a single network access session.

3.2.  Recursive DNS Servers

   DHCPv6 provides an option to convey recursive DNS servers to hosts,
   as does a Router Advertisement supporting the experimental [RFC5006].
   Existing DHCPv4 options only convey DNS servers as 32-bit IPv4
   addresses and cannot carry a 128-bit IPv6 address.  In the current
   RADIUS specifications there are no IETF/IANA-defined attributes for
   recursive DNS servers, and many NAS implement vendor-specific
   attributes (e.g., Ascend-Primary-DNS).  In some operator environments
   a network access session may be configured with a specific set of one
   or more recursive DNS servers.  This document specifies a new RADIUS
   attribute to convey a list of IPv6 addresses that a host can use for
   domain name service.  Best current practice is to configure hosts
   with more than one recursive domain name server; in the RADIUS
   environment this is achieved by returning multiple
   IPv6-DNS-Server-Address attributes within an Access-Accept.  The NAS
   shall use the addresses returned in the RADIUS IPv6-DNS-Server-Address
   attribute for the DHCPv6 DNS-Servers option [RFC3646], the Router
   Advertisement Recursive DNS Server Option [RFC5006], or both.

3.3.  IPv6 Route Information

   In scenarios where Stateless Address Autoconfiguration (SLAAC)
   [RFC4862] is used for address assignment, a Router Advertisement is
   multicast with one or more Prefix Information Options with the
   autonomous-bit set.  A Prefix Information Option, when used for
   SLAAC, carries a /64 prefix to which a host appends its locally
   generated Interface ID to create a unique 128-bit IPv6 address.
   [RFC3162] currently defines a Framed-IPv6-Prefix attribute which can
   be used by a NAS to advertise on-link prefixes in a Router
   Advertisement Prefix Information Option [RFC4861].  The IPv6 Route
   Information attribute is almost the inverse; it is intended to
   instruct a host connected to the NAS that a specific route is
   reachable via the NAS/router.  [RFC4191] defines an ICMPv6 Route
   Information Option for this purpose, i.e., to convey route
   information from a router to a host.  The Route Information Option is
   used in environments where multiple advertising routers are present;
   it tells a host which router should be the next hop for each specific
   route.  For each IPv6-Route-Information attribute, the NAS may
   advertise a unique [RFC4191] Route Information Option.


4.  Attributes

   The fields shown in the diagrams below are transmitted from left to
   right.

4.1.  Framed-IPv6-Address

   This Attribute indicates an IPv6 address that is assigned to the
   uplink, NAS-facing interface of the user equipment.  It MAY be used in
   Access-Accept packets, and can appear multiple times.  It MAY be used
   in an Access-Request packet as a hint by the NAS to the server that
   it would prefer these IPv6 address(es), but the server is not
   required to honor the hint.  Since it is assumed that the NAS, when
   necessary, will add a route corresponding to the address, it is not
   necessary for the server to also send a host Framed-IPv6-Route
   attribute for the same address.

   This Attribute can be used by DHCPv6 to offer a unique IPv6 address,
   or can be used for a-posteriori validation or announcement of an
   autoconfigured address.

   A summary of the Framed-IPv6-Address Attribute format is shown below.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |     Length    |            Address
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                              Address (cont)
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                              Address (cont)
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                              Address (cont)
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Address (cont.)        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      TBA1 for Framed-IPv6-Address

   Length

      18

   Address

      The Address field contains a 128-bit IPv6 address.

4.2.  IPv6-DNS-Server-Address

   The IPv6-DNS-Server-Address Attribute contains the IPv6 address of a
   DNS server.  This attribute MAY be included multiple times in Access-
   Accept packets.

   The content of this attribute can be inserted in a Router
   Advertisement as specified in [RFC5006] or mapped to the matching
   DHCPv6 option.






   A summary of the IPv6-DNS-Server-Address Attribute format is given
   below.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |     Length    |            Address
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                              Address (cont)
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                              Address (cont)
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                              Address (cont)
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Address (cont.)        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      TBA2 for IPv6-DNS-Server-Address

   Length

      18

   Address

      The 128-bit IPv6 address of a DNS server.

4.3.  IPv6-Route-Information

   This Attribute specifies a prefix (and corresponding route) to be
   authorized for announcement towards the user by the NAS, with the
   prefix reachable by means of routing towards the NAS.  It is used in
   the Access-Accept packet and can appear multiple times.  It may also
   be used in the Access-Request packet.

   A summary of the IPv6-Route-Information attribute format is shown
   below.  The Route Information Option defined in [RFC4191] is captured
   in this attribute.













        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |    Length     |   Reserved    | Prefix-Length |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                                                               |
       .                        Prefix (variable)                      .
       .                                                               .
       |                                                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


   Type

      TBA3 for IPv6-Route-Information

   Length

      Length in bytes.  At least 4 and no larger than 20; typically 12
      or less.

   Prefix Length

      The length of the prefix, in bits; at least 0 and no more than
      128; typically 64 or less.

   Prefix

      Variable-length field containing an IPv6 prefix.  The Prefix Length
      field contains the number of valid leading bits in the prefix.
      The bits in the prefix after the prefix length (if any) up to the
      byte boundary are reserved and MUST be initialized to zero by the
      sender and ignored by the receiver.

4.4.  Table of attributes

   The following table provides a guide to which attributes may be found
   in which kinds of packets, and in what quantity.


 Request Accept Reject Challenge Accounting  #  Attribute
                                    Request
 0+      0+     0      0         0+        TBA1  Framed-IPv6-Address
 0+      0+     0      0         0+        TBA2  IPv6-DNS-Server-Address
 0       0+     0      0         0+        TBA3  IPv6-Route-Information
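   As an added example (not part of this draft), the following Python
   encodes the three attributes of Sections 4.1 to 4.3 and parses them
   back the way a NAS should: enforcing the fixed Length of 18, the
   4..20 Length and 0..128 Prefix-Length bounds, the "ignore reserved
   trailing bits" rule, and the Section 4.4 occurrence table.  The Type
   values are placeholders chosen for the example, since TBA1..TBA3 are
   not yet assigned.

```python
import ipaddress
import struct

# The draft leaves the Type codes as TBA1..TBA3; these values are placeholders
# chosen for this example only, not IANA assignments.
T_FRAMED_IPV6_ADDRESS = 241      # stands in for TBA1
T_IPV6_DNS_SERVER_ADDRESS = 242  # stands in for TBA2
T_IPV6_ROUTE_INFORMATION = 243   # stands in for TBA3
NAMES = {T_FRAMED_IPV6_ADDRESS: "Framed-IPv6-Address",
         T_IPV6_DNS_SERVER_ADDRESS: "IPv6-DNS-Server-Address",
         T_IPV6_ROUTE_INFORMATION: "IPv6-Route-Information"}
# Section 4.4: packet kinds in which each attribute may appear ("0+" cells);
# kinds absent here (Access-Reject, Access-Challenge) allow none of them.
ALLOWED = {"Access-Request": {"Framed-IPv6-Address", "IPv6-DNS-Server-Address"},
           "Access-Accept": set(NAMES.values()),
           "Accounting-Request": set(NAMES.values())}

def encode_address(attr_type, address):
    """Type | Length = 18 | 128-bit Address (Sections 4.1 and 4.2)."""
    return struct.pack("!BB", attr_type, 18) + ipaddress.IPv6Address(address).packed

def encode_route_information(prefix):
    """Type | Length | Reserved | Prefix-Length | Prefix (Section 4.3).
    Only enough bytes to hold Prefix-Length bits are sent; trailing bits in
    the last byte are zero because strict=True rejects set host bits."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    hdr = struct.pack("!BBBB", T_IPV6_ROUTE_INFORMATION, 4 + nbytes, 0, net.prefixlen)
    return hdr + net.network_address.packed[:nbytes]

def decode_attributes(data, packet_kind):
    """Parse a RADIUS attribute list, enforcing the draft's Length and
    Prefix-Length rules and the Section 4.4 table.  Returns [(name, value)];
    raises ValueError on anything malformed so the NAS never installs it."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length %d overruns packet" % length)
        value = data[pos + 2:pos + length]
        name = NAMES.get(attr_type)
        if name is None:
            out.append(("Unknown-%d" % attr_type, value))
        elif name not in ALLOWED.get(packet_kind, set()):
            raise ValueError("%s not permitted in %s" % (name, packet_kind))
        elif attr_type != T_IPV6_ROUTE_INFORMATION:
            if length != 18:
                raise ValueError("%s requires Length 18, got %d" % (name, length))
            out.append((name, ipaddress.IPv6Address(value)))
        else:
            if not 4 <= length <= 20:
                raise ValueError("IPv6-Route-Information Length %d not in 4..20" % length)
            plen = value[1]
            if plen > 128 or len(value) - 2 < (plen + 7) // 8:
                raise ValueError("Prefix-Length %d inconsistent with Length" % plen)
            addr = int.from_bytes(value[2:].ljust(16, b"\0"), "big")
            # Bits past Prefix-Length are reserved: the receiver ignores them.
            if plen < 128:
                addr &= ~((1 << (128 - plen)) - 1)
            out.append((name, ipaddress.IPv6Network((addr, plen))))
        pos += length
    return out
```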








5.  Diameter Considerations

   Since the Attributes defined in this document are allocated from the
   standard RADIUS type space (see Section 7), no special handling is
   required by Diameter entities.


6.  Security Considerations

   This document describes the use of RADIUS for the purposes of
   authentication, authorization and accounting in IPv6-enabled
   networks.  In such networks, the RADIUS protocol may run either over
   IPv4 or over IPv6.  Known security vulnerabilities of the RADIUS
   protocol apply to the attributes defined in this document.  Since
   IPsec is natively defined for IPv6, it is expected that running
   RADIUS implementations supporting IPv6 may want to run over IPsec.
   Where RADIUS is run over IPsec and where certificates are used for
   authentication, it may be desirable to avoid management of RADIUS
   shared secrets, so as to leverage the improved scalability of public
   key infrastructure.


7.  IANA Considerations

   This document requires the assignment of three new RADIUS Attribute
   Types in the "Radius Types" registry (currently located at
   http://www.iana.org/assignments/radius-types) for the following
   attributes:

   o  Framed-IPv6-Address

   o  IPv6-DNS-Server-Address

   o  IPv6-Route-Information

   IANA should allocate these numbers from the standard RADIUS
   Attributes space using the "IETF Review" policy [RFC5226].


8.  Acknowledgements

   The authors would like to thank Alfred Hines for his contributions
   and comments to this document.


9.  References







9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
              Address Autoconfiguration", RFC 4862, September 2007.

9.2.  Informative References

   [RFC2868]  Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege,
              M., and I. Goyret, "RADIUS Attributes for Tunnel Protocol
              Support", RFC 2868, June 2000.

   [RFC3162]  Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6",
              RFC 3162, August 2001.

   [RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
              and M. Carney, "Dynamic Host Configuration Protocol for
              IPv6 (DHCPv6)", RFC 3315, July 2003.

   [RFC3646]  Droms, R., "DNS Configuration options for Dynamic Host
              Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
              December 2003.

   [RFC4191]  Draves, R. and D. Thaler, "Default Router Preferences and
              More-Specific Routes", RFC 4191, November 2005.

   [RFC4818]  Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix
              Attribute", RFC 4818, April 2007.

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              September 2007.

   [RFC5006]  Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
              "IPv6 Router Advertisement Option for DNS Configuration",
              RFC 5006, September 2007.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.











Authors' Addresses

   Benoit Lourdelet (editor)
   Cisco Systems, Inc.
   Village ent. GreenSide, Bat T3,
   400, Av de Roumanille,
   06410 BIOT - Sophia-Antipolis Cedex
   France

   Phone: +33 4 97 23 26 23
   Email: blourdel@cisco.com


   Wojciech Dec (editor)
   Cisco Systems, Inc.
   Haarlerbergweg 13-19
   Amsterdam, NOORD-HOLLAND 1101 CH
   Netherlands

   Email: wdec@cisco.com


   Behcet Sarikaya
   Huawei USA
   1700 Alma Dr. Suite 500
   Plano, TX
   US

   Phone: +1 972-509-5599
   Email: sarikaya@ieee.org


   Glen Zorn
   Network Zen
   1310 East Thomas Street
   Seattle, WA
   US

   Email: gwz@net-zen.net














   David Miles
   Alcatel-Lucent
   L3 / 215 Spring St
   Melbourne, Victoria 3000,
   Australia

   Email: David.Miles@alcatel-lucent.com








































