| PCP WG | R. Maglione |
| Internet-Draft | |
| Intended status: Standards Track | D. Cheng |
| Expires: September 13, 2013 | Huawei Technologies |
| M. Boucadair | |
| France Telecom | |
| March 12, 2013 |
RADIUS Extensions for Port Control Protocol (PCP)
draft-maglione-pcp-radius-ext-06
This document specifies a new Remote Authentication Dial In User Service (RADIUS) attribute to carry a Port Control Protocol (PCP) Server Names. This attribute can be configured on a RADIUS server so that the information can be conveyed to Network Access Server (NAS) via RADIUS protocol, and the co-located Dynamic Host Configuration Protocol (DHCP/DHCPv6) server can then populate the information to PCP client.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 13, 2013.
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Port Control Protocol (PCP) [I-D.ietf-pcp-base] provides a mechanism to control how incoming packets are forwarded by upstream devices such as NATs and firewalls. PCP is a client/server protocol where a PCP client may reside on a host, a Customer Premises Equipment (CPE), etc., which communicates with a PCP server that may reside anywhere in a network.
[I-D.ietf-pcp-base] defines a procedure for the PCP client to communicate with its PCP Server. The IP address of the PCP Server(s) can be configured to the PCP client; if not the PCP client assumes its default router as being its PCP server.
[I-D.ietf-pcp-dhcp] defines DHCPv6 and DHCPv4 options which are meant to be used by a PCP client to discover a PCP server name. However, provisioning for name of the PCP server is required on a DHCPv4/DHCPv6 server before it can populate this information.
Auto-configuration on a DHCPv4/DHCPv6 is possible in a broadband network, where typically, user profile is maintained on a Remote Authentication Dial In User Service (RADIUS) server and RADIUS protocol [RFC2865] is used to convey user-related information to other network elements including a host and CPE. [I-D.ietf-radext-ipv6-access] describes a typical broadband network scenario in which the Network Access Server (NAS) acts as the access gateway for the users (hosts or CPEs) and the NAS embeds a DHCPv6 Server function that allows it to locally handle any DHCPv6 requests issued by the clients.
In such environment, PCP server's name can be configured on a RADIUS server, which then passes the information to a NAS that co-locates with the DHCPv4/DHCPv6 server, which in turn populates the location of the PCP server.
This document defines a new RADIUS attribute that can be used to carry a PCP server name. As defined in [I-D.ietf-pcp-dhcp], a PCP Server Name can be a DNS name, IP literals strings, etc. This document is designed to allow for configuring PCP Server name which can be a DNS name, IP literals or any strings which may be passed to a local name resolution library on the PCP client side. Multiple occurrences of the PCP server name RADIUS attribute is supported.
The proposed RADIUS attribute is designed to accommodate various deployment contexts (e.g., dedicated option per IP connectivity context, single option for dual-stack access, etc.).
The approach described above is already used for providing the FQDN of the AFTR in the DS-Lite scenario [RFC6333] and the equivalent RADIUS attribute for the DS-Lite Tunnel Name is defined [RFC6519].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
The following terms are defined in [I-D.ietf-pcp-base]:
The following term is defined in
Figure 1 illustrates an example of how RADIUS protocol works together with DHCPv6, to allow a host to learn automatically the name of a PCP server in case of a PPP session that carries IPv6 traffic.
The Network Access Server (NAS) operates as a client of RADIUS and co-locates with a DHCPv6 Server for DHCPv6. The NAS initially sends a RADIUS Access Request message to the RADIUS server, requesting authentication. Once the RADIUS server receives the request, it validates the sending client and if the request is approved, the RADIUS server replies with an Access Accept message including a list of attribute-value pairs that describe the parameters to be used for this session. This list MAY also contain the name of a PCP server. When the co-located DHCPv6 server receives a DHCPv6 message containing the PCP Server Option, it SHALL use the name returned in the RADIUS attribute as defined in this memo to populate the DHCPv6 PCP Server option defined in [I-D.ietf-pcp-dhcp].
PCP/DHCPv6 NAS AAA
Client DHCPv6 Server Server
| | |
|----PPP LCP Config Request------> | |
| |----Access-Request ---->|
| | |
| |<-Access-Accept---------|
| | (PCP-Server-Name) |
|<-----PPP LCP Config ACK ----- | |
| | |
|------ PPP IPv6CP Config Req ---->| |
| | |
|<----- PPP IPv6CP Config ACK -----| |
| | |
|------- DHCPv6 Solicit -------->| |
| | |
|<-------DHCPv6 Advertisement------| |
| (PCP server Name DHCPv6 Option) | |
| | |
|------- DHCPv6 Request -------->| |
| (PCP server Name DHCPv6 Option) | |
| | |
|<-------- DHCPv6 Reply --------- | |
| (PCP server Name DHCPv6 Option) | |
DHCPv6 RADIUS
Figure 1: RADIUS and DHCPv6 Message Flow for a PPP Session
The Figure 2 illustrates how the RADIUS protocol and DHCPv6 work together to accomplish PCP client configuration when DHCPv6 is used to provide connectivity to a requesting host.
The difference between this message flow and previous one is that in this scenario the interaction between NAS and AAA/ RADIUS Server is triggered by the DHCPv6 Solicit message received by the NAS from the DHCPv6 client, while in case of a PPP Session the trigger is the PPP LCP Config Request message received by the NAS.
PCP/DHCPv6 NAS AAA
Client DHCPv6 Server Server
| | |
|------ DHCPv6 Solicit ---------> | |
| | |
| |----Access-Request ---->|
| | |
| |<-Access-Accept---------|
| | (PCP-Server-Name) |
| | |
|<-------DHCPv6 Advertisement------| |
| (PCP Server Name DHCPv6 Option) | |
| | |
|------- DHCPv6 Request -------->| |
| (PCP Server Name DHCPv6 Option) | |
| | |
| <-------- DHCPv6 Reply --------- | |
| (PCP Server Name DHCPv6 Option) | |
DHCPv6 RADIUS
Figure 2: RADIUS and DHCPv6 Message Flow for an IP Session
In the scenario depicted in Figure 2 the Access-Request packet contains a Service-Type attribute with the value Authorize Only (17), thus according to [RFC5080] the Access-Request packet MUST contain a State attribute.
A similar message flow also applies to the IPv4 scenario when DHCPv4 is used to provide connectivity to the user (Figure 3).
PCP/DHCPv4 NAS AAA
Client DHCPv4 Server Server
| | |
|-------- DHCP Discovery --------> | |
| | |
| |----Access-Request ---->|
| | |
| |<-Access-Accept---------|
| | (PCP-Server-Name) |
| | |
|<--------- DHCP Offer ------------| |
| (PCP server Name Sub-Option) | |
| | |
|--------- DHCP Request -------->| |
| (PCP server Name Sub-Option) | |
| | |
| <--------- DHCP Ack -------------| |
| (PCP server Name Sub-Option) | |
DHCPv4 RADIUS
Figure 3: RADIUS and DHCPv4 Message Flow for an IP Session
After receiving the PCP server name in the initial Access-Accept the NAS MUST store the received PCP Server Name locally. When the PCP Client sends a DHCPv4 message to request an extension of the lifetimes for the assigned address or prefix, the NAS does not have to initiate a new Access-Request towards the AAA server to request the PCP server name. The NAS retrieves the previously stored PCP Server name and uses it in its reply.
If the DHCPv4 server to which the DHCP Renew message was sent at time T1 has not responded, the DHCPv4 client initiates a Rebind/Reply exchange with any available server. In this scenario the NAS MUST initiate a new Access-Request towards the AAA server, after the co-located DHCPv4 server receives the DHCP message. The NAS MAY include the PCP Server Name attribute in its Access-Request.
If the NAS does not receive the PCP server name attribute in the Access-Accept it MAY fallback to a pre-configured default tunnel name, if any. If the NAS does not have any pre-configured default tunnel name or if the NAS receives an Access-Reject, the PCP client can not be configured by the NAS.
The scenario with PPP Session and IPv4 only connectivity does not require DHCPv4: the whole configuration of the client is performed by PPP. This case is out of scope of this document because in order to complete the configuration of the PCP client a new PPP IPC option would be required.
A new RADIUS attribute, called PCP-Server-Name, along with its format is defined below.
Description
A summary of the PCP-Server-Name RADIUS attribute format is shown below. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Context |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| PCP-Server-Name ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The description of the fields is as follows:
Type:
Length:
Context:
PCP-Server-Name:
This attribute is type of complex [RFC6158].
The following table provides a guide to which attributes may be found in which kinds of packets, and in what quantity.
Request Accept Reject Challenge Accounting # Attribute
Request
0+ 0+ 0 0 0+ TBA1 PCP-Server-Name
The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present in packet.
0+ Zero or more instances of this attribute MAY be present in
packet.
0-1 Zero or one instance of this attribute MAY be present in packet.
This document has no additional security considerations beyond those already identified in [RFC2865].
This document requests the allocation of a new Radius attribute types from the IANA registry "Radius Attribute Types" located at http://www.iana.org/assignments/radius-types:
The authors would like to thank Mario Ullio and Alan Dekok for their valuable comments.
| [I-D.ietf-pcp-base] | Wing, D., Cheshire, S., Boucadair, M., Penno, R. and P. Selkirk, "Port Control Protocol (PCP)", Internet-Draft draft-ietf-pcp-base-29, November 2012. |
| [I-D.ietf-pcp-dhcp] | Boucadair, M., Penno, R. and D. Wing, "DHCP Options for the Port Control Protocol (PCP)", Internet-Draft draft-ietf-pcp-dhcp-13, April 2014. |
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
| [RFC2865] | Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, DOI 10.17487/RFC2865, June 2000. |
| [RFC3629] | Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003. |
| [RFC5080] | Nelson, D. and A. DeKok, "Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes", RFC 5080, DOI 10.17487/RFC5080, December 2007. |
| [RFC6158] | DeKok, A. and G. Weber, "RADIUS Design Guidelines", BCP 158, RFC 6158, DOI 10.17487/RFC6158, March 2011. |
| [RFC6519] | Maglione, R. and A. Durand, "RADIUS Extensions for Dual-Stack Lite", RFC 6519, DOI 10.17487/RFC6519, February 2012. |
| [I-D.ietf-radext-ipv6-access] | Dec, W., Sarikaya, B., Zorn, G., Miles, D. and B. Lourdelet, "RADIUS attributes for IPv6 Access Networks", Internet-Draft draft-ietf-radext-ipv6-access-16, February 2013. |
| [RFC6333] | Durand, A., Droms, R., Woodyatt, J. and Y. Lee, "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011. |