Internet DRAFT - draft-dekok-radius-ipfix
draft-dekok-radius-ipfix
Network Working Group A. DeKok
INTERNET-DRAFT FreeRADIUS
Category: Experimental S. Winter
<draft-dekok-radius-ipfix-00.txt> RESTENA
Expires: April 5, 2013
8 October 2012
RADIUS accounting via IPFIX
draft-dekok-radius-ipfix
Abstract
The Remote Authentication Dial In User Server (RADIUS) Protocol
provides for a number of simple session-based metrics. There is a
need to increase the number of metrics, and to add metrics for
individual flows within a session. This document leverages IP Flow
Information Export (IPFIX) to address both needs.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with
the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 12, 2011
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
DeKok, Alan Experimental [Page 1]
INTERNET-DRAFT RADIUS Accounting via IPFIX 8 October 2012
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info/) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
DeKok, Alan Experimental [Page 2]
INTERNET-DRAFT RADIUS Accounting via IPFIX 8 October 2012
Table of Contents
1. Introduction ............................................. 4
1.1. Terminology ......................................... 4
1.2. Requirements Language ............................... 4
2. IPFIX in RADIUS .......................................... 5
2.1. IPFIX-Container Attribute ........................... 5
2.2. IPFIX to RADIUS Data Type Mappings .................. 6
2.3. IPFIX ElementID to RADIUS TLV Mapping ............... 7
2.4. Summary of the Mappings ............................. 8
3. IPFIX-Container in RADIUS Packets ........................ 8
3.1. IPFIX-Container in Access-Accept .................... 8
3.2. IPFIX-Container in Accounting-Request ............... 9
3.3. Administratively Configured Flows ................... 9
4. Caveats .................................................. 10
5. Examples ................................................. 10
5.1. Access-Accept ....................................... 10
5.2. Accounting-Request .................................. 11
6. Security Considerations .................................. 11
7. IANA Considerations ...................................... 11
8. References ............................................... 11
8.1. Normative References ................................ 11
8.2. Informative References .............................. 12
Appendix A - XML to RADIUS Dictionary Converter .............. 13
Appendix A.1 - Code for XML to RADIUS Dictionary Converter ... 14
DeKok, Alan Experimental [Page 3]
INTERNET-DRAFT RADIUS Accounting via IPFIX 8 October 2012
1. Introduction
The Remote Authentication Dial In User Server (RADIUS) Protocol
defines in [RFC2866] and others metrics for transporting session-
based accounting. We wish to extend those capabilities, while having
a specification that satisfies the following criteria:
* follows the RADIUS data model as defined in [RFC6158],
and [EXTEN],
* allows for an increased number of metrics per session,
* allows for metrics for individual flows within a session,
* can describe flows in an Access-Accept, for later accounting
in an Accounting-Request,
* requires minimal work from the RADEXT working group to define
new metrics
We believe this document satisifies those criteria. We propose to do
this by leveraging IP Flow Information Export (IPFIX) entries,
defined in [IPFIX]. The benefits of this approach are many. We
leverage existing expertise and work, we do not create a new standard
to exchange the same information, etc.
1.1. Terminology
This document uses the following terms:
RADIUS client
A device that provides an access service for a user to a network.
Also referred to as a Network Access Server, or NAS.
RADIUS server
A device that provides one or more of authentication,
authorization, and/or accounting (AAA) services to a NAS.
RADIUS proxy
A RADIUS proxy acts as a RADIUS server to the NAS, and a RADIUS
client to the RADIUS server.
1.2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
DeKok, Alan Experimental [Page 4]
INTERNET-DRAFT RADIUS Accounting via IPFIX 8 October 2012
2. IPFIX in RADIUS
This section defines how IPFIX information is carried inside of
RADIUS attributes.
2.1. IPFIX-Container Attribute
We define a new attribute, called IPFIX-Container. It leverages the
"Long Extended" type defined in [EXTEN] Section X.Y. A summary of
the Attribute format is shown below. The fields are transmitted from
left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Extended-Type |M| Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
TBD - IANA allocation from the "long extended" type space
Length
The Length of the attribute, as previously defined in [RFC2865]
Section 5. Permitted values are between 5 and 255. If a client
or server receives an IPFIX-Containter attribute with a Length of
2, 3, or 4, then that Attribute MUST be considered to be an
"invalid attribute", and be handled as per [EXTEN] Section 2.7.
Extended-Type
TBD - IANA allocation from the "long extended" type space
M (More)
The More field is one (1) bit in length, and indicates whether or
not the current attribute contains "more" than 251 octets of data.
The More field MUST be clear (0) if the Length field has value
less than 255. The More field MAY be set (1) if the Length field
has value of 255.
If the More field is set (1), it indicates that the Value field
has been fragmented across multiple RADIUS attributes. When the
More field is set (1), the attribute SHOULD have a Length field of
value 255; it MUST NOT have a length Field of value 4; there MUST
DeKok, Alan Experimental [Page 5]
INTERNET-DRAFT RADIUS Accounting via IPFIX 8 October 2012
be an attribute following this one; and the next attribute MUST
have both the same Type and Extended Type. That is, multiple
fragments of the same value MUST be in order and MUST be
consecutive attributes in the packet, and the last attribute in a
packet MUST NOT have the More field set (1).
When the Length field of an attribute has value less than 255, the
More field SHOULD be clear (0).
If a client or server receives an attribute fragment with the
"More" field set (1), but for which no subsequent fragment can be
found, then the fragmented attribute is considered to be an
"invalid attribute", and handled as per [EXTEN] Section 2.7.
Reserved
This field is 7 bits long, and is reserved for future use.
Implementations MUST set it to zero (0) when encoding an attribute
for sending in a packet. The contents SHOULD be ignored on
reception.
Value
The value is a series of Type-Length-Values (TLVs), which are the
IPFIX information elements as defined in [IPFIX]. One flow MUST
be encapsulated in one IPFIX-Container attribute. An IPFIX-
Container attribute MUST NOT contain zero, or multiple flows.
2.2. IPFIX to RADIUS Data Type Mappings
The IPFIX specification defines a number of data types. Some can be
mapped to RADIUS, others cannot. We document those mappings here.
Where a data type is not mapped, IPFIX information elements using
that data type MUST NOT appear in a RADIUS packet.
We use the RADIUS data types as defined in [RFC6158]. The following
table defines the mappings.
Mapping Table
IPFIX RADIUS
----- -------
unsigned8 integer
unsigned16 integer
unsigned32 integer
unsigned64' integer64
ipv4Address IP Address
ipv6Address IPv6 Address
string text
DeKok, Alan Experimental [Page 6]
INTERNET-DRAFT RADIUS Accounting via IPFIX 8 October 2012
octetArray string
dateTimeSeconds date
dateTimeMilliseconds integer64
dateTimeMicroseconds integer64
dateTimeNanoseconds integer64
macAddress string
boolean integer
RADIUS does not permit eight (8) or sixteen (16) bit data types, so
IPFIX "integer" types of those sizes are mapped to RADIUS 32-bit
integers.
We want to avoid creating new RADIUS data types. Therefore, the
IPFIX "dateTime" types are mapped to "integer64". The only exception
is "dateTimeSeconds", which maps to the RADIUS "date" data type.
RADIUS does not have a "MAC Address" data type. Therefore the IPFIX
"macAddress" data type maps to the RADIUS "string" data type.
2.3. IPFIX ElementID to RADIUS TLV Mapping
The IPFIX ElementIDs are fifteen (15) bits long, while the RADIUS
attribute IDs are eight (8) bits. We therefore need a mapping from
one to the other. The mapping involves allocating two layers of
TLVs, which allows for sixteen (16) bits of mapping. The mapping
function is as follows:
TLV1 = (ElementId >> 8) & 0xFF
TLV2 = ElementId & 0xFF
The resulting RADIUS attribute is then TBD.TLV1.TLV2. (IANA NOTE:
Replace TBD with the allocated "long extended" attribute, e.g.
245.1).
We do not allocate or name TBD.TLV1 in the RADIUS attribute space.
(IANA NOTE: Replace TBD with the allocated "long extended" attribute,
e.g. 245.1). It is simple a container which is never referenced by
itself.
We do not provide an exhaustive mapping of which IPFIX ElementID is
appropriate (or not) for inclusion in which RADIUS packet. We
instead provide general guidelines and recommendations.
IPFIX ElementIDs relating to counters and flow identification are
useful in RADIUS. Other ElementIDs are less useful, and SHOULD NOT
be used. ElementIDs related to security and packet signing MUST NOT
be used in RADIUS.
DeKok, Alan Experimental [Page 7]
INTERNET-DRAFT RADIUS Accounting via IPFIX 8 October 2012
2.4. Summary of the Mappings
The mapping from IPFIX Information Elements to RADIUS attributes is
simple and mechanical. New IPFIX Information Elements can be used by
RADIUS without requiring new specifications in the RADIUS space.
A short Perl program is available in Appendix A, below. It provides
an example of how the mapping can be done automatically. However, it
does not provide a standard of any kind.
3. IPFIX-Container in RADIUS Packets
The IPFIX-Container attribute is permitted in Access-Accept packets,
and in Accounting-Request packets. It MUST NOT occur in any other
kind of RADIUS packet.
3.1. IPFIX-Container in Access-Accept
The IPFIX-Container can be sent in an Access-Accept packet. This
indicates a request from the server that the NAS send Accounting-
Request packets containing the requested information. The NAS MAY
ignore this request, and send different information, or no
information.
The contents of the IPFIX-Container are ElementIDs which describe a
particular flow. Multiple IPFIX-Container attributes MAY be sent in
an Access-Accept.
The ElementIds which describe a particular flow are not enumerated
here. Instead, we suggest ElementIDs relating to IP addresses,
protocols, ports, etc. Where ElementIDs relating to flow
identification are omitted, the IPFIX-Container SHOULD be interpreted
as applying to all traffic.
The only restriction is that each IPFIX-Container attribute MUST
contain a flowID. It is RECOMMENDED that the RADIUS server allocate
these flowIDs through a robust process that generates globally and
temporally unique values. The method for doing so is not described
here.
An Access-Accept MUST NOT contain multiple IPFIX-Container attributes
with the same flowID.
This restriction comes about as a result of issues seen with Acct-
Session-Id. Deployment experience shows that many NAS
implementations choose repeating values for Acct-Session-Id. That
repetition makes it difficult for RADIUS servers to track individual
user sessions. Allowing for flow-based accounting would make that
DeKok, Alan Experimental [Page 8]
INTERNET-DRAFT RADIUS Accounting via IPFIX 8 October 2012
problem worse.
This document instead requires that flowIDs are allocated by the
RADIUS server. NAS implementations MUST NOT create flowIDs.
3.2. IPFIX-Container in Accounting-Request
The IPFIX-Container can be sent in an Accounting-Request packet.
This indicates that the NAS is sending accounting information about a
particular flow.
The contents of the IPFIX-Container are ElementIDs which describe a
the accounting data for a particular flow. Multiple IPFIX-Container
attributes MAY be sent in an Accounting-Request. The IPFIX-Container
MAY avoid sending ElementIDs which describe the flow. i.e.
ElementIDs which are sent in an Access-Accept. The flowID is
generally sufficient to uniquely describe a flow.
However, in situations where the flowIDs are administratively
configured, those ElementIDs which describe the flow MUST be included
in the IPFIX-Container attribute. This inclusion ensures that the
combination of flowID and flow description is unique.
The ElementIds which describe accounting for a particular flow are
not enumerated here. Instead, we suggest ElementIDs relating to
packet counting, octet counting, time, etc.
The only restriction is that each IPFIX-Container attribute MUST
contain a flowID. The NAS MUST use flowIDs taken from a
corresponding Access-Accept packet, or flowIDs which have been
administratively configured. It MUST NOT generate flowIDs by itself.
An Accounting-Request packet MUST NOT contain multiple IPFIX-
Container attributes with the same flowID.
3.3. Administratively Configured Flows
A NAS MAY permit an administrator to manually configure flows. In
that case, it can send flows in an Accounting-Request packet which
were not requested in an Accounting-Accept packet. In that case,
ElementIDs which describe the flow MUST be included in the IPFIX-
Container attribute. The flowID MUST also be configured by the
administrator, and not created by the NAS.
For administratively configured flows, a NAS MAY give the
administrator the choice of using incrementing flowIDs for each flow
in a session, starting from the value one (1).
DeKok, Alan Experimental [Page 9]
INTERNET-DRAFT RADIUS Accounting via IPFIX 8 October 2012
4. Caveats
The flows in IPFIX are unidirectional. RADIUS uses different
attributes to count data for each direction. As a result, where
RADIUS would use two attributes Acct-Input-Octets and Acct-Output-
Octets, we would require two IPFIX-Container attributes.
Not all of the IPFIX data types are mapped. We have no suggestions
for what to do with the more complex data types.
The IPFIX "basicList" data type appears to be unnecessary in RADIUS.
Instead of encapsulating multiple ports in a basicList, we can simply
send multiple port descriptions in one IPFIX-Container attribute.
Mapping eight and sixteen-bit IPFIX integers to a 32-bit RADIUS
integer type is suboptimal. However, it meets the requirements of
[RFC6158]. The major benefit of reusing the RADIUS data model
outweighs the minor benefit of a slightly more efficient packing.
IPFIX allows for sending data up to 64K in size. The multiple
encapsulations define here allows for only a maximum of 249 octets.
This limitation does not matter for the bulk of the ElementIDs which
are relevant to RADIUS. For the rest, we offer no suggestion other
than to administratively limit strings to a particular length.
Not all implementations will support this specification. Therefore,
the existing RADIUS accounting attributes SHOULD be sent in addition
to the IPFIX-Container attribute. Sending only IPFIX-Container is
NOT RECOMMENDED.
5. Examples
This section contains examples. We use names for the attributes
taken from the output of the Perl program in Appendix A. We show
only the IPFIX-Container attribute and the TLVs related to IPFIX
ElementIDs. We do not show intermediate TLVs.
5.1. Access-Accept
IPFIX-Container
IPFIX-flowId = 1
IPFIX-flowDirection = 0x00
IPFIX-Container
IPFIX-flowId = 2
IPFIX-flowDirection = 0x01
DeKok, Alan Experimental [Page 10]
INTERNET-DRAFT RADIUS Accounting via IPFIX 8 October 2012
5.2. Accounting-Request
Acct-Input-Octets = 1024
Acct-Output-Octets = 2048
Acct-Input-Packets = 10
Acct-Output-Packets = 20
IPFIX-Container
IPFIX-flowId = 1
IPFIX-flowDirection = 0x00
IPFIX-octetTotalCount = 1024
IPFIX-packetTotalCount = 10
IPFIX-Container
IPFIX-flowId = 2
IPFIX-flowDirection = 0x01
IPFIX-octetTotalCount = 2048
IPFIX-packetTotalCount = 20
6. Security Considerations
This document defines new RADIUS attributes, but makes no changes to
the RADIUS protocol. As such, there are no security considerations.
The IPFIX protocol defines security related ElementIDs such as
messageMD5Checksum. These ElementIDs MUST NOT appear in a RADIUS
packet. Existing RADIUS security is sufficient to protect the
packets.
7. IANA Considerations
This document requests the allocation of a new attribute, "IPFIX-
Container", from the "long extended" RADIUS attribute type space.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote
Authentication Dial In User Service (RADIUS)", RFC 2865, June
2000.
[IPFIX] http://www.iana.org/assignments/ipfix/
[EXTEN] DeKok, A, Lior, A, "Remote Authentication Dial In User Service
(RADIUS) Protocol Extensions", draft-ietf-radext-radius-
DeKok, Alan Experimental [Page 11]
INTERNET-DRAFT RADIUS Accounting via IPFIX 8 October 2012
extensions-05.txt, (work in progress)
8.2. Informative References
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[RFC6158] DeKok, A., and Weber, G., "RADIUS Design Guidelines", RFC
6158, March 2011.
Acknowledgments
The initial suggestion to leverage IPFIX was from Benoit Claise.
DeKok, Alan Experimental [Page 12]
INTERNET-DRAFT RADIUS Accounting via IPFIX 8 October 2012
Appendix A - XML to RADIUS Dictionary Converter
The following page contains a simple Perl script which converts the
[IPFIX] XML registry to a RADIUS dictionary file. It is intended as
a guide to show that the conversion is mechanical. It does not
specify a standard, and implementors are free to use their own method
for converting the IPFIX registry to a RADIUS dictionary.
DeKok, Alan Experimental [Page 13]
INTERNET-DRAFT RADIUS Accounting via IPFIX 8 October 2012
Appendix A.1 - Code for XML to RADIUS Dictionary Converter
#!/usr/bin/env perl
use XML::Simple;
use Data::Dumper;
$prefix = "TBD"; # IANA - to be updated
print "ATTRIBUTE IPFIX-Container $prefix long-extended\n";
$map = {
'unsigned8' => 'integer',
'unsigned16' => 'integer',
'unsigned32' => 'integer',
'unsigned64' => 'integer64',
'ipv4Address' => 'ipaddr',
'ipv6Address' => 'ipv6ddr',
'string' => 'text',
'octetArray' => 'string',
'dateTimeSeconds' => 'date',
'dateTimeMilliseconds' => 'integer64',
'dateTimeMicroseconds' => 'integer64',
'dateTimeNanoseconds' => 'integer64',
'macAddress' => 'string',
'boolean' => 'integer',
};
$xml = new XML::Simple;
$data = $xml->XMLin("ipfix.xml");
$elements = $data->{registry}->{'ipfix-information-elements'}->{record};
foreach $record (@{$elements}) {
next if $record->{unassigned};
next if $record->{reserved};
$name = $record->{name};
$name =~ s/\s+//g;
$upper = 1 + (($record->{elementId} & ~0xff) >> 8);
$lower = $record->{elementId} & 0xff;
$oid = "$prefix.$upper.$lower";
$type = $record->{dataType};
if (!defined $map->{$type}) {
print "# ATTRIBUTE IPFix-$name $oid ", $type, "\n";
} else {
print "ATTRIBUTE IPFix-$name $oid ", $map->{$type}, "\n";
}
DeKok, Alan Experimental [Page 14]
INTERNET-DRAFT RADIUS Accounting via IPFIX 8 October 2012
}
Authors' Addresses
Alan DeKok
The FreeRADIUS Server Project
http://freeradius.org/
Email: aland@freeradius.org
Stefan Winter
Fondation RESTENA
6, rue Richard Coudenhove-Kalergi
Luxembourg 1359
Luxembourg
Phone: +352 424409 1
Fax: +352 422473
EMail: stefan.winter@restena.lu
URI: http://www.restena.lu
DeKok, Alan Experimental [Page 15]