PCP WG                                                       R. Maglione
Internet-Draft                                             Cisco Systems
Intended status: Standards Track                                D. Cheng
Expires: November 25, 2013                           Huawei Technologies
                                                            M. Boucadair
                                                          France Telecom
                                                            May 24, 2013

            RADIUS Extensions for Port Control Protocol (PCP)
                    draft-maglione-pcp-radius-ext-08

Abstract

   This document specifies a new Remote Authentication Dial In User
   Service (RADIUS) attribute to carry a Port Control Protocol (PCP)
   Server Name.
   This attribute can be configured on a RADIUS server so that the
   information can be conveyed to the Network Access Server (NAS) via
   the RADIUS protocol, and the co-located Dynamic Host Configuration
   Protocol (DHCP/DHCPv6) server can then populate the information to
   the PCP client.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 25, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  PCP Server Configuration using RADIUS and DHCPv4/DHCPv6
   4.  PCP-Server-Name RADIUS Attribute
   5.  Table of attributes
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgments
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   Port Control Protocol (PCP) [RFC6887] provides a mechanism to control
   how incoming packets are forwarded by upstream devices such as NATs
   and firewalls.  PCP is a client/server protocol where a PCP client
   may reside on a host, a Customer Premises Equipment (CPE), etc.,
   which communicates with a PCP server that may reside anywhere in a
   network.

   [RFC6887] defines a procedure for the PCP client to communicate with
   its PCP server.  The IP address of the PCP server(s) can be
   configured on the PCP client; if not, the PCP client assumes its
   default router to be its PCP server.

   [I-D.ietf-pcp-dhcp] defines DHCPv6 and DHCPv4 options which are meant
   to be used by a PCP client to discover a PCP server name.  However,
   the name of the PCP server must be provisioned on a DHCPv4/DHCPv6
   server before it can populate this information.

   Auto-configuration of a DHCPv4/DHCPv6 server is possible in a
   broadband network, where typically the user profile is maintained on
   a Remote Authentication Dial In User Service (RADIUS) server and the
   RADIUS protocol [RFC2865] is used to convey user-related information
   to other network elements including a host and CPE.
   [RFC6911] describes a typical broadband network scenario in which the
   Network Access Server (NAS) acts as the access gateway for the users
   (hosts or CPEs) and the NAS embeds a DHCPv6 server function that
   allows it to locally handle any DHCPv6 requests issued by the
   clients.

   In such an environment, the PCP server's name can be configured on a
   RADIUS server, which then passes the information to a NAS that is
   co-located with the DHCPv4/DHCPv6 server, which in turn populates the
   location of the PCP server.

   This document defines a new RADIUS attribute that can be used to
   carry a PCP server name.  As defined in [I-D.ietf-pcp-dhcp], a PCP
   Server Name can be a DNS name, an IP literal string, etc.  This
   document is designed to allow for configuring a PCP Server Name which
   can be a DNS name, an IP literal or any string which may be passed to
   a local name resolution library on the PCP client side.  Multiple
   occurrences of the PCP server name RADIUS attribute are supported.

   The proposed RADIUS attribute is designed to accommodate various
   deployment contexts (e.g., a dedicated option per IP connectivity
   context, a single option for dual-stack access, etc.).

   The approach described above is already used for providing the FQDN
   of the AFTR in the DS-Lite scenario [RFC6333], and the equivalent
   RADIUS attribute for the DS-Lite Tunnel Name is defined in [RFC6519].

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   The following terms are defined in [RFC6887]:

   -  Port forwarding
   -  PCP
   -  PCP client
   -  PCP Server

   The following term is defined in [I-D.ietf-pcp-dhcp]:

   -  PCP Server Name

3.  PCP Server Configuration using RADIUS and DHCPv4/DHCPv6

   Figure 1 illustrates an example of how the RADIUS protocol works
   together with DHCPv6 to allow a host to automatically learn the name
   of a PCP server in the case of a PPP session that carries IPv6
   traffic.

   The Network Access Server (NAS) operates as a client of RADIUS and is
   co-located with a DHCPv6 server.  The NAS initially sends a RADIUS
   Access-Request message to the RADIUS server, requesting
   authentication.  Once the RADIUS server receives the request, it
   validates the sending client and, if the request is approved, the
   RADIUS server replies with an Access-Accept message including a list
   of attribute-value pairs that describe the parameters to be used for
   this session.  This list MAY also contain the name of a PCP server.
   When the co-located DHCPv6 server receives a DHCPv6 message from a
   client containing the PCP Server Option, it SHALL use the name
   returned in the RADIUS attribute as defined in this memo to populate
   the DHCPv6 PCP Server option defined in [I-D.ietf-pcp-dhcp].
   PCP/DHCPv6                         NAS                       AAA
    Client                        DHCPv6 Server                Server
      |                                |                          |
      |----PPP LCP Config Request----->|                          |
      |                                |----Access-Request ------>|
      |                                |                          |
      |                                |<-Access-Accept-----------|
      |                                |   (PCP-Server-Name)      |
      |<-----PPP LCP Config ACK -------|                          |
      |                                |                          |
      |------ PPP IPv6CP Config Req -->|                          |
      |                                |                          |
      |<----- PPP IPv6CP Config ACK ---|                          |
      |                                |                          |
      |------- DHCPv6 Solicit -------->|                          |
      |                                |                          |
      |<-------DHCPv6 Advertisement----|                          |
      | (PCP server Name DHCPv6 Option)|                          |
      |                                |                          |
      |------- DHCPv6 Request -------->|                          |
      | (PCP server Name DHCPv6 Option)|                          |
      |                                |                          |
      |<-------- DHCPv6 Reply ---------|                          |
      | (PCP server Name DHCPv6 Option)|                          |

                  DHCPv6                        RADIUS

        Figure 1: RADIUS and DHCPv6 Message Flow for a PPP Session

   Figure 2 illustrates how the RADIUS protocol and DHCPv6 work together
   to accomplish PCP client configuration when DHCPv6 is used to provide
   connectivity to a requesting host.

   The difference between this message flow and the previous one is
   that in this scenario the interaction between the NAS and the AAA/
   RADIUS server is triggered by the DHCPv6 Solicit message received by
   the NAS from the DHCPv6 client, while in the case of a PPP session
   the trigger is the PPP LCP Config Request message received by the
   NAS.
   PCP/DHCPv6                         NAS                       AAA
    Client                        DHCPv6 Server                Server
      |                                |                          |
      |------ DHCPv6 Solicit --------->|                          |
      |                                |                          |
      |                                |----Access-Request ------>|
      |                                |                          |
      |                                |<-Access-Accept-----------|
      |                                |   (PCP-Server-Name)      |
      |                                |                          |
      |<-------DHCPv6 Advertisement----|                          |
      | (PCP Server Name DHCPv6 Option)|                          |
      |                                |                          |
      |------- DHCPv6 Request -------->|                          |
      | (PCP Server Name DHCPv6 Option)|                          |
      |                                |                          |
      |<-------- DHCPv6 Reply ---------|                          |
      | (PCP Server Name DHCPv6 Option)|                          |

                  DHCPv6                        RADIUS

        Figure 2: RADIUS and DHCPv6 Message Flow for an IP Session

   In the scenario depicted in Figure 2 the Access-Request packet SHOULD
   contain a Service-Type attribute (6) with the value Authorize Only
   (17); thus, according to [RFC5080], the Access-Request packet MUST
   contain a State attribute that it obtains from the previous
   authentication process.

   In both scenarios mentioned above, Message-Authenticator (type 80)
   according to [RFC2869] SHOULD be used to protect both Access-Request
   and Access-Accept messages.

   In case the PCP server name is re-configured, the RADIUS server must
   send a RADIUS CoA message [RFC5176] that carries the RADIUS PCP
   server name attribute to the NAS; once the NAS accepts it and sends
   back a RADIUS CoA ACK message, the new PCP server name replaces the
   original one and is then re-populated by the DHCPv6 server.

   A similar message flow also applies to the IPv4 scenario when DHCPv4
   is used to provide connectivity to the user (Figure 3).
   PCP/DHCPv4                         NAS                       AAA
    Client                        DHCPv4 Server                Server
      |                                |                          |
      |-------- DHCP Discovery ------->|                          |
      |                                |                          |
      |                                |----Access-Request ------>|
      |                                |                          |
      |                                |<-Access-Accept-----------|
      |                                |   (PCP-Server-Name)      |
      |                                |                          |
      |<--------- DHCP Offer ----------|                          |
      | (PCP server Name Sub-Option)   |                          |
      |                                |                          |
      |--------- DHCP Request -------->|                          |
      | (PCP server Name Sub-Option)   |                          |
      |                                |                          |
      |<---------- DHCP Ack -----------|                          |
      | (PCP server Name Sub-Option)   |                          |

                  DHCPv4                        RADIUS

        Figure 3: RADIUS and DHCPv4 Message Flow for an IP Session

   After receiving the PCP server name in the initial Access-Accept, the
   NAS MUST store the received PCP Server Name locally.  When the PCP
   client sends a DHCPv4 message to request an extension of the
   lifetimes for the assigned address or prefix, the NAS does not have
   to initiate a new Access-Request towards the AAA server to request
   the PCP server name.  The NAS retrieves the previously stored PCP
   Server Name and uses it in its reply.

   If the DHCPv4 server to which the DHCP Renew message was sent at time
   T1 has not responded, the DHCPv4 client initiates a Rebind/Reply
   exchange with any available server.  In this scenario the NAS MUST
   initiate a new Access-Request towards the AAA server after the
   co-located DHCPv4 server receives the DHCP message.  The NAS MAY
   include the PCP Server Name attribute in its Access-Request.

   If the NAS does not receive the PCP server name attribute in the
   Access-Accept, it MAY fall back to a pre-configured default PCP
   server name, if any.  If the NAS does not have any pre-configured
   default PCP server name, or if the NAS receives an Access-Reject, the
   PCP client cannot be configured by the NAS.
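   The NAS-side handling described above (keep the names received in the
   Access-Accept, fall back to a pre-configured default only when no
   usable attribute was received) combined with the attribute layout of
   Section 4, as an added Python example that is not part of this draft:
   the Type value TBA1 is not assigned, so a placeholder is used, and the
   Access-Accept attribute bytes are constructed for illustration.

```python
# Added example, not code from draft-maglione-pcp-radius-ext-08: NAS-side
# handling of PCP-Server-Name.  Type is TBA1, so the value below is a placeholder.
import struct

TYPE_PCP_SERVER_NAME = 0xF0   # placeholder for TBA1 (not an assigned value)
CTX_DUAL_STACK, CTX_DHCPV4, CTX_DHCPV6 = 0, 1, 2

def encode_pcp_server_name(context, name):
    """Build one attribute: Type | Length | Context | PCP-Server-Name."""
    if " " in name or "\x00" in name:
        raise ValueError("PCP Server Name MUST NOT contain spaces or nulls")
    if context not in (CTX_DUAL_STACK, CTX_DHCPV4, CTX_DHCPV6):
        raise ValueError("unknown Context value")
    raw = name.encode("utf-8")
    length = 3 + len(raw)     # Type, Length and Context octets, then the name
    if length > 255:
        raise ValueError("name too long for one RADIUS attribute")
    return struct.pack("!BBB", TYPE_PCP_SERVER_NAME, length, context) + raw

def parse_attributes(blob):
    """Split a RADIUS attribute area into (type, value) pairs, checking Length."""
    attrs, off = [], 0
    while off < len(blob):
        if len(blob) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("bad attribute Length")
        attrs.append((atype, blob[off + 2:off + alen]))
        off += alen
    return attrs

def pcp_server_names(attrs):
    """Return validated (context, name) pairs; malformed instances are skipped."""
    out = []
    for atype, value in attrs:
        if atype != TYPE_PCP_SERVER_NAME or len(value) < 2:
            continue
        context, raw = value[0], value[1:]
        try:
            name = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        if " " in name or "\x00" in name or context > CTX_DHCPV6:
            continue
        out.append((context, name))
    return out

def names_for_session(attrs, default=None):
    """NAS view: which names are handed to the DHCPv4 and DHCPv6 servers."""
    names = pcp_server_names(attrs)
    if not names:
        # Nothing usable received: use the pre-configured default, if any.
        fallback = [default] if default else []
        return {"dhcpv4": fallback, "dhcpv6": fallback}
    v4 = [n for c, n in names if c in (CTX_DUAL_STACK, CTX_DHCPV4)]
    v6 = [n for c, n in names if c in (CTX_DUAL_STACK, CTX_DHCPV6)]
    return {"dhcpv4": v4, "dhcpv6": v6}

# Constructed Access-Accept attribute area: Service-Type(6)=Framed-User(2),
# one dual-stack name and one name for DHCPv6 requesting hosts only.
SAMPLE_ACCEPT = (struct.pack("!BBI", 6, 6, 2)
                 + encode_pcp_server_name(CTX_DUAL_STACK, "pcp.example.com")
                 + encode_pcp_server_name(CTX_DHCPV6, "2001:db8::1"))
```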
   The handling when the PCP server name is re-configured on the RADIUS
   server is similar to that in the IPv6 case, i.e., the new PCP server
   name is conveyed to the NAS in a RADIUS CoA message; if accepted, the
   new PCP server name replaces the original one and is then
   re-populated by the DHCPv4 server.

   The scenario with a PPP session and IPv4-only connectivity does not
   require DHCPv4: the whole configuration of the client is performed by
   PPP.  This case is out of the scope of this document because, in
   order to complete the configuration of the PCP client, a new PPP IPCP
   option would be required.

4.  PCP-Server-Name RADIUS Attribute

   A new RADIUS attribute, called PCP-Server-Name, along with its format
   is defined below.

   The PCP-Server-Name attribute contains a name that refers to a PCP
   server to which the client requests to establish a connection for
   PCP-related service.  The NAS shall use the name(s) returned in the
   RADIUS PCP-Server-Name attribute instance(s) to populate the PCP
   Server Name DHCP Sub-Option in an IPv4 addressing context, or the PCP
   Server Name DHCPv6 Option in an IPv6 addressing context, as
   determined by the DHCP server [I-D.ietf-pcp-dhcp].  The same or
   distinct PCP Server Names MAY be configured; it is out of the scope
   of this document to elaborate on this point.  Nevertheless, the
   PCP-Server-Name attribute conveys an indication of the deployment
   context.

   The PCP-Server-Name attribute MAY appear in an Access-Accept packet.
   This attribute MAY be used in Access-Request packets as a hint to the
   RADIUS server; for example, if the NAS is pre-configured with a
   default PCP server name, this name MAY be inserted in the attribute.
   The RADIUS server MAY ignore the hint sent by the NAS and it MAY
   assign a different PCP Server Name.
   If the NAS includes the PCP Server Name attribute but the AAA server
   does not recognize it, this attribute MUST be ignored by the AAA
   server.  If the NAS does not receive the PCP Server Name attribute in
   the Access-Accept, it MAY fall back to a pre-configured default PCP
   server name, if any.  If the NAS is pre-provisioned with a default
   PCP server name and the PCP server name received in the Access-Accept
   is different from the configured default, then the PCP server name
   received in the Access-Accept message MUST be used for the session.

   The PCP Server Name RADIUS attribute MAY be present in Accounting-
   Request records where the Acct-Status-Type is set to Start, Stop or
   Interim-Update.

   The PCP Server Name RADIUS attribute MAY be present in a CoA-Request
   packet when the PCP server name is re-configured.

   The PCP Server Name RADIUS attribute MAY appear more than once in a
   message.

   A summary of the PCP-Server-Name RADIUS attribute format is shown
   below.  The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |    Context    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     PCP-Server-Name ....
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The description of the fields is as follows:

   Type:

      TBA1 for PCP-Server-Name.

   Length:

      This field indicates the total length in octets of this attribute,
      including the Type and Length fields.

   Context:

      This field indicates the IP connectivity context:

      0: Dual-Stack.  The same option is provided for both DHCPv4 and
         DHCPv6 requesting hosts.
      1: This option is provided for DHCPv4 requesting hosts.
      2: This option is provided for DHCPv6 requesting hosts.

   PCP-Server-Name:

      Includes a PCP Server Name.
      As defined in , a PCP Server Name is a UTF-8 [RFC3629] string that
      can be passed to getaddrinfo(), such as a DNS name, an address
      literal, etc.  The name MUST NOT contain spaces or nulls.

   This attribute is of the "complex" data type [RFC6158].

5.  Table of attributes

   The following table provides a guide to which attributes may be found
   in which kinds of packets, and in what quantity.

   Request  Accept  Reject  Challenge  Accounting  #     Attribute
                                       Request
   0+       0+      0       0          0+          TBA1  PCP-Server-Name
   0-1      0-1     0       0          0-1         6     Service-Type
   0-1      0-1     0-1     0-1        0-1         80    Message-Authenticator

   The following table defines the meaning of the above table entries.

   0    This attribute MUST NOT be present in the packet.
   0+   Zero or more instances of this attribute MAY be present in the
        packet.
   0-1  Zero or one instance of this attribute MAY be present in the
        packet.

6.  Security Considerations

   This document has no additional security considerations beyond those
   already identified in [RFC2865].

7.  IANA Considerations

   This document requests the allocation of a new RADIUS attribute type
   from the IANA registry "RADIUS Attribute Types" located at
   http://www.iana.org/assignments/radius-types:

      PCP-Server-Name - TBA1

8.  Acknowledgments

   The authors would like to thank Mario Ullio, Alan DeKok, Sheng Jiang
   and Tassos Chatzithomaoglou for their valuable comments and
   assistance.

9.  References

9.1.  Normative References

   [I-D.ietf-pcp-dhcp]
              Boucadair, M., Penno, R., and D. Wing, "DHCP Options for
              the Port Control Protocol (PCP)", draft-ietf-pcp-dhcp-07
              (work in progress), March 2013.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.
   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

   [RFC5080]  Nelson, D. and A. DeKok, "Common Remote Authentication
              Dial In User Service (RADIUS) Implementation Issues and
              Suggested Fixes", RFC 5080, December 2007.

   [RFC6158]  DeKok, A. and G. Weber, "RADIUS Design Guidelines",
              BCP 158, RFC 6158, March 2011.

   [RFC6519]  Maglione, R. and A. Durand, "RADIUS Extensions for
              Dual-Stack Lite", RFC 6519, February 2012.

   [RFC6887]  Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
              Selkirk, "Port Control Protocol (PCP)", RFC 6887, April
              2013.

9.2.  Informative References

   [RFC2869]  Rigney, C., Willats, W., and P. Calhoun, "RADIUS
              Extensions", RFC 2869, June 2000.

   [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 5176,
              January 2008.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee,
              "Dual-Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, August 2011.

   [RFC6911]  Dec, W., Sarikaya, B., Zorn, G., Miles, D., and B.
              Lourdelet, "RADIUS Attributes for IPv6 Access Networks",
              RFC 6911, April 2013.

Authors' Addresses

   Roberta Maglione
   Cisco Systems
   181 Bay Street
   Toronto, ON  M5J 2T3
   Canada

   Email: robmgl@cisco.com

   Dean Cheng
   Huawei Technologies
   2330 Central Expressway
   Santa Clara, CA  95050
   USA

   Phone: +1 408 330 4754
   Email: dean.cheng@huawei.com

   Mohamed Boucadair
   France Telecom
   Rennes  35000
   France

   Email: mohamed.boucadair@orange.com