<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-boucadair-opsawg-tcpm-converter-01"
     ipr="trust200902">
  <front>
    <title abbrev="RADIUS for 0-RTT TCP Converters">RADIUS Extensions for
    0-RTT TCP Converters</title>

    <author fullname="Mohamed Boucadair" initials="M." surname="Boucadair">
      <organization>Orange</organization>

      <address>
        <postal>
          <street></street>

          <city>Rennes</city>

          <region></region>

          <code>35000</code>

          <country>France</country>
        </postal>

        <email>mohamed.boucadair@orange.com</email>
      </address>
    </author>

    <author fullname="Christian Jacquenet" initials="C." surname="Jacquenet">
      <organization>Orange</organization>

      <address>
        <postal>
          <street></street>

          <city>Rennes</city>

          <region></region>

          <country>France</country>
        </postal>

        <email>christian.jacquenet@orange.com</email>
      </address>
    </author>

    <date />

    <abstract>
      <t>Because of the lack of important TCP extensions, e.g., Multipath TCP
      support at the server side, some service providers now consider a
      network-assisted model that relies upon the activation of a dedicated
      function called Transport Converters. For example, network-assisted
      Multipath TCP deployment models are designed to facilitate the adoption
      of Multipath TCP for the establishment of multi-path communications
      without making any assumption about the support of Multipath TCP by the
      remote servers. Transport Converters located in the network are
      responsible for establishing multi-path communications on behalf of
      endpoints, thereby taking advantage of Multipath TCP capabilities to
      achieve different goals that include (but are not limited to)
      optimization of resource usage (e.g., bandwidth aggregation), of
      resiliency (e.g., primary/backup communication paths), and traffic
      offload management.</t>

      <t>This document specifies new Remote Authentication Dial-In User
      Service (RADIUS) attributes that carry the IP addresses and the port
      number that will be returned to authorized users to reach one or
      multiple Converters.</t>
    </abstract>
  </front>

  <middle>
    <section title="Introduction">
      <t>One of the promising deployment scenarios for Multipath TCP (MPTCP,
      <xref target="RFC6824"></xref>) is to enable a host or a Customer
      Premises Equipment (CPE) connected to multiple networks (e.g., DSL, LTE,
      WLAN) to optimize the usage of such resources. One such deployment
      scenario relies on MPTCP Conversion Points, called Transport Converters
      (or Converters for short) in <xref
      target="I-D.ietf-tcpm-converters"></xref>. A Converter terminates the
      extended TCP (e.g., MPTCP, TCPinc) sessions established from a host
      before relaying the traffic over a legacy TCP session. Further
      Network-Assisted MPTCP deployment and operational considerations are
      discussed in <xref
      target="I-D.nam-mptcp-deployment-considerations"></xref>.</t>

      <t><xref target="fig"></xref> shows a deployment example of the
      Converters to assist establishing MPTCP connections.</t>

      <t><figure align="center" anchor="fig"
          title="&ldquo;Network-Assisted&rdquo; MPTCP Design">
          <artwork><![CDATA[  +------------+        _--------_    +----------------+
  |            |       (    LTE   )   |                |
  |   Host     +=======+          +===+  Backbone      |
  |            |       (_        _)   |   Network      |
  |            |         (_______)    |+--------------+|
  |            |       IP Network #1  ||   Converter  ||------> Internet
  |            |                      ||              ||
  |            |                      |+--------------+|
  |            |       IP Network #2  |                |
  |            |        _--------_    |                |
  |            |       (    DSL    )  |                |
  |            +=======+           +==+                |
  |            |       (_        _)   |                |
  +------------+        (_______)     +----------------+

]]></artwork>
        </figure></t>

      <t><xref target="I-D.ietf-tcpm-converters"></xref> specifies the
      Converter as a function that is installed by a network operator to aid
      the deployment of TCP extensions and to provide the benefits of such
      extensions to clients. A Transport Converter supports one or more TCP
      extensions.</t>

      <t>Within this document, a Converter refers to a function that
      terminates a transport flow and relays all data received over it over
      another transport flow. This element is located upstream in the
      network; one or multiple Converters can be deployed on the network
      side. The Converter achieves the following:<list style="symbols">
          <t>Listen for client sessions;</t>

          <t>Receive from a client the address of the final target server;</t>

          <t>Set up a session to the final server;</t>

          <t>Relay control messages and data between the client and the
          server;</t>

          <t>Perform access controls according to local policies.</t>
        </list></t>

      <t>This document specifies three new Remote Authentication Dial-In User
      Service (RADIUS, <xref target="RFC2865"></xref>) attributes that carry
      the Converter IP address list and the port number on which the
      Converter(s) listen (<xref target="att"></xref>). In order to
      accommodate both IPv4 and IPv6 deployment contexts, and given the
      constraints in Section 3.4 of <xref target="RFC6158"></xref>, separate
      attributes are specified for IPv4 and IPv6 addresses. Note that one or
      multiple IPv4 and/or IPv6 addresses may be returned to a requesting
      CPE. A sample use case is described in <xref target="uc"></xref>.</t>

      <t>This document assumes that the Converter(s) reachability information
      can be stored in Authentication, Authorization, and Accounting (AAA)
      servers while the CPE configuration is usually provided by means of DHCP
      (<xref target="RFC2131"></xref><xref target="RFC8415"></xref>).</t>

      <t>This specification assumes a Converter is reachable through one or
      multiple IP addresses. As such, a list of IP addresses can be
      communicated via RADIUS. Also, it assumes the various network
      attachments provided to an MPTCP-enabled host are managed by the same
      administrative entity.</t>

      <t>This document adheres to <xref target="RFC8044"></xref> for defining
      the new attributes.</t>
    </section>

    <section title="Terminology">
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
      "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
      "OPTIONAL" in this document are to be interpreted as described in BCP 14
      <xref target="RFC2119"></xref><xref target="RFC8174"></xref> when, and
      only when, they appear in all capitals, as shown here.</t>
    </section>

    <section anchor="att" title="CONVERT RADIUS Attributes">
      <t>This section defines three RADIUS attributes that follow the
      attribute format of <xref target="RFC2865"></xref> and the data types
      of <xref target="RFC8044"></xref>: CONVERT-IPv4 and CONVERT-IPv6 each
      carry one Converter address, and CONVERT-Port carries the port number
      on which the Converter(s) listen.</t>

      <section title="CONVERT-IPv4">
        <t>Description<list style="empty">
            <t>The RADIUS CONVERT-IPv4 attribute contains the IPv4 address of
            a Converter that is assigned to a host. <vspace
            blankLines="1" />Because multiple Converter IP addresses may be
            provisioned to an authorized host (that is, a host entitled to
            solicit the resources of a Converter), multiple instances of the
            CONVERT-IPv4 attribute MAY be included; each instance of the
            attribute carries a distinct IP address. <vspace
            blankLines="1" />CONVERT-IPv4, CONVERT-IPv6, and CONVERT-Port
            attributes MAY be present in the same RADIUS message.</t>

            <t>The CONVERT-IPv4 Attribute MAY appear in a RADIUS Access-Accept
            packet. It MAY also appear in a RADIUS Access-Request packet as a
            hint to the RADIUS server to indicate a preference, although the
            server is not required to honor such a hint.</t>

            <t>The CONVERT-IPv4 Attribute MAY appear in a CoA-Request
            packet.</t>

            <t>The CONVERT-IPv4 Attribute MAY appear in a RADIUS
            Accounting-Request packet.</t>

            <t>The CONVERT-IPv4 Attribute MUST NOT appear in any other RADIUS
            packet.</t>
          </list>Type<list style="empty">
            <t>TBA1 (see <xref target="IANA"></xref>).</t>
          </list></t>

        <t>Length<list style="empty">
            <t>6</t>
          </list></t>

        <t>Data Type<list style="empty">
            <t>The attribute CONVERT-IPv4 is of type ipv4addr (Section 3.8 of
            <xref target="RFC8044"></xref>).</t>
          </list></t>

        <t>Value<list style="empty">
            <t>This field includes an IPv4 address (32 bits) of the Converter.
            <vspace blankLines="1" />The CONVERT-IPv4 attribute MUST NOT
            include multicast and host loopback addresses <xref
            target="RFC6890"></xref>. Anycast addresses are allowed to be
            included in a CONVERT-IPv4 attribute.</t>
          </list></t>
      </section>

      <section title="CONVERT-IPv6">
        <t>Description<list style="empty">
            <t>The RADIUS CONVERT-IPv6 attribute contains the IPv6 address of
            a Converter that is assigned to a host. <vspace
            blankLines="1" />Because multiple Converter IP addresses may be
            provisioned to an authorized host (that is, a host entitled to
            solicit the resources of a Converter), multiple instances of the
            CONVERT-IPv6 attribute MAY be included; each instance of the
            attribute carries a distinct IP address. <vspace
            blankLines="1" />CONVERT-IPv4, CONVERT-IPv6, and CONVERT-Port
            attributes MAY be present in the same RADIUS message.</t>

            <t>The CONVERT-IPv6 Attribute MAY appear in a RADIUS Access-Accept
            packet. It MAY also appear in a RADIUS Access-Request packet as a
            hint to the RADIUS server to indicate a preference, although the
            server is not required to honor such a hint.</t>

            <t>The CONVERT-IPv6 Attribute MAY appear in a CoA-Request
            packet.</t>

            <t>The CONVERT-IPv6 Attribute MAY appear in a RADIUS
            Accounting-Request packet.</t>

            <t>The CONVERT-IPv6 Attribute MUST NOT appear in any other RADIUS
            packet.</t>
          </list>Type<list style="empty">
            <t>TBA2 (see <xref target="IANA"></xref>).</t>
          </list></t>

        <t>Length<list style="empty">
            <t>18</t>
          </list></t>

        <t>Data Type<list style="empty">
            <t>The attribute CONVERT-IPv6 is of type ipv6addr (Section 3.9 of
            <xref target="RFC8044"></xref>).</t>
          </list></t>

        <t>Value<list style="empty">
            <t>This field includes an IPv6 address (128 bits) of the
            Converter. <vspace blankLines="1" />The CONVERT-IPv6 attribute
            MUST NOT include multicast and host loopback addresses <xref
            target="RFC6890"></xref>. Anycast addresses are allowed to be
            included in a CONVERT-IPv6 attribute.</t>
          </list></t>
      </section>

      <section title="CONVERT-Port">
        <t>Description<list style="empty">
            <t>The RADIUS CONVERT-Port attribute contains the port number on
            which a Converter listens for Convert messages. At most one
            instance of the CONVERT-Port attribute is included in a RADIUS
            message. <vspace
            blankLines="1" />CONVERT-IPv4, CONVERT-IPv6, and CONVERT-Port
            attributes MAY be present in the same RADIUS message.</t>

            <t>When both CONVERT-IPv4 and CONVERT-IPv6 attributes are
            included, the port number conveyed in CONVERT-Port MUST be used
            for all included IP addresses.</t>

            <t>The CONVERT-Port Attribute MAY appear in a RADIUS Access-Accept
            packet. It MAY also appear in a RADIUS Access-Request packet as a
            hint to the RADIUS server to indicate a preference, although the
            server is not required to honor such a hint.</t>

            <t>The CONVERT-Port Attribute MAY appear in a CoA-Request
            packet.</t>

            <t>The CONVERT-Port Attribute MAY appear in a RADIUS
            Accounting-Request packet.</t>

            <t>The CONVERT-Port Attribute MUST NOT appear in any other RADIUS
            packet.</t>
          </list>Type<list style="empty">
            <t>TBA3 (see <xref target="IANA"></xref>).</t>
          </list></t>

        <t>Length<list style="empty">
            <t>6</t>
          </list></t>

        <t>Data Type<list style="empty">
            <t>The attribute CONVERT-Port is of type integer (Section 3.1 of
            <xref target="RFC8044"></xref>).</t>
          </list></t>

        <t>Value<list style="empty">
            <t>This field includes the port number used by the Converter,
            encoded as a 32-bit unsigned integer in network byte order. The
            16-bit port number is right justified, and the unused high-order
            bits MUST be set to zero.</t>
          </list></t>
      </section>
    </section>

    <section anchor="uc" title="Sample Use Case">
      <t>This section does not aim to provide an exhaustive list of deployment
      scenarios where the use of the RADIUS CONVERT-IPv4, CONVERT-IPv6, and
      CONVERT-Port attributes can be helpful. Typical deployment scenarios
      are described, for instance, in <xref target="RFC6911"></xref>.</t>

      <t><xref target="ex"></xref> shows an example where a CPE is assigned a
      Converter. This example assumes that the Network Access Server (NAS)
      embeds both RADIUS client and DHCPv6 server capabilities.</t>

      <t><figure align="center" anchor="ex" title="Sample Flow Example (1)">
          <artwork><![CDATA[      CPE                             NAS                      AAA
  DHCPv6 client                    DHCPv6 server              server
       |                                |                        |
       |---------DHCPv6 Solicit-------->|                        |
       |                                |----Access-Request ---->|
       |                                |                        |
       |                                |<----Access-Accept------|
       |                                |    CONVERT-IPv6        |
       |                                |    CONVERT-Port        |
       |<-------DHCPv6 Advertisement----|                        |
       |        (OPTION_V6_CONVERT)     |                        |
       |                                |                        |
       |---------DHCPv6 Request-------->|                        |
       |                                |                        |
       |<---------DHCPv6 Reply----------|                        |
       |       (OPTION_V6_CONVERT)      |                        |

                    DHCPv6                          RADIUS]]></artwork>
        </figure></t>

      <t>Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends
      a RADIUS Access-Request message to the AAA server. Once the AAA server
      receives the request, it replies with an Access-Accept message (possibly
      after having sent a RADIUS Access-Challenge message and assuming the CPE
      is entitled to connect to the network) that carries a list of parameters
      to be used for this session, and which include Converter reachability
      information (namely a list of IP addresses and the port number).</t>

      <t>The content of the CONVERT-IPv6 and CONVERT-Port attributes is then
      used by the NAS to complete the DHCPv6 procedure that the CPE initiated
      to retrieve information about the Converter it has been assigned.</t>

      <t>Upon change of the Converter assigned to a CPE, the RADIUS server
      sends a RADIUS CoA-Request message <xref target="RFC5176"></xref> that
      carries the RADIUS CONVERT-IPv6 and/or CONVERT-Port attributes to the
      NAS. Once that message is accepted by the NAS, it replies with a RADIUS
      CoA-ACK message. The NAS replaces the old Converter with the new
      one.</t>

      <t><xref target="ex2"></xref> shows another example where a CPE is
      assigned a Converter, but the CPE uses DHCPv4 to retrieve a list of
      IPv4 addresses of a Converter.</t>

      <t><figure align="center" anchor="ex2" title="Sample Flow Example (2)">
          <artwork><![CDATA[      CPE                               NAS                      AAA
  DHCPv4 client                      DHCPv4 server              server
       |                                  |                        |
       |-----------DHCPDISCOVER---------->|                        |
       |                                  |----Access-Request ---->|
       |                                  |                        |
       |                                  |<----Access-Accept------|
       |                                  |    CONVERT-IPv4        |
       |                                  |    CONVERT-Port        |
       |<------------DHCPOFFER------------|                        |
       |         (OPTION_V4_CONVERT)      |                        |
       |                                  |                        |
       |------------DHCPREQUEST---------->|                        |
       |         (OPTION_V4_CONVERT)      |                        |
       |                                  |                        |
       |<-----------DHCPACK---------------|                        |
       |        (OPTION_V4_CONVERT)       |                        |

                     DHCPv4                         RADIUS]]></artwork>
        </figure></t>

      <t>Some deployments may rely on the mechanisms defined in <xref
      target="RFC4014"></xref> or <xref target="RFC7037"></xref>, which allow
      a NAS to pass attributes obtained from a RADIUS server to a DHCP
      server.</t>
    </section>

    <section anchor="Security" title="Security Considerations">
      <t>RADIUS-related security considerations are discussed in <xref
      target="RFC2865"></xref>.</t>

      <t>Generic Convert security considerations are discussed in <xref
      target="I-D.ietf-tcpm-converters"></xref>.</t>

      <t>MPTCP-related security considerations are discussed in <xref
      target="RFC6824"></xref> and <xref target="RFC6181"></xref>.</t>

      <t>Traffic theft is a risk if an illegitimate Converter is inserted in
      the path. Inserting an illegitimate Converter in the forwarding path
      allows an attacker to intercept traffic and can therefore provide
      access to sensitive data issued by or destined to a host. The
      attributes defined in this document are one way such an insertion
      could happen: a host relays its extended TCP sessions through whatever
      Converter address and port it is told about, so an attacker who can
      forge or modify an Access-Accept or CoA-Request, or who controls the
      AAA server, can redirect the host's traffic to a Converter of their
      choosing. These packets are authenticated only by the RADIUS shared
      secret, so a NAS has to verify the Response Authenticator of an
      Access-Accept and the Authenticator of a CoA-Request <xref
      target="RFC5176"></xref> against the secret shared with the expected
      peer before acting on these attributes, and the DHCP leg of the use
      case in <xref target="uc"></xref> is not authenticated unless
      additional mechanisms are deployed. To mitigate this threat, secure
      means to discover a Converter should be enabled.</t>
    </section>

    <section title="Table of Attributes">
      <t>The following table provides a guide to what types of RADIUS packets
      may contain these attributes, and in what quantity.</t>

      <t><figure>
          <artwork><![CDATA[Access- Access- Access-  Challenge Acct. # Attribute
Request Accept  Reject             Request
 0+      0+      0        0         0+      TBA1 CONVERT-IPv4
 0+      0+      0        0         0+      TBA2 CONVERT-IPv6
 0-1     0-1     0        0         0-1     TBA3 CONVERT-Port

CoA-Request CoA-ACK CoA-NACK #   Attribute
  0+          0       0      TBA1 CONVERT-IPv4
  0+          0       0      TBA2 CONVERT-IPv6
  0-1         0       0      TBA3 CONVERT-Port
]]></artwork>
        </figure></t>

      <t>The following table defines the meaning of the above table
      entries:<figure>
          <artwork><![CDATA[   0   This attribute MUST NOT be present in packet.
   0+  Zero or more instances of this attribute MAY be present in packet.
   0-1 Zero or one instance of this attribute MAY be present in packet.
]]></artwork>
        </figure></t>
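      <t>The following block is an added example, not text of this draft and
      not code from any Converter or RADIUS implementation. It encodes,
      decodes and validates the three attributes defined in <xref
      target="att"></xref> (fixed Lengths, distinct addresses across
      instances, at most one CONVERT-Port, no multicast or loopback
      addresses, zero high-order bits in the port) and applies the
      packet-type rule of the table above. Since TBA1, TBA2 and TBA3 have
      not been assigned by IANA, the type codes 241, 242 and 243 used here
      are placeholders, and the rejection of port 0 is an assumption of the
      example rather than a rule of this document.</t>

      <t><figure>
          <artwork><![CDATA[
```python
"""Encode, decode and validate the CONVERT-IPv4, CONVERT-IPv6 and CONVERT-Port
RADIUS attributes described in the draft.  Added example, not draft text:
TBA1..TBA3 are unassigned, so the type codes are placeholders."""
import ipaddress
import struct

CONVERT_IPV4, CONVERT_IPV6, CONVERT_PORT = 241, 242, 243  # placeholders, not IANA values

# RADIUS packet codes (RFC 2865, RFC 2866, RFC 5176) that may carry the
# attributes according to the draft's Table of Attributes.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST, COA_REQUEST = 1, 2, 4, 43
ALLOWED_CODES = {ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST, COA_REQUEST}


def _check_address(addr):
    # Multicast and host loopback addresses are forbidden; anycast addresses
    # are not distinguishable from unicast and pass through.
    if addr.is_multicast or addr.is_loopback:
        raise ValueError("forbidden Converter address %s" % addr)
    return addr


def encode_convert_ipv4(address):
    # Type, Length (= 6), 4-octet ipv4addr value (RFC 8044).
    addr = _check_address(ipaddress.IPv4Address(address))
    return struct.pack("!BB4s", CONVERT_IPV4, 6, addr.packed)


def encode_convert_ipv6(address):
    # Type, Length (= 18), 16-octet ipv6addr value (RFC 8044).
    addr = _check_address(ipaddress.IPv6Address(address))
    return struct.pack("!BB16s", CONVERT_IPV6, 18, addr.packed)


def encode_convert_port(port):
    # RFC 8044 integer: 32-bit unsigned in network byte order.  The 16-bit
    # port is right-justified; the 16 unused high-order bits are zero.
    if not 0 < port <= 0xFFFF:  # assumption: port 0 is not a usable listener
        raise ValueError("port out of range: %r" % port)
    return struct.pack("!BBI", CONVERT_PORT, 6, port)


def decode_attributes(data):
    """Split a RADIUS attribute blob into (Type, Value) pairs.  RFC 2865
    requires Length >= 2 and to cover Type and Length; a malformed Length
    is rejected rather than silently resynchronised."""
    attrs, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[offset], data[offset + 1]
        if alen < 2 or offset + alen > len(data):
            raise ValueError("bad attribute Length %d" % alen)
        attrs.append((atype, data[offset + 2:offset + alen]))
        offset += alen
    return attrs


def extract_converters(data, packet_code=ACCESS_ACCEPT):
    """Return {'addresses': [...], 'port': int or None} for the Converter
    attributes in `data`, enforcing: attributes only in permitted packet
    types, fixed Lengths, distinct addresses, at most one CONVERT-Port."""
    addresses, port = [], None
    for atype, value in decode_attributes(data):
        if atype not in (CONVERT_IPV4, CONVERT_IPV6, CONVERT_PORT):
            continue  # unrelated attribute, not our concern here
        if packet_code not in ALLOWED_CODES:
            raise ValueError("CONVERT attribute in packet code %d" % packet_code)
        if atype == CONVERT_PORT:
            if len(value) != 4:
                raise ValueError("CONVERT-Port must have Length 6")
            if port is not None:
                raise ValueError("more than one CONVERT-Port")
            (raw,) = struct.unpack("!I", value)
            if raw >> 16:
                raise ValueError("unused CONVERT-Port bits must be zero")
            port = raw
            continue
        if atype == CONVERT_IPV4 and len(value) == 4:
            addr = _check_address(ipaddress.IPv4Address(value))
        elif atype == CONVERT_IPV6 and len(value) == 16:
            addr = _check_address(ipaddress.IPv6Address(value))
        else:
            raise ValueError("wrong Length for attribute type %d" % atype)
        if addr in addresses:
            raise ValueError("duplicate Converter address %s" % addr)
        addresses.append(addr)
    return {"addresses": addresses, "port": port}


def is_rejected(func, *args):
    """True when func(*args) raises ValueError; used to exercise the checks."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed Access-Accept attribute payload: one IPv6, one IPv4, one port.
    accept = (encode_convert_ipv6("2001:db8::1")
              + encode_convert_ipv4("192.0.2.10")
              + encode_convert_port(5000))
    print(extract_converters(accept))
    print(is_rejected(encode_convert_ipv4, "224.0.0.1"))
```
]]></artwork>
        </figure></t>

      <t>Running the block prints the parsed result of the constructed
      Access-Accept payload. Feeding the same payload with the Access-Reject
      code, a second CONVERT-Port instance, a repeated address, a multicast
      or loopback address, or a CONVERT-Port whose high-order 16 bits are
      non-zero raises ValueError, which is the behaviour a NAS should have
      before it passes any of these values on to a CPE.</t>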
    </section>

    <section anchor="IANA" title="IANA Considerations">
      <t>IANA is requested to assign three new RADIUS attribute types from the
      IANA registry "RADIUS Attribute Types" located at
      http://www.iana.org/assignments/radius-types:<list style="empty">
          <t>CONVERT-IPv4 (TBA1)</t>

          <t>CONVERT-IPv6 (TBA2)</t>

          <t>CONVERT-Port (TBA3)</t>
        </list></t>
    </section>

    <section anchor="Acknowledgements" title="Acknowledgements">
      <t>Thanks to Alan DeKok for the comments.</t>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      <?rfc include="reference.RFC.2119"?>

      <?rfc include='reference.RFC.6890'?>

      <?rfc include='reference.RFC.2865'?>

      <?rfc include='reference.RFC.6158'?>

      <?rfc include='reference.RFC.8044'?>

      <?rfc include='reference.RFC.8174'?>

      <?rfc include='reference.I-D.ietf-tcpm-converters'?>
    </references>

    <references title="Informative References">
      <?rfc include='reference.RFC.4908'?>

      <?rfc include='reference.I-D.nam-mptcp-deployment-considerations'?>

      <?rfc include='reference.RFC.6911'?>

      <?rfc include='reference.RFC.8415'?>

      <?rfc include='reference.RFC.2131'?>

      <?rfc include='reference.RFC.6824'?>

      <?rfc include='reference.RFC.5176'?>

      <?rfc include='reference.RFC.6181'?>

      <?rfc include='reference.RFC.4014'?>

      <?rfc include='reference.RFC.7037'?>
    </references>
  </back>
</rfc>
