RADIUS Extensions for
0-RTT TCP ConvertersOrangeRennes35000Francemohamed.boucadair@orange.comOrangeRennesFrancechristian.jacquenet@orange.comBecause of the lack of important TCP extensions, e.g., Multipath TCP
support at the server side, some service providers now consider a
network-assisted model that relies upon the activation of a dedicated
function called Transport Converters. For example, network-assisted
Multipath TCP deployment models are designed to facilitate the adoption
of Multipath TCP for the establishment of multi-path communications
without making any assumption about the support of Multipath TCP by the
remote servers. Transport Converters located in the network are
responsible for establishing multi-path communications on behalf of
endpoints, thereby taking advantage of Multipath TCP capabilities to
achieve different goals that include (but are not limited to)
optimization of resource usage (e.g., bandwidth aggregation), of
resiliency (e.g., primary/backup communication paths), and traffic
offload management.This document specifies a new Remote Authentication Dial-In User
Service (RADIUS) attributes that carry the IP addresses that will be
returned to authorized users to reach one or multiple Converters.One of the promising deployment scenarios for Multipath TCP (MPTCP,
) is to enable a host or a Customer
Premises Equipment (CPE) connected to multiple networks (e.g., DSL, LTE,
WLAN) to optimize the usage of such resources. A deployment scenario
relies on MPTCP Conversion Points (called, Transport Converters ). A Converter terminates the
extended TCP (e.g., MPTCP, TCPinc) sessions established from a host,
before redirecting traffic into a legacy TCP session. Further
Network-Assisted MPTCP deployment and operational considerations are
discussed in . shows a deployment example of the
Converters to assist establishing MPTCP connections. specifies the
Converter as a function that is installed by a network operator to aid
the deployment of TCP extensions and to provide the benefits of such
extensions to clients. A Transport Converter supports one or more TCP
extensions.Within this document, a Converter refers to a function that
terminates a transport flow and relays all data received over it over
another transport flow. This element is located upstream in the network.
One or multiple Converters can be deployed in the network side. The
Converter achieves the following:Listen for client sessions;Receive from a client the address of the final target server;Setup a session to the final server;Relay control messages and data between the client and the
server;Perform access controls according to local policies.The Converter element is located in the network. One or multiple
Converters can be deployed.This document specifies two new Remote Authentication Dial-In User
Service (RADIUS, ) attributes that carry
the Converter IP address list (). In order to
accommodate both IPv4 and IPv6 deployment contexts, and given the
constraints in Section 3.4 of , two
attributes are specified. Note that one or multiple IPv4 and/or IPv6
addresses may be returned to a requesting CPE. A sample use case is
described in .This document assumes that the Converter(s) reachability information
can be stored in Authentication, Authorization, and Accounting (AAA)
servers while the CPE configuration is usually provided by means of DHCP
(). Further
Network-Assisted MPTCP deployment and operational considerations are
discussed in .This specification assumes a Converter is reachable through one or
multiple IP addresses. As such, a list of IP addresses can be
communicated via RADIUS. Also, it assumes the various network
attachments provided to an MPTCP-enabled host are managed by the same
administrative entity.This document adheres to for defining
the new attributes.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
when, and
only when, they appear in all capitals, as shown here.DescriptionThe RADIUS CONVERT-IPv4 attribute contains the IPv4 address of
a Converter that is assigned to a host. Because multiple Converters IP addresses may be
provisioned to an authorised host (that is a host entitled to
solicit the resources of a Converter), multiple instances of the
CONVERT-IPv4 attribute MAY be included; each instance of the
attribute carries a distinct IP address. CONVERT-IPv4, CONVERT-IPv6, and CONVERT-Port
attributes MAY be present in a RADIUS message.The CONVERT-IPv4 Attribute MAY appear in a RADIUS Access-Accept
packet. It MAY also appear in a RADIUS Access-Request packet as a
hint to the RADIUS server to indicate a preference, although the
server is not required to honor such a hint.The CONVERT-IPv4 Attribute MAY appear in a CoA-Request
packet.The CONVERT-IPv4 Attribute MAY appear in a RADIUS
Accounting-Request packet.The CONVERT-IPv4 Attribute MUST NOT appear in any other RADIUS
packet.TypeTBA1 (see ).Length6Data TypeThe attribute CONVERT-IPv4 is of type ip4addr (Section 3.3 of
).ValueThis field includes an IPv4 address (32 bits) of the Converter.
The CONVERT-IPv4 attribute MUST NOT
include multicast and host loopback addresses . Anycast addresses are allowed to be
included in a CONVERT-IPv4 attribute.DescriptionThe RADIUS CONVERT-IPv6 attribute contains the IPv6 address of
a Converter that is assigned to a host. Because multiple Converter IP addresses may be
provisioned to an authorised CPE (that is a host entitled to
solicit the resources of a Converter), multiple instances of the
CONVERT-IPv6 attribute MAY be included; each instance of the
attribute carries a distinct IP address. CONVERT-IPv4, CONVERT-IPv6, and CONVERT-Port
attributes MAY be present in a RADIUS message.The CONVERT-IPv6 Attribute MAY appear in a RADIUS Access-Accept
packet. It MAY also appear in a RADIUS Access-Request packet as a
hint to the RADIUS server to indicate a preference, although the
server is not required to honor such a hint.The CONVERT-IPv6 Attribute MAY appear in a CoA-Request
packet.The CONVERT-IPv6 Attribute MAY appear in a RADIUS
Accounting-Request packet.The CONVERT-IPv6 Attribute MUST NOT appear in any other RADIUS
packet.TypeTBA2 (see ).Length18Data TypeThe attribute CONVERT-IPv6 is of type ip6addr (Section 3.9 of
).ValueThis field includes an IPv6 address (128 bits) of the
Converter. The CONVERT-IPv6 attribute
MUST NOT include multicast and host loopback addresses . Anycast addresses are allowed to be
included in an CONVERT-IPv6 attribute.DescriptionThe RADIUS CONVERT-Port attribute contains the port number on
which a Converter listens to Convert messages. CONVERT-IPv4, CONVERT-IPv6, and CONVERT-Port
attributes MAY be present in a RADIUS message.When both CONVERT-IPv4 and CONVERT-IPv6 are included, port
number conveyed in CONVERT-Port MUST be used for all included IP
addresses.The CONVERT-Port Attribute MAY appear in a RADIUS Access-Accept
packet. It MAY also appear in a RADIUS Access-Request packet as a
hint to the RADIUS server to indicate a preference, although the
server is not required to honor such a hint.The CONVERT-Port Attribute MAY appear in a CoA-Request
packet.The CONVERT-Port Attribute MAY appear in a RADIUS
Accounting-Request packet.The CONVERT-Port Attribute MUST NOT appear in any other RADIUS
packet.TypeTBA3 (see ).Length6Data TypeIntegerValueThis field includes the port number used by the Converter,
right justified, and unused bits MUST be set to zero.This section does not aim to provide an exhaustive list of deployment
scenarios where the use of the RADIUS CONVERT-IPv6 and CONVERT-IPv4
attributes can be helpful. Typical deployment scenarios are described,
for instance, in . shows an example where a CPE is assigned a
Converter. This example assumes that the Network Access Server (NAS)
embeds both RADIUS client and DHCPv6 server capabilities.Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends
a RADIUS Access-Request message to the AAA server. Once the AAA server
receives the request, it replies with an Access-Accept message (possibly
after having sent a RADIUS Access-Challenge message and assuming the CPE
is entitled to connect to the network) that carries a list of parameters
to be used for this session, and which include Converter reachability
information (namely a list of IP addresses).The content of the CONVERT-IPv6 and CONVERT-Port attribute is then
used by the NAS to complete the DHCPv6 procedure that the CPE initiated
to retrieve information about the Converter it has been assigned.Upon change of the Converter assigned to a CPE, the RADIUS server
sends a RADIUS CoA message that carries
the RADIUS CONVERT-IPv6 and/or CONVERT-Port attribute to the NAS. Once
that message is accepted by the NAS, it replies with a RADIUS CoA ACK
message. The NAS replaces the old Converter with the new one. shows another example where a CPE is
assigned a Converter, but the CPE uses DHCPv6 to retrieve a list of IP
addresses of a Converter.Some deployments may rely on the mechanisms defined in or , which allows
a NAS to pass attributes obtained from a RADIUS server to a DHCP
server.RADIUS-related security considerations are discussed in .Generic Convert security considerations are discussed in .MPTCP-related security considerations are discussed in and .Traffic theft is a risk if an illegitimate Converter is inserted in
the path. Indeed, inserting an illegitimate Converter in the forwarding
path allows to intercept traffic and can therefore provide access to
sensitive data issued by or destined to a host. To mitigate this threat,
secure means to discover a Converter should be enabled.The following table provides a guide as what type of RADIUS packets
that may contain these attributes, and in what quantity.The following table defines the meaning of the above table
entries:IANA is requested to assign two new RADIUS attribute types from the
IANA registry "Radius Attribute Types" located at
http://www.iana.org/assignments/radius-types:CONVERT-IPv4 (TBA1)CONVERT-IPv6 (TBA2)CONVERT-Port (TBA3)Thanks to Alan DeKok for the comments.