Network Working Group B. Lourdelet Internet-Draft W. Dec, Ed. Intended status: Standards Track Cisco Systems, Inc. Expires: September 15, 2011 B. Sarikaya Huawei USA G. Zorn Network Zen D. Miles Alcatel-Lucent March 14, 2011 RADIUS attributes for IPv6 Access Networks draft-ietf-radext-ipv6-access-04.txt Abstract This document specifies additional IPv6 RADIUS attributes useful in residential broadband network deployments. The attributes, which are used for authorization and accounting, enable assignment of a host IPv6 address and IPv6 DNS server address via DHCPv6; assignment of an IPv6 route announced via router advertisement, and assignment of a named IPv6 delegated prefix pool. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 15, 2011. Copyright Notice Lourdelet, et al. Expires September 15, 2011 [Page 1] Internet-Draft RADIUS IPv6 Access March 2011 Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Lourdelet, et al. Expires September 15, 2011 [Page 2] Internet-Draft RADIUS IPv6 Access March 2011 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . 4 2.1. IPv6 Address Assignment . . . . . . . . . . . . . . . . . 5 2.2. Recursive DNS Servers . . . . . . . . . . . . . . . . . . 6 2.3. IPv6 Route Information . . . . . . . . . . . . . . . . . . 6 2.4. Delegated IPv6 Prefix Pool . . . . . . . . . . . . . . . . 6 3. Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.1. Framed-IPv6-Address . . . . . . . . . . . . . . . . . . . 7 3.2. DNS-Server-IPv6-Address . . . . . . . . . . . . . . . . . 8 3.3. Route-IPv6-Information . . . . . . . . . . . . . . . . . . 9 3.4. Delegated-IPv6-Prefix-Pool . . . . . . . . . . . . . . . . 10 3.5. Table of attributes . . . . . . . . . . . . . . . . . . . 10 4. Diameter Considerations . . . . . . . . . . . . . . . . . . . 10 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 8.1. Normative References . . . . . . . . . . . . . . . . . . . 11 8.2. Informative References . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 Lourdelet, et al. Expires September 15, 2011 [Page 3] Internet-Draft RADIUS IPv6 Access March 2011 1. Introduction In IPv6 deployments DHCPv6 and/or ICMPv6 Router Advertisements can be used to convey configuration information by a NAS towards accessing hosts. Such information typically needs to be provisioned on the NAS and may be done so on a per host or user basis using the AAA process. This document specifies additional RADIUS attributes used to support configuration of DHCPv6 and/or ICMPv6 parameters on a per-user basis. The attributes, which complement those defined in [RFC3162] and [RFC4818], support the following: o The assignment or accounting of specific IPv6 addresses assigned to hosts. While [RFC3162] permits an IPv6 address to be specified via the combination of the Framed-Interface-Id and Framed-IPv6- Prefix attributes, this separation is more natural for use with IPv6CP than it is for use with DHCPv6, and the use of a single IPv6 address attribute makes for easier processing of accounting records. o Assignment of an IPv6 DNS server address, via DHCPv6 or [RFC5006] o Configuration of a route to be passed to the host via Router Advertisement [RFC4191] or other similar mechanisms (eg DHCPv6) o The assignment of a named delegated prefix pool for use with "IPv6 Prefix Options for DHCPv6" [RFC3633] 2. Deployment Scenarios A common broadband network scenario is illustrated in Figure 1. It is composed of a IP Routing Residential Gateway (RG) or host, a Layer 2 Access-Node (e.g. a DSLAM), one or more IP Network Access Servers (NASes), and an AAA server. The RG or host are expected to be multi homed to both NASes. Layer 2 Connectivity between the host and NAS can be either via PPPoE or IP over Ethernet, and established dynamically. Lourdelet, et al. Expires September 15, 2011 [Page 4] Internet-Draft RADIUS IPv6 Access March 2011 +-----+ (Radius) | AAA | ...........>| | . +--+--+ v ^ +---+---+ . | NAS | .(Radius) | | . +---+---+ v +------+ | +---+---+ +------+ | AN | | | NAS | | RG/ +-------| +-----------+----------+ | | host | | | | | +------+ (DSL) +------+ (Ethernet) +-------+ Figure 1 In this scenario the NASes may embed a DHCPv6 server to handle DHCPv6 requests issued by RGs/hosts, as well as acting as a router providing Router Advertisements. The RADIUS server authenticates each RG/host and returns to the NAS attributes used for authorization and accounting. These attributes can include a host IPv6 address to be configured via DHCPv6; the IPv6 address of a DNS server to configured via DHCPv6 or router advertisement; the name of a prefix pool to be used for DHCPv6 Prefix Delegation; or IPv6 routes to be announced to the host. The following sub-sections discuss how these uses in more detail. 2.1. IPv6 Address Assignment DHCPv6 [RFC3315] provides a mechanism to assign one or more or non- temporary IPv6 addresses to hosts. To provide a DHCPv6 server residing on a NAS with one or more IPv6 addresses to be assigned, this document specifies the Framed-IPv6-Address Attribute. Since DHCPv6 can be deployed on the same network as ICMPv6 stateless (SLAAC) [RFC4862], it is possible that the NAS will require both stateful and stateless configuration information. Therefore it is possible for the Framed-IPv6-Address, Framed-IPv6-Prefix and Framed- Interface-Id attributes [RFC3162] to be included within the same packet. To avoid ambiguity, the Framed-IPv6-Address attribute is only used for authorization and accounting of DHCPv6-assigned addresses and the Framed-IPv6-Prefix and Framed-Interface-Id attributes are used for authorization and accounting of addresses assigned via SLAAC. Lourdelet, et al. Expires September 15, 2011 [Page 5] Internet-Draft RADIUS IPv6 Access March 2011 2.2. Recursive DNS Servers DHCPv6 provides an option for recursive DNS servers to hosts, as does ICMPv6 with Router Advertisements supporting the experimental [RFC5006] option. Existing IETF RADIUS attributes convey DNS as 32- bit IPv4 addresses and cannot support a 128-bit IPv6 address. This document specifies the RADIUS attribute to convey a list of IPv6 DNS Recursive name server addresses, from an AAA server, which can that can be conveyed by a NAS to a host. 2.3. IPv6 Route Information An IPv6 Route Information option, defined in [RFC4191] is intended to be used to inform a host connected to the NAS that a specific route is reachable via the NAS. This is particularly desirable in cases where the RG or host are multi-homed to different NASes as shown in Figure 1. This document specifies the RADIUS attribute that allows the AAA system to provision the announcement by the NAS of a specific Route Information Option to an accessing host. The NAS may advertise this route using the method defined in [RFC4191] or using other equivalent methods. The distinction and separation between this attribute and the Framed- IPv6-Route attribute defined in [RFC3162] is needed due to the need to have the information carried by this attribute advertised (in binary format as per RFC4191) to an attaching client, rather than intended for the NAS itself. 2.4. Delegated IPv6 Prefix Pool DHCPv6 Prefix Delegation [RFC3633] involves a delegating router selecting a prefix and delegating it on a temporary basis to a requesting router. The delegating router may implement a number of strategies as to how it chooses what prefix is to be delegated to a requesting router, one of them being the use of a local named prefix pool. The Delegated-IPv6-Prefix-Pool Attribute allows the RADIUS server to convey a prefix pool name to a NAS hosting a DHCPv6-PD server and acting as a delegated router. Since DHCPv6 Prefix Delegation can conceivably be used on the same network as SLAAC, it is possible for the Delegated-IPv6-Prefix-Pool and Framed-IPv6-Pool attributes to be included within the same packet. To avoid ambiguity in this scenario, use of the Delegated- IPv6-Prefix-Pool attribute should be restricted to authorization and accounting of prefix pools used in DHCPv6 Prefix Delegation and the Framed-IPv6-Pool attribute should be used for authorization and Lourdelet, et al. Expires September 15, 2011 [Page 6] Internet-Draft RADIUS IPv6 Access March 2011 accounting of prefix pools used in SLAAC. 3. Attributes The fields shown in the diagrams below are transmitted from left to right. 3.1. Framed-IPv6-Address This Attribute indicates an IPv6 Address that is assigned to the NAS- facing interface of the RG/host. It MAY be used in Access-Accept packets, and MAY appear multiple times. It MAY be used in an Access- Request packet as a hint by the NAS to the server that it would prefer these IPv6 address(es), but the server is not required to honor the hint. Since it is assumed that the NAS will add a route corresponding to the address, it is not necessary for the server to also send a host Framed-IPv6-Route attribute for the same address. This Attribute can be used by a DHCPv6 process on the NAS to assign a unique IPv6 address to the RG/host. A summary of the Framed-IPv6-Address Attribute format is shown below. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Address +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont.) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type TBA1 for Framed-IPv6-Address Length 18 Lourdelet, et al. Expires September 15, 2011 [Page 7] Internet-Draft RADIUS IPv6 Access March 2011 Address The IPv6 address field contains a 128-bit IPv6 address. 3.2. DNS-Server-IPv6-Address The DNS-Server-IPv6-Address Attribute contains the IPv6 address of a recursive DNS server. This attribute MAY be included multiple times in Access-Accept packets, when the intention is for a NAS to announce more than one recursive DNS address to an RG/host. The same order of the attributes is expected to be followed in the announcements to the client. The content of this attribute can be inserted in a DHCPv6 option as specified in [RFC3646] or mapped option. A summary of the DNS-Server-IPv6-Address Attribute format is given below. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Address +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont.) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type TBA2 for DNS-Server-IPv6-Address Length 18 Address The 128-bit IPv6 address of a DNS server. Lourdelet, et al. Expires September 15, 2011 [Page 8] Internet-Draft RADIUS IPv6 Access March 2011 3.3. Route-IPv6-Information This Attribute specifies a prefix (and corresponding route) to be authorized for announcement towards the user by the NAS, with the reachable by means of routing towards the NAS. It is used in the Access-Accept packet and can appear multiple times. It may also be used in the Access-Request packet as hint to the server. A summary of the Route-IPv6-Information attribute format is shown below. The route information option defined in [RFC4191] is captured in this and following two attributes. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Reserved | Prefix-Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . Prefix (variable) . . . | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type TBA3 for Route-IPv6-Information Length Length in bytes. At least 4 and no larger than 20; typically 12 or less. Prefix Length The length of the prefix, in bits; at least 0 and no more than 128; typically 64 or less. Prefix Variable-length field containing an IP prefix. The Prefix Length field contains the number of valid leading bits in the prefix. The bits in the prefix after the prefix length (if any) up to the byte boundary are reserved and MUST be initialized to zero by the sender and ignored by the receiver. Lourdelet, et al. Expires September 15, 2011 [Page 9] Internet-Draft RADIUS IPv6 Access March 2011 3.4. Delegated-IPv6-Prefix-Pool This Attribute contains the name of an assigned pool that SHOULD be used to select an IPv6 delegated prefix for the user. If a NAS does not support multiple prefix pools, the NAS MUST ignore this Attribute. A summary of the Delegated-IPv6-Prefix-Pool Attribute format is shown below. The fields are transmitted from left to right. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | String... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type TBA4 for Delegated-IPv6-Prefix-Pool Length Length in bytes. At least 4. String The string field contains the name of an assigned IPv6 prefix pool configured on the NAS. The field is not NULL (hex 00) terminated. 3.5. Table of attributes The following table provides a guide to which attributes may be found in which kinds of packets, and in what quantity. Request Accept Reject Challenge Accounting # Attribute Request 0+ 0+ 0 0 0+ TBA1 Framed-IPv6-Address 0+ 0+ 0 0 0+ TBA2 DNS-Server-IPv6-Address 0 0+ 0 0 0+ TBA3 Route-IPv6-Information 0 0-1 0 0 0-1 TBA4 Delegated-IPv6-Prefix-Pool 4. Diameter Considerations Given that the Attributes defined in this document are allocated from the standard RADIUS type space (see Section 6), no special handling is required by Diameter entities. Lourdelet, et al. Expires September 15, 2011 [Page 10] Internet-Draft RADIUS IPv6 Access March 2011 5. Security Considerations This document describes the use of RADIUS for the purposes of authentication, authorization and accounting in IPv6-enabled networks. In such networks, the RADIUS protocol may run either over IPv4 or over IPv6. Known security vulnerabilities of the RADIUS protocol apply to the attributes defined in this document. Since IPSEC is natively defined for IPv6, it is expected that running RADIUS implementations supporting IPv6 may want to run over IPSEC. Where RADIUS is run over IPSEC and where certificates are used for authentication, it may be desirable to avoid management of RADIUS shared secrets, so as to leverage the improved scalability of public key infrastructure. 6. IANA Considerations This document requires the assignment of three new RADIUS Attribute Types in the "Radius Types" registry (currently located at http://www.iana.org/assignments/radius-types for the following attributes: o Framed-IPv6-Address o DNS-Server-IPv6-Address o Route-IPv6-Information o Delegated-IPv6-Prefix-Pool 7. Acknowledgements The authors would like to thank Bernard Aboba, Alfred Hines, Alan DeKok, Peter Deacon, and Mark Smith for their help and comments in reviewing this document. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862, September 2007. Lourdelet, et al. Expires September 15, 2011 [Page 11] Internet-Draft RADIUS IPv6 Access March 2011 8.2. Informative References [RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", RFC 3162, August 2001. [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. [RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6", RFC 3633, December 2003. [RFC3646] "". [RFC4191] Draves, R. and D. Thaler, "Default Router Preferences and More-Specific Routes", RFC 4191, November 2005. [RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix Attribute", RFC 4818, April 2007. [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, September 2007. [RFC5006] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, "IPv6 Router Advertisement Option for DNS Configuration", RFC 5006, September 2007. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. Authors' Addresses Benoit Lourdelet Cisco Systems, Inc. Village ent. GreenSide, Bat T3, 400, Av de Roumanille, 06410 BIOT - Sophia-Antipolis Cedex France Phone: +33 4 97 23 26 23 Email: blourdel@cisco.com Lourdelet, et al. Expires September 15, 2011 [Page 12] Internet-Draft RADIUS IPv6 Access March 2011 Wojciech Dec (editor) Cisco Systems, Inc. Haarlerbergweg 13-19 Amsterdam , NOORD-HOLLAND 1101 CH Netherlands Email: wdec@cisco.com Behcet Sarikaya Huawei USA 1700 Alma Dr. Suite 500 Plano, TX US Phone: +1 972-509-5599 Email: sarikaya@ieee.org Glen Zorn Network Zen 1310 East Thomas Street Seattle, WA US Email: gwz@net-zen.net David Miles Alcatel-Lucent L3 / 215 Spring St Melbourne, Victoria 3000, Australia Phone: Fax: Email: David.Miles@alcatel-lucent.com URI: Lourdelet, et al. Expires September 15, 2011 [Page 13]