<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc, which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC2865 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2865.xml">
<!ENTITY RFC2869 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2869.xml">
<!ENTITY RFC3162 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3162.xml">
<!ENTITY RFC3315 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3315.xml">
<!ENTITY RFC3633 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3633.xml">
<!ENTITY RFC3646 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3646.xml">
<!ENTITY RFC3736 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3736.xml">
<!ENTITY RFC4014 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4014.xml">
<!ENTITY RFC4818 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4818.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt'?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs), please see ttp://xml.resource.org/authoring/README.html. -->
<?rfc strict="yes"?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space (using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->

<rfc category="std" docName="draft-yeh-dhc-dhcpv6-authorization-opt-01" ipr="trust200902">

<!-- category values: std, bcp, info, exp, and historic ipr values: trust200902, noModificationTrust200902, noDerivativesTrust200902, or pre5378Trust200902 you can add the attributes updates="NNNN" and obsoletes="NNNN" they will automatically be output with "(if approved)" -->


<!-- ***** FRONT MATTER ***** -->
<front>
<!-- The abbreviated title is used in the page header - it is only necessary if the full title is longer than 39 characters -->

  <title abbrev="DHCPv6 RADIUS Option"> RADIUS Option for DHCPv6 Relay Agents on Broadband Access Server</title>

    <author fullname="Leaf Y. Yeh" initials="L." role="editor" surname="Yeh">
      <organization>Huawei Technologies</organization>
      <address>
        <postal>
          <street></street>
          <city></city>
          <region></region>
          <code></code>
          <country>P. R. China</country>
        </postal>
        <email>leaf.y.yeh@huawei.com</email>
      </address>
    </author>
    
    <author fullname="Mohamed Boucadair" initials="M." surname="Boucadair">
      <organization>France Telecom</organization>
      <address>
        <postal>
          <street></street>
          <city></city>
          <region></region>
          <code></code>
          <country>France</country>
        </postal>
        <email>mohamed.boucadair@orange.com</email>
      </address>
    </author>    
   
   <author fullname="Ted Lemon" initials="T." surname="Lemon">
      <organization>Nominum, Inc </organization>
      <address>
        <postal>
          <street></street>
          <city></city>
          <region></region>
          <code></code>
          <country>USA</country>
        </postal>
        <email>Ted.Lemon@nominum.com</email>
      </address>
    </author>    
   
    <date year="2012" />
    
    <!-- Meta-data Declarations -->
    <area>Internet</area>
    <workgroup>DHC Working Group</workgroup>
    <keyword>DHCPv6</keyword>
    <keyword>RADIUS</keyword>
    <keyword>Authorization</keyword>


<abstract>
<t>The DHCPv6 RADIUS option provides a communication mechanism between relay agent and the server. This mechanism can help the centralized DHCPv6 server to select the right configuration for the client based on the authorization information received from a separate RADIUS server which is not located at the same place of DHCPv6 server in the cases where the NAS acts as DHCPv6 relay agent and RADIUS client simultaneously.</t>


</abstract>

</front>

<!-- ***** MIDDLE MATTER ***** -->

<middle>

  	
<section anchor="p1" title="Introduction">

<t>DHCPv6 provides a mechanism that allows the server to assign or delegate both stateful and stateless configuration parameters to the clients. The stateful configuration parameters include IPv6 address <xref target="RFC3315"/>, IPv6 prefix <xref target="RFC3633"/>, and etc. The stateless configuration parameters <xref target="RFC3736"/> include, for example, DNS <xref target="RFC3646"/>. The DHCPv6 server is typically deployed in the central part of an ISP network.</t>

<t>RADIUS <xref target="RFC2865"/>, an essentially stateless protocol, is used widely as the centralized authentication, authorization and user management mechanism for the service provision in Broadband access network. <xref target="RFC3162"/>, <xref target="RFC4818"/> and <xref target="ietf-radext-ipv6-access-06"/> specify attributes that supports the provision of service for IPv6 access. RADIUS authorizes that the NAS assigns an IPv6 address or prefix from the indicated pool, or assigns an IPv6 address or prefix with an explicitly indicated value in the attributes for the subscribers.</t>

<t>These mechanisms work well in the deployment scenario where the NAS acts as the distributed DHCPv6 server. In this case the NAS responds as the indication conveyed by the attributes in the Access-Accept message from the RADIUS server. These mechanisms also work in the scenario where the centralized DHCPv6 server is co-located with the RADIUS server, where they can share the same database of the users. But when the NAS acts as the relay agent and RADIUS client simultaneously, and the centralized DHCPv6 server is not located in the same place as the RADIUS server, a new communication mechanism is needed for the relay agent to transfer the authorization information indicated by the RADIUS attributes to the DHCPv6 server.</t>

</section>


<section anchor="p2" title="Terminology and Language">

<t>This document specifies a DHCPv6 option for the distributed Relay Agent to transfer the authorization information of RADIUS attributes received in the Access-Accept message to the centralized DHCPv6 server. This document should be read in conjunction with the following specifications: <xref target="RFC2865"/>, <xref target="RFC2869"/>, <xref target="RFC3315"/> and <xref target="RFC4818"/>. These specifications will help the reader to understand how DHCPv6 and RADIUS work together to provide IPv6 service. Definitions for terms and acronyms not specified in this document are defined in <xref target="RFC2865"/>, <xref target="RFC2869"/>, <xref target="RFC3315"/> and <xref target="RFC4818"/>.</t>

<t>The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this document, are to be interpreted as described in BCP 14, <xref target="RFC2119"/>.</t>

</section>


<section anchor="p3" title="Network Scenarios">

<t>Figure 1 and Figure 2 shows the typical network scenarios where the communication mechanism introduced in this document is necessary. In these scenarios, the centralized DHCPv6 server is not co-located with the RADIUS server, but both of them are in the same administrative domain. The NAS acts as the relay agent and the RADIUS client simultaneously. Figure 1 shows the sequence of DHCPv6 and RADIUS messages for IPoE access mode. Figure 2 shows the sequence of DHCPv6 and RADIUS messages for PPPoE access mode.</t>

<figure anchor="f1" title="Network scenario and message sequence when employing DHCPv6 RADIUS option in IPoE access">
<artwork>
+-------+                   +-------+                    +-------+
|DHCPv6 |   Access Mode:    |  NAS  |                    |Radius |
|Client |       IPoE        |(DHCPv6|                    |Server |
|       |                   | Relay)|                    |       |
+-------+                   +-------+                    +-------+
    |                           |                            |
    |---Solicit---------------->|                            |
                                |---Access-Request---------->|
                                |&lt;--Access-Accept------------|
                                |   (e.g. Framed-Pool)
                                |   (e.g. Delegated-IPv6-Prefix)

           DHCPv6 messages             RADIUS messages

                                |                        +-------+
                                |                        |DHCPv6 |
                                |                        |Server |
                                |                        |       |
                                |                        +-------+
                                |---Relay-Forward----------->|
                                |   (OPTION_RADIUS)
                                |
                                |&lt;--Relay-Reply -------------|
    |&lt;--Advertise---------------|
        (e.g. Prefix, Address)  |
    |---Request---------------->|
        (e.g. Prefix, Address)  |
                                |---Relay-Forward----------->|
                                |   (OPTION_RADIUS)
                                |
                                |&lt;--Relay-Reply -------------|
    |&lt;--Reply-------------------|
        (e.g. Prefix, Address)  |

           DHCPv6 messages             DHCPv6 messages                                
</artwork>
</figure>

<figure anchor="f2" title="Network scenario and message sequence when employing DHCPv6 RADIUS option in PPPoE access">
<artwork>

+-------+                   +-------+                    +-------+
|DHCPv6 |   Access Mode:    |  NAS  |                    |Radius |
|Client |      PPPoE        |(DHCPv6|                    |Server |
|       |                   | Relay)|                    |       |
+-------+                   +-------+                    +-------+
    |                           |                            |
    |--PPP LCP Config-Request-->|                            |
                                |---Access-Request---------->|
                                |&lt;--Access-Accept------------|
                                |   (e.g. Framed-Pool)
                                |   (e.g. Delegated-IPv6-Prefix)
                                |
    |&lt;----PPP LCP Config-ACK----|

            PPP messages               RADIUS messages

                                |                        +-------+
                                |                        |DHCPv6 |
                                |                        |Server |
                                |                        |       |
                                |                        +-------+
    |---Solicit---------------->|                            |                                   
                                |---Relay-Forward----------->|
                                |   (OPTION_RADIUS)
                                |
                                |&lt;--Relay-Reply -------------|
    |&lt;--Advertise---------------|
        (e.g. Prefix, Address)  |
    |---Request---------------->|
        (e.g. Prefix, Address)  |
                                |---Relay-Forward----------->|
                                |   (OPTION_RADIUS)
                                |
                                |&lt;--Relay-Reply -------------|
    |&lt;--Reply-------------------|
        (e.g. Prefix, Address)  |

           DHCPv6 messages             DHCPv6 messages                          
</artwork>
</figure>

<t>If the authorization through RADIUS fails, the associated message sequences will stop. The DHCPv6 relay will not forward the message from the client to the server.</t>

</section>


<section anchor="p4" title="OPTION_RADIUS">

<t>The OPTION_RADIUS is a stateless DHCPv6 option, and is used by the relay agent to carry the authorization information of RADIUS attributes received in the Access-Accept message.</t>

<t>The format of the OPTION_RADIUS option is defined as follows:</t>

<figure><artwork>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         OPTION_RADIUS         |         option-length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       RADIUS Attributes...         
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   

option-code      TBD
option-length    Length of the option-data in Octets
option-data      One or a list of RADIUS Attributes
</artwork></figure>

<t>The option-data of OPTION_RADIUS is one or a list of RADIUS attributes received in the Access-Accept message from the RADIUS server. As the same method in <xref target="RFC4014"/>, only the attributes listed in the table below may be included in the OPTION_RADIUS.</t>

<figure><artwork>
Type Code    Attribute                Reference
26           Vendor-Specific          [RFC2865]
88           Framed-Pool              [RFC2869]
123          Delegated-IPv6-Prefix    [RFC4818]
[TBD]        Framed-IPv6-Address      [ietf-radext-ipv6-access-06]
</artwork></figure>

<t>Note: The above table might have more attributes in the future.</t>

</section>


<section anchor="p5" title="Relay Agent Behavior">

<t>The DHCPv6 relay agent may include OPTION_RADIUS in the RELAY-FORW message. When the value in the attributes of Framed-Pool (88), (or Stateful-IPv6-Address-Pool, Delegated-IPv6-Prefix-Pool,) Delegated-IPv6-Prefix (123) and Framed-IPv6-Address in the Access-Accept message replied from RADIUS server are valid, the relay agent that supports OPTION_RADIUS SHOULD include these RADIUS attributes in the container option, OPTION_RADIUS. The relay agent MUST ignore OPTION_RADIUS if received.</t>

</section>


<section anchor="p6" title="Server Behavior">

<t>Upon receipt of the RELAY-FORW message with OPTION_RADIUS from a relay agent, the DHCPv6 server SHOULD extract and interpret the RADIUS attributes in the OPTION_RADIUS, and use that information in selecting configuration parameters for the requesting client. If the DHCPv6 server does not support OPTION_RADIUS, the DHCPv6 server SHOULD ignore this option. The DHCPv6 server MUST NOT include OPTION_RADIUS in RELAY-REPL messages.</t>

</section>


<section anchor="p7" title="Client Behavior">

<t>OPTION_RADIUS option is only exchanged between the relay agents and the servers. DHCPv6 clients are not aware of the usage of OPTION_RADIUS. DHCPv6 Client MUST NOT send OPTION_RADIUS, and MUST ignore OPTION_RADIUS if received.</t>

</section>


<section anchor="p8" title="Security Considerations">

<t>Known security vulnerabilities of the DHCPv6 and RADIUS protocol may apply to its options. Security issues related with DHCPv6 are described in section 23 of <xref target="RFC3315"/>. Security issues related with RADIUS are described in section 8 of <xref target="RFC2865"/>, section 5 of <xref target="RFC3162"/>.</t>

</section>


<section anchor="p9" title="IANA Considerations">

<t>The authors of this document request to assign a new DHCPv6 option code for OPTION_RADIUS.</t>

</section>


<section anchor="p10" title="Acknowledgements">

<t>Expert comments from Bernie Volz and Tomek Mrugalski for the discussion on the technology selection in the mailing list are appreciated.</t>

</section>



</middle>

<!-- ***** BACK MATTER ***** -->

<back>

<references title="Normative References">

  &RFC2119;
  &RFC2865;
  &RFC2869;
  &RFC3315;
  &RFC3736;
  &RFC4014;
  &RFC4818;

</references>

<references title="Informative References">

  &RFC3162;
  &RFC3633;
  &RFC3646;
  
  <reference anchor='ietf-radext-ipv6-access-06'>
	  <front>
	    <title>RADIUS attributes for IPv6 Access Networks</title> 
	    <author initials='B.' surname='Lourdelet' fullname='Benoit Lourdelet' />
	    <author initials='W.' surname='Dec' fullname='Wojciech Dec' />
	    <author initials='B.' surname='Sarikaya' fullname='Behcet Sarikaya' />
	    <author initials='G.' surname='Zorn' fullname='Glen Zorn' />
	    <author initials='D.' surname='Miles' fullname='David Miles' />
	    <date year='2011' month='July' />
	  </front>
  </reference>

</references>

</back>

</rfc>

