Network Working Group J. Heinanen Internet-Draft TutPro Inc. draft-ietf-l2vpn-radius-pe-discovery-00.txt G. Weber, Ed. Expires: August 2004 Cisco Systems February 2004 Using RADIUS for PE-Based VPN Discovery Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document describes how in PE-based VPNs, a PE of a VPN can use RADIUS to authenticate its CEs and discover the other PEs of the VPN. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [2]. Heinanen Expires - August 2004 [Page 1] Using RADIUS for PE-Based VPN Discovery February 2004 Table of Contents 1. Introduction...................................................2 2. Site Identification............................................2 3. RADIUS configuration...........................................3 4. PE Configuration...............................................4 5. Protocol Operation.............................................4 5.1 Connecting a CE to a VPN at a PE...........................4 5.2 Disconnecting a CE from a VPN at a PE......................5 5.3 PE Failure Detection and Recovery..........................6 6. Scaling Limits.................................................6 7. Compliance with PPVPN L2 Requirements..........................6 8. Security Considerations........................................7 9. References.....................................................7 10. Acknowledgments...............................................8 11. Author's Addresses............................................8 12. Full Copyright................................................8 1. Introduction This document describes how in PE-based VPNs a PE of a VPN can use Radius [3,4] to authenticate its CEs and discover the other PEs of the VPN. In Radius terms, the CEs are users and PEs are Network Access Servers (NAS) implementing Radius client function. A VPN can span multiple Autonomous Systems (AS) and multiple providers. Each PE, however, only needs to be a Radius client to Radius of the "local" provider. In case of a CE belongs to a "foreign" VPN, Radius of the local provider acts as a proxy client to Radius of the foreign provider. 2. Site Identification Each CE (a VPN site) is identified by a "user name" of the form [provider/]site@vpn "provider" identifier, if present, denotes a provider that is the administrative owner of the VPN. It is needed only if a CE connects to a VPN at a PE that does not belong to the owner of the VPN and is then used by Radius of the PE to proxy requests to Radius of the owner of the VPN. "site" identifier denotes a site in a VPN identified by "vpn". As an example, providerX/atlanta@vpnY.domainZ.net Heinanen Expires - August 2004 [Page 2] Using RADIUS for PE-Based VPN Discovery February 2004 could denote a CE called "atlanta" in a VPN identified by "vpnY.domainZ.net", which is owned by providerX. 3. RADIUS configuration Each "provider" has a single Radius that stores all information regarding VPNs that belong to the provider. For reliable operation of this protocol, each Radius should consist of more than one physical Radius server. For correct operation of this protocol, all these physical servers MUST at all times share the same database content. For each VPN, Radius of the provider to which the VPN belongs to MUST at all times be configured with a set of "users" that correspond to the potential CEs of the VPN, i.e., CEs that are currently allowed to be connected to the VPN at some PE. User information includes site identifier, password, and VPN identifier: User information MAY also include other information, such as a list of PEs to which the CE is allowed to connect to and QoS information regarding the CE's connection to the VPN. In addition to the above manually configured information, Radius keeps dynamically track of the PEs and CEs of a VPN in a database table that has the following fields: received from the PE any Radius request: Timestamp tells the most recent time when the PE has authenticated the site to the VPN. It is used by Radius to detect if a PE has failed for a longer period of time or has been taken improperly out of use, and if so, to clean up the site and PE from its database. The PEs MAY also have pre-configured attributes telling, for example, that a PE is a hub of a VPN. If dynamic PE discovery capability of this protocol is not used, Radius MUST be configured for each VPN with a list of its PEs. Such a degenerate use of this protocol is not discussed further in this memo. Heinanen Expires - August 2004 [Page 3] Using RADIUS for PE-Based VPN Discovery February 2004 In order to allow queries about CEs that are connected PEs of a "foreign" provider, the Radius servers of this foreign provider MUST be configured as clients in the Radius of the VPN owner. 4. PE Configuration Each PE MUST be configured with the information about the Radius servers of local Radius to which to send requests to. For reliability reasons, each PE SHOULD have available more than one physical Radius server. 5. Protocol Operation 5.1 Connecting a CE to a VPN at a PE When a CE is to be connected to a VPN at a PE, the PE issues a Radius Access-Request using the user name and password of the CE. The PE has either learned this information from the CE via an authentication protocol, for example, 802.1x/EAP, or it has been configured in the PE. Service-Type of the Access-Request is VPN-Login (value TBD). If authentication succeeds and possible other (VPN or provider) specific preconditions are met (for example, the CE is allowed to connect to the particular PE and it is not already connected to some other PE), Radius inserts a record in its database (replacing a possible earlier record that only differs by the timestamp value) and responds with an Access-Accept. Access-Accept includes as reply items a Session-Timeout attribute and one or more PE-List attributes that contain all unique PE IP addresses in the set and possibly other CE specific information, e.g., QoS parameters. Session-Timeout attribute tells to the PE for how long time Radius considers the CE as connected to the VPN at the PE unless the PE re- authenticates the CE. The value of the timestamp in record is the time of the Access-Accept plus the number of seconds in the Session-Timeout attribute. Heinanen Expires - August 2004 [Page 4] Using RADIUS for PE-Based VPN Discovery February 2004 PE-List attribute contains a list of PE IP addresses. It is only used in Access-Accept packets and has the following format: 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- | Type | Length | String ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Type TBD for PE-List Length 16 + N * 4 bytes, where 1 <= N <= 63. String N IP Addresses of PEs (the most significant octet first in each address). After receiving the Access-Accept, the PE considers the CE as connected to the VPN and issues a Start Accounting-Request. If authentication fails or some pre-conditions are not met, Radius responds with Access-Reject. If a PE wants for some reason to get from Radius an up-to-date list of PEs in a particular VPN, it can at any time issue a new Access- Request for any one of its CEs that belongs to the VPN. In order to keep the CE connected to the VPN at the PE, the PE MUST issue a new Access-Request before the number of seconds returned by Radius in Session-Timeout attribute of the most recent Access-Accept has elapsed. Note that this document does not define any protocol mechanisms by which the other PEs of the VPN would be notified that a new CE was connected to the VPN at the PE or that a new PE became associated with the VPN. Such mechanisms belong to the VPN solution documents that utilize the discovery protocol defined in this memo. 5.2 Disconnecting a CE from a VPN at a PE When a CE is to be disconnected from the VPN at a PE, the PE issues a Stop Accounting-Request. After receiving the request, Radius removes the Heinanen Expires - August 2004 [Page 5] Using RADIUS for PE-Based VPN Discovery February 2004 record from its database and responds with an Accounting-Response. The PE considers the CE as disconnected from the VPN at the PE when it has received the Accounting-Response. Note that this document does not define any protocol mechanisms by which the other PEs of the VPN would be notified that a CE was disconnected from the VPN at the PE or that the PE is not anymore associated with the VPN. Such mechanisms belong to the VPN solution documents that utilize the PE discovery protocol defined in this memo. 5.3 PE Failure Detection and Recovery When a PE recovers from a failure, it re-authenticates all CEs connected to it in all VPNs and thus re-discovers all other PEs in all those VPNs. 6. Scaling Limits Since Radius protocol operates over UDP, the maximum UDP payload size available for Radius attributes is limited to about 1500 - 40 = 1460 octets assuming that UDP fragmentation is not supported. The most space consuming message is Access-Accept response, which contains a list of IP addresses of the PEs of a VPN. This limits the number of PEs in a VPN to about 350. Besides the packet size, another factor limiting scalability of this protocol might be the periodic re-authentication of CEs as required by the Session-Timeout reply attribute. For example, if a provider has 3600 VPN sites and uses a Session-Timeout value of 1 hour, then Radius will get on the average of 1 Access-Requests per second. 7. Compliance with PPVPN L2 Requirements This document covers a PE discovery and CE authentication solution for provider based VPNs. Thus only a small subset of the complete PPVPN L2 requirements listed in [5] are applicable to this document. The solution described in this document fulfills all the requirements of section 6.3 of [5] on "Discovering L2VPN Related Information". In particular: (1) Radius based discovery allows PEs to dynamically discover information about other PEs of a VPN with minimal or even with no configuration in the PEs. (2) Unauthorized access to the VPN can be prevented by authentication that is an integral part of Radius. Heinanen Expires - August 2004 [Page 6] Using RADIUS for PE-Based VPN Discovery February 2004 (3) VPN membership information is only distributed to the PEs that have sites that are members of the VPN. Other aspects mentioned on section 6.3 of [5], such as propagation of membership changes in a "timely manner" and no manual reconfiguration of the other PEs, are not directly covered in this document. They belong to VPN solution specifications that apply Radius based PE discovery and CE authentication, such as the one described in [6]. The Radius based solution described in this document also complies with all applicable generic requirements listed in [5]. In particular: (1) The PEs of a VPN can be associated with topology and tunneling protocol information. (2) VPN sites can be associated with QoS and access control information. (3) Radius has been widely implemented by existing PEs and has very good interoperability record. (4) Multi-provider/multi-AS VPNs are readily supported without any extra complications. (5) CEs of a VPN require either no configuration or minimal configuration (user name/password). (6) There is no practical limit on the number of VPNs and, with hierarchical implementation, each VPN can have a very large number of PEs and CEs. (7) Radius based provisioning systems are readily available and are easily adaptable to PE discovery. In summary, Radius provides a good directory based alternative to PPVPN PE discovery and a natural means to authenticate VPN CEs. 8. Security Considerations Security of Radius based VPN discovery depends on the security of Radius that is covered in [3] and [4]. In multi-provider operation, secure tunnels SHOULD be used to carry Radius traffic between providers. 9. References Heinanen Expires - August 2004 [Page 7] Using RADIUS for PE-Based VPN Discovery February 2004 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996. 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 3 C. Rigney, et al., "Remote Authentication Dial In User Service (RADIUS)". RFC 2865, June 2000. 4 C. Rigney, "RADIUS Accounting". RFC 2866, June 2000. 5 W. Augustun, Y. Serbest, "Service Requirements for Layer 2 Provider Provisioned Virtual Private Networks". draft-augustyn- ppvpn-l2vpn-requirements-02.txt, February 2003. 6 J. Heinanen, "Radius/L2TP Based VPLS". draft-ietf-l2vpn-l2tp- radius-vpls-00.txt, January 2004. 10. Acknowledgments The authors would like to thank Mark Duffy, Joel Halpern, and Mark Townsley for their constructive comments on earlier versions of this memo. 11. Author's Addresses Juha Heinanen TutPro Inc. Utsjoki, Finland Email: jh@tutpro.com Greg Weber Cisco Systems San Jose, California Email: gdweber@cisco.com 12. Full Copyright Copyright (C) The Internet Society (2004). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing Heinanen Expires - August 2004 [Page 8] Using RADIUS for PE-Based VPN Discovery February 2004 the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Heinanen Expires - August 2004 [Page 9]