Network Working Group                                       M. Boucadair
Internet-Draft                                              C. Jacquenet
Intended status: Standards Track                                  Orange
Expires: October 20, 2017                                 April 18, 2017


     RADIUS Extensions for Network-Assisted Multipath TCP (MPTCP)
                    draft-boucadair-mptcp-radius-04

Abstract

   Because of the lack of Multipath TCP (MPTCP) support at the server
   side, some service providers now consider a network-assisted model
   that relies upon the activation of a dedicated function called MPTCP
   Conversion Point (MCP).  Network-assisted MPTCP deployment models are
   designed to facilitate the adoption of MPTCP for the establishment of
   multi-path communications without making any assumption about the
   support of MPTCP by the communicating peers.  MCPs located in the
   network are responsible for establishing multi-path communications on
   behalf of endpoints, thereby taking advantage of MPTCP capabilities
   to achieve different goals that include (but are not limited to)
   optimization of resource usage (e.g., bandwidth aggregation), of
   resiliency (e.g., primary/backup communication paths), and traffic
   offload management.

   This document specifies new Remote Authentication Dial-In User
   Service (RADIUS) attributes that carry the IP addresses that will be
   returned to authorized users to reach one or multiple MCPs.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 20, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  MPTCP RADIUS Attributes
     2.1.  MPTCP-MCP-IPv4
     2.2.  MPTCP-MCP-IPv6
   3.  Sample Use Case
   4.  Security Considerations
   5.  Table of Attributes
   6.  IANA Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   One of the promising deployment scenarios for Multipath TCP (MPTCP,
   [RFC6824]) is to enable a Customer Premises Equipment (CPE) that is
   connected to multiple networks (e.g., DSL, LTE, WLAN) to optimize the
   usage of such resources; see for example [RFC4908].

   Network-assisted MPTCP deployment models are designed to facilitate
   the adoption of MPTCP for the establishment of multi-path
   communications without making any assumption about the support of
   MPTCP by the communicating peers.  This deployment scenario relies on
   MPTCP proxies located on both the CPE and network sides (Figure 1).

   MPTCP proxies are responsible for establishing multi-path
   communications on behalf of endpoints, thereby taking advantage of
   MPTCP capabilities to optimize resource usage to achieve different
   goals that include (but are not limited to) bandwidth aggregation,
   primary/backup communication paths, and traffic offload management.

          +------------+      _--------_      +----------------+
          |            |     (   LTE    )     |                |
          |    CPE     +=====+          +=====+    Backbone    |
          |   (MCP)    |     (_        _)    |    Network     |
          |            |      (_______)      |+--------------+|
          |            |  IP Network #1      || Concentrator ||------> Internet
          |            |                     ||    (MCP)     ||
          |            |                     |+--------------+|
          |            |  IP Network #2      |                |
          |            |      _--------_     |                |
          |            |     (   DSL    )    |                |
          |            +=====+          +=====+                |
          |            |     (_        _)    |                |
          +-----+------+      (_______)      +----------------+
                |
           ---- LAN ----
                |
            end-nodes

         Figure 1: Network-Assisted MPTCP: Reference Architecture

   Within this document, an MPTCP Conversion Point (MCP) refers to a
   functional element that is responsible for aggregating the traffic
   originated by a group of CPEs.  This element is located in the
   network.  One or multiple MCPs can be deployed in the network to
   assist MPTCP-enabled CPEs to establish MPTCP connections via their
   available network attachments.  On the uplink path, the MCP
   terminates the MPTCP connections received from its customer-facing
   interfaces and transforms these connections into legacy TCP
   connections [RFC0793] towards upstream servers.  On the downlink
   path, the MCP turns the legacy server's TCP connection into MPTCP
   connections towards its customer-facing interfaces.

   This document specifies two new Remote Authentication Dial-In User
   Service (RADIUS, [RFC2865]) attributes that carry the MCP IP address
   list (Section 2).  In order to accommodate both IPv4 and IPv6
   deployment contexts, and given the constraints in Section 3.4 of
   [RFC6158], two attributes are specified.  Note that one or multiple
   IPv4 and/or IPv6 addresses may be returned to a requesting CPE.  A
   sample use case is described in Section 3.

   This document assumes that the MCP(s) reachability information can be
   stored in Authentication, Authorization, and Accounting (AAA) servers
   while the CPE configuration is usually provided by means of DHCP
   ([RFC2131][RFC3315]).  Further Network-Assisted MPTCP deployment and
   operational considerations are discussed in
   [I-D.nam-mptcp-deployment-considerations].

   This specification assumes an MCP is reachable through one or
   multiple IP addresses.  As such, a list of IP addresses can be
   communicated via RADIUS.  It also assumes that the various network
   attachments provided to an MPTCP-enabled CPE are managed by the same
   administrative entity.

   This document adheres to [RFC8044] for defining the new attributes.

2.  MPTCP RADIUS Attributes

2.1.  MPTCP-MCP-IPv4

   Description

      The RADIUS MPTCP-MCP-IPv4 attribute contains the IPv4 address of
      an MCP that is assigned to a CPE.

      Because multiple MCP IP addresses may be provisioned to an
      authorised CPE (that is, a CPE entitled to solicit the resources
      of an MCP to establish MPTCP connections), multiple instances of
      the MPTCP-MCP-IPv4 attribute MAY be included; each instance of the
      attribute carries a distinct IP address.

      Both MPTCP-MCP-IPv4 and MPTCP-MCP-IPv6 attributes MAY be present
      in a RADIUS message.

      The MPTCP-MCP-IPv4 Attribute MAY appear in a RADIUS Access-Accept
      packet.  It MAY also appear in a RADIUS Access-Request packet as a
      hint to the RADIUS server to indicate a preference, although the
      server is not required to honor such a hint.

      The MPTCP-MCP-IPv4 Attribute MAY appear in a CoA-Request packet.

      The MPTCP-MCP-IPv4 Attribute MAY appear in a RADIUS Accounting-
      Request packet.

      The MPTCP-MCP-IPv4 Attribute MUST NOT appear in any other RADIUS
      packet.

   Type

      TBA (see Section 6).

   Length

      6

   Data Type

      The attribute MPTCP-MCP-IPv4 is of type ip4addr (Section 3.3 of
      [RFC8044]).

   Value

      This field includes an IPv4 address (32 bits) of the MCP.

      The MPTCP-MCP-IPv4 attribute MUST NOT include multicast and host
      loopback addresses [RFC6890].  Anycast addresses are allowed to be
      included in an MPTCP-MCP-IPv4 attribute.

2.2.  MPTCP-MCP-IPv6

   Description

      The RADIUS MPTCP-MCP-IPv6 attribute contains the IPv6 address of
      an MCP that is assigned to a CPE.

      Because multiple MCP IP addresses may be provisioned to an
      authorised CPE (that is, a CPE entitled to solicit the resources
      of an MCP to establish MPTCP connections), multiple instances of
      the MPTCP-MCP-IPv6 attribute MAY be included; each instance of the
      attribute carries a distinct IP address.

      Both MPTCP-MCP-IPv4 and MPTCP-MCP-IPv6 attributes MAY be present
      in a RADIUS message.

      The MPTCP-MCP-IPv6 Attribute MAY appear in a RADIUS Access-Accept
      packet.  It MAY also appear in a RADIUS Access-Request packet as a
      hint to the RADIUS server to indicate a preference, although the
      server is not required to honor such a hint.

      The MPTCP-MCP-IPv6 Attribute MAY appear in a CoA-Request packet.

      The MPTCP-MCP-IPv6 Attribute MAY appear in a RADIUS Accounting-
      Request packet.

      The MPTCP-MCP-IPv6 Attribute MUST NOT appear in any other RADIUS
      packet.

   Type

      TBA (see Section 6).

   Length

      18

   Data Type

      The attribute MPTCP-MCP-IPv6 is of type ip6addr (Section 3.9 of
      [RFC8044]).

   Value

      This field includes an IPv6 address (128 bits) of the MCP.

      The MPTCP-MCP-IPv6 attribute MUST NOT include multicast and host
      loopback addresses [RFC6890].  Anycast addresses are allowed to be
      included in an MPTCP-MCP-IPv6 attribute.

3.  Sample Use Case

   This section does not aim to provide an exhaustive list of deployment
   scenarios where the use of the RADIUS MPTCP-MCP-IPv6 and MPTCP-MCP-
   IPv4 attributes can be helpful.  Typical deployment scenarios are
   described, for instance, in [RFC6911].

   Figure 2 shows an example where a CPE is assigned an MCP.  This
   example assumes that the Network Access Server (NAS) embeds both
   RADIUS client and DHCPv6 server capabilities.

   CPE                            NAS                        AAA
   DHCPv6 client                  DHCPv6 server              server
   |                              |                          |
   |---------DHCPv6 Solicit------>|                          |
   |                              |----Access-Request ------>|
   |                              |                          |
   |                              |<----Access-Accept--------|
   |                              |   MPTCP-MCP-IPv6         |
   |<------DHCPv6 Advertisement---|                          |
   |      (OPTION_V6_MPTCP)       |                          |
   |                              |                          |
   |---------DHCPv6 Request------>|                          |
   |                              |                          |
   |<---------DHCPv6 Reply--------|                          |
   |      (OPTION_V6_MPTCP)       |                          |

               DHCPv6                        RADIUS

                   Figure 2: Sample Flow Example (1)

   Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends
   a RADIUS Access-Request message to the AAA server.  Once the AAA
   server receives the request, it replies with an Access-Accept message
   (possibly after having sent a RADIUS Access-Challenge message, and
   assuming the CPE is entitled to connect to the network) that carries
   a list of parameters to be used for this session, which includes
   MCP reachability information (namely a list of IP addresses).

   The content of the MPTCP-MCP-IPv6 attribute is then used by the NAS
   to complete the DHCPv6 procedure that the CPE initiated to retrieve
   information about the MCP it has been assigned.

   Upon change of the MCP assigned to a CPE, the RADIUS server sends a
   RADIUS CoA message [RFC5176] that carries the RADIUS MPTCP-MCP-IPv6
   attribute to the NAS.  Once that message is accepted by the NAS, it
   replies with a RADIUS CoA ACK message.  The NAS replaces the old MCP
   with the new one.

   Figure 3 shows another example where a CPE is assigned an MCP, but
   the CPE uses DHCPv4 to retrieve a list of IP addresses of an MCP.

   CPE                            NAS                        AAA
   DHCPv4 client                  DHCPv4 server              server
   |                              |                          |
   |-----------DHCPDISCOVER------>|                          |
   |                              |----Access-Request ------>|
   |                              |                          |
   |                              |<----Access-Accept--------|
   |                              |   MPTCP-MCP-IPv4         |
   |<-----------DHCPOFFER---------|                          |
   |      (OPTION_V4_MPTCP)       |                          |
   |                              |                          |
   |-----------DHCPREQUEST------->|                          |
   |      (OPTION_V4_MPTCP)       |                          |
   |                              |                          |
   |<------------DHCPACK----------|                          |
   |      (OPTION_V4_MPTCP)       |                          |

               DHCPv4                        RADIUS

                   Figure 3: Sample Flow Example (2)

   Some deployments may rely on the mechanisms defined in [RFC4014] or
   [RFC7037], which allow a NAS to pass attributes obtained from a
   RADIUS server to a DHCP server.

4.  Security Considerations

   RADIUS-related security considerations are discussed in [RFC2865].

   MPTCP-related security considerations are discussed in [RFC6824] and
   [RFC6181].

   Traffic theft is a risk if an illegitimate MCP is inserted in the
   path.  Indeed, inserting an illegitimate MCP in the forwarding path
   allows traffic to be intercepted and can therefore provide access to
   sensitive data issued by or destined to a host.  To mitigate this
   threat, secure means to discover an MCP should be enabled.

5.  Table of Attributes

   The following table provides a guide as to what type of RADIUS
   packets may contain these attributes, and in what quantity.

   Access- Access- Access- Challenge Acct.     #   Attribute
   Request Accept  Reject            Request
   0+      0+      0       0         0+        TBA MPTCP-MCP-IPv4
   0+      0+      0       0         0+        TBA MPTCP-MCP-IPv6

   CoA-Request CoA-ACK CoA-NACK  #   Attribute
   0+          0       0         TBA MPTCP-MCP-IPv4
   0+          0       0         TBA MPTCP-MCP-IPv6

   The following table defines the meaning of the above table entries:

   0   This attribute MUST NOT be present in packet.
   0+  Zero or more instances of this attribute MAY be present in
       packet.

6.  IANA Considerations

   IANA is requested to assign two new RADIUS attribute types from the
   IANA registry "Radius Attribute Types" located at
   http://www.iana.org/assignments/radius-types:

      MPTCP-MCP-IPv4 (TBA)

      MPTCP-MCP-IPv6 (TBA)

7.  Acknowledgements

   Thanks to Alan DeKok for the comments.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, DOI 10.17487/RFC2865, June 2000.

   [RFC6158]  DeKok, A., Ed. and G. Weber, "RADIUS Design Guidelines",
              BCP 158, RFC 6158, DOI 10.17487/RFC6158, March 2011.

   [RFC6890]  Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
              "Special-Purpose IP Address Registries", BCP 153,
              RFC 6890, DOI 10.17487/RFC6890, April 2013.

   [RFC8044]  DeKok, A., "Data Types in RADIUS", RFC 8044,
              DOI 10.17487/RFC8044, January 2017.

8.2.  Informative References

   [I-D.nam-mptcp-deployment-considerations]
              Boucadair, M., Jacquenet, C., Bonaventure, O., Henderickx,
              W., and R. Skog, "Network-Assisted MPTCP: Use Cases,
              Deployment Scenarios and Operational Considerations",
              draft-nam-mptcp-deployment-considerations-01 (work in
              progress), December 2016.

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, DOI 10.17487/RFC2131, March 1997.

   [RFC3315]  Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
              C., and M. Carney, "Dynamic Host Configuration Protocol
              for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
              2003.

   [RFC4014]  Droms, R. and J. Schnizlein, "Remote Authentication Dial-
              In User Service (RADIUS) Attributes Suboption for the
              Dynamic Host Configuration Protocol (DHCP) Relay Agent
              Information Option", RFC 4014, DOI 10.17487/RFC4014,
              February 2005.

   [RFC4908]  Nagami, K., Uda, S., Ogashiwa, N., Esaki, H., Wakikawa,
              R., and H. Ohnishi, "Multi-homing for small scale fixed
              network Using Mobile IP and NEMO", RFC 4908,
              DOI 10.17487/RFC4908, June 2007.

   [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 5176,
              DOI 10.17487/RFC5176, January 2008.

   [RFC6181]  Bagnulo, M., "Threat Analysis for TCP Extensions for
              Multipath Operation with Multiple Addresses", RFC 6181,
              DOI 10.17487/RFC6181, March 2011.

   [RFC6824]  Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
              "TCP Extensions for Multipath Operation with Multiple
              Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013.

   [RFC6911]  Dec, W., Ed., Sarikaya, B., Zorn, G., Ed., Miles, D., and
              B. Lourdelet, "RADIUS Attributes for IPv6 Access
              Networks", RFC 6911, DOI 10.17487/RFC6911, April 2013.

   [RFC7037]  Yeh, L. and M. Boucadair, "RADIUS Option for the DHCPv6
              Relay Agent", RFC 7037, DOI 10.17487/RFC7037, October
              2013.

Authors' Addresses

   Mohamed Boucadair
   Orange
   Rennes 35000
   France

   Email: mohamed.boucadair@orange.com


   Christian Jacquenet
   Orange
   Rennes
   France

   Email: christian.jacquenet@orange.com
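Worked example (added here; it is not part of the draft and not code from the authors or Orange): the Python below builds and parses the MPTCP-MCP-IPv4 and MPTCP-MCP-IPv6 attributes of Section 2 as RADIUS Type/Length/Value octets (Length 6 for ip4addr, 18 for ip6addr), enforces the Section 2 value rules (multicast and host loopback addresses rejected, anycast accepted, one distinct address per instance), and applies the Section 5 table, which allows the attributes only in Access-Request, Access-Accept, Accounting-Request and CoA-Request packets. The attribute type codes 240 and 241 are placeholders, since the draft leaves both as TBA; the RADIUS packet codes are the values from RFC 2865 and RFC 5176, and the addresses in the sample are documentation prefixes constructed for the example.

```python
# Added example, not part of draft-boucadair-mptcp-radius-04 or any Orange code:
# encoding, decoding and policing of the MPTCP-MCP-IPv4 / MPTCP-MCP-IPv6
# RADIUS attributes as described in Sections 2 and 5 of the draft.
import ipaddress
import struct

# The draft leaves both attribute types TBA (Section 6); these two values are
# placeholders chosen for this example only, not IANA assignments.
TYPE_MPTCP_MCP_IPV4 = 240
TYPE_MPTCP_MCP_IPV6 = 241
MCP_TYPES = (TYPE_MPTCP_MCP_IPV4, TYPE_MPTCP_MCP_IPV6)

# RADIUS packet codes from RFC 2865 and RFC 5176.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
ACCESS_CHALLENGE = 11
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Section 5: packet types in which the attributes are "0+"; in every other
# packet type they are "0" (MUST NOT be present).
ALLOWED_PACKET_CODES = {ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST, COA_REQUEST}


def check_mcp_address(address):
    """Apply the Section 2 value rules: multicast and host loopback addresses
    MUST NOT be carried.  Anycast is allowed and is indistinguishable from
    unicast on the wire, so only the forbidden classes are rejected."""
    addr = ipaddress.ip_address(address)
    if addr.is_multicast:
        raise ValueError(f"{addr} is a multicast address")
    if addr.is_loopback:
        raise ValueError(f"{addr} is a host loopback address")
    return addr


def is_valid_mcp_address(address):
    """Boolean form of check_mcp_address for callers that do not want exceptions."""
    try:
        check_mcp_address(address)
        return True
    except ValueError:
        return False


def encode_mcp_attribute(address):
    """Return the Type/Length/Value octets for one MCP address: ip4addr gives
    Length 6, ip6addr gives Length 18, exactly as the draft specifies."""
    addr = check_mcp_address(address)
    attr_type = TYPE_MPTCP_MCP_IPV4 if addr.version == 4 else TYPE_MPTCP_MCP_IPV6
    value = addr.packed
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def decode_attributes(blob):
    """Walk a RADIUS attribute area and return [(type, value_octets)], refusing
    truncated headers and lengths that run past the buffer."""
    attrs = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", blob, offset)
        if length < 2 or offset + length > len(blob):
            raise ValueError(f"bad length {length} for attribute type {attr_type}")
        attrs.append((attr_type, bytes(blob[offset + 2:offset + length])))
        offset += length
    return attrs


def mcp_addresses(attrs):
    """Extract the MCP address list from decoded attributes, enforcing the fixed
    value sizes (4 octets for ip4addr, 16 for ip6addr), the address rules, and
    the requirement that each instance carry a distinct address."""
    addrs = []
    for attr_type, value in attrs:
        if attr_type == TYPE_MPTCP_MCP_IPV4:
            if len(value) != 4:
                raise ValueError("MPTCP-MCP-IPv4 value must be exactly 4 octets")
            addrs.append(check_mcp_address(ipaddress.IPv4Address(value)))
        elif attr_type == TYPE_MPTCP_MCP_IPV6:
            if len(value) != 16:
                raise ValueError("MPTCP-MCP-IPv6 value must be exactly 16 octets")
            addrs.append(check_mcp_address(ipaddress.IPv6Address(value)))
    if len(set(addrs)) != len(addrs):
        raise ValueError("each MPTCP-MCP attribute instance must carry a distinct address")
    return addrs


def attribute_allowed_in(packet_code):
    """True if the Section 5 table marks the MCP attributes as 0+ for this packet type."""
    return packet_code in ALLOWED_PACKET_CODES


def check_packet_policy(packet_code, attrs):
    """Count the MCP attributes in a decoded packet and reject the packet if the
    table says they MUST NOT be present in that packet type."""
    count = sum(1 for attr_type, _ in attrs if attr_type in MCP_TYPES)
    if count and not attribute_allowed_in(packet_code):
        raise ValueError(f"MPTCP-MCP attributes MUST NOT appear in packet code {packet_code}")
    return count


if __name__ == "__main__":
    # Constructed sample: an Access-Accept carrying one IPv4 and one IPv6 MCP
    # address (documentation prefixes, RFC 5737 / RFC 3849).
    accept = encode_mcp_attribute("192.0.2.10") + encode_mcp_attribute("2001:db8::10")
    decoded = decode_attributes(accept)
    print(check_packet_policy(ACCESS_ACCEPT, decoded), [str(a) for a in mcp_addresses(decoded)])
```

A NAS that receives an Access-Accept or CoA-Request would run decode_attributes, check_packet_policy and mcp_addresses in that order before handing the list to its DHCP side; anything that fails the length, address or packet-type rules is dropped rather than forwarded to the CPE, which is the cheapest point at which a malformed or misplaced MCP attribute can be caught.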