idnits 2.17.1 draft-ietf-softwire-map-radius-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (June 22, 2015) is 3224 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415) ** Downref: Normative reference to an Informational RFC: RFC 3580 -- Obsolete informational reference (is this intentional?): RFC 2629 (Obsoleted by RFC 7749) -- Obsolete informational reference (is this intentional?): RFC 5226 (Obsoleted by RFC 8126) Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Softwire S. Jiang 3 Internet-Draft Huawei Technologies Co., Ltd 4 Intended status: Standards Track Y. Fu 5 Expires: December 24, 2015 CNNIC 6 B. Liu 7 Huawei Technologies Co., Ltd 8 P. Deacon 9 IEA Software, Inc. 10 June 22, 2015 12 RADIUS Attribute for MAP 13 draft-ietf-softwire-map-radius-04 15 Abstract 17 Mapping of Address and Port (MAP) is a stateless mechanism for 18 running IPv4 over IPv6-only infrastructure. It provides both IPv4 19 and IPv6 connectivity services simultaneously during the IPv4/IPv6 20 co-existing period. The Dynamic Host Configuration Protocol for IPv6 21 (DHCPv6) MAP options has been defined to configure MAP Customer Edge 22 (CE). However, in many networks, the configuration information may 23 be stored in Authentication Authorization and Accounting (AAA) 24 servers while user configuration is mainly from Broadband Network 25 Gateway (BNG) through DHCPv6 protocol. This document defines a 26 Remote Authentication Dial In User Service (RADIUS) attribute that 27 carries MAP configuration information from AAA server to BNG. The 28 MAP RADIUS attribute are designed following the simplify principle. 29 It provides just enough information to form the correspondent DHCPv6 30 MAP option. 32 Status of This Memo 34 This Internet-Draft is submitted in full conformance with the 35 provisions of BCP 78 and BCP 79. 37 Internet-Drafts are working documents of the Internet Engineering 38 Task Force (IETF). Note that other groups may also distribute 39 working documents as Internet-Drafts. The list of current Internet- 40 Drafts is at http://datatracker.ietf.org/drafts/current/. 42 Internet-Drafts are draft documents valid for a maximum of six months 43 and may be updated, replaced, or obsoleted by other documents at any 44 time. It is inappropriate to use Internet-Drafts as reference 45 material or to cite them other than as "work in progress." 47 This Internet-Draft will expire on December 24, 2015. 49 Copyright Notice 51 Copyright (c) 2015 IETF Trust and the persons identified as the 52 document authors. All rights reserved. 54 This document is subject to BCP 78 and the IETF Trust's Legal 55 Provisions Relating to IETF Documents 56 (http://trustee.ietf.org/license-info) in effect on the date of 57 publication of this document. Please review these documents 58 carefully, as they describe your rights and restrictions with respect 59 to this document. Code Components extracted from this document must 60 include Simplified BSD License text as described in Section 4.e of 61 the Trust Legal Provisions and are provided without warranty as 62 described in the Simplified BSD License. 64 This document may contain material from IETF Documents or IETF 65 Contributions published or made publicly available before November 66 10, 2008. The person(s) controlling the copyright in some of this 67 material may not have granted the IETF Trust the right to allow 68 modifications of such material outside the IETF Standards Process. 69 Without obtaining an adequate license from the person(s) controlling 70 the copyright in such materials, this document may not be modified 71 outside the IETF Standards Process, and derivative works of it may 72 not be created outside the IETF Standards Process, except to format 73 it for publication as an RFC or to translate it into languages other 74 than English. 76 Table of Contents 78 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 79 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 80 3. MAP Configuration process with RADIUS . . . . . . . . . . . . 3 81 4. Attributes . . . . . . . . . . . . . . . . . . . . . . . . . 6 82 4.1. MAP-Configuration Attribute . . . . . . . . . . . . . . . 6 83 4.2. MAP Rule Options . . . . . . . . . . . . . . . . . . . . 6 84 4.3. Sub Options for MAP Rule Option . . . . . . . . . . . . . 7 85 4.3.1. Rule-IPv6-Prefix Sub Option . . . . . . . . . . . . . 7 86 4.3.2. Rule-IPv4-Prefix Sub Option . . . . . . . . . . . . . 8 87 4.3.3. EA Length Sub Option . . . . . . . . . . . . . . . . 9 88 4.3.4. BR-IPv6-Address Sub Option . . . . . . . . . . . . . 9 89 4.3.5. PSID Sub Option . . . . . . . . . . . . . . . . . . . 9 90 4.3.6. PSID Length Sub Option . . . . . . . . . . . . . . . 10 91 4.3.7. PSID Offset Sub Option . . . . . . . . . . . . . . . 10 92 4.4. Table of attributes . . . . . . . . . . . . . . . . . . . 11 93 5. Diameter Considerations . . . . . . . . . . . . . . . . . . . 11 94 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 95 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 96 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 97 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 98 9.1. Normative References . . . . . . . . . . . . . . . . . . 13 99 9.2. Informative References . . . . . . . . . . . . . . . . . 13 100 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 102 1. Introduction 104 Recently providers start to deploy IPv6 and consider how to transit 105 to IPv6. Mapping of Address and Port (MAP)[I-D.ietf-softwire-map] is 106 a stateless mechanism for running IPv4 over IPv6-only infrastructure. 107 It provides both IPv4 and IPv6 connectivity services simultaneously 108 during the IPv4/IPv6 co-existing period. MAP has adopted Dynamic 109 Host Configuration Protocol for IPv6 (DHCPv6) [RFC3315] as auto- 110 configuring protocol. The MAP Customer Edge (CE) uses the DHCPv6 111 extension options [I-D.ietf-softwire-map-dhcp] to discover MAP Border 112 Relay (in tunnel model only) and to configure relevant MAP rules. 114 In many networks, user configuration information may be stored by AAA 115 (Authentication, Authorization, and Accounting) servers. Current AAA 116 servers communicate using the Remote Authentication Dial In User 117 Service (RADIUS) [RFC2865] protocol. In a fixed line broadband 118 network, the Broadband Network Gateways (BNGs) act as the access 119 gateway of users. The BNGs are assumed to embed a DHCPv6 server 120 function that allows them to locally handle any DHCPv6 requests 121 initiated by hosts. 123 Since the MAP configuration information is stored in AAA servers and 124 user configuration is mainly transmitted through DHCPv6 protocol 125 between BNGs and hosts/CEs, new RADIUS attributes are needed to 126 propagate the information from AAA servers to BNGs. The MAP RADIUS 127 attributes designed in this document are especially for the MAP 128 encapsulation mode, while providing enough information to form the 129 correspondent DHCPv6 MAP option [I-D.ietf-softwire-map-dhcp]. 131 2. Terminology 133 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 134 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 135 document are to be interpreted as described in [RFC2119]. 137 The terms MAP CE and MAP Border Relay are defined in 138 [I-D.ietf-softwire-map]. 140 3. MAP Configuration process with RADIUS 142 The below Figure 1 illustrates how the RADIUS protocol and DHCPv6 143 cooperate to provide MAP CE with MAP configuration information. 145 MAP CE BNG AAA Server 146 | | | 147 |------DHCPv6 Solicit----->| | 148 |(Option Request w/ MAP option) | 149 | |--Access-Request(MAP Attr)-->| 150 | | | 151 | |<--Access-Accept(MAP Attr)---| 152 |<---DHCPv6 Advertisement--| | 153 | | | 154 |------DHCPv6 Request---->| | 155 | (MAP Option) | | 156 |<---- -DHCPv6 Reply-------| | 157 | (MAP option) | | 158 | | | 159 DHCPv6 RADIUS 161 Figure 1: the cooperation between DHCPv6 and RADIUS combining with 162 RADIUS authentication 164 The BNG acts as a RADIUS client and as a DHCPv6 server. First, the 165 MAP CE MAY initiate a DHCPv6 Solicit message that includes an Option 166 Request option (6) [RFC3315] with the MAP option 167 [I-D.ietf-softwire-map-dhcp] from the MAP CE. But note that the ORO 168 (Option Request option) with the MAP option could be optional if the 169 network was planned as MAP-enabled as default. When BNG receives the 170 SOLICIT, it SHOULD initiates radius Access-Request message, in which 171 the User-Name attribute (1) SHOULD be filled by the MAP CE MAC 172 address or interface-id or both, to the RADIUS server and the User- 173 password attribute (2) SHOULD be filled by the shared MAP password 174 that has been preconfigured on the DHCPv6 server, requesting 175 authentication as defined in [RFC2865] with MAP-Configuration 176 attribute, which will be defined in the next Section. If the 177 authentication request is approved by the AAA server, an Access- 178 Accept message MUST be acknowledged with the IPv6-MAP-Configuration 179 Attribute. After receiving the Access-Accept message with MAP- 180 Configuration Attribute, the BNG SHOULD respond the user an 181 Advertisement message. Then the user can requests for a MAP Option, 182 and the BNG SHOULD reply the user with the message containing the MAP 183 option. The recommended format of the MAC address is defined as 184 Calling-Station-Id (Section 3.20 in [RFC3580] without the SSID 185 (Service Set Identifier) portion. 187 Figure 2 describes another scenario, in which the authorization 188 operation is not coupled with authentication. Authorization relevant 189 to MAP is done independently after the authentication process. As 190 similar to above scenario, the ORO with the MAP option in the initial 191 DHCPv6 request could be optional if the network was planned as MAP- 192 enabled as default. 194 MAP CE BNG AAA Server 195 | | | 196 |------DHCPv6 Request---->| | 197 |(Option Request w/ MAP option) | 198 | |--Access-Request(MAP Attr)-->| 199 | | | 200 | |<--Access-Accept(MAP Attr)---| 201 | | | 202 |<-----DHCPv6 Reply--------| | 203 | (MAP option) | | 204 | | | 205 DHCPv6 RADIUS 207 Figure 2: the cooperation between DHCPv6 and RADIUS decoupled with 208 RADIUS authentication 210 In the above mentioned scenario, the Access-Request packet SHOULD 211 contain a Service-Type attribute (6) with the value Authorize Only 212 (17); thus, according to [RFC5080], the Access-Request packet MUST 213 contain a State attribute that obtained from the previous 214 authentication process. 216 In both above-mentioned scenarios, Message-authenticator (type 80) 217 [RFC2869] SHOULD be used to protect both Access-Request and Access- 218 Accept messages. 220 After receiving the MAP-Configuration Attribute in the initial 221 Access-Accept, the BNG SHOULD store the received MAP configuration 222 parameters locally. When the MAP CE sends a DHCPv6 Request message 223 to request an extension of the lifetimes for the assigned address, 224 the BNG does not have to initiate a new Access-Request towards the 225 AAA server to request the MAP configuration parameters. The BNG 226 could retrieve the previously stored MAP configuration parameters and 227 use them in its reply. 229 If the BNG does not receive the MAP-Configuration Attribute in the 230 Access-Accept it MAY fallback to a pre-configured default MAP 231 configuration, if any. If the BNG does not have any pre-configured 232 default MAP configuration or if the BNG receives an Access-Reject, 233 the tunnel cannot be established. 235 As specified in [RFC3315], section 18.1.4, "Creation and Transmission 236 of Rebind Messages ", if the DHCPv6 server to which the DHCPv6 Renew 237 message was sent at time T1 has not responded by time T2, the MAP CE 238 (DHCPv6 client) SHOULD enters the Rebind state and attempt to contact 239 any available server. In this situation, the secondary BNG receiving 240 the DHCPv6 message MUST initiate a new Access-Request towards the AAA 241 server. The secondary BNG MAY include the MAP-Configuration 242 Attribute in its Access-Request. 244 4. Attributes 246 This section defines MAP-Rule Attribute which is used in the MAP 247 scenario. The attribute design follows [RFC6158] and refers 248 to[RFC6929]. 250 The MAP RADIUS attribute are designed following the simplify 251 principle. The sub options are organized into two categories: the 252 necessary and the optional. 254 4.1. MAP-Configuration Attribute 256 The MAP-Configuration Attribute is structured as follows: 258 0 1 2 3 259 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 260 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 261 | Type | Length | | 262 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 263 | | 264 + MAP Rule Option(s) + 265 | | 266 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 267 Type 268 TBD 269 Length 270 2 + the length of the Rule option(s) 271 MAP Rule Option (s) 272 A variable field that may contains one or more Rule option(s), 273 defined in Section 4.2 275 4.2. MAP Rule Options 277 Depending on deployment scenario, one Basic Mapping Rule and zero or 278 more Forwarding Mapping Rules MUST be included in one MAP- 279 Configuration Attribute. 281 0 1 2 3 282 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 283 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 284 | Type | Length | | 285 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 286 | | 287 + Sub Options + 288 | | 289 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 290 Type 291 1 Basic Mapping Rule (Not Forwarding Mapping Rule) 292 2 Forwarding Mapping Rule (Not Basic Mapping Rule) 293 3 Basic & Forwarding Mapping Rule 294 Length 295 2 + the length of the sub options 296 Sub Option 297 A variable field that contains necessary sub options defined in 298 Section 4.3 and zero or several optional sub options, defined 299 in Section 4.4 301 4.3. Sub Options for MAP Rule Option 303 4.3.1. Rule-IPv6-Prefix Sub Option 305 The Rule-IPv6-Prefix Sub Option is necessary for every MAP Rule 306 option. It should appear for once and only once. 308 The IPv6 Prefix sub option is followed the framed IPv6 prefix 309 designed in [RFC3162]. 311 0 1 2 3 312 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 313 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 314 | SubType | SubLen | Reserved | prefix6-len | 315 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 316 | | 317 | rule-ipv6-prefix | 318 | | 319 | | 320 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 321 SubType 322 1 (SubType number, for the Rule-IPv6-Prefix6 sub option) 323 SubLen 324 20 (the length of the Rule-IPv6-Prefix6 sub option) 325 Reserved 326 Reserved for future usage. It should be set to all zero 327 prefix6-len 328 length of the IPv6 prefix, specified in the rule-ipv6-prefix 329 field, expressed in bits 330 rule-ipv6-prefix 331 a 128-bits field that specifies an IPv6 prefix that appears in 332 a MAP rule 334 4.3.2. Rule-IPv4-Prefix Sub Option 336 0 1 2 3 337 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 338 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 339 | SubType | SubLen | Reserved | prefix4-len | 340 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 341 | rule-ipv4-prefix | 342 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 344 SubType 345 2 (SubType number, for the Rule-IPv4-Prefix6 sub option) 346 SubLen 347 8 (the length of the Rule-IPv4-Prefix6 sub option) 348 Reserved 349 Reserved for future usage. It should be set to all zero 350 Prefix4-len 351 length of the IPv6 prefix, specified in the rule-ipv6-prefix 352 field, expressed in bits 353 rule-ipv4-prefix 354 a 32-bits field that specifies an IPv4 prefix that appears in 355 a MAP rule 357 4.3.3. EA Length Sub Option 359 0 1 2 3 360 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 361 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 362 | SubType | SubLen | EA-len | 363 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 365 SubType 366 3 (SubType number, for the EA Length sub option) 367 SubLen 368 4 (the length of the EA Length sub option) 369 EA-len 370 16 bits long field that specifies the Embedded-Address (EA) 371 bit length. Allowed values range from 0 to 48 373 4.3.4. BR-IPv6-Address Sub Option 375 0 1 2 3 376 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 377 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 378 | SubType | SubLen | BR-ipv6-address | 379 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + 380 | BR-ipv6-address | 381 + + 382 | BR-ipv6-address | 383 + + 384 | BR-ipv6-address | 385 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 386 | BR-ipv6-address | 387 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 388 SubType 389 4 (SubType number, for the BR-ipv6-address sub option) 390 SubLen 391 20 (the length of the BR-ipv6-address sub option) 392 BR-ipv6-address 393 a 128-bits field that specifies the IPv6 address for the BR. 395 4.3.5. PSID Sub Option 396 0 1 2 3 397 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 398 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 399 | SubType | SubLen | PSID | 400 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 402 SubType 403 5 (SubType number, for the PSID Sub Option sub option) 404 SubLen 405 4 (the length of the PSID Sub Option sub option) 406 PSID (Port-set ID) 407 Explicit 16-bit (unsigned word) PSID value. The PSID value 408 algorithmically identifies a set of ports assigned to a CE. The 409 first k-bits on the left of this 2-octets field is the PSID 410 value. The remaining (16-k) bits on the right are padding zeros. 412 4.3.6. PSID Length Sub Option 414 0 1 2 3 415 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 416 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 417 | SubType | SubLen | PSID-len | 418 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 420 SubType 421 6 (SubType number, for the PSID Length sub option) 422 SubLen 423 4 (the length of the PSID Length sub option) 424 PSID-len 425 Bit length value of the number of significant bits in the PSID 426 field. (also known as 'k'). When set to 0, the PSID field is to 427 be ignored. After the first 'a' bits, there are k bits in the 428 port number representing valid of PSID. Subsequently, the 429 address sharing ratio would be 2 ^k. 431 4.3.7. PSID Offset Sub Option 432 0 1 2 3 433 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 434 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 435 | SubType | SubLen | PSID Offset | 436 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 438 SubType 439 7 (SubType number, for the PSID Offset sub option) 440 SubLen 441 4 (the length of the PSID Offset sub option) 442 PSID Offset 443 4 bits long field that specifies the numeric value for the MAP 444 algorithm's excluded port range/offset bits (A-bits), as per 445 section 5.1.1 in [I-D.ietf-softwire-map]. Default must be set 446 to 4. 448 4.4. Table of attributes 450 The following table provides a guide to which attributes may be found 451 in which kinds of packets, and in what quantity. 453 Request Accept Reject Challenge Accounting # Attribute 454 Request 455 0-1 0-1 0 0 0-1 TBD1 MAP- 456 Configuration 457 0-1 0-1 0 0 0-1 1 User-Name 458 0-1 0 0 0 0 2 User-Password 459 0-1 0-1 0 0 0-1 6 Service-Type 460 0-1 0-1 0-1 0-1 0-1 80 Message-Authenticator 462 The following table defines the meaning of the above table entries. 464 0 This attribute MUST NOT be present in packet. 465 0+ Zero or more instances of this attribute MAY be present in 466 packet. 467 0-1 Zero or one instance of this attribute MAY be present in 468 packet. 469 1 Exactly one instance of this attribute MUST be present in 470 packet. 472 5. Diameter Considerations 474 This attribute is usable within either RADIUS or Diameter [RFC6733]. 475 Since the Attributes defined in this document will be allocated from 476 the standard RADIUS type space, no special handling is required by 477 Diameter entities. 479 6. IANA Considerations 481 This document requires the assignment of two new RADIUS Attributes 482 Types in the "Radius Types" registry (currently located at 483 http://www.iana.org/assignments/radius-types for the following 484 attributes: 486 o MAP-Configuration TBD1 488 IANA should allocate the numbers from the standard RADIUS Attributes 489 space using the "IETF Review" policy [RFC5226]. 491 7. Security Considerations 493 In MAP scenarios, both CE and BNG are within a provider network, 494 which can be considered as a closed network and a lower security 495 threat environment. A similar consideration can be applied to the 496 RADIUS message exchange between BNG and the AAA server. 498 Known security vulnerabilities of the RADIUS protocol are discussed 499 in [RFC2607], [RFC2865], and[RFC2869]. Use of IPsec [RFC4301] for 500 providing security when RADIUS is carried in IPv6 is discussed in 501 [RFC3162]. 503 A malicious user may use MAC address proofing and/or dictionary 504 attack on the shared MAP password that has been preconfigured on the 505 DHCPv6 server to get unauthorized MAP configuration information. 507 Security considerations for MAP specific between MAP CE and BNG are 508 discussed in [I-D.ietf-softwire-map]. Furthermore, generic DHCPv6 509 security mechanisms can be applied DHCPv6 intercommunication between 510 MAP CE and BNG. 512 Security considerations for the Diameter protocol are discussed in 513 [RFC6733]. 515 8. Acknowledgements 517 The authors would like to thank the valuable comments made by Peter 518 Lothberg, Wojciech Dec, and Suresh Krishnan for this document. 520 This document was produced using the xml2rfc tool [RFC2629]. 522 9. References 523 9.1. Normative References 525 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 526 Requirement Levels", BCP 14, RFC 2119, March 1997. 528 [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, 529 "Remote Authentication Dial In User Service (RADIUS)", RFC 530 2865, June 2000. 532 [RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", RFC 533 3162, August 2001. 535 [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., 536 and M. Carney, "Dynamic Host Configuration Protocol for 537 IPv6 (DHCPv6)", RFC 3315, July 2003. 539 [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese, 540 "IEEE 802.1X Remote Authentication Dial In User Service 541 (RADIUS) Usage Guidelines", RFC 3580, September 2003. 543 [RFC5080] Nelson, D. and A. DeKok, "Common Remote Authentication 544 Dial In User Service (RADIUS) Implementation Issues and 545 Suggested Fixes", RFC 5080, December 2007. 547 [RFC6158] DeKok, A. and G. Weber, "RADIUS Design Guidelines", BCP 548 158, RFC 6158, March 2011. 550 [RFC6929] DeKok, A. and A. Lior, "Remote Authentication Dial In User 551 Service (RADIUS) Protocol Extensions", RFC 6929, April 552 2013. 554 9.2. Informative References 556 [I-D.ietf-softwire-map] 557 Troan, O., Dec, W., Li, X., Bao, C., Matsushima, S., 558 Murakami, T., and T. Taylor, "Mapping of Address and Port 559 with Encapsulation (MAP)", draft-ietf-softwire-map-13 560 (work in progress), March 2015. 562 [I-D.ietf-softwire-map-dhcp] 563 Mrugalski, T., Troan, O., Farrer, I., Perreault, S., Dec, 564 W., Bao, C., Yeh, L., and X. Deng, "DHCPv6 Options for 565 configuration of Softwire Address and Port Mapped 566 Clients", draft-ietf-softwire-map-dhcp-12 (work in 567 progress), March 2015. 569 [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy 570 Implementation in Roaming", RFC 2607, June 1999. 572 [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, 573 June 1999. 575 [RFC2869] Rigney, C., Willats, W., and P. Calhoun, "RADIUS 576 Extensions", RFC 2869, June 2000. 578 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 579 Internet Protocol", RFC 4301, December 2005. 581 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 582 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 583 May 2008. 585 [RFC6733] Fajardo, V., Arkko, J., Loughney, J., and G. Zorn, 586 "Diameter Base Protocol", RFC 6733, October 2012. 588 Authors' Addresses 590 Sheng Jiang 591 Huawei Technologies Co., Ltd 592 Q14, Huawei Campus, No.156 Beiqing Road 593 Hai-Dian District, Beijing, 100095 594 P.R. China 596 Email: jiangsheng@huawei.com 598 Yu Fu 599 CNNIC 600 No.4 South 4th Street, Zhongguancun 601 Hai-Dian District, Beijing, 100190 602 P.R. China 604 Email: fuyu@cnnic.cn 606 Bing Liu 607 Huawei Technologies Co., Ltd 608 Q14, Huawei Campus, No.156 Beiqing Road 609 Hai-Dian District, Beijing, 100095 610 P.R. China 612 Email: leo.liubing@huawei.com 613 Peter Deacon 614 IEA Software, Inc. 615 P.O. Box 1170 616 Veradale, WA 99037 617 USA 619 Email: peterd@iea-software.com