idnits 2.17.1 draft-ietf-softwire-map-radius-11.txt:

   Checking boilerplate required by RFC 5378 and the IETF Trust (see
   https://trustee.ietf.org/license-info): No issues found here.

   Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
   No issues found here.

   Checking nits according to https://www.ietf.org/id-info/checklist:
   ** There is 1 instance of too long lines in the document, the longest
      one being 1 character in excess of 72.

   Miscellaneous warnings:
   == The copyright year in the IETF Trust and authors Copyright Line does
      not match the current year
   -- The document date (March 31, 2017) is 2575 days in the past.  Is
      this intentional?

   Checking references for intended status: Proposed Standard (see RFCs
   3967 and 4897 for information about using normative references to
   lower-maturity documents in RFCs):
   ** Obsolete normative reference: RFC 3315 (Obsoleted by RFC 8415)
   -- Obsolete informational reference (is this intentional?): RFC 5226
      (Obsoleted by RFC 8126)

   Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--).
   Run idnits with the --verbose option for more detailed information
   about the items above.

--------------------------------------------------------------------------------

Softwire                                                   S. Jiang, Ed.
Internet-Draft                              Huawei Technologies Co., Ltd
Intended status: Standards Track                              Y. Fu, Ed.
Expires: October 2, 2017                                           CNNIC
                                                                  B. Liu
                                            Huawei Technologies Co., Ltd
                                                               P. Deacon
                                                      IEA Software, Inc.
                                                                  C. Xie
                                                           China Telecom
                                                                   T. Li
                                                     Tsinghua University
                                                          March 31, 2017

      RADIUS Attribute for Softwire Address plus Port based Mechanisms
                    draft-ietf-softwire-map-radius-11

Abstract

   IPv4-over-IPv6 transition mechanisms provide both IPv4 and IPv6
   connectivity services simultaneously during the IPv4/IPv6
   co-existence period.  Dynamic Host Configuration Protocol for IPv6
   (DHCPv6) options have been defined to configure the Customer Edge
   (CE) in MAP-E, MAP-T, and Lightweight 4over6.  However, in many
   networks the configuration information may be stored in an
   Authentication, Authorization and Accounting (AAA) server, while
   user configuration information is mainly provided by the Broadband
   Network Gateway (BNG) through the DHCPv6 protocol.  This document
   defines two new Remote Authentication Dial In User Service (RADIUS)
   attributes that carry CE configuration information from an AAA
   server to the BNG.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 2, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Configuration process with RADIUS
   4.  Attributes
     4.1.  Softwire46-Configuration Attribute
     4.2.  S46 Container Options
     4.3.  Sub Options for S46 Container Option
       4.3.1.  S46-Rule Sub Option
       4.3.2.  S46-BR Sub Option
       4.3.3.  S46-DMR Sub Option
       4.3.4.  S46-V4V6Bind Sub Option
       4.3.5.  S46-PORTPARAMS Sub Option
     4.4.  Sub Options for S46-Rule Sub Option
       4.4.1.  Rule-IPv6-Prefix Sub Option
       4.4.2.  Rule-IPv4-Prefix Sub Option
       4.4.3.  EA Length Sub Option
     4.5.  Softwire46 Sub Options Encapsulation
     4.6.  Softwire46-Priority Attribute
     4.7.  Table of attributes
   5.  Diameter Considerations
   6.  IANA Considerations
     6.1.  S46 Mechanisms and Their Identifying Option Codes
   7.  Security Considerations
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Additional Authors
   Authors' Addresses

1.  Introduction

   Providers have recently started to deploy IPv6 and to consider how
   to transition to IPv6.  Many transition mechanisms based on Address
   plus Port (A+P) [RFC6346] have been proposed for running IPv4 over an
   IPv6-only infrastructure, including MAP-E, MAP-T, and Lightweight
   4over6.  Mapping of Address and Port with Encapsulation (MAP-E)
   [RFC7597] and Mapping of Address and Port using Translation (MAP-T)
   [RFC7599] are stateless mechanisms for running IPv4 over an
   IPv6-only infrastructure.  Lightweight 4over6 [RFC7596] is a
   hub-and-spoke IPv4-over-IPv6 tunneling mechanism with complete
   independence of IPv4 and IPv6 addressing.  All three provide IPv4
   and IPv6 connectivity services simultaneously during the IPv4/IPv6
   co-existence period.  MAP-E, MAP-T and Lightweight 4over6 have
   adopted the Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
   [RFC3315] as their auto-configuration protocol.  The Customer Edge
   (CE) uses DHCPv6 options to discover the Border Relay (BR) and to
   obtain its Softwire46 (S46) configuration.

   In many networks, user configuration information may be stored in an
   Authentication, Authorization, and Accounting (AAA) server.
   Currently, AAA servers communicate using the Remote Authentication
   Dial In User Service (RADIUS) [RFC2865] protocol.  In a fixed-line
   broadband network, a Broadband Network Gateway (BNG) acts as the
   access gateway for users.  The BNG is assumed to embed a DHCPv6
   server function that allows it to locally handle any DHCPv6 requests
   initiated by hosts.
   Since the S46 configuration information is stored in AAA servers,
   while user configuration information is mainly transmitted via the
   DHCPv6 protocol between the BNGs and the hosts/CEs, new RADIUS
   attributes are needed to propagate that information from the AAA
   servers to the BNGs.  The RADIUS attributes designed in this
   document are specific to MAP-E [RFC7597], MAP-T [RFC7599] and
   Lightweight 4over6 [RFC7596], and provide enough information for the
   BNG to form the corresponding DHCPv6 configuration options
   [RFC7598].

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Configuration process with RADIUS

   Figure 1 below illustrates how the RADIUS protocol and DHCPv6
   cooperate to provide the CE with MAP configuration information.  The
   BNG acts as both a RADIUS client and a DHCPv6 server.

      CE                              BNG                    AAA Server
      |                                |                            |
      |-------1.DHCPv6 Solicit-------->|                            |
      | (ORO w/container option code)  |                            |
      |                                |-------2.Access-Request---->|
      |                                | (S46-Configuration attribute)
      |                                |                            |
      |                                |<------3.Access-Accept------|
      |<---4.DHCPv6 Advertisement------| (S46-Configuration attribute)
      |       (container option)       |                            |
      |-------5.DHCPv6 Request-------->|                            |
      |       (container option)       |                            |
      |<------6.DHCPv6 Reply-----------|                            |
      |       (container option)       |                            |
      |                                |                            |
                   DHCPv6                          RADIUS

       Figure 1: The cooperation between DHCPv6 and RADIUS, combined
                        with RADIUS authentication

   1.  First, the CE MAY initiate a DHCPv6 Solicit message that includes
       an Option Request option (6) [RFC3315] with the S46 Container
       option codes defined in [RFC7598].  As described in [RFC7598],
       OPTION_S46_CONT_MAPE should be included for MAP-E [RFC7597],
       OPTION_S46_CONT_MAPT for MAP-T [RFC7599], and OPTION_S46_CONT_LW
       for Lightweight 4over6 [RFC7596].
       Note, however, that the ORO (Option Request option) with the S46
       Container option code could be optional if the network is planned
       to be S46-enabled by default.

   2.  When the BNG receives the Solicit message, it should initiate a
       RADIUS Access-Request message towards the RADIUS server, in which
       a User-Name attribute (1) should be filled with the CE MAC
       address, the interface-id, or both, and a User-Password
       attribute (2) should be filled with the shared password that has
       been preconfigured on the DHCPv6 server, requesting
       authentication as defined in [RFC2865] together with the
       corresponding Softwire46-Configuration Attribute, which is
       defined in the next section.

   3.  If the authentication request is approved by the AAA server, an
       Access-Accept message MUST be acknowledged with the corresponding
       Softwire46-Configuration Attribute.

   4.  After receiving the Access-Accept message with the corresponding
       attribute, the BNG SHOULD respond to the DHCPv6 client (CE) with
       an Advertise message.

   5.  After receiving the Advertise message, the CE MAY request the
       corresponding S46 Container option by including the S46 Container
       option in the Request message.

   6.  After receiving the client's Request message containing the
       corresponding S46 Container option, the BNG SHOULD reply to the
       CE with a Reply message containing the S46 Container option.

   The recommended format of the MAC address is that of the
   Calling-Station-Id (Section 3.20 of [RFC3580]) without the SSID
   (Service Set Identifier) portion.

   For Lightweight 4over6 [RFC7596], the subscriber's binding state
   should be synchronized between the AAA server and the lwAFTR.  If the
   bindings are pre-configured statically in both the AAA server and
   the lwAFTR, the AAA server does not need to configure the lwAFTR.
   Otherwise, if the bindings are created on demand in the AAA server,
   the AAA server should inform the lwAFTR of the subscriber's binding
   state, in order to synchronize the binding information of the lwB4
   with the lwAFTR.

   The authorization operation could also be done independently, after
   the authentication process.  In such a scenario, after the
   authentication operation the client MAY initiate a DHCPv6 Request
   message that includes the corresponding S46 Container options.  As
   in the scenario above, the ORO with the corresponding S46 Container
   option code in the initial DHCPv6 request could be optional if the
   network is planned to be S46-enabled by default.  When the BNG
   receives the DHCPv6 Request, it SHOULD initiate a RADIUS
   Access-Request message, which MUST contain a Service-Type attribute
   (6) with the value Authorize Only (17), the corresponding
   Softwire46-Configuration Attribute, and a State attribute obtained
   from the previous authentication process according to [RFC5080].  If
   the authorization request is approved by the AAA server, an
   Access-Accept message MUST be acknowledged with the corresponding
   Softwire46-Configuration Attribute.  The BNG SHOULD then send the
   DHCPv6 Reply message containing the S46 Container option.

   In both of the above scenarios, Message-Authenticator (type 80)
   [RFC2869] SHOULD be used to protect both Access-Request and
   Access-Accept messages.

   If the BNG does not receive the corresponding
   Softwire46-Configuration Attribute in the Access-Accept message, it
   MAY fall back to a pre-configured default S46 configuration, if any.
   If the BNG has no pre-configured default S46 configuration, or if
   the BNG receives an Access-Reject, then the S46 connection cannot be
   established.
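   The BNG side of the two exchanges above, as an added example that is
   not part of this draft: it builds the Access-Request of step 2
   (User-Name from the CE MAC address, the hidden User-Password and,
   for the authorize-only variant, Service-Type = Authorize Only with
   the State attribute), protects it with Message-Authenticator as
   [RFC2869] specifies, and applies to the AAA server's reply the
   integrity checks and the fallback decisions of the last two
   paragraphs.  The attribute type 224 stands in for TBD1 (an
   assumption; IANA has not assigned the type), and the shared secret,
   MAC address, password, State and configuration bytes are constructed
   values; the packet and authenticator formats follow [RFC2865] and
   [RFC2869].

```python
"""BNG side of the Section 3 exchanges: build the Access-Request, protect it with
Message-Authenticator, and check the AAA server's reply before deciding on S46."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, STATE, MESSAGE_AUTHENTICATOR = 1, 2, 6, 24, 80
AUTHORIZE_ONLY = 17
SOFTWIRE46_CONFIGURATION = 224  # placeholder for TBD1 (assumption: IANA has not assigned the type)

def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (value length + 2, a single octet), Value."""
    if len(value) > 253:
        raise ValueError("value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password, secret, request_authenticator):
    """User-Password hiding of RFC 2865 Section 5.2: XOR with an MD5 stream in 16-octet blocks."""
    padded, out, prev = password + bytes(-len(password) % 16), b"", request_authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def walk_attributes(packet):
    """Yield (type, value offset, value); inconsistent lengths are rejected rather than read past."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("Length field does not match the packet")
    off = 20
    while off < len(packet):
        if off + 2 > len(packet) or packet[off + 1] < 2 or off + packet[off + 1] > len(packet):
            raise ValueError("bad attribute length")
        yield packet[off], off + 2, packet[off + 2:off + packet[off + 1]]
        off += packet[off + 1]

def message_authenticator(packet, secret, request_authenticator):
    """RFC 2869 Section 5.14: HMAC-MD5 over the packet with the MAC value zeroed and the Request Authenticator in the header; returns (value offset, MAC)."""
    offsets = [o for t, o, _ in walk_attributes(packet) if t == MESSAGE_AUTHENTICATOR]
    if len(offsets) != 1:
        raise ValueError("exactly one Message-Authenticator expected")
    zeroed = packet[:4] + request_authenticator + packet[20:offsets[0]] + bytes(16) + packet[offsets[0] + 16:]
    return offsets[0], hmac.new(secret, zeroed, hashlib.md5).digest()

def mac_is_valid(packet, secret, request_authenticator):
    """Compare the carried Message-Authenticator in constant time (for a request, pass packet[4:20])."""
    o, mac = message_authenticator(packet, secret, request_authenticator)
    return hmac.compare_digest(mac, packet[o:o + 16])

def build_access_request(secret, request_authenticator, ident, ce_mac, shared_password, state=None):
    """Step 2 of Section 3; with a State from a prior authentication it is the authorize-only request."""
    attrs = avp(USER_NAME, ce_mac) + avp(USER_PASSWORD, hide_password(shared_password, secret, request_authenticator))
    if state is not None:
        attrs += avp(SERVICE_TYPE, struct.pack("!I", AUTHORIZE_ONLY)) + avp(STATE, state)
    attrs += avp(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_authenticator + attrs
    o, mac = message_authenticator(packet, secret, request_authenticator)
    return packet[:o] + mac + packet[o + 16:]

def build_response(code, secret, request_authenticator, ident, attrs):
    """AAA side (step 3): MAC first, then Response Authenticator = MD5(Code, ID, Length, Request Authenticator, Attributes, Secret) per RFC 2865."""
    attrs += avp(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs
    o, mac = message_authenticator(packet, secret, request_authenticator)
    packet = packet[:o] + mac + packet[o + 16:]
    return packet[:4] + hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest() + packet[20:]

def reply_is_authentic(packet, secret, request_authenticator):
    """The BNG's checks on a reply: Response Authenticator, then Message-Authenticator."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20]) and mac_is_valid(packet, secret, request_authenticator)

def bng_decision(reply, secret, request_authenticator, default_config=None):
    """Section 3 outcome: unverifiable reply -> discard; Reject -> no S46; Accept without the attribute -> pre-configured default, if any."""
    try:
        authentic = reply_is_authentic(reply, secret, request_authenticator)
    except ValueError:  # malformed lengths or no Message-Authenticator at all
        authentic = False
    if not authentic or reply[0] not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return "discard", None
    if reply[0] == ACCESS_REJECT:
        return "reject", None
    cfg = [v for t, _, v in walk_attributes(reply) if t == SOFTWIRE46_CONFIGURATION]
    if cfg:
        return "s46", cfg[0]
    return ("default", default_config) if default_config is not None else ("none", None)

def example():
    """A constructed exchange: secret, MAC, password, State and configuration bytes are all made up."""
    secret, ra = b"constructed-shared-secret", os.urandom(16)  # fresh Request Authenticator per request
    req = build_access_request(secret, ra, 7, b"00-11-22-33-44-55", b"constructed-password", state=b"st-42")
    # Constructed value: a Lightweight 4over6 container (type 3, length 20) holding one S46-BR sub option.
    cfg = b"\x03\x14\x04\x12" + bytes.fromhex("20010db8000000000000000000000001")
    accept = build_response(ACCESS_ACCEPT, secret, ra, 7, avp(SOFTWIRE46_CONFIGURATION, cfg))
    bare = build_response(ACCESS_ACCEPT, secret, ra, 7, b"")
    reject = build_response(ACCESS_REJECT, secret, ra, 7, b"")
    forged = accept[:-1] + bytes([accept[-1] ^ 1])          # one bit altered in transit
    tampered = req[:25] + bytes([req[25] ^ 1]) + req[26:]  # User-Name altered after signing
    return {"request_ok": mac_is_valid(req, secret, req[4:20]),
            "request_tampered": mac_is_valid(tampered, secret, tampered[4:20]),
            "accept": bng_decision(accept, secret, ra),
            "bare_accept": bng_decision(bare, secret, ra, default_config=b"preconfigured"),
            "bare_accept_no_default": bng_decision(bare, secret, ra),
            "reject": bng_decision(reject, secret, ra),
            "forged": bng_decision(forged, secret, ra)}
```

   The order of checks in bng_decision is deliberate: a reply whose
   Response Authenticator or Message-Authenticator does not verify is
   dropped before its code is even looked at, so neither a forged
   Access-Reject nor an Access-Accept with an altered
   Softwire46-Configuration value reaches the DHCPv6 side.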
   As specified in Section 18.1.4 of [RFC3315], "Creation and
   Transmission of Rebind Messages", if the DHCPv6 server to which the
   DHCPv6 Renew message was sent at time T1 has not responded by time
   T2, the CE (DHCPv6 client) SHOULD enter the Rebind state and attempt
   to contact any available server.  In this situation, the secondary
   BNG receiving the DHCPv6 message MUST initiate a new Access-Request
   message towards the AAA server.  The secondary BNG MAY include the
   Softwire46-Configuration Attribute in its Access-Request message.

4.  Attributes

   This section defines the Softwire46-Configuration Attribute and the
   Softwire46-Priority Attribute.  The attribute design follows
   [RFC6158] and refers to [RFC6929].  The Softwire46-Configuration
   Attribute carries the configuration information for MAP-E, MAP-T,
   and Lightweight 4over6.  The configuration information for each S46
   mechanism is carried in the corresponding S46 Container option, and
   each type of S46 Container option requires a different set of sub
   options.  The RADIUS attribute for Dual-Stack Lite [RFC6333] is
   defined in [RFC6519].

   A client may be capable of supporting several different S46
   mechanisms.  Depending on the deployment scenario, a client might
   request more than one S46 mechanism at a time.  The
   Softwire46-Priority Attribute contains information allowing the
   client to prioritize which mechanism to use, corresponding to
   OPTION_S46_PRIORITY defined in [RFC8026].

4.1.  Softwire46-Configuration Attribute

   The Softwire46-Configuration Attribute can only encapsulate S46
   Container Option(s).
   The Softwire46-Configuration Attribute is structured as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
      |                                                               |
      +                    S46 Container Option(s)                    +
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type
      TBD

   Length
      2 + the length of the S46 Container option(s), specified in
      octets

   S46 Container Option(s)
      A variable-length field that contains one or more S46 Container
      options, defined in Section 4.2.

4.2.  S46 Container Options

   The S46 Container Option can only be encapsulated in the
   Softwire46-Configuration Attribute.  Depending on the deployment
   scenario, a client might request more than one transition mechanism
   at a time.  There MUST be at least one S46 Container option
   encapsulated in one Softwire46-Configuration Attribute, and there
   MUST be at most one instance of each type of S46 Container Option
   encapsulated in one Softwire46-Configuration Attribute.

                                                      / 1. Rule-IPv6-Prefix Sub Option
                          / 1. S46-Rule Sub Option --+  2. Rule-IPv4-Prefix Sub Option
                         |                            \ 3. EA Length Sub Option
                         |  2. S46-BR Sub Option
   S46 Container Option -+  3. S46-DMR Sub Option
                         |  4. S46-V4V6Bind Sub Option
                         |  5. S46-PORTPARAMS Sub Option
                          \

                  Figure 2: S46 Container Option Hierarchy

   There are three types of S46 Container Option, namely the MAP-E
   Container Option, the MAP-T Container Option and the Lightweight
   4over6 Container Option.  Each type of S46 Container Option contains
   a number of sub options, defined in Section 4.3.  The hierarchy of
   the S46 Container Option is shown in Figure 2.  Section 4.5
   describes which Sub Options are mandatory, optional, or not
   permitted for each defined S46 Container Option.
   There are three types of S46-Rule Sub Option, namely Basic Mapping
   Rule, Forwarding Mapping Rule, and Basic and Forwarding Mapping
   Rule.  Each type of S46-Rule Sub Option in turn contains a number of
   Sub Options.  The Rule-IPv6-Prefix Sub Option is necessary for every
   type of S46-Rule Sub Option; it should appear once and only once.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
      |                                                               |
      +                          Sub Options                          +
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type
      1  MAP-E Container Option
      2  MAP-T Container Option
      3  Lightweight 4over6 Container Option

   Length
      2 + the length of the Sub Options, specified in octets

   Sub Options
      A variable-length field that contains the necessary sub options
      defined in Section 4.3 and zero or more optional sub options,
      defined in Section 4.4.

4.3.  Sub Options for S46 Container Option

4.3.1.  S46-Rule Sub Option

   The S46-Rule Sub Option can only be encapsulated in the MAP-E
   Container Option or the MAP-T Container Option.  Depending on the
   deployment scenario, one Basic Mapping Rule and zero or more
   Forwarding Mapping Rules MUST be included in one MAP-E Container
   Option or MAP-T Container Option.

   Each type of S46-Rule Sub Option in turn contains a number of sub
   options: the Rule-IPv6-Prefix Sub Option, the Rule-IPv4-Prefix Sub
   Option, and the EA Length Sub Option.  The structure of the sub
   options for the S46-Rule Sub Option is defined in Section 4.4.
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    SubType    |    SubLen     |                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
      |                                                               |
      +                          Sub Options                          +
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   SubType
      1  Basic Mapping Rule (not Forwarding Mapping Rule)
      2  Forwarding Mapping Rule (not Basic Mapping Rule)
      3  Basic & Forwarding Mapping Rule

   SubLen
      2 + the length of the Sub Options, specified in octets

   Sub Options
      A variable-length field that contains the sub options defined in
      Section 4.4.

4.3.2.  S46-BR Sub Option

   The S46-BR Sub Option can only be encapsulated in the MAP-E
   Container Option or the Lightweight 4over6 Container Option.  There
   MUST be at least one S46-BR Sub Option included in each MAP-E
   Container Option or Lightweight 4over6 Container Option.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    SubType    |    SubLen     |                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
      |                                                               |
      +                        BR-ipv6-address                        +
      |                                                               |
      +                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   SubType
      4 (SubType number for the S46-BR Sub Option)

   SubLen
      18 (the length of the S46-BR Sub Option)

   BR-ipv6-address
      A fixed-length field of 16 octets that specifies the IPv6 address
      of the S46 BR.

4.3.3.  S46-DMR Sub Option

   The S46-DMR Sub Option can only appear in the MAP-T Container
   Option.  There MUST be exactly one S46-DMR Sub Option included in
   one MAP-T Container Option.
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    SubType    |    SubLen     |dmr-prefix6-len|               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               +
      |                        dmr-ipv6-prefix                        |
      |                       (variable length)                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   SubType
      5 (SubType number for the S46-DMR Sub Option)

   SubLen
      3 + the length of dmr-ipv6-prefix, specified in octets

   dmr-prefix6-len
      8 bits long; expresses the bitmask length of the IPv6 prefix
      specified in the dmr-ipv6-prefix field.  Allowed values range
      from 0 to 96.

   dmr-ipv6-prefix
      A variable-length field specifying the IPv6 prefix or address of
      the BR.  This field is right-padded with zeros to the nearest
      octet boundary when dmr-prefix6-len is not divisible by 8.

4.3.4.  S46-V4V6Bind Sub Option

   The S46-V4V6Bind Sub Option can only be encapsulated in the
   Lightweight 4over6 Container Option.  There MUST be at most one
   S46-V4V6Bind Sub Option included in each Lightweight 4over6
   Container Option.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    SubType    |    SubLen     |          ipv4-address         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          (continued)          |bindprefix6-len|               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               +
      |                        bind-ipv6-prefix                       |
      |                       (variable length)                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   SubType
      6 (SubType number for the S46-V4V6Bind Sub Option)

   SubLen
      The length of the S46-V4V6Bind Sub Option, expressed in octets

   ipv4-address
      A 32-bit field that specifies the IPv4 address that appears in
      the V4V6Bind Option

   bindprefix6-len
      8 bits long; expresses the bitmask length of the IPv6 prefix
      specified in the bind-ipv6-prefix field.  Allowed values range
      from 0 to 96.

   bind-ipv6-prefix
      A variable-length field specifying the IPv6 prefix or address of
      the S46 CE.  This field is right-padded with zeros to the nearest
      octet boundary when bindprefix6-len is not divisible by 8.

4.3.5.  S46-PORTPARAMS Sub Option

   The S46-PORTPARAMS Sub Option specifies optional port set
   information that MAY be provided to CEs.  The S46-PORTPARAMS Sub
   Option can optionally be included in each type of S46 Container
   Option.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    SubType    |    SubLen     |  PSID-Offset  |   PSID-len    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |             PSID              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   SubType
      7 (SubType number for the S46-PORTPARAMS Sub Option)

   SubLen
      6 (the length of the S46-PORTPARAMS Sub Option)

   PSID-Offset
      8-bit field that specifies the numeric value of the S46
      algorithm's excluded port range/offset bits (a bits), as per
      Section 5.1 of [RFC7597].  Allowed values are between 0 and 15.
      Default values for this field are specific to the Softwire
      mechanism being implemented and are defined in the relevant
      specification document.

   PSID-len
      8 bits long; specifies the number of significant bits in the PSID
      field (also known as 'k').  When set to 0, the PSID field is to
      be ignored.  After the first 'a' bits, there are k bits in the
      port number representing the PSID.  The resulting address sharing
      ratio is 2^k.

   PSID (Port-set ID)
      Explicit 16-bit (unsigned word) PSID value.  The PSID value
      algorithmically identifies a set of ports assigned to a CE.  The
      first k bits on the left of this 2-octet field are the PSID
      value.  The remaining (16-k) bits on the right are padding
      zeros.

4.4.  Sub Options for S46-Rule Sub Option

4.4.1.  Rule-IPv6-Prefix Sub Option

   The Rule-IPv6-Prefix Sub Option is necessary for every S46-Rule Sub
   Option.  There MUST be exactly one Rule-IPv6-Prefix Sub Option
   encapsulated in each type of S46-Rule Sub Option.

   The Rule-IPv6-Prefix Sub Option follows the Framed-IPv6-Prefix
   attribute defined in [RFC3162].

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    SubType    |    SubLen     |   Reserved    |  prefix6-len  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                       rule-ipv6-prefix                        |
      |                                                               |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   SubType
      8 (SubType number for the Rule-IPv6-Prefix Sub Option)

   SubLen
      20 (the length of the Rule-IPv6-Prefix Sub Option)

   Reserved
      Reserved for future use.  It should be set to all zero.

   prefix6-len
      The length of the IPv6 prefix specified in the rule-ipv6-prefix
      field, expressed in bits.

   rule-ipv6-prefix
      A 128-bit field that specifies an IPv6 prefix that appears in a
      MAP rule.

4.4.2.  Rule-IPv4-Prefix Sub Option

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    SubType    |    SubLen     |   Reserved    |  prefix4-len  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       rule-ipv4-prefix                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   SubType
      9 (SubType number for the Rule-IPv4-Prefix Sub Option)

   SubLen
      8 (the length of the Rule-IPv4-Prefix Sub Option)

   Reserved
      Reserved for future use.  It should be set to all zero.

   prefix4-len
      The length of the IPv4 prefix specified in the rule-ipv4-prefix
      field, expressed in bits.
   rule-ipv4-prefix
      A 32-bit field that specifies an IPv4 prefix that appears in a
      MAP rule.

4.4.3.  EA Length Sub Option

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    SubType    |    SubLen     |            EA-len             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   SubType
      10 (SubType number for the EA Length Sub Option)

   SubLen
      4 (the length of the EA Length Sub Option)

   EA-len
      16-bit field that specifies the Embedded-Address (EA) bit length.
      Allowed values range from 0 to 48.

4.5.  Softwire46 Sub Options Encapsulation

   The table below shows which encapsulated Sub Options are mandatory,
   optional, or not permitted for each defined S46 Container Option.

         +----------------+-------+-------+--------------------+
         | Sub Option     | MAP-E | MAP-T | Lightweight 4over6 |
         +----------------+-------+-------+--------------------+
         | S46-BR         |   M   |  N/P  |         M          |
         +----------------+-------+-------+--------------------+
         | S46-Rule       |   M   |   M   |        N/P         |
         +----------------+-------+-------+--------------------+
         | S46-DMR        |  N/P  |   M   |        N/P         |
         +----------------+-------+-------+--------------------+
         | S46-V4V6Bind   |  N/P  |  N/P  |         O          |
         +----------------+-------+-------+--------------------+
         | S46-PORTPARAMS |   O   |   O   |         O          |
         +----------------+-------+-------+--------------------+

         M - Mandatory, O - Optional, N/P - Not Permitted

4.6.  Softwire46-Priority Attribute

   The Softwire46-Priority Attribute is structured as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |        S46-option-code        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |              ...              |        S46-option-code        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type
      TBD

   Length
      2 + the length of the S46-option-code(s), specified in octets

   S46-option-code
      16-bit IANA-registered option code of the DHCPv6 option that is
      used to identify the softwire mechanism.  S46 mechanisms are
      prioritized in the order in which the S46-option-code(s) appear
      in the Softwire46-Priority Attribute.  A Softwire46-Priority
      Attribute MUST contain at least one S46-option-code.  The option
      codes of the corresponding S46 mechanisms are listed in
      Section 6.1.

4.7.  Table of attributes

   The following table provides a guide to which attributes may be
   found in which kinds of packets, and in what quantity.

   Request Accept Reject Challenge Accounting  #     Attribute
                                    Request
    0-1     0-1     0       0         0-1     TBD1  Softwire46-Configuration
    0-1     0-1     0       0         0-1     TBD2  Softwire46-Priority
    0-1     0-1     0       0         0-1     1     User-Name
    0-1      0      0       0          0      2     User-Password
    0-1     0-1     0       0         0-1     6     Service-Type
    0-1     0-1    0-1     0-1        0-1     80    Message-Authenticator

   The following table defines the meaning of the above table entries.

   0    This attribute MUST NOT be present in the packet.
   0+   Zero or more instances of this attribute MAY be present in the
        packet.
   0-1  Zero or one instance of this attribute MAY be present in the
        packet.
   1    Exactly one instance of this attribute MUST be present in the
        packet.

5.  Diameter Considerations

   S46 configuration using Diameter [RFC6733] is specified in
   [RFC7678].

6.  IANA Considerations

   This document requires the assignment of two new RADIUS Attribute
   Types in the "Radius Types" registry (currently located at
   http://www.iana.org/assignments/radius-types) for the following
   attributes:

   o  Softwire46-Configuration Attribute  TBD1

   o  Softwire46-Priority Attribute  TBD2

   IANA should allocate the numbers from the standard RADIUS Attributes
   space using the "IETF Review" policy [RFC5226].

6.1.  S46 Mechanisms and Their Identifying Option Codes

   This document requires IANA to register five option codes of the
   Softwire46 mechanisms permitted to be included in the
   Softwire46-Priority Attribute.  As this work has already been done
   in Section 4.1 of [RFC8026], the five option codes should be
   consistent with those defined in Section 4.1 of [RFC8026].
   Additional options may be added to this list in the future using
   the IETF Review process described in Section 4.1 of [RFC5226].

   The following table shows the option codes that are currently
   defined and the S46 mechanisms that they represent.

            +-------------+--------------------+-----------+
            | Option Code | S46 Mechanism      | Reference |
            +-------------+--------------------+-----------+
            | 94          | MAP-E              | RFC7598   |
            +-------------+--------------------+-----------+
            | 95          | MAP-T              | RFC7598   |
            +-------------+--------------------+-----------+
            | 96          | Lightweight 4over6 | RFC7598   |
            +-------------+--------------------+-----------+
            | 64          | DS-Lite            | RFC6334   |
            +-------------+--------------------+-----------+
            | 88          | DHCPv4 over DHCPv6 | RFC7341   |
            +-------------+--------------------+-----------+

                  Table 1: Option Codes to S46 Mechanisms

7.  Security Considerations

   Known security vulnerabilities of the RADIUS protocol are discussed
   in [RFC2607], [RFC2865], and [RFC2869].  Use of IPsec [RFC4301] for
   providing security when RADIUS is carried in IPv6 is discussed in
   [RFC3162].
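   The attribute encoding of Sections 4.1 through 4.5 worked through
   end to end, as an added example that is not part of this draft and
   is placed here because the value of the attribute is exactly what a
   BNG has to validate before trusting it: a MAP-E container with one
   Basic Mapping Rule, an S46-BR and an S46-PORTPARAMS sub option is
   built, parsed back with strict length checks so that a bad SubLen
   can never cause a read beyond the attribute, checked against the
   table in Section 4.5 and the one-container-per-type rule of
   Section 4.2, and the port set that the PORTPARAMS values identify is
   computed with the RFC 7597 Section 5.1 algorithm that Section 4.3.5
   refers to.  The attribute type 224 stands in for TBD1 (an
   assumption; IANA has not assigned the type), the S46-DMR and
   S46-V4V6Bind sub options are left opaque, and all prefixes,
   addresses and PSID values are constructed.

```python
"""Softwire46-Configuration Attribute (Sections 4.1-4.5): encode, decode strictly, validate, derive ports."""
import ipaddress
import struct

SOFTWIRE46_CONFIGURATION = 224  # placeholder for TBD1 (assumption: IANA has not assigned the type)
MAPE, MAPT, LW4O6 = 1, 2, 3                                              # S46 Container Option types (4.2)
BMR, FMR, BMR_FMR, BR, DMR, V4V6BIND, PORTPARAMS = 1, 2, 3, 4, 5, 6, 7   # container SubTypes (4.3)
RULE_IPV6, RULE_IPV4, EA_LEN = 8, 9, 10                                  # SubTypes inside an S46-Rule (4.4)
KIND = {BMR: "rule", FMR: "rule", BMR_FMR: "rule", BR: "br", DMR: "dmr", V4V6BIND: "v4v6bind", PORTPARAMS: "portparams"}
# Section 4.5 table: M = required, O = permitted; any other sub option is N/P.
REQUIRED = {MAPE: {"br", "rule"}, MAPT: {"rule", "dmr"}, LW4O6: {"br"}}
PERMITTED = {MAPE: {"br", "rule", "portparams"}, MAPT: {"rule", "dmr", "portparams"}, LW4O6: {"br", "v4v6bind", "portparams"}}

def tlv(code, body):
    """Type/SubType (1 octet), Length/SubLen (1 octet, counting the 2 header octets), body."""
    if len(body) + 2 > 255:
        raise ValueError("length does not fit in one octet")
    return struct.pack("!BB", code, len(body) + 2) + body

def s46_rule(rule_type, ipv6_prefix, ipv4_prefix, ea_len):
    """S46-Rule (SubType 1/2/3) carrying Rule-IPv6-Prefix, Rule-IPv4-Prefix and EA Length (Section 4.4)."""
    v6, v4 = ipaddress.IPv6Network(ipv6_prefix), ipaddress.IPv4Network(ipv4_prefix)
    if not 0 <= ea_len <= 48:
        raise ValueError("EA-len must be 0..48")
    return tlv(rule_type, tlv(RULE_IPV6, struct.pack("!BB", 0, v6.prefixlen) + v6.network_address.packed)
               + tlv(RULE_IPV4, struct.pack("!BB", 0, v4.prefixlen) + v4.network_address.packed)
               + tlv(EA_LEN, struct.pack("!H", ea_len)))

def s46_portparams(offset, psid_len, psid):
    """S46-PORTPARAMS (SubType 7): PSID left-aligned in the 16-bit field, the low 16-k bits zero."""
    if not (0 <= offset <= 15 and 0 <= psid_len <= 16 - offset and 0 <= psid < (1 << psid_len)):
        raise ValueError("PSID-Offset, PSID-len and PSID are inconsistent")
    return tlv(PORTPARAMS, struct.pack("!BBH", offset, psid_len, psid << (16 - psid_len)))

def iter_tlvs(buf):
    """Walk Type/Length records, refusing truncated or undersized lengths instead of reading past them."""
    off = 0
    while off < len(buf):
        if off + 2 > len(buf) or buf[off + 1] < 2 or off + buf[off + 1] > len(buf):
            raise ValueError("bad length at offset %d" % off)
        yield buf[off], buf[off + 2:off + buf[off + 1]]
        off += buf[off + 1]

def decode_sub(subtype, body):
    """Decode one container sub option; S46-DMR and S46-V4V6Bind are kept opaque in this example."""
    if subtype in (BMR, FMR, BMR_FMR):
        parts = dict(iter_tlvs(body))
        v6, v4, ea = parts.get(RULE_IPV6), parts.get(RULE_IPV4), parts.get(EA_LEN)
        if v6 is None or len(v6) != 18 or (v4 is not None and len(v4) != 6) or (ea is not None and len(ea) != 2):
            raise ValueError("S46-Rule: Rule-IPv6-Prefix is required and SubLens are fixed at 20, 8 and 4")
        rule = {"kind": "rule", "rule_type": subtype, "ipv6_prefix": "%s/%d" % (ipaddress.IPv6Address(v6[2:]), v6[1])}
        if v4:
            rule["ipv4_prefix"] = "%s/%d" % (ipaddress.IPv4Address(v4[2:]), v4[1])
        if ea:
            rule["ea_len"] = struct.unpack("!H", ea)[0]
        return rule
    if subtype == BR:
        if len(body) != 16:
            raise ValueError("S46-BR must carry exactly 16 octets (SubLen 18)")
        return {"kind": "br", "address": str(ipaddress.IPv6Address(body))}
    if subtype == PORTPARAMS:
        offset, k, field = struct.unpack("!BBH", body)  # struct.error if SubLen is not 6
        if k and field & ((1 << (16 - k)) - 1):
            raise ValueError("PSID padding bits must be zero")
        return {"kind": "portparams", "offset": offset, "psid_len": k, "psid": field >> (16 - k)}
    if subtype in KIND:
        return {"kind": KIND[subtype], "raw": body}
    raise ValueError("unknown SubType %d" % subtype)

def decode_attribute(attr):
    """Parse one Softwire46-Configuration Attribute into {container type: [sub options]}."""
    records = list(iter_tlvs(attr))
    if len(records) != 1 or records[0][0] != SOFTWIRE46_CONFIGURATION:
        raise ValueError("expected exactly one Softwire46-Configuration Attribute")
    containers = {}
    for ctype, body in iter_tlvs(records[0][1]):
        if ctype not in PERMITTED or ctype in containers:  # Section 4.2: known type, at most one of each
            raise ValueError("unknown or duplicate S46 Container Option %d" % ctype)
        subs = [decode_sub(st, sb) for st, sb in iter_tlvs(body)]
        kinds = {s["kind"] for s in subs}
        if not kinds <= PERMITTED[ctype] or not REQUIRED[ctype] <= kinds:
            raise ValueError("container %d violates the Section 4.5 table: %s" % (ctype, sorted(kinds)))
        containers[ctype] = subs
    if not containers:
        raise ValueError("at least one S46 Container Option is required")
    return containers

def port_ranges(offset, psid_len, psid):
    """Port ranges selected by (a, k, PSID) per RFC 7597 Section 5.1: port = A | PSID | M with a, k and m = 16-a-k bits; A = 0 is excluded when a > 0."""
    m = 16 - offset - psid_len
    starts = [(a_bits << (16 - offset)) | (psid << m) for a_bits in range(1 if offset else 0, 1 << offset)]
    return [(start, start + (1 << m) - 1) for start in starts]

def example():
    """Constructed MAP-E configuration (all values made up) round-tripped through encode and decode."""
    container = tlv(MAPE, s46_rule(BMR, "2001:db8::/40", "192.0.2.0/24", 16)
                    + tlv(BR, ipaddress.IPv6Address("2001:db8:ffff::1").packed)
                    + s46_portparams(6, 8, 0x34))
    attr = tlv(SOFTWIRE46_CONFIGURATION, container)
    decoded = decode_attribute(attr)
    pp = next(s for s in decoded[MAPE] if s["kind"] == "portparams")
    return attr, decoded, port_ranges(pp["offset"], pp["psid_len"], pp["psid"])
```

   With PSID-Offset 6 and PSID-len 8 the constructed PSID 0x34 selects
   63 ranges of 4 ports each (the A = 0 range, ports 0 to 1023, is
   excluded), which is the sharing ratio of 2^8 that Section 4.3.5
   describes.  Note that the whole attribute value is limited to 253
   octets by the single-octet RADIUS Length field, which tlv() enforces
   at every level.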
701 A malicious user may use MAC address spoofing on the shared password 702 that has been preconfigured on the DHCPv6 server to get unauthorized 703 configuration information. 705 Security considerations for MAP specific between the MAP CE and the 706 BNG are discussed in [RFC7597]. Security considerations for 707 Lightweight 4over6 are discussed in [RFC7596]. Security 708 considerations for DHCPv6-Based S46 Prioritization Mechanism are 709 discussed in [RFC8026]. Furthermore, generic DHCPv6 security 710 mechanisms can be applied DHCPv6 intercommunication between the CE 711 and the BNG. 713 Security considerations for the Diameter protocol are discussed in 714 [RFC6733]. 716 8. Acknowledgements 718 The authors would like to thank the valuable comments made by Peter 719 Lothberg, Wojciech Dec, Ian Farrer and Suresh Krishnan for this 720 document. This document was merged with draft-sun-softwire-lw4over6- 721 radext-01, thanks to everyone who contributed to this draft. 723 This document was produced using the xml2rfc tool [RFC7991]. 725 9. References 727 9.1. Normative References 729 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 730 Requirement Levels", BCP 14, RFC 2119, 731 DOI 10.17487/RFC2119, March 1997, 732 . 734 [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, 735 "Remote Authentication Dial In User Service (RADIUS)", 736 RFC 2865, DOI 10.17487/RFC2865, June 2000, 737 . 739 [RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", 740 RFC 3162, DOI 10.17487/RFC3162, August 2001, 741 . 743 [RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, 744 C., and M. Carney, "Dynamic Host Configuration Protocol 745 for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July 746 2003, . 748 [RFC5080] Nelson, D. and A. DeKok, "Common Remote Authentication 749 Dial In User Service (RADIUS) Implementation Issues and 750 Suggested Fixes", RFC 5080, DOI 10.17487/RFC5080, December 751 2007, . 753 [RFC6158] DeKok, A., Ed. and G. 
              Weber, "RADIUS Design Guidelines", BCP 158, RFC 6158,
              DOI 10.17487/RFC6158, March 2011.

   [RFC6929]  DeKok, A. and A. Lior, "Remote Authentication Dial In User
              Service (RADIUS) Protocol Extensions", RFC 6929,
              DOI 10.17487/RFC6929, April 2013.

   [RFC8026]  Boucadair, M. and I. Farrer, "Unified IPv4-in-IPv6
              Softwire Customer Premises Equipment (CPE): A DHCPv6-Based
              Prioritization Mechanism", RFC 8026, DOI 10.17487/RFC8026,
              November 2016.

9.2.  Informative References

   [RFC2607]  Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
              Implementation in Roaming", RFC 2607,
              DOI 10.17487/RFC2607, June 1999.

   [RFC2869]  Rigney, C., Willats, W., and P. Calhoun, "RADIUS
              Extensions", RFC 2869, DOI 10.17487/RFC2869, June 2000.

   [RFC3580]  Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
              "IEEE 802.1X Remote Authentication Dial In User Service
              (RADIUS) Usage Guidelines", RFC 3580,
              DOI 10.17487/RFC3580, September 2003.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
              December 2005.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              DOI 10.17487/RFC5226, May 2008.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011.

   [RFC6346]  Bush, R., Ed., "The Address plus Port (A+P) Approach to
              the IPv4 Address Shortage", RFC 6346,
              DOI 10.17487/RFC6346, August 2011.

   [RFC6519]  Maglione, R. and A. Durand, "RADIUS Extensions for Dual-
              Stack Lite", RFC 6519, DOI 10.17487/RFC6519, February
              2012.

   [RFC6733]  Fajardo, V., Ed., Arkko, J., Loughney, J., and G. Zorn,
              Ed., "Diameter Base Protocol", RFC 6733,
              DOI 10.17487/RFC6733, October 2012.

   [RFC7596]  Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
              Farrer, "Lightweight 4over6: An Extension to the Dual-
              Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
              July 2015.

   [RFC7597]  Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
              Murakami, T., and T. Taylor, Ed., "Mapping of Address and
              Port with Encapsulation (MAP-E)", RFC 7597,
              DOI 10.17487/RFC7597, July 2015.

   [RFC7598]  Mrugalski, T., Troan, O., Farrer, I., Perreault, S., Dec,
              W., Bao, C., Yeh, L., and X. Deng, "DHCPv6 Options for
              Configuration of Softwire Address and Port-Mapped
              Clients", RFC 7598, DOI 10.17487/RFC7598, July 2015.

   [RFC7599]  Li, X., Bao, C., Dec, W., Ed., Troan, O., Matsushima, S.,
              and T. Murakami, "Mapping of Address and Port using
              Translation (MAP-T)", RFC 7599, DOI 10.17487/RFC7599, July
              2015.

   [RFC7678]  Zhou, C., Taylor, T., Sun, Q., and M. Boucadair,
              "Attribute-Value Pairs for Provisioning Customer Equipment
              Supporting IPv4-Over-IPv6 Transitional Solutions",
              RFC 7678, DOI 10.17487/RFC7678, October 2015.

   [RFC7991]  Hoffman, P., "The "xml2rfc" Version 3 Vocabulary",
              RFC 7991, DOI 10.17487/RFC7991, December 2016.
Additional Authors

   Qiong Sun
   China Telecom
   Beijing
   China

   Email: sunqiong@ctbri.com.cn

   Qi Sun
   Tsinghua University
   Department of Computer Science, Tsinghua University
   Beijing 100084
   P.R. China

   Phone: +86-10-6278-5822
   Email: sunqibupt@gmail.com

   Cathy Zhou
   Huawei Technologies
   Bantian, Longgang District
   Shenzhen 518129

   Email: cathy.zhou@huawei.com

   Tina Tsou
   Huawei Technologies (USA)
   2330 Central Expressway
   Santa Clara, CA 95050
   USA

   Email: Tina.Tsou.Zouting@huawei.com

   ZiLong Liu
   Tsinghua University
   Beijing 100084
   P.R. China

   Phone: +86-10-6278-5822
   Email: liuzilong8266@126.com

   Yong Cui
   Tsinghua University
   Beijing 100084
   P.R. China

   Phone: +86-10-62603059
   Email: yong@csnet1.cs.tsinghua.edu.cn

Authors' Addresses

   Sheng Jiang
   Huawei Technologies Co., Ltd
   Q14, Huawei Campus, No.156 Beiqing Road
   Hai-Dian District, Beijing, 100095
   P.R. China

   Email: jiangsheng@huawei.com

   Yu Fu
   CNNIC
   No.4 South 4th Street, Zhongguancun
   Hai-Dian District, Beijing, 100190
   P.R. China

   Email: fuyu@cnnic.cn

   Bing Liu
   Huawei Technologies Co., Ltd
   Q14, Huawei Campus, No.156 Beiqing Road
   Hai-Dian District, Beijing, 100095
   P.R. China

   Email: leo.liubing@huawei.com

   Peter Deacon
   IEA Software, Inc.
   P.O. Box 1170
   Veradale, WA 99037
   USA

   Email: peterd@iea-software.com

   Chongfeng Xie
   China Telecom
   Beijing
   P.R. China

   Email: xiechf.bri@chinatelecom.cn

   Tianxiang Li
   Tsinghua University
   Beijing 100084
   P.R. China

   Email: peter416733@gmail.com