idnits 2.17.1 draft-xq-ancp-wlan-00.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The abstract seems to contain references ([ANCP-FRAMEWORK]), which it shouldn't. Please replace those with straight textual mentions of the documents in question.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not match the current year
== The document doesn't use any RFC 2119 keywords, yet has text resembling RFC 2119 boilerplate text.
-- The document date (December 17, 2011) is 4485 days in the past. Is this intentional?

Checking references for intended status: Informational
----------------------------------------------------------------------------
== Missing Reference: 'ANCP-FRAMEWORK' is mentioned on line 93, but not defined
== Missing Reference: 'ANCP-SECURITY' is mentioned on line 446, but not defined
== Unused Reference: 'RFC2629' is defined on line 469, but no explicit reference was found in the text
== Unused Reference: 'RFC3990' is defined on line 472, but no explicit reference was found in the text
== Unused Reference: 'RFC6320' is defined on line 476, but no explicit reference was found in the text
== Unused Reference: 'RFC5713' is defined on line 482, but no explicit reference was found in the text
** Obsolete normative reference: RFC 2629 (Obsoleted by RFC 7749)

Summary: 2 errors (**), 0 flaws (~~), 8 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about the items above.
--------------------------------------------------------------------------------

ancp                                                       Xiangqing Chang
Internet-Draft                                                    Yang Shi
Intended status: Informational                Hangzhou H3C Tech. Co., Ltd.
Expires: June 19, 2012                                           T. Taylor
                                              Huawei Technologies Co., Ltd.
                                                         December 17, 2011

   Applicability of Access Node Control Mechanism to WLAN based Broadband Networks
                          draft-xq-ancp-wlan-00.txt

Abstract

   This document describes the applicability of the Access Node Control Mechanism, as described in [ANCP-FRAMEWORK], to WLAN based broadband access. The need for an Access Node Control Mechanism between a Network Access Server (NAS) and a WLAN Access Node is described. Extensions of the Access Node Control Mechanism for WLAN are also described.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 19, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Conventions
   2.  Introduction
   3.  Terminology
   4.  Problem Statement
   5.  Reference Architecture for WLAN Access Network
   6.  Motivation for explicit extension of ANCP to WLAN
   7.  Concept of Access Node Control Mechanism for WLAN based access
   8.  ANCP Based WLAN Topology Discovery
   9.  ANCP Based WLAN roaming status reporting
   10. ANCP based WLAN Configuration
       10.1.  QoS policy Configuration
       10.2.  Key transfer
       10.3.  Notification of subscriber's authentication result
   11. ANCP based WLAN Remote Connectivity Testing Capability
   12. ANCP versus CAPWAP between the AC and WTP
   13. Security Considerations
   14. IANA Considerations
   15. Acknowledgements
   16. References
       16.1.  Normative References
       16.2.  Informative References
   Authors' Addresses

1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Introduction

   With the fast popularization of WLAN terminals, WLANs are being deployed widely across carrier networks to provide hotspot access service. The WLAN access network is an important means for carriers to offload data traffic from 2G/3G mobile networks.

   [ANCP-FRAMEWORK] provides the framework and requirements for coordinated admission control between a NAS and an AN, with special focus on DSL deployments. This document proposes the extension of that framework and the related requirements to WLAN.

3.  Terminology

   o  Wireless Local Area Network (WLAN): WLAN technologies include the approved IEEE 802.11a, b, g and n specifications. WLAN is a high-speed local wireless technology that enjoys broad deployment, most notably in hotspots around the world, including homes and offices, and increasingly cafes, hostels, and airports. WLAN is also known as Wi-Fi (short for wireless fidelity).

   o  Wireless Termination Point (WTP): The physical or network entity that contains an RF antenna and wireless physical layer (PHY) to transmit and receive station traffic for wireless access networks. For WLAN, a WTP is also known as an Access Point (AP).

   o  Access Controller (AC): The network entity that provides WTP access to the network infrastructure in the data plane, control plane, management plane, or a combination thereof.

   o  Control And Provisioning of Wireless Access Points (CAPWAP): A generic protocol defining AC and WTP control and data plane communication.

   o  Station (STA): A device that contains an interface to a wireless medium (WM). It is a subscriber device.

   o  Autonomous Wireless Local Area Network (WLAN) Architecture: The traditional autonomous WLAN architecture, in which each WTP is a single physical device that implements all the wireless services.

   o  Centralized WLAN Architecture: A hierarchical architecture utilizing one or more centralized controllers for managing a large number of WTP devices. The full set of wireless functions is implemented across multiple physical network devices, namely the WTPs and the ACs.

   o  Access Node (AN): Network device, usually located at a service provider central office or street cabinet, that terminates access (local) loop connections from subscribers. In case the access loop is a Digital Subscriber Line (DSL), the Access Node provides DSL signal termination and is referred to as a DSL Access Multiplexer (DSLAM). In case of WLAN, it is referred to as an AC.

   o  Network Access Server (NAS): Network element which aggregates subscriber traffic from a number of ANs or ANXs. The NAS is often an injection point for policy management, authentication and IP QoS in the access network. It is also referred to as Broadband Network Gateway (BNG) or Broadband Remote Access Server (BRAS).

4.  Problem Statement

   When wired carriers extend their network with wireless access technologies, they prefer to reuse the NAS architecture. For wired carriers, the NAS and the AC usually coexist in the operator's WLAN access network. A professional NAS is often already deployed in the fixed network, so carriers prefer to reuse NAS devices as the authentication device for the WLAN access network, to reduce cost and avoid changes to the network. The NAS controls the subscriber's access to the network with AAA, and the AC manages the WTPs and controls the user's association to the WLAN. The focus throughout this document is on this kind of application scenario. Given the separation of NAS and AC, the AC takes the role of the wireless AN.

   Just like the wired broadband access network, WLAN provides triple-play services over IP to meet the increasing demand for broadband data service. In order to carry out QoS policy more effectively and improve the utilization of network resources, cooperation between the NAS and the wireless AN is also needed.

   Furthermore, apart from what it has in common with wired access technology, WLAN has special characteristics, for example the open medium of radio access and the station's roaming. So WLAN brings new requirements to enhance the exchange of information between NAS and AN. Some related use cases include:

   -  In order to ensure the security of data transport over the air, a different encryption key is needed for each user. However, the intermediate key material for every subscriber is held by the NAS. So the NAS needs to deliver the material to the wireless AN dynamically to generate the final encryption key over the air.

   -  To improve the utility of the precious wireless spectrum, the AN needs to get more status information about each user from the NAS.

   -  To make the user's roaming experience better, the AN and the NAS need more cooperation.

   This shows that tighter coordination between NAS and wireless AN is necessary. Fortunately, ANCP intends to provide a general communication mechanism between NAS and AN, and ANCP supports extension on demand. So, given the new WLAN requirements, ANCP needs to be extended for WLAN.

5.  Reference Architecture for WLAN Access Network

   RFC 5851 [RFC5851] provides detailed definitions and functions of each network element in the general broadband reference architecture. Figure 1 shows an end-to-end broadband network with WLAN access.

   There are two WLAN architecture models. One is the Centralized WLAN Architecture (or Fit Architecture), the other is the Autonomous WLAN Architecture (or Fat Architecture).
   The need to deploy WLAN more broadly and cost-effectively has led to the popularity of the centralized WLAN architecture. The Access Node terminates the WLAN access. It is referred to as the AC in the Centralized WLAN Architecture, and as the WTP in the Autonomous WLAN Architecture.

   Given the industry's trend towards the centralized WLAN architecture, the primary focus throughout this document is on the centralized WLAN architecture.

   RFC 5851 [RFC5851] defines the core of what distinguishes a NAS from a typical routing system as per-user authentication, accounting and policies.

                           Access                        Customer
                   <--- Aggregation ---->                Premises
                           Network                        Network

                  +-----------------------+       +---------------------+
   +---------+    |  +---+  +----------+  |       |  +---+   +-------+  |
   |         |    |  |NAS|--|Access    |--|-------|--|WTP|---|Station|  |
---+ Regional|----|--+---+  |Controller|  |       |  +---+   |       |  |
   |Broadband|    |         +----------+  |       |          +-------+  |
   |Network  |    |  +---+       |        |       +---------------------+
---+         |----|--|NAS|       |        |       +---------------------+
   |         |    |  +---+       |        |       |  +---+   +-------+  |
   +---------+    |              +--------|-------|--|WTP|---|Station|  |
                  +-----------------------+       |  +---+   |       |  |
                                                  |          +-------+  |
                                                  +---------------------+

   NAS: Network Access Server
   WTP: Wireless Termination Point

              Figure 1: WLAN Broadband Aggregation Topology

6.  Motivation for explicit extension of ANCP to WLAN

   Compared with wired broadband access technologies, there are several different points that need to be considered:

   o  WLAN access protection

   Strong over-the-air data protection is addressed in WLAN. For example, 802.11i greatly increases the level of over-the-air data protection and access control on Wi-Fi networks. The NAS will inevitably help to negotiate the key material used for air protection, and it should deliver the intermediate key material (called the PMK in Wi-Fi) to the WLAN AN.

   o  Specific identification for WLAN subscriber

   For DSL access technology, a PVC represents a subscriber.
   But for WLAN access technology, many subscribers can access with the same radio. It means that many subscribers may use the same VLAN. So when the subscriber's information is exchanged, the subscriber's specific identification needs to be clarified.

   o  Radio Resource Control

   Radio spectrum is a precious and limited resource. The communication between WLAN AN and NAS makes it possible to control radio resources more efficiently among different wireless subscribers. For example, according to certain rules, the WLAN AN can kick off inactive subscribers.

   o  Roaming

   A wireless user can roam from one Access Node to another Access Node. The change of the subscriber's location needs to be tracked, and the subscriber's reauthentication needs to be avoided to improve the quality of experience. However, the subscriber's reauthentication often occurs. For example, in a WLAN network, given that the authentication method of the NAS is Portal, when a subscriber moves from one AN to another AN, the subscriber's IP address usually changes, and it has to be re-authenticated at the NAS although the latter AN understands the subscriber's roaming status. If the latter AN reports the roaming information to the NAS, the reauthentication can be avoided and the subscriber's roaming experience will be improved.

   Based on reusing the general framework and protocol of ANCP, typical elements which need to be defined for ANCP in the WLAN environment include the following:

   -  A new WLAN capability needs to be defined for the establishment of the adjacency relationship

   -  A new WLAN subscriber identification needs to be defined

   -  A new message type or TLV needs to be defined for delivering over-the-air key material from the NAS to the WLAN AN

   -  A new message type or TLV needs to be defined for identifying invalid or unauthenticated users to the AN for better radio resource control

   -  A new message type or TLV needs to be defined for the AN to update the NAS with roaming user information for a better roaming experience

7.  Concept of Access Node Control Mechanism for WLAN based access

   The Access Node Control Mechanism defines a quasi real-time, general-purpose method for multiple network scenarios with an extensible communication scheme. The mechanism consists of a control function, and a reporting and/or enforcement function. The controller function is used to receive status information or admission requests from the reporting function. It is also used to trigger a certain behavior in the network element where the reporting and/or enforcement function resides. The reporting function is used to convey status information to the controller function, which requires the information for executing local functions. The enforcement function can be contacted by the controller function to enforce a specific policy or trigger a local action.

   Typical use cases related to the reporting function for ANCP in the WLAN environment include the following:

      ANCP Based WLAN Topology Discovery

      ANCP Based WLAN roaming status reporting

   Typical use cases related to the control function and/or enforcement function for ANCP in the WLAN environment include the following:

      ANCP based WLAN Configuration

      ANCP based WLAN Remote Connectivity Testing Capability

   The ANCP based use cases in the WLAN environment are described in detail in the sections that follow. Some use cases are similar to the situation in DSL access; others are particular to WLAN access.

8.  ANCP Based WLAN Topology Discovery

   In order to convey user related policies to the correct Access Node, the NAS needs to gain knowledge about the topology of the access network and the attributes of the link. Through the procedure of WLAN Topology Discovery, the Access Node communicates access network topology information and any corresponding updates to the NAS.

   For WLAN, when a WTP starts to run, the AC (Access Controller) creates a logical port for each radio on the WTP. Since the AC knows the topology of the WTPs, the NAS can just convey user related policies to the AC, and the AC will relay the information to the corresponding WTP. So the NAS does not need to know all the WTPs; it just needs to know the identification of the AC and the VLAN scope of the users who come from the AC. Each logical port on the AC can belong to a different VLAN or to the same VLAN. So the creation and deletion of each logical port may lead to an update of VLAN information to the NAS.

9.  ANCP Based WLAN roaming status reporting

   Wireless users are mobile. In WLAN, a station can roam from one WTP to another WTP, or from one AC to another AC. Ideally, it is not necessary for the roamer to reauthenticate. However, the IP address usually changes due to the change of VLAN. Given that the authentication method is portal (which is the most convenient authentication method for the user, since authentication is performed through a web interface), the change of IP address will cause reauthentication at the NAS. In WLAN, the AC has the ability to understand the roaming status of the roamer. So if the AC reports the user's roaming status to the NAS through the ANCP mechanism, the reauthentication at the NAS can be avoided.

   The roaming status reporting message contains the AC identification, the user's original IP address and the new IP address.
   When the NAS receives the message, it updates the user related entry to permit the user with the new IP address to pass directly, and relays the change information to the AAA server to ensure the user's correct accounting and records.

10.  ANCP based WLAN Configuration

10.1.  QoS policy Configuration

   The ANCP mechanism makes it possible to perform QoS actions at the granularity of each user at the wireless access edge. This helps to improve the utility of the wireless radio resource by limiting the low priority user's flow and ensuring the high priority user's flow as early as possible.

   After the wireless subscriber has authenticated at the NAS, the NAS conveys the QoS profile information to the wireless Access Node, i.e. the Access Controller. Then the QoS policy can be enforced at the AC and the WTP.

10.2.  Key transfer

   Many wireless users need air protection for security. With the definition of 802.11i (or WPA/WPA2), the air key material is negotiated in the procedure of 802.1X authentication between the user and the AAA server through the NAS. So the intermediate key, i.e. the pairwise master key (PMK), is held by the NAS. However, the AC needs to establish the final air key with the user based on the PMK. Therefore, the NAS must transfer the intermediate key to the AC based on the ANCP mechanism.

   After the WLAN subscriber has authenticated at the NAS, and the NAS has obtained the PMK from the AAA server, the PMK is transferred from the NAS to the corresponding AC in addition to user related identification information. Based on the received PMK, the AC then negotiates with the corresponding user to get the final air key.

10.3.  Notification of subscriber's authentication result

   Given that the authentication method is portal, there are often many users who are associated to the WLAN without executing authentication on the NAS.
   These users occupy IP resources and WLAN resources. However, strictly speaking, they are not legal. In order to limit these users' influence, it is good for the AC to be notified of the authentication result of each subscriber by the NAS. Then the AC can selectively refuse to associate illegal users, including those who do not authenticate, who fail to authenticate, and who are put into a blacklist.

   After the WLAN subscriber has authenticated at the NAS, the NAS notifies the result to the AC. Based on this information, the AC actively kicks out those illegal users for a certain period of time.

11.  ANCP based WLAN Remote Connectivity Testing Capability

   A simple solution based on ANCP can provide the NAS with an access line test capability and, to some extent, fault isolation. Controlled by a local management interface, the NAS can use an ANCP operation to trigger the Access Node to perform a loopback test on the local loop. The Access Node can respond via another ANCP operation with the result of the triggered loopback test. In the case of a WLAN based local loop, the ANCP operation can trigger the AC to generate an RF (radio frequency) ping to check the link status of a specific user.

12.  ANCP versus CAPWAP between the AC and WTP

   CAPWAP is an internal protocol in WLAN. CAPWAP helps to extend WLAN on a large scale and to lower operating expenses. The intent of the CAPWAP protocol is to facilitate control, management and provisioning of WLAN Termination Points (WTPs), specifying the services, functions and resources relating to 802.11 WLAN Termination Points in order to allow for interoperable implementations of WTPs and ACs. With CAPWAP, the subscriber related requirements described above can't be resolved.

   The focus of ANCP is on the communication between AN and NAS. With ANCP, subscriber-related services can be carried out effectively by delivering user-related information to the access edge.
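   The two subscriber-related exchanges this section refers back to, the roaming status report of Section 9 and the authentication result notification of Section 10.3, are sketched below in Python as an added illustration. It is not code from this draft, nor an ANCP implementation. The TLV layout follows the general RFC 6320 shape (16-bit type, 16-bit length, value padded to a 4-byte boundary); the type codes, the result encoding, the 300-second denial period, the AC identifiers, the IP addresses and the MAC address are all placeholders constructed for the example. What it adds to the text is the checks each side makes before acting on a message: the NAS accepts a roaming report only over an established adjacency, only when the report names the sending AC, only for an original IP that belongs to an authenticated session, and only when the new IP is not already in use; the AC records a non-success result as a timed refusal of association and lets it lapse.

```python
# Added illustration, not code from draft-xq-ancp-wlan-00 and not an ANCP implementation:
# the Section 9 roaming status report and the Section 10.3 authentication result
# notification as ANCP-style TLVs (RFC 6320 shape: 16-bit type, 16-bit length, 4-byte pad).
import ipaddress
import struct

TLV_AC_ID, TLV_OLD_IP, TLV_NEW_IP = 0xF001, 0xF002, 0xF003  # placeholder type codes
TLV_SUBSCRIBER_MAC, TLV_AUTH_RESULT = 0xF004, 0xF005        # placeholder type codes
AUTH_SUCCESS, AUTH_FAILED, AUTH_BLACKLISTED, AUTH_NONE = range(4)  # placeholder encoding


def encode_tlv(tlv_type, value):
    """One TLV: type(2) length(2) value, padded to a 4-byte boundary."""
    return struct.pack("!HH", tlv_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def decode_tlvs(data):
    """Parse a TLV sequence into {type: value}; refuse truncated or overlong TLVs."""
    tlvs, off = {}, 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("TLV length exceeds message")
        tlvs[tlv_type] = data[off:off + length]
        off += length + (-length) % 4
    return tlvs


class Nas:
    """Section 9, NAS side: ANCP adjacencies plus authenticated sessions keyed by IP."""
    def __init__(self):
        self.adjacent_acs = set()   # ACs with an established ANCP adjacency
        self.sessions = {}          # ip -> {"user": name, "ac": ac_id}
        self.aaa_updates = []       # (user, old_ip, new_ip) relayed to the AAA server

    def handle_roaming_report(self, msg, sender):
        """Move the session to its new IP and return the user, or None if the report is
        refused (no adjacency, AC mismatch, unknown session, or new IP already in use)."""
        tlvs = decode_tlvs(msg)
        ac_id = tlvs[TLV_AC_ID].decode("ascii")
        old_ip = str(ipaddress.ip_address(tlvs[TLV_OLD_IP]))
        new_ip = str(ipaddress.ip_address(tlvs[TLV_NEW_IP]))
        if sender not in self.adjacent_acs or ac_id != sender:
            return None
        session = self.sessions.get(old_ip)
        if session is None or new_ip in self.sessions:
            return None
        self.sessions[new_ip] = self.sessions.pop(old_ip)
        session["ac"] = ac_id            # the user may now sit behind a different AC
        self.aaa_updates.append((session["user"], old_ip, new_ip))
        return session["user"]


class AccessController:
    """Section 10.3, AC side: which subscribers are refused association, and until when."""
    DENY_SECONDS = 300   # placeholder for the draft's "certain period of time"

    def __init__(self, clock):
        self.clock = clock          # returns seconds; injected so the lapse can be tested
        self.denied_until = {}      # mac -> time until which association is refused

    def handle_auth_result(self, msg):
        """Record the NAS verdict; True if the subscriber authenticated successfully."""
        tlvs = decode_tlvs(msg)
        mac = tlvs[TLV_SUBSCRIBER_MAC].hex(":")
        if tlvs[TLV_AUTH_RESULT][0] == AUTH_SUCCESS:
            self.denied_until.pop(mac, None)
            return True
        self.denied_until[mac] = self.clock() + self.DENY_SECONDS
        return False

    def may_associate(self, mac):
        """Refuse association while a denial is in force; let it lapse afterwards."""
        until = self.denied_until.get(mac)
        if until is not None and self.clock() < until:
            return False
        self.denied_until.pop(mac, None)
        return True


def roaming_scenario():
    """Constructed Section 9 exchange: a report from a non-adjacent AC, then a valid one."""
    nas = Nas()
    nas.adjacent_acs.add("ac-1")
    nas.sessions["192.0.2.10"] = {"user": "alice", "ac": "ac-1"}
    report = (encode_tlv(TLV_AC_ID, b"ac-1")
              + encode_tlv(TLV_OLD_IP, ipaddress.IPv4Address("192.0.2.10").packed)
              + encode_tlv(TLV_NEW_IP, ipaddress.IPv4Address("198.51.100.7").packed))
    rejected = nas.handle_roaming_report(report.replace(b"ac-1", b"ac-9"), sender="ac-9")
    accepted = nas.handle_roaming_report(report, sender="ac-1")
    return rejected, accepted, sorted(nas.sessions), nas.aaa_updates


def auth_scenario():
    """Constructed Section 10.3 exchange: a failed authentication denies association until it lapses."""
    now = [1000.0]
    ac = AccessController(clock=lambda: now[0])
    mac = bytes.fromhex("02000000aa01")          # constructed, locally administered MAC
    ac.handle_auth_result(encode_tlv(TLV_SUBSCRIBER_MAC, mac)
                          + encode_tlv(TLV_AUTH_RESULT, bytes([AUTH_FAILED])))
    denied_now = ac.may_associate("02:00:00:00:aa:01")
    now[0] += AccessController.DENY_SECONDS + 1
    return denied_now, ac.may_associate("02:00:00:00:aa:01")
```

   Because the NAS re-binds a session to a new address purely on the AC's word, the adjacency check is the whole basis of trust in the roaming case: the forged report in roaming_scenario() is refused only because its sender has no adjacency. That is the class of threat [ANCP-SECURITY] enumerates, and it is why the security functions Section 13 points to for the ANCP channel matter for these messages in particular.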

   Certainly, with the presence of CAPWAP, the NAS does not need to know the WTP topology in detail and only needs to know the AC as the Access Node. CAPWAP reduces the workload of the NAS in implementing the ANCP mechanism by shielding the WLAN internal structure.

13.  Security Considerations

   [ANCP-SECURITY] lists the ANCP related security threats that could be encountered on the Access Node and the NAS. It develops a threat model for ANCP security, and lists the security functions that are required at the ANCP level.

14.  IANA Considerations

   To be determined.

15.  Acknowledgements

   Thanks to Tina Tsou for helpful comments on this document.

   The authors also thank their friends and coworkers Jianfeng Liu, Tao Zheng, Min Yao, Haitao Zhang and Xiaolan Wan.

16.  References

16.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, June 1999.

   [RFC3990]  O'Hara, B., Calhoun, P., and J. Kempf, "Configuration and Provisioning for Wireless Access Points (CAPWAP) Problem Statement", RFC 3990, February 2005.

   [RFC6320]  Wadhwa, S., Moisand, J., Haag, T., Voigt, N., and T. Taylor, "Protocol for Access Node Control Mechanism in Broadband Networks", RFC 6320, October 2011.

16.2.  Informative References

   [RFC5713]  Moustafa, H., Tschofenig, H., and S. De Cnodder, "Security Threats and Security Requirements for the Access Node Control Protocol (ANCP)", RFC 5713, January 2010.

   [RFC5851]  Ooghe, S., Voigt, N., Platnic, M., Haag, T., and S. Wadhwa, "Framework and Requirements for an Access Node Control Mechanism in Broadband Multi-Service Networks", RFC 5851, May 2010.

Authors' Addresses

   Xiangqing Chang
   Hangzhou H3C Tech. Co., Ltd.
   Beijing Rnd Center of H3C, Oriental Electronic Bld.
   Beijing
   China (100085)

   Phone: +86 010 82774889
   Email: chang_xq@h3c.com


   Yang Shi
   Hangzhou H3C Tech. Co., Ltd.
   Beijing Rnd Center of H3C, Digital Technology Plaza
   Beijing
   China (100085)

   Email: rishyang@gmail.com


   Tom Taylor
   Huawei Technologies Co., Ltd.
   Ottawa
   Canada

   Email: tom111.taylor@bell.net