Network Working Group Dayong GuoInternetDraft Sheng Jiang (Editor) Intended status:Engineering Task Force (IETF) D. Guo Request for Comments: 6930 S. Jiang, Ed. Category: Standards Track Huawei Technologies Co., LtdExpires: July 28, 2013ISSN: 2070-1721 R. Despres RD-IPtech R. MaglioneTelecom Italia January 24,Cisco Systems April 2013 RADIUS Attribute for6rd draft-ietf-softwire-6rd-radius-attrib-11.txtIPv6 Rapid Deployment on IPv4 Infrastructures (6rd) Abstract The IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) provides both IPv4 and IPv6 connectivity services simultaneously during the IPv4/IPv6co-existencecoexistence period. The Dynamic Host Configuration Protocol (DHCP) 6rd option has been defined to configure the 6rd Customer Edge (CE). However, in many networks, the configuration information may be stored in the Authentication Authorization and Accounting (AAA)serversservers, while user configuration is mainly acquired from a Broadband Network Gateway (BNG) through the DHCP protocol. This document defines a Remote AuthenticationDial InDial-In User Service (RADIUS) attribute that carries 6rd configuration information from the AAA server to BNGs. Status ofthisThis Memo ThisInternet-Draftissubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsan Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved fora maximumpublication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741. Information about the current status ofsix monthsthis document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 28, 2013.http://www.rfc-editor.org/info/rfc6930. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction................................................ 3....................................................3 2. Terminology................................................. 3.....................................................3 3. IPv6 6rd Configuration with RADIUS.......................... 3..............................4 4. Attributes.................................................. 6......................................................6 4.1. IPv6-6rd-Configuration Attribute....................... 6...........................6 4.2. Table ofattributes .................................... 8Attributes ........................................9 5. Diameter Considerations..................................... 9.........................................9 6. Security Considerations..................................... 9.........................................9 7. IANA Considerations........................................ 10............................................10 8. Acknowledgments............................................ 10................................................10 9. References................................................. 10.....................................................10 9.1. Normative References.................................. 10......................................10 9.2. Informative References................................ 11....................................11 1. IntroductionRecentlyRecently, providers have started to deploy IPv6 and to consider transition to IPv6. The IPv6 Rapid Deployment (6rd) [RFC5969] provides both IPv4 and IPv6 connectivity services simultaneously during the IPv4/IPv6co-existencecoexistence period. 6rd is used to provide IPv6 connectivity service through legacy IPv4-only infrastructure. 6rd uses the Dynamic Host Configuration Protocol (DHCP)[RFC2131][RFC2131], and the 6rd Customer Edge (CE) uses the DHCP 6rd option [RFC5969] to discover a 6rdborder relayBorder Relay and to configure an IPv6 prefix and address. In many networks,user configurationuser-configuration information is managed byAAA (Authentication,Authentication, Authorization, andAccounting)Accounting (AAA) servers. The Remote Authentication Dial-In User Service (RADIUS) protocol [RFC2865] is usually used by AAA servers to communicate with network elements. In afixed linefixed-line broadband network, the Broadband Network Gateways (BNGs) act as the access gateway for users. The BNGs are assumed to embed a DHCP server function that allows them to handle locally any DHCP requests issued by hosts. Since the 6rd configuration information is stored in AAAserversservers, and user configuration is mainly through DHCP between BNGs and hosts/CEs, new RADIUS attributes are needed to propagate the information from AAA servers to BNGs. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. The terms 6rd Customer Edge (6rd CE) and 6rd Border Relay (BR) are defined in [RFC5969]. "MAC" stands for Media Access Control. 3. IPv6 6rd Configuration with RADIUS Figure 1 illustrates how DHCP and the RADIUS protocoland DHCPcooperate to provide 6rd CE with 6rd configuration information. 6rd CE BNG AAA Server | | | |-------DHCPDISCOVER------>| | |(Parameter Request w/ 6rd option) | | |--Access-Request(6rd Attr)-->| | | | | |<--Access-Accept(6rd Attr)---| |<-------DHCPOFFER---------| | | (6rd option) | | | | | DHCP RADIUS Figure 1:the cooperationThe Cooperation between DHCP and RADIUScombiningWhen Combined with RADIUSauthenticationAuthentication The BNG acts as a client of RADIUS and as a DHCP server. First, the 6rd CE MAY initiate a DHCPDISCOVER message that includes a Parameter Request option (55) [RFC2132] with the 6rd option [RFC5969]. When the BNG receives the DHCPDISCOVER, it SHOULD initiate a RADIUS Access- Request message to the RADIUS server. In that message,in which- the User-Name attribute (1) SHOULD be filled by the 6rd CE MAC address,to the RADIUS serverand - theUser- password (2)User-Password attribute (2) SHOULD be filled by the shared 6rd password that has been preconfigured on the DHCPserver, requesting authenticationserver. The BNG requests authentication, as defined in[RFC2865][RFC2865], withIPv6-6rd-Configuration attribute, defined inthenext Section,IPv6-6rd-Configuration attribute (Section 4.1) in the desired attribute list. If the authentication request is approved by the AAA server, an Access-Accept message MUST be acknowledged with theIPv6-6rd- Configuration Attribute.IPv6-6rd-Configuration attribute. Then, the BNG SHOULD respond to the 6rd CE with a DHCPOFFER message, which contains a DHCP 6rd option. The recommended format of the MAC address is as defined inCalling- Station-Id ([RFC3580]Calling-Station-Id ([RFC3580], Section 3.20) without the SSID (Service Set Identifier) portion. Figure 2 describes another scenario--- laterre-authorize -re-authorization -- in which the authorization operation is not coupled with authentication. Authorization relevant to 6rd is done independently after the authentication process. 6rd CE BNG AAA Server | | | |--------DHCPREQUEST------>| | |(Parameter Request w/ 6rd option) | | |--Access-Request(6rd Attr)-->| | | | | |<--Access-Accept(6rd Attr)---| | | | |<---------DHCPACK---------| | | (6rd option) | | | | | DHCP RADIUS Figure 2:the cooperationThe Cooperation between DHCP and RADIUSdecoupled withWhen Decoupled from RADIUSauthenticationAuthentication In this scenario, the Access-Request packet SHOULD contain a Service- Type attribute (6) with the value Authorize Only (17); thus, according to [RFC5080], the Access-Request packet MUST contain a State attribute that it obtains from the previous authentication process. In both above-mentioned scenarios,Message-authenticatorMessage-Authenticator (type 80) [RFC2865] SHOULD be used to protect both Access-Request and Access- Accept messages. After receiving the IPv6-6rd-ConfigurationAttributeattribute in the initial Access-Accept, the BNG SHOULD store the received 6rd configuration parameters locally. When the 6rd CE sends a DHCP Request message to request an extension of the lifetime for the assigned address, the BNG does not have to initiate a new Access-Request towards the AAA server to request the 6rd configuration parameters. The BNG could retrieve the previously stored 6rd configuration parameters and use them in its reply. If the BNG does not receive the IPv6-6rd-ConfigurationAttributeattribute in theAccess-AcceptAccess-Accept, it MAY fall back to apre-configuredpreconfigured default 6rd configuration, if any. If the BNG does not have anypre-configuredpreconfigured default 6rd configuration or if the BNG receives an Access-Reject, the tunnel cannot be established. As specified in [RFC2131],section 4.4.5, "ReacquisitionSection 4.4.5 ("Reacquisition andexpiration",expiration"), if the DHCP server to which the DHCP Request message was sent at time T1 has not responded by time T2 (typically 0.375*duration_of_lease after T1), the 6rd CE (the DHCP client) SHOULD enter the REBINDING state and attempt to contact any server. In this situation, the secondary BNG receiving the new DHCP message MUST initiate a new Access-Request towards the AAA server. The secondary BNG MAY include the IPv6-6rd-ConfigurationAttributeattribute in its Access-Request. 4. Attributes This section defines the IPv6-6rd-ConfigurationAttribute whichattribute that is used inthebothabovementionedabove-mentioned scenarios. The attribute design follows [RFC6158] andreferringrefers to[I-D.ietf-radext-radius-extensions].[RFC6929]. 4.1. IPv6-6rd-Configuration Attribute The specification requires that multiple IPv4 addresses are associated with one IPv6 prefix. Given that RADIUS currently has no recommended way of grouping multiple attributes, the design below appears to be a reasonable compromise. The IPv6-6rd-ConfigurationAttributeattribute is structured as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | SubType1 | SubLen1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IPv4MaskLen | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SubType2 | SubLen2 | Reserved | 6rdPrefixLen | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + + | | + 6rdPrefix + | | + + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SubType3 | SubLen3 | 6rdBRIPv4Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 6rdBRIPv4Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ TypeTBD173 Length 28 + n*6 (the length of the entire attribute inoctets;octets, where nstands foris the number of BR IPv4addresses,addresses and minimum n is1).1) SubType1 1 (SubType number, for the IPv4 Mask Length suboption) SubLen1 6 (the length of the IPv4 Mask Length suboption) IPv4MaskLen The number of high-order bits that are identical across all CE IPv4 addresses within a given 6rd domain. This may be any value between 0 and 32. Any value greater than 32 is invalid. Since[RFC6158] Section A.2.1[RFC6158], Appendix A.2.1, has forbidden 8-bit fields, a 32-bit field is used here. SubType2 2 (SubTypenumber,number for the 6rd prefix suboption) SubLen2 20 (the length of the 6rd prefix suboption) Reserved Set tobeall 0 for now. Reserved for future use. To be compatible with other IPv6 prefix attributes in the RADIUSProtocol. Theprotocol, the bits MUST be set to zero by the sender and MUST be ignored by the receiver. 6rdPrefixLen The IPv6 Prefix length of the Service Provider's 6rd IPv6 prefix in number of bits. The 6rdPrefixLen MUST be less than or equal to 128. 6rdPrefix The Service Provider's 6rd IPv6 prefix represented as a16 octet16-octet IPv6 address. The bits after the 6rdPrefixlen number of bits in the prefix SHOULD be set to zero. SubType3 3 (SubType number, for the 6rd Border Relay IPv4 address suboption) SubLen3 6 (the length of the 6rd Border Relay IPv4 address suboption) 6rdBRIPv4Address One or more IPv4 addresses of the 6rd Border Relay(s) for a given 6rd domain. The maximum RADIUSAttributeattribute length of 255 octets results in a limit of 37 IPv4 addresses. Since the subtypes have values, they can appear in any order. If multiple 6rdBRIPv4Address (subtype 3) appear, they are RECOMMENDED to be placed together. The IPv6-6rd-ConfigurationAttributeattribute is normally used inthe Access-AcceptAccess- Accept messages. It MAY be used in Access-Request packets as a hint to the RADIUS server; forexampleexample, if the BNG ispre-configuredpreconfigured with a default 6rd configuration, these parameters MAY be inserted in the attribute. The RADIUS server MAY ignore the hint sent by theBNGBNG, and it MAY assign different 6rd parameters. If the BNG includes the IPv6-6rd-ConfigurationAttribute,attribute, but the AAA server does not recognize it, this attribute MUST be ignored by the AAAServer.server. If the BNG does not receive the IPv6-6rd-ConfigurationAttributeattribute in theAccess-AcceptAccess-Accept, it MAY fallback to apre-configuredpreconfigured default 6rd configuration, if any. If the BNG does not have anypre-configuredpreconfigured default 6rd configuration, the 6rd tunnel cannot be established. If the BNG is pre-provisioned with a default 6rd configuration and the 6rd configuration received in Access-Accept is different from the configured default, then the 6rd configuration received in the Access-Accept message MUST be used for the session. If the BNG cannot support the received 6rd configuration for any reason, the tunnel SHOULD NOT be established. 4.2. Table ofattributesAttributes The following table adds to the one in [RFC2865], Section 5.44, providing a guide to the quantity of IPv6-6rd-Configuration attributes that may be found in each kind of packet. Request Accept Reject Challenge Accounting # Attribute Request 0-1 0-1 0 0 0-1TBD173 IPv6-6rd- Configuration 0-1 0-1 0 0 0-1 1 User-Name 0-1 0 0 0 0-1 2 User-Password 0-1 0-1 0 0 0-1 6 Service-Type 0-1 0-1 0-1 0-1 0-1 80 Message-Authenticator The followingtablekey defines the meanings of the above table entries. 0 This attribute MUST NOT be present in packet. 0+ Zero or more instances of this attribute MAY be present in packet. 0-1 Zero or one instance of this attribute MAY be present in packet. 1 Exactly one instance of this attribute MUST be present in packet. 5. Diameter Considerations This attribute is usable within either RADIUS or Diameter [RFC6733]. Since theAttributesattribute defined in this documentwill behas been allocated from the standard RADIUS type space, no special handling is required by Diameter entities. 6. Security Considerations In 6rd scenarios, both CE and BNG are within a provider network, which can be considered as a closed network and alower security threatlower-threat environment. A similar consideration can be applied to the RADIUS message exchange between the BNG and the AAA server. In 6rd scenarios, the RADIUS protocol is run over IPv4. Known security vulnerabilities of the RADIUS protocol are discussed in [RFC2607], [RFC2865], and [RFC2869]. Use of IPsec [RFC4301] for providing security when RADIUS is carried in IPv6 is discussed in [RFC3162].ATo get unauthorized 6rd configuration information, a malicious user may use MAC addressproofingspoofing and/or a dictionary attack on the shared 6rd password that has been preconfigured on the DHCPserver to get unauthorized 6rd configuration information.server. Thefollow-up securerelevant security issues have been considered in Section12,12 of [RFC5969]. Securityconsiderations for 6rd specificissues that may arise specifically between the 6rd CE and BNG are discussed in [RFC5969]. Furthermore, generic DHCP security mechanisms can be applied to DHCP intercommunication between 6rd CE and BNG. Security considerations for the Diameter protocol are discussed in [RFC6733]. 7. IANA ConsiderationsThis document requests the assignment ofPer this document, IANA has assigned one new RADIUS AttributeTypesType in the"RADIUS"Radius Types" registry (currently located athttp://www.iana.org/assignments/radius-typeshttp://www.iana.org/assignments/radius-types) for the followingattributes: oattribute: IPv6-6rd-ConfigurationIANA should allocate the number from the standard RADIUS Attributes range (values 1-191). The RFC Editor should use the assigned value to replace "TBD" in Sections 4.1 and 4.2, and should remove this paragraph.(173) 8. Acknowledgments The authors would like to thank Alan DeKok, Yong Cui, Leaf Yeh, Sean Turner, Joseph Salowey, Glen Zorn, Dave Nelson, Bernard Aboba, Benoit Claise, Barry Lieba, Stephen Farrell, Adrian Farrel, RalphDromsDroms, and other members ofSoftwirethe SOFTWIRE WG,RADIUSExtRADEXT WG,AAA-DoctorsAAA Doctors, andSecdirSecurity Directorate for valuable comments. 9. References 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2131]R.Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997. [RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, March 1997. [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. [RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", RFC 3162, August 2001. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. [RFC5080] Nelson, D. andDeKok A.,A. DeKok, "Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes", RFC 5080, December 2007. [RFC5969] Townsley,M.W. and O. Troan, "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) -- Protocol Specification",RFC5969,RFC 5969, August 2010. [RFC6158] DeKok,A.A., Ed., and G. Weber, "RADIUS Design Guidelines", BCP 158, RFC 6158, March 2011. [RFC6733]V.Fajardo, V., Ed.,J.Arkko,J.J., Loughney, J., and G. Zorn, Ed., "Diameter Base Protocol", RFC 6733, October 2012. 9.2. Informative References [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy Implementation in Roaming", RFC 2607, June 1999. [RFC2869] Rigney, C., Willats, W., and P. Calhoun, "RADIUS Extensions", RFC 2869, June 2000. [RFC3580] Congdon, P.,B.Aboba,A.B., Smith,G. ZornA., Zorn, G., and J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", RFC 3580, September 2003.[I-D.ietf-radext-radius-extensions][RFC6929] DeKok, A. and A. Lior, "Remote AuthenticationDial InDial-In User Service (RADIUS) Protocol Extensions",draft-ietf-radext- radius-extensions, work in process. Author'sRFC 6929, April 2013. Authors' Addresses Dayong Guo Huawei Technologies Co., Ltd Q14 Huawei Campus, 156 BeiQi Road, ZhongGuan Cun, Hai-Dian District, Beijing 100095 P.R. ChinaEmail:EMail: guoseu@huawei.com Sheng Jiang (Editor) Huawei Technologies Co., Ltd Q14 Huawei Campus, 156 BeiQi Road, ZhongGuan Cun, Hai-Dian District, Beijing 100095 P.R. ChinaEmail:EMail: jiangsheng@huawei.com Remi Despres RD-IPtech 3 rue du President WilsonLevallois,Levallois FranceEmail:EMail: despres.remi@laposte.net Roberta MaglioneTelecom Italia Via Reiss Romoli 274 Torino 10148 Italy Email: roberta.maglione@telecomitalia.itCisco Systems 181 Bay Street Toronto, ON M5J 2T3 Canada EMail: robmgl@cisco.com