One document matched: draft-boucadair-mptcp-radius-01.txt
Differences from draft-boucadair-mptcp-radius-00.txt
Network Working Group M. Boucadair
Internet-Draft C. Jacquenet
Intended status: Standards Track Orange
Expires: July 22, 2016 January 19, 2016
RADIUS Extensions for Network-Assisted Multipath TCP (MPTCP)
draft-boucadair-mptcp-radius-01
Abstract
One of the promising deployment scenarios for Multipath TCP (MPTCP)
is to enable a Customer Premises Equipment (CPE) that is connected to
multiple networks (e.g., DSL, LTE, WLAN) to optimize the usage of its
network attachments. Because of the lack of MPTCP support at the
server side, some service providers consider a network-assisted model
that relies upon the activation of a dedicated function called: MPTCP
Concentrator.
This document specifies a new Remote Authentication Dial-In User
Service (RADIUS) attributes that carry the IP addresses that allow
CPE devices to reach one or multiple MPTCP Concentrators.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 22, 2016.
Boucadair & Jacquenet Expires July 22, 2016 [Page 1]
Internet-Draft RADIUS for MPTCP January 2016
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. MPTCP RADIUS Attributes . . . . . . . . . . . . . . . . . . . 4
2.1. MPTCP-IPv4-Concentrator . . . . . . . . . . . . . . . . . 4
2.2. MPTCP-IPv6-Concentrator . . . . . . . . . . . . . . . . . 5
3. Sample Use Case . . . . . . . . . . . . . . . . . . . . . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . 8
5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 8
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
8.1. Normative References . . . . . . . . . . . . . . . . . . 9
8.2. Informative References . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction
One of the promising deployment scenarios for Multipath TCP (MPTCP,
[RFC6824]) is to enable a Customer Premises Equipment (CPE) that is
connected to multiple networks (e.g., DSL, LTE, WLAN) to optimize the
usage of such resources, see for example [RFC4908]. This deployment
scenario relies on MPTCP proxies located on both the CPE and network
sides (Figure 1). MPTCP Proxies deployed in the network play the
role of traffic concentrator.
Boucadair & Jacquenet Expires July 22, 2016 [Page 2]
Internet-Draft RADIUS for MPTCP January 2016
IP Network #1
+------------+ _--------_ +------------+
| | (e.g., LTE ) | |
| CPE +======================+ |
| (MPTCP | (_ _) |Concentrator|
| Proxy) | (_______) | (MPTCP |
| | | Proxy) |------> Internet
| | | |
| | IP Network #2 | |
| | _--------_ | |
| | ( e.g., DSL ) | |
| +======================+ |
| | (_ _) | |
+-----+------+ (_______) +------------+
|
----CPE network----
|
end-nodes
Figure 1: "Network-Assisted" MPTCP Design
Within this document, an MPTCP Concentrator (or concentrator) refers
to a functional element that is responsible for aggregating the
traffic originated by a group of CPEs. This element is located in
the network. One or multiple concentrators can be deployed in the
network to assist MPTCP-enabled CPEs to establish MPTCP connections
via their available network attachments. On the uplink path, the
concentrator terminates the MPTCP connections [RFC6824] received from
its customer-facing interfaces and transforms these connections into
legacy TCP connections [RFC0793] towards upstream servers. On the
downlink path, the concentrator turns the legacy server's TCP
connection into MPTCP connections towards its customer-facing
interfaces.
Both implicit (where a CPE has no specific knowledge of any
concentrator deployed in the network) and explicit modes are
considered to steer traffic towards an MPTCP Concentrator. This
document focuses on the explicit mode that consists in explicitly
configuring a CPE with the reachability information of a MPTCP
concentrator.
This document specifies two new Remote Authentication Dial-In User
Service (RADIUS, [RFC2865]) attributes that carry the MPTCP
Concentrator IP address list (Section 2). In order to accommodate
both IPv4 and IPv6 deployment contexts, and given the constraints in
Section 3.4 of [RFC6158], two attributes are specified. Note that
one or multiple IPv4 and/or IPv6 addresses may be returned to a
requesting CPE. A sample use case is described in Section 3.
Boucadair & Jacquenet Expires July 22, 2016 [Page 3]
Internet-Draft RADIUS for MPTCP January 2016
This document assumes that the MPTCP concentrator(s) reachability
information can be stored in Authentication, Authorization, and
Accounting (AAA) servers while the CPE configuration is usually
provided by means of DHCP ([RFC2131][RFC3315]).
This specification assumes an MPTCP Concentrator is reachable through
one or multiple IP addresses. As such, a list of IP addresses can be
communicated via RADIUS. Also, it assumes the various network
attachments provided to an MPTCP-enabled CPE are managed by the same
administrative entity.
This document adheres to [I-D.ietf-radext-datatypes] for defining the
new attributes.
2. MPTCP RADIUS Attributes
2.1. MPTCP-IPv4-Concentrator
Description
The RADIUS MPTCP-Concentrator-IPv4 attribute contains the IPv4
address of an MPTCP Concentrator that is assigned to a CPE.
Because multiple MPTCP Concentrator IP addresses may be
provisioned to an authorised CPE (that is a CPE entitled to
solicit the resources of a concentrator to establish MPTCP
connections), multiple instances of the MPTCP-Concentrator-IPv4
attribute MAY be included; each instance of the attribute carries
a distinct IP address.
Both MPTCP-Concentrator-IPv4 and MPTCP-Concentrator-IPv6
attributes MAY be present in a RADIUS message.
The MPTCP-Concentrator-IPv4 Attribute MAY appear in a RADIUS
Access-Accept packet. It MAY also appear in a RADIUS Access-
Request packet as a hint to the RADIUS server to indicate a
preference, although the server is not required to honor such a
hint.
The MPTCP-Concentrator-IPv4 Attribute MAY appear in a CoA-Request
packet.
The MPTCP-Concentrator-IPv4 Attribute MAY appear in a RADIUS
Accounting-Request packet.
The MPTCP-Concentrator-IPv4 Attribute MUST NOT appear in any other
RADIUS packet.
Boucadair & Jacquenet Expires July 22, 2016 [Page 4]
Internet-Draft RADIUS for MPTCP January 2016
Type
TBA (see Section 6).
Length
6
Data Type
The attribute MPTCP-Concentrator-IPv4 is of type ip4addr
(Section 3.3 of [I-D.ietf-radext-datatypes]).
Value
This field includes an IPv4 address (32 bits) of the MPTCP
Concentrator.
The MPTCP-Concentrator-IPv4 attribute MUST NOT include multicast
and host loopback addresses [RFC6890]. Anycast addresses are
allowed to be included in an MPTCP-Concentrator-IPv4 attribute.
2.2. MPTCP-IPv6-Concentrator
Description
The RADIUS MPTCP-Concentrator-IPv6 attribute contains the IPv6
address of an MPTCP Concentrator that is assigned to a CPE.
Because multiple MPTCP Concentrator IP addresses may be
provisioned to an authorised CPE (that is a CPE entitled to
solicit the resources of a concentrator to establish MPTCP
connections), multiple instances of the MPTCP-Concentrator-IPv6
attribute MAY be included; each instance of the attribute carries
a distinct IP address.
Both MPTCP-Concentrator-IPv4 and MPTCP-Concentrator-IPv6
attributes MAY be present in a RADIUS message.
The MPTCP-Concentrator-IPv6 Attribute MAY appear in a RADIUS
Access-Accept packet. It MAY also appear in a RADIUS Access-
Request packet as a hint to the RADIUS server to indicate a
preference, although the server is not required to honor such a
hint.
The MPTCP-Concentrator-IPv6 Attribute MAY appear in a CoA-Request
packet.
Boucadair & Jacquenet Expires July 22, 2016 [Page 5]
Internet-Draft RADIUS for MPTCP January 2016
The MPTCP-Concentrator-IPv6 Attribute MAY appear in a RADIUS
Accounting-Request packet.
The MPTCP-Concentrator-IPv6 Attribute MUST NOT appear in any other
RADIUS packet.
Type
TBA (see Section 6).
Length
18
Data Type
The attribute MPTCP-Concentrator-IPv6 is of type ip6addr
(Section 3.9 of [I-D.ietf-radext-datatypes]).
Value
This field includes an IPv6 address (128 bits) of the MPTCP
concentrator.
The MPTCP-Concentrator-IPv6 attribute MUST NOT include multicast
and host loopback addresses [RFC6890]. Anycast addresses are
allowed to be included in an MPTCP-Concentrator-IPv6 attribute.
3. Sample Use Case
This section does not aim to provide an exhaustive list of deployment
scenarios where the use of the RADIUS MPTCP-Concentrator-IPv6 and
MPTCP-Concentrator-IPv4 attributes can be helpful. Typical
deployment scenarios are described, for instance, in [RFC6911].
Figure 2 shows an example where a CPE is assigned an MPTCP
Concentrator. This example assumes that the Network Access Server
(NAS) embeds both RADIUS client and DHCPv6 server capabilities.
Boucadair & Jacquenet Expires July 22, 2016 [Page 6]
Internet-Draft RADIUS for MPTCP January 2016
CPE NAS AAA
DHCPv6 client DHCPv6 server server
| | |
|---------DHCPv6 Solicit-------->| |
| |----Access-Request ---->|
| | |
| |<----Access-Accept------|
| | MPTCP-Concentrator-IPv6|
|<-------DHCPv6 Advertisement----| |
| (OPTION_V6_MPTCP) | |
| | |
|---------DHCPv6 Request-------->| |
| | |
|<---------DHCPv6 Reply----------| |
| (OPTION_V6_MPTCP) | |
DHCPv6 RADIUS
Figure 2: Sample Flow Example (1)
Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends
a RADIUS Access-Request message to the AAA server. Once the AAA
server receives the request, it replies with an Access-Accept message
(possibly after having sent a RADIUS Access-Challenge message and
assuming the CPE is entitled to connect to the network) that carries
a list of parameters to be used for this session, and which include
MPTCP Concentrator reachability information (namely a list of IP
addresses).
The content of the MPTCP-Concentrator-IPv6 attribute is then used by
the NAS to complete the DHCPv6 procedure that the CPE initiated to
retrieve information about the MPTCP Concentrator it has been
assigned.
Upon change of the MPTCP Concentrator assigned to a CPE, the RADIUS
server sends a RADIUS CoA message [RFC5176] that carries the RADIUS
MPTCP-Concentrator-IPv6 attribute to the NAS. Once that message is
accepted by the NAS, it replies with a RADIUS CoA ACK message. The
NAS replaces the old MPTCP Concentrator with the new one.
Figure 3 shows another example where a CPE is assigned an MPTCP
Concentrator, but the CPE uses DHCPv6 to retrieve a list of IP
addresses of an MPTCP concentrator.
Boucadair & Jacquenet Expires July 22, 2016 [Page 7]
Internet-Draft RADIUS for MPTCP January 2016
CPE NAS AAA
DHCPv4 client DHCPv4 server server
| | |
|-----------DHCPDISCOVER---------->| |
| |----Access-Request ---->|
| | |
| |<----Access-Accept------|
| |MPTCP-Concentrator-IPv4 |
|<------------DHCPOFFER------------| |
| (OPTION_V4_MPTCP) | |
| | |
|------------DHCPREQUEST---------->| |
| (OPTION_V4_MPTCP) | |
| | |
|<-----------DHCPACK---------------| |
| (OPTION_V4_MPTCP) | |
DHCPv4 RADIUS
Figure 3: Sample Flow Example (2)
Some deployments may rely on the mechanisms defined in [RFC4014] or
[RFC7037], which allows a NAS to pass attributes obtained from a
RADIUS server to a DHCP server.
4. Security Considerations
RADIUS-related security considerations are discussed in [RFC2865].
MPTCP-related security considerations are discussed in [RFC6824] and
[RFC6181].
Traffic theft is a risk if an illegitimate concentrator is inserted
in the path. Indeed, inserting an illegitimate concentrator in the
forwarding path allows to intercept traffic and can therefore provide
access to sensitive data issued by or destined to a host. To
mitigate this threat, secure means to discover a concentrator should
be enabled.
5. Table of Attributes
The following table provides a guide as what type of RADIUS packets
that may contain these attributes, and in what quantity.
Boucadair & Jacquenet Expires July 22, 2016 [Page 8]
Internet-Draft RADIUS for MPTCP January 2016
Access- Access- Access- Challenge Acct. # Attribute
Request Accept Reject Request
0+ 0+ 0 0 0+ TBA MPTCP-Concentrator-IPv4
0+ 0+ 0 0 0+ TBA MPTCP-Concentrator-IPv6
CoA-Request CoA-ACK CoA-NACK # Attribute
0+ 0 0 TBA MPTCP-Concentrator-IPv4
0+ 0 0 TBA MPTCP-Concentrator-IPv6
The following table defines the meaning of the above table entries:
0 This attribute MUST NOT be present in packet.
0+ Zero or more instances of this attribute MAY be present in packet.
6. IANA Considerations
IANA is requested to assign two new RADIUS attribute types from the
IANA registry "Radius Attribute Types" located at
http://www.iana.org/assignments/radius-types:
MPTCP-Concentrator-IPv4 (TBA)
MPTCP-Concentrator-IPv6 (TBA)
7. Acknowledgements
Thanks to Alan DeKok for the comments.
8. References
8.1. Normative References
[I-D.ietf-radext-datatypes]
DeKok, A., "Data Types in the Remote Authentication Dial-
In User Service Protocol (RADIUS)", draft-ietf-radext-
datatypes-02 (work in progress), November 2015.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, DOI 10.17487/RFC2865, June 2000,
<http://www.rfc-editor.org/info/rfc2865>.
Boucadair & Jacquenet Expires July 22, 2016 [Page 9]
Internet-Draft RADIUS for MPTCP January 2016
[RFC6158] DeKok, A., Ed. and G. Weber, "RADIUS Design Guidelines",
BCP 158, RFC 6158, DOI 10.17487/RFC6158, March 2011,
<http://www.rfc-editor.org/info/rfc6158>.
[RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
"Special-Purpose IP Address Registries", BCP 153,
RFC 6890, DOI 10.17487/RFC6890, April 2013,
<http://www.rfc-editor.org/info/rfc6890>.
8.2. Informative References
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981,
<http://www.rfc-editor.org/info/rfc793>.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol",
RFC 2131, DOI 10.17487/RFC2131, March 1997,
<http://www.rfc-editor.org/info/rfc2131>.
[RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
C., and M. Carney, "Dynamic Host Configuration Protocol
for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July
2003, <http://www.rfc-editor.org/info/rfc3315>.
[RFC4014] Droms, R. and J. Schnizlein, "Remote Authentication Dial-
In User Service (RADIUS) Attributes Suboption for the
Dynamic Host Configuration Protocol (DHCP) Relay Agent
Information Option", RFC 4014, DOI 10.17487/RFC4014,
February 2005, <http://www.rfc-editor.org/info/rfc4014>.
[RFC4908] Nagami, K., Uda, S., Ogashiwa, N., Esaki, H., Wakikawa,
R., and H. Ohnishi, "Multi-homing for small scale fixed
network Using Mobile IP and NEMO", RFC 4908,
DOI 10.17487/RFC4908, June 2007,
<http://www.rfc-editor.org/info/rfc4908>.
[RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
Aboba, "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", RFC 5176,
DOI 10.17487/RFC5176, January 2008,
<http://www.rfc-editor.org/info/rfc5176>.
[RFC6181] Bagnulo, M., "Threat Analysis for TCP Extensions for
Multipath Operation with Multiple Addresses", RFC 6181,
DOI 10.17487/RFC6181, March 2011,
<http://www.rfc-editor.org/info/rfc6181>.
Boucadair & Jacquenet Expires July 22, 2016 [Page 10]
Internet-Draft RADIUS for MPTCP January 2016
[RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
"TCP Extensions for Multipath Operation with Multiple
Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013,
<http://www.rfc-editor.org/info/rfc6824>.
[RFC6911] Dec, W., Ed., Sarikaya, B., Zorn, G., Ed., Miles, D., and
B. Lourdelet, "RADIUS Attributes for IPv6 Access
Networks", RFC 6911, DOI 10.17487/RFC6911, April 2013,
<http://www.rfc-editor.org/info/rfc6911>.
[RFC7037] Yeh, L. and M. Boucadair, "RADIUS Option for the DHCPv6
Relay Agent", RFC 7037, DOI 10.17487/RFC7037, October
2013, <http://www.rfc-editor.org/info/rfc7037>.
Authors' Addresses
Mohamed Boucadair
Orange
Rennes 35000
France
Email: mohamed.boucadair@orange.com
Christian Jacquenet
Orange
Rennes
France
Email: christian.jacquenet@orange.com
Boucadair & Jacquenet Expires July 22, 2016 [Page 11]
| PAFTECH AB 2003-2026 | 2026-04-24 01:42:57 |