One document matched: draft-boucadair-mptcp-radius-03.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-boucadair-mptcp-radius-03"
ipr="trust200902">
<front>
<title abbrev="RADIUS for MPTCP">RADIUS Extensions for Network-Assisted
Multipath TCP (MPTCP)</title>
<author fullname="Mohamed Boucadair" initials="M." surname="Boucadair">
<organization>Orange</organization>
<address>
<postal>
<street></street>
<city>Rennes</city>
<region></region>
<code>35000</code>
<country>France</country>
</postal>
<email>mohamed.boucadair@orange.com</email>
</address>
</author>
<author fullname="Christian Jacquenet" initials="C." surname="Jacquenet">
<organization>Orange</organization>
<address>
<postal>
<street></street>
<city>Rennes</city>
<region></region>
<country>France</country>
</postal>
<email>christian.jacquenet@orange.com</email>
</address>
</author>
<date />
<abstract>
<t>Because of the lack of Multipath TCP (MPTCP) support at the server
side, some service providers now consider a network-assisted model that
relies upon the activation of a dedicated function called MPTCP
Conversion Point (MCP). Network-assisted MPTCP deployment models are
designed to facilitate the adoption of MPTCP for the establishment of
multi-path communications without making any assumption about the
support of MPTCP by the communicating peers. MCPs located in the network
are responsible for establishing multi-path communications on behalf of
endpoints, thereby taking advantage of MPTCP capabilities to achieve
different goals that include (but are not limited to) optimization of
resource usage (e.g., bandwidth aggregation), of resiliency (e.g.,
primary/backup communication paths), and traffic offload management.</t>
<t>This document specifies a new Remote Authentication Dial-In User
Service (RADIUS) attributes that carry the IP addresses that will be
returned to authorized users to reach one or multiple MCPs.<!--
--></t>
</abstract>
<note title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</note>
</front>
<middle>
<section title="Introduction">
<t>One of the promising deployment scenarios for Multipath TCP (MPTCP,
<xref target="RFC6824"></xref>) is to enable a Customer Premises
Equipment (CPE) that is connected to multiple networks (e.g., DSL, LTE,
WLAN) to optimize the usage of such resources, see for example <xref
target="RFC4908"></xref>.</t>
<t>Network-assisted MPTCP deployment models are designed to facilitate
the adoption of MPTCP for the establishment of multi-path communications
without making any assumption about the support of MPTCP by the
communicating peers. This deployment scenario relies on MPTCP proxies
located on both the CPE and network sides (<xref target="fig"></xref>).
MPTCP proxies are responsible for establishing multi-path communications
on behalf of endpoints, thereby taking advantage of MPTCP capabilities
to optimize resource usage to achieve different goals that include (but
are not limited to) bandwidth aggregation, primary/backup communication
paths, and traffic offload management.<figure align="center"
anchor="fig" title="Network-Assisted MPTCP: Reference Architecture">
<artwork><![CDATA[ +------------+ _--------_ +----------------+
| | ( LTE ) | |
| CPE +=======+ +===+ Backbone |
| (MCP) | (_ _) | Network |
| | (_______) |+--------------+|
| | IP Network #1 || Concentrator ||------> Internet
| | || (MCP) ||
| | |+--------------+|
| | IP Network #2 | |
| | _--------_ | |
| | ( DSL ) | |
| +=======+ +==+ |
| | (_ _) | |
+-----+------+ (_______) +----------------+
|
---- LAN ----
|
end-nodes
]]></artwork>
</figure></t>
<t>Within this document, an MPTCP Conversion Point (MCP) refers to a
functional element that is responsible for aggregating the traffic
originated by a group of CPEs. This element is located in the network.
One or multiple MCPs can be deployed in the network to assist
MPTCP-enabled CPEs to establish MPTCP connections via their available
network attachments. On the uplink path, the MCP terminates the MPTCP
connections received from its customer-facing interfaces and transforms
these connections into legacy TCP connections <xref
target="RFC0793"></xref> towards upstream servers. On the downlink path,
the MCP turns the legacy server's TCP connection into MPTCP connections
towards its customer-facing interfaces.</t>
<t>This document specifies two new Remote Authentication Dial-In User
Service (RADIUS, <xref target="RFC2865"></xref>) attributes that carry
the MCP IP address list (<xref target="att"></xref>). In order to
accommodate both IPv4 and IPv6 deployment contexts, and given the
constraints in Section 3.4 of <xref target="RFC6158"></xref>, two
attributes are specified. Note that one or multiple IPv4 and/or IPv6
addresses may be returned to a requesting CPE. A sample use case is
described in <xref target="uc"></xref>.</t>
<t>This document assumes that the MCP(s) reachability information can be
stored in Authentication, Authorization, and Accounting (AAA) servers
while the CPE configuration is usually provided by means of DHCP (<xref
target="RFC2131"></xref><xref target="RFC3315"></xref>).</t>
<t>This specification assumes an MCP is reachable through one or
multiple IP addresses. As such, a list of IP addresses can be
communicated via RADIUS. Also, it assumes the various network
attachments provided to an MPTCP-enabled CPE are managed by the same
administrative entity.</t>
<t>This document adheres to <xref
target="I-D.ietf-radext-datatypes"></xref> for defining the new
attributes.</t>
</section>
<section anchor="att" title="MPTCP RADIUS Attributes">
<t></t>
<section title="MPTCP-IPv4-Concentrator">
<t>Description<list style="empty">
<t>The RADIUS MPTCP-MCP-IPv4 attribute contains the IPv4 address
of an MCP that is assigned to a CPE. <vspace
blankLines="1" />Because multiple MCP IP addresses may be
provisioned to an authorised CPE (that is a CPE entitled to
solicit the resources of an MCP to establish MPTCP connections),
multiple instances of the MPTCP-MCP-IPv4 attribute MAY be
included; each instance of the attribute carries a distinct IP
address. <vspace blankLines="1" />Both MPTCP-MCP-IPv4 and
MPTCP-MCP-IPv6 attributes MAY be present in a RADIUS message.</t>
<t>The MPTCP-MCP-IPv4 Attribute MAY appear in a RADIUS
Access-Accept packet. It MAY also appear in a RADIUS
Access-Request packet as a hint to the RADIUS server to indicate a
preference, although the server is not required to honor such a
hint.</t>
<t>The MPTCP-MCP-IPv4 Attribute MAY appear in a CoA-Request
packet.</t>
<t>The MPTCP-MCP-IPv4 Attribute MAY appear in a RADIUS
Accounting-Request packet.</t>
<t>The MPTCP-MCP-IPv4 Attribute MUST NOT appear in any other
RADIUS packet.</t>
</list>Type<list style="empty">
<t>TBA (see <xref target="IANA"></xref>).</t>
</list></t>
<t>Length<list style="empty">
<t>6</t>
</list></t>
<t>Data Type<list style="empty">
<t>The attribute MPTCP-MCP-IPv4 is of type ip4addr (Section 3.3 of
<xref target="I-D.ietf-radext-datatypes"></xref>).</t>
</list></t>
<t>Value<list style="empty">
<t>This field includes an IPv4 address (32 bits) of the MCP.
<vspace blankLines="1" />The MPTCP-MCP-IPv4 attribute MUST NOT
include multicast and host loopback addresses <xref
target="RFC6890"></xref>. Anycast addresses are allowed to be
included in an MPTCP-MCP-IPv4 attribute.</t>
</list></t>
</section>
<section title="MPTCP-IPv6-Concentrator">
<t>Description<list style="empty">
<t>The RADIUS MPTCP-MCP-IPv6 attribute contains the IPv6 address
of an MCP that is assigned to a CPE. <vspace
blankLines="1" />Because multiple MCP IP addresses may be
provisioned to an authorised CPE (that is a CPE entitled to
solicit the resources of an MCP to establish MPTCP connections),
multiple instances of the MPTCP-MCP-IPv6 attribute MAY be
included; each instance of the attribute carries a distinct IP
address. <vspace blankLines="1" />Both MPTCP-MCP-IPv4 and
MPTCP-MCP-IPv6 attributes MAY be present in a RADIUS message.</t>
<t>The MPTCP-MCP-IPv6 Attribute MAY appear in a RADIUS
Access-Accept packet. It MAY also appear in a RADIUS
Access-Request packet as a hint to the RADIUS server to indicate a
preference, although the server is not required to honor such a
hint.</t>
<t>The MPTCP-MCP-IPv6 Attribute MAY appear in a CoA-Request
packet.</t>
<t>The MPTCP-MCP-IPv6 Attribute MAY appear in a RADIUS
Accounting-Request packet.</t>
<t>The MPTCP-MCP-IPv6 Attribute MUST NOT appear in any other
RADIUS packet.</t>
</list>Type<list style="empty">
<t>TBA (see <xref target="IANA"></xref>).</t>
</list></t>
<t>Length<list style="empty">
<t>18</t>
</list></t>
<t>Data Type<list style="empty">
<t>The attribute MPTCP-MCP-IPv6 is of type ip6addr (Section 3.9 of
<xref target="I-D.ietf-radext-datatypes"></xref>).</t>
</list></t>
<t>Value<list style="empty">
<t>This field includes an IPv6 address (128 bits) of the MCP.
<vspace blankLines="1" />The MPTCP-MCP-IPv6 attribute MUST NOT
include multicast and host loopback addresses <xref
target="RFC6890"></xref>. Anycast addresses are allowed to be
included in an MPTCP-MCP-IPv6 attribute.</t>
</list></t>
</section>
</section>
<section anchor="uc" title="Sample Use Case">
<t>This section does not aim to provide an exhaustive list of deployment
scenarios where the use of the RADIUS MPTCP-MCP-IPv6 and MPTCP-MCP-IPv4
attributes can be helpful. Typical deployment scenarios are described,
for instance, in <xref target="RFC6911"></xref>.</t>
<t><xref target="ex"></xref> shows an example where a CPE is assigned an
MCP. This example assumes that the Network Access Server (NAS) embeds
both RADIUS client and DHCPv6 server capabilities.</t>
<t><figure align="center" anchor="ex" title="Sample Flow Example (1)">
<artwork><![CDATA[ CPE NAS AAA
DHCPv6 client DHCPv6 server server
| | |
|---------DHCPv6 Solicit-------->| |
| |----Access-Request ---->|
| | |
| |<----Access-Accept------|
| | MPTCP-MCP-IPv6 |
|<-------DHCPv6 Advertisement----| |
| (OPTION_V6_MPTCP) | |
| | |
|---------DHCPv6 Request-------->| |
| | |
|<---------DHCPv6 Reply----------| |
| (OPTION_V6_MPTCP) | |
DHCPv6 RADIUS]]></artwork>
</figure></t>
<t>Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends
a RADIUS Access-Request message to the AAA server. Once the AAA server
receives the request, it replies with an Access-Accept message (possibly
after having sent a RADIUS Access-Challenge message and assuming the CPE
is entitled to connect to the network) that carries a list of parameters
to be used for this session, and which include MCP reachability
information (namely a list of IP addresses).</t>
<t>The content of the MPTCP-MCP-IPv6 attribute is then used by the NAS
to complete the DHCPv6 procedure that the CPE initiated to retrieve
information about the MCP it has been assigned.</t>
<t>Upon change of the MCP assigned to a CPE, the RADIUS server sends a
RADIUS CoA message <xref target="RFC5176"></xref> that carries the
RADIUS MPTCP-MCP-IPv6 attribute to the NAS. Once that message is
accepted by the NAS, it replies with a RADIUS CoA ACK message. The NAS
replaces the old MCP with the new one.</t>
<t><xref target="ex2"></xref> shows another example where a CPE is
assigned an MCP, but the CPE uses DHCPv6 to retrieve a list of IP
addresses of an MCP.</t>
<t><figure align="center" anchor="ex2" title="Sample Flow Example (2)">
<artwork><![CDATA[ CPE NAS AAA
DHCPv4 client DHCPv4 server server
| | |
|-----------DHCPDISCOVER---------->| |
| |----Access-Request ---->|
| | |
| |<----Access-Accept------|
| | MPTCP-MCP-IPv4 |
|<------------DHCPOFFER------------| |
| (OPTION_V4_MPTCP) | |
| | |
|------------DHCPREQUEST---------->| |
| (OPTION_V4_MPTCP) | |
| | |
|<-----------DHCPACK---------------| |
| (OPTION_V4_MPTCP) | |
DHCPv4 RADIUS]]></artwork>
</figure></t>
<t>Some deployments may rely on the mechanisms defined in <xref
target="RFC4014"></xref> or <xref target="RFC7037"></xref>, which allows
a NAS to pass attributes obtained from a RADIUS server to a DHCP
server.</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>RADIUS-related security considerations are discussed in <xref
target="RFC2865"></xref>.</t>
<t>MPTCP-related security considerations are discussed in <xref
target="RFC6824"></xref> and <xref target="RFC6181"></xref>.</t>
<t>Traffic theft is a risk if an illegitimate MCP is inserted in the
path. Indeed, inserting an illegitimate MCP in the forwarding path
allows to intercept traffic and can therefore provide access to
sensitive data issued by or destined to a host. To mitigate this threat,
secure means to discover an MCP should be enabled.</t>
</section>
<section title="Table of Attributes">
<t>The following table provides a guide as what type of RADIUS packets
that may contain these attributes, and in what quantity.</t>
<t><figure>
<artwork><![CDATA[Access- Access- Access- Challenge Acct. # Attribute
Request Accept Reject Request
0+ 0+ 0 0 0+ TBA MPTCP-MCP-IPv4
0+ 0+ 0 0 0+ TBA MPTCP-MCP-IPv6
CoA-Request CoA-ACK CoA-NACK # Attribute
0+ 0 0 TBA MPTCP-MCP-IPv4
0+ 0 0 TBA MPTCP-MCP-IPv6
]]></artwork>
</figure></t>
<t>The following table defines the meaning of the above table
entries:<figure>
<artwork><![CDATA[ 0 This attribute MUST NOT be present in packet.
0+ Zero or more instances of this attribute MAY be present in packet.
]]></artwork>
</figure></t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>IANA is requested to assign two new RADIUS attribute types from the
IANA registry "Radius Attribute Types" located at
http://www.iana.org/assignments/radius-types:<list style="empty">
<t>MPTCP-MCP-IPv4 (TBA)</t>
<t>MPTCP-MCP-IPv6 (TBA)</t>
</list></t>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>Thanks to Alan DeKok for the comments.</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119"?>
<?rfc include='reference.RFC.6890'?>
<?rfc include='reference.RFC.2865'?>
<?rfc include='reference.RFC.6158'?>
<?rfc include='reference.I-D.ietf-radext-datatypes'?>
</references>
<references title="Informative References">
<?rfc include='reference.RFC.4908'?>
<?rfc include='reference.RFC.0793'?>
<?rfc include='reference.RFC.6911'?>
<?rfc include='reference.RFC.3315'?>
<?rfc include='reference.RFC.2131'?>
<?rfc include='reference.RFC.6824'?>
<?rfc include='reference.RFC.5176'?>
<?rfc include='reference.RFC.6181'?>
<?rfc include='reference.RFC.4014'?>
<?rfc include='reference.RFC.7037'?>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 02:58:17 |