One document matched: draft-hu-v6ops-radius-issues-ipv6-01.txt
Differences from draft-hu-v6ops-radius-issues-ipv6-00.txt
V6ops WG Jie. Hu, Ed.
Internet-Draft Yulong. Ouyang
Intended status: Standards Track Qian. Wang
Expires: September 16, 2011 China Telecom
Jacni. Qin, Ed.
ZTE
March 15, 2011
RADIUS issues in IPv6 deployments
draft-hu-v6ops-radius-issues-ipv6-01
Abstract
This document discusses the issues encountered when using RADIUS for
AAA in IPv6 deployments.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 16, 2011.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Hu, et al. Expires September 16, 2011 [Page 1]
Internet-Draft RADIUS issues in IPv6 deployments March 2011
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3
2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Issue 1: Identifying users of different protocols . . . . . 3
2.2. Issue 2: Network or Host on Customer Premises? . . . . . . 4
2.3. Issue 3: Protocol Specific Accounting . . . . . . . . . . . 4
3. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Normative References . . . . . . . . . . . . . . . . . . . 6
6.2. Informative References . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7
Hu, et al. Expires September 16, 2011 [Page 2]
Internet-Draft RADIUS issues in IPv6 deployments March 2011
1. Introduction
RADIUS is a protocol that provides centralized authentication,
authorization and accounting management for users to connect network
services. In current practical broadband networks, RADIUS is widely
used by ISPs for AAA when provisioning Framed Services (e.g. PPPoE)
to subscribers. The RADIUS protocol has currently been specified to
support both IPv4 and IPv6. Attributes are defined in [RFC3162],
[RFC4818], [I-D.ietf-radext-ipv6-access] for IPv6 network access.
While, there are still some issues encountered.
This document discusses these issues learnt from the IPv6 deployments
and the possible solutions.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Problem Statement
2.1. Issue 1: Identifying users of different protocols
In the deployment model of centralized AAA and network configuration
assignment, A NAS does not know a-priori whether the user will be
using IPv4, IPv6, or both. For example, after RADIUS authentication
and authorization has completed, the address assignment occurs
accordingly based on the attributes received (IPv4 related, IPv6
related, or both) within the RADIUS message, since there have been
attributes defined to convey configuration information for users of
different protocols (e.g., IPv4, IPv6, and others).
For the sake of efficiency and reliability, in many designs, the
network configuration assignments are distributed and fully
controlled on the NASes which behave as RADIUS client and work with
the RADIUS server only for the centralized AAA of users. In this
case where the configuration information assignments of different
network protocols are managed by NAS but not along with the
centralized authentication and authorization by RADIUS server, a
means is needed to notify NAS the categories of users according to
the result of authentication and authorization (based on service
contracts purchased by users, e.g., IPv4, IPv6 or dual-stack).
The possible solution:
Hu, et al. Expires September 16, 2011 [Page 3]
Internet-Draft RADIUS issues in IPv6 deployments March 2011
Set some 'domains' of users (e.g., 'IPv4 domain', 'IPv6 domain',
'dual-stack domain') on NAS, each with different profiles (
configuration information of given protocols) configured, and
require the users to enclose additional identification when
sending request message for authentication and authorization, for
example, an @domainX suffix added to its usename which can be used
by NAS to classify the users locally before the AAA procedure.
The trade-off is, this may affect the experience of existing users
and cost much if significant changes have to be made.
Or,a dedicated attribute could be defined for the explicit
notification sent by RADIUS server to NAS according to the result
of user authentication and authorization.
2.2. Issue 2: Network or Host on Customer Premises?
In the provisioning mode where user's network is connected through a
RG for example, a delegated prefix is needed to be assigned to the RG
which behaves as the requesting router. Or in other provisioning
mode, only a framed IPv6 address/prefix is needed to be assigned to
the accessing host. If the assignment is centralized managed by the
RADIUS server, the Delegated-IPv6-Prefix Attribute [RFC4818] or
Frame-IPv6-Address/Prefix should be used accordingly to convey the
information to authorized users. While if the configuration
information assignment is managed by NAS, there needs a means for
RADIUS server to notify NAS whether the user is authorized to be
assigned a delegated prefix or just a framed IPv6 address /prefix to
its NAS facing interface.
The possible solution:
Either to define a dedicated Attribute for the explicit
notification, or to specify the rule of implementation of
Attributes related, for example Frame-IPv6-Address/Prefix
Attribute and Delegated-IPv6-Prefix Attribute with special value
on RADIUS server for the notification to NAS as an instruction.
2.3. Issue 3: Protocol Specific Accounting
Accounting operations and attributes are specified in [RFC2866] to
collect statistics for all traffic (including IPv4, IPv6, and other
protocols) over the access service (e.g., Framed). In current
practice, generally it is simply treated as the statistics for IPv4
traffic. That workswell if only IPv4 connectivity is provided over
given Framed service (e.g., PPPoE). While if IPv6 connectivity is
provided as well, for example, there is no means by which the
statistics for traffic of respective protocols can be collected.
Hu, et al. Expires September 16, 2011 [Page 4]
Internet-Draft RADIUS issues in IPv6 deployments March 2011
The possible solution:
At lease two sets of attributes for protocol (IPv4, IPv6) specific
accounting over Framed service (e.g, PPPoE) need to be defined.
For example:
* Acct-Framed-IPv4-Input-Octets
* Acct-Framed-IPv4-Output-Octets
* Acct-Framed-IPv4-Input-Packets
* Acct-Framed-IPv4-Output-Packets
* Acct-Framed-IPv4-Input-Gigawords
* Acct-Framed-IPv4-Output-Gigawords
*
* Acct-Framed-IPv6-Input-Octets
* Acct-Framed-IPv6-Output-Octets
* Acct-Framed-IPv6-Input-Packets
* Acct-Framed-IPv6-Output-Packets
* Acct-Framed-IPv6-Input-Gigawords
* Acct-Framed-IPv6-Output-Gigawords
3. Acknowledgements
TBD
4. IANA Considerations
TBD
5. Security Considerations
TBD
Hu, et al. Expires September 16, 2011 [Page 5]
Internet-Draft RADIUS issues in IPv6 deployments March 2011
6. References
6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000.
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[RFC2867] Zorn, G., Aboba, B., and D. Mitton, "RADIUS Accounting
Modifications for Tunnel Protocol Support", RFC 2867,
June 2000.
[RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege,
M., and I. Goyret, "RADIUS Attributes for Tunnel Protocol
Support", RFC 2868, June 2000.
[RFC2869] Rigney, C., Willats, W., and P. Calhoun, "RADIUS
Extensions", RFC 2869, June 2000.
6.2. Informative References
[I-D.ietf-radext-ipv6-access]
Lourdelet, B., Dec, W., Sarikaya, B., Zorn, G., and D.
Miles, "RADIUS attributes for IPv6 Access Networks",
draft-ietf-radext-ipv6-access-04 (work in progress),
March 2011.
[I-D.maglione-radext-ipv6-acct-extensions]
Maglione, R., Krishnan, S., Kavanagh, A., Varga, B., and
J. Kaippallimalil, "RADIUS Accounting Extensions for
IPv6", draft-maglione-radext-ipv6-acct-extensions-01 (work
in progress), March 2010.
[RFC2882] Mitton, D., "Network Access Servers Requirements: Extended
RADIUS Practices", RFC 2882, July 2000.
[RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6",
RFC 3162, August 2001.
[RFC4014] Droms, R. and J. Schnizlein, "Remote Authentication
Dial-In User Service (RADIUS) Attributes Suboption for the
Dynamic Host Configuration Protocol (DHCP) Relay Agent
Information Option", RFC 4014, February 2005.
Hu, et al. Expires September 16, 2011 [Page 6]
Internet-Draft RADIUS issues in IPv6 deployments March 2011
[RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix
Attribute", RFC 4818, April 2007.
[RFC5080] Nelson, D. and A. DeKok, "Common Remote Authentication
Dial In User Service (RADIUS) Implementation Issues and
Suggested Fixes", RFC 5080, December 2007.
Authors' Addresses
Jie Hu (editor)
China Telecom
No.118, Xizhimennei
Beijing, 100035
China
Phone: +86 10 5855 2808
Email: huj@ctbri.com.cn
Yulong Ouyang
China Telecom
No.359, WuYi Road
Changsha, Hunan 410000
China
Phone: +86 1375 506 9024
Email: oyyl191@gmail.com
Qian Wang
China Telecom
No.118, Xizhimennei
Beijing, 100035
China
Phone: +86 10 5855 2177
Email: wangqian@ctbri.com.cn
Jacni Qin (editor)
ZTE
Shanghai,
China
Phone: +86 1391 861 9913
Email: jacniq@gmail.com
Hu, et al. Expires September 16, 2011 [Page 7]
| PAFTECH AB 2003-2026 | 2026-04-22 23:01:28 |