One document matched: draft-ietf-radext-ipv6-access-06.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc4862 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4862.xml">
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc4191 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4191.xml">
<!ENTITY rfc5006 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5006.xml">
<!ENTITY rfc2868 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2868.xml">
<!ENTITY rfc5226 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5226.xml">
<!ENTITY rfc3162 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3162.xml">
<!ENTITY rfc3315 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3315.xml">
<!ENTITY rfc4818 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4818.xml">
<!ENTITY rfc3633 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3633.xml">
<!ENTITY rfc4861 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4861.xml">
]>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="compact" ?>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<rfc category="std" docName="draft-ietf-radext-ipv6-access-06.txt"
ipr="pre5378Trust200902">
<front>
<title abbrev="RADIUS IPv6 Access">RADIUS attributes for IPv6 Access
Networks</title>
<author fullname="Benoit Lourdelet" initials="B.L." surname="Lourdelet">
<organization>Cisco Systems, Inc.</organization>
<address>
<postal>
<street>Village ent. GreenSide, Bat T3,</street>
<street>400, Av de Roumanille,</street>
<city>06410 BIOT - Sophia-Antipolis Cedex</city>
<country>France</country>
</postal>
<phone>+33 4 97 23 26 23</phone>
<email>blourdel@cisco.com</email>
</address>
</author>
<author fullname="Wojciech Dec" initials="W.D." role="editor"
surname="Dec">
<organization>Cisco Systems, Inc.</organization>
<address>
<postal>
<street>Haarlerbergweg 13-19</street>
<city>Amsterdam , NOORD-HOLLAND 1101 CH</city>
<country>Netherlands</country>
</postal>
<email>wdec@cisco.com</email>
</address>
</author>
<author fullname="Behcet Sarikaya" initials="B.S." surname="Sarikaya">
<organization>Huawei USA</organization>
<address>
<postal>
<street>1700 Alma Dr. Suite 500</street>
<city>Plano</city>
<region>TX</region>
<country>US</country>
</postal>
<phone>+1 972-509-5599</phone>
<email>sarikaya@ieee.org</email>
</address>
</author>
<author fullname="Glen Zorn" initials="G.Z." surname="Zorn">
<organization>Network Zen</organization>
<address>
<postal>
<street>1310 East Thomas Street</street>
<city>Seattle</city>
<region>WA</region>
<country>US</country>
</postal>
<email>gwz@net-zen.net</email>
</address>
</author>
<author fullname="David Miles" initials="D.M." surname="Miles">
<organization>Alcatel-Lucent</organization>
<address>
<postal>
<street>L3 / 215 Spring St</street>
<city>Melbourne, Victoria 3000</city>
<region></region>
<code></code>
<country>Australia</country>
</postal>
<phone></phone>
<facsimile></facsimile>
<email>David.Miles@alcatel-lucent.com</email>
<uri></uri>
</address>
</author>
<date day="14" month="November" year="2011" />
<abstract>
<t>This document specifies additional IPv6 RADIUS attributes useful in
residential broadband network deployments. The attributes, which are
used for authorization and accounting, enable assignment of a host IPv6
address and IPv6 DNS server address via DHCPv6; assignment of an IPv6
route announced via router advertisement; assignment of a named IPv6
delegated prefix pool; and assignment of a named IPv6 pool for host
DHCPv6 addressing.</t>
</abstract>
<note title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</note>
</front>
<middle>
<section title="Introduction">
<t>This document specifies additional RADIUS attributes used to support
configuration of DHCPv6 and/or ICMPv6 parameters on a per-user basis.
The attributes, which complement those defined in [RFC3162] and
[RFC4818], support the following:</t>
<t><list style="symbols">
<t>Assignment of specific IPv6 addresses to hosts via DHCPv6.</t>
<t>Assignment of an IPv6 DNS server address, via DHCPv6 or
[RFC5006].</t>
<t>Configuration of more specific routes to be announced to the user
via the Route Information Option defined in [RFC4191] Section
2.3.</t>
<t>The assignment of a named delegated prefix pool for use with
"IPv6 Prefix Options for DHCPv6" [RFC3633].</t>
<t>The assignment of a named stateful address pool for use with
DHCPv6 stateful address assignment [RFC3315]</t>
</list></t>
</section>
<section title="Deployment Scenarios">
<t>A common broadband network scenario is illustrated in Figure 1. It is
composed of a IP Routing Residential Gateway (RG) or host, a Layer 2
Access-Node (e.g. a DSLAM), one or more IP Network Access Servers
(NASes), and an AAA server. The RG or host are expected to be multi
homed to both NASes. Layer 2 Connectivity between the host and NAS can
be either via PPPoE or IP over Ethernet, and established
dynamically.</t>
<figure>
<artwork><![CDATA[
+-----+
(Radius) | AAA |
...........>| |
. +--+--+
v ^
+---+---+ .
| NAS | .(Radius)
| | .
+---+---+ v
+------+ | +---+---+
+------+ | AN | | | NAS |
| RG/ +-------| +-----------+----------+ |
| host | | | | |
+------+ (DSL) +------+ (Ethernet) +-------+
Figure 1
]]></artwork>
</figure>
<t>In this scenario the NASes may embed a DHCPv6 server to handle DHCPv6
requests issued by RGs/hosts, as well as acting as a router providing
Router Advertisements. The RADIUS server authenticates each RG/host and
returns to the NAS attributes used for authorization and accounting.
These attributes can include a host IPv6 address to be configured via
DHCPv6; the IPv6 address of a DNS server to configured via DHCPv6 or
router advertisement; the name of a prefix pool to be used for DHCPv6
Prefix Delegation; or IPv6 routes to be announced to the host.</t>
<t>The following sub-sections discuss how these uses in more detail.</t>
<section title="IPv6 Address Assignment">
<t>DHCPv6 <xref target="RFC3315"></xref> provides a mechanism to
assign one or more or non- temporary IPv6 addresses to hosts. To
provide a DHCPv6 server residing on a NAS with one or more IPv6
addresses to be assigned, this document specifies the
Framed-IPv6-Address Attribute.</t>
<t>While [RFC3162] permits an IPv6 address to be specified via the
combination of the Framed-Interface-Id and Framed-IPv6-Prefix
attributes, this separation is more natural for use with IPv6CP than
it is for use with DHCPv6, and the use of a single IPv6 address
attribute makes for easier processing of accounting records.</t>
<t>Since DHCPv6 can be deployed on the same network as ICMPv6
stateless (SLAAC) <xref target="RFC4862"></xref>, it is possible that
the NAS will require both stateful and stateless configuration
information. Therefore it is possible for the Framed-IPv6-Address,
Framed-IPv6-Prefix and Framed-Interface-Id attributes [RFC3162] to be
included within the same packet. To avoid ambiguity, the
Framed-IPv6-Address attribute is only used for authorization and
accounting of DHCPv6-assigned addresses and the Framed-IPv6-Prefix and
Framed-Interface-Id attributes are used for authorization and
accounting of addresses assigned via SLAAC.</t>
</section>
<section title="Recursive DNS Servers">
<t>DHCPv6 provides an option for configuring a host with the IPv6
address of a DNS server. The IPv6 address of a DNS server can also be
conveyed to the host using ICMPv6 with Router Advertisements, via the
experimental <xref target="RFC5006"></xref> option. To provide the NAS
with the IPv6 address of a DNS server, this document specifies the
DNS-Server-IPv6-Address Attribute.</t>
</section>
<section title="IPv6 Route Information">
<t>An IPv6 Route Information option, defined in <xref
target="RFC4191"></xref> is intended to be used to inform a host
connected to the NAS that a specific route is reachable via the NAS.
This is particularly desirable in cases where the RG or host are
multi-homed to different NASes as shown in Figure 1.</t>
<t>This document specifies the RADIUS attribute that allows the AAA
system to provision the announcement by the NAS of a specific Route
Information Option to an accessing host. The NAS may advertise this
route using the method defined in <xref target="RFC4191"></xref> or
using other equivalent methods.</t>
<t>While the Framed-IPv6-Prefix Attribute defined in [RFC3162] Section
2.3 causes the route to be advertised in an RA, it cannot be used to
configure more specific routes. While the Framed-IPv6-Route Attribute
defined in [RFC3162] Section 2.5 causes the route to be configured on
the NAS, and potentially announced via an IGP, depending on the value
of Framed-Routing, it does not result in the route being announced in
an RA.</t>
</section>
<section title="Delegated IPv6 Prefix Pool">
<t>DHCPv6 Prefix Delegation <xref target="RFC3633"></xref> involves a
delegating router selecting a prefix and delegating it on a temporary
basis to a requesting router. The delegating router may implement a
number of strategies as to how it chooses what prefix is to be
delegated to a requesting router, one of them being the use of a local
named prefix pool. The Delegated-IPv6-Prefix-Pool Attribute allows the
RADIUS server to convey a prefix pool name to a NAS hosting a
DHCPv6-PD server and acting as a delegated router.</t>
<t>Since DHCPv6 Prefix Delegation can conceivably be used on the same
network as SLAAC, it is possible for the Delegated-IPv6-Prefix-Pool
and Framed-IPv6-Pool attributes to be included within the same packet.
To avoid ambiguity in this scenario, use of the
Delegated-IPv6-Prefix-Pool attribute should be restricted to
authorization and accounting of prefix pools used in DHCPv6 Prefix
Delegation and the Framed-IPv6-Pool attribute should be used for
authorization and accounting of prefix pools used in SLAAC.</t>
</section>
<section title="Stateful IPv6 address pool">
<t>DHCPv6 [RFC3315] provides a mechanism to assign one or more or
non-temporary IPv6 addresses to hosts. Section 2.1 introduces the
Framed-IPv6-Address Attribute to be used for providing a DHCPv6 server
residing on a NAS with one or more IPv6 addresses to be assigned to
the clients. An alternative way to achieve a similar result is for the
NAS to select the IPv6 address to be assigned from an address pool
configured for this purpose on the NAS. This document specifies the
DHCPv6-IPv6-Address-Pool attribute to allow the RADIUS server to
convey a pool name to be used for such stateful DHCPv6 based
addressing, and any subsequent accounting.</t>
</section>
</section>
<section title="Attributes">
<t>The fields shown in the diagrams below are transmitted from left to
right.</t>
<section title="Framed-IPv6-Address">
<t>This Attribute indicates an IPv6 Address that is assigned to the
NAS-facing interface of the RG/host. It MAY be used in Access-Accept
packets, and MAY appear multiple times. It MAY be used in an
Access-Request packet as a hint by the NAS to the server that it would
prefer these IPv6 address(es), but the server is not required to honor
the hint. Since it is assumed that the NAS will add a route
corresponding to the address, it is not necessary for the server to
also send a host Framed-IPv6-Route attribute for the same address.</t>
<t>This Attribute can be used by a DHCPv6 process on the NAS to assign
a unique IPv6 address to the RG/host.</t>
<t>A summary of the Framed-IPv6-Address Attribute format is shown
below. <figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont.) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure> <list style="hanging">
<t hangText="Type"><vspace blankLines="1" /> TBA1 for
Framed-IPv6-Address</t>
<t hangText="Length"><vspace blankLines="1" /> 18</t>
<t hangText="Address"><vspace blankLines="1" /> The IPv6 address
field contains a 128-bit IPv6 address.</t>
</list></t>
</section>
<section title="DNS-Server-IPv6-Address">
<t>The DNS-Server-IPv6-Address Attribute contains the IPv6 address of
a recursive DNS server. This attribute MAY be included multiple times
in Access-Accept packets, when the intention is for a NAS to announce
more than one recursive DNS address to an RG/host. The same order of
the attributes is expected to be followed in the announcements to the
client.</t>
<t>The content of this attribute can be inserted in a DHCPv6 option as
specified in <xref target="RFC3646"></xref> or mapped option.</t>
<?rfc ?>
<t></t>
<t>A summary of the DNS-Server-IPv6-Address Attribute format is given
below. <figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont.) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure> <list style="hanging">
<t hangText="Type"><vspace blankLines="1" /> TBA2 for
DNS-Server-IPv6-Address</t>
<t hangText="Length"><vspace blankLines="1" /> 18</t>
<t hangText="Address"><vspace blankLines="1" /> The 128-bit IPv6
address of a DNS server.</t>
</list></t>
</section>
<section anchor="a" title="Route-IPv6-Information">
<t>This Attribute specifies a prefix (and corresponding route) for the
user on the NAS, which is to be announced using the Route Information
Option defined in "Default Router Preferences and More Specific
Routes" [RFC4191] Section 2.3. It is used in the Access-Accept packet
and can appear multiple times. It may also be used in the
Access-Request packet as hint to the server. A summary of the
Route-IPv6-Information attribute format is shown below.</t>
<t></t>
<t><figure>
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Prefix-Length |Resvd|Prf|Resvd|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Route Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. Prefix (variable) .
. .
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure></t>
<t><list style="hanging">
<t hangText="Type"><vspace blankLines="1" /> TBA3 for
Route-IPv6-Information</t>
<t hangText="Length"><vspace blankLines="1" /> Length in bytes. At
least 4 and no larger than 20; typically 12 or less.</t>
<t hangText="Prefix Length"><vspace blankLines="1" /> 8-bit
unsigned integer. The number of leading bits in the Prefix that
are valid. The value ranges from 0 to 1. The prefix field is 0, 8
or 16 octets depending on Length.</t>
<t hangText="Prf (Route Preference)">2-bit signed integer. The
Route Preference indicates whether to prefer the router associated
with this prefix over others, when multiple identical prefixes
(for different routers) have been received.</t>
<t hangText="Resvd (Reserved)">Two 3-bit unused fields. They MUST
be initialized to zero.</t>
<t hangText="Route Lifetime">32-bit unsigned integer. The length
of time in seconds (relative to the time the packet is sent) that
the prefix is valid for route determination. A value of all one
bits (0xffffffff) represents infinity.</t>
<t hangText="Prefix"><vspace blankLines="1" />Variable-length
field containing an IP prefix. The Prefix Length field contains
the number of valid leading bits in the prefix. The bits in the
prefix after the prefix length (if any) are reserved and MUST be
initialized to zero.</t>
</list></t>
</section>
<?rfc needLines="10"?>
<section title="Delegated-IPv6-Prefix-Pool">
<t>This Attribute contains the name of an assigned pool that SHOULD be
used to select an IPv6 delegated prefix for the user. If a NAS does
not support multiple prefix pools, the NAS MUST ignore this
Attribute.</t>
<t>A summary of the Delegated-IPv6-Prefix-Pool Attribute format is
shown below. The fields are transmitted from left to right.</t>
<figure>
<artwork><![CDATA[ 0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure>
<t><list style="hanging">
<t hangText="Type"><vspace blankLines="1" /> TBA4 for
Delegated-IPv6-Prefix-Pool</t>
<t hangText="Length"><vspace blankLines="1" /> Length in bytes. At
least 4.</t>
<t hangText="String"><vspace blankLines="1" /> The string field
contains the name of an assigned IPv6 prefix pool configured on
the NAS. The field is not NULL (hex 00) terminated.</t>
</list></t>
</section>
<section title="Stateful-IPv6-Address-Pool">
<t>This Attribute contains the name of an assigned pool that SHOULD be
used to select an IPv6 address for the user. If a NAS does not support
address pools, the NAS MUST ignore this Attribute. A summary of the
Stateful-IPv6-Address-Pool Attribute format is shown below. The fields
are transmitted from left to right.</t>
<t><figure>
<artwork><![CDATA[ 0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure></t>
<t><list style="hanging">
<t hangText="Type"><vspace blankLines="1" /> TBA5 for
Stateful-IPv6-Address-Pool</t>
<t hangText="Length"><vspace blankLines="1" /> Length in bytes. At
least 4.</t>
<t hangText="String"><vspace blankLines="1" />The string field
contains the name of an assigned IPv6 stateful address pool
configured on the NAS. The field is not NULL (hex 00)
terminated.</t>
</list></t>
</section>
<section title="Table of attributes">
<t>The following table provides a guide to which attributes may be
found in which kinds of packets, and in what quantity.</t>
<t><figure>
<artwork align="left"><![CDATA[
Request Accept Reject Challenge Accounting # Attribute
Request
0+ 0+ 0 0 0+ TBA1 Framed-IPv6-Address
0+ 0+ 0 0 0+ TBA2 DNS-Server-IPv6-Address
0 0+ 0 0 0+ TBA3 Route-IPv6-Information
0 0-1 0 0 0-1 TBA4 Delegated-IPv6-Prefix-Pool
0 0-1 0 0 0-1 TBA5 Stateful-IPv6-Address-Pool
]]></artwork>
</figure></t>
</section>
</section>
<section title="Diameter Considerations">
<t>Given that the Attributes defined in this document are allocated from
the standard RADIUS type space (see <xref target="IANA"></xref>), no
special handling is required by Diameter entities.</t>
</section>
<section title="Security Considerations">
<t>This document describes the use of RADIUS for the purposes of
authentication, authorization and accounting in IPv6-enabled networks.
In such networks, the RADIUS protocol may run either over IPv4 or over
IPv6. Known security vulnerabilities of the RADIUS protocol apply to the
attributes defined in this document. Since IPSEC is natively defined for
IPv6, it is expected that running RADIUS implementations supporting IPv6
may want to run over IPSEC. Where RADIUS is run over IPSEC and where
certificates are used for authentication, it may be desirable to avoid
management of RADIUS shared secrets, so as to leverage the improved
scalability of public key infrastructure.</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This document requires the assignment of three new RADIUS Attribute
Types in the "Radius Types" registry (currently located at
http://www.iana.org/assignments/radius-types for the following
attributes: <list style="symbols">
<t>Framed-IPv6-Address</t>
<t>DNS-Server-IPv6-Address</t>
<t>Route-IPv6-Information</t>
<t>Delegated-IPv6-Prefix-Pool</t>
<t>Stateful-IPv6-Address-Pool</t>
</list></t>
</section>
<section title="Acknowledgements">
<t>The authors would like to thank Bernard Aboba, Roberta Maglione,
Alfred Hines, Alan DeKok, Peter Deacon, and Mark Smith for their help
and comments in reviewing this document.</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc4862;
</references>
<references title="Informative References">
&rfc3162;
&rfc3315;
&rfc3633;
<reference anchor="RFC3646">
<front>
<title></title>
<author>
<organization></organization>
</author>
<date />
</front>
</reference>
&rfc4191;
&rfc4818;
&rfc4861;
&rfc5006;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 02:56:31 |