V6ops WG Jie. Hu, Ed. Internet-Draft Yulong. Ouyang Intended status: Standards Track Qian. Wang Expires: September 16, 2011 China Telecom Jacni. Qin, Ed. ZTE March 15, 2011 RADIUS issues in IPv6 deployments draft-hu-v6ops-radius-issues-ipv6-01 Abstract This document discusses the issues encountered when using RADIUS for AAA in IPv6 deployments. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 16, 2011. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Hu, et al. Expires September 16, 2011 [Page 1] Internet-Draft RADIUS issues in IPv6 deployments March 2011 This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Issue 1: Identifying users of different protocols . . . . . 3 2.2. Issue 2: Network or Host on Customer Premises? . . . . . . 4 2.3. Issue 3: Protocol Specific Accounting . . . . . . . . . . . 4 3. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 6.1. Normative References . . . . . . . . . . . . . . . . . . . 6 6.2. Informative References . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 Hu, et al. Expires September 16, 2011 [Page 2] Internet-Draft RADIUS issues in IPv6 deployments March 2011 1. Introduction RADIUS is a protocol that provides centralized authentication, authorization and accounting management for users to connect network services. In current practical broadband networks, RADIUS is widely used by ISPs for AAA when provisioning Framed Services (e.g. PPPoE) to subscribers. The RADIUS protocol has currently been specified to support both IPv4 and IPv6. Attributes are defined in [RFC3162], [RFC4818], [I-D.ietf-radext-ipv6-access] for IPv6 network access. While, there are still some issues encountered. This document discusses these issues learnt from the IPv6 deployments and the possible solutions. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Problem Statement 2.1. Issue 1: Identifying users of different protocols In the deployment model of centralized AAA and network configuration assignment, A NAS does not know a-priori whether the user will be using IPv4, IPv6, or both. For example, after RADIUS authentication and authorization has completed, the address assignment occurs accordingly based on the attributes received (IPv4 related, IPv6 related, or both) within the RADIUS message, since there have been attributes defined to convey configuration information for users of different protocols (e.g., IPv4, IPv6, and others). For the sake of efficiency and reliability, in many designs, the network configuration assignments are distributed and fully controlled on the NASes which behave as RADIUS client and work with the RADIUS server only for the centralized AAA of users. In this case where the configuration information assignments of different network protocols are managed by NAS but not along with the centralized authentication and authorization by RADIUS server, a means is needed to notify NAS the categories of users according to the result of authentication and authorization (based on service contracts purchased by users, e.g., IPv4, IPv6 or dual-stack). The possible solution: Hu, et al. Expires September 16, 2011 [Page 3] Internet-Draft RADIUS issues in IPv6 deployments March 2011 Set some 'domains' of users (e.g., 'IPv4 domain', 'IPv6 domain', 'dual-stack domain') on NAS, each with different profiles ( configuration information of given protocols) configured, and require the users to enclose additional identification when sending request message for authentication and authorization, for example, an @domainX suffix added to its usename which can be used by NAS to classify the users locally before the AAA procedure. The trade-off is, this may affect the experience of existing users and cost much if significant changes have to be made. Or,a dedicated attribute could be defined for the explicit notification sent by RADIUS server to NAS according to the result of user authentication and authorization. 2.2. Issue 2: Network or Host on Customer Premises? In the provisioning mode where user's network is connected through a RG for example, a delegated prefix is needed to be assigned to the RG which behaves as the requesting router. Or in other provisioning mode, only a framed IPv6 address/prefix is needed to be assigned to the accessing host. If the assignment is centralized managed by the RADIUS server, the Delegated-IPv6-Prefix Attribute [RFC4818] or Frame-IPv6-Address/Prefix should be used accordingly to convey the information to authorized users. While if the configuration information assignment is managed by NAS, there needs a means for RADIUS server to notify NAS whether the user is authorized to be assigned a delegated prefix or just a framed IPv6 address /prefix to its NAS facing interface. The possible solution: Either to define a dedicated Attribute for the explicit notification, or to specify the rule of implementation of Attributes related, for example Frame-IPv6-Address/Prefix Attribute and Delegated-IPv6-Prefix Attribute with special value on RADIUS server for the notification to NAS as an instruction. 2.3. Issue 3: Protocol Specific Accounting Accounting operations and attributes are specified in [RFC2866] to collect statistics for all traffic (including IPv4, IPv6, and other protocols) over the access service (e.g., Framed). In current practice, generally it is simply treated as the statistics for IPv4 traffic. That workswell if only IPv4 connectivity is provided over given Framed service (e.g., PPPoE). While if IPv6 connectivity is provided as well, for example, there is no means by which the statistics for traffic of respective protocols can be collected. Hu, et al. Expires September 16, 2011 [Page 4] Internet-Draft RADIUS issues in IPv6 deployments March 2011 The possible solution: At lease two sets of attributes for protocol (IPv4, IPv6) specific accounting over Framed service (e.g, PPPoE) need to be defined. For example: * Acct-Framed-IPv4-Input-Octets * Acct-Framed-IPv4-Output-Octets * Acct-Framed-IPv4-Input-Packets * Acct-Framed-IPv4-Output-Packets * Acct-Framed-IPv4-Input-Gigawords * Acct-Framed-IPv4-Output-Gigawords * * Acct-Framed-IPv6-Input-Octets * Acct-Framed-IPv6-Output-Octets * Acct-Framed-IPv6-Input-Packets * Acct-Framed-IPv6-Output-Packets * Acct-Framed-IPv6-Input-Gigawords * Acct-Framed-IPv6-Output-Gigawords 3. Acknowledgements TBD 4. IANA Considerations TBD 5. Security Considerations TBD Hu, et al. Expires September 16, 2011 [Page 5] Internet-Draft RADIUS issues in IPv6 deployments March 2011 6. References 6.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. [RFC2867] Zorn, G., Aboba, B., and D. Mitton, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000. [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M., and I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June 2000. [RFC2869] Rigney, C., Willats, W., and P. Calhoun, "RADIUS Extensions", RFC 2869, June 2000. 6.2. Informative References [I-D.ietf-radext-ipv6-access] Lourdelet, B., Dec, W., Sarikaya, B., Zorn, G., and D. Miles, "RADIUS attributes for IPv6 Access Networks", draft-ietf-radext-ipv6-access-04 (work in progress), March 2011. [I-D.maglione-radext-ipv6-acct-extensions] Maglione, R., Krishnan, S., Kavanagh, A., Varga, B., and J. Kaippallimalil, "RADIUS Accounting Extensions for IPv6", draft-maglione-radext-ipv6-acct-extensions-01 (work in progress), March 2010. [RFC2882] Mitton, D., "Network Access Servers Requirements: Extended RADIUS Practices", RFC 2882, July 2000. [RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", RFC 3162, August 2001. [RFC4014] Droms, R. and J. Schnizlein, "Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option", RFC 4014, February 2005. Hu, et al. Expires September 16, 2011 [Page 6] Internet-Draft RADIUS issues in IPv6 deployments March 2011 [RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix Attribute", RFC 4818, April 2007. [RFC5080] Nelson, D. and A. DeKok, "Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes", RFC 5080, December 2007. Authors' Addresses Jie Hu (editor) China Telecom No.118, Xizhimennei Beijing, 100035 China Phone: +86 10 5855 2808 Email: huj@ctbri.com.cn Yulong Ouyang China Telecom No.359, WuYi Road Changsha, Hunan 410000 China Phone: +86 1375 506 9024 Email: oyyl191@gmail.com Qian Wang China Telecom No.118, Xizhimennei Beijing, 100035 China Phone: +86 10 5855 2177 Email: wangqian@ctbri.com.cn Jacni Qin (editor) ZTE Shanghai, China Phone: +86 1391 861 9913 Email: jacniq@gmail.com Hu, et al. Expires September 16, 2011 [Page 7]