pcp R. Maglione Internet-Draft Telecom Italia Intended status: Standards Track D. Cheng Expires: December 10, 2011 Huawei Technologies June 8, 2011 RADIUS Extensions for Port Control Protocol draft-maglione-pcp-radius-ext-01 Abstract Port Control Protocol (PCP) provides a mechanism to pre-configure a port on a NAT device, a firewall, etc., so that IP packets of applications initiated from network side can be "port forwarded" to the correct user. PCP is a client-server protocol and the PCP client needs to be provisioned with the FQDN of the server. In a broadband network, customer information is usually stored on a RADIUS server and DHC protocol is used to populate user's configuration information. This memo proposes a new RADIUS attribute to carry the FQDN of a PCP server, such that while the PCP server information is configured on a RADIUS server, the information can be conveyed to NAS via RADIUS protocol, and the co-located DHCP/DHCPv6 server can then populate the information to PCP client. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on December 10, 2011. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Maglione & Cheng Expires December 10, 2011 [Page 1] Internet-Draft PCP RADIUS Extensions June 2011 Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Maglione & Cheng Expires December 10, 2011 [Page 2] Internet-Draft PCP RADIUS Extensions June 2011 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. PCP Server Configuration using RADIUS and DHCP/DHCPv6 . . . . 5 4. RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . 8 5. Table of attributes . . . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 8. Normative References . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 Maglione & Cheng Expires December 10, 2011 [Page 3] Internet-Draft PCP RADIUS Extensions June 2011 1. Introduction Port Control Protocol (PCP) [I-D.ietf-pcp-base] provides a mechanism to control how incoming packets are forwarded by upstream devices such as NATs and firewalls. PCP is a client-server protocol where a PCP client may reside on a host, a CPE, etc., which communicates with a PCP server that may reside anywhere in a network. A PCP client must know the Fully Qualified Domain Name of a PCP server, before it can communicate with the later in order to perform the relevant functions defined by PCP. The draft [I-D.bpw-pcp-dhcp] defines DHCPv6 and DHCP options which are meant to be used by a PCP client to discover a PCP server name. However, provisioning for name of the PCP server is required on a DHCP/DHCPv6 server before it can populate these information. Auto-configuration on a DHCP/DHCPv6 is possible in a broadband network, where typically, user profile is maintained on a RADIUS server and RADIUS protocol [RFC2865] is used to convey user related information to other network elements including a host and CPE. [I-D.ietf-radext-ipv6-access] describes a typical broadband network scenario in which the Network Access Server (NAS) acts as the access gateway for the users (hosts or CPEs) and the NAS embeds a DHCPv6 Server function that allows it to locally handle any DHCPv6 requests issued by the clients. In such environment, PCP server's name can be configured on a RADIUS server, which then passes the information to a NAS that co-locates with the DHCP/DHCPv6 server, which in turn populates the location of the PCP server. This memo defines a new RADIUS attribute that can be used to carry the FQDN of a PCP server. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. The following terms are defined in [I-D.ietf-pcp-base]: - Port forwarding - PCP Maglione & Cheng Expires December 10, 2011 [Page 4] Internet-Draft PCP RADIUS Extensions June 2011 - PCP client - PCP Server 3. PCP Server Configuration using RADIUS and DHCP/DHCPv6 Figure 1 illustrates how RADIUS protocol works together with DHCPv6, to allow a user (host or CPE) to learn automatically the FQDN of a PCP server in case of a PPP Session that carries IPv6 traffic. The Network Access Server (NAS) operates as a client of RADIUS and as DHCPv6 Server for DHCPv6 protocol. The NAS initially sends a RADIUS Access Request message to the RADIUS server, requesting authentication. Once the RADIUS server receives the request, it validates the sending client and if the request is approved, the RADIUS server replies with an Access Accept message including a list of attribute-value pairs that describe the parameters to be used for this session. This list may also contain the name of a PCP server. When the NAS receives a DHCPv6 message containing the PCP Server Option, the NAS shall use the name returned in the RADIUS attribute as defined in this memo to populate the DHCPv6 PCP Server option defined in [I-D.bpw-pcp-dhcp] Maglione & Cheng Expires December 10, 2011 [Page 5] Internet-Draft PCP RADIUS Extensions June 2011 PCP NAS AAA Client | Server | | | |----PPP LCP Config Request------> | | | | | | |----Access-Request ---->| | | | | |<-Access-Accept---------| | | (PCP-server-name) | |<-----PPP LCP Config ACK ----- | | | | | | | | |------ PPP IPv6CP Config Req ---->| | | | | |<----- PPP IPv6CP Config ACK -----| | | | | |------- DHCPv6 Solicit -------->| | | | | |<-------DHCPv6 Advertisement------| | | (PCP server FQDN DHCPv6 Option) | | | | | |------- DHCPv6 Request -------->| | | (PCP server FQDN DHCPv6 Option) | | | | | |<-------- DHCPv6 Reply --------- | | | (PCP server FQDN DHCPv6 Option) | | | | | DHCPv6 RADIUS Figure 1: RADIUS and DHCPv6 Message Flow for a PPP Session The Figure 2 illustrates how the RADIUS protocol and DHCPv6 work together to accomplish PCP client configuration when an IP Session is used to provide connectivity to the user. The only difference between this message flow and previous one is that in this scenario the interaction between NAS and AAA/ RADIUS Server is triggered by the DHCPv6 Solicit message received by the NAS from the B4 acting as DHCPv6 client, while in case of a PPP Session the trigger is the PPP LCP Config Request message received by the NAS. Maglione & Cheng Expires December 10, 2011 [Page 6] Internet-Draft PCP RADIUS Extensions June 2011 PC NAS AAA Client | Server | | | |------ DHCPv6 Solicit ---------> | | | | | | |----Access-Request ---->| | | | | |<-Access-Accept---------| | | (PCP-server-name) | | | | |<-------DHCPv6 Advertisement------| | | (PCP server FQDN DHCPv6 Option) | | | | | |------- DHCPv6 Request -------->| | | (PCP server FQDN DHCPv6 Option) | | | | | | <-------- DHCPv6 Reply --------- | | | (PCP server FQDN DHCPv6 Option) | | DHCPv6 RADIUS Figure 2: RADIUS and DHCPv6 Message Flow for an IP Session A similar message flow also applies to the IPv4 scenario when an IP Session is used to provide connectivity to the user (Figure 3). PC NAS AAA Client | Server | | | |-------- DHCP Discovery --------> | | | | | | |----Access-Request ---->| | | | | |<-Access-Accept---------| | | (PCP-server-name) | | | | |<--------- DHCP Offer ------------| | | (PCP server FQDN Sub-Option) | | | | | |--------- DHCP Request -------->| | | (PCP server FQDN Sub-Option) | | | | | | <--------- DHCP Ack -------------| | | (PCP server FQDN Sub-Option) | | DHCPv4 RADIUS Figure 3: RADIUS and DHCPv4 Message Flow for an IP Session Maglione & Cheng Expires December 10, 2011 [Page 7] Internet-Draft PCP RADIUS Extensions June 2011 The scenario with PPP Session and IPv4 only connectivity does not require the DHCP protocol: the whole configuration of the client is performed by PPP. This case is out of scope of this document because in order to complete the configuration of the PCP client a new PPP IPC option would be required. 4. RADIUS Attribute A new RADIUS attribute, called PCP-Server-Name, along with its format is defined below. Description The PCP-server-name attribute contains a Fully Qualified Domain Name (FQDN) that refers to a PCP server the client requests to establish a connection to for PCP related service. The NAS shall use the name returned in the RADIUS PCP-server-name attribute to populate the PCP Server FQDN DHCP Sub-Option in IPv4 addressing context, or the PCP Server FQDN DHCPv6 Option in IPv6 addressing context, as determined by the DHCP server [I-D.bpw-pcp-dhcp] The PCP-server-name attribute MAY appear in an Access-Accept packet, and may also appear in an Accounting-Request packet. In either case, the attribute MUST NOT appear more than once in a single packet. The PCP-server-name MUST NOT appear in any other RADIUS packets. A summary of the PCP-Server-Name RADIUS attribute format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | PCP-Server-Name (FQDN) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | PCP-Server-Name (FQDN) (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type: TBA1 for PCP-Server-Name. Length: This field indicates the total length in octets of this attribute including the Type, the Length fields and the length in octets of the PCP-Server-Name field PCP-Server-Name: Maglione & Cheng Expires December 10, 2011 [Page 8] Internet-Draft PCP RADIUS Extensions June 2011 A single Fully Qualified Domain Name of the PCP-Server. The domain name is encoded as specified in [RFC1035] 5. Table of attributes The following table provides a guide to which attributes may be found in which kinds of packets, and in what quantity. Request Accept Reject Challenge Accounting # Attribute Request 0-1 0-1 0 0 0-1 TBA1 PCP-Server-Name The following table defines the meaning of the above table entries. 0 This attribute MUST NOT be present in packet. 0+ Zero or more instances of this attribute MAY be present in packet. 0-1 Zero or one instance of this attribute MAY be present in packet. 6. Security Considerations This document has no additional security considerations beyond those already identified in [RFC2865]. 7. IANA Considerations This document requests the allocation of a new Radius attribute types from the IANA registry "Radius Attribute Types" located at http://www.iana.org/assignments/radius-types PCP-Server-Name - TBA1 8. Normative References [I-D.bpw-pcp-dhcp] Boucadair, M., Penno, R., and D. Wing, "DHCP and DHCPv6 Options for the Port Control Protocol (PCP)", draft-bpw-pcp-dhcp-04 (work in progress), April 2011. [I-D.ietf-pcp-base] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P. Selkirk, "Port Control Protocol (PCP)", draft-ietf-pcp-base-12 (work in progress), May 2011. Maglione & Cheng Expires December 10, 2011 [Page 9] Internet-Draft PCP RADIUS Extensions June 2011 [I-D.ietf-radext-ipv6-access] Lourdelet, B., Dec, W., Sarikaya, B., Zorn, G., and D. Miles, "RADIUS attributes for IPv6 Access Networks", draft-ietf-radext-ipv6-access-04 (work in progress), March 2011. [RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. Authors' Addresses Roberta Maglione Telecom Italia Via Reiss Romoli 274 Torino 10148 Italy Phone: Email: roberta.maglione@telecomitalia.it Dean Cheng Huawei Technologies 2330 Central Expressway Santa Clara, CA 95050 USA Phone: +1 408 330 4754 Fax: Email: Chengd@huawei.com URI: Maglione & Cheng Expires December 10, 2011 [Page 10]