Network Working Group                                           R. Penno
Internet-Draft                                            A. Albuquerque
Expires: June, 2001                                      Nortel Networks
                                                           January, 2001

User Identification on the Internet
draft-penno-uid-00.txt

Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as 'work in progress.'

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

With the advent of Content Delivery Networks and personalized services there is a need to uniquely identify a user in order to be able to offer customized services and content. Unfortunately, the IP Internet makes personalizing content and services difficult for the providers. With the virtualization of Web resources and the widespread use of proxies, an IP address no longer uniquely identifies a Web user or destination. So in order to uniquely identify a user, the service provider has to make the identification on the edge (or access) network, before the user loses his identity in the core of the network. We present here an overview of the techniques available on the different types of access networks.

Penno, et al.
[Page 1]

Internet-Draft draft-penno-uid-00.txt January, 2001

Specification of Requirements

The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this document, are to be interpreted as described in RFC 2119 [1].

Table of Contents

1.       Definitions ............................................ 3
2.       Subscriber Awareness ................................... 3
3.       Subscriber Awareness and Personalized Services ......... 3
4.       Guideline to this Document ............................. 4
5.       Digital Subscriber Line Access Networks ................ 4
5.1      User Identification .................................... 4
5.1.1    PPPoE .................................................. 4
5.1.2    PPPoA .................................................. 5
5.1.3    RFC 2684 ............................................... 6
5.1.3.1  ATM VCs ................................................ 6
5.1.3.2  IP Networks ............................................ 6
5.1.3.3  Source IP .............................................. 7
6.       Cable Modem Access Networks ............................ 7
6.1      User Identification .................................... 7
6.1.1    Source IP .............................................. 7
6.1.2    Web Login .............................................. 8
6.1.3    PPPoE .................................................. 9
7.       Dial-up Access Networks ............................... 10
7.1      PPP ................................................... 10
8.       References ............................................ 10
9.       Acknowledgments ....................................... 11
         Author's Addresses .................................... 11
         Full Copyright Statement .............................. 11

1. Definitions

User: A unique person that has access to the Internet or some other IP network.
One or more persons can be treated as a single subscriber.

Subscriber: A logical unit to which services are applied. It can be (but is not limited to) an ATM VC, an IP address or a PPP session. A subscriber can be composed of one or more users.

Subscriber Granularity: This is a measure of how accurate the user identification can be.

o If each subscriber corresponds to a unique user, we can say that this is the highest level of granularity the subscriber identification can reach.

o If each subscriber corresponds to a personal computer or any logical device that is shared by more than one person, we say that the network can provide a medium level of granularity of subscriber identification.

o If each subscriber corresponds to a logical connection or device that is shared by a company or corporation, we say that this is the lowest level of granularity of subscriber identification.

2. Subscriber Awareness

Today there is a new class of devices that sit on the edge of the network (between the access and the core) and represent the last point on a network where there is subscriber awareness. One should understand subscriber awareness as the capability to infer who the actual user on the network is, together with his profile.

Examples of the identity of the user are (but are not limited to): source IP address or name@domain (PPPoE based) for cable users, ATM VC or name@domain (PPPoE or PPPoA based) for DSL users, name@domain (PPP based) for dial-up subscribers, and DS0 channels or an IP network for leased line users.

3. Subscriber Awareness and Personalized Services

Personalization of Web content is one of the fastest-growing segments of the Internet economy. Because it can help in reducing information overload and give users a more customized experience when accessing content, personalization has spawned a multimillion-dollar industry.
But to offer these customized services it is imperative to know who the actual user accessing a specific piece of content is, and this is where the edge device comes into play. Since these devices (to some extent) know exactly who the user is, they can control the access of these subscribers to the network, offer personalized services on a per-user basis, and propagate this information to other devices in the network to ensure a customized experience end-to-end.

4. Guideline to this Document

This document discusses what granularity of subscriber identification is possible on several types of access methods and architectures, their limitations, and what can be done in some scenarios to improve the granularity.

5. Digital Subscriber Line Access Networks

Digital Subscriber Line (DSL) is a technology used to supply high-bandwidth connectivity over ordinary copper telephone lines. xDSL represents the family of digital subscriber line technologies, such as ADSL, HDSL and SDSL.

5.1 User Identification

5.1.1 PPPoE

In this model the access network must pass the packets transparently between the DSL modem and the edge device, since a layer 2 end-to-end session must be established between the user's personal computer and the edge device.

Layer 2 PPPoE [RFC2516] access via xDSL networks is quite similar to dial-up access, where in the dial-up model, the Remote Access Server (RAS) plays the part of physical access concentrator that the DSL Access Multiplexer (DSLAM) plays in xDSL networks. In either case an end-to-end PPP session is established, followed by authentication, user validation and IP address allocation for the duration of the call. The fundamental difference is that instead of using a traditional POTS dial-up mechanism, the user executes a PPPoE client on his machine, fills in the username and password fields and opens a session with his provider much faster.
In the PPPoE model it is possible to identify each user uniquely, because each user has his own unique username and password within the network. In this case, the subscriber from the edge device's standpoint is the established PPP session. Even when several users share the same computer, it is possible to identify each one as a different subscriber and apply personalized services, because they may use distinct usernames to connect to the network. Hence, we can say that this is the highest level of granularity the subscriber identification can reach.

[Figure: User A and User B PCs -> xDSL Modem -> Access Network -> DSLAM -> Edge Device; the "Subscriber" marker points at each user's PC, i.e. its own PPP session.]

5.1.2 PPPoA

In this model the access network must pass the packets transparently between the DSL modem and the edge device, since a layer 2 end-to-end session must be established between the user and the edge device.

Layer 2 PPPoA access via xDSL networks is similar to the PPPoE model mentioned above. The main difference is that PPPoA does not use Ethernet as transport; ATM is used instead. From an xDSL standpoint, where ATM is used by definition, this means less overhead.

The concept of what a user is in the PPPoA model is slightly different from the PPPoE model explained above. The PPP session is still used, but it can be established either from the user's personal computer or from the xDSL modem. When the PPPoA session is established from the user's personal computer there is no difference in terms of subscriber identification granularity between this and the PPPoE model explained above.
On the other hand, if the PPPoA session is established from the xDSL modem, it becomes more difficult to identify who the actual user is, because:

o From the edge device's point of view the subscriber is the xDSL modem (actually the PPPoA session established from the xDSL modem).

o There can be several users behind an xDSL modem.

o The username and password supplied by the xDSL modem to establish the PPPoA session are the same for every user behind it.

The PPPoA session from the modem can usually be reestablished with different usernames and passwords but, from the edge device's standpoint, the subscriber granularity remains the same: the entire network behind the PPPoA modem.

[Figure: User A and User B PCs -> xDSL Modem -> Access Network -> DSLAM -> Edge Device; the "Subscriber" marker points at the xDSL modem, i.e. the single PPPoA session it establishes.]

5.1.3 RFC 2684

The RFC 2684 specification is used in ATM networks to carry multiprotocol traffic among hosts, routers and bridges which are ATM systems. xDSL modem vendors may implement RFC 2684 in bridge or router mode. When bridge mode is used, the best choice is to use PPP over Ethernet or PPP over ATM as transport in order to have the highest granularity level. On the other hand, when router mode is used, a layer 2 protocol cannot be used. In that case, we may have three ways of identifying the subscribers: ATM VCs, IP networks or a source IP.

5.1.3.1 ATM VCs

In the ATM VC model, the edge device treats a PVC, SVC or SPVC as a single subscriber and applies personalized services to it. This is the lowest level of granularity reached in an RFC 2684 model: the entire data "pipe" is treated as a single entity, the subscriber.
[Figure: User A and User B PCs -> xDSL Modem -> Access Network -> DSLAM -> Edge Device; the "Subscriber" marker points at the ATM VC carrying all traffic from the xDSL modem.]

5.1.3.2 IP Networks

In the IP Networks model, the edge device recognizes an entire IP network, identified by an IP address/netmask or a range of IPs, as a single subscriber and applies personalized services to it. Several IP networks can be placed behind the xDSL modem and be recognized as different subscribers. This still represents the lowest level of granularity, although it is higher than that of ATM VCs.

[Figure: two groups of PCs behind one xDSL Modem -> Access Network -> DSLAM -> Edge Device; each group of PCs (an IP network) is labelled Subscriber A and Subscriber B respectively.]

5.1.3.3 Source IP

In the Source IP model, the edge device recognizes the source IP address as the subscriber to which all the personalized services will be applied. Several users can share the same logical device in this model; hence, we can say that this model provides a medium level of granularity.

[Figure: User A and User B PCs -> xDSL Modem -> Access Network -> DSLAM -> Edge Device; the "Subscriber" marker points at each PC, i.e. its source IP address.]

6. Cable Modem Access Networks

Cable modem access is a technology to provide high speed Internet access over the Cable TV infrastructure.

6.1 User Identification

6.1.1 Source IP

In the source IP model there is no session between the subscriber's PC and the edge device. In this case, the subscriber from the edge device's point of view is the IP address of the user's personal computer (see figure below).
If there are several personal computers behind a cable modem, the edge can identify each one as a different subscriber and apply personalized services based on their respective IP addresses. We can say that this model provides a medium level of granularity.

[Figure: User A and User B PCs -> Cable Modem -> Access Network -> CMTS -> Edge Device; the "Subscriber" marker points at each PC, i.e. its IP address.]

The latter solution also has a drawback when N:M NAT is used or when several users share the same personal computer.

The drawback when N:M NAT is used is straightforward. Since there is a device translating several source IP addresses into some other subset, this implies a loss of granularity in the identification of the actual user.

In the case where several users share the same personal computer, there is no way to differentiate when a particular user stopped using it and a new one started, since session-like parameters are not present.

6.1.2 Web Login

One solution to the problem depicted above (the shared PC problem) would be the use of some web login method (similar to the web mail used today). For instance, let's suppose that users A and B share a personal computer which currently has IP address X.Y.Z. When user A sits at the shared personal computer, he has to go to a specific web page and enter his username and password, which would be passed to the edge device, allowing it to accurately identify the subscriber through a (username A <-> IP address X.Y.Z) binding. This binding would last until:

o User B starts using the shared personal computer.
He has to go to the web login page and enter his own username and password, which would create a new binding (username B <-> IP address X.Y.Z).

o Another personal computer gets IP address X.Y.Z through normal DHCP processes.

o An idle timeout, web login timeout or DHCP timeout expires, which makes the user go to the web login page and enter his username and password again.

In the cases where there is no web login, the start of the session would be when the first packet with a specific source IP address reaches the edge device. The end of the session would be based on some idle or policy timeout.

It is worth saying that the web login method discussed in this section also applies to xDSL networks, to enhance the granularity level when identifying subscribers by IP prefixes or ATM VCs.

6.1.3 PPPoE

In this model the access network must pass the packets transparently between the cable modem and the edge device, since a layer 2 end-to-end session must be established between the user and the edge device.

Layer 2 PPPoE [RFC2516] access via cable TV networks is very similar to dial-up access, where in the dial-up model, the Remote Access Server (RAS) plays the part of physical access concentrator that the Cable Modem Termination System (CMTS) plays in cable networks. In either case an end-to-end PPP session is established, followed by authentication, user validation and IP address allocation for the duration of the call. The fundamental difference is that instead of using a traditional POTS dial-up mechanism, the user executes a PPPoE client on his machine, fills in the username and password fields and opens a session with his provider much faster.

In the PPPoE model it is possible to identify each subscriber, one by one, because each subscriber has his own unique username and password within the network. In this case, the subscriber from the edge device's standpoint is the established PPP session.
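The source IP session start/stop of section 6.1.1 and the web login binding rules of section 6.1.2 (a second login from the same PC replaces the binding, a DHCP reassignment drops it, idle and login timeouts expire it), worked through as an added example that is not part of this draft; the edge device, its inputs and every name used are assumptions.

```python
# Added example, not from the draft: a minimal binding table as a hypothetical
# edge device in the Source IP and Web Login models (sections 6.1.1 and 6.1.2)
# might keep it. Assumed inputs: each subscriber packet's source IP, web-login
# results as (username, IP) pairs, and DHCP leases as (IP, MAC) pairs.
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Binding:
    ip: str
    mac: Optional[str] = None         # DHCP client currently holding the address
    username: Optional[str] = None    # set only after a successful web login
    started: float = 0.0              # first packet seen: session start (6.1.1)
    last_seen: float = 0.0            # last packet seen: drives the idle timeout
    login_at: Optional[float] = None  # when the username<->IP binding was made

class EdgeBindingTable:
    def __init__(self, idle_timeout: float, login_timeout: float) -> None:
        self.idle_timeout = idle_timeout
        self.login_timeout = login_timeout
        self.bindings: Dict[str, Binding] = {}

    def packet_seen(self, ip: str, now: float) -> Optional[str]:
        """Per-packet hook: the first packet from an IP starts its session."""
        self._expire(ip, now)
        b = self.bindings.get(ip)
        if b is None:
            b = self.bindings[ip] = Binding(ip=ip, started=now)
        b.last_seen = now
        return self.subscriber(ip)

    def web_login(self, ip: str, username: str, now: float) -> None:
        """A web login creates the (username <-> IP) binding; a second user
        logging in from the same shared PC simply replaces the first."""
        b = self.bindings.setdefault(ip, Binding(ip=ip, started=now))
        b.username, b.login_at, b.last_seen = username, now, now

    def dhcp_lease(self, ip: str, mac: str, now: float) -> None:
        """Another PC obtaining the address via DHCP drops the old binding;
        the same PC renewing its lease keeps it."""
        b = self.bindings.get(ip)
        if b is not None and b.mac is not None and b.mac != mac:
            del self.bindings[ip]
        self.bindings.setdefault(ip, Binding(ip=ip, started=now)).mac = mac

    def _expire(self, ip: str, now: float) -> None:
        b = self.bindings.get(ip)
        if b is None:
            return
        if now - b.last_seen > self.idle_timeout:
            del self.bindings[ip]                # idle: the whole session ends
        elif b.login_at is not None and now - b.login_at > self.login_timeout:
            b.username, b.login_at = None, None  # login expired: IP only again

    def subscriber(self, ip: str) -> Optional[str]:
        """Identity the edge applies services to: the username if bound, else
        the bare source IP (medium granularity); None when no session exists."""
        b = self.bindings.get(ip)
        if b is None:
            return None
        return b.username if b.username is not None else ip
```

Note that an N:M NAT in front of the cable modem still collapses every user behind it onto the same source IP, so the table cannot recover the granularity lost there; it only fixes the shared-PC case the section describes.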
Even when several users share the same computer, it is possible to identify each one as a different subscriber and apply personalized services, because they may use distinct usernames to connect to the network. Hence, we can say that this is the highest level of granularity the subscriber identification can reach.

[Figure: User A and User B PCs -> Cable Modem -> Access Network -> CMTS -> Edge Device; the "Subscriber" marker points at each user's PC, i.e. its own PPP session.]

7. Dial-up Access Networks

Dial-up access to the network has traditionally been used for years, using the Plain Old Telephony System (POTS) to carry the data from the user's modem to the Remote Access Server (RAS), the device which acts as a physical access concentrator.

7.1 PPP

The Point-to-Point Protocol (PPP), as defined by RFC 1661, provides a standard method for transporting multi-protocol datagrams over point-to-point links. In the PPP model, each user has his own login and password within the network, making the unique identification of each user possible. In this case, the subscriber from the edge device's standpoint is the established PPP session. Even when several users share the same computer, personalized services can be applied, because each subscriber can use his own username and password in order to gain access to the network. Hence, this is the highest level of granularity the subscriber identification can achieve.

Sometimes, in order to apply personalized services in a more cost-effective manner, the aggregation of a larger number of subscribers is needed. In order to achieve this, it is possible to extend the termination of a PPP session by encapsulating it into an L2TP tunnel to an Edge Device.
Using L2TP, it is possible to extend the recognition of a user from a RAS (the L2TP tunnel initiator, the LAC) to an Edge Device capable of supplying value added services to the subscriber (the Edge Device acts as the L2TP tunnel terminator, the LNS).

[Figure: User A and User B PCs -> Dial-up Modem -> POTS -> RAS -> L2TP -> Edge Device; the "Subscriber" marker points at the PPP session carried from the RAS to the Edge Device over L2TP.]

8. References

[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[2] Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996.

[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

9. Acknowledgments

To be provided.

Author's Addresses

Reinaldo Penno
Nortel Networks, Inc.
2305 Mission College Boulevard
Building SC9
Santa Clara, CA 95134
Email: rpenno@tnortelnetworks.com

Andre Gustavo de Albuquerque
Nortel Networks, Inc.
Av. Lauro Muller, 116 Room 605
Rio de Janeiro, Brazil
Email: gustavoa@nortelnetworks.com

Full Copyright Statement

Copyright (C) The Internet Society (2000). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.
However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC editor function is currently provided by the Internet Society.