Network Working Group                                          R. Penno
Internet-Draft                                           A. Albuquerque 
Expires: December 2001                                  Nortel Networks
                                                             June, 2001 

                                                                                                                                                                                       
                                                          
                                                          


                   User Identification on the Internet
                          draft-penno-uid-02.txt

Status of this Memo


   This document is an Internet-Draft and is in full conformance with 
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF), its areas, and its working groups. Note that 
   other groups may also distribute working documents as Internet-
   Drafts. Internet-Drafts are draft documents valid for a maximum 
   of six months and may be updated, replaced, or obsoleted by other 
   documents at any time. It is inappropriate to use Internet-Drafts 
   as reference material or to cite them other than as 'work in 
   progress.' The list of current Internet-Drafts can be accessed at 
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at 
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

   With the advent of Content Delivery Networks and personalized
   services there is a need to uniquely identify a user in order to
   be able to offer customized services and content. Unfortunately,
   the IP Internet makes personalizing content and services
   difficult for the providers.

   With the virtualization of Web resources and the widespread use of
   Proxies and NAT devices, an IP address no longer uniquely identifies
   a Web user or destination.

   So in order to uniquely identify a user, the service provider has to
   make the identification on the edge (or access) network, before the
   user loses his identity in the core of the network. We present
   here an overview of the techniques available on the different
   types of access networks.


Penno, et al.                                                  [Page 1]


Internet-Draft           draft-penno-uid-02.txt               May, 2001



Specification of Requirements

   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
   document, are to be interpreted as described in RFC 2119 [1].

 
Table of Contents

   1.      Definitions
   2.      Subscriber Awareness
   3.      Subscriber Awareness and Personalized Services
   4.      Guideline to this Document
   5.      Digital Subscriber Line Access Networks
   5.1     User Identification
   5.1.1   PPPoE
   5.1.2   PPPoA
   5.1.3   RFC 2684
   5.1.3.1 ATM VCs
   5.1.3.2 IP Networks
   5.1.3.3 Source IP
   6.      Cable Modem Access Networks
   6.1     User Identification
   6.1.1   Source IP
   6.1.2   Web Login
   6.1.3   PPPoE
   7.      Dial-up Access Networks
   7.1     PPP
   8.      Leased Line
   9.      Ethernet Networks [TBD]
   9.1     MAC Address
   9.2     802.1Q
   10.     Wireless Networks
   11.     References
   12.     Acknowledgments
           Author's Addresses
           Full Copyright Statement

1. Definitions

   User: A unique person that has access to the Internet or some other
   IP network. One or more persons can be treated as a single
   subscriber.

   Subscriber: A logical unit to which services are applied. It can
   be (but is not limited to) an ATM VC, an IP address or a PPP
   session. A subscriber can be composed of one or more users.

   Subscriber Granularity: This is a measure of how accurately the
   user can be identified.

       o If each subscriber corresponds to a unique user, this is the
       highest level of granularity the subscriber identification can
       reach.

       o If each subscriber corresponds to a personal computer or any
       logical device that is shared by more than one person, the
       network provides a medium level of granularity of subscriber
       identification.

       o If each subscriber corresponds to a logical connection or
       device that is shared by a company or corporation, this is the
       lowest level of granularity of subscriber identification.

   

2. Subscriber Awareness

   Today there is a new class of devices that sit on the edge of the
   network (between the access and the core) and represent the last
   point in the network at which there is subscriber awareness.
   Subscriber awareness should be understood as the capability to
   infer who the actual user on the network is, and his profile.

   Examples of the identity of the user are (but are not limited to):
   source IP address or name@domain (PPPoE based) for cable users, ATM
   VC or name@domain (PPPoE or PPPoA based) for DSL users, name@domain
   (PPP based) for dial-up subscribers, and DS0 channels or an IP
   network for leased line users.

3. Subscriber Awareness and Personalized Services

   Personalization of Web content is one of the fastest-growing
   segments of the Internet economy. Because it can help in reducing
   information overload and give users a more customized experience
   when accessing content, personalization has spawned a
   multimillion-dollar industry.


   But to offer these customized services it is imperative to know who
   the actual user accessing a specific piece of content is, and this
   is where the edge device comes into play.

   Since these devices (to some extent) know exactly who the user is,
   they can control the access of these subscribers to the network,
   offer personalized services on a per-user basis, and propagate this
   information to other devices in the network to ensure a customized
   experience end-to-end.

   Unfortunately the widespread use of Proxies and NAT devices breaks
   Internet transparency, making user identification sometimes
   extremely difficult. This problem was discussed in [RFC 2775].

4. Guideline to this Document

   This document acknowledges the problems first laid out in [RFC 2775]
   and discusses what granularity of subscriber identification is
   possible on several types of access methods and architectures, their
   limitations, and what can be done in some scenarios to improve the
   granularity.

5. Digital Subscriber Line Access Networks

   Digital Subscriber Line (DSL) is a technology used to supply 
   high-bandwidth connectivity over ordinary copper telephone lines. 
   xDSL represents the family of digital subscriber line technologies, 
   such as ADSL, HDSL and SDSL.

5.1 User Identification

5.1.1 PPPoE
   
   In this model the access network must pass the packets transparently
   between the DSL modem and the edge device, since a layer 2 end-to-
   end session must be established between the user's personal computer
   and the edge device. Layer 2 PPPoE [RFC2516] access via xDSL
   networks is quite similar to dial-up access: in the dial-up model,
   the Remote Access Server (RAS) plays the part of physical access
   concentrator that the DSL Access Multiplexer (DSLAM) plays in xDSL
   networks. In either case an end-to-end PPP session is established,
   followed by authentication, user validation and IP address
   allocation for the duration of the call. The fundamental difference
   is that instead of using a traditional POTS dial-up mechanism, the
   user runs a PPPoE client on his machine, fills in the username and
   password fields and opens a session with his provider much faster.

   In the PPPoE model it is possible to identify each user uniquely,
   because each user has his own unique username and password within
   the network. In this case, the subscriber from the edge device's
   standpoint is the established PPP session. Even when several users
   share the same computer, it is possible to identify each one as a
   different subscriber and apply personalized services, because they
   can use distinct usernames to connect to the network. Hence, this is
   the highest level of granularity the subscriber identification can
   reach.



     User A                                            
         \                                  
          \->|----|                                       
             | PC |\  |------|            |------|       |------------|
          /->|----| \-|xDSL  |            |      |       |Edge Device | 
         /            |Modem |-->Access-->|DSLAM |------>|            |
     User B  |----| /-|------|   Network  |      |       |------------|
       ^     | PC |/                      |------|         
       |     |----|                                       
   Subscriber


5.1.2 PPPoA

   In this model the access network must pass the packets transparently
   between the DSL modem and the edge device, since a layer 2 end-to-end
   session must be established between the user and the edge device.
   Layer 2 PPPoA access via xDSL networks is similar to the PPPoE model
   described above. The main difference is that PPPoA does not use
   Ethernet as transport; ATM is used instead. From an xDSL standpoint,
   where ATM is used by definition, this means less overhead.

   The concept of what a user is in the PPPoA model is slightly
   different from the PPPoE model explained above. The PPP session is
   still used, but it can be established either from the user's personal
   computer or from the xDSL modem. When the PPPoA session is
   established from the user's personal computer there is no difference
   in subscriber identification granularity between this and the PPPoE
   model explained above.
   
   On the other hand, if the PPPoA session is established from the xDSL
   modem, identifying the actual user becomes harder because:

       o From the edge device's point of view the subscriber is the xDSL
       modem (actually the PPPoA session established from the xDSL
       modem).

       o There can be several users behind an xDSL modem.

       o The username and password supplied by the xDSL modem to
       establish the PPPoA session are the same for every user behind
       it.

   The PPPoA session from the modem can usually be re-established with
   different usernames and passwords but, from the edge device's
   standpoint, the subscriber granularity remains the same: the entire
   network behind the PPPoA modem.


     User A                                            
         \                                  
          \->|----|                                       
             | PC |\  |------|            |------|       |------------|
          /->|----| \-|xDSL  |            |      |       |Edge Device | 
         /            |Modem |-->Access-->|DSLAM |------>|            |
     User B  |----| /-|------|   Network  |      |       |------------|
             | PC |/     ^                |------|         
             |----|      |                                 
                     Subscriber

5.1.3 RFC 2684
   
   RFC 2684 specifies how ATM networks carry multiprotocol traffic
   among hosts, routers and bridges that are ATM systems. xDSL modem
   vendors may implement RFC 2684 in bridge or router mode. When bridge
   mode is used, the best choice is to use PPP over Ethernet or PPP over
   ATM as transport in order to reach the highest granularity level. On
   the other hand, when router mode is used, a per-user Layer 2 session
   between the user's computer and the edge device cannot be used. In
   that case there are three ways of identifying the subscribers: ATM
   VCs, IP networks or a source IP.

5.1.3.1 ATM VCs

   In the ATM VC model, the edge device treats a PVC, SVC or SPVC as
   a single subscriber and applies personalized services to it. This is
   the lowest level of granularity reached in an RFC 2684 model: the
   entire data "pipe" is treated as a single entity, the subscriber.

     User A                                            
         \                                  
          \->|----|                                       
             | PC |\  |------|            |------|       |------------|
          /->|----| \-|xDSL  |            |      |       |Edge Device |
         /            |Modem |-->Access-->|DSLAM |------>|            |
     User B  |----| /-|------|   Network  |      |       |------------|
             | PC |/                      |------|         
             |----|                                       
                             ^
                             |
                         Subscriber

5.1.3.2 IP Networks

   In the IP Networks model, the edge device recognizes an entire IP
   network, identified by an IP address/netmask or a range of IPs, as
   a single subscriber and applies personalized services to it.
   Several IP networks can be placed behind the xDSL modem and be
   recognized as different subscribers. This also represents the lowest
   level of granularity, although it is finer than the ATM VC model.
   

                   |----|    
                /->| PC |\
   Subscriber A/   |----| \                                         
               \           |                       
                \->|----|   \                                     
                   | PC |\  |------|            |------|    |--------|
                   |----| \-|xDSL  |            |      |    |  Edge  |
                            |Modem |-->Access-->|DSLAM |--->| Device |
   Subscriber B\   |----| /-|------|   Network  |      |    |--------|
                \->| PC |/                      |------|         
                   |----|                                       

5.1.3.3 Source IP

   In the Source IP model, the edge device recognizes the source IP
   address as the subscriber to which all the personalized services
   will be applied. Several users can share the same logical device in
   this model, hence this model provides a medium level of granularity.

     User A                                            
         \                                  
          \->|----|                                       
             | PC |\  |------|            |------|       |------------|
          /->|----| \-|xDSL  |            |      |       |Edge Device |
         /            |Modem |-->Access-->|DSLAM |------>|            |
     User B  |----| /-|------|   Network  |      |       |------------|
             | PC |/                      |------|         
             |----|                                       
               ^
               |
            Subscriber
                 
6. Cable Modem Access Networks

   Cable modem access is a technology to provide high speed Internet
   access over the Cable TV infrastructure.

6.1 User Identification

6.1.1 Source IP

   In the source IP model there is no session between the subscriber's
   PC and the edge device. In this case, the subscriber from the edge
   device's point of view is the IP address of the user's personal
   computer (see figure below). If there are several personal computers
   behind a cable modem, the edge can identify each one as a different
   subscriber and apply personalized services based on their
   respective IP addresses. This model provides a medium level of
   granularity.


                                                 
     User A                                            
         \                                  
          \->|----|                                       
             | PC |\  |------|            |------|       |------------|
          /->|----| \-|Cable |            |      |       |Edge Device |
         /            |Modem |-->Access-->| CMTS |------>|            |
     User B  |----| /-|------|   Network  |      |       |------------|
             | PC |/                      |------|         
             |----|                                       
               ^
               |
            Subscriber
                 




   The source IP model also has a drawback when N:M NAT is used or when
   several users share the same personal computer. The drawback when
   N:M NAT is used is straightforward: since there is a device
   translating several source IP addresses into some other, smaller set
   of addresses, there is a loss of granularity in the identification
   of the actual user.

   In the case where several users share the same personal computer,
   there is no way to tell when one user stopped using the computer and
   another started, since no session-like parameters are present.

6.1.2 Web Login

   One solution to the problem depicted above (the shared PC problem)
   would be the use of some web login method (similar to the web mail
   used today). For instance, suppose that users A and B share a
   personal computer which currently has IP address X.Y.Z. When user A
   sits down at the shared personal computer, he has to go to a specific
   web page and enter his username and password, which would be passed
   to the edge device, allowing it to accurately identify the subscriber
   through a (username A <-> IP address X.Y.Z) binding. This binding
   would last until:

       o User B starts using the shared personal computer. He has to go
       to the web login page and enter his own username and password,
       which would create a new binding (username B <-> IP address
       X.Y.Z).

       o Another personal computer gets IP address X.Y.Z through
       normal DHCP processes.

       o An idle timeout, web login timeout or DHCP timeout expires,
       which makes the user go to the web login page again and enter
       his username and password.


   In the cases where there is no web login, the start of the session
   would be when the first packet with a specific source IP address
   reaches the edge device. The end of the session would be based on
   some idle or policy timeout.

   It is worth noting that the web login method discussed in this
   section also applies to xDSL networks, to enhance the granularity
   level when identifying subscribers by IP prefixes or ATM VCs.  
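   The binding table described in this section, as an added example
   that is not part of this draft nor the authors' code: a username <->
   IP binding that ends when another user logs in from the same address,
   when DHCP hands the address to a different host, or when an idle or
   login timeout expires. The class and function names, the timeout
   values and the timeline in demo() are assumptions. The draft binds on
   the IP address alone; since a source address is chosen by the sender,
   the example also records the hardware address seen at login and does
   not credit frames from another hardware address to the user, which
   is an added check, not something the draft describes.

```python
# Added example (not the draft's or the authors' code): the edge device's
# username <-> IP binding table for the web-login model. Class and function
# names, timeout values, the MAC check and the timeline in demo() are
# assumptions; the draft specifies none of them.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Binding:
    username: str
    mac: str           # hardware address seen at login (added check, not in the draft)
    login_at: float    # seconds; absolute start of the web-login session
    last_seen: float   # seconds; last packet credited to this binding


class WebLoginBindings:
    """Who is behind each source IP, as seen by the edge device (section 6.1.2).

    A binding is created by a web login and ends when another user logs in
    from the same IP, DHCP hands the IP to a different host, or the idle or
    login timeout expires.
    """

    def __init__(self, idle_timeout: float = 900.0, login_timeout: float = 8 * 3600.0):
        self.idle_timeout = idle_timeout      # assumed: 15 minutes of silence
        self.login_timeout = login_timeout    # assumed: re-login after 8 hours
        self._by_ip: Dict[str, Binding] = {}

    def login(self, username: str, ip: str, mac: str, now: float) -> None:
        """Web login from (ip, mac): replaces whatever binding the IP had."""
        self._by_ip[ip] = Binding(username, mac, now, now)

    def packet(self, ip: str, mac: str, now: float) -> Optional[str]:
        """Classify a packet; return the bound username, or None if unbound.

        The source IP is chosen by the sender, so a binding is only
        extended to frames from the MAC that logged in. A frame from another
        MAC is not credited to the user and does not refresh the binding.
        """
        b = self._by_ip.get(ip)
        if b is None:
            return None
        if now - b.last_seen > self.idle_timeout or now - b.login_at > self.login_timeout:
            del self._by_ip[ip]                # timeout: user must log in again
            return None
        if mac != b.mac:
            return None
        b.last_seen = now
        return b.username

    def dhcp_lease(self, ip: str, mac: str) -> None:
        """DHCP assigned `ip` to `mac`; a binding held by another host is void."""
        b = self._by_ip.get(ip)
        if b is not None and b.mac != mac:
            del self._by_ip[ip]


def demo() -> List[Optional[str]]:
    """Constructed timeline: users A and B share the PC at 10.0.0.7."""
    t = WebLoginBindings(idle_timeout=600.0)
    pc, other = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
    seen = []
    seen.append(t.packet("10.0.0.7", pc, 0.0))       # nobody logged in -> None
    t.login("userA", "10.0.0.7", pc, 10.0)
    seen.append(t.packet("10.0.0.7", pc, 100.0))     # 'userA'
    seen.append(t.packet("10.0.0.7", other, 120.0))  # forged source IP -> None
    t.login("userB", "10.0.0.7", pc, 200.0)
    seen.append(t.packet("10.0.0.7", pc, 250.0))     # 'userB' (A's binding replaced)
    seen.append(t.packet("10.0.0.7", pc, 1000.0))    # idle > 600 s -> None, binding dropped
    t.login("userB", "10.0.0.7", pc, 1100.0)
    t.dhcp_lease("10.0.0.7", other)                   # address re-leased to another host
    seen.append(t.packet("10.0.0.7", pc, 1150.0))    # binding voided -> None
    return seen


if __name__ == "__main__":
    print(demo())
```

   The idle timeout is what bounds the damage when user A walks away
   without logging out: until it fires, anything sent from that address
   (and hardware address) is still attributed to A, which is the
   "shared PC" limitation this section describes.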







6.1.3 PPPoE

   In this model the access network must pass the packets transparently
   between the cable modem and the edge device, since a layer 2
   end-to-end session must be established between the user and the edge
   device. Layer 2 PPPoE [RFC2516] access via cable TV networks is very
   similar to dial-up access: in the dial-up model, the Remote Access
   Server (RAS) plays the part of physical access concentrator that the
   Cable Modem Termination System (CMTS) plays in cable networks. In
   either case an end-to-end PPP session is established, followed by
   authentication, user validation and IP address allocation for the
   duration of the call. The fundamental difference is that instead of
   using a traditional POTS dial-up mechanism, the user runs a PPPoE
   client on his machine, fills in the username and password fields and
   opens a session with his provider much faster.

   In the PPPoE model it is possible to identify each user uniquely,
   because each user has his own unique username and password within
   the network. In this case, the subscriber from the edge device's
   standpoint is the established PPP session. Even when several users
   share the same computer, it is possible to identify each one as a
   different subscriber and apply personalized services, because they
   can use distinct usernames to connect to the network. Hence, this is
   the highest level of granularity the subscriber identification can
   reach.

                                              
     User A                                            
         \                                  
          \->|----|                                       
             | PC |\  |------|            |------|       |------------|
          /->|----| \-|Cable |            |      |       |Edge Device | 
         /            |Modem |-->Access-->| CMTS |------>|            |
     User B  |----| /-|------|   Network  |      |       |------------|
       ^     | PC |/                      |------|         
       |     |----|                                       
   Subscriber
   

7. Dial-up Access Networks   

   Dial-up network access has been used for many years, using the
   Plain Old Telephone System (POTS) to carry the data from the user's
   modem to the Remote Access Server (RAS), the device which acts as a
   physical access concentrator.

7.1 PPP

   The Point-to-Point Protocol (PPP), as defined by RFC 1661, provides
   a standard method for transporting multi-protocol datagrams over
   point-to-point links.  

   In the PPP model, each user has his own login and password within
   the network, which makes the unique identification of each user
   possible. In this case, the subscriber from the edge device's
   standpoint is the established PPP session. Even when several users
   share the same computer, personalized services can be applied,
   because each subscriber can use his own username and password in
   order to gain access to the network. Hence, this is the highest level
   of granularity the subscriber identification can achieve.

   Sometimes, in order to apply personalized services in a more
   cost-effective manner, the aggregation of a larger number of
   subscribers is needed. In order to achieve this, it is possible to
   extend the termination of a PPP session by encapsulating it in an
   L2TP tunnel to an Edge Device. Using L2TP, it is possible to extend
   the recognition of a user from a RAS (the L2TP tunnel initiator, or
   LAC) to an Edge Device capable of supplying value-added services to
   the subscriber (the Edge Device acts as the L2TP tunnel terminator,
   or LNS).

     User A                                            
         \                                  
          \->|----|  |-------|            |------|       |------------|
             | PC |--|Dial-up|            |      | L2TP  |Edge Device | 
          /->|----|  |Modem  |--> POTS -->| RAS  |------>|            |
         /           |-------|            |      |       |------------|
     User B                               |------|         
       ^
       |     
   Subscriber
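   How the edge device learns the identity behind a PPP session, as an
   added example that is not part of this draft nor the authors' code.
   It serves sections 5.1.1 and 6.1.3 (PPP over PPPoE from a DSL or
   cable modem) and this section (PPP from a dial-up RAS, carried to the
   LNS in an L2TP tunnel): the access encapsulation is stripped, and the
   subscriber name is read from the PAP Authenticate-Request or CHAP
   Response, the only point at which the PPP session names the user.
   The frame layouts follow RFC 2516, RFC 2661, RFC 1334 and RFC 1994;
   the function names, the constructed frames, the MAC addresses and the
   identity record format are assumptions.

```python
# Added example (not the draft's or the authors' code): read the subscriber
# identity out of a PPP session carried over PPPoE or L2TP. Layouts follow
# RFC 2516 (PPPoE), RFC 2661 (L2TPv2), RFC 1334 (PAP) and RFC 1994 (CHAP);
# function names and the constructed frames are assumptions.
import struct
from typing import Dict, Optional, Tuple

ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PAP = 0xC023
PPP_CHAP = 0xC223


def pppoe_session_payload(frame: bytes) -> Tuple[int, bytes]:
    """Strip Ethernet + PPPoE session headers; return (session_id, ppp)."""
    if len(frame) < 20 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame")
    vertype, code, session_id, length = struct.unpack_from("!BBHH", frame, 14)
    if vertype != 0x11 or code != 0x00:        # PPPoE v1, type 1, session data
        raise ValueError("not PPPoE session data")
    ppp = frame[20:20 + length]
    if len(ppp) != length:
        raise ValueError("truncated PPPoE payload")
    return session_id, ppp


def l2tp_data_payload(dgram: bytes) -> Tuple[int, int, bytes]:
    """Strip an L2TPv2 data header; return (tunnel_id, session_id, ppp).

    (tunnel_id, session_id) is to the LNS what the PPPoE session id is to
    the DSL/cable edge: the handle of the PPP session the subscriber owns.
    """
    flags = struct.unpack_from("!H", dgram, 0)[0]
    if flags & 0x8000 or (flags & 0x000F) != 2:  # T bit set = control message
        raise ValueError("not an L2TPv2 data message")
    off = 2
    if flags & 0x4000:                           # L: Length field present
        off += 2
    tunnel_id, session_id = struct.unpack_from("!HH", dgram, off)
    off += 4
    if flags & 0x0800:                           # S: Ns/Nr present
        off += 4
    if flags & 0x0200:                           # O: Offset Size + padding
        off += 2 + struct.unpack_from("!H", dgram, off)[0]
    ppp = dgram[off:]
    if ppp[:2] == b"\xff\x03":                   # HDLC address/control kept by the LAC
        ppp = ppp[2:]
    return tunnel_id, session_id, ppp


def realm_of(name: str) -> Optional[str]:
    """name@domain: the domain part selects the provider; None if absent."""
    return name.rsplit("@", 1)[1] if "@" in name else None


def ppp_identity(ppp: bytes) -> Optional[Dict[str, object]]:
    """Identity from a PAP Authenticate-Request or CHAP Response, else None.

    LCP, IPCP and data packets carry no user name; the edge device learns
    who the subscriber is only from the authentication exchange.
    """
    proto = struct.unpack_from("!H", ppp, 0)[0]
    code, _ident, length = struct.unpack_from("!BBH", ppp, 2)
    body = ppp[6:2 + length]
    if proto == PPP_PAP and code == 1:           # Authenticate-Request
        n = body[0]
        peer_id = body[1:1 + n].decode("ascii", "replace")
        pw_len = body[1 + n]                     # password follows, in the clear
        return {"method": "PAP", "user": peer_id, "realm": realm_of(peer_id),
                "secret_in_clear": pw_len > 0}
    if proto == PPP_CHAP and code == 2:          # Response: Value-Size, Value, Name
        vlen = body[0]
        name = body[1 + vlen:].decode("ascii", "replace")
        return {"method": "CHAP", "user": name, "realm": realm_of(name),
                "secret_in_clear": False}
    return None


# --- constructed test frames (not captured traffic) -------------------------

def pap_request(user: bytes, password: bytes) -> bytes:
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!HBBH", PPP_PAP, 1, 7, 4 + len(body)) + body


def pppoe_frame(session_id: int, ppp: bytes) -> bytes:
    eth = bytes.fromhex("0000aa000001" "0000bb000002")   # constructed dst/src MACs
    return eth + struct.pack("!HBBHH", ETHERTYPE_PPPOE_SESSION, 0x11, 0, session_id, len(ppp)) + ppp


def l2tp_datagram(tunnel_id: int, session_id: int, ppp: bytes) -> bytes:
    payload = b"\xff\x03" + ppp                          # LAC kept HDLC framing
    return struct.pack("!HHHH", 0x4002, 8 + len(payload), tunnel_id, session_id) + payload
```

   The identity record keeps the name@domain split because the domain
   is what a LAC uses to pick the LNS for the tunnel. PAP carries the
   password in the clear across the access network, so an edge device
   that records identities from PAP should drop the password field
   before logging, and CHAP is preferable where the client supports it.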

8. Leased Line  

   Leased lines are usually used by corporations to connect to an ISP or
   carrier that provides Internet connectivity. This model is analogous
   to the one discussed in section 5.1.3.2, i.e., the subscriber from
   the Edge Device's point of view is the whole network, identified by
   an IP address/netmask or a range of IPs, behind the router or switch
   that connects the corporation to the backbone provider. This
   represents the lowest level of granularity.

                Subscriber A            
|------------|      /
|Corporation | ----/                                       
|            |           |------|            |------|    |--------|
|  |----|    |           |      |            |      |    |  Edge  |
|  | PC |    |---------->|Router|-->Access-->|Access|--->| Device |
|  |----|    |           |------|   Network  |Router|    |--------|
|     ^      |                               |------|         
|-----|------|                                                          
      |
      |
Subscriber B

                                                 
    Optionally the corporation could want to provide special services
    to a certain employee or group of employees within the organization.

    In this case there would be a special subscriber (subscriber
    B in the figure above), identified by his IP address/mask,
    to which the Edge Device would provide customized services.
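    The three ways of naming a subscriber in the RFC 2684 router-mode
    model (sections 5.1.3.1 to 5.1.3.3) and the leased-line model of
    this section, as an added example that is not part of this draft
    nor the authors' code: one lookup table consulted at ATM VC, IP
    network or source IP granularity, where the longest matching prefix
    wins, so subscriber B (a group inside the corporation's network) is
    told apart from subscriber A (the whole network). The table layout,
    VPI/VCI values, prefixes and names are constructed. The rule that a
    network or host entry only counts on the VC it was provisioned for
    is an added anti-spoofing check, not something the draft describes.

```python
# Added example (not the draft's or the authors' code): one subscriber
# lookup consulted at ATM VC, IP network or source IP granularity. The
# table layout, VPI/VCI values, prefixes and names are constructed; the
# rule that a network or host entry counts only on the VC it was
# provisioned for is an added anti-spoofing check the draft does not describe.
import ipaddress
from typing import Dict, List, Optional, Tuple

VC = Tuple[int, int]   # (VPI, VCI) of the PVC/SVC the packet arrived on


class SubscriberTable:
    def __init__(self) -> None:
        self.vcs: Dict[VC, str] = {}                                     # 5.1.3.1
        self.networks: List[Tuple[ipaddress.IPv4Network, VC, str]] = []  # 5.1.3.2 / sec. 8
        self.hosts: Dict[ipaddress.IPv4Address, Tuple[VC, str]] = {}     # 5.1.3.3

    def add_vc(self, vpi: int, vci: int, name: str) -> None:
        self.vcs[(vpi, vci)] = name

    def add_network(self, prefix: str, vc: VC, name: str) -> None:
        self.networks.append((ipaddress.ip_network(prefix, strict=True), vc, name))
        # longest prefix first: a group inside a corporation's /24 wins over the /24
        self.networks.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def add_host(self, ip: str, vc: VC, name: str) -> None:
        self.hosts[ipaddress.ip_address(ip)] = (vc, name)

    def classify(self, mode: str, vpi: int, vci: int, src_ip: str) -> Optional[str]:
        """Subscriber for a packet under the configured granularity, or None.

        mode is "vc", "network" or "host". The VC is set by the access network
        and cannot be chosen by the sender; the source IP can, so a network or
        host match is only honoured when the packet came in on that entry's VC.
        """
        vc = (vpi, vci)
        if vc not in self.vcs:
            return None                      # unknown VC: no subscriber, drop
        if mode == "vc":
            return self.vcs[vc]
        addr = ipaddress.ip_address(src_ip)
        if mode == "host":
            entry = self.hosts.get(addr)
            return entry[1] if entry is not None and entry[0] == vc else None
        if mode == "network":
            for net, net_vc, name in self.networks:
                if addr in net:
                    return name if net_vc == vc else None   # spoofed prefix: None
            return None
        raise ValueError(f"unknown mode {mode!r}")


def demo() -> Dict[str, Optional[str]]:
    """Constructed provisioning: one DSL line (VC 0/35) and one leased line (VC 0/36)."""
    t = SubscriberTable()
    t.add_vc(0, 35, "dsl-line-17")
    t.add_vc(0, 36, "corp-leased-line")
    t.add_network("192.0.2.0/24", (0, 36), "corp")             # subscriber A, section 8
    t.add_network("192.0.2.64/29", (0, 36), "corp-finance")    # subscriber B, inside A
    t.add_host("198.51.100.10", (0, 35), "pc-a")
    t.add_host("198.51.100.11", (0, 35), "pc-b")
    return {
        "vc":      t.classify("vc", 0, 35, "198.51.100.10"),        # dsl-line-17
        "host_a":  t.classify("host", 0, 35, "198.51.100.10"),      # pc-a
        "host_b":  t.classify("host", 0, 35, "198.51.100.11"),      # pc-b
        "corp":    t.classify("network", 0, 36, "192.0.2.9"),       # corp (/24)
        "group":   t.classify("network", 0, 36, "192.0.2.66"),      # corp-finance (/29 wins)
        "spoof":   t.classify("network", 0, 35, "192.0.2.66"),      # None: corp prefix on DSL VC
        "unknown": t.classify("host", 0, 99, "198.51.100.10"),      # None: unprovisioned VC
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:8s} -> {v}")
```

    The "spoof" case is the practical reason to keep the VC in the
    lookup even when the configured granularity is an IP network or a
    source IP: without it, a host on the DSL line could claim the
    corporation's prefix and receive its services.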

9. Ethernet Networks [TBD]

9.1 MAC Address
9.2 802.1Q

10. Wireless Networks

    Most mobile wireless networks also use PPP between the user's
    device and the packet gateway, which terminates the sessions. So
    the same user identification methods used in dial-up environments
    also apply to most wireless networks.

    In wireless networks there is also the possibility of using the
    calling number (MSID) as a user identification. This method is
    analogous to using an IP address as a user identification in cable
    or ADSL networks. Most of the time there will be a valid and fixed
    subscriber <-> MSID binding. But if the cellular phone is shared by
    more than one person, this method loses its value.

    On the other hand, a cellular phone usually belongs to only one
    person for a long period of time and is not shared by other people,
    unlike cable or ADSL networks, where it is common to have a PC
    shared by several people.

11. References 

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [2]  Bradner, S., "The Internet Standards Process -- Revision 3",
        BCP 9, RFC 2026, October 1996.

   [3]  Carpenter, B., "Internet Transparency", RFC 2775, February
        2000.

   [4]  Mamakos, L., Lidl, K., Evarts, J., Carrel, D., Simone, D. and
        R. Wheeler, "A Method for Transmitting PPP Over Ethernet
        (PPPoE)", RFC 2516, February 1999.

   [5]  Grossman, D. and J. Heinanen, "Multiprotocol Encapsulation over
        ATM Adaptation Layer 5", RFC 2684, September 1999.

   [6]  Simpson, W., Ed., "The Point-to-Point Protocol (PPP)", STD 51,
        RFC 1661, July 1994.

    
12. Acknowledgments 
    
   To be provided. 
     
   Author's Addresses 
    
   Reinaldo Penno
   Nortel Networks, Inc. 
   2305 Mission College Boulevard
   Building SC9  
   Santa Clara, CA 95134
   Email: rpenno@nortelnetworks.com 

   Andre Gustavo de Albuquerque
   Nortel Networks, Inc.
   Av. Lauro Muller, 116
   Room 605
   Rio de Janeiro, Brazil
   Email: gustavoa@nortelnetworks.com


Full Copyright Statement

   Copyright (C) The Internet Society (2000). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC editor function is currently provided by the
   Internet Society.