Internet DRAFT - draft-heinanen-radius-pe-discovery

draft-heinanen-radius-pe-discovery









Internet Engineering Task Force                            Juha Heinanen
INTERNET DRAFT                                             TutPro Inc.
Expires December 2003                                      June, 2003


                Using Radius for PE-Based VPN Discovery
              <draft-heinanen-radius-pe-discovery-04.txt>


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet- Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document describes how in PE-based VPNs a PE of a VPN can use
   Radius to authenticate its CEs and discover the other PEs of the VPN.

1. Introduction

   This document describes how in PE-based VPNs a PE of a VPN can use
   Radius [1-2] to authenticate its CEs and discover the other PEs of
   the VPN.  In Radius terms, the CEs are users and PEs are Network
   Access Servers (NAS) implementing Radius client function.

   A VPN can span multiple Autonomous Systems (AS) and multiple
   providers.  Each PE, however, only needs to be a Radius client to
   Radius of the "local" provider.  In case of a CE belongs to a
   "foreign" VPN, Radius of the local provider acts as a proxy client to
   Radius of the foreign provider.




Heinanen         Using Radius for PE-Based VPN Discovery        [Page 1]

INTERNET DRAFT                                                June, 2003


2. Site Identification

   Each CE (a VPN site) is identified by a "user name" of the form

       [provider/]site@vpn

   "provider" identifier, if present, denotes a provider that is the
   administrative owner of the VPN.  It is needed only if a CE connects
   to a VPN at a PE that does not belong to the owner of the VPN and is
   then used by Radius of the PE to proxy requests to Radius of the
   owner of the VPN.

   "site" identifier denotes a site in a VPN identified by "vpn".  As an
   example,

       providerX/atlanta@vpnY.domainZ.net

   could denote a CE called "atlanta" in a VPN identified by
   "vpnY.domainZ.net", which is owned by providerX.

3. Radius Configuration

   Each "provider" has a single Radius that stores all information
   regarding VPNs that belong to the provider.  For reliable operation
   of this protocol, each Radius should consist of more than one
   physical Radius server.  For correct operation of this protocol, all
   these physical servers MUST at all times share the same database
   content.

   For each VPN, Radius of the provider to which the VPN belongs to MUST
   at all times be configured with a set of "users" that correspond to
   the potential CEs of the VPN, i.e., CEs that are currently allowed to
   be connected to the VPN at some PE.  User information includes site
   identifier, password, and VPN identifier:

       <site, password, vpn>

   User information MAY also include other information, such as a list
   of PEs to which the CE is allowed to connect to and QoS information
   regarding the CE's connection to the VPN.

   In addition to the above manually configured information, Radius
   keeps dynamically track of the PEs and CEs of a VPN in a database
   table that has the following fields:

       <vpn, PE IP address, site, timestamp>





Heinanen         Using Radius for PE-Based VPN Discovery        [Page 2]

INTERNET DRAFT                                                June, 2003


   received from the PE any Radius request:

       <PE IP address, timestamp>

   Timestamp tells the most recent time when the PE has authenticated
   the site to the VPN.  It is used by Radius to detect if a PE has
   failed for a longer period of time or has been taken improperly out
   of use, and if so, to clean up the site and PE from its database.

   The PEs MAY also have pre-configured attributes telling, for example,
   that a PE is a hub of a VPN.

   If dynamic PE discovery capability of this protocol is not used,
   Radius MUST be configured for each VPN with a list of its PEs.  Such
   a degenerate use of this protocol is not discussed further in this
   memo.

   In order to allow queries about CEs that are connected PEs of a
   "foreign" provider, the Radius servers of this foreign provider MUST
   be configured as clients in the Radius of the VPN owner.

4. PE Configuration

   Each PE MUST be configured with the information about the Radius
   servers of local Radius to which to send requests to.  For
   reliability reasons, each PE SHOULD have available more than one
   physical Radius server.

5. Protocol Operation

5.1 Connecting a CE to a VPN at a PE

   When a CE is to be connected to a VPN at a PE, the PE issues a Radius
   Access-Request using the user name and password of the CE.  The PE
   has either learned this information from the CE via an authentication
   protocol, for example, 802.1x/EAP, or it has been configured in the
   PE.

   Service-Type of the Access-Request is VPN-Login (value TBD).

   If authentication succeeds and possible other (VPN or provider)
   specific preconditions are met (for example, the CE is allowed to
   connect to the particular PE and it is not already connected to some
   other PE), Radius inserts a

       <vpn, PE IP address, site, timestamp>

   record in its database (replacing a possible earlier record that only



Heinanen         Using Radius for PE-Based VPN Discovery        [Page 3]

INTERNET DRAFT                                                June, 2003


   differs by the timestamp value) and responds with an Access-Accept.
   Access-Accept includes as reply items a Session-Timeout attribute and
   one or more PE-List attributes that contain all unique PE IP
   addresses in the set

       <vpn, *, *>

   and possibly other CE specific information, e.g., QoS parameters.

   Session-Timeout attribute tells to the PE for how long time Radius
   considers the CE as connected to the VPN at the PE unless the PE re-
   authenticates the CE.  The value of the timestamp in

          <vpn, PE IP address, site, timestamp>

   record is the time of the Access-Accept plus the number of seconds in
   the Session-Timeout attribute.

   PE-List attribute contains a list of PE IP addresses.  It is only
   used in Access-Accept packets and has the following format:

        0                   1                   2
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
       |     Type      |    Length     |  String ...
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

       Type

       TBD for PE-List

       Length

       16 + N * 4 bytes, where 1 <= N <= 63.

       String

       N IP Addresses of PEs (the most significant octet first in each
       address).

   After receiving the Access-Accept, the PE considers the CE as
   connected to the VPN and issues a Start Accounting-Request.

   If authentication fails or some pre-conditions are not met, Radius
   responds with Access-Reject.

   If a PE wants for some reason to get from Radius an up-to-date list
   of PEs in a particular VPN, it can at any time issue a new Access-



Heinanen         Using Radius for PE-Based VPN Discovery        [Page 4]

INTERNET DRAFT                                                June, 2003


   Request for any one of its CEs that belongs to the VPN.  In order to
   keep the CE connected to the VPN at the PE, the PE MUST issue a new
   Access-Request before the number of seconds returned by Radius in
   Session-Timeout attribute of the most recent Access-Accept has
   elapsed.

   Note that this document does not define any protocol mechanisms by
   which the other PEs of the VPN would be notified that a new CE was
   connected to the VPN at the PE or that a new PE became associated
   with the VPN.  Such mechanisms belong to the VPN solution documents
   that utilize the discovery protocol defined in this memo.

5.2 Disconnecting a CE from a VPN at a PE

   When a CE is to be disconnected from the VPN at a PE, the PE issues a
   Stop Accounting-Request.  After receiving the request, Radius removes
   the

       <vpn, PE IP address, site>

   record from its database and responds with an Accounting-Response.
   The PE considers the CE as disconnected from the VPN at the PE when
   it has received the Accounting-Response.

   Note that this document does not define any protocol mechanisms by
   which the other PEs of the VPN would be notified that a CE was
   disconnected from the VPN at the PE or that the PE is not anymore
   associated with the VPN. Such mechanisms belong to the VPN solution
   documents that utilize the PE discovery protocol defined in this
   memo.

5.3  PE Failure Detection and Recovery

   When a PE recovers from a failure, it re-authenticates all CEs
   connected to it in all VPNs and thus re-discovers all other PEs in
   all those VPNs.

6. Scaling Limits

   Since Radius protocol operates over UDP, the maximum UDP payload size
   available for Radius attributes is limited to about 1500 - 40 = 1460
   octets assuming that UDP fragmentation is not supported.  The most
   space consuming message is Access-Accept response, which contains a
   list of IP addresses of the PEs of a VPN.  This limits the number of
   PEs in a VPN to about 350.

   Besides the packet size, another factor limiting scalability of this
   protocol might be the periodic re-authentication of CEs as required



Heinanen         Using Radius for PE-Based VPN Discovery        [Page 5]

INTERNET DRAFT                                                June, 2003


   by the Session-Timeout reply attribute.  For example, if a provider
   has 3600 VPN sites and uses a Session-Timeout value of 1 hour, then
   Radius will get on the average of 1 Access-Requests per second.

7. Security Considerations

   Security of Radius based VPN discovery depends on the security of
   Radius that is covered in [1] and [2].  In multi-provider operation,
   secure tunnels SHOULD be used to carry Radius traffic between
   providers.

8. Compliance with PPVPN L2 Requirements

   This document covers a PE discovery and CE authentication solution
   for provider based VPNs.  Thus only a small subset of the complete
   PPVPN L2 requirements listed in [3] are applicable to this document.

   The solution described in this document fulfills all the requirements
   of section 6.3 of [3] on "Discovering L2VPN Related Information".  In
   particular:

     (1) Radius based discovery allows PEs to dynamically discover
         information about other PEs of a VPN with minimal or even with
         no configuration in the PEs.

     (2) Unauthorized access to the VPN can be prevented by
         authentication that is an integral part of Radius.

     (3) VPN membership information is only distributed to the PEs that
         have sites that are members of the VPN.

   Other aspects mentioned on section 6.3 of [3], such as propagation of
   membership changes in a "timely manner" and no manual reconfiguration
   of the other PEs, are not directly covered in this document.  They
   belong to VPN solution specifications that apply Radius based PE
   discovery and CE authentication, such as the one described in [4].

   The Radius based solution described in this document also complies
   with all applicable generic requirements listed in [3].  In
   particular:

     (1) The PEs of a VPN can be associated with topology and tunneling
         protocol information.

     (2) VPN sites can be associated with QoS and access control
         information.

     (3) Radius has been widely implemented by existing PEs and has



Heinanen         Using Radius for PE-Based VPN Discovery        [Page 6]

INTERNET DRAFT                                                June, 2003


         very good interoperability record.

     (4) Multi-provider/multi-AS VPNs are readily supported without any
         extra complications.

     (5) CEs of a VPN require either no configuration or minimal
         configuration (user name/password).

     (6) There is no practical limit on the number of VPNs and, with
         hierarchical implementation, each VPN can have a very large
         number of PEs and CEs.

     (7) Radius based provisioning systems are readily available and are
         easily adaptable to PE discovery.

   In summary, Radius provides a good directory based alternative to
   PPVPN PE discovery and a natural means to authenticate VPN CEs.

Acknowledgements

   I would like to thank Mark Duffy, Joel Halpern, and Mark Townsley for
   their constructive comments on earlier versions of this memo.

References

   [1] C. Rigney, et al., "Remote Authentication Dial In User Service
   (RADIUS)". RFC 2865, June 2000.

   [2] C. Rigney, "RADIUS Accounting". RFC 2866, June 2000.

   [3] W. Augustun, Y. Serbest, "Service Requirements for Layer 2
   Provider Provisioned Virtual Private Networks".  draft-augustyn-
   ppvpn-l2vpn-requirements-02.txt, February 2003.

   [4] J. Heinanen, "Radius/L2TP Based VPLS".  draft-heinanen-radius-
   l2tp-vpls-00.txt, February 2003.

Author's Address

   Juha Heinanen
   TutPro Inc.
   Utsjoki, Finland
   Email: jh@tutpro.com

Full Copyright

   Copyright (C) The Internet Society (2000). All Rights Reserved.




Heinanen         Using Radius for PE-Based VPN Discovery        [Page 7]

INTERNET DRAFT                                                June, 2003


   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it or
   assist in its implementation may be prepared, copied, published and
   distributed, in whole or in part, without restriction of any kind,
   provided that the above copyright notice and this paragraph are included
   on all such copies and derivative works. However, this document itself
   may not be modified in any way, such as by removing the copyright notice
   or references to the Internet Society or other Internet organizations,
   except as needed for the purpose of developing Internet standards in
   which case the procedures for copyrights defined in the Internet
   Standards process must be followed, or as required to translate it into
   languages other than English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an "AS
   IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
   FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
   LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
   INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
   FITNESS FOR A PARTICULAR PURPOSE.





























Heinanen         Using Radius for PE-Based VPN Discovery        [Page 8]