TOC |
|
This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 30, 2009.
Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
This document specifies new IPv6 RADIUS attributes used to support IPv6 network access. As IPv6 specifies two configuration mechanisms (DHCP and SLAAC), the new attributes are targeted at both protocols when that makes sense.
1.
Requirements Language
2.
Introduction
3.
Attributes
3.1.
IPv6-Address
3.2.
IPv6-DNS-Server-Address
3.3.
IPv6-Prefix
3.4.
IPv6-Route-Option-Preference
3.5.
IPv6-Route-Option-Lifetime
3.6.
Auth-IPv6-Prefix-Valid-Lifetime
3.7.
Auth-IPv6-Prefix-Prefd-Lifetime
3.8.
Auth-IPv6-Prefix-User-ID
3.9.
Prefix-Lifetime-Service-Type
3.10.
Table of attributes
4.
Diameter Considerations
5.
Security Considerations
6.
IANA Considerations
7.
Acknowledgements
8.
References
8.1.
Normative References
8.2.
Informative References
§
Authors' Addresses
TOC |
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.).
TOC |
This document specifies new IPv6 attributes for RADIUS that both complement and extend the functionality provided by those already defined [RFC3162] (Aboba, B., Zorn, G., and D. Mitton, “RADIUS and IPv6,” August 2001.). Its goal is to offer more IPv6 deployment options when StateLess Address Auto Configuration (SLAAC) or DHCP are utilized.
TOC |
As usual, the fields shown in the diagrams below are transmitted from left to right. Multiple instances of each of the attributes defined below may be included in a single RADIUS packet. In this case, the attributes to be applied to any given prefix MUST all contain the same value in their respective Tag fields; otherwise, the Tag field MUST be set to zero (0x00) [RFC2868] (Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M., and I. Goyret, “RADIUS Attributes for Tunnel Protocol Support,” June 2000.).
TOC |
This Attribute indicates an IPv6 Address that is assigned to the uplink of the user equipment. It MAY be used in Access-Accept packets, and can appear multiple times. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer these IPv6 address(es), but the server is not required to honor the hint. Since it is assumed that the NAS, when necessary, will add a route corresponding to the address, it is not necessary for the server to also send a host Framed-IPv6-Route attribute for the same address.
This Attribute can be used by DHCPv6 to offer a unique IPv6 address or can be used for a-posteriori validation of an autoconfigured address.
A summary of the IPv6-Address Attribute format is shown below.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Address +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont.) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Type
TBA1 for IPv6-Address- Length
18- Address
The Address field contains a 128-bit IPv6 address.
TOC |
The IPv6-DNS-Server-Address Attribute contains the IPv6 address of a DNS server. This attribute MAY be included multiple times in Access-Accept.
The content of this attribute can be inserted in a Router Advertisement as specified in [RFC5006] (Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, “IPv6 Router Advertisement Option for DNS Configuration,” September 2007.) or mapped to the matching DHCPv6 option.
A summary of the IPv6-DNS-Server-Address Attribute format is given below.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Address +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (cont.) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Type
TBA2 for IPv6-DNS-Server-Address- Length
18- Address
The 128-bit IPv6 address of a DNS server.
TOC |
This Attribute specifies a prefix (and corresponding route) to be authorized for the user or NAS interface. This Attribute also specifies a prefix that is reachable via the NAS and that need to be advertised as routes to the user by the NAS. It is used in the Access-Accept packet and can appear multiple times. It may be used in the Access-Request packet and can appear multiple times.
A summary of the IPv6-Prefix Attribute format is shown below. The route information option defined in [RFC4191] (Draves, R. and D. Thaler, “Default Router Preferences and More-Specific Routes,” November 2005.) is captured in this and following two attributes.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Tag | Prefix-Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Prefix (variable) ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Type
TBA3 for IPv6-Prefix- Length
At least 4 and no larger than 20; typically 12 or less.- Prefix Length
The length of the prefix, in bits; at least 0 and no more than 128; typically 64 or less.- Tag
The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same IPv6 Route Option or Authorized Prefixes depending on the tag value. The Tag field is mandatory. The Tag field values are greater than 0x00.- Prefix
Variable-length field containing an IP address or a prefix of an IP address. The Prefix Length field contains the number of valid leading bits in the prefix. The bits in the prefix after the prefix length (if any) are reserved and MUST be initialized to zero by the sender and ignored by the receiver.
TOC |
This Attribute specifies the preference value that is associated with the prefix in IPv6-Prefix as defined in Section 3.3. It is used in the Access-Accept packet and can appear multiple times.
A summary of the IPv6-Route-Option-Preference Attribute format is shown below.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Tag | Value | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Type
TBA4 for IPv6-Route-Option-Preference- Length
6.- Tag
The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same IPv6 Route Option. The Tag field is mandatory. The Tag field values are greater than 0x00.- Value
- Only the first two bits of the Value is interpreted as 2-bit signed integer. The remaining bits are ignored. The 2-bit signed integer indicates the Route Preference to a host whether to prefer the NAS announcing the prefix in IPv6-Route-Option-Prefix attribute over others, when multiple identical prefixes (for different NASes) have been received.
TOC |
This Attribute specifies a lifetime value to be used in association with IPv6-Prefix attribute as defined in Section 3.3. It is used in the Access-Accept packet and can appear multiple times.
A summary of the IPv6-Route-Option-Lifetime Attribute format is shown below.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Tag | Value | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Value(cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Type
TBA5 for IPv6-Route-Option-Lifetime- Length
7.- Tag
The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same IPv6 Route Option. The Tag field is mandatory. The Tag field values are greater than 0x00.- Value
- The Value field is 32-bit unsigned integer. The length of time in seconds to be announced by the NAS along with the prefix in association with IPv6-Route-Option-Prefix attribute as being valid for route determination. A value of all one bits (0xffffffff) represents infinity.
TOC |
This Attribute indicates Valid Lifetime for the authorized IPv6-Prefix attribute defined in Section 3.3 (IPv6-Prefix). It MAY be used in Access-Accept packets, and can appear multiple times together with IPv6-Prefix.
A summary of the Auth-IPv6-Prefix-Valid-Lifetime Attribute format is shown below.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Tag | Value | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Value(cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Type
TBA6 for Auth-IPv6-Prefix-Valid-Lifetime- Length
7.- Tag
The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same Authorized IPv6 Prefix. The Tag field is mandatory. The Tag field values are greater than 0x00.- Value
The Value field is 32-bit unsigned integer. The length of time in seconds (relative to the time the packet is sent) that the prefix is valid for the purpose of on-link determination. A value of all one bits (0xffffffff) represents infinity.
TOC |
This Attribute indicates Preferred Lifetime for the authorized IPv6-Prefix attribute defined in Section 3.3 (IPv6-Prefix). It MAY be used in Access-Request packets, and can appear multiple times together with IPv6-Prefix as a hint that the NAS would prefer this value as the lifetime, but the server is not required to honor the hint.
A summary of the Auth-IPv6-Prefix-Prefd-Lifetime Attribute format is shown below.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Tag | Value | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Value(cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Type
TBA7 for Auth-IPv6-Prefix-Preferred-Lifetime- Length
7.- Tag
The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same Authorized IPv6 Prefix. The Tag field is mandatory. The Tag field values are greater than 0x00.- Value
The Value field is 32-bit unsigned integer. The length of time in seconds (relative to the time the packet is sent) that addresses generated from the prefix via stateless address autoconfiguration remain preferred [RFC4862] (Thomson, S., Narten, T., and T. Jinmei, “IPv6 Stateless Address Autoconfiguration,” September 2007.). A value of all one bits (0xffffffff) represents infinity.
TOC |
This Attribute identifies the user of the authorized IPv6-Prefix defined in Section 3.3 (IPv6-Prefix). It MAY be used in Access-Accept packets, and can appear only once. It MAY be used in an Access-Request packet and can appear only once.
The server manages authorized prefixes based on Auth-IPv6-Prefix-User-IDs. MAC addresses MAY be used as Auth-IPv6-Prefix-User-IDs.
A summary of the Auth-IPv6-Prefix-User-ID Attribute format is shown below.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Value (cont) | |-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Type
TBA8 for Auth-IPv6-Prefix-User-ID- Length
10- Value
The Value field is 64 bits unsigned integer.
TOC |
This Attribute indicates how Prefix Lifetimes, i.e. Auth-IPv6-Prefix-Valid-Lifetime and Auth-IPv6-Prefix-Prefd-Lifetime attributes can be used. It MAY be used in Access-Accept packets, and can appear only once. It MAY be used in an Access-Request packet and can appear only once.
Access-Request message containing at least one Auth-IPv6-Prefix-Valid-Lifetime or Auth-IPv6-Prefix-Prefd-Lifetime attribute MUST also contain Prefix-Lifetime-Service-Type attribute. Access-Accept message containing at least one Auth-IPv6-Prefix-Valid-Lifetime or Auth-IPv6-Prefix-Prefd-Lifetime attribute MUST also contain Prefix-Lifetime-Service-Type attribute.
A summary of the Prefix-Lifetime-Service-Type Attribute format is shown below.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Type
TBA9 for Prefix-Lifetime-Service-Type- Length
4- Value
The Value field is two octets.- 1
- Request
- 2
- Release
- 3
- Renew
Prefix-Lifetime-Service-Type values are defined as follows when used in an Access- Accept. When used in an Access-Request, they MAY be considered to be a hint to the RADIUS server that the NAS has reason to believe the user would prefer the kind of service indicated, but the server is not required to honor the hint.
- Request
- Prefix request for a user or a NAS interface. The interface of the user or NAS that the prefix (Authorized-IPv6-Prefix) is to be configured MUST be sent in Auth-IPv6-Prefix-User-ID attribute Section 3.8 (Auth-IPv6-Prefix-User-ID) in Access-Request. Auth-IPv6-Prefix-Prefd-Lifetime MUST be set to a non zero value. Auth-IPv6-Prefix-Valid-Lifetime becomes the lifetime of the prefix assigned.
- Renew
- Renew the lifetime of the prefix already requested by Valid Lifetime seconds.
- Release
- For a disconnected user or for a disabled NAS interface, NAS MAY request a release of a prefix (Auth-IPv6-Prefix) to the RADIUS server. Each interface for which the prefix is to be released is identified using Auth-IPv6-Prefix-User-ID attribute.
TOC |
The following table provides a guide to which attributes may be found in which kinds of packets, and in what quantity.
Req Acc Rej Chal Acct-Req # Attribute 0+ 0+ 0 0 0+ TBA1 IPv6-Address 0+ 0+ 0 0 0+ TBA2 IPv6-DNS-Server-Address 0+ 0+ 0 0 0+ TBA3 IPv6-Prefix 0 0+ 0 0 0+ TBA4 IPv6-Route-Option-Preference 0 0+ 0 0 0+ TBA5 IPv6-Route-Option-Lifetime 0+ 0+ 0 0 0+ TBA6 Auth-IPv6-Prefix-Valid-Lifetime 0+ 0 0 0 0+ TBA7 Auth-IPv6-Prefix-Preferred-Lifetime 0-1 0-1 0 0 0-1 TBA8 Auth-IPv6-Prefix-User-ID 0-1 0-1 0 0 0-1 TBA9 Prefix-Lifetime-Service-Type
TOC |
Since the Attributes defined in this document are allocated from the standard RADIUS type space (see Section 6 (IANA Considerations)), no special handling is required by Diameter entities.
TOC |
This document describes the use of RADIUS for the purposes of authentication, authorization and accounting in IPv6-enabled networks. In such networks, the RADIUS protocol may run either over IPv4 or over IPv6. Known security vulnerabilities of the RADIUS protocol apply to the attributes defined in this document. Since IPSEC is natively defined for IPv6, it is expected that running RADIUS implementations supporting IPv6 may want to run over IPSEC. Where RADIUS is run over IPSEC and where certificates are used for authentication, it may be desirable to avoid management of RADIUS shared secrets, so as to leverage the improved scalability of public key infrastructure.
TOC |
This document requires the assignment of three new RADIUS Attribute Types in the "Radius Types" registry (currently located at http://www.iana.org/assignments/radius-types for the following attributes:
IANA should allocate these numbers from the standard RADIUS Attributes space using the "IETF Review" policy [RFC5226] (Narten, T. and H. Alvestrand, “Guidelines for Writing an IANA Considerations Section in RFCs,” May 2008.).
TOC |
The authors would like to thank Alfred Hines for his contributions and comments to this document.
TOC |
TOC |
[RFC2119] | Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML). |
[RFC4862] | Thomson, S., Narten, T., and T. Jinmei, “IPv6 Stateless Address Autoconfiguration,” RFC 4862, September 2007 (TXT). |
TOC |
[RFC2868] | Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M., and I. Goyret, “RADIUS Attributes for Tunnel Protocol Support,” RFC 2868, June 2000 (TXT). |
[RFC3162] | Aboba, B., Zorn, G., and D. Mitton, “RADIUS and IPv6,” RFC 3162, August 2001 (TXT). |
[RFC4191] | Draves, R. and D. Thaler, “Default Router Preferences and More-Specific Routes,” RFC 4191, November 2005 (TXT). |
[RFC5006] | Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, “IPv6 Router Advertisement Option for DNS Configuration,” RFC 5006, September 2007 (TXT). |
[RFC5226] | Narten, T. and H. Alvestrand, “Guidelines for Writing an IANA Considerations Section in RFCs,” BCP 26, RFC 5226, May 2008 (TXT). |
TOC |
Benoit Lourdelet (editor) | |
Cisco Systems, Inc. | |
Village ent. GreenSide, Bat T3, | |
400, Av de Roumanille, | |
06410 BIOT - Sophia-Antipolis Cedex | |
France | |
Phone: | +33 4 97 23 26 23 |
Email: | blourdel@cisco.com |
Wojciech Dec | |
Cisco Systems, Inc. | |
Haarlerbergweg 13-19 | |
Amsterdam , NOORD-HOLLAND 1101 CH | |
Netherlands | |
Email: | wdec@cisco.com |
Behcet Sarikaya | |
Huawei USA | |
1700 Alma Dr. Suite 500 | |
Plano, TX | |
US | |
Phone: | +1 972-509-5599 |
Email: | sarikaya@ieee.org |
Glen Zorn (editor) | |
Network Zen | |
1310 East Thomas Street | |
Seattle, WA | |
US | |
Email: | gwz@net-zen.net |