draft-ietf-radext-delegated-prefix-01.txt | draft-ietf-radext-delegated-prefix-02.txt | |||
---|---|---|---|---|
Network Working Group J. Salowey | Network Working Group J. Salowey | |||
Internet-Draft R. Droms | Internet-Draft R. Droms | |||
Intended status: Standards Track Cisco Systems, Inc. | Intended status: Standards Track Cisco Systems, Inc. | |||
Expires: November 24, 2006 May 23, 2006 | Expires: January 11, 2007 July 10, 2006 | |||
RADIUS Delegated-IPv6-Prefix Attribute | RADIUS Delegated-IPv6-Prefix Attribute | |||
draft-ietf-radext-delegated-prefix-01.txt | draft-ietf-radext-delegated-prefix-02.txt | |||
Status of this Memo | Status of this Memo | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
skipping to change at page 1, line 34 | skipping to change at page 1, line 34 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on November 24, 2006. | This Internet-Draft will expire on January 11, 2007. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society (2006). | Copyright (C) The Internet Society (2006). | |||
Abstract | Abstract | |||
This document defines a RADIUS (Remote Authentication Dial In User | This document defines a RADIUS (Remote Authentication Dial In User | |||
Service) attribute that carries an IPv6 prefix that is to be | Service) attribute that carries an IPv6 prefix that is to be | |||
delegated to the user. This attribute is usable within either RADIUS | delegated to the user. This attribute is usable within either RADIUS | |||
or Diameter. | or Diameter. | |||
1. Introduction | 1. Introduction | |||
The Delegated-IPv6-Prefix is a RADIUS attribute [1] that carries an | The Delegated-IPv6-Prefix is a RADIUS attribute [1] that carries an | |||
IPv6 prefix to be delegated to the user. For example, the prefix in | IPv6 prefix to be delegated to the user, for use in the user's | |||
a Delegated-IPv6-Prefix attribute can be delegated to another node | network. For example, the prefix in a Delegated-IPv6-Prefix | |||
through DHCP Prefix Delegation [2]. | attribute can be delegated to another node through DHCP Prefix | |||
Delegation [2]. | ||||
The Framed-IPv6-Prefix attribute [4] serves a similar purpose, but | ||||
may also be used for other purposes other than delegating a prefix | ||||
for use in a user's network. Definition of the Delegated-IPv6-Prefix | ||||
allows the simultaneous use of the Framed-IPv6-Prefix for other | ||||
purposes and the Delegated-IPv6-Prefix for prefix delegation. | ||||
2. Terminology | 2. Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in RFC 2119 [3]. | document are to be interpreted as described in RFC 2119 [3]. | |||
3. Attribute format | 3. Attribute format | |||
The format of the Delegated-IPv6-Prefix is: | The format of the Delegated-IPv6-Prefix is: | |||
skipping to change at page 2, line 39 | skipping to change at page 3, line 4 | |||
Prefix | Prefix | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
Prefix | Prefix | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
Prefix | | Prefix | | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
Type | Type | |||
TBD for Delegated-IPv6-Prefix | TBD for Delegated-IPv6-Prefix | |||
Length | Length | |||
At least 4 and no larger than 20 | The length of the entire attribute, in bytes. At least 4 | |||
(to hold Type/Length/Reserved/Prefix-Length for a 0-bit | ||||
prefix), and no larger than 20 (to hold Type/Length/ | ||||
Reserved/Prefix-Length for a 128-bit prefix) | ||||
Reserved | Reserved | |||
Always set to zero | Always set to zero by sender; ignored by receiver | |||
Prefix-Length | Prefix-Length | |||
The length of the prefix, in bits. At least 0 and no larger | The length of the prefix being delegated, in bits. At least | |||
than 128 | 0 and no larger than 128 bits (identifying a single IPv6 | |||
address) | ||||
Note that the prefix field is only required to be long enough to hold | Note that the prefix field is only required to be long enough to hold | |||
the prefix bits and can be shorter than 16 bytes. Any bits in the | the prefix bits and can be shorter than 16 bytes. Any bits in the | |||
prefix field that are not part of the prefix MUST be zero. | prefix field that are not part of the prefix MUST be zero. | |||
The definition of the Delegated-IPv6-Prefix Attribute is based on the | The definition of the Delegated-IPv6-Prefix Attribute is based on the | |||
Framed-IPv6-Prefix attribute. | Framed-IPv6-Prefix attribute [4]. | |||
The Delegated-IPv6-Prefix MAY appear in an Access-Accept packet, and | The Delegated-IPv6-Prefix MAY appear in an Access-Accept packet, and | |||
can appear multiple times. It MAY appear in an Access-Request packet | can appear multiple times. It MAY appear in an Access-Request packet | |||
as a hint by the NAS to the server that it would prefer these | as a hint by the NAS to the server that it would prefer these | |||
prefix(es), but the server is not required to honor the hint. | prefix(es), but the server is not required to honor the hint. | |||
The Delegated-IPv6-Prefix attribute MAY appear in an Accounting- | The Delegated-IPv6-Prefix attribute MAY appear in an Accounting- | |||
Request packet. | Request packet. | |||
The Delegated-IPv6-Prefix MUST NOT appear in any other RADIUS | The Delegated-IPv6-Prefix MUST NOT appear in any other RADIUS | |||
packets. | packets. | |||
The following table describes which messages the Delegated-IPv6- | The following table describes which messages the Delegated-IPv6- | |||
Prefix attribute can appear in and in what quantity. | Prefix attribute can appear in and in what quantity. | |||
Request Accept Accounting # Attribute | +------------------------------------------------------+ | |||
Request | | Request Accept Accounting # Attribute | | |||
0+ 0+ 0+ TBD Delegated-IPv6-Prefix | | Request | | |||
| 0+ 0+ 0+ TBD Delegated-IPv6-Prefix | | ||||
+------------------------------------------------------+ | ||||
In this table 0+ means that zero or more instances of this attribute | In this table 0+ means that zero or more instances of this attribute | |||
MAY be present in packet. This attribute MUST NOT appear in any | MAY be present in packet. This attribute MUST NOT appear in any | |||
packet not listed in the table. | packet not listed in the table. | |||
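The following is an added example, not code from the draft or from any RADIUS implementation, showing the section 3 attribute layout (Type/Length/Reserved/Prefix-Length/Prefix) as an encoder and a validating decoder, plus the packet-applicability rule from the section 3 table. The Type value is TBD in the draft, so the code takes it as a parameter; the placeholder value 200 used below (from the RFC 2865 experimental range) is an assumption, not an assignment. The decoder enforces the two checks a receiver actually needs: Length within 4..20 and consistent with the bytes on the wire, and the prefix bits beyond Prefix-Length being zero. Reserved is accepted as-is, following the -02 wording "ignored by receiver".

```python
"""Delegated-IPv6-Prefix RADIUS attribute: encode, decode, applicability.

Added example, not part of draft-ietf-radext-delegated-prefix.  The Type
value is TBD in the draft and is therefore a parameter everywhere here.
"""
import ipaddress
import struct

# RADIUS packet codes from RFC 2865 / RFC 2866 (standard values).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCOUNTING_REQUEST = 4
# Section 3 table: zero or more instances allowed in exactly these packets.
ALLOWED_PACKET_CODES = {ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST}

# Placeholder only: the real Type is TBD (IANA assignment pending in the draft).
ASSUMED_TYPE = 200


def encode_delegated_prefix(attr_type: int, prefix: str) -> bytes:
    """Build Type|Length|Reserved|Prefix-Length|Prefix for an IPv6 prefix.

    The Prefix field is only as long as needed to hold the prefix bits, so a
    /56 is carried in 7 bytes and Length is 4 + 7 = 11.  A /0 gives Length 4,
    a /128 gives Length 20, matching the bounds in section 3.
    """
    # strict=True rejects a prefix with non-zero host bits (they MUST be zero).
    net = ipaddress.IPv6Network(prefix, strict=True)
    plen = net.prefixlen
    nbytes = (plen + 7) // 8
    prefix_bytes = net.network_address.packed[:nbytes]
    length = 4 + nbytes
    if not 4 <= length <= 20:
        raise ValueError("attribute length %d outside 4..20" % length)
    return struct.pack("!BBBB", attr_type, length, 0, plen) + prefix_bytes


def decode_delegated_prefix(data: bytes, attr_type: int) -> ipaddress.IPv6Network:
    """Parse one attribute and validate it; raises ValueError on any violation."""
    if len(data) < 4:
        raise ValueError("attribute shorter than the 4-byte minimum")
    t, length, _reserved, plen = struct.unpack("!BBBB", data[:4])
    if t != attr_type:
        raise ValueError("unexpected attribute type %d" % t)
    if not 4 <= length <= 20:
        raise ValueError("Length %d outside 4..20" % length)
    if length != len(data):
        raise ValueError("Length %d does not match %d bytes present" % (length, len(data)))
    # Reserved: set to zero by the sender, ignored here as the -02 text says.
    if plen > 128:
        raise ValueError("Prefix-Length %d exceeds 128" % plen)
    prefix_field = data[4:]
    if len(prefix_field) < (plen + 7) // 8:
        raise ValueError("prefix field too short for Prefix-Length %d" % plen)
    # Pad to a full address, then require every bit past Prefix-Length to be
    # zero (section 3: "Any bits ... not part of the prefix MUST be zero").
    padded = prefix_field + b"\x00" * (16 - len(prefix_field))
    addr = ipaddress.IPv6Address(padded)
    net = ipaddress.IPv6Network((addr, plen), strict=False)
    if net.network_address != addr:
        raise ValueError("non-zero bits beyond Prefix-Length")
    return net


def attribute_allowed_in(packet_code: int) -> bool:
    """Section 3 table: MAY appear (0+) in Access-Request, Access-Accept and
    Accounting-Request; MUST NOT appear in any other packet."""
    return packet_code in ALLOWED_PACKET_CODES


if __name__ == "__main__":
    wire = encode_delegated_prefix(ASSUMED_TYPE, "2001:db8:1234:5600::/56")
    print(wire.hex(), decode_delegated_prefix(wire, ASSUMED_TYPE))
```

A NAS that receives the attribute in an Access-Accept would run decode_delegated_prefix before handing the prefix to DHCP Prefix Delegation; a server that receives it in an Access-Request treats the decoded value only as a hint.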
4. Diameter Considerations | 4. Diameter Considerations | |||
A definition is needed for an identical attribute with the same Type | When used in Diameter, the attribute defined in this specification | |||
value for Diameter [4]. The attribute should be available as part of | can be used as a Diameter AVP from the Code space 1-255, i.e., RADIUS | |||
the NASREQ application [5], as well as the Diameter EAP application | attribute compatibility space. No additional Diameter Code values | |||
[6]. | are therefore allocated. The data types of the attributes are as | |||
follows: | ||||
Delegated-IPv6-Prefix OctetString | ||||
The attribute in this specification has no special translation | ||||
requirements for Diameter to RADIUS or RADIUS to Diameter gateways, | ||||
i.e., the attribute is copied as is, except for changes relating to | ||||
headers, alignment, and padding. See also RFC 3588 [5], Section 4.1, | ||||
and RFC 4005 [6], Section 9. | ||||
The text in this specification describing the applicability of the | ||||
Delegated-IPv6-Prefix attribute for RADIUS Access-Request applies in | ||||
Diameter to AA-Request [6] or Diameter-EAP-Request [7]. | ||||
The text in this specification describing the applicability of the | ||||
Delegated-IPv6-Prefix attribute for RADIUS Access-Accept applies in | ||||
Diameter to AA-Answer or Diameter-EAP-Answer that indicates success. | ||||
The text in this specification describing the applicability of the | ||||
Delegated-IPv6-Prefix attribute for RADIUS Accounting-Request applies | ||||
to Diameter Accounting-Request [6] as well. | ||||
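As an added example, not code from the draft or from RFC 4005, the following shows what the section 4 statement "copied as is, except for changes relating to headers, alignment, and padding" means for a RADIUS-to-Diameter gateway: the RADIUS Type becomes the AVP Code in the 1-255 compatibility space, the RADIUS Length is replaced by the 24-bit AVP Length, and the OctetString data is padded to a 32-bit boundary. The AVP header layout is the one in RFC 3588 section 4.1. The sample attribute bytes are constructed with a placeholder Type of 200 (the real Type is TBD), and the default of setting the M bit is an assumption left to the caller's policy under RFC 4005 section 9.

```python
"""RADIUS attribute <-> Diameter AVP translation for a 1-255 code-space AVP.

Added example, not part of the draft.  Delegated-IPv6-Prefix is carried as an
OctetString AVP, so the data bytes (Reserved|Prefix-Length|Prefix) are copied
unchanged; only the header and padding differ.
"""
import struct

AVP_FLAG_V = 0x80   # Vendor-Specific: must be clear for base 1-255 codes
AVP_FLAG_M = 0x40   # Mandatory


def radius_attr_to_diameter_avp(attr: bytes, flags: int = AVP_FLAG_M) -> bytes:
    """Wrap one RADIUS Type/Length/Data attribute as a Diameter AVP.

    The default of setting M is an assumption; RFC 4005 section 9 governs it.
    """
    if len(attr) < 2 or attr[1] != len(attr):
        raise ValueError("malformed RADIUS attribute")
    if flags & AVP_FLAG_V:
        raise ValueError("V bit must be clear: no Vendor-ID in the 1-255 space")
    code, data = attr[0], attr[2:]
    avp_len = 8 + len(data)                 # header + data, padding excluded
    header = struct.pack("!II", code, (flags << 24) | avp_len)
    pad = (-len(data)) % 4                  # align the next AVP to 32 bits
    return header + data + b"\x00" * pad


def diameter_avp_to_radius_attr(avp: bytes) -> bytes:
    """Reverse direction: strip the AVP header and padding, rebuild Type/Length."""
    if len(avp) < 8:
        raise ValueError("AVP shorter than its 8-byte header")
    code, flags_len = struct.unpack("!II", avp[:8])
    flags, avp_len = flags_len >> 24, flags_len & 0xFFFFFF
    if flags & AVP_FLAG_V:
        raise ValueError("vendor-specific AVP has no base RADIUS attribute")
    if not 1 <= code <= 255:
        raise ValueError("AVP Code %d outside the RADIUS-compatible 1..255 space" % code)
    data = avp[8:avp_len]
    if len(data) != avp_len - 8:
        raise ValueError("AVP truncated")
    if 2 + len(data) > 255:
        raise ValueError("data too long for a one-byte RADIUS Length")
    return bytes([code, 2 + len(data)]) + data


if __name__ == "__main__":
    # Constructed sample: Type 200 (placeholder), Length 11, Reserved 0,
    # Prefix-Length 56, Prefix 2001:db8:1234:5600::/56 in 7 bytes.
    sample = b"\xc8\x0b\x00\x38\x20\x01\x0d\xb8\x12\x34\x56"
    avp = radius_attr_to_diameter_avp(sample)
    print(avp.hex(), diameter_avp_to_radius_attr(avp) == sample)
```

The round trip is lossless because the RADIUS data is carried verbatim; what a gateway must not do is reinterpret the prefix bytes, which is exactly the "no special translation requirements" property the section relies on.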
5. IANA Considerations | 5. IANA Considerations | |||
IANA is requested to assign a Type value, TBD, for this attribute | IANA is requested to assign a Type value, TBD, for this attribute | |||
from the RADIUS Types registry. | from the RADIUS Attribute Types registry. | |||
6. Security Considerations | 6. Security Considerations | |||
Known security vulnerabilities of the RADIUS protocol are discussed | Known security vulnerabilities of the RADIUS protocol are discussed | |||
in RFC 2607 [7], RFC 2865 [1] and RFC 2869 [8]. Use of IPsec [9] for | in RFC 2607 [8], RFC 2865 [1] and RFC 2869 [9]. Use of IPsec [10] | |||
providing security when RADIUS is carried in IPv6 is discussed in RFC | for providing security when RADIUS is carried in IPv6 is discussed in | |||
3162 [10]. | RFC 3162. | |||
Security considerations for the Diameter protocol are discussed in | ||||
RFC 3588 [5]. | ||||
7. Change Log | 7. Change Log | |||
This section to be removed before publication as an RFC. | ||||
The following changes were made in revision -01 of this document: | The following changes were made in revision -01 of this document: | |||
o Added additional details to Abstract; defined that this attribute | o Added additional details to Abstract; defined that this attribute | |||
can be used in both RADIUS and Diameter. (Issue 188) | can be used in both RADIUS and Diameter. (Issue 188) | |||
o Moved and clarified text describing which packets this attribute | o Moved and clarified text describing which packets this attribute | |||
can appear in adjacent to table in section 3. (Issue 188) | can appear in adjacent to table in section 3. (Issue 188) | |||
o Fixed RFC 2119 boilerplate in section 2. (Issue 185) | o Fixed RFC 2119 boilerplate in section 2. (Issue 185) | |||
o Fixed table in section 3 to clarify which packets this attribute | o Fixed table in section 3 to clarify which packets this attribute | |||
cannot appear in. (Issue 188) | cannot appear in. (Issue 188) | |||
o Added section 4, Diameter Considerations. (Issue 188) | o Added section 4, Diameter Considerations. (Issue 188) | |||
o Made some references in section 6, Security Considerations, | o Made some references in section 6, Security Considerations, | |||
Informative rather than Normative. (Issue 188) | Informative rather than Normative. (Issue 188) | |||
o Updated reference to RFC 2401 [9] to RFC 4301. (Issue 188) | o Updated reference to RFC 2401 [9] to RFC 4301. (Issue 188) | |||
o Changed "IP SEC" to "IPsec" in section 6. (Issues 185 and 188) | o Changed "IP SEC" to "IPsec" in section 6. (Issues 185 and 188) | |||
The following changes were made in revision -02 of this document: | ||||
o Added a second paragraph to the Introduction, referencing the | ||||
Framed-IPv6-Prefix attribute | ||||
o Improved description of attribute fields in section 3 | ||||
o Added border to table in section 3 | ||||
o Updated Section 4, Diameter Considerations, to describe how this | ||||
attribute would be used in Diameter. | ||||
o Added reference to RFC 3588 in Section 6, Security Considerations. | ||||
8. References | 8. References | |||
8.1. Normative References | 8.1. Normative References | |||
[1] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote | [1] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote | |||
Authentication Dial In User Service (RADIUS)", RFC 2865, | Authentication Dial In User Service (RADIUS)", RFC 2865, | |||
June 2000. | June 2000. | |||
[2] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic Host | [2] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic Host | |||
Configuration Protocol (DHCP) version 6", RFC 3633, | Configuration Protocol (DHCP) version 6", RFC 3633, | |||
December 2003. | December 2003. | |||
[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement | [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement | |||
Levels", BCP 14, RFC 2119, March 1997. | Levels", BCP 14, RFC 2119, March 1997. | |||
8.2. Non-normative References | 8.2. Non-normative References | |||
[4] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, | [4] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", | |||
RFC 3162, August 2001. | ||||
[5] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, | ||||
"Diameter Base Protocol", RFC 3588, September 2003. | "Diameter Base Protocol", RFC 3588, September 2003. | |||
[5] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, "Diameter | [6] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, "Diameter | |||
Network Access Server Application", RFC 4005, August 2005. | Network Access Server Application", RFC 4005, August 2005. | |||
[6] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible | [7] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible | |||
Authentication Protocol (EAP) Application", RFC 4072, | Authentication Protocol (EAP) Application", RFC 4072, | |||
August 2005. | August 2005. | |||
[7] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy | [8] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy | |||
Implementation in Roaming", RFC 2607, June 1999. | Implementation in Roaming", RFC 2607, June 1999. | |||
[8] Rigney, C., Willats, W., and P. Calhoun, "RADIUS Extensions", | [9] Rigney, C., Willats, W., and P. Calhoun, "RADIUS Extensions", | |||
RFC 2869, June 2000. | RFC 2869, June 2000. | |||
[9] Kent, S. and K. Seo, "Security Architecture for the Internet | [10] Kent, S. and K. Seo, "Security Architecture for the Internet | |||
Protocol", RFC 4301, December 2005. | Protocol", RFC 4301, December 2005. | |||
[10] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", | ||||
RFC 3162, August 2001. | ||||
Authors' Addresses | Authors' Addresses | |||
Joe Salowey | Joe Salowey | |||
Cisco Systems, Inc. | Cisco Systems, Inc. | |||
2901 Third Avenue | 2901 Third Avenue | |||
Seattle, WA 98121 | Seattle, WA 98121 | |||
USA | USA | |||
Phone: +1 206.310.0596 | Phone: +1 206.310.0596 | |||
Email: jsalowey@cisco.com | Email: jsalowey@cisco.com | |||
End of changes. 22 change blocks. | ||||
32 lines changed or deleted | 80 lines changed or added | |||