| draft-ietf-radext-ip-port-radius-ext-09.txt | draft-ietf-radext-ip-port-radius-ext-10.txt | |||
|---|---|---|---|---|
| Network Working Group D. Cheng | Network Working Group D. Cheng | |||
| Internet-Draft Huawei | Internet-Draft Huawei | |||
| Intended status: Standards Track J. Korhonen | Intended status: Standards Track J. Korhonen | |||
| Expires: September 18, 2016 Broadcom Corporation | Expires: January 29, 2017 Broadcom Corporation | |||
| M. Boucadair | M. Boucadair | |||
| Orange | Orange | |||
| S. Sivakumar | S. Sivakumar | |||
| Cisco Systems | Cisco Systems | |||
| March 17, 2016 | July 28, 2016 | |||
| RADIUS Extensions for IP Port Configuration and Reporting | RADIUS Extensions for IP Port Configuration and Reporting | |||
| draft-ietf-radext-ip-port-radius-ext-09 | draft-ietf-radext-ip-port-radius-ext-10 | |||
| Abstract | Abstract | |||
| This document defines three new RADIUS attributes. For devices that | This document defines three new RADIUS attributes. For devices that | |||
| implementing IP port ranges, these attributes are used to communicate | implement IP port ranges, these attributes are used to communicate | |||
| with a RADIUS server in order to configure and report TCP/UDP ports | with a RADIUS server in order to configure and report TCP/UDP ports | |||
| and ICMP identifiers, as well as mapping behavior for specific hosts. | and ICMP identifiers, as well as mapping behavior for specific hosts. | |||
| This mechanism can be used in various deployment scenarios such as | This mechanism can be used in various deployment scenarios such as | |||
| Carrier-Grade NAT, IPv4/IPv6 translators, Provider WLAN Gateway, etc. | Carrier-Grade NAT, IPv4/IPv6 translators, Provider WLAN Gateway, etc. | |||
| Requirements Language | Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| skipping to change at page 1, line 46 ¶ | skipping to change at page 1, line 46 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 18, 2016. | This Internet-Draft will expire on January 29, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 51 ¶ | skipping to change at page 2, line 51 ¶ | |||
| 4. Applications, Use Cases and Examples . . . . . . . . . . . . 23 | 4. Applications, Use Cases and Examples . . . . . . . . . . . . 23 | |||
| 4.1. Managing CGN Port Behavior using RADIUS . . . . . . . . . 23 | 4.1. Managing CGN Port Behavior using RADIUS . . . . . . . . . 23 | |||
| 4.1.1. Configure IP Port Limit for a User . . . . . . . . . 24 | 4.1.1. Configure IP Port Limit for a User . . . . . . . . . 24 | |||
| 4.1.2. Report IP Port Allocation/Deallocation . . . . . . . 26 | 4.1.2. Report IP Port Allocation/Deallocation . . . . . . . 26 | |||
| 4.1.3. Configure Forwarding Port Mapping . . . . . . . . . . 27 | 4.1.3. Configure Forwarding Port Mapping . . . . . . . . . . 27 | |||
| 4.1.4. An Example . . . . . . . . . . . . . . . . . . . . . 29 | 4.1.4. An Example . . . . . . . . . . . . . . . . . . . . . 29 | |||
| 4.2. Report Assigned Port Set for a Visiting UE . . . . . . . 30 | 4.2. Report Assigned Port Set for a Visiting UE . . . . . . . 30 | |||
| 5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 31 | 5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 32 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 32 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 | |||
| 7.1. IANA Considerations on New IPFIX Information Elements . . 32 | 7.1. IANA Considerations on New IPFIX Information Elements . . 33 | |||
| 7.2. IANA Considerations on New RADIUS Attributes . . . . . . 33 | 7.2. IANA Considerations on New RADIUS Attributes . . . . . . 33 | |||
| 7.3. IANA Considerations on New RADIUS TLVs . . . . . . . . . 33 | 7.3. IANA Considerations on New RADIUS TLVs . . . . . . . . . 34 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 33 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 34 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 34 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 34 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 34 | 9.2. Informative References . . . . . . . . . . . . . . . . . 35 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| 1. Introduction | 1. Introduction | |||
| In a broadband network, customer information is usually stored on a | In a broadband network, customer information is usually stored on a | |||
| RADIUS server [RFC2865]. At the time when a user initiates an IP | RADIUS server [RFC2865]. At the time when a user initiates an IP | |||
| connection request, if this request is authorized, the RADIUS server | connection request, if this request is authorized, the RADIUS server | |||
| will populate the user's configuration information to the Network | will populate the user's configuration information to the Network | |||
| Access Server (NAS), which is often referred to as a Broadband | Access Server (NAS), which is often referred to as a Broadband | |||
| Network Gateway (BNG) in broadband access networks. The Carrier- | Network Gateway (BNG) in broadband access networks. The Carrier- | |||
| skipping to change at page 5, line 19 ¶ | skipping to change at page 5, line 19 ¶ | |||
| o Internal Port: is a UDP or TCP port, or an ICMP identifier, which | o Internal Port: is a UDP or TCP port, or an ICMP identifier, which | |||
| is allocated by a host or application behind a device supporting | is allocated by a host or application behind a device supporting | |||
| port ranges for an outbound IP packet in the internal realm. | port ranges for an outbound IP packet in the internal realm. | |||
| o External Port: is a UDP or TCP port, or an ICMP identifier, which | o External Port: is a UDP or TCP port, or an ICMP identifier, which | |||
| is allocated by a device supporting port ranges upon receiving an | is allocated by a device supporting port ranges upon receiving an | |||
| outbound IP packet in the internal realm, and is used to replace | outbound IP packet in the internal realm, and is used to replace | |||
| the internal port that is allocated by a user or application. | the internal port that is allocated by a user or application. | |||
| o External realm: refers to the networking segment where external IP | o External realm: refers to the networking segment where external IP | |||
| addresses are used in respective of the device supporting port | addresses are used as source addresses of outbound packets | |||
| ranges. | forwarded by a device supporting port ranges. | |||
| o Internal realm: refers to the networking segment that is behind a | o Internal realm: refers to the networking segment that is behind a | |||
| device supporting port ranges and where internal IP addresses are | device supporting port ranges and where internal IP addresses are | |||
| used. | used. | |||
| o Mapping: associates with a device supporting port ranges for a | o Mapping: associates with a device supporting port ranges for a | |||
| relationship between an internal IP address, internal port and the | relationship between an internal IP address, internal port and the | |||
| protocol, and an external IP address, external port, and the | protocol, and an external IP address, external port, and the | |||
| protocol. | protocol. | |||
| skipping to change at page 26, line 12 ¶ | skipping to change at page 26, line 12 ¶ | |||
| Figure 16: RADIUS Message Flow for changing a user's NAT44 port limit | Figure 16: RADIUS Message Flow for changing a user's NAT44 port limit | |||
| 4.1.2. Report IP Port Allocation/Deallocation | 4.1.2. Report IP Port Allocation/Deallocation | |||
| Upon obtaining the IP port limit for a user, the CGN device needs to | Upon obtaining the IP port limit for a user, the CGN device needs to | |||
| allocate a TCP/UDP port or an ICMP identifiers for the user when | allocate a TCP/UDP port or an ICMP identifiers for the user when | |||
| receiving a new IP flow sent from that user. | receiving a new IP flow sent from that user. | |||
| As one practice, a CGN may allocate a bulk of TCP/UDP ports or ICMP | As one practice, a CGN may allocate a bulk of TCP/UDP ports or ICMP | |||
| identifiers once at a time for a specific user, instead of one port/ | identifiers one at a time for a specific user, instead of one port/ | |||
| identifier at a time, and within each port bulk, the ports/ | identifier at a time, and within each port bulk, the ports/ | |||
| identifiers may be randomly distributed or in consecutive fashion. | identifiers may be randomly distributed or in consecutive fashion. | |||
| When a CGN device allocates bulk of TCP/UDP ports and ICMP | When a CGN device allocates bulk of TCP/UDP ports and ICMP | |||
| identifiers, the information can be easily conveyed to the RADIUS | identifiers, the information can be easily conveyed to the RADIUS | |||
| server by a new RADIUS attribute called the IP-Port-Range (defined in | server by a new RADIUS attribute called the IP-Port-Range (defined in | |||
| Section 3.1.2). The CGN device may allocate one or more TCP/UDP port | Section 3.1.2). The CGN device may allocate one or more TCP/UDP port | |||
| ranges or ICMP identifier ranges, or generally called IP port ranges, | ranges or ICMP identifier ranges, or generally called IP port ranges, | |||
| where each range contains a set of numbers representing TCP/UDP ports | where each range contains a set of numbers representing TCP/UDP ports | |||
| or ICMP identifiers, and the total number of ports/identifiers must | or ICMP identifiers, and the total number of ports/identifiers must | |||
| be less or equal to the associated IP port limit imposed for that | be less or equal to the associated IP port limit imposed for that | |||
| skipping to change at page 32, line 22 ¶ | skipping to change at page 32, line 22 ¶ | |||
| 0+ 0+ 0 0 0+ TBA IP-Port-Forwarding-Map | 0+ 0+ 0 0 0+ TBA IP-Port-Forwarding-Map | |||
| The following table defines the meaning of the above table entries. | The following table defines the meaning of the above table entries. | |||
| 0 This attribute MUST NOT be present in packet. | 0 This attribute MUST NOT be present in packet. | |||
| 0+ Zero or more instances of this attribute MAY be present in packet. | 0+ Zero or more instances of this attribute MAY be present in packet. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| This document does not introduce any security issue other than the | This document does not introduce any security issue other than the | |||
| ones already identified in RADIUS [RFC2865]. | ones already identified in RADIUS [RFC2865] and [RFC5176] for CoA | |||
| messages. Known RADIUS vulnerabilities apply to this specification. | ||||
| For example, if RADIUS packets are sent in the clear, an attacker in | ||||
| the communication path between the RADIUS client and server may glean | ||||
| information that it will use to prevent a legitimate user to access | ||||
| the service by appropriately setting the maximum number of IP ports | ||||
| conveyed in an IP-Port-Limit-Info attribute, exhaust the port quota | ||||
| of a user by installing many mapping entries (IP-Port-Forwarding-Map | ||||
| attribute), prevent incoming traffic to be delivered to its | ||||
| legitimate destination by manipulating the mapping entries installed | ||||
| by means of an IP-Port-Forwarding-Map attribute, discover the IP | ||||
| address and port range assigned to a given user and which is reported | ||||
| in an IP-Port-Range attribute, etc. The root cause of these attack | ||||
| vectors is the communication between the RADIUS client and server. | ||||
| This document targets deployed where a trusted relationship is in | ||||
| place between the RADIUS client and server with communication | ||||
| optionally secured by IPsec or Transport Layer Security (TLS) | ||||
| [RFC6614]. | ||||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document requires new code point assignments for both IPFIX | This document requires new code point assignments for both IPFIX | |||
| Information Elements and RADIUS attributes as explained in the | Information Elements and RADIUS attributes as explained in the | |||
| following sub-sections. | following sub-sections. | |||
| It is assumed that Extended-Type-1 "241" will be used for RADIUS | It is assumed that Extended-Type-1 "241" will be used for RADIUS | |||
| attributes in Section 7.2. | attributes in Section 7.2. | |||
| skipping to change at page 34, line 5 ¶ | skipping to change at page 34, line 29 ¶ | |||
| IP-Port-Range-Start 9 see Section 3.2.9 | IP-Port-Range-Start 9 see Section 3.2.9 | |||
| IP-Port-Range-End 10 see Section 3.2.10 | IP-Port-Range-End 10 see Section 3.2.10 | |||
| IP-Port-Local-Id 11 see Section 3.2.11 | IP-Port-Local-Id 11 see Section 3.2.11 | |||
| 8. Acknowledgements | 8. Acknowledgements | |||
| Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David | Many thanks to Dan Wing, Roberta Maglione, Daniel Derksen, David | |||
| Thaler, Alan Dekok, Lionel Morand, and Peter Deacon for their useful | Thaler, Alan Dekok, Lionel Morand, and Peter Deacon for their useful | |||
| comments and suggestions. | comments and suggestions. | |||
| Special thanks to Lionel Morand for the Shepherd review. | Special thanks to Lionel Morand for the Shepherd review and to | |||
| Kathleen Moriarty for the AD review. | ||||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [IPFIX] IANA, "IP Flow Information Export (IPFIX) Entities", | [IPFIX] IANA, "IP Flow Information Export (IPFIX) Entities", | |||
| <http://www.iana.org/assignments/ipfix/ipfix.xhtml>. | <http://www.iana.org/assignments/ipfix/ipfix.xhtml>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| skipping to change at page 35, line 31 ¶ | skipping to change at page 36, line 5 ¶ | |||
| [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and | [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and | |||
| P. Roberts, "Issues with IP Address Sharing", RFC 6269, | P. Roberts, "Issues with IP Address Sharing", RFC 6269, | |||
| DOI 10.17487/RFC6269, June 2011, | DOI 10.17487/RFC6269, June 2011, | |||
| <http://www.rfc-editor.org/info/rfc6269>. | <http://www.rfc-editor.org/info/rfc6269>. | |||
| [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- | [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual- | |||
| Stack Lite Broadband Deployments Following IPv4 | Stack Lite Broadband Deployments Following IPv4 | |||
| Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011, | Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011, | |||
| <http://www.rfc-editor.org/info/rfc6333>. | <http://www.rfc-editor.org/info/rfc6333>. | |||
| [RFC6614] Winter, S., McCauley, M., Venaas, S., and K. Wierenga, | ||||
| "Transport Layer Security (TLS) Encryption for RADIUS", | ||||
| RFC 6614, DOI 10.17487/RFC6614, May 2012, | ||||
| <http://www.rfc-editor.org/info/rfc6614>. | ||||
| [RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable | [RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable | |||
| Operation of Address Translators with Per-Interface | Operation of Address Translators with Per-Interface | |||
| Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012, | Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012, | |||
| <http://www.rfc-editor.org/info/rfc6619>. | <http://www.rfc-editor.org/info/rfc6619>. | |||
| [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and | [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and | |||
| P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, | P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, | |||
| DOI 10.17487/RFC6887, April 2013, | DOI 10.17487/RFC6887, April 2013, | |||
| <http://www.rfc-editor.org/info/rfc6887>. | <http://www.rfc-editor.org/info/rfc6887>. | |||
| End of changes. 13 change blocks. | ||||
| 14 lines changed or deleted | 38 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||