draft-ietf-radext-ip-port-radius-ext-14.txt   draft-ietf-radext-ip-port-radius-ext-15.txt 
Network Working Group D. Cheng Network Working Group D. Cheng
Internet-Draft Huawei Internet-Draft Huawei
Intended status: Standards Track J. Korhonen Intended status: Standards Track J. Korhonen
Expires: April 21, 2017 Broadcom Corporation Expires: April 24, 2017 Broadcom Corporation
M. Boucadair M. Boucadair
Orange Orange
S. Sivakumar S. Sivakumar
Cisco Systems Cisco Systems
October 18, 2016 October 21, 2016
RADIUS Extensions for IP Port Configuration and Reporting RADIUS Extensions for IP Port Configuration and Reporting
draft-ietf-radext-ip-port-radius-ext-14 draft-ietf-radext-ip-port-radius-ext-15
Abstract Abstract
This document defines three new RADIUS attributes. For devices that This document defines three new RADIUS attributes. For devices that
implement IP port ranges, these attributes are used to communicate implement IP port ranges, these attributes are used to communicate
with a RADIUS server in order to configure and report IP transport with a RADIUS server in order to configure and report IP transport
ports, as well as mapping behavior for specific hosts. This ports, as well as mapping behavior for specific hosts. This
mechanism can be used in various deployment scenarios such as mechanism can be used in various deployment scenarios such as
Carrier-Grade NAT, IPv4/IPv6 translators, Provider WLAN Gateway, etc. Carrier-Grade NAT, IPv4/IPv6 translators, Provider WLAN Gateway, etc.
This document defines a mapping between some RADIUS attributes and This document defines a mapping between some RADIUS attributes and
skipping to change at page 1, line 48 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 21, 2017. This Internet-Draft will expire on April 24, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 32 skipping to change at page 2, line 32
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Extensions of RADIUS Attributes and TLVs . . . . . . . . . . 5 3. Extensions of RADIUS Attributes and TLVs . . . . . . . . . . 5
3.1. Extended Attributes for IP Ports . . . . . . . . . . . . 6 3.1. Extended Attributes for IP Ports . . . . . . . . . . . . 6
3.1.1. IP-Port-Limit-Info Attribute . . . . . . . . . . . . 6 3.1.1. IP-Port-Limit-Info Attribute . . . . . . . . . . . . 6
3.1.2. IP-Port-Range Attribute . . . . . . . . . . . . . . . 8 3.1.2. IP-Port-Range Attribute . . . . . . . . . . . . . . . 8
3.1.3. IP-Port-Forwarding-Map Attribute . . . . . . . . . . 11 3.1.3. IP-Port-Forwarding-Map Attribute . . . . . . . . . . 11
3.2. RADIUS TLVs for IP Ports . . . . . . . . . . . . . . . . 13 3.2. RADIUS TLVs for IP Ports . . . . . . . . . . . . . . . . 13
3.2.1. IP-Port-Type TLV . . . . . . . . . . . . . . . . . . 14 3.2.1. IP-Port-Type TLV . . . . . . . . . . . . . . . . . . 14
3.2.2. IP-Port-Limit TLV . . . . . . . . . . . . . . . . . . 15 3.2.2. IP-Port-Limit TLV . . . . . . . . . . . . . . . . . . 15
3.2.3. IP-Port-Ext-IPv4-Addr TLV . . . . . . . . . . . . . . 15 3.2.3. IP-Port-Ext-IPv4-Addr TLV . . . . . . . . . . . . . . 16
3.2.4. IP-Port-Int-IPv4-Addr TLV . . . . . . . . . . . . . . 16 3.2.4. IP-Port-Int-IPv4-Addr TLV . . . . . . . . . . . . . . 16
3.2.5. IP-Port-Int-IPv6-Addr TLV . . . . . . . . . . . . . . 17 3.2.5. IP-Port-Int-IPv6-Addr TLV . . . . . . . . . . . . . . 17
3.2.6. IP-Port-Int-Port TLV . . . . . . . . . . . . . . . . 18 3.2.6. IP-Port-Int-Port TLV . . . . . . . . . . . . . . . . 18
3.2.7. IP-Port-Ext-Port TLV . . . . . . . . . . . . . . . . 19 3.2.7. IP-Port-Ext-Port TLV . . . . . . . . . . . . . . . . 19
3.2.8. IP-Port-Alloc TLV . . . . . . . . . . . . . . . . . . 20 3.2.8. IP-Port-Alloc TLV . . . . . . . . . . . . . . . . . . 20
3.2.9. IP-Port-Range-Start TLV . . . . . . . . . . . . . . . 21 3.2.9. IP-Port-Range-Start TLV . . . . . . . . . . . . . . . 21
3.2.10. IP-Port-Range-End TLV . . . . . . . . . . . . . . . . 22 3.2.10. IP-Port-Range-End TLV . . . . . . . . . . . . . . . . 22
3.2.11. IP-Port-Local-Id TLV . . . . . . . . . . . . . . . . 23 3.2.11. IP-Port-Local-Id TLV . . . . . . . . . . . . . . . . 22
4. Applications, Use Cases and Examples . . . . . . . . . . . . 24 4. Applications, Use Cases and Examples . . . . . . . . . . . . 24
4.1. Managing CGN Port Behavior using RADIUS . . . . . . . . . 24 4.1. Managing CGN Port Behavior using RADIUS . . . . . . . . . 24
4.1.1. Configure IP Port Limit for a User . . . . . . . . . 25 4.1.1. Configure IP Port Limit for a User . . . . . . . . . 24
4.1.2. Report IP Port Allocation/Deallocation . . . . . . . 27 4.1.2. Report IP Port Allocation/Deallocation . . . . . . . 26
4.1.3. Configure Forwarding Port Mapping . . . . . . . . . . 28 4.1.3. Configure Forwarding Port Mapping . . . . . . . . . . 28
4.1.4. An Example . . . . . . . . . . . . . . . . . . . . . 30 4.1.4. An Example . . . . . . . . . . . . . . . . . . . . . 30
4.2. Report Assigned Port Set for a Visiting UE . . . . . . . 31 4.2. Report Assigned Port Set for a Visiting UE . . . . . . . 31
5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 32 5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 32
6. Security Considerations . . . . . . . . . . . . . . . . . . . 33 6. Security Considerations . . . . . . . . . . . . . . . . . . . 33
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34
7.1. IANA Considerations on New IPFIX Information 7.1. IANA Considerations on New IPFIX Information
Elements . . . . . . . . . . . . . . . . . . . . . . . . 34 Elements . . . . . . . . . . . . . . . . . . . . . . . . 34
7.2. IANA Considerations on New RADIUS Attributes . . . . . . 34 7.2. IANA Considerations on New RADIUS Attributes . . . . . . 34
7.3. IANA Considerations on New RADIUS TLVs . . . . . . . . . 35 7.3. IANA Considerations on New RADIUS TLVs . . . . . . . . . 35
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 35 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 35
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 35 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 35
9.1. Normative References . . . . . . . . . . . . . . . . . . 35 9.1. Normative References . . . . . . . . . . . . . . . . . . 36
9.2. Informative References . . . . . . . . . . . . . . . . . 36 9.2. Informative References . . . . . . . . . . . . . . . . . 37
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 38 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39
1. Introduction 1. Introduction
In a broadband network, customer information is usually stored on a In a broadband network, customer information is usually stored on a
RADIUS server [RFC2865]. At the time when a user initiates an IP RADIUS server [RFC2865]. At the time when a user initiates an IP
connection request, if this request is authorized, the RADIUS server connection request, if this request is authorized, the RADIUS server
will populate the user's configuration information to the Network will populate the user's configuration information to the Network
Access Server (NAS), which is often referred to as a Broadband Access Server (NAS), which is often referred to as a Broadband
Network Gateway (BNG) in broadband access networks. The Carrier- Network Gateway (BNG) in broadband access networks. The Carrier-
Grade NAT (CGN) function may also be implemented on the BNG. Within Grade NAT (CGN) function may also be implemented on the BNG. Within
skipping to change at page 4, line 32 skipping to change at page 4, line 32
IPv6 address are mapped to an external source transport port IPv6 address are mapped to an external source transport port
along with the external IPv4 address. along with the external IPv4 address.
IPFIX Information Elements [RFC7012] can be used for IP flow IPFIX Information Elements [RFC7012] can be used for IP flow
identification and representation over RADIUS. This document identification and representation over RADIUS. This document
provides a mapping between some RADIUS TLVs and IPFIX Information provides a mapping between some RADIUS TLVs and IPFIX Information
Element Identifiers. A new IPFIX Information Element is defined by Element Identifiers. A new IPFIX Information Element is defined by
this document (see Section 3.2.2). this document (see Section 3.2.2).
IP protocol numbers (refer to [ProtocolNumbers]) can be used for IP protocol numbers (refer to [ProtocolNumbers]) can be used for
identification of IP transport protocols (e.g., TCP, UDP, DCCP, and identification of IP transport protocols (e.g., TCP [RFC0793], UDP
SCTP) that are associated with some RADIUS attributes. [RFC0768], DCCP [RFC4340], and SCTP [RFC4960]) that are associated
with some RADIUS attributes.
This document focuses on IPv4 address sharing. IPv6 prefix sharing This document focuses on IPv4 address sharing. IPv6 prefix sharing
mechanisms (e.g., NPTv6) are out of scope. mechanisms (e.g., NPTv6) are out of scope.
2. Terminology 2. Terminology
This document makes use of the following terms: This document makes use of the following terms:
o IP Port: refers to IP transport port (e.g., TCP port number, UDP o IP Port: refers to IP transport port (e.g., TCP port number, UDP
port number). port number).
o IP Port Type: refers to the IP transport protocol as indicated by o IP Port Type: refers to the IP transport protocol as indicated by
the IP transport protocol number, refer to (refer to the IP transport protocol number, refer to (refer to
[ProtocolNumbers]) [ProtocolNumbers])
o IP Port Limit: denotes the maximum number of IP ports for a o IP Port Limit: denotes the maximum number of IP ports for a
specific IP port type, that a device supporting port ranges can specific (or all) IP transport protocol(s), that a device
use when performing port number mappings for a specific user/host. supporting port ranges can use when performing port number
mappings for a specific user/host. Note, this limit is usually
Note, this limit is usually associated with one or more IPv4/IPv6 associated with one or more IPv4/IPv6 addresses.
addresses.
o IP Port Range: specifies a set of contiguous IP ports, indicated o IP Port Range: specifies a set of contiguous IP ports, indicated
by the lowest numerical number and the highest numerical number, by the lowest numerical number and the highest numerical number,
inclusively. inclusively.
o Internal IP Address: refers to the IP address that is used by a o Internal IP Address: refers to the IP address that is used by a
host as a source IP address in an outbound IP packet sent towards host as a source IP address in an outbound IP packet sent towards
a device supporting port ranges in the internal realm. The a device supporting port ranges in the internal realm. The
internal IP address may be IPv4 or IPv6. internal IP address may be IPv4 or IPv6.
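Review bot: the IP Port Type entry still reads "as indicated by the IP transport protocol number, refer to (refer to [ProtocolNumbers])" in both -14 and -15; the doubled "refer to" and the missing full stop should be fixed while this list is being edited. The reworded IP Port Limit entry ("specific (or all) IP transport protocol(s)") is clearer than the -14 text, but "all" now overlaps with Section 3.2.1, which excludes protocols that do not use port numbers (RSVP, ESP) from IP-Port-Type; a pointer to that restriction here would keep "all IP transport protocol(s)" from being read as including them.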
skipping to change at page 14, line 7 skipping to change at page 14, line 7
The TLVs that are included in the three attributes (see Section 3.1) The TLVs that are included in the three attributes (see Section 3.1)
are defined in the following sub-sections. These TLVs use the format are defined in the following sub-sections. These TLVs use the format
defined in [RFC6929]. As the three attributes carry similar data, we defined in [RFC6929]. As the three attributes carry similar data, we
have defined a common set of TLVs which are used for all three have defined a common set of TLVs which are used for all three
attributes. That is, the TLVs have the same name and number, when attributes. That is, the TLVs have the same name and number, when
encapsulated in any one of the three parent attributes. See encapsulated in any one of the three parent attributes. See
Section 3.1.1, Section 3.1.2, and Section 3.1.3 for a list of which Section 3.1.1, Section 3.1.2, and Section 3.1.3 for a list of which
TLV is permitted within which parent attribute. TLV is permitted within which parent attribute.
The encoding of the Value field of these TLVs follows the
recommendation of [RFC6158]. In particular, IP-Port-Type, IP-Port-
Limit, IP-Port-Int-Port, IP-Port-Ext-Port, IP-Port-Alloc, IP-Port-
Range-Start, and IP-Port-Range-End TLVs are encoded in 32 bits as per
the recommendation in Appendix A.2.1 of [RFC6158].
3.2.1. IP-Port-Type TLV 3.2.1. IP-Port-Type TLV
The format of IP-Port-Type TLV is shown in Figure 4. This attribute The format of IP-Port-Type TLV is shown in Figure 4. This attribute
carries the IP transport protocol number defined by IANA (refer to carries the IP transport protocol number defined by IANA (refer to
[ProtocolNumbers]) [ProtocolNumbers])
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV-Type | Length | Protocol-Number | TLV-Type | Length | Protocol-Number
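Review bot: consolidating the "encoded in 32 bits as per Appendix A.2.1 of [RFC6158]" sentence into Section 3.2 is an improvement over repeating it per TLV, but the bit-level packing rule (value right justified, unused bits MUST be set to zero) is now spelled out only in the Protocol-Number description of 3.2.1, so a reader could take it as specific to IP-Port-Type; state once in this new paragraph that all seven listed TLVs carry the value right justified with the unused high-order bits set to zero, and keep the per-TLV "MUST be set to zero" sentences only as restatements.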
skipping to change at page 14, line 33 skipping to change at page 14, line 39
TLV-Type TLV-Type
1 1
Length Length
6 6
Protocol-Number Protocol-Number
Integer. This field contains the data (unsigned8) of the port Integer. This field contains the data (unsigned8) of the protocol
number defined in [ProtocolNumbers], right justified, and the number defined in [ProtocolNumbers], right justified, and the
unused bits in this field MUST be set to zero. Protocols that do unused bits in this field MUST be set to zero. Protocols that do
not use a port number (e.g., Resource Reservation Protocol (RSVP), not use a port number (e.g., Resource Reservation Protocol (RSVP),
IP Encapsulating Security Payload (ESP)) MUST NOT be included in IP Encapsulating Security Payload (ESP)) MUST NOT be included in
the IP-Port-Type TLV. the IP-Port-Type TLV.
IP-Port-Type TLV MAY be included in the following Attributes: IP-Port-Type TLV MAY be included in the following Attributes:
o IP-Port-Limit-Info Attribute, identified as 241.TBD1.1 (see o IP-Port-Limit-Info Attribute, identified as 241.TBD1.1 (see
Section 3.1.1). Section 3.1.1).
o IP-Port-Range Attribute, identified as 241.TBD2.1 (see o IP-Port-Range Attribute, identified as 241.TBD2.1 (see
Section 3.1.2). Section 3.1.2).
o IP-Port-Forwarding-Map Attribute, identified as 241.TBD3.1 (see
Section 3.1.3).
When the IP-Port-Type TLV is included within a RADIUS Attribute, the When the IP-Port-Type TLV is included within a RADIUS Attribute, the
associated attribute is applied to the IP transport protocol as associated attribute is applied to the IP transport protocol as
indicated by the Protocol-Number only, such as TCP, UDP, SCTP indicated by the Protocol-Number only, such as TCP, UDP, SCTP, DCCP,
[RFC4960], DCCP [RFC4340], etc. etc.
3.2.2. IP-Port-Limit TLV 3.2.2. IP-Port-Limit TLV
The format of IP-Port-Limit TLV is shown in Figure 5. This attribute The format of IP-Port-Limit TLV is shown in Figure 5. This attribute
carries IPFIX Information Element "sourceTransportPortsLimit (TBAx1), carries IPFIX Information Element "sourceTransportPortsLimit (TBAx1),
which indicates the maximum number of IP transport ports as a limit which indicates the maximum number of IP transport ports as a limit
for an end user to use that is associated with one or more IPv4 or for an end user to use that is associated with one or more IPv4 or
IPv6 addresses. IPv6 addresses.
0 1 2 3 0 1 2 3
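Review bot: the new third bullet permits IP-Port-Type TLV inside IP-Port-Forwarding-Map (241.TBD3.1), yet Section 3.2 says that Sections 3.1.1, 3.1.2 and 3.1.3 are the authoritative list of which TLV is permitted within which parent attribute, and no matching change to Section 3.1.3 or to the Table of Attributes (Section 5) appears in this diff; please confirm both are updated in step so the three lists do not disagree. The "port number" to "protocol number" correction in the Protocol-Number description is right and matches the unsigned8, right-justified encoding already described there.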
skipping to change at page 18, line 43 skipping to change at page 18, line 43
If the internal realm is with IPv6 address family, the IP-Port-Int- If the internal realm is with IPv6 address family, the IP-Port-Int-
IPv6-Addr TLV MUST be included as part of the IP-Port-Forwarding-Map IPv6-Addr TLV MUST be included as part of the IP-Port-Forwarding-Map
Attribute (refer to Section 3.1.3), identified as 241.TBD3.5. Attribute (refer to Section 3.1.3), identified as 241.TBD3.5.
3.2.6. IP-Port-Int-Port TLV 3.2.6. IP-Port-Int-Port TLV
The format of IP-Port-Int-Port TLV is shown in Figure 9. This The format of IP-Port-Int-Port TLV is shown in Figure 9. This
attribute carries IPFIX Information Element 7, "sourceTransportPort", attribute carries IPFIX Information Element 7, "sourceTransportPort",
which is the source transport number associated with an internal IPv4 which is the source transport number associated with an internal IPv4
or IPv6 address (refer to [IPFIX]). The attribute is encoded in 32 or IPv6 address (refer to [IPFIX]).
bits as per the recommendation in Appendix A.2.1 of [RFC6158].
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV-Type | Length | sourceTransportPort | TLV-Type | Length | sourceTransportPort
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
sourceTransportPort | sourceTransportPort |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 9 Figure 9
skipping to change at page 19, line 38 skipping to change at page 19, line 38
IP-Port-Int-Port TLV MUST be included as part of the IP-Port- IP-Port-Int-Port TLV MUST be included as part of the IP-Port-
Forwarding-Map Attribute (refer to Section 3.1.3), identified as Forwarding-Map Attribute (refer to Section 3.1.3), identified as
241.TBD3.6. 241.TBD3.6.
3.2.7. IP-Port-Ext-Port TLV 3.2.7. IP-Port-Ext-Port TLV
The format of IP-Port-Ext-Port TLV is shown in Figure 10. This The format of IP-Port-Ext-Port TLV is shown in Figure 10. This
attribute carries IPFIX Information Element 227, attribute carries IPFIX Information Element 227,
"postNAPTSourceTransportPort", which is the transport number "postNAPTSourceTransportPort", which is the transport number
associated with an external IPv4 address(refer to [IPFIX]). The associated with an external IPv4 address(refer to [IPFIX]).
attribute is encoded in 32 bits as per the recommendation in
Appendix A.2.1 of [RFC6158].
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV-Type | Length | postNAPTSourceTransportPort | TLV-Type | Length | postNAPTSourceTransportPort
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
postNAPTSourceTransportPort | postNAPTSourceTransportPort |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 10 Figure 10
skipping to change at page 21, line 32 skipping to change at page 21, line 29
0. 0.
IP-Port-Alloc TLV MUST be included as part of the IP-Port-Range IP-Port-Alloc TLV MUST be included as part of the IP-Port-Range
Attribute (refer to Section 3.1.2), identified as 241.TBD2.8. Attribute (refer to Section 3.1.2), identified as 241.TBD2.8.
3.2.9. IP-Port-Range-Start TLV 3.2.9. IP-Port-Range-Start TLV
The format of IP-Port-Range-Start TLV is shown in Figure 12. This The format of IP-Port-Range-Start TLV is shown in Figure 12. This
attribute carries IPFIX Information Element 361, "portRangeStart", attribute carries IPFIX Information Element 361, "portRangeStart",
which is the smallest port number of a range of contiguous transport which is the smallest port number of a range of contiguous transport
ports (refer to [IPFIX]). The attribute is encoded in 32 bits as per ports (refer to [IPFIX]).
the recommendation in Appendix A.2.1 of [RFC6158].
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV-Type | Length | portRangeStart | TLV-Type | Length | portRangeStart
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
portRangeStart | portRangeStart |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 12 Figure 12
skipping to change at page 22, line 20 skipping to change at page 22, line 16
zero. zero.
IP-Port-Range-Start TLV is included as part of the IP-Port-Range IP-Port-Range-Start TLV is included as part of the IP-Port-Range
Attribute (refer to Section 3.1.2), identified as 241.TBD2.9. Attribute (refer to Section 3.1.2), identified as 241.TBD2.9.
3.2.10. IP-Port-Range-End TLV 3.2.10. IP-Port-Range-End TLV
The format of IP-Port-Range-End TLV is shown in Figure 13. This The format of IP-Port-Range-End TLV is shown in Figure 13. This
attribute carries IPFIX Information Element 362, "portRangeEnd", attribute carries IPFIX Information Element 362, "portRangeEnd",
which is the largest port number of a range of contiguous transport which is the largest port number of a range of contiguous transport
ports (refer to [IPFIX]). The attribute is encoded in 32 bits as per ports (refer to [IPFIX]).
the recommendation in Appendix A.2.1 of [RFC6158].
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLV-Type | Length | portRangeEnd | TLV-Type | Length | portRangeEnd
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
portRangeEnd | portRangeEnd |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 13 Figure 13
skipping to change at page 27, line 42 skipping to change at page 27, line 19
address. address.
A CGN device may decide to "free" a previously assigned set of IP A CGN device may decide to "free" a previously assigned set of IP
ports that have been allocated for a specific user but not currently ports that have been allocated for a specific user but not currently
in use, and with that, the CGN device must send the information of in use, and with that, the CGN device must send the information of
the deallocated IP port range along with the shared IPv4 address to the deallocated IP port range along with the shared IPv4 address to
the RADIUS server. the RADIUS server.
Figure 17 illustrates how RADIUS protocol is used to report a set of Figure 17 illustrates how RADIUS protocol is used to report a set of
ports allocated and deallocated, respectively, by a NAT64 device for ports allocated and deallocated, respectively, by a NAT64 device for
a specific user to the RADIUS server. a specific user to the RADIUS server. 2001:db8:100:200::/56 is the
IPv6 prefix allocated to this user. In order to limit the usage of
the NAT64 resources on a per-user basis for fairness of resource
usage (see REQ-4 of [RFC6888]), port range allocations are bound to
the /56 prefix, not to the source IPv6 address of the request. The
NAT64 devices is configured with the per-user port limit policy by
some means (e.g., subscriber-mask [RFC7785]).
Host NAT64/NAS AAA Host NAT64/NAS AAA
| BNG Server | BNG Server
| | | | | |
| | | | | |
|----Service Request------>| | |----Service Request------>| |
| | | | | |
| |-----Access-Request -------->| | |-----Access-Request -------->|
| | | | | |
| |<----Access-Accept-----------| | |<----Access-Accept-----------|
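Review bot: "The NAT64 devices is configured" should read "The NAT64 device is configured". On substance, binding the port range allocation to the /56 prefix rather than to the source IPv6 address of the request is the right way to satisfy REQ-4 of [RFC6888], since a per-user limit keyed on individual source addresses within a delegated prefix would not bound that user's total consumption; the paragraph would be stronger if it stated that motivation explicitly instead of leaving it implicit in "fairness of resource usage".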
skipping to change at page 33, line 43 skipping to change at page 33, line 43
address and port range assigned to a given user and which is reported address and port range assigned to a given user and which is reported
in an IP-Port-Range Attribute, etc. The root cause of these attack in an IP-Port-Range Attribute, etc. The root cause of these attack
vectors is the communication between the RADIUS client and server. vectors is the communication between the RADIUS client and server.
The IP-Port-Local-Id TLV includes an identifier of which the type and The IP-Port-Local-Id TLV includes an identifier of which the type and
length is deployment and implementation dependent. This identifier length is deployment and implementation dependent. This identifier
might carry privacy sensitive information. It is therefore might carry privacy sensitive information. It is therefore
RECOMMENDED to utilize identifiers that do not have such privacy RECOMMENDED to utilize identifiers that do not have such privacy
concerns. concerns.
If there is any error in a Radius Accounting-Request packet sent from
a RADIUS client to the server, the RADIUS server MUST NOT send
response to the client (refer to [RFC2866]). Examples of the errors
include the erroneous port range in IP-Port-Range Attribute,
inconsistent port mapping in IP-Port-Forwarding-Map Attribute, etc.
This document targets deployments where a trusted relationship is in This document targets deployments where a trusted relationship is in
place between the RADIUS client and server with communication place between the RADIUS client and server with communication
optionally secured by IPsec or Transport Layer Security (TLS) optionally secured by IPsec or Transport Layer Security (TLS)
[RFC6614]. [RFC6614].
7. IANA Considerations 7. IANA Considerations
This document requires new code point assignments for both IPFIX This document requires new code point assignments for both IPFIX
Information Elements and RADIUS attributes as explained in the Information Elements and RADIUS attributes as explained in the
following sub-sections. following sub-sections.
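Review bot: "Radius Accounting-Request" should be "RADIUS Accounting-Request", and "MUST NOT send response" should be "MUST NOT send a response". The added paragraph states a packet-processing rule for erroneous Accounting-Requests rather than a threat or its mitigation, so it reads out of place under Security Considerations; consider moving it to Section 4.1.2, where the allocation/deallocation reporting is specified, or cross-referencing it from there, and say what the client is expected to conclude from the silence, because an [RFC2866] client retransmits an unanswered Accounting-Request and an operator would otherwise see only repeated retries rather than a logged rejection of the malformed IP-Port-Range or IP-Port-Forwarding-Map content.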
skipping to change at page 35, line 42 skipping to change at page 36, line 4
Thaler, Alan Dekok, Lionel Morand, and Peter Deacon for their useful Thaler, Alan Dekok, Lionel Morand, and Peter Deacon for their useful
comments and suggestions. comments and suggestions.
Special thanks to Lionel Morand for the Shepherd review and to Special thanks to Lionel Morand for the Shepherd review and to
Kathleen Moriarty for the AD review. Kathleen Moriarty for the AD review.
Thanks to Carl Wallace, Tim Chown, and Ben Campbell for the detailed Thanks to Carl Wallace, Tim Chown, and Ben Campbell for the detailed
review. review.
9. References 9. References
9.1. Normative References 9.1. Normative References
[I-D.ietf-radext-datatypes] [I-D.ietf-radext-datatypes]
DeKok, A., "Data Types in the Remote Authentication Dial- DeKok, A., "Data Types in the Remote Authentication Dial-
In User Service Protocol (RADIUS)", draft-ietf-radext- In User Service Protocol (RADIUS)", draft-ietf-radext-
datatypes-07 (work in progress), August 2016. datatypes-08 (work in progress), October 2016.
[IPFIX] IANA, "IP Flow Information Export (IPFIX) Entities", [IPFIX] IANA, "IP Flow Information Export (IPFIX) Entities",
<http://www.iana.org/assignments/ipfix/ipfix.xhtml>. <http://www.iana.org/assignments/ipfix/ipfix.xhtml>.
[ProtocolNumbers] [ProtocolNumbers]
IANA, "Protocol Numbers", IANA, "Protocol Numbers",
<http://www.iana.org/assignments/protocol-numbers/ <http://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml>. protocol-numbers.xhtml>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
skipping to change at page 36, line 48 skipping to change at page 37, line 13
<http://www.rfc-editor.org/info/rfc7012>. <http://www.rfc-editor.org/info/rfc7012>.
9.2. Informative References 9.2. Informative References
[I-D.gundavelli-v6ops-community-wifi-svcs] [I-D.gundavelli-v6ops-community-wifi-svcs]
Gundavelli, S., Grayson, M., Seite, P., and Y. Lee, Gundavelli, S., Grayson, M., Seite, P., and Y. Lee,
"Service Provider Wi-Fi Services Over Residential "Service Provider Wi-Fi Services Over Residential
Architectures", draft-gundavelli-v6ops-community-wifi- Architectures", draft-gundavelli-v6ops-community-wifi-
svcs-06 (work in progress), April 2013. svcs-06 (work in progress), April 2013.
[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
DOI 10.17487/RFC0768, August 1980,
<http://www.rfc-editor.org/info/rfc768>.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981,
<http://www.rfc-editor.org/info/rfc793>.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G.,
and E. Lear, "Address Allocation for Private Internets", and E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996,
<http://www.rfc-editor.org/info/rfc1918>. <http://www.rfc-editor.org/info/rfc1918>.
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866,
DOI 10.17487/RFC2866, June 2000,
<http://www.rfc-editor.org/info/rfc2866>.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022, Address Translator (Traditional NAT)", RFC 3022,
DOI 10.17487/RFC3022, January 2001, DOI 10.17487/RFC3022, January 2001,
<http://www.rfc-editor.org/info/rfc3022>. <http://www.rfc-editor.org/info/rfc3022>.
[RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram
Congestion Control Protocol (DCCP)", RFC 4340, Congestion Control Protocol (DCCP)", RFC 4340,
DOI 10.17487/RFC4340, March 2006, DOI 10.17487/RFC4340, March 2006,
<http://www.rfc-editor.org/info/rfc4340>. <http://www.rfc-editor.org/info/rfc4340>.
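Review bot: [RFC2866] is added here under Informative References, but the new Security Considerations text relies on it to support a "MUST NOT send response" requirement; a reference that an implementer must follow to satisfy a normative statement belongs under Normative References (Section 9.1). The RFC 768 and RFC 793 entries are cited only as examples in the Introduction and are fine as informative.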
skipping to change at page 38, line 21 skipping to change at page 39, line 5
A., and H. Ashida, "Common Requirements for Carrier-Grade A., and H. Ashida, "Common Requirements for Carrier-Grade
NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
April 2013, <http://www.rfc-editor.org/info/rfc6888>. April 2013, <http://www.rfc-editor.org/info/rfc6888>.
[RFC6967] Boucadair, M., Touch, J., Levis, P., and R. Penno, [RFC6967] Boucadair, M., Touch, J., Levis, P., and R. Penno,
"Analysis of Potential Solutions for Revealing a Host "Analysis of Potential Solutions for Revealing a Host
Identifier (HOST_ID) in Shared Address Deployments", Identifier (HOST_ID) in Shared Address Deployments",
RFC 6967, DOI 10.17487/RFC6967, June 2013, RFC 6967, DOI 10.17487/RFC6967, June 2013,
<http://www.rfc-editor.org/info/rfc6967>. <http://www.rfc-editor.org/info/rfc6967>.
[RFC7785] Vinapamula, S. and M. Boucadair, "Recommendations for
Prefix Binding in the Context of Softwire Dual-Stack
Lite", RFC 7785, DOI 10.17487/RFC7785, February 2016,
<http://www.rfc-editor.org/info/rfc7785>.
[TR-146] Broadband Forum, "TR-146: Subscriber Sessions", [TR-146] Broadband Forum, "TR-146: Subscriber Sessions",
<http://www.broadband-forum.org/technical/download/ <http://www.broadband-forum.org/technical/download/
TR-146.pdf>. TR-146.pdf>.
Authors' Addresses Authors' Addresses
Dean Cheng Dean Cheng
Huawei Huawei
2330 Central Expressway 2330 Central Expressway
Santa Clara, California 95050 Santa Clara, California 95050
 End of changes. 26 change blocks. 
34 lines changed or deleted 66 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/