--- 1/draft-ietf-radext-ip-port-radius-ext-14.txt 2016-10-21 10:16:14.216891823 -0700 +++ 2/draft-ietf-radext-ip-port-radius-ext-15.txt 2016-10-21 10:16:14.292893693 -0700 @@ -1,23 +1,23 @@ Network Working Group D. Cheng Internet-Draft Huawei Intended status: Standards Track J. Korhonen -Expires: April 21, 2017 Broadcom Corporation +Expires: April 24, 2017 Broadcom Corporation M. Boucadair Orange S. Sivakumar Cisco Systems - October 18, 2016 + October 21, 2016 RADIUS Extensions for IP Port Configuration and Reporting - draft-ietf-radext-ip-port-radius-ext-14 + draft-ietf-radext-ip-port-radius-ext-15 Abstract This document defines three new RADIUS attributes. For devices that implement IP port ranges, these attributes are used to communicate with a RADIUS server in order to configure and report IP transport ports, as well as mapping behavior for specific hosts. This mechanism can be used in various deployment scenarios such as Carrier-Grade NAT, IPv4/IPv6 translators, Provider WLAN Gateway, etc. This document defines a mapping between some RADIUS attributes and @@ -37,21 +37,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 21, 2017. + This Internet-Draft will expire on April 24, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -66,49 +66,49 @@ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Extensions of RADIUS Attributes and TLVs . . . . . . . . . . 5 3.1. Extended Attributes for IP Ports . . . . . . . . . . . . 6 3.1.1. IP-Port-Limit-Info Attribute . . . . . . . . . . . . 6 3.1.2. IP-Port-Range Attribute . . . . . . . . . . . . . . . 8 3.1.3. IP-Port-Forwarding-Map Attribute . . . . . . . . . . 11 3.2. RADIUS TLVs for IP Ports . . . . . . . . . . . . . . . . 13 3.2.1. IP-Port-Type TLV . . . . . . . . . . . . . . . . . . 14 3.2.2. IP-Port-Limit TLV . . . . . . . . . . . . . . . . . . 15 - 3.2.3. IP-Port-Ext-IPv4-Addr TLV . . . . . . . . . . . . . . 15 + 3.2.3. IP-Port-Ext-IPv4-Addr TLV . . . . . . . . . . . . . . 16 3.2.4. IP-Port-Int-IPv4-Addr TLV . . . . . . . . . . . . . . 16 3.2.5. IP-Port-Int-IPv6-Addr TLV . . . . . . . . . . . . . . 17 3.2.6. IP-Port-Int-Port TLV . . . . . . . . . . . . . . . . 18 3.2.7. IP-Port-Ext-Port TLV . . . . . . . . . . . . . . . . 19 3.2.8. IP-Port-Alloc TLV . . . . . . . . . . . . . . . . . . 20 3.2.9. IP-Port-Range-Start TLV . . . . . . . . . . . . . . . 21 3.2.10. IP-Port-Range-End TLV . . . . . . . . . . . . . . . . 22 - 3.2.11. IP-Port-Local-Id TLV . . . . . . . . . . . . . . . . 23 + 3.2.11. IP-Port-Local-Id TLV . . . . . . . . . . . . . . . . 22 4. Applications, Use Cases and Examples . . . . . . . . . . . . 24 4.1. Managing CGN Port Behavior using RADIUS . . . . . . . . . 24 - 4.1.1. Configure IP Port Limit for a User . . . . . . . . . 25 - 4.1.2. Report IP Port Allocation/Deallocation . . . . . . . 27 + 4.1.1. Configure IP Port Limit for a User . . . . . . . . . 24 + 4.1.2. Report IP Port Allocation/Deallocation . . . . . . . 26 4.1.3. Configure Forwarding Port Mapping . . . . . . . . . . 28 4.1.4. An Example . . . . . . . . . . . . . . . . . . . . . 30 4.2. Report Assigned Port Set for a Visiting UE . . . . . . . 31 5. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 32 6. Security Considerations . . . . . . . . . . . . . . . . . . . 33 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 7.1. IANA Considerations on New IPFIX Information Elements . . . . . . . . . . . . . . . . . . . . . . . . 34 7.2. IANA Considerations on New RADIUS Attributes . . . . . . 34 7.3. IANA Considerations on New RADIUS TLVs . . . . . . . . . 35 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 35 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 35 - 9.1. Normative References . . . . . . . . . . . . . . . . . . 35 - 9.2. Informative References . . . . . . . . . . . . . . . . . 36 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 38 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 36 + 9.2. Informative References . . . . . . . . . . . . . . . . . 37 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 1. Introduction In a broadband network, customer information is usually stored on a RADIUS server [RFC2865]. At the time when a user initiates an IP connection request, if this request is authorized, the RADIUS server will populate the user's configuration information to the Network Access Server (NAS), which is often referred to as a Broadband Network Gateway (BNG) in broadband access networks. The Carrier- Grade NAT (CGN) function may also be implemented on the BNG. Within @@ -162,43 +162,43 @@ IPv6 address are mapped to an external source transport port along with the external IPv4 address. IPFIX Information Elements [RFC7012] can be used for IP flow identification and representation over RADIUS. This document provides a mapping between some RADIUS TLVs and IPFIX Information Element Identifiers. A new IPFIX Information Element is defined by this document (see Section 3.2.2). IP protocol numbers (refer to [ProtocolNumbers]) can be used for - identification of IP transport protocols (e.g., TCP, UDP, DCCP, and - SCTP) that are associated with some RADIUS attributes. + identification of IP transport protocols (e.g., TCP [RFC0793], UDP + [RFC0768], DCCP [RFC4340], and SCTP [RFC4960]) that are associated + with some RADIUS attributes. This document focuses on IPv4 address sharing. IPv6 prefix sharing mechanisms (e.g., NPTv6) are out of scope. 2. Terminology This document makes use of the following terms: o IP Port: refers to IP transport port (e.g., TCP port number, UDP port number). o IP Port Type: refers to the IP transport protocol as indicated by the IP transport protocol number, refer to (refer to [ProtocolNumbers]) o IP Port Limit: denotes the maximum number of IP ports for a - specific IP port type, that a device supporting port ranges can - use when performing port number mappings for a specific user/host. - - Note, this limit is usually associated with one or more IPv4/IPv6 - addresses. + specific (or all) IP transport protocol(s), that a device + supporting port ranges can use when performing port number + mappings for a specific user/host. Note, this limit is usually + associated with one or more IPv4/IPv6 addresses. o IP Port Range: specifies a set of contiguous IP ports, indicated by the lowest numerical number and the highest numerical number, inclusively. o Internal IP Address: refers to the IP address that is used by a host as a source IP address in an outbound IP packet sent towards a device supporting port ranges in the internal realm. The internal IP address may be IPv4 or IPv6. @@ -610,20 +610,26 @@ The TLVs that are included in the three attributes (see Section 3.1) are defined in the following sub-sections. These TLVs use the format defined in [RFC6929]. As the three attributes carry similar data, we have defined a common set of TLVs which are used for all three attributes. That is, the TLVs have the same name and number, when encapsulated in any one of the three parent attributes. See Section 3.1.1, Section 3.1.2, and Section 3.1.3 for a list of which TLV is permitted within which parent attribute. + The encoding of the Value field of these TLVs follows the + recommendation of [RFC6158]. In particular, IP-Port-Type, IP-Port- + Limit, IP-Port-Int-Port, IP-Port-Ext-Port, IP-Port-Alloc, IP-Port- + Range-Start, and IP-Port-Range-End TLVs are encoded in 32 bits as per + the recommendation in Appendix A.2.1 of [RFC6158]. + 3.2.1. IP-Port-Type TLV The format of IP-Port-Type TLV is shown in Figure 4. This attribute carries the IP transport protocol number defined by IANA (refer to [ProtocolNumbers]) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TLV-Type | Length | Protocol-Number @@ -636,39 +642,42 @@ TLV-Type 1 Length 6 Protocol-Number - Integer. This field contains the data (unsigned8) of the port + Integer. This field contains the data (unsigned8) of the protocol number defined in [ProtocolNumbers], right justified, and the unused bits in this field MUST be set to zero. Protocols that do not use a port number (e.g., Resource Reservation Protocol (RSVP), IP Encapsulating Security Payload (ESP)) MUST NOT be included in the IP-Port-Type TLV. IP-Port-Type TLV MAY be included in the following Attributes: o IP-Port-Limit-Info Attribute, identified as 241.TBD1.1 (see Section 3.1.1). o IP-Port-Range Attribute, identified as 241.TBD2.1 (see Section 3.1.2). + o IP-Port-Forwarding-Map Attribute, identified as 241.TBD3.1 (see + Section 3.1.3). + When the IP-Port-Type TLV is included within a RADIUS Attribute, the associated attribute is applied to the IP transport protocol as - indicated by the Protocol-Number only, such as TCP, UDP, SCTP - [RFC4960], DCCP [RFC4340], etc. + indicated by the Protocol-Number only, such as TCP, UDP, SCTP, DCCP, + etc. 3.2.2. IP-Port-Limit TLV The format of IP-Port-Limit TLV is shown in Figure 5. This attribute carries IPFIX Information Element "sourceTransportPortsLimit (TBAx1), which indicates the maximum number of IP transport ports as a limit for an end user to use that is associated with one or more IPv4 or IPv6 addresses. 0 1 2 3 @@ -812,22 +821,21 @@ If the internal realm is with IPv6 address family, the IP-Port-Int- IPv6-Addr TLV MUST be included as part of the IP-Port-Forwarding-Map Attribute (refer to Section 3.1.3), identified as 241.TBD3.5. 3.2.6. IP-Port-Int-Port TLV The format of IP-Port-Int-Port TLV is shown in Figure 9. This attribute carries IPFIX Information Element 7, "sourceTransportPort", which is the source transport number associated with an internal IPv4 - or IPv6 address (refer to [IPFIX]). The attribute is encoded in 32 - bits as per the recommendation in Appendix A.2.1 of [RFC6158]. + or IPv6 address (refer to [IPFIX]). 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TLV-Type | Length | sourceTransportPort +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ sourceTransportPort | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 9 @@ -848,23 +856,21 @@ IP-Port-Int-Port TLV MUST be included as part of the IP-Port- Forwarding-Map Attribute (refer to Section 3.1.3), identified as 241.TBD3.6. 3.2.7. IP-Port-Ext-Port TLV The format of IP-Port-Ext-Port TLV is shown in Figure 10. This attribute carries IPFIX Information Element 227, "postNAPTSourceTransportPort", which is the transport number - associated with an external IPv4 address(refer to [IPFIX]). The - attribute is encoded in 32 bits as per the recommendation in - Appendix A.2.1 of [RFC6158]. + associated with an external IPv4 address(refer to [IPFIX]). 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TLV-Type | Length | postNAPTSourceTransportPort +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ postNAPTSourceTransportPort | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 10 @@ -936,22 +940,21 @@ 0. IP-Port-Alloc TLV MUST be included as part of the IP-Port-Range Attribute (refer to Section 3.1.2), identified as 241.TBD2.8. 3.2.9. IP-Port-Range-Start TLV The format of IP-Port-Range-Start TLV is shown in Figure 12. This attribute carries IPFIX Information Element 361, "portRangeStart", which is the smallest port number of a range of contiguous transport - ports (refer to [IPFIX]). The attribute is encoded in 32 bits as per - the recommendation in Appendix A.2.1 of [RFC6158]. + ports (refer to [IPFIX]). 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TLV-Type | Length | portRangeStart +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ portRangeStart | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 12 @@ -970,22 +973,21 @@ zero. IP-Port-Range-Start TLV is included as part of the IP-Port-Range Attribute (refer to Section 3.1.2), identified as 241.TBD2.9. 3.2.10. IP-Port-Range-End TLV The format of IP-Port-Range-End TLV is shown in Figure 13. This attribute carries IPFIX Information Element 362, "portRangeEnd", which is the largest port number of a range of contiguous transport - ports (refer to [IPFIX]). The attribute is encoded in 32 bits as per - the recommendation in Appendix A.2.1 of [RFC6158]. + ports (refer to [IPFIX]). 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TLV-Type | Length | portRangeEnd +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ portRangeEnd | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 13 @@ -1210,21 +1212,27 @@ address. A CGN device may decide to "free" a previously assigned set of IP ports that have been allocated for a specific user but not currently in use, and with that, the CGN device must send the information of the deallocated IP port range along with the shared IPv4 address to the RADIUS server. Figure 17 illustrates how RADIUS protocol is used to report a set of ports allocated and deallocated, respectively, by a NAT64 device for - a specific user to the RADIUS server. + a specific user to the RADIUS server. 2001:db8:100:200::/56 is the + IPv6 prefix allocated to this user. In order to limit the usage of + the NAT64 resources on a per-user basis for fairness of resource + usage (see REQ-4 of [RFC6888]), port range allocations are bound to + the /56 prefix, not to the source IPv6 address of the request. The + NAT64 devices is configured with the per-user port limit policy by + some means (e.g., subscriber-mask [RFC7785]). Host NAT64/NAS AAA | BNG Server | | | | | | |----Service Request------>| | | | | | |-----Access-Request -------->| | | | | |<----Access-Accept-----------| @@ -1488,20 +1496,26 @@ address and port range assigned to a given user and which is reported in an IP-Port-Range Attribute, etc. The root cause of these attack vectors is the communication between the RADIUS client and server. The IP-Port-Local-Id TLV includes an identifier of which the type and length is deployment and implementation dependent. This identifier might carry privacy sensitive information. It is therefore RECOMMENDED to utilize identifiers that do not have such privacy concerns. + If there is any error in a Radius Accounting-Request packet sent from + a RADIUS client to the server, the RADIUS server MUST NOT send + response to the client (refer to [RFC2866]). Examples of the errors + include the erroneous port range in IP-Port-Range Attribute, + inconsistent port mapping in IP-Port-Forwarding-Map Attribute, etc. + This document targets deployments where a trusted relationship is in place between the RADIUS client and server with communication optionally secured by IPsec or Transport Layer Security (TLS) [RFC6614]. 7. IANA Considerations This document requires new code point assignments for both IPFIX Information Elements and RADIUS attributes as explained in the following sub-sections. @@ -1585,27 +1599,26 @@ Thaler, Alan Dekok, Lionel Morand, and Peter Deacon for their useful comments and suggestions. Special thanks to Lionel Morand for the Shepherd review and to Kathleen Moriarty for the AD review. Thanks to Carl Wallace, Tim Chown, and Ben Campbell for the detailed review. 9. References - 9.1. Normative References [I-D.ietf-radext-datatypes] DeKok, A., "Data Types in the Remote Authentication Dial- In User Service Protocol (RADIUS)", draft-ietf-radext- - datatypes-07 (work in progress), August 2016. + datatypes-08 (work in progress), October 2016. [IPFIX] IANA, "IP Flow Information Export (IPFIX) Entities", . [ProtocolNumbers] IANA, "Protocol Numbers", . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate @@ -1639,25 +1652,37 @@ . 9.2. Informative References [I-D.gundavelli-v6ops-community-wifi-svcs] Gundavelli, S., Grayson, M., Seite, P., and Y. Lee, "Service Provider Wi-Fi Services Over Residential Architectures", draft-gundavelli-v6ops-community-wifi- svcs-06 (work in progress), April 2013. + [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, + DOI 10.17487/RFC0768, August 1980, + . + + [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, + RFC 793, DOI 10.17487/RFC0793, September 1981, + . + [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, . + [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, + DOI 10.17487/RFC2866, June 2000, + . + [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, DOI 10.17487/RFC3022, January 2001, . [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram Congestion Control Protocol (DCCP)", RFC 4340, DOI 10.17487/RFC4340, March 2006, . @@ -1709,20 +1734,25 @@ A., and H. Ashida, "Common Requirements for Carrier-Grade NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, April 2013, . [RFC6967] Boucadair, M., Touch, J., Levis, P., and R. Penno, "Analysis of Potential Solutions for Revealing a Host Identifier (HOST_ID) in Shared Address Deployments", RFC 6967, DOI 10.17487/RFC6967, June 2013, . + [RFC7785] Vinapamula, S. and M. Boucadair, "Recommendations for + Prefix Binding in the Context of Softwire Dual-Stack + Lite", RFC 7785, DOI 10.17487/RFC7785, February 2016, + . + [TR-146] Broadband Forum, "TR-146: Subscriber Sessions", . Authors' Addresses Dean Cheng Huawei 2330 Central Expressway Santa Clara, California 95050