Network Working Group M. Boucadair
Internet-Draft C. Jacquenet
Intended status: Standards Track Orange
Expires: July 22, 2016 January 19, 2016

RADIUS Extensions for Network-Assisted Multipath TCP (MPTCP)
draft-boucadair-mptcp-radius-01

Abstract

One of the promising deployment scenarios for Multipath TCP (MPTCP) is to enable a Customer Premises Equipment (CPE) that is connected to multiple networks (e.g., DSL, LTE, WLAN) to optimize the usage of its network attachments. Because of the lack of MPTCP support at the server side, some service providers consider a network-assisted model that relies upon the activation of a dedicated function called: MPTCP Concentrator.

This document specifies a new Remote Authentication Dial-In User Service (RADIUS) attributes that carry the IP addresses that allow CPE devices to reach one or multiple MPTCP Concentrators.

Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on July 22, 2016.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

One of the promising deployment scenarios for Multipath TCP (MPTCP, [RFC6824]) is to enable a Customer Premises Equipment (CPE) that is connected to multiple networks (e.g., DSL, LTE, WLAN) to optimize the usage of such resources, see for example [RFC4908]. This deployment scenario relies on MPTCP proxies located on both the CPE and network sides (Figure 1). MPTCP Proxies deployed in the network play the role of traffic concentrator.

                      IP Network #1                     
 +------------+        _--------_    +------------+   
 |            |       (e.g., LTE )   |            |   
 |   CPE      +======================+            |    
 | (MPTCP     |       (_        _)   |Concentrator|   
 |  Proxy)    |         (_______)    | (MPTCP     |    
 |            |                      |  Proxy)    |------> Internet
 |            |                      |            |
 |            |        IP Network #2 |            |     
 |            |        _--------_    |            |    
 |            |       ( e.g., DSL )  |            |   
 |            +======================+            |
 |            |       (_        _)   |            |
 +-----+------+        (_______)     +------------+
       |
----CPE network----     
       |
    end-nodes

Figure 1: “Network-Assisted” MPTCP Design

Within this document, an MPTCP Concentrator (or concentrator) refers to a functional element that is responsible for aggregating the traffic originated by a group of CPEs. This element is located in the network. One or multiple concentrators can be deployed in the network to assist MPTCP-enabled CPEs to establish MPTCP connections via their available network attachments. On the uplink path, the concentrator terminates the MPTCP connections [RFC6824] received from its customer-facing interfaces and transforms these connections into legacy TCP connections [RFC0793] towards upstream servers. On the downlink path, the concentrator turns the legacy server's TCP connection into MPTCP connections towards its customer-facing interfaces.

Both implicit (where a CPE has no specific knowledge of any concentrator deployed in the network) and explicit modes are considered to steer traffic towards an MPTCP Concentrator. This document focuses on the explicit mode that consists in explicitly configuring a CPE with the reachability information of a MPTCP concentrator.

This document specifies two new Remote Authentication Dial-In User Service (RADIUS, [RFC2865]) attributes that carry the MPTCP Concentrator IP address list (Section 2). In order to accommodate both IPv4 and IPv6 deployment contexts, and given the constraints in Section 3.4 of [RFC6158], two attributes are specified. Note that one or multiple IPv4 and/or IPv6 addresses may be returned to a requesting CPE. A sample use case is described in Section 3.

This document assumes that the MPTCP concentrator(s) reachability information can be stored in Authentication, Authorization, and Accounting (AAA) servers while the CPE configuration is usually provided by means of DHCP ([RFC2131][RFC3315]).

This specification assumes an MPTCP Concentrator is reachable through one or multiple IP addresses. As such, a list of IP addresses can be communicated via RADIUS. Also, it assumes the various network attachments provided to an MPTCP-enabled CPE are managed by the same administrative entity.

This document adheres to [I-D.ietf-radext-datatypes] for defining the new attributes.

2. MPTCP RADIUS Attributes

2.1. MPTCP-IPv4-Concentrator

Description

Type

Length

Data Type

Value

2.2. MPTCP-IPv6-Concentrator

Description

Type

Length

Data Type

Value

3. Sample Use Case

This section does not aim to provide an exhaustive list of deployment scenarios where the use of the RADIUS MPTCP-Concentrator-IPv6 and MPTCP-Concentrator-IPv4 attributes can be helpful. Typical deployment scenarios are described, for instance, in [RFC6911].

Figure 2 shows an example where a CPE is assigned an MPTCP Concentrator. This example assumes that the Network Access Server (NAS) embeds both RADIUS client and DHCPv6 server capabilities.

      CPE                             NAS                      AAA
  DHCPv6 client                    DHCPv6 server              server
       |                                |                        |
       |---------DHCPv6 Solicit-------->|                        |
       |                                |----Access-Request ---->|
       |                                |                        |
       |                                |<----Access-Accept------|
       |                                | MPTCP-Concentrator-IPv6|
       |<-------DHCPv6 Advertisement----|                        |
       |        (OPTION_V6_MPTCP)       |                        |
       |                                |                        |
       |---------DHCPv6 Request-------->|                        |
       |                                |                        |
       |<---------DHCPv6 Reply----------|                        |
       |       (OPTION_V6_MPTCP)        |                        |

                    DHCPv6                          RADIUS

Figure 2: Sample Flow Example (1)

Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends a RADIUS Access-Request message to the AAA server. Once the AAA server receives the request, it replies with an Access-Accept message (possibly after having sent a RADIUS Access-Challenge message and assuming the CPE is entitled to connect to the network) that carries a list of parameters to be used for this session, and which include MPTCP Concentrator reachability information (namely a list of IP addresses).

The content of the MPTCP-Concentrator-IPv6 attribute is then used by the NAS to complete the DHCPv6 procedure that the CPE initiated to retrieve information about the MPTCP Concentrator it has been assigned.

Upon change of the MPTCP Concentrator assigned to a CPE, the RADIUS server sends a RADIUS CoA message [RFC5176] that carries the RADIUS MPTCP-Concentrator-IPv6 attribute to the NAS. Once that message is accepted by the NAS, it replies with a RADIUS CoA ACK message. The NAS replaces the old MPTCP Concentrator with the new one.

Figure 3 shows another example where a CPE is assigned an MPTCP Concentrator, but the CPE uses DHCPv6 to retrieve a list of IP addresses of an MPTCP concentrator.

      CPE                               NAS                      AAA
  DHCPv4 client                      DHCPv4 server              server
       |                                  |                        |
       |-----------DHCPDISCOVER---------->|                        |
       |                                  |----Access-Request ---->|
       |                                  |                        |
       |                                  |<----Access-Accept------|
       |                                  |MPTCP-Concentrator-IPv4 |
       |<------------DHCPOFFER------------|                        |
       |         (OPTION_V4_MPTCP)        |                        |
       |                                  |                        |
       |------------DHCPREQUEST---------->|                        |
       |         (OPTION_V4_MPTCP)        |                        |
       |                                  |                        |
       |<-----------DHCPACK---------------|                        |
       |        (OPTION_V4_MPTCP)         |                        |

                     DHCPv4                         RADIUS

Figure 3: Sample Flow Example (2)

Some deployments may rely on the mechanisms defined in [RFC4014] or [RFC7037], which allows a NAS to pass attributes obtained from a RADIUS server to a DHCP server.

4. Security Considerations

RADIUS-related security considerations are discussed in [RFC2865].

MPTCP-related security considerations are discussed in [RFC6824] and [RFC6181].

Traffic theft is a risk if an illegitimate concentrator is inserted in the path. Indeed, inserting an illegitimate concentrator in the forwarding path allows to intercept traffic and can therefore provide access to sensitive data issued by or destined to a host. To mitigate this threat, secure means to discover a concentrator should be enabled.

5. Table of Attributes

The following table provides a guide as what type of RADIUS packets that may contain these attributes, and in what quantity.

Access- Access- Access-  Challenge Acct. # Attribute
Request Accept  Reject             Request 
 0+      0+      0        0         0+      TBA MPTCP-Concentrator-IPv4
 0+      0+      0        0         0+      TBA MPTCP-Concentrator-IPv6

CoA-Request CoA-ACK CoA-NACK #   Attribute
  0+          0       0        TBA MPTCP-Concentrator-IPv4
  0+          0       0        TBA MPTCP-Concentrator-IPv6

   0  This attribute MUST NOT be present in packet.
   0+ Zero or more instances of this attribute MAY be present in packet.

The following table defines the meaning of the above table entries:

6. IANA Considerations

IANA is requested to assign two new RADIUS attribute types from the IANA registry "Radius Attribute Types" located at http://www.iana.org/assignments/radius-types:

  • MPTCP-Concentrator-IPv4 (TBA)
  • MPTCP-Concentrator-IPv6 (TBA)

7. Acknowledgements

Thanks to Alan DeKok for the comments.

8. References

8.1. Normative References

[I-D.ietf-radext-datatypes] DeKok, A., "Data Types in the Remote Authentication Dial-In User Service Protocol (RADIUS)", Internet-Draft draft-ietf-radext-datatypes-02, November 2015.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, DOI 10.17487/RFC2865, June 2000.
[RFC6158] DeKok, A. and G. Weber, "RADIUS Design Guidelines", BCP 158, RFC 6158, DOI 10.17487/RFC6158, March 2011.
[RFC6890] Cotton, M., Vegoda, L., Bonica, R. and B. Haberman, "Special-Purpose IP Address Registries", BCP 153, RFC 6890, DOI 10.17487/RFC6890, April 2013.

8.2. Informative References

[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC 793, DOI 10.17487/RFC0793, September 1981.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, DOI 10.17487/RFC2131, March 1997.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, DOI 10.17487/RFC3315, July 2003.
[RFC4014] Droms, R. and J. Schnizlein, "Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option", RFC 4014, DOI 10.17487/RFC4014, February 2005.
[RFC4908] Nagami, K., Uda, S., Ogashiwa, N., Esaki, H., Wakikawa, R. and H. Ohnishi, "Multi-homing for small scale fixed network Using Mobile IP and NEMO", RFC 4908, DOI 10.17487/RFC4908, June 2007.
[RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 5176, DOI 10.17487/RFC5176, January 2008.
[RFC6181] Bagnulo, M., "Threat Analysis for TCP Extensions for Multipath Operation with Multiple Addresses", RFC 6181, DOI 10.17487/RFC6181, March 2011.
[RFC6824] Ford, A., Raiciu, C., Handley, M. and O. Bonaventure, "TCP Extensions for Multipath Operation with Multiple Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013.
[RFC6911] Dec, W., Sarikaya, B., Zorn, G., Miles, D. and B. Lourdelet, "RADIUS Attributes for IPv6 Access Networks", RFC 6911, DOI 10.17487/RFC6911, April 2013.
[RFC7037] Yeh, L. and M. Boucadair, "RADIUS Option for the DHCPv6 Relay Agent", RFC 7037, DOI 10.17487/RFC7037, October 2013.

Authors' Addresses

Mohamed Boucadair Orange Rennes, 35000 France EMail: mohamed.boucadair@orange.com
Christian Jacquenet Orange Rennes, France EMail: christian.jacquenet@orange.com