RADIUS Attributes for Address plus Port (A+P) based Softwire Mechanisms

Huawei Technologies Co., Ltd, Q14, Huawei Campus, No.156 Beiqing Road, Hai-Dian District, Beijing, 100095, P.R. China, jiangsheng@huawei.com
CNNIC, No.4 South 4th Street, Zhongguancun, Hai-Dian District, Beijing, 100190, P.R. China, eleven711711@foxmail.com
Huawei Technologies Co., Ltd, Q14, Huawei Campus, No.156 Beiqing Road, Hai-Dian District, Beijing, 100095, P.R. China, leo.liubing@huawei.com
IEA Software, Inc., P.O. Box 1170, Veradale, WA 99037, USA, peterd@iea-software.com
China Telecom, Beijing, P.R. China, xiechf.bri@chinatelecom.cn
Tsinghua University, Beijing 100084, P.R. China, peter416733@gmail.com
Orange, Rennes, 35000, France, mohamed.boucadair@orange.com

Internet Area
Softwire

IPv6 Transition, MAP-E, MAP-T, Lightweight 4over6, RADIUS, address sharing, authorization, AAA, provisioning

IPv4-over-IPv6 transition mechanisms provide IPv4 connectivity
services over IPv6 native networks during the IPv4/IPv6 co-existence
period. DHCPv6 options have been defined for configuring clients for
Lightweight 4over6, Mapping of Address and Port with Encapsulation, and
Mapping of Address and Port using Translation unicast softwire
mechanisms, and also multicast softwires. However, in many networks,
configuration information is stored in an Authentication, Authorization,
and Accounting server which utilizes the RADIUS protocol to provide
centralized management for users. When a new transition mechanism is
developed, new RADIUS attributes need to be defined correspondingly.

This document defines new RADIUS attributes to carry Address plus
Port based softwire configuration parameters from an Authentication,
Authorization, and Accounting server to a Broadband Network Gateway.
Both unicast and multicast attributes are covered.

Providers have started deploying and transitioning to IPv6. Several
IPv4 service continuity mechanisms based on the Address plus Port (A+P)
have been proposed for providing unicast
IPv4 over IPv6-only infrastructure, such as Mapping of Address and Port
with Encapsulation (MAP-E) , Mapping of
Address and Port using Translation (MAP-T) , and Lightweight 4over6 . Also, specifies
a generic solution for the delivery of IPv4 multicast services to IPv4
clients over an IPv6 multicast network. For each of these mechanisms,
DHCPv6 options have been specified for client configuration.

In many networks, user configuration information is stored in an
Authentication, Authorization, and Accounting (AAA) server. AAA servers
generally communicate using the Remote Authentication Dial In User
Service (RADIUS) protocol. In a fixed
broadband network, a Broadband Network Gateway (BNG) acts as the access
gateway for users. That is, the BNG acts as both an AAA client to the
AAA server, and a DHCPv6 server for DHCPv6 messages sent by clients.
Throughout this document, the term BNG describes a device implementing
both the AAA client and DHCPv6 server functions.

Since IPv4-in-IPv6 softwire configuration information is stored in an
AAA server, and user configuration information is mainly transmitted
through DHCPv6 protocol between the BNGs and Customer Premises Equipment
(CEs, a.k.a., CPE), new RADIUS attributes are needed to propagate the
information from the AAA servers to BNGs.

The RADIUS attributes defined in this document provide configuration
to populate the corresponding DHCPv6 options for unicast and multicast
softwire configuration, specifically:

- "Mapping of Address and Port with Encapsulation (MAP-E)" (DHCPv6 options defined in .
- "Mapping of Address and Port using Translation (MAP-T)" (DHCPv6 options defined in .
- "Lightweight 4over6: An Extension to the Dual-Stack Lite
  Architecture" (DHCPv6 options defined
  in .
- "Unified IPv4-in-IPv6 Softwire Customer Premises Equipment (CPE):
  A DHCPv6-Based Prioritization Mechanism" .
- "Delivery of IPv4 Multicast Services to IPv4 Clients over an IPv6
  Multicast Network" (DHCPv6 options
  defined in .

The contents of the attributes defined in this document have a 1:1
mapping into the fields of the various DHCPv6 options in , , and . Table 1 shows how the DHCPv6 options map to
the corresponding RADIUS attribute. For detailed mappings between each
DHCPv6 option field and the corresponding RADIUS Attribute or field, see
.

A RADIUS attribute for Dual-Stack Lite
is defined in .

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in when, and only
when, they appear in all capitals, as shown here.

The reader should be familiar with the concepts and terms defined in
, , , and .

The terms "multicast Basic Bridging BroadBand" element (mB4) and
"multicast Address Family Transition Router" element (mAFTR) are defined
in .

Softwire46 (S46) is used throughout to denote any of the IPv4-in-IPv6
softwire mechanisms listed above. Additionally, the following
abbreviations are used within the document:

- BMR: Basic Mapping Rule
- BNG: Broadband Network Gateway
- BR: Border Relay
- CE: Customer Edge
- DMR: Default Mapping Rule
- EA: Embedded Address
- FMR: Forwarding Mapping Rule
- PSID: Port Set Identifier
- TLV: Type, Length, Value
- MAP-E: Mapping of Address and Port with Encapsulation
- MAP-T: Mapping of Address and Port using Translation

This section defines the following attributes:

- Softwire46-Configuration Attribute (): This attribute
carries the configuration information for MAP-E, MAP-T, and
Lightweight 4over6. The configuration information for each
Softwire46 mechanism is carried in the corresponding Softwire46
attributes. Different attributes are required for each Softwire46
mechanism.
- Softwire46-Priority Attribute (): Depending
on the deployment scenario, a client may support several different
Softwire46 mechanisms and so request configuration for more than one
Softwire46 mechanism at a time. The Softwire46-Priority Attribute
contains information allowing the client to prioritize which
mechanism to use, corresponding to OPTION_S46_PRIORITY defined in
.
- Softwire46-Multicast Attribute (): This
attribute conveys the IPv6 prefixes to be used in to synthesize IPv4-embedded IPv6 addresses.
The BNG uses the IPv6 prefixes returned in the RADIUS
Softwire46-Multicast Attribute to populate the DHCPv6 PREFIX64
Option .

All of these attributes are allocated from the RADIUS "Extended Type"
code space per .

All of these attribute designs follow
and .

This document adheres to for defining
the new RADIUS attributes.

This attribute is of type "tlv", as defined in the RADIUS Protocol
Extensions . It contains some
sub-attributes, with the following requirements:

- The Softwire46-Configuration Attribute MUST contain one or more
  of the following attributes: Softwire46-MAP-E, Softwire46-MAP-T,
  and/or Softwire46-Lightweight-4over6.
- The Softwire46-Configuration Attribute conveys the
configuration information for MAP-E, MAP-T, or Lightweight 4over6.
The BNG SHALL use the configuration information returned in the
RADIUS attribute to populate the DHCPv6 Softwire46 Container
Option defined in Section 5 of .
- The Softwire46-Configuration Attribute MAY appear in an
  Access-Accept packet. It MAY also appear in an Access-Request
  packet.
- The Softwire46-Configuration Attribute MAY appear in a
  CoA-Request packet.
- The Softwire46-Configuration Attribute MAY appear in an
  Accounting-Request packet.
- The Softwire46-Configuration Attribute MUST NOT appear in any
  other RADIUS packet.
- The Softwire46-Configuration Attribute MUST only encapsulate
  one or more of the Softwire46 attributes defined in this
  document.

The Softwire46-Configuration Attribute is structured as
follows:

The Softwire46-Configuration Attribute is associated with the
following identifier: 241.Extended-Type(TBD1).

The Softwire46 attributes can only be encapsulated in the
Softwire46-Configuration Attribute. Depending on the deployment
scenario, a client might request more than one transition
mechanism at a time. There MUST be at least one Softwire46 attribute
encapsulated in one Softwire46-Configuration Attribute. There MUST
be at most one instance of each type of Softwire46 attribute
encapsulated in one Softwire46-Configuration Attribute.

There are three types of Softwire46 attributes, namely:

- Softwire46-MAP-E ()
- Softwire46-MAP-T ()
- Softwire46-Lightweight-4over6 ()

Each type of Softwire46 attribute contains a number of
sub-attributes, defined in . The hierarchy of the Softwire46
attributes is shown in . describes which sub-attributes are
mandatory, optional, or not permitted for each defined Softwire46
attribute.

Softwire46-MAP-E attribute is designed for carrying the
configuration information for MAP-E. The structure of
Softwire46-MAP-E is shown below:

Softwire46-MAP-T attribute is designed for carrying the
configuration information for MAP-T. The structure of
Softwire46-MAP-T is shown below:

Softwire46-Lightweight-4over6 attribute is designed for
carrying the configuration information for Lightweight 4over6. The
structure of Softwire46-Lightweight-4over6 is shown below:

Table 2 shows which encapsulated sub-attributes are mandatory,
optional, or not permitted for each defined Softwire46
attribute.

The following table defines the meaning of Table 2 entries.

Softwire46-Rule can only be encapsulated in Softwire46-MAP-E
() or Softwire46-MAP-T (). Depending on the deployment scenario, one
Basic Mapping Rule (BMR) and zero or more Forwarding Mapping Rules
(FMRs) MUST be included in one Softwire46-MAP-E or
Softwire46-MAP-T.

Each type of Softwire46-Rule also contains a number of
sub-attributes, including Rule-IPv6-Prefix, Rule-IPv4-Prefix, and
EA-Length. The structure of the sub-attributes for Softwire46-Rule
is defined in .

Defining multiple TLV-types achieves the same design goals as
the "Softwire46 Rule Flags" defined in Section 4.1 of . Using TLV-type set to 5 is equivalent to
setting the F-flag in the OPTION_S46_RULE S46 Rule Flags
field.

Softwire46-BR can only be encapsulated in Softwire46-MAP-E
() or Softwire46-Lightweight-4over6
().

There MUST be at least one Softwire46-BR included in each
Softwire46-MAP-E or Softwire46-Lightweight-4over6.

The structure of Softwire46-BR is shown below:

Softwire46-DMR may only appear in Softwire46-MAP-T (). There MUST be exactly one Softwire46-DMR
included in one Softwire46-MAP-T.

The structure of Softwire46-DMR is shown below:

Softwire46-V4V6Bind may only be encapsulated in
Softwire46-Lightweight-4over6 (). There
MUST be exactly one Softwire46-V4V6Bind included in each
Softwire46-Lightweight-4over6.

The structure of Softwire46-V4V6Bind is shown below:

Softwire46-PORTPARAMS is optional. It is used to specify port
set information for IPv4 address sharing between clients.
Softwire46-PORTPARAMS MAY be included in any of the Softwire46
attributes.

The structure of Softwire46-PORTPARAMS is shown below:

There are two types of Softwire46-Rule: the Basic Mapping Rule
and the Forwarding Mapping Rule, indicated by the value in the
TLV-Type field of Softwire46-Rule ().

Each type of Softwire46-Rule also contains a number of
Sub-attributes as detailed in the following sub-sections.

Rule-IPv6-Prefix is REQUIRED for every Softwire46-Rule. There
MUST be exactly one Rule-IPv6-Prefix encapsulated in each type of
Softwire46-Rule.

Rule-IPv6-Prefix follows the framed IPv6 prefix designed in
and .

The structure of Rule-IPv6-Prefix is shown below:

This attribute is used to convey the MAP Rule IPv4 prefix. The
structure of Rule-IPv4-Prefix is shown below:

This attribute is used to convey the Embedded-Address (EA) bit
length. The structure of EA-Length is shown below:

The IPv4-address MAY be used to specify the full or shared IPv4
address of the CE.

The structure of IPv4-address is shown below:

The Bind-IPv6-Prefix is used by the CE to identify the correct
IPv6 prefix to be used as the tunnel source.

The structure of Bind-IPv6-Prefix is shown below:

This attribute is used to convey the Port Set Identifier offset
as defined in . This attribute is
encoded in 32 bits as per the recommendation in Appendix A.2.1 of
.

The structure of PSID-offset is shown below:

This attribute is used to convey the PSID length as defined in
. This attribute is encoded in 32 bits
as per the recommendation in Appendix A.2.1 of .

The structure of PSID-len is shown below:

This attribute is used to convey the PSID as defined in . This attribute is encoded in 32 bits as per
the recommendation in Appendix A.2.1 of .

The structure of PSID is shown below:

The Softwire46-Priority Attribute includes an ordered list of
Softwire46 mechanisms allowing the client to prioritize which
mechanism to use, corresponding to OPTION_S46_PRIORITY defined in
. The following requirements apply:

- The Softwire46-Priority Attribute MAY appear in an
  Access-Accept packet. It MAY also appear in an Access-Request
  packet.
- The Softwire46-Priority Attribute MAY appear in a CoA-Request
  packet.
- The Softwire46-Priority Attribute MAY appear in an
  Accounting-Request packet.
- The Softwire46-Priority Attribute MUST NOT appear in any other
  RADIUS packet.

The Softwire46-Priority Attribute is structured as follows:

The Softwire46-Priority Attribute is associated with the following
identifier: 241.Extended-Type (TBD5).

This attribute is used to convey an option code assigned to a
Softwire46 mechanism . This attribute
is encoded in 32 bits as per the recommendation in Appendix A.2.1 of
.

The structure of Softwire46-Option-Code is shown below:

The Softwire46-Multicast Attribute conveys the IPv6 prefixes to be
used to synthesize multicast and unicast IPv4-embedded IPv6 addresses
as per . This attribute is of type "tlv"
and contains additional TLVs. The following requirements apply:

- The BNG SHALL use the IPv6 prefixes returned in the RADIUS
  Softwire46-Multicast Attribute to populate the DHCPv6 PREFIX64
  Option .
- This attribute MAY be used in Access-Request packets as a hint
  to the RADIUS server. For example, if the BNG is pre-configured
  for Softwire46-Multicast, these prefixes MAY be inserted in the
  attribute. The RADIUS server MAY ignore the hint sent by the BNG,
  and it MAY assign a different Softwire46-Multicast Attribute.
- The Softwire46-Multicast Attribute MAY appear in an
  Access-Request, Access-Accept, CoA-Request, and Accounting-Request
  packet.
- The Softwire46-Multicast Attribute MUST NOT appear in any other
  RADIUS packet.
- The Softwire46-Multicast Attribute MAY contain ASM-Prefix64
  (), SSM-Prefix64 (), and U-Prefix64 ().
- The Softwire46-Multicast Attribute MUST include ASM-Prefix64 or
  SSM-Prefix64, and it MAY include both.
- The U-Prefix64 MUST be present when SSM-Prefix64 is present.
  U-Prefix64 MAY be present when ASM-Prefix64 is present.

The Softwire46-Multicast Attribute is structured as follows:

The Softwire46-Multicast Attribute is associated with the following
identifier: 241.Extended-Type(TBD6).

The ASM-Prefix64 attribute is structured as follows:

The SSM-Prefix64 attribute is structured as follows:

The structure of U-Prefix64 is shown below:

illustrates how the RADIUS and DHCPv6
protocols interwork to provide CE with softwire configuration
information.

1. The CE creates a DHCPv6 Solicit message. For unicast softwire
   configuration, the message includes an OPTION_REQUEST_OPTION (6)
   with the Softwire46 Container option codes as defined in . OPTION_S46_CONT_MAPE (94) should be
   included for MAP-E, OPTION_S46_CONT_MAPT (95) for MAP-T, and
   OPTION_S46_CONT_LW (96) for Lightweight 4over6. For multicast
   configuration, the option number for OPTION_V6_PREFIX64 (113) is
   included in the client's ORO. The message is sent to the BNG.
2. On receipt of the Solicit message, the BNG constructs a RADIUS
   Access-Request message containing a User-Name Attribute (1)
   (containing either a CE MAC address, interface-id or both), a
   User-Password Attribute (2) (with a pre-configured shared password
   as defined in . The
   Softwire46-Configuration Attribute and/or Softwire46-Multicast
   Attribute are also included (as requested by the client). The
   resulting message is sent to the AAA server.
3. The AAA server authenticates the request. If this is successful,
   and suitable configuration is available, an Access-Accept message is
   sent to the BNG containing the requested Softwire46-Configuration
   Attribute or Softwire46-Multicast Attribute. It is the
   responsibility of the AAA server to ensure the consistency of the
   provided configuration.
4. The BNG maps the received softwire configuration into the
   corresponding fields in the DHCPv6 softwire configuration option(s).
   These are included in the DHCPv6 Advertise message which is sent to
   the CE.
5. The CE sends a DHCPv6 Request message. In the ORO, the option
   code(s) of any of the required softwire options that were received
   in the Advertise message are included.
6. The BNG sends a Reply message to the client containing the
   softwire container options enumerated in the ORO.

The authorization operation could also be done independently, after
the authentication process. In this case, steps 1-5 are completed as
above, then the following steps are performed:

- When the BNG receives the DHCPv6 Request, it
constructs a RADIUS Access-Request message, which contains a
Service-Type Attribute (6) with the value "Authorize Only" (17), the
corresponding Softwire46-Configuration Attribute, and a State
Attribute obtained from the previous authentication process
according to . The resulting message
is sent to the AAA server.
- The AAA checks the authorization request. If it is
  approved, an Access-Accept message is returned to the BNG with the
  corresponding Softwire46-Configuration Attribute.
- The BNG sends a Reply message to the client
  containing the softwire container options enumerated in the ORO.

In addition to the above, the following points need to be
considered:

- In both the configuration message flows described above the
  Message-Authenticator (type 80)
  SHOULD be used to protect both Access-Request and Access-Accept
  messages.
- If the BNG does not receive the corresponding
  Softwire46-Configuration Attribute in the Access-Accept message it
  MAY fall back to creating the DHCPv6 softwire configuration options
  using pre-configured Softwire46 configuration, if this is
  present.
- If the BNG receives an Access-Reject from the AAA server, then
  Softwire46 configuration MUST NOT be supplied to the client.
- As specified in , Section 18.2.5,
  "Creation and Transmission of Rebind Messages", if the DHCPv6 server
  to which the DHCPv6 Renew message was sent at time T1 has not
  responded by time T2, the CE (DHCPv6 client) SHOULD enter the Rebind
  state and attempt to contact any available server. In this
  situation, a secondary BNG receiving the DHCPv6 message MUST
  initiate a new Access-Request message towards the AAA server. The
  secondary BNG includes the Softwire46-Configuration Attribute in
  this Access-Request message.
- For Lightweight 4over6, the subscriber's binding state needs to
  be synchronized between the clients and the lwAFTR/BR. This can be
  achieved in two ways: static pre-configuration of the bindings on
  both the AAA server and lwAFTR, or on-demand whereby the AAA server
  updates the lwAFTR with the subscriber's binding state as it is
  created or deleted.

In some deployments, the DHCP server may use the Accounting-Request
to report to an AAA server the softwire configuration returned to a
requesting host. It is the responsibility of the DHCP server to ensure
the consistency of the configuration provided to requesting hosts.
Reported data to an AAA server may be required for various operational
purposes (e.g., regulatory).

This document specifies three new RADIUS attributes, and their
formats are as follows:

- Softwire46-Configuration Attribute: 241.TBD1
- Softwire46-Priority Attribute: 241.TBD5
- Softwire46-Multicast Attribute: 241.TBD6

Table 3 describes which attributes may be found, in which kinds of
packets and in what quantity.

Known security vulnerabilities of the RADIUS protocol are discussed
in , ,
and. Use of IPsec for providing security when RADIUS is carried
in IPv6 is discussed in .

Specific security considerations for interactions between the MAP CE
and the BNG are discussed in and . Security considerations for Lightweight 4over6
are discussed in . Security considerations
for DHCPv6-Based Softwire46 Prioritization Mechanism are discussed in
. Security considerations for multicast
scenarios are discussed in . Furthermore,
generic DHCPv6 security mechanisms can be applied to DHCPv6
intercommunication between the CE and the BNG.

IANA is requested to make new code point assignments for RADIUS
attributes as described in the following subsections.

This document requests IANA to assign the Attribute Types defined
in this document from the RADIUS namespace as described in the "IANA
Considerations" section of , in
accordance with BCP 26 .

This document requests that IANA register three new RADIUS
attributes, from the "Short Extended Space" of . The attributes are: Softwire46-Configuration
Attribute, Softwire46-Priority Attribute, and Softwire46-Multicast
Attribute:

IANA is requested to create a new registry called "RADIUS
Softwire46 Configuration and Multicast Attributes".

All attributes in this registry have one or more parent RADIUS
attributes in nesting (refer to ).

This registry must be initially populated with the following
values:

The registration procedure for this registry is Standards Action as
defined in .

The Softwire46-Priority Attribute defines a 16-bit
Softwire46-option-code field, for which IANA is requested to create
and maintain a new registry entitled "Option Codes Permitted in the
Softwire46-Priority Attribute". The registration procedure for this
registry is Standards Action as defined in .

This document requests IANA to register the three option codes of
the Softwire46 mechanisms permitted to be included in the
Softwire46-Priority Attribute. The value of option code corresponds to
the TLV-Type defined in . Additional
options may be added to this list in the future using the IETF Review
process described in Section 4.8 of .

Table 4 shows the option codes required, and the Softwire46
mechanisms that they represent. The option code for DS-Lite is derived
from the IANA allocated RADIUS Attribute Type value for DS-Lite . The option codes for MAP-E, MAP-T, and
Lightweight 4over6 need to be assigned. The option codes for MAP-E,
MAP-T, and Lightweight 4over6 should also be used as the TLV-Type
values for the MAP-E, MAP-T, and Lightweight 4over6 attributes defined
in .

The authors would like to thank the valuable comments made by Peter
Lothberg, Wojciech Dec, Ian Farrer, Suresh Krishnan, Qian Wang, Wei
Meng, Cui Wang, Alan Dekok, Stefan Winter, and Yu Tianpeng to this
document.

This document was merged with draft-sun-softwire-lw4over6-radext-01
and draft-wang-radext-multicast-radius-ext-00, thanks to everyone who
contributed to this document.

This document was produced using the xml2rfc tool .

Many thanks to Al Morton and Bernie Volz for the review.

The following sections detail the mappings between the softwire
DHCPv6 option fields and the relevant RADIUS attributes as defined in
this document.

OPTION_S46_RULE Field    Softwire46-Rule Name    TLV Subfield
---------------------    --------------------    ---------------------
flags                    N/A                     TLV-type (TBD7, TBD8)
ea-len                   EA-Length               EA-len
prefix4-len              Rule-IPv4-Prefix        Prefix-Length
ipv4-prefix              Rule-IPv4-Prefix        rule-ipv4-prefix
prefix6-len              Rule-IPv6-Prefix        Prefix-Length
ipv6-prefix              Rule-IPv6-Prefix        rule-ipv6-prefix

OPTION_S46_BR Field      Softwire46-BR Subfield
-------------------      ----------------------
br-ipv6-address          br-ipv6-address

OPTION_S46_BR Field      Softwire46-DMR Subfield
-------------------      -----------------------
dmr-prefix6-len          dmr-prefix6-len
dmr-ipv6-prefix          dmr-ipv6-prefix

OPTION_S46_V4V6BIND Field    Softwire46-V4V6Bind Name    TLV Subfield
-------------------------    ------------------------    ----------------
ipv4-address                 IPv4-address                ipv4-address
bindprefix6-len              Bind-IPv6-Prefix            Prefix-Length
bind-ipv6-prefix             Bind-IPv6-Prefix            bind-ipv6-prefix

OPTION_S46_PORTPARAMS Field    Softwire46-PORTPARAMS Name    TLV Subfield
---------------------------    --------------------------    ------------
offset                         PSID-offset                   PSID-Offset
PSID-len                       PSID-len                      PSID-len
PSID                           PSID                          PSID

OPTION_S46_PRIORITY Field    Softwire46-Priority Attribute Subfield
-------------------------    --------------------------------------
s46-option-code              Softwire46-option-code

OPTION_V6_PREFIX64 Field    Softwire46-Multicast Attribute TLV Name    TLV Subfield
------------------------    ---------------------------------------    -------------
asm-length                  ASM-Prefix64                               Prefix-Length
ASM_mPrefix64               ASM-Prefix64                               asm-prefix64
ssm-length                  SSM-Prefix64                               Prefix-Length
SSM_mPrefix64               SSM-Prefix64                               ssm-prefix64
unicast-length              U-Prefix64                                 Prefix-Length
uPrefix64                   U-Prefix64                                 u-prefix64
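
The nesting and cardinality rules stated above for the Softwire46-Configuration and Softwire46-Multicast attributes can be checked on the AAA server or the BNG before a configuration is handed to DHCPv6. The following is an added example, not part of the original document: it assumes the attribute has already been decoded into (name, children) tuples, uses the names BMR and FMR for the two Softwire46-Rule TLV types (their numeric values are TBD in the text), and enforces only the counts stated in the prose.

```python
from collections import Counter

# container -> {permitted child: (min, max)}; max None = no limit stated
LIMITS = {
    "Softwire46-Configuration": {
        "Softwire46-MAP-E": (0, 1), "Softwire46-MAP-T": (0, 1),
        "Softwire46-Lightweight-4over6": (0, 1)},
    "Softwire46-MAP-E": {
        "BMR": (1, 1), "FMR": (0, None),
        "Softwire46-BR": (1, None), "Softwire46-PORTPARAMS": (0, None)},
    "Softwire46-MAP-T": {
        "BMR": (1, 1), "FMR": (0, None),
        "Softwire46-DMR": (1, 1), "Softwire46-PORTPARAMS": (0, None)},
    "Softwire46-Lightweight-4over6": {
        "Softwire46-BR": (1, None), "Softwire46-V4V6Bind": (1, 1),
        "Softwire46-PORTPARAMS": (0, None)},
    "Softwire46-Multicast": {
        "ASM-Prefix64": (0, None), "SSM-Prefix64": (0, None),
        "U-Prefix64": (0, None)},
}
# A rule's sub-attribute list is introduced with "including", so only the
# stated requirement (exactly one Rule-IPv6-Prefix) is enforced for it.
RULE_LIMITS = {"Rule-IPv6-Prefix": (1, 1)}


def validate(node, path=""):
    """Return the list of violations in a decoded (name, children) tree."""
    name, children = node
    here = f"{path}/{name}"
    if not isinstance(children, list):   # leaf value, nothing nested
        return []
    errors = []
    counts = Counter(child[0] for child in children)
    limits = LIMITS.get(name, RULE_LIMITS if name in ("BMR", "FMR") else {})
    if name in LIMITS:                   # closed containers reject other TLVs
        for extra in sorted(set(counts) - set(limits)):
            errors.append(f"{here}: {extra} not permitted here")
    for child, (low, high) in limits.items():
        if counts[child] < low:
            errors.append(f"{here}: needs at least {low} {child}")
        if high is not None and counts[child] > high:
            errors.append(f"{here}: at most {high} {child}, found {counts[child]}")
    if name == "Softwire46-Configuration" and not any(counts[c] for c in limits):
        errors.append(f"{here}: needs at least one Softwire46 attribute")
    if name == "Softwire46-Multicast":
        if not (counts["ASM-Prefix64"] or counts["SSM-Prefix64"]):
            errors.append(f"{here}: needs ASM-Prefix64 or SSM-Prefix64")
        if counts["SSM-Prefix64"] and not counts["U-Prefix64"]:
            errors.append(f"{here}: SSM-Prefix64 requires U-Prefix64")
    for child in children:
        errors += validate(child, here)
    return errors


# Constructed sample trees (documentation prefixes, made-up values).
BR = ("Softwire46-BR", "2001:db8:ffff::1")
GOOD = ("Softwire46-Configuration", [
    ("Softwire46-MAP-E", [
        ("BMR", [("Rule-IPv6-Prefix", "2001:db8::/40"),
                 ("Rule-IPv4-Prefix", "192.0.2.0/24"), ("EA-Length", 16)]),
        BR]),
])
BAD = ("Softwire46-Configuration", [
    ("Softwire46-MAP-T", [               # BR not allowed, DMR missing
        ("BMR", [("Rule-IPv4-Prefix", "192.0.2.0/24")]), BR]),
    ("Softwire46-Lightweight-4over6", [BR]),   # V4V6Bind missing
])

if __name__ == "__main__":
    for tree in (GOOD, BAD):
        print(validate(tree) or "consistent")
```
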
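
The Message-Authenticator (type 80) check and the Access-Reject and fallback rules from the message flow above, as an added example that is not part of the original document. The function names, the has_s46_attr and preconfigured parameters, and the policy of discarding any reply that lacks a valid Message-Authenticator are assumptions of this example; the sample packets are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
MESSAGE_AUTHENTICATOR = 80


def attributes(packet):
    """Yield (type, value offset, value length) for each attribute."""
    pos = 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 1 < len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, length - 2
        pos += length


def compute_mac(packet, secret, request_auth=None):
    """Return (value carried in the packet or None, value it should carry)."""
    buf = bytearray(packet)
    if request_auth is not None:      # replies are keyed to the request
        buf[4:20] = request_auth
    found = None
    for atype, off, length in attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR and length == 16:
            found = bytes(packet[off:off + 16])
            buf[off:off + 16] = bytes(16)   # zeroed while computing
    return found, hmac.new(secret, bytes(buf), hashlib.md5).digest()


def verify(packet, secret, request_auth=None):
    """True only if a Message-Authenticator is present and correct."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        found, expected = compute_mac(packet, secret, request_auth)
    except ValueError:
        return False
    return found is not None and hmac.compare_digest(found, expected)


def softwire_source(reply, secret, request_auth, has_s46_attr, preconfigured):
    """Where the BNG may take Softwire46 configuration from, or None."""
    if not verify(reply, secret, request_auth):
        return None                   # discard: treated as no valid reply
    if reply[0] != ACCESS_ACCEPT:
        return None                   # Access-Reject: supply nothing
    if has_s46_attr:
        return "aaa"
    return "preconfigured" if preconfigured else None


def build(code, ident, attrs, secret, request_auth):
    """Sample-data helper: assemble and sign a packet."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = bytearray(struct.pack("!BBH", code, ident, 20 + len(body)))
    pkt += request_auth + body
    pkt[-16:] = compute_mac(bytes(pkt), secret)[1]
    if code != ACCESS_REQUEST:        # Response Authenticator for replies
        pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()
    return bytes(pkt)


# Constructed sample exchange (secret, identifier and values are made up).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
REQUEST = build(ACCESS_REQUEST, 7, [(1, b"00005e005301")], SECRET, REQ_AUTH)
ACCEPT = build(ACCESS_ACCEPT, 7, [(18, b"ok")], SECRET, REQ_AUTH)
REJECT = build(ACCESS_REJECT, 7, [], SECRET, REQ_AUTH)
```
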