Network Working Group                                       M. Boucadair
Internet-Draft                                              C. Jacquenet
Intended status: Standards Track                                  Orange
Expires: August 31, 2020                                February 28, 2020


                RADIUS Extensions for 0-RTT TCP Converters
                draft-boucadair-opsawg-tcpm-converter-01

Abstract

   Because of the lack of important TCP extensions, e.g., Multipath TCP
   support at the server side, some service providers now consider a
   network-assisted model that relies upon the activation of a dedicated
   function called Transport Converters.  For example, network-assisted
   Multipath TCP deployment models are designed to facilitate the
   adoption of Multipath TCP for the establishment of multi-path
   communications without making any assumption about the support of
   Multipath TCP by the remote servers.  Transport Converters located in
   the network are responsible for establishing multi-path
   communications on behalf of endpoints, thereby taking advantage of
   Multipath TCP capabilities to achieve different goals that include
   (but are not limited to) optimization of resource usage (e.g.,
   bandwidth aggregation), of resiliency (e.g., primary/backup
   communication paths), and traffic offload management.

   This document specifies new Remote Authentication Dial-In User
   Service (RADIUS) attributes that carry the IP addresses that will be
   returned to authorized users to reach one or multiple Converters.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference material or
   to cite them other than as "work in progress."

   This Internet-Draft will expire on August 31, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  CONVERT RADIUS Attributes
     3.1.  CONVERT-IPv4
     3.2.  CONVERT-IPv6
     3.3.  CONVERT-Port
   4.  Sample Use Case
   5.  Security Considerations
   6.  Table of Attributes
   7.  IANA Considerations
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   One of the promising deployment scenarios for Multipath TCP (MPTCP,
   [RFC6824]) is to enable a host or a Customer Premises Equipment (CPE)
   connected to multiple networks (e.g., DSL, LTE, WLAN) to optimize the
   usage of such resources.  One deployment scenario relies on MPTCP
   Conversion Points (called Transport Converters in
   [I-D.ietf-tcpm-converters]).  A Converter terminates the extended TCP
   (e.g., MPTCP, TCPinc) sessions established from a host, before
   redirecting traffic into a legacy TCP session.  Further Network-
   Assisted MPTCP deployment and operational considerations are
   discussed in [I-D.nam-mptcp-deployment-considerations].

   Figure 1 shows a deployment example in which Converters assist in
   establishing MPTCP connections.

       +------------+        _--------_    +----------------+
       |            |       (   LTE    )   |                |
       |    Host    +=======+          +===+    Backbone    |
       |            |       (_        _)   |    Network     |
       |            |        (_______)     |+--------------+|
       |            |  IP Network #1       || Converter    ||------> Internet
       |            |                      ||              ||
       |            |                      |+--------------+|
       |            |  IP Network #2       |                |
       |            |        _--------_    |                |
       |            |       (   DSL    )   |                |
       |            +=======+          +===+                |
       |            |       (_        _)   |                |
       +------------+        (_______)     +----------------+

                  Figure 1: "Network-Assisted" MPTCP Design

   [I-D.ietf-tcpm-converters] specifies the Converter as a function that
   is installed by a network operator to aid the deployment of TCP
   extensions and to provide the benefits of such extensions to clients.
   A Transport Converter supports one or more TCP extensions.

   Within this document, a Converter refers to a function that
   terminates a transport flow and relays all data received over it over
   another transport flow.  This element is located upstream in the
   network.  One or multiple Converters can be deployed on the network
   side.
   The Converter achieves the following:

   o  Listen for client sessions;

   o  Receive from a client the address of the final target server;

   o  Set up a session to the final server;

   o  Relay control messages and data between the client and the server;

   o  Perform access controls according to local policies.

   The Converter element is located in the network.  One or multiple
   Converters can be deployed.

   This document specifies two new Remote Authentication Dial-In User
   Service (RADIUS, [RFC2865]) attributes that carry the Converter IP
   address list (Section 3).  In order to accommodate both IPv4 and IPv6
   deployment contexts, and given the constraints in Section 3.4 of
   [RFC6158], two attributes are specified.  Note that one or multiple
   IPv4 and/or IPv6 addresses may be returned to a requesting CPE.  A
   sample use case is described in Section 4.

   This document assumes that the Converter(s) reachability information
   can be stored in Authentication, Authorization, and Accounting (AAA)
   servers while the CPE configuration is usually provided by means of
   DHCP ([RFC2131][RFC8415]).  Further Network-Assisted MPTCP deployment
   and operational considerations are discussed in
   [I-D.nam-mptcp-deployment-considerations].

   This specification assumes a Converter is reachable through one or
   multiple IP addresses.  As such, a list of IP addresses can be
   communicated via RADIUS.  Also, it assumes the various network
   attachments provided to an MPTCP-enabled host are managed by the same
   administrative entity.

   This document adheres to [RFC8044] for defining the new attributes.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  CONVERT RADIUS Attributes

3.1.  CONVERT-IPv4

   Description

      The RADIUS CONVERT-IPv4 attribute contains the IPv4 address of a
      Converter that is assigned to a host.

      Because multiple Converter IP addresses may be provisioned to an
      authorized host (that is, a host entitled to solicit the resources
      of a Converter), multiple instances of the CONVERT-IPv4 attribute
      MAY be included; each instance of the attribute carries a distinct
      IP address.

      CONVERT-IPv4, CONVERT-IPv6, and CONVERT-Port attributes MAY be
      present in a RADIUS message.

      The CONVERT-IPv4 Attribute MAY appear in a RADIUS Access-Accept
      packet.  It MAY also appear in a RADIUS Access-Request packet as a
      hint to the RADIUS server to indicate a preference, although the
      server is not required to honor such a hint.

      The CONVERT-IPv4 Attribute MAY appear in a CoA-Request packet.

      The CONVERT-IPv4 Attribute MAY appear in a RADIUS Accounting-
      Request packet.

      The CONVERT-IPv4 Attribute MUST NOT appear in any other RADIUS
      packet.

   Type

      TBA1 (see Section 7).

   Length

      6

   Data Type

      The attribute CONVERT-IPv4 is of type ip4addr (Section 3.3 of
      [RFC8044]).

   Value

      This field includes an IPv4 address (32 bits) of the Converter.

      The CONVERT-IPv4 attribute MUST NOT include multicast and host
      loopback addresses [RFC6890].  Anycast addresses are allowed to be
      included in a CONVERT-IPv4 attribute.

3.2.  CONVERT-IPv6

   Description

      The RADIUS CONVERT-IPv6 attribute contains the IPv6 address of a
      Converter that is assigned to a host.

      Because multiple Converter IP addresses may be provisioned to an
      authorized CPE (that is, a host entitled to solicit the resources
      of a Converter), multiple instances of the CONVERT-IPv6 attribute
      MAY be included; each instance of the attribute carries a distinct
      IP address.
      CONVERT-IPv4, CONVERT-IPv6, and CONVERT-Port attributes MAY be
      present in a RADIUS message.

      The CONVERT-IPv6 Attribute MAY appear in a RADIUS Access-Accept
      packet.  It MAY also appear in a RADIUS Access-Request packet as a
      hint to the RADIUS server to indicate a preference, although the
      server is not required to honor such a hint.

      The CONVERT-IPv6 Attribute MAY appear in a CoA-Request packet.

      The CONVERT-IPv6 Attribute MAY appear in a RADIUS Accounting-
      Request packet.

      The CONVERT-IPv6 Attribute MUST NOT appear in any other RADIUS
      packet.

   Type

      TBA2 (see Section 7).

   Length

      18

   Data Type

      The attribute CONVERT-IPv6 is of type ip6addr (Section 3.9 of
      [RFC8044]).

   Value

      This field includes an IPv6 address (128 bits) of the Converter.

      The CONVERT-IPv6 attribute MUST NOT include multicast and host
      loopback addresses [RFC6890].  Anycast addresses are allowed to be
      included in a CONVERT-IPv6 attribute.

3.3.  CONVERT-Port

   Description

      The RADIUS CONVERT-Port attribute contains the port number on
      which a Converter listens for Convert messages.

      CONVERT-IPv4, CONVERT-IPv6, and CONVERT-Port attributes MAY be
      present in a RADIUS message.

      When both CONVERT-IPv4 and CONVERT-IPv6 are included, the port
      number conveyed in CONVERT-Port MUST be used for all included IP
      addresses.

      The CONVERT-Port Attribute MAY appear in a RADIUS Access-Accept
      packet.  It MAY also appear in a RADIUS Access-Request packet as a
      hint to the RADIUS server to indicate a preference, although the
      server is not required to honor such a hint.

      The CONVERT-Port Attribute MAY appear in a CoA-Request packet.

      The CONVERT-Port Attribute MAY appear in a RADIUS Accounting-
      Request packet.

      The CONVERT-Port Attribute MUST NOT appear in any other RADIUS
      packet.

   Type

      TBA3 (see Section 7).
   Length

      6

   Data Type

      Integer

   Value

      This field includes the port number used by the Converter, right
      justified; unused bits MUST be set to zero.

4.  Sample Use Case

   This section does not aim to provide an exhaustive list of deployment
   scenarios where the use of the RADIUS CONVERT-IPv6 and CONVERT-IPv4
   attributes can be helpful.  Typical deployment scenarios are
   described, for instance, in [RFC6911].

   Figure 2 shows an example where a CPE is assigned a Converter.  This
   example assumes that the Network Access Server (NAS) embeds both
   RADIUS client and DHCPv6 server capabilities.

     CPE                             NAS                        AAA
     DHCPv6 client                   DHCPv6 server              server
       |                               |                          |
       |---------DHCPv6 Solicit------->|                          |
       |                               |----Access-Request ------>|
       |                               |                          |
       |                               |<----Access-Accept--------|
       |                               |     CONVERT-IPv6         |
       |                               |     CONVERT-Port         |
       |<-------DHCPv6 Advertisement---|                          |
       |      (OPTION_V6_CONVERT)      |                          |
       |                               |                          |
       |---------DHCPv6 Request------->|                          |
       |                               |                          |
       |<---------DHCPv6 Reply---------|                          |
       |      (OPTION_V6_CONVERT)      |                          |

                   DHCPv6                        RADIUS

                  Figure 2: Sample Flow Example (1)

   Upon receipt of the DHCPv6 Solicit message from a CPE, the NAS sends
   a RADIUS Access-Request message to the AAA server.  Once the AAA
   server receives the request, it replies with an Access-Accept message
   (possibly after having sent a RADIUS Access-Challenge message and
   assuming the CPE is entitled to connect to the network) that carries
   a list of parameters to be used for this session, which include
   Converter reachability information (namely a list of IP addresses).

   The content of the CONVERT-IPv6 and CONVERT-Port attributes is then
   used by the NAS to complete the DHCPv6 procedure that the CPE
   initiated to retrieve information about the Converter it has been
   assigned.
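   As an added illustration (example code, not part of this draft or of
   any Converter implementation), the following Python builds the
   Access-Accept attributes of Figure 2 and applies the checks a NAS or
   RADIUS server would run on receipt: the Length and address
   restrictions of Section 3, the right-justified CONVERT-Port integer,
   and the packet types in which the attributes MAY appear.  The Type
   values stand in for the unassigned TBA1..TBA3; the Converter address
   and port are constructed sample values.

```python
import ipaddress
import struct

# TBA1..TBA3 are not yet assigned by IANA; placeholders from the RADIUS
# "Implementation Specific" range are used here for illustration only.
CONVERT_IPV4, CONVERT_IPV6, CONVERT_PORT = 224, 225, 226
CONVERT_TYPES = {CONVERT_IPV4, CONVERT_IPV6, CONVERT_PORT}
# RADIUS packet codes (RFC 2865, RFC 2866, RFC 5176); the CONVERT
# attributes MAY appear only in ALLOWED_CODES and MUST NOT appear elsewhere.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST = 1, 2, 3, 4
ACCESS_CHALLENGE, COA_REQUEST, COA_ACK, COA_NAK = 11, 43, 44, 45
ALLOWED_CODES = {ACCESS_REQUEST, ACCESS_ACCEPT, ACCT_REQUEST, COA_REQUEST}

def checked_address(addr):
    """Reject multicast and host loopback addresses; anycast is permitted."""
    if addr.is_multicast or addr.is_loopback:
        raise ValueError(f"{addr} is multicast or loopback")
    return addr

def encode_convert_ipv4(text):
    addr = checked_address(ipaddress.IPv4Address(text))
    return bytes([CONVERT_IPV4, 6]) + addr.packed      # Type, Length 6, 4 octets

def encode_convert_ipv6(text):
    addr = checked_address(ipaddress.IPv6Address(text))
    return bytes([CONVERT_IPV6, 18]) + addr.packed     # Type, Length 18, 16 octets

def encode_convert_port(port):
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range")
    # RADIUS integer: 32 bits, port right-justified, upper 16 bits zero.
    return struct.pack("!BBI", CONVERT_PORT, 6, port)

def decode_attributes(blob):
    """Walk a RADIUS attribute list; return [(type, value)] after per-attribute checks."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2 or not 2 <= blob[i + 1] <= len(blob) - i:
            raise ValueError("truncated or malformed attribute")
        atype, alen = blob[i], blob[i + 1]
        data = blob[i + 2:i + alen]
        if atype == CONVERT_IPV4 and alen == 6:
            out.append((atype, checked_address(ipaddress.IPv4Address(data))))
        elif atype == CONVERT_IPV6 and alen == 18:
            out.append((atype, checked_address(ipaddress.IPv6Address(data))))
        elif atype == CONVERT_PORT and alen == 6:
            (port,) = struct.unpack("!I", data)
            if port >> 16 or port == 0:        # unused bits MUST be zero
                raise ValueError("bad CONVERT-Port value")
            out.append((atype, port))
        elif atype in CONVERT_TYPES:
            raise ValueError(f"bad Length {alen} for attribute {atype}")
        else:
            out.append((atype, data))          # some other RADIUS attribute
        i += alen
    return out

def convert_attrs_valid(packet_code, attrs):
    """Packet-type and cardinality rules for the CONVERT attributes."""
    present = [t for t, _ in attrs if t in CONVERT_TYPES]
    if present and packet_code not in ALLOWED_CODES:
        return False
    return present.count(CONVERT_PORT) <= 1        # at most one CONVERT-Port

# Constructed sample: the Access-Accept of Figure 2 with one Converter IPv6
# address (documentation prefix) and a made-up listening port.
SAMPLE_ACCEPT = encode_convert_ipv6("2001:db8::1") + encode_convert_port(5000)
```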
   Upon change of the Converter assigned to a CPE, the RADIUS server
   sends a RADIUS CoA message [RFC5176] that carries the RADIUS CONVERT-
   IPv6 and/or CONVERT-Port attribute to the NAS.  Once that message is
   accepted by the NAS, it replies with a RADIUS CoA ACK message.  The
   NAS replaces the old Converter with the new one.

   Figure 3 shows another example where a CPE is assigned a Converter,
   but the CPE uses DHCPv4 to retrieve a list of IP addresses of a
   Converter.

     CPE                             NAS                        AAA
     DHCPv4 client                   DHCPv4 server              server
       |                               |                          |
       |-----------DHCPDISCOVER------->|                          |
       |                               |----Access-Request ------>|
       |                               |                          |
       |                               |<----Access-Accept--------|
       |                               |     CONVERT-IPv4         |
       |                               |     CONVERT-Port         |
       |<------------DHCPOFFER---------|                          |
       |      (OPTION_V4_CONVERT)      |                          |
       |                               |                          |
       |------------DHCPREQUEST------->|                          |
       |      (OPTION_V4_CONVERT)      |                          |
       |                               |                          |
       |<-----------DHCPACK------------|                          |
       |      (OPTION_V4_CONVERT)      |                          |

                   DHCPv4                        RADIUS

                  Figure 3: Sample Flow Example (2)

   Some deployments may rely on the mechanisms defined in [RFC4014] or
   [RFC7037], which allow a NAS to pass attributes obtained from a
   RADIUS server to a DHCP server.

5.  Security Considerations

   RADIUS-related security considerations are discussed in [RFC2865].

   Generic Convert security considerations are discussed in
   [I-D.ietf-tcpm-converters].

   MPTCP-related security considerations are discussed in [RFC6824] and
   [RFC6181].

   Traffic theft is a risk if an illegitimate Converter is inserted in
   the path.  Indeed, inserting an illegitimate Converter in the
   forwarding path allows traffic to be intercepted and can therefore
   provide access to sensitive data issued by or destined to a host.  To
   mitigate this threat, secure means to discover a Converter should be
   enabled.

6.  Table of Attributes

   The following table provides a guide as to what type of RADIUS
   packets may contain these attributes, and in what quantity.

   Access-  Access-  Access-  Challenge  Acct.     #     Attribute
   Request  Accept   Reject              Request
   0+       0+       0        0          0+        TBA1  CONVERT-IPv4
   0+       0+       0        0          0+        TBA2  CONVERT-IPv6
   0-1      0-1      0        0          0-1       TBA3  CONVERT-Port

   CoA-Request  CoA-ACK  CoA-NACK  #     Attribute
   0+           0        0         TBA1  CONVERT-IPv4
   0+           0        0         TBA2  CONVERT-IPv6
   0-1          0        0         TBA3  CONVERT-Port

   The following table defines the meaning of the above table entries:

   0    This attribute MUST NOT be present in packet.
   0+   Zero or more instances of this attribute MAY be present in
        packet.
   0-1  Zero or one instance of this attribute MAY be present in packet.

7.  IANA Considerations

   IANA is requested to assign three new RADIUS attribute types from the
   IANA registry "Radius Attribute Types" located at
   http://www.iana.org/assignments/radius-types:

      CONVERT-IPv4 (TBA1)

      CONVERT-IPv6 (TBA2)

      CONVERT-Port (TBA3)

8.  Acknowledgements

   Thanks to Alan DeKok for the comments.

9.  References

9.1.  Normative References

   [I-D.ietf-tcpm-converters]
              Bonaventure, O., Boucadair, M., Gundavelli, S., Seo, S.,
              and B. Hesmans, "0-RTT TCP Convert Protocol", draft-ietf-
              tcpm-converters-16 (work in progress), February 2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, DOI 10.17487/RFC2865, June 2000.

   [RFC6158]  DeKok, A., Ed. and G. Weber, "RADIUS Design Guidelines",
              BCP 158, RFC 6158, DOI 10.17487/RFC6158, March 2011.

   [RFC6890]  Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
              "Special-Purpose IP Address Registries", BCP 153,
              RFC 6890, DOI 10.17487/RFC6890, April 2013.
   [RFC8044]  DeKok, A., "Data Types in RADIUS", RFC 8044,
              DOI 10.17487/RFC8044, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

9.2.  Informative References

   [I-D.nam-mptcp-deployment-considerations]
              Boucadair, M., Jacquenet, C., Bonaventure, O., Henderickx,
              W., and R. Skog, "Network-Assisted MPTCP: Use Cases,
              Deployment Scenarios and Operational Considerations",
              draft-nam-mptcp-deployment-considerations-01 (work in
              progress), December 2016.

   [RFC2131]  Droms, R., "Dynamic Host Configuration Protocol",
              RFC 2131, DOI 10.17487/RFC2131, March 1997.

   [RFC4014]  Droms, R. and J. Schnizlein, "Remote Authentication Dial-
              In User Service (RADIUS) Attributes Suboption for the
              Dynamic Host Configuration Protocol (DHCP) Relay Agent
              Information Option", RFC 4014, DOI 10.17487/RFC4014,
              February 2005.

   [RFC4908]  Nagami, K., Uda, S., Ogashiwa, N., Esaki, H., Wakikawa,
              R., and H. Ohnishi, "Multi-homing for small scale fixed
              network Using Mobile IP and NEMO", RFC 4908,
              DOI 10.17487/RFC4908, June 2007.

   [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 5176,
              DOI 10.17487/RFC5176, January 2008.

   [RFC6181]  Bagnulo, M., "Threat Analysis for TCP Extensions for
              Multipath Operation with Multiple Addresses", RFC 6181,
              DOI 10.17487/RFC6181, March 2011.

   [RFC6824]  Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
              "TCP Extensions for Multipath Operation with Multiple
              Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013.

   [RFC6911]  Dec, W., Ed., Sarikaya, B., Zorn, G., Ed., Miles, D., and
              B. Lourdelet, "RADIUS Attributes for IPv6 Access
              Networks", RFC 6911, DOI 10.17487/RFC6911, April 2013.
   [RFC7037]  Yeh, L. and M. Boucadair, "RADIUS Option for the DHCPv6
              Relay Agent", RFC 7037, DOI 10.17487/RFC7037, October
              2013.

   [RFC8415]  Mrugalski, T., Siodelski, M., Volz, B., Yourtchenko, A.,
              Richardson, M., Jiang, S., Lemon, T., and T. Winters,
              "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)",
              RFC 8415, DOI 10.17487/RFC8415, November 2018.

Authors' Addresses

   Mohamed Boucadair
   Orange
   Rennes 35000
   France

   Email: mohamed.boucadair@orange.com


   Christian Jacquenet
   Orange
   Rennes
   France

   Email: christian.jacquenet@orange.com