Network Working Group V. Mammoliti Request for Comments: 4679 G. Zorn Category: Informational Cisco Systems P. Arberg Redback Networks, Inc. R. Rennison ECI Telecom September 2006
DSL Forum Vendor-Specific RADIUS Attributes
Status of this Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
IESG Note
This RFC is not a candidate for any level of Internet Standard. The IETF disclaims any knowledge of the fitness of this RFC for any purpose and in particular notes that the decision to publish is not based on IETF review for such things as security, congestion control, or inappropriate interaction with deployed protocols. The RFC Editor has chosen to publish this document at its discretion. Readers of this document should exercise caution in evaluating its value for implementation and deployment. See RFC 3932 for more information.
Abstract
This document describes the set of Remote Authentication Dial-In User Service Vendor-Specific Attributes (RADIUS VSAs) defined by the DSL Forum.
These attributes are designed to transport Digital Subscriber Line (DSL) information that is not supported by the standard RADIUS attribute set. It is expected that this document will be updated if and when the DSL Forum defines additional vendor-specific attributes, since its primary purpose is to provide a reference for DSL equipment vendors wishing to interoperate with other vendors' products.
The DSL Forum has created additional RADIUS [RFC2865] [RFC2866] vendor-specific attributes to carry DSL line identification and characterization information. This information is forwarded from the Access Node/DSLAM to the BRAS via Vendor-Specific PPPoE Tags [RFC2516], DHCP Relay Options [RFC3046], and Vendor-Specific Information Suboptions [RFC4243]. This document describes the subscriber line identification and characterization information and its mapping to RADIUS VSAs by the BRAS.
The information acquired may be used to provide authentication and accounting functionality. It may also be collected and used for management and troubleshooting purposes.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Access Node/DSLAM The Access Node/DSLAM is a DSL signal terminator that contains a minimum of one Ethernet interface that serves as its northbound interface into which it aggregates traffic from several Asynchronous Transfer Mode (ATM)-based (subscriber ports) or Ethernet-based southbound interfaces.
BNG Broadband Network Gateway. A BNG is an IP edge router where bandwidth and QoS policies are applied; the functions performed by a BRAS are a superset of those performed by a BNG.
Mammoliti, et al. Informational [Page 3]
RFC 4679 DSL Forum RADIUS VSA September 2006
BRAS Broadband Remote Access Server. A BRAS is a BNG and is the aggregation point for the subscriber traffic. It provides aggregation capabilities (e.g., IP, PPP, Ethernet) between the access network and the core network. Beyond its aggregation function, the BRAS is also an injection point for policy management and IP QoS in the access network.
DSL Digital Subscriber Line. DSL is a technology that allows digital data transmission over wires in the local telephone network.
DSLAM Digital Subscriber Line Access Multiplexer. DSLAM is a device that terminates DSL subscriber lines. The data is aggregated and forwarded to ATM- or Ethernet-based aggregation networks.
FCS Frame Check Sequence. The FCS is a checksum added to an Ethernet frame for error detection/correction purposes.
IPoA IP over ATM
IWF Interworking Function. The set of functions required for interconnecting two networks of different technologies (e.g., ATM and Ethernet). IWF is utilized to enable the carriage of PPP over ATM (PPPoA) traffic over PPPoE.
The following subsections describe the Attributes defined by this document. These Attributes MAY be transmitted in one or more RADIUS Attributes of type Vendor-Specific [RFC2865]. More than one attribute MAY be transmitted in a single Vendor-Specific Attribute; if this is done, the attributes SHOULD be packed as a sequence of Vendor-Type/Vendor-Length/Value triples following the initial Type, Length, and Vendor-Id fields.
This Attribute functions as a "container", encapsulating one or more vendor-specific sub-attributes; the encoding follows the recommendations in [RFC2865].
A summary of the generic DSL Forum VSA format is shown below. The fields are transmitted from left to right.
This field MUST be set equal to the sum of the Vendor-Length fields of the sub-attributes contained in the Vendor-Specific Attribute, plus six (Type + Length + Vendor-Id).
Vendor-Id
This field MUST be set to decimal 3561, the enterprise number assigned to the ADSL Forum [IANA].
Sub-Attributes
This field MUST contain one or more DSL Forum Vendor-Specific sub-attributes, as specified below.
Mammoliti, et al. Informational [Page 5]
RFC 4679 DSL Forum RADIUS VSA September 2006
3.2. DSL Forum Vendor Specific Sub-Attribute Encoding
A summary of the sub-attribute format is shown below. The fields are transmitted from left to right.
The Vendor-Type field is one octet in length and contains the sub-attribute type, as assigned by the DSL Forum.
Vendor-Length
The Vendor-Length field is one octet and indicates the length of the entire sub-attribute, including the Vendor-Type, Vendor-Length, and Value fields.
Value
The Value field is zero or more octets and contains information specific to the sub-attribute. The format and length of the Value field is determined by the Vendor-Type and Vendor-Length fields. The format of the value field is one of 2 data types, string or integer [RFC2865].
This Attribute contains information describing the subscriber agent circuit identifier corresponding to the logical access loop port of the Access Node/DSLAM from which a subscriber's requests are initiated. It MAY be present in both Access-Request and Accounting-Request packets.
A summary of the Agent-Circuit-Id Attribute format is shown below. The fields are transmitted from left to right.
The String field contains information about the Access-Node to which the subscriber is attached, along with an identifier for the subscriber's DSL port on that Access-Node.
The exact syntax of the string is implementation dependent; however, a typical practice is to subdivide it into two or more space-separated components, one to identify the Access-Node and another the subscriber line on that node, with perhaps an indication of whether that line is Ethernet or ATM. Example formats for this string are shown below.
"Access-Node-Identifier atm slot/port:vpi.vci" (when ATM/DSL is used)
"Access-Node-Identifier eth slot/port[:vlan-id]" (when Ethernet/DSL is used)
An example showing the slot and port field encoding is given below:
The Access-Node-Identifier is a unique ASCII string that does not include 'space' characters. The syntax of the slot and port fields reflects typical practices currently in place. The slot identifier does not exceed 6 characters in length, and the port identifier does not exceed 3 characters in length using a '\' as a delimiter.
Mammoliti, et al. Informational [Page 7]
RFC 4679 DSL Forum RADIUS VSA September 2006
The exact manner in which slots are identified is Access Node/DSLAM implementation dependent. The vpi, vci, and vlan-id fields (when applicable) are related to a given access loop (U-interface).
The Agent-Remote-Id Attribute contains an operator-specific, statically configured string that uniquely identifies the subscriber on the associated access loop of the Access Node/DSLAM.
In a typical subscriber environment, multiple attributes can be used to identify the user, among others: Username (for example, as defined on a PPP client); Agent-Circuit-Id (a static, pre-defined string sent from the Access Node/DSLAM); Agent-Remote-Id (an operator-defined string configured on and sent by the Access Node/DSLAM).
This Attribute MAY be included in both Access-Request and Accounting-Request packets.
A summary of the Agent-Remote-Id Attribute format is shown below. The fields are transmitted from left to right.
This value of this field is entirely open to the service provider's discretion. For example, it MAY contain a subscriber billing identifier or telephone number.
This Attribute contains the actual upstream train rate of a subscriber's synchronized DSL link. It MAY be included in both Access-Request and Accounting-Request packets.
A summary of the Actual-Data-Rate-Upstream Attribute format is shown below. The fields are transmitted from left to right.
This field contains a 4-byte unsigned integer, indicating the subscriber's actual data rate upstream of a synchronized DSL link. The rate is coded in bits per second.
This Attribute contains the actual downstream train rate of a subscriber's synchronized DSL link. It MAY be included in both Access-Request and Accounting-Request packets.
A summary of the Actual-Data-Rate-Downstream Attribute format is shown below. The fields are transmitted from left to right.
This field contains a 4-byte unsigned integer, indicating the subscriber's actual data rate downstream of a synchronized DSL link. The rate is coded in bits per second.
This field contains a 4-byte unsigned integer, indicating the subscriber's minimum upstream data rate (as configured by the operator). The rate is coded in bits per second.
This field contains a 4-byte unsigned integer, indicating the subscriber's minimum downstream data rate (as configured by the operator). The rate is coded in bits per second.
This field contains a 4-byte unsigned integer, indicating the subscriber's actual DSL attainable upstream data rate. The rate is coded in bits per second.
This field contains a 4-byte unsigned integer, indicating the subscriber's actual DSL attainable downstream data rate. The rate is coded in bits per second.
This field is a 4-byte unsigned integer, indicating the numeric value of the subscriber's DSL maximum upstream data rate. The rate is coded in bits per second.
This Attribute contains the subscriber's maximum downstream data rate, as configured by the operator. It MAY be included in Accounting-Request packets.
Mammoliti, et al. Informational [Page 13]
RFC 4679 DSL Forum RADIUS VSA September 2006
A summary of the Maximum-Data-Rate-Downstream Attribute format is shown below. The fields are transmitted from left to right.
This field is a 4-byte unsigned integer, indicating the numeric value of the subscriber's DSL maximum downstream data rate. The rate is coded in bits per second.
This Attribute contains the subscriber's minimum upstream data rate in low power state, as configured by the operator. It MAY be included in Accounting-Request packets.
A summary of the Minimum-Data-Rate-Upstream-Low-Power Attribute format is shown below. The fields are transmitted from left to right.
137 (0x89) for Minimum-Data-Rate-Upstream-Low-Power
Mammoliti, et al. Informational [Page 14]
RFC 4679 DSL Forum RADIUS VSA September 2006
Vendor-Length
6
Value
This field is a 4-byte unsigned integer, indicating the numeric value of the subscriber's DSL minimum upstream data rate when in low power state (L1/L2). The rate is coded in bits per second.
This Attribute contains the subscriber's minimum downstream data rate in low power state, as configured by the operator. It MAY be included in Accounting-Request packets.
A summary of the Minimum-Data-Rate-Downstream-Low-Power Attribute format is shown below. The fields are transmitted from left to right.
138 (0x8A) for Minimum-Data-Rate-Downstream-Low-Power
Vendor-Length
6
Value
This field is a 4-byte unsigned integer, indicating the numeric value of the subscriber's DSL minimum downstream data rate. The rate is coded in bits per second.
This Attribute contains the subscriber's maximum one-way upstream interleaving delay, as configured by the operator. It MAY be included in Accounting-Request packets.
A summary of the Maximum-Interleaving-Delay-Upstream Attribute format is shown below. The fields are transmitted from left to right.
139 (0x8B) for Maximum-Interleaving-Delay-Upstream
Vendor-Length
6
Value
This field is a 4-byte unsigned integer, indicating the numeric value in milliseconds of the subscriber's DSL maximum one-way upstream interleaving delay.
This Attribute contains the subscriber's maximum one-way downstream interleaving delay, as configured by the operator. It MAY be included in Accounting-Request packets.
A summary of the Maximum-Interleaving-Delay-Downstream Attribute format is shown below. The fields are transmitted from left to right.
141 (0x8D) for Maximum-Interleaving-Delay-Downstream
Mammoliti, et al. Informational [Page 17]
RFC 4679 DSL Forum RADIUS VSA September 2006
Vendor-Length
6
Value
This field is a 4-byte unsigned integer, indicating the numeric value in milliseconds of the subscriber's DSL maximum one-way downstream interleaving delay.
This Attribute describes the encapsulation(s) used by the subscriber on the DSL access loop. It MAY be present in both Access-Request and Accounting-Request packets.
A summary of the Access-Loop-Encapsulation Attribute format is shown below. The fields are transmitted from left to right.
0x00 NA - Not Available 0x01 Untagged Ethernet 0x02 Single-Tagged Ethernet
Encaps 2
0x00 NA - Not Available 0x01 PPPoA LLC 0x02 PPPoA Null 0x03 IPoA LLC 0x04 IPoA Null 0x05 Ethernet over AAL5 LLC with FCS 0x06 Ethernet over AAL5 LLC without FCS 0x07 Ethernet over AAL5 Null with FCS 0x08 Ethernet over AAL5 Null without FCS
The presence of this Attribute indicates that the IWF has been performed with respect to the subscriber's session; note that no data field is necessary. It MAY be included in both Access- Request and Accounting-Request packets.
A summary of the IWF-Session Attribute format is shown below. The fields are transmitted from left to right.
The following table provides a guide to which attributes may be found in which kinds of packets, and in what quantity; note that since none of the DSL Forum VSAs may be present in the Access-Accept, Access- Reject or Access-Challenge packets, those columns have been omitted from the table.
The security of these Attributes relies on an implied trust relationship between the Access Node/DSLAM and the BRAS. The identifiers that are inserted by the Access Node/DSLAM are unconditionally trusted; the BRAS does not perform any validity check on the information received. These Attributes are intended to be used in environments in which the network infrastructure (the Access Node/DSLAM, the BRAS, and the entire network in which those two devices reside) is trusted and secure.
Mammoliti, et al. Informational [Page 21]
RFC 4679 DSL Forum RADIUS VSA September 2006
As used in this document, the word "trusted" implies that unauthorized traffic cannot enter the network except through secured and trusted devices and that all devices internal to the network are secure and trusted. Careful consideration should be given to the potential security vulnerabilities that are present in this model before deploying this option in actual networks.
The Attributes described in this document neither increase nor decrease the security of the RADIUS protocol. For discussions of various RADIUS vulnerabilities, see [RFC2607], [RFC3579], [RFC3162], and [RFC3580].
[ITU.I363-5.1996] International Telecommunications Union, "B-ISDN ATM Adaptation Layer Specification: Type 5 AAL", ITU-T Recommendation I.363.5, August 1996.
[RFC2516] Mamakos, L., Lidl, K., Evarts, J., Carrel, D., Simone, D., and R. Wheeler, "A Method for Transmitting PPP Over Ethernet (PPPoE)", RFC 2516, February 1999.
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy Implementation in Roaming", RFC 2607, June 1999.
[RFC3046] Patrick, M., "DHCP Relay Agent Information Option", RFC 3046, January 2001.
[RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", RFC 3162, August 2001.
Mammoliti, et al. Informational [Page 22]
RFC 4679 DSL Forum RADIUS VSA September 2006
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", RFC 3579, September 2003.
[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", RFC 3580, September 2003.
[RFC4243] Stapp, M., Johnson, R., and T. Palaniappan, "Vendor- Specific Information Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Option", RFC 4243, December 2005.
Mammoliti, et al. Informational [Page 23]
RFC 4679 DSL Forum RADIUS VSA September 2006
Authors' Addresses
Vince Mammoliti Cisco Systems 181 Bay Street, Suite 3400 Toronto, ON M5J 2T3 Canada
EMail: vince@cisco.com
Glen Zorn Cisco Systems 2901 Third Avenue, Suite 600 SEA1/5/ Seattle, WA 98121 USA
Phone: +1 (425) 344 8113 EMail: gwz@cisco.com
Peter Arberg Redback Networks, Inc. 300 Holger Way San Jose, CA 95134 USA
EMail: parberg@redback.com
Robert Rennison ECI Telecom Omega Corporate Center 1300 Omega Drive Pittsburgh, PA 15205 USA
EMail: robert.rennison@ecitele.com
Mammoliti, et al. Informational [Page 24]
RFC 4679 DSL Forum RADIUS VSA September 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions contained in BCP 78 and at www.rfc-editor.org/copyright.html, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).