Internet Engineering Task Force (IETF) L. Yeh Request for Comments: 7037 Freelancer Technologies Category: Standards Track M. Boucadair ISSN: 2070-1721 France Telecom October 2013
RADIUS Option for the DHCPv6 Relay Agent
Abstract
The DHCPv6 RADIUS option provides a mechanism to exchange authorization and identification information between the DHCPv6 relay agent and DHCPv6 server. This architecture assumes that the Network Access Server (NAS) acts as both a DHCPv6 relay agent and RADIUS client. When receiving messages from the DHCPv6 clients, the NAS consults the RADIUS server and adds the RADIUS response when forwarding the DHCPv6 client's messages to the DHCPv6 server. The DHCPv6 server then uses that additional information to generate an appropriate response to the DHCPv6 client's requests.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7037.
Yeh & Boucadair Standards Track [Page 1]
RFC 7037 DHCPv6 RADIUS Option October 2013
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
DHCPv6 provides a mechanism that allows the server to assign or delegate both stateful and stateless configuration parameters to clients. The stateful configuration parameters include IPv6 addresses [RFC3315] and IPv6 prefixes [RFC3633]. The stateless configuration parameters [RFC3736] include, for example, DNS [RFC3646], or a Fully Qualified Domain Name (FQDN) of an Address Family Transition Router (AFTR) [RFC6334]. In the scenarios described in this document, the DHCPv6 server is deployed in the central part of an ISP network.
RADIUS [RFC2865] is widely used as the centralized authentication, authorization, and user management mechanism for service provision in a Broadband access network. [RFC3162], [RFC4818], [RFC6519], and [RFC6911] specify the attributes that support the service provision
Yeh & Boucadair Standards Track [Page 2]
RFC 7037 DHCPv6 RADIUS Option October 2013
for IPv6-only and IPv6-transition access. The RADIUS server authorizes the Network Access Server (NAS) to assign an IPv6 address or prefix from the indicated pool, or to assign an IPv6 address or prefix with an explicitly indicated value, and to indicate other configuration parameters as per the RADIUS attributes for the subscribers.
When the NAS acts as the distributed DHCPv6 server and RADIUS client simultaneously, it communicates with the RADIUS server after receiving a request from the DHCPv6 client. Upon receiving the Access-Accept message from the RADIUS server, the NAS then responds to the DHCPv6 client's requests per the associated authorization information indicated by the RADIUS attributes in the Access-Accept message. When NAS acts as the DHCPv6 relay agent and RADIUS client simultaneously, and the centralized DHCPv6 server is co-located with the RADIUS server, they may share the same database of users. However, when the centralized DHCPv6 server is not located in the same place as the RADIUS server, a new communication mechanism is needed for the DHCPv6 relay agent to transfer the authorization information indicated by the RADIUS attributes to the DHCPv6 server.
This document specifies a new DHCPv6 option for the DHCPv6 Relay Agent to transfer the authorization information of RADIUS attributes received in the Access-Accept message from the RADIUS server to the centralized DHCPv6 server. Definitions for terms and acronyms not specified in this document are defined in [RFC2865] and [RFC3315].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Figures 1 and 2 show the typical network scenarios where the communication mechanism introduced in this document is necessary. In these scenarios, the centralized DHCPv6 server is not co-located with the RADIUS server, but both are in the same administrative domain. The NAS acts as the DHCPv6 relay agent and the RADIUS client simultaneously. Figure 1 shows the sequence of DHCPv6 and RADIUS messages for the IP over Ethernet (IPoE) access model, when the access loop adopts the direct Ethernet encapsulation. Figure 2 shows the sequence of DHCPv6 and RADIUS messages for the PPP over Ethernet (PPPoE) access model.
Yeh & Boucadair Standards Track [Page 3]
RFC 7037 DHCPv6 RADIUS Option October 2013
The mechanism introduced in this document is a generic mechanism and might also be employed in other network scenarios where the DHCPv6 relay agent and the RADIUS client are located in the same device.
Figure 2: Network Scenario and Message Sequence When Employing DHCPv6 RADIUS Option in PPPoE Access
If the authentication or the authorization through RADIUS fails, the associated message sequences will stop. The NAS acting as the DHCPv6 relay agent will not forward the message received from the client to the DHCPv6 server. If the authentication or the authorization through RADIUS passes, the NAS MUST store the information indicated
Yeh & Boucadair Standards Track [Page 5]
RFC 7037 DHCPv6 RADIUS Option October 2013
in the RADIUS attributes received in the Access-Accept message from the RADIUS server during the whole session. How the NAS manages this information during the RADIUS session is out of the scope of this document.
After receiving a RENEW (5) message from the DHCPv6 client, the NAS SHOULD NOT initiate a new Access-Request/Access-Accept message exchange with the RADIUS server. After receiving a REBIND (6) message from the DHCPv6 client, the NAS MUST initiate a new Access- Request/Access-Accept message exchange with the RADIUS server, unless RADIUS capability is disabled on the NAS.
The OPTION_RADIUS is a DHCPv6 option used by the DHCPv6 relay agent to carry the authorization information of RADIUS attributes received in the Access-Accept message from the RADIUS server.
The format of the OPTION_RADIUS option is defined as follows:
option-code 81 option-len Length of the option-data in octets option-data List of one or more RADIUS attributes
The option-data of OPTION_RADIUS is a list of one or more RADIUS attributes received in the Access-Accept message from the RADIUS server. The format of RADIUS attributes is defined in Section 5 of [RFC2865] as well as Sections 2.1 and 2.2 of [RFC6929]. If multiple attributes with the same type (including the Long Extended Type defined in Section 2.2 of [RFC6929]) are present, the order of attributes with the same type MUST be the same as that received from the RADIUS server. The OPTION_RADIUS can only contain the RADIUS attributes listed in the "RADIUS Attributes Permitted in DHCPv6 RADIUS Option" registry.
Yeh & Boucadair Standards Track [Page 6]
RFC 7037 DHCPv6 RADIUS Option October 2013
According to the network scenarios described in Section 3, the OPTION_RADIUS should appear in the RELAY-FORW (12) message relaying SOLICIT (1), REQUEST (3), and REBIND (6) from the DHCPv6 client and may appear in the RELAY-FORW (12) relaying any other message from the DHCPv6 client.
4.1. RADIUS Attributes Permitted in DHCPv6 RADIUS Option
The RADIUS attributes listed in the following table are the initial attributes registered in the "RADIUS Attributes Permitted in DHCPv6 RADIUS Option" registry. New RADIUS attributes can be added to this list after Expert Review [RFC5226].
If the Relay Agent is configured to send OPTION_RADIUS, and the Access-Accept message from the RADIUS server contained RADIUS attributes permitted for use in OPTION_RADIUS, the Relay Agent MUST include OPTION_RADIUS in the RELAY-FORW (12) message. The DHCPv6 relay agent adds the permitted RADIUS attributes into OPTION_RADIUS one by one; if multiple attributes with the same type are present, the order of attributes with the same type MUST be the same as that received from the RADIUS server.
Upon receipt of the RELAY-FORW (12) message with OPTION_RADIUS from a relay agent, the DHCPv6 server that supports OPTION_RADIUS SHOULD extract and interpret the RADIUS attributes in the OPTION_RADIUS and use that information to select configuration parameters for the requesting client. If the DHCPv6 server does not support OPTION_RADIUS, the DHCPv6 server MUST silently discard this option.
OPTION_RADIUS is only exchanged between the relay agents and the servers. DHCPv6 clients are not aware of the usage of OPTION_RADIUS. DHCPv6 clients MUST NOT send OPTION_RADIUS and MUST ignore OPTION_RADIUS if received.
Known security vulnerabilities of the DHCPv6 and RADIUS protocols may apply to their options. Security issues related with DHCPv6 are described in Section 23 of [RFC3315]. Security issues related with RADIUS are described in Section 8 of [RFC2865], Section 5 of [RFC3162], and Section 11 of [RFC6929].
The mechanism described in this document may introduce a new attack vector against the DHCPv6 server in cases where the DHCPv6 relay agent is compromised. By forging the RADIUS attributes contained in the OPTION_RADIUS of the RELAY-FORW (12) messages, the attacker may influence the parameter assignment on the DHCPv6 server for the DHCPv6 clients. However, as described in the Section 3, NAS always belongs to the same administrative domain of the DHCPv6 server in the real deployment.
Network administrators should be aware that although RADIUS messages are encrypted, DHCPv6 messages are always unencrypted. It is possible that some RADIUS vendor-specific attributes might contain sensitive or confidential information. Network administrators are strongly advised to prevent such information from being included in DHCPv6 messages.
If the use of vendor-specific attributes with confidential content is required, administrators are advised to use IPsec with encryption to protect the confidentiality of the RADIUS attributes. Relay agents and servers implementing this specification MUST support the use of IPsec Encapsulating Security Payload (ESP) with encryption in transport mode, according to Section 3.1.1 of [RFC4303] and Section 21.1 of [RFC3315].
IANA has assigned OPTION_RADIUS (81) in the "DHCP Option Codes" registry, as defined in Section 4. In addition, IANA has created a new registry entitled "RADIUS Attributes Permitted in DHCPv6 RADIUS Option" in the "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" registry, as defined in Section 4.1. The new registry enumerates the RADIUS Attributes Types (http://www.iana.org/assignments/radius-types) that are permitted for
Yeh & Boucadair Standards Track [Page 8]
RFC 7037 DHCPv6 RADIUS Option October 2013
inclusion in the DHCPv6 RADIUS option. The allocation policy of this "RADIUS Attributes Permitted in DHCPv6 RADIUS Option" registry is Expert Review per [RFC5226]. Designated experts should carefully consider the security implications of allowing the relay agent to include new RADIUS attributes to this registry.
Thanks to Tomek Mrugalski, Bernie Volz, Gaurav Halwasia, and Roberta Maglione for their thorough review comments in the DHC working group mailing list. Thanks also to Ted Lemon for his continuous encouragement and technical guidance.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.