RADIUS and IPv6 [RFC 3162 translation]

Source: Internet
Author: User


Our project now needs to use RADIUS together with IPv6, and there is relatively little information about this online, so I translated RFC 3162 into Chinese and am sharing it here.
My English is limited, so where the translation is inaccurate, please point it out so that it can be corrected in time.
Original article link

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements.
Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

Abstract

This document specifies the operation of RADIUS (Remote Authentication Dial In User Service) when run over IPv6, as well as the RADIUS attributes used to support IPv6 network access.

1. Introduction

This document specifies the operation of RADIUS [4], [8] over IPv6 [13], as well as the RADIUS attributes used to support IPv6 network access.
Note that a NAS sending a RADIUS Access-Request may not know a priori whether the host will be using IPv4, IPv6, or both. For example, within PPP, LCP occurs prior to IPCP and IPv6CP [11], and address assignment does not occur until after RADIUS authentication and authorization have completed.
Therefore the IPv6 attributes described in this document MAY be sent along with IPv4-related attributes within the same RADIUS message, and the NAS will decide which attributes to use.
The NAS SHOULD only allocate addresses and prefixes that are usable by the client.
For example, there is no need to reserve an IPv4 address for a host that only supports IPv6. Similarly, a host using IPv4 only or 6to4 [12] does not require allocation of an IPv6 prefix.
The NAS can provide IPv6 access natively, or alternatively via other methods such as IPv6 within IPv4 tunnels [15] and 6over4 [14].
The choice of IPv6 access method does not affect RADIUS usage. However, if it is desired that an IPv6-within-IPv4 tunnel be opened to a specific location, then the tunnel attributes described in [6] and [7] SHOULD be used.

1.1. Requirements language
In this document, the key words "MAY", "MUST", "MUST NOT", "OPTIONAL", "RECOMMENDED", "SHOULD", and "SHOULD NOT" are to be interpreted as described in [1].

2. Attributes

2.1. NAS-IPv6-Address

Description:
This Attribute indicates the identifying IPv6 address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server.
NAS-IPv6-Address is only used in Access-Request packets.
NAS-IPv6-Address and/or NAS-IP-Address MAY be present in an Access-Request packet; however, if neither attribute is present then NAS-Identifier MUST be present.
The format of the nas-ipv6-address property is summarized as follows.
The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
               Address             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type
      95 for NAS-IPv6-Address
   Length
      18
   Address
      The Address field is 16 octets.

2.2. Framed-Interface-Id

Description
This Attribute indicates the IPv6 interface identifier to be configured for the user.
It MAY be used in Access-Accept packets.
If the Interface-Identifier IPv6CP option [11] has been successfully negotiated, this Attribute MUST be included in an Access-Request packet as a hint by the NAS to the server that it would prefer that value.
It is RECOMMENDED, but not required, that the server honor the hint.
The following is a summary of the format of the Framework Interface id attribute.
The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |         Interface-Id
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             Interface-Id
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Interface-Id           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type
      96 for Framed-Interface-Id
   Length
      10
   Interface-Id
      The Interface-Id field is 8 octets.

2.3. Framed-IPv6-Prefix

Description
This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user.
It MAY be used in Access-Accept packets, and can appear multiple times.
It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer these prefix(es), but the server is not required to honor the hint.
Since it is assumed that the NAS will plumb a route corresponding to the prefix, it is not necessary for the server to also send a Framed-IPv6-Route attribute for the same prefix.
The format of the framed-ipv6-prefix property is summarized as follows.
The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |  Reserved     | Prefix-Length |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             Prefix
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             Prefix
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             Prefix
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             Prefix                             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type
      97 for Framed-IPv6-Prefix
   Length
      At least 4 and no larger than 20.
   Reserved
      This field, which is reserved and MUST be present, is always set to zero.
   Prefix-Length
      The length of the prefix, in bits. At least 0 and no larger than 128.
   Prefix
      The Prefix field is up to 16 octets in length. Bits outside of the Prefix-Length, if included, MUST be zero.

2.4. Login-IPv6-Host

Description
This Attribute indicates the system with which to connect the user, when the Login-Service Attribute is included.
It MAY be used in Access-Accept packets.
It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that host, but the server is not required to honor the hint.
The format of the login-ipv6-host property is summarized as follows.
The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
               Address             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type
      98 for Login-IPv6-Host
   Length
      18
   Address
      The Address field is 16 octets. The value 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF (all bits set) indicates that the NAS SHOULD allow the user to select an address or name to connect to. The value 0 indicates that the NAS SHOULD select a host to connect the user to. Other values indicate the address the NAS SHOULD connect the user to.

2.5. Framed-IPv6-Route

Description
This Attribute provides routing information to be configured for the user on the NAS.
It is used in the Access-Accept packet and can appear multiple times.
The format of the framed-ipv6-route property is summarized as follows.
The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  Text ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

   Type
      99 for Framed-IPv6-Route
   Length
      >= 3
   Text
      The Text field is one or more octets, and its contents are implementation dependent. It is intended to be human readable and MUST NOT affect operation of the protocol. It is not NUL (hex 00) terminated.
      For IPv6 routes, it SHOULD contain a destination prefix in text form, optionally followed by a slash and a decimal length specifier stating how many high-order bits of the prefix should be used. That is followed by a space, a gateway address in text form, a space, and one or more metrics separated by spaces (in decimal).
      The text form of the prefix and gateway address is as described in [16]. For example, "2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1".
      Whenever the gateway address is the IPv6 unspecified address, the IP address of the user SHOULD be used as the gateway address. The unspecified address can be expressed in any of the acceptable formats described in [16]. For example, "2000:0:0:106::/64 :: 1".

2.6. Framed-IPv6-Pool

Description
This Attribute contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user.
If a NAS does not support multiple prefix pools, the NAS MUST ignore this Attribute.
The format of the framed-ipv6-pool property is summarized as follows.
The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

   Type
      100 for Framed-IPv6-Pool
   Length
      >= 3
   String
      The String field contains the name of an assigned IPv6 prefix pool configured on the NAS. The field is not NUL (hex 00) terminated.

3. Table of Attributes

The following table provides a guide to which attributes may be found in which kinds of packets, and in what quantity.
The entries follow the notation of [4]: 0 means the attribute MUST NOT be present in the packet, 0-1 means zero or one instance MAY be present, and 0+ means zero or more instances MAY be present.

   Request Accept Reject Challenge Accounting  #    Attribute
                                   Request
   0-1     0      0      0         0-1        95   NAS-IPv6-Address
   0-1     0-1    0      0         0-1        96   Framed-Interface-Id
   0+      0+     0      0         0+         97   Framed-IPv6-Prefix
   0+      0+     0      0         0+         98   Login-IPv6-Host
   0       0+     0      0         0+         99   Framed-IPv6-Route
   0       0-1    0      0         0-1        100  Framed-IPv6-Pool
4. References

[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[2] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO 10646", RFC 2044, October 1996.

[3] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy Implementation in Roaming", RFC 2607, June 1999.

[4] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[5] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[6] Zorn, G., Mitton, D. and B. Aboba, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000.

[7] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. and I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June 2000.

[8] Rigney, C., Willats, W. and P. Calhoun, "RADIUS Extensions", RFC 2869, June 2000.

[9] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

[10] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.

[11] Haskin, D. and E. Allen, "IP Version 6 over PPP", RFC 2472, December 1998.

[12] Carpenter, B. and K. Moore, "Connection of IPv6 Domains via IPv4 Clouds", RFC 3056, February 2001.

[13] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.

[14] Carpenter, B. and C. Jung, "Transmission of IPv6 over IPv4 Domains without Explicit Tunnels", RFC 2529, March 1999.

[15] Gilligan, R. and E. Nordmark, "Transition Mechanisms for IPv6 Hosts and Routers", RFC 2893, August 2000.

[16] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 2373, July 1998.

5. Security considerations

This document describes the use of RADIUS for authentication, authorization, and accounting in IPv6-enabled networks.
In such networks the RADIUS protocol may run over IPv4 or IPv6.
Known security vulnerabilities of the RADIUS protocol are described in [3], [4], and [8].
Since IPsec [9] is mandatory to implement for IPv6, it is expected that RADIUS implementations running over IPv6 will typically run over IPsec.
Where RADIUS is run over IPsec and certificates are used for authentication, it may be desirable to avoid management of RADIUS shared secrets, so as to leverage the improved scalability of public key infrastructure.
Within RADIUS, the shared secret is used for hiding attributes such as User-Password [4] and Tunnel-Password [7].
In addition, the shared secret is used in the computation of the Response Authenticator [4] and of the Message-Authenticator attribute [8].
Therefore, in RADIUS, the shared secret is used to provide confidentiality as well as integrity protection and authentication.
As a result, only IPsec ESP with a non-null transform can provide security services sufficient to substitute for RADIUS application-layer security.
Therefore, where IPsec AH or ESP with a null transform is used, it will typically still be necessary to configure a RADIUS shared secret.
However, where RADIUS is run over IPsec ESP with a non-null transform, the secret shared between the NAS and the RADIUS server need not be configured.
In this case, a shared secret of zero length MUST be assumed.
Note that this only holds when the non-null ESP security association actually covers the RADIUS traffic end to end between the NAS and the server: with a zero-length secret, the User-Password hiding and the Response Authenticator provide no confidentiality or integrity on their own, so a RADIUS packet that leaves the ESP tunnel (for example at a proxy) is fully exposed.
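To make concrete what "the shared secret provides confidentiality, integrity protection and authentication" means, and what is lost when a zero-length secret is assumed, the following Python is an added example (not from RFC 3162 or any RADIUS implementation) of the three shared-secret computations the text cites: the User-Password hiding of [4], the Response Authenticator of [4], and the Message-Authenticator HMAC of [8]. The function `eavesdrop_recovers_password` models an on-path observer who sees an Access-Request and tries the zero-length secret; the Request Authenticator, password and secrets are constructed values.

```python
import hashlib
import hmac
import struct

def hide_user_password(password, request_authenticator, secret):
    """RFC 2865 5.2: pad to 16-octet blocks, then c1 = p1 XOR MD5(S+RA), ci = pi XOR MD5(S+c(i-1))."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def unhide_user_password(hidden, request_authenticator, secret):
    """Inverse of hide_user_password: what the server does, and what anyone who
    knows the secret and sees the Access-Request can do."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")

def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()

def verify_response(code, identifier, attributes, request_authenticator, secret, received):
    """True when the Response Authenticator in a reply matches what the secret predicts."""
    expected = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return hmac.compare_digest(expected, received)

def message_authenticator(packet_with_zeroed_value, secret):
    """RFC 2869 5.14: HMAC-MD5 over the whole packet, with the attribute's own
    16-octet value set to zero before hashing. With an empty secret the key is empty."""
    return hmac.new(secret, packet_with_zeroed_value, hashlib.md5).digest()

def eavesdrop_recovers_password(nas_secret):
    """Constructed Access-Request hidden with nas_secret; an on-path observer who
    sees the packet (and so the Request Authenticator) tries the zero-length
    secret that RFC 3162 lets a non-null ESP deployment assume."""
    request_auth = bytes(range(16))       # constructed; real ones must be unpredictable (RFC 2865)
    password = b"correct horse battery"   # constructed
    hidden = hide_user_password(password, request_auth, nas_secret)
    return unhide_user_password(hidden, request_auth, b"") == password
```

With `nas_secret=b""` the observer recovers the password outright, and any Response Authenticator or Message-Authenticator can be forged the same way, since all three computations then depend only on values carried in the packet. This is why the text allows the empty secret only under ESP with a non-null transform: the confidentiality and integrity have to come from IPsec, because nothing in RADIUS itself is left to provide them.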

6. IANA considerations

This document requires the assignment of six new RADIUS attribute numbers for the following attributes:

   NAS-IPv6-Address
   Framed-Interface-Id
   Framed-IPv6-Prefix
   Login-IPv6-Host
   Framed-IPv6-Route
   Framed-IPv6-Pool
