RADIUS Option for DHCPv6 Relay Agent
draft-ietf-dhc-dhcpv6-radius-opt-11
The information below is for an old version of the document.
Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 7037.
|
|
---|---|---|---|
Authors | Leaf Yeh , Mohamed Boucadair | ||
Last updated | 2013-05-17 (Latest revision 2013-04-12) | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Reviews |
GENART Last Call review
by Martin Thomson
Ready w/issues
SECDIR Last Call review
by Tero Kivinen
Has issues
|
||
Additional resources | Mailing list discussion | ||
Stream | WG state | Submitted to IESG for Publication | |
Document shepherd | Tomek Mrugalski | ||
Shepherd write-up | Show Last changed 2013-05-09 | ||
IESG | IESG state | Became RFC 7037 (Proposed Standard) | |
Consensus boilerplate | Unknown | ||
Telechat date | (None) | ||
Responsible AD | Ted Lemon | ||
IESG note | ** No value found for 'doc.notedoc.note' ** | ||
Send notices to | dhc-chairs@tools.ietf.org, draft-ietf-dhc-dhcpv6-radius-opt@tools.ietf.org | ||
IANA | IANA review state | IANA - Review Needed |
draft-ietf-dhc-dhcpv6-radius-opt-11
DHC Working Group L. Yeh Internet-Draft Freelancer Technologies Intended status: Standards Track M. Boucadair Expires: October 14, 2013 France Telecom April 12, 2013 RADIUS Option for DHCPv6 Relay Agent draft-ietf-dhc-dhcpv6-radius-opt-11 Abstract The DHCPv6 RADIUS option provides a mechanism to exchange authorization and identification information between the DHCPv6 relay agent and the DHCPv6 server. This mechanism is meant for the centralized DHCPv6 server to select the right configuration for the requesting DHCPv6 client based on the authorization information received from the RADIUS server, which is not co-located with the DHCPv6 server. The Network Access Server (NAS) acts as DHCPv6 relay agent and RADIUS client simultaneously in this document. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on October 14, 2013. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect Yeh & Boucadair Expires October 14, 2013 [Page 1] Internet-Draft DHCPv6 RADIUS Option April 2013 to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology and Language . . . . . . . . . . . . . . . . . . . 3 3. Network Scenarios . . . . . . . . . . . . . . . . . . . . . . 4 4. DHCPv6 RADIUS option . . . . . . . . . . . . . . . . . . . . . 7 4.1. RADIUS attributes permitted in DHCPv6 RADIUS option . . . 7 5. DHCPv6 Relay Agent Behavior . . . . . . . . . . . . . . . . . 8 6. DHCPv6 Server Behavior . . . . . . . . . . . . . . . . . . . . 8 7. DHCPv6 Client Behavior . . . . . . . . . . . . . . . . . . . . 8 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 11.1. Normative References . . . . . . . . . . . . . . . . . . . 9 11.2. Informative References . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 Yeh & Boucadair Expires October 14, 2013 [Page 2] Internet-Draft DHCPv6 RADIUS Option April 2013 1. Introduction DHCPv6 provides a mechanism that allows the server to assign or delegate both stateful and stateless configuration parameters to the clients. The stateful configuration parameters include IPv6 address [RFC3315] and IPv6 prefix [RFC3633]. The stateless configuration parameters [RFC3736] include, for example, DNS [RFC3646], or a FQDN of AFTR [RFC6334]. In the scenarios described in this document, the DHCPv6 server is deployed in the central part of an ISP network. RADIUS [RFC2865] is widely used as the centralized authentication, authorization and user management mechanism for the service provision in Broadband access network. [RFC3162], [RFC4818], [RFC6519] and [I-D.ietf-radext-ipv6-access] specified attributes that support the service provision for IPv6-only and IPv6-transition access. RADIUS server authorizes the Network Access Server (NAS) to assign an IPv6 address or prefix from the indicated pool, or to assign an IPv6 address or prefix with an explicitly indicated value, and other configuration parameters as per the attributes for the subscribers. These mechanisms work well in the deployment scenarios where the NAS acts as the distributed DHCPv6 server. In that case the NAS directly responds the DHCPv6 messages as per the indication conveyed by the attributes in the Access-Accept message from the RADIUS server. These mechanisms might also work well in the scenario where the centralized DHCPv6 server is co-located with the RADIUS server, where they can share the same database of the users. But when the NAS acts as the relay agent and RADIUS client simultaneously, and the centralized DHCPv6 server is not located in the same place as the RADIUS server, a new communication mechanism is needed for the relay agent to transfer the authorization information indicated by the RADIUS attributes to the DHCPv6 server. 2. Terminology and Language This document specifies a new DHCPv6 option for the DHCPv6 Relay Agent to transfer the authorization information of RADIUS attributes received in the Access-Accept message from the RADIUS server to the centralized DHCPv6 server. Definitions for terms and acronyms not specified in this document are defined in [RFC2865] and [RFC3315]. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Yeh & Boucadair Expires October 14, 2013 [Page 3] Internet-Draft DHCPv6 RADIUS Option April 2013 3. Network Scenarios Figure 1 and Figure 2 show the typical network scenarios where the communication mechanism introduced in this document is necessary. In these scenarios, the centralized DHCPv6 server is not co-located with the RADIUS server, but both of them are in the same administrative domain. The NAS acts as the DHCPv6 relay agent and the RADIUS client simultaneously. Figure 1 shows the sequence of DHCPv6 and RADIUS messages for IP over Ethernet (IPoE) access model, when the access loop adopts the direct Ethernet encapsulation. Figure 2 shows the sequence of DHCPv6 and RADIUS messages for PPP over Ethernet (PPPoE) access model. The mechanism introduced in this document is a generic mechanism, and might also be employed in other network scenarios where the DHCPv6 relay agent and the RADIUS client locate in the same device. Yeh & Boucadair Expires October 14, 2013 [Page 4] Internet-Draft DHCPv6 RADIUS Option April 2013 +-------+ +-------+ +-------+ |DHCPv6 | Access Model: | NAS | |RADIUS | |Client | IPoE | | |Server | +-------+ +-------+ +-------+ RADIUS Client/DHCPv6 Relay Agent | | | |---Solicit---------------->| | | |---Access-Request---------->| | | | | |<--Access-Accept------------| | |(e.g. Delegated-IPv6-Prefix)| | | | DHCPv6 messages RADIUS messages +-------+ |DHCPv6 | |Server | +-------+ | | | | |---Relay-forward----------->| | | (OPTION_RADIUS) | | | | | |<--Relay-reply -------------| |<--Advertise---------------| | | (e.g. IA_PD) | | | | | |---Request---------------->| | | (e.g. IA_PD) |---Relay-forward----------->| | | (OPTION_RADIUS) | | | | | |<--Relay-reply -------------| |" flag is used in the context of RPL. A 6LN operates as a RUL for an IPv6 address iff it sets the "R" flag in the EARO used to register the address. The RPL Router generates a DAO message for the Registered Address upon an NS(EARO) iff the "R" flag in the EARO is set. Conversely, this document specifies the behavior of a RPL Router acting as 6LR that depends on the setting of the "R" flag in the EARO. 3.2.2. TID, I Field and Opaque Fields The EARO also includes a sequence counter called Transaction ID (TID), which maps to the Path Sequence Field found in Transit Options in RPL DAO messages. This is the reason why the support of [RFC8505] by the RUL as opposed to only [RFC6775] is a prerequisite for this specification (more in Section 6.1). The EARO also transports an Opaque field and an "I" field that describes what the Opaque field transports and how to use it. Section 9.2.1 specifies the use of the "I" field and of the Opaque field by a RUL. 3.2.3. ROVR Section 5.3. of [RFC8505] introduces the Registration Ownership Verifier (ROVR) field of variable length from 64 to 256 bits. The ROVR is a replacement of the EUI-64 in the ARO [RFC6775] that was used to identify uniquely an Address Registration with the Link-Layer address of the owner, but provided no protection against spoofing. "Address Protected Neighbor Discovery for Low-power and Lossy Networks" [AP-ND] leverages the ROVR field as a cryptographic proof of ownership to prevent a rogue third party from misusing the address. [AP-ND] adds a challenge/response exchange to the [RFC8505] Address Registration and enables Source Address Validation by a 6LR that will drop packets with a spoofed address. This specification does not address how the protection by [AP-ND] could be extended to RPL. On the other hand, it adds the ROVR to the DAO to build the proxied EDAR at the Root, which means that nodes that are aware of the Host route to the 6LN are now aware of the associated ROVR as well. Thubert & Richardson Expires 18 June 2020 [Page 8] Internet-Draft RPL Unaware Leaves December 2019 3.3. RFC 8505 Extended DAR/DAC [RFC8505] updates the periodic DAR/DAC exchange that takes place between the 6LR and the 6LBR using Extended DAR/DAC messages. The Extended Duplicate Address messages can carry a ROVR field of variable size. The periodic EDAR/EDAC exchange is triggered by a NS(EARO) message and is intended to create and then refresh the corresponding state in the 6LBR for a lifetime that is indicated by the 6LN. Conversely, RPL [RFC6550] specifies a periodic DAO from the 6LN all the way to the Root that maintains the routing state in the RPL network for a lifetime that is indicated by the source of the DAO. This means that there are two periodic messages that traverse the whole network to indicate that an address is still reachable, one to the Root and one to the 6LBR. This specification saves the support of RPL in a 6LN called a RUL and avoids an extraneous periodic flow across the LLN. The RUL only needs to perform a [RFC8505] Address Registration to the 6LR. The 6LR turns it into a DAO message to the Root on behalf of the RUL. Upon the new DAO, the Root proxies the EDAR exchange to the 6LBR on behalf of the 6LR. This is illustrated in Figure 5. 4. Updating RFC 6550 This document specifies a new behavior whereby a 6LR injects DAO messages for unicast addresses (see Section 9) and multicast addresses (see Section 10) on behalf of leaves that are not aware of RPL. The Targets are exposed as External addresses. An IP-in-IP encapsulation that terminates at the border 6LR is used to remove RPL artifacts and compression techniques that may not be processed correctly outside of the RPL domain. This document also synchronizes the liveness monitoring at the Root and the 6LBR. A same value of lifetime is used for both, and a single heartbeat message, the RPL DAO, traverses the RPL network. A new behavior is introduced whereby the RPL Root proxies the EDAR message to the 6LBR on behalf of the 6LR (more in Section 5), for any 6LN, RUL or RAN. RPL defines a configuration option that is registered to IANA in section 20.14. of [RFC6550]. This specification defines a new flag "Root Proxies EDAR/EDAC" (P) that is encoded in one of the reserved control bits in the option. The new flag is set to indicate that the Root performs the proxy operation and that all nodes in the network must refrain from renewing the 6LBR state directly. The bit position of the "P" flag is indicated in Section 12.1. Thubert & Richardson Expires 18 June 2020 [Page 9] Internet-Draft RPL Unaware Leaves December 2019 Section 6.3.1. of [RFC6550] defines a 3-bit Mode of Operation (MOP) in the DIO Base Object. The new "P" flag is defined only for MOP value between 0 to 6. For a MOP value of 7 or above, the flag MAY indicate something different and MUST NOT be interpreted as "Root Proxies EDAR/EDAC" unless the specification of the MOP indicates to do so. The RPL Status defined in section 6.5.1. of [RFC6550] for use in the DAO-Ack message is extended to be used in the DCO messages [EFFICIENT-NPDAO] as well. Furthermore, this specification enables to use a RPL Status to transport the IPv6 ND Status defined for use in the EARO, more in Section 7. Section 6.7. of [RFC6550] introduces the RPL Control Message Options such as the RPL Target Option that can be included in a RPL Control Message such as the DAO. Section 8 updates the RPL Target Option to optionally transport the ROVR used in the IPv6 Registration (see Section 3.2.3) so the RPL Root can generate a full EDAR Message. 5. Updating RFC 8505 This document updates [RFC8505] to introduce a keep-alive EDAR message and a keep-alive NS(EARO) message. The keep-alive messages are used for backward compatibility, when the DAO does not transport a ROVR as specified in Section 8. The keep-alive messages have a zero ROVR field and can only be used to refresh a pre-existing state associated to the Registered Address. More specifically, a keep- alive message can only increase the lifetime and/or increment the TID of the existing state in a 6LBR. Upon the renewal of a 6LoWPAN ND Address Registration, this specification changes the behavior of a RPL Router acting as 6LR for the Address Registration as follows. If the Root indicates the capability to proxy the EDAR/EDAC exchange to the 6LBR then the 6LR refrains from sending an EDAR message; if the Root is separated from the 6LBR, the Root regenerates the EDAR message to the 6LBR upon a DAO message that signals the liveliness of the Address. 6. Requirements on the RPL-Unware Leaf This document provides RPL routing for a RUL, that is a 6LN acting as an IPv6 Host and not aware of RPL. Still, a minimal RPL-independent functionality is required from the RUL in order to obtain routing services from the 6LR. Thubert & Richardson Expires 18 June 2020 [Page 10] Internet-Draft RPL Unaware Leaves December 2019 6.1. Support of 6LoWPAN ND In order to obtain routing services from a RPL 6LR, a RUL MUST implement [RFC8505] and set the "R" flag in the EARO option. The RUL MUST register to all the 6LRs from which it expects to get routing services. The Address Registrations SHOULD be performed in a rapid sequence, using the exact same EARO for a same Address. Gaps between the Address Registrations will invalidate some of the routes till the Address Registration finally shows on those routes as well. [RFC8505] introduces error Status values in the NA(EARO) which can be received synchronously upon an NS(EARO) or asynchronously. The RUL MUST support both cases and refrain from using the Registered Address as specified by [RFC8505] depending on the Status value. A RUL SHOULD support [AP-ND] to protect the ownership of its addresses. 6.2. External Routes and RPL Artifacts Section 4.1. of [USEofRPLinfo] provides a set of rules that MUST be followed when forwarding packets over an external route: RPL data packets are often encapsulated using IP-in-IP and in Non- Storing Mode, packets going down will carry an SRH as well. RPL data packets also typically carry a Hop-by-Hop Header to transport a RPL Packet Information (RPI) [RFC6550]. These additional headers are called RPL artifacts. When IP-in-IP is used and the outer headers terminate at a 6LR down the path (see Figure 9 for the compressed format in Storing Mode), then the 6LR decapsulates the IP-in-IP and the packet that is forwarded to the external destination is free of RPL artifacts - but possibly an RPI if packet was generated by a RAN in the same RPL domain as the destination RUL. Non-Storing Mode DAO messages are used to signal external routes to the Root, even if the DODAG is operated in Storing Mode. This enables to advertise the 6LR that injects the route for use as tunnel endpoint in the data path. For all external routes, the Root should use an IP-in-IP tunnel to that 6LR, with the RPL artifacts in the outer header to be stripped by the 6LR. The IP-in-IP encapsulation may be avoided in Storing Mode if the path to the external destination beyond the 6LR is known to handle or ignore the RPL artifacts properly [RFC8200]. Thubert & Richardson Expires 18 June 2020 [Page 11] Internet-Draft RPL Unaware Leaves December 2019 A RUL is an example of a destination that is reachable via an external (Host) route for which IP-in-IP tunneling may be avoided as it ignores the RPI and the consumed SRH artifacts. The use of non- Storing Mode signaling in Storing Mode and the associated IP-in-IP encapsulation are transparent to intermediate Routers that only see packets back and forth between the Root and the 6LR and do not need a special support for external routes. The RUL may not support IP-in-IP tunneling [RFC8504], so if IP-in-IP is used, and unless the Root as a better knowledge, the tunnel should terminate at the 6LR that injected the external route to the RUL. Additionally, the RUL is not expected to support the compression method defined in [RFC8138]. The 6LR that injected the route MUST uncompress the packet before forwarding over an external route, even when delivering to a RUL, even when it is not the destination in the outer header of the incoming packet, unless configured to do otherwise. 6.2.1. Support of the HbH Header A RUL is expected to process an unknown Option Type in a Hop-by-Hop Header as prescribed by section 4.2 of [RFC8200]. This means in particular that an RPI with an Option Type of 0x23 [USEofRPLinfo] is ignored when not understood. 6.2.2. Support of the Routing Header A RUL is expected to process an unknown Routing Header Type as prescribed by section 4.4 of [RFC8200]. This means in particular that Routing Header with a Routing Type of 3 [RFC6553] is ignored when the Segments Left is zero, and dropped otherwise. 6.2.3. Support of IPv6 Encapsulation Section 2.1 of [USEofRPLinfo] sets the rules for forwarding IP-in-IP either to the final 6LN or to a parent 6LR. In order to enable IP- in-IP to the 6LN in Non-Storing Mode, the 6LN must be able to decapsulate the tunneled packet and either drop the inner packet if it is not the final destination, or pass it to the upper layer for further processing. Unless it is aware that the RUL can handle IP- in-IP properly, the Root that encapsulates a packet to a RUL terminates the IP-in-IP tunnel at the parent 6LR . For that reason, it is beneficial but not necessary for a RUL to support IP-in-IP. Thubert & Richardson Expires 18 June 2020 [Page 12] Internet-Draft RPL Unaware Leaves December 2019lt;--Reply-------------------| | | (e.g. IA_PD) | | | | | DHCPv6 messages DHCPv6 messages Figure 1: Network scenario and message sequence when employing DHCPv6 RADIUS option in IPoE access Yeh & Boucadair Expires October 14, 2013 [Page 5] Internet-Draft DHCPv6 RADIUS Option April 2013 +-------+ +-------+ +-------+ |DHCPv6 | Access Model: | NAS | |RADIUS | |Client | PPPoE | | |Server | +-------+ +-------+ +-------+ RADIUS Client/DHCPv6 Relay Agent | | | |--PPP LCP Config-Request-->| | | |---Access-Request---------->| | | | | |<--Access-Accept------------| |<----PPP LCP Config-ACK----|(e.g. Delegated-IPv6-Prefix)| | | | PPP messages RADIUS messages +-------+ |DHCPv6 | |Server | +-------+ | | | |---Solicit---------------->| | | |---Relay-forward----------->| | | (OPTION_RADIUS) | | | | | |<--Relay-reply -------------| |<--Advertise---------------| | | (e.g. IA_PD) | | | | | |---Request---------------->| | | (e.g. IA_PD) |---Relay-forward----------->| | | (OPTION_RADIUS) | | | | |<--Relay-reply -------------| |<--Reply-------------------| | | (e.g. IA_PD) | | | | | DHCPv6 messages DHCPv6 messages Figure 2: Network scenario and message sequence when employing DHCPv6 RADIUS option in PPPoE access If the authentication or the authorization through RADIUS fails, the associated message sequences will stop. The NAS acting as the DHCPv6 relay agent will not forward the message received from the client to the DHCPv6 server. If the authentication or the authorization through RADIUS passes, the NAS MUST store the information indicated Yeh & Boucadair Expires October 14, 2013 [Page 6] Internet-Draft DHCPv6 RADIUS Option April 2013 in the RADIUS attributes received in the Access-Accept message from the RADIUS server during the whole session. How the NAS manages these information during the RADIUS session is out of the scope of this document. After receiving RENEW (5) message from the DHCPv6 client, the NAS SHOULD NOT initiate a new Access-Request/Access-Accept message exchange with the RADIUS server; but after receiving REBIND (6) message from the DHCPv6 client, the NAS SHOULD initiate a new Access- Request/Access-Accept message exchange with the RADIUS server. 4. DHCPv6 RADIUS option The OPTION_RADIUS is a DHCPv6 option used by the DHCPv6 relay agent to carry the authorization information of RADIUS attributes received in the Access-Accept message from the RADIUS server. The format of the OPTION_RADIUS option is defined as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OPTION_RADIUS | option-len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | option-data (List of RADIUS Attributes) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ option-code TBD option-len Length of the option-data in octets option-data List of one or more RADIUS attributes The option-data of OPTION_RADIUS is a list of one or more RADIUS attributes received in the Access-Accept message from the RADIUS server. The OPTION_RADIUS can only contain the RADIUS attributes listed in the IANA Registry of 'RADIUS attributes permitted in DHCPv6 RADIUS option'. According to the network scenarios described in section 3, the OPTION_RADIUS SHOULD appear in the RELAY-FORW (12) message relaying SOLICIT (1), REQUEST (3) and REBIND (6) from the DHCPv6 client, and MAY appear in the RELAY-FORW (12) relaying any other message from the DHCPv6 client. 4.1. RADIUS attributes permitted in DHCPv6 RADIUS option The RADIUS attributes listed in the below table are recommended as the first batch of attributes in the IANA Registry of 'RADIUS Yeh & Boucadair Expires October 14, 2013 [Page 7] Internet-Draft DHCPv6 RADIUS Option April 2013 attributes permitted in DHCPv6 RADIUS option'. New RADIUS attributes MAY be added to this list after the IETF Expert Review [RFC5226]. Type Code Attribute Reference 26 Vendor-Specific [RFC2865] 123 Delegated-IPv6-Prefix [RFC4818] 144 DS-Lite-Tunnel-Name [RFC6519] 168 Framed-IPv6-Address [I-D.ietf-radext-ipv6-access] 169 DNS-Server-IPv6-Address [I-D.ietf-radext-ipv6-access] 171 Delegated-IPv6-Prefix-Pool [I-D.ietf-radext-ipv6-access] 172 Stateful-IPv6-Address-Pool [I-D.ietf-radext-ipv6-access] Note: The RADIUS attribute's 'Length' defined in section 5 of [RFC2865] includes the length of 'Type' and 'Length' fields. 5. DHCPv6 Relay Agent Behavior The DHCPv6 relay agent MAY include OPTION_RADIUS in the RELAY-FORW (12) message. When the value in the attributes, for example, Delegated-IPv6-Prefix-Pool (171), Stateful-IPv6-Address-Pool (172), Delegated-IPv6-Prefix (123) or Framed-IPv6-Address (168) in the Access-Accept message replied from RADIUS server are valid, the relay agent that supports OPTION_RADIUS SHOULD include these RADIUS attributes into the OPTION_RADIUS one by one. 6. DHCPv6 Server Behavior Upon receipt of the RELAY-FORW (12) message with OPTION_RADIUS from a relay agent, the DHCPv6 server that supports OPTION_RADIUS SHOULD extract and interpret the RADIUS attributes in the OPTION_RADIUS, and use that information in selecting configuration parameters for the requesting client. If the DHCPv6 server does not support OPTION_RADIUS, the DHCPv6 server MUST silently discard this option. 7. DHCPv6 Client Behavior OPTION_RADIUS is only exchanged between the relay agents and the servers. DHCPv6 clients are not aware of the usage of OPTION_RADIUS. DHCPv6 client MUST NOT send OPTION_RADIUS, and MUST ignore OPTION_RADIUS if received. 8. Security Considerations Known security vulnerabilities of the DHCPv6 and RADIUS protocol may Yeh & Boucadair Expires October 14, 2013 [Page 8] Internet-Draft DHCPv6 RADIUS Option April 2013 apply to its options. Security issues related with DHCPv6 are described in section 23 of [RFC3315]. Security issues related with RADIUS are described in section 8 of [RFC2865], section 5 of [RFC3162]. The mechanism described in this document may introduce new attack vector against the DHCPv6 server in case the DHCPv6 relay agent is compromised. By forging the RADIUS attributes contained in the OPTION_RADIUS of the RELAY-FORW (12) messages, the attacker may influence the parameter assignment on the DHCPv6 server for the DHCPv6 clients. However, in the network scenarios described in the section 3, NAS could always be regarded as a trusted network component in the real deployment. 9. IANA Considerations This document requests to assign a new DHCPv6 option code for OPTION_RADIUS defined in section 4, and to create a new registry on the same assignment page, which is entitled as 'RADIUS attributes permitted in DHCPv6 RADIUS option' defined in section 4.1. The new registry will enumerate the RADIUS Attributes Types (http://www.iana.org/assignments/radius-types/radius-types.xml) that are permitted to be included in the DHCPv6 RADIUS option. New RADIUS attributes MAY be added to this list after the IETF Expert Review [RFC5226]. The IETF expert review SHOULD include careful consideration of the security implications of allowing the relay agent to include the RADIUS attribute being considered for addition to this registry. 10. Acknowledgements Thanks to Tomek Mrugalski, Bernie Volz, Gaurav Halwasia and Roberta Maglione for their thorough review comments in the mailing list of DHC working group, to Ted Lemon for his continuous encouragement and technical guidance. 11. References 11.1. Normative References [I-D.ietf-radext-ipv6-access] Dec, W., Sarikaya, B., Zorn, G., Miles, D., and B. Lourdelet, "RADIUS attributes for IPv6 Access Networks", draft-ietf-radext-ipv6-access-16 (work in progress), February 2013. Yeh & Boucadair Expires October 14, 2013 [Page 9] Internet-Draft DHCPv6 RADIUS Option April 2013 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. [RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix Attribute", RFC 4818, April 2007. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. [RFC6519] Maglione, R. and A. Durand, "RADIUS Extensions for Dual- Stack Lite", RFC 6519, February 2012. 11.2. Informative References [RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", RFC 3162, August 2001. [RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6", RFC 3633, December 2003. [RFC3646] Droms, R., "DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646, December 2003. [RFC3736] Droms, R., "Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6", RFC 3736, April 2004. [RFC6334] Hankins, D. and T. Mrugalski, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Option for Dual-Stack Lite", RFC 6334, August 2011. Yeh & Boucadair Expires October 14, 2013 [Page 10] Internet-Draft DHCPv6 RADIUS Option April 2013 Authors' Addresses Leaf Y. Yeh Freelancer Technologies P. R. China Email: leaf.yeh.sdo@gmail.com Mohamed Boucadair France Telecom France Email: mohamed.boucadair@orange.com Yeh & Boucadair Expires October 14, 2013 [Page 11]