Internet Engineering Task Force (IETF)                       W. Dec, Ed.
Request for Comments: 6911                           Cisco Systems, Inc.
Category: Standards Track                                    B. Sarikaya
ISSN: 2070-1721                                               Huawei USA
                                                            G. Zorn, Ed.
                                                             Network Zen
                                                                D. Miles
                                                                  Google
                                                            B. Lourdelet
                                                        Juniper Networks
                                                              April 2013
RADIUS Attributes for IPv6 Access Networks
Abstract
This document specifies additional IPv6 RADIUS Attributes useful in residential broadband network deployments. The Attributes, which are used for authorization and accounting, enable assignment of a host IPv6 address and an IPv6 DNS server address via DHCPv6, assignment of an IPv6 route announced via router advertisement, assignment of a named IPv6 delegated prefix pool, and assignment of a named IPv6 pool for host DHCPv6 addressing.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6911.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
   1.1. Requirements Language
2. Deployment Scenarios
   2.1. IPv6 Address Assignment
   2.2. DNS Servers
   2.3. IPv6 Route Information
   2.4. Delegated IPv6 Prefix Pool
   2.5. Stateful IPv6 Address Pool
3. Attributes
   3.1. Framed-IPv6-Address
   3.2. DNS-Server-IPv6-Address
   3.3. Route-IPv6-Information
   3.4. Delegated-IPv6-Prefix-Pool
   3.5. Stateful-IPv6-Address-Pool
   3.6. Table of Attributes
4. Diameter Considerations
5. Security Considerations
6. IANA Considerations
7. Acknowledgments
8. References
   8.1. Normative References
   8.2. Informative References
This document specifies additional RADIUS Attributes used to support configuration of DHCPv6 and/or ICMPv6 Router Advertisement (RA) parameters on a per-user basis. The Attributes, which complement those defined in [RFC3162] and [RFC4818], support the following:
o The assignment of specific IPv6 addresses to hosts via DHCPv6.
o The assignment of an IPv6 DNS server address, via DHCPv6 or Router Advertisement [RFC6106].
o The configuration of more specific routes to be announced to the user via the Route Information Option defined in [RFC4191], Section 2.3.
o The assignment of a named delegated prefix pool for use with "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6" [RFC3633].
o The assignment of a named stateful address pool for use with DHCPv6 stateful address assignment [RFC3315].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
The extensions in this document are intended to be applicable across a wide variety of network access scenarios in which RADIUS is involved. One such typical network scenario is illustrated in Figure 1. It is composed of an IP Routing Residential Gateway (RG) or host; a Layer 2 Access Node (AN), e.g., a Digital Subscriber Line Access Multiplexer (DSLAM); an IP Network Access Server (NAS) (incorporating an Authentication, Authorization, and Accounting (AAA) client); and a AAA server.
                                              +-----+
                                              | AAA |
                                              |     |
                                              +--+--+
                                                 ^
                                                 .
                                                 .(RADIUS)
                                                 .
                                                 v
               +------+                      +---+---+
+------+       |      |                      |       |
|  RG/ +-------|  AN  +-----------+----------+  NAS  |
| host |       |      |                      |       |
+------+ (DSL) +------+      (Ethernet)      +-------+
Figure 1
In the depicted scenario, the NAS may utilize an IP address configuration protocol (e.g., DHCPv6) to handle address assignment to RGs/hosts. The RADIUS server authenticates each RG/host and returns the Attributes used for authorization and accounting. These Attributes can include a host's IPv6 address, a DNS server address, and a set of IPv6 routes to be advertised via any suitable protocol, e.g., ICMPv6 (Neighbor Discovery). The name of a prefix pool to be used for DHCPv6 Prefix Delegation or the name of an address pool to be used for DHCPv6 address assignment can also be Attributes provided to the NAS by the RADIUS AAA server.
The following subsections discuss how these Attributes are used in more detail.
DHCPv6 [RFC3315] provides a mechanism to assign one or more non-temporary IPv6 addresses to hosts. To provide a DHCPv6 server residing on a NAS with one or more IPv6 addresses to be assigned, this document specifies the Framed-IPv6-Address Attribute (Section 3.1).
While [RFC3162] permits the specification of an IPv6 address via the combination of the Framed-Interface-Id and Framed-IPv6-Prefix Attributes, this separation is more natural for use with PPP's IPv6 Control Protocol than it is for use with DHCPv6, and the use of a single IPv6 address Attribute makes for easier processing of accounting records.
Because DHCPv6 can be deployed on the same network as ICMPv6 stateless address autoconfiguration (SLAAC) [RFC4862], it is possible that the NAS will require both stateful and stateless configuration information. Therefore, it is possible for the Framed-IPv6-Address, Framed-IPv6-Prefix, and Framed-Interface-Id Attributes [RFC3162] to be included within the same packet. To avoid ambiguity in this case, the Framed-IPv6-Address Attribute is intended for authorization and accounting of DHCPv6-assigned addresses, and the Framed-IPv6-Prefix and Framed-Interface-Id Attributes are used for authorization and accounting of addresses assigned via SLAAC.
DHCPv6 provides an option for configuring a host with the IPv6 address of a DNS server. The IPv6 address of a DNS server can also be conveyed to the host using ICMPv6 with Router Advertisements, via the Recursive DNS Server Option [RFC6106]. To provide the NAS with the IPv6 address of one or more DNS servers, this document specifies the DNS-Server-IPv6-Address Attribute (Section 3.2).
The IPv6 Route Information Option [RFC4191] is intended to be used to inform a host connected to the NAS that a specific route is reachable via any given NAS.
This document specifies the Route-IPv6-Information Attribute (Section 3.3) that allows the AAA server to provision the announcement by the NAS of a specific Route Information Option to an accessing host. The NAS may advertise this route using the method defined in RFC 4191 or other equivalent methods. Any other information, such as preference or lifetime values, that is to be present in the actual announcement using a given method is assumed to be determined by the NAS using means not specified by this document (e.g., local configuration on the NAS).
While the Framed-IPv6-Prefix Attribute ([RFC3162], Section 2.3) allows the route to be advertised in an RA, it cannot be used to configure more specific routes. While the Framed-IPv6-Route Attribute ([RFC3162], Section 2.5) causes the route to be configured on the NAS and potentially to be announced via an IP routing protocol, depending on the value of Framed-Routing, it does not result in the route being announced in an RA.
DHCPv6 Prefix Delegation (DHCPv6-PD) [RFC3633] involves a delegating router selecting a prefix and delegating it on a temporary basis to a requesting router. The delegating router may implement a number of strategies as to how it chooses what prefix is to be delegated to a requesting router, one of them being the use of a local named prefix pool. The Delegated-IPv6-Prefix-Pool Attribute (Section 3.4) allows the RADIUS server to convey a prefix pool name to a NAS that is hosting a DHCPv6-PD server and that is acting as a delegating router.
Because DHCPv6 Prefix Delegation can be used with SLAAC on the same network, it is possible for the Delegated-IPv6-Prefix-Pool and Framed-IPv6-Pool Attributes to be included within the same packet. To avoid ambiguity in this scenario, use of the Delegated-IPv6-Prefix-Pool Attribute should be restricted to authorization and accounting of prefix pools used in DHCPv6 Prefix Delegation, and the Framed-IPv6-Pool Attribute should be used for authorization and accounting of prefix pools used in SLAAC.
DHCPv6 [RFC3315] provides a mechanism to assign one or more non-temporary IPv6 addresses to hosts. Section 3.1 introduces the Framed-IPv6-Address Attribute to be used to provide a DHCPv6 server residing on a NAS with one or more IPv6 addresses to be assigned to the clients. An alternative way to achieve a similar result is for the NAS to select the IPv6 address to be assigned from an address pool configured for this purpose on the NAS. This document specifies the Stateful-IPv6-Address-Pool Attribute (Section 3.5) to allow the RADIUS server to convey a pool name to be used for such stateful DHCPv6-based addressing and for any subsequent accounting.
The fields shown in the diagrams below are transmitted from left to right.
The Framed-IPv6-Address Attribute indicates an IPv6 address that is assigned to the NAS-facing interface of the RG/host. It MAY be used in Access-Accept packets and MAY appear multiple times. It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server that it would prefer this IPv6 address, but the RADIUS server is not required to honor the hint. Because it is assumed that the NAS will add a route corresponding to the address, it is not necessary for the RADIUS server to also send a host Framed-IPv6-Route Attribute for the same address.
This Attribute can be used by a DHCPv6 process on the NAS to assign a unique IPv6 address to the RG/host.
A summary of the Framed-IPv6-Address Attribute format is shown below. The format of the Address field is identical to that of the corresponding field in the NAS-IPv6-Address Attribute [RFC3162].
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |             Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                         Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                         Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                         Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         Address (cont)         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
   168 for Framed-IPv6-Address
Length
   18
Address
   A 128-bit IPv6 address.
The DNS-Server-IPv6-Address Attribute contains the IPv6 address of a DNS server. This Attribute MAY be included multiple times in Access-Accept packets when the intention is for a NAS to announce more than one DNS server address to an RG/host. The Attribute MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server regarding the DNS IPv6 address, but the RADIUS server is not required to honor the hint.
The content of this Attribute can be copied to an instance of the DHCPv6 DNS Recursive Name Server Option [RFC3646] or to an IPv6 Router Advertisement Recursive DNS Server Option [RFC6106]. If more than one DNS-Server-IPv6-Address Attribute is present in the Access-Accept packet, the addresses from the Attributes SHOULD be copied in the same order as received.
A summary of the DNS-Server-IPv6-Address Attribute format is given below. The format of the Address field is the same as that of the corresponding field in the NAS-IPv6-Address Attribute [RFC3162].
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |             Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                         Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                         Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                         Address (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         Address (cont)         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
   169 for DNS-Server-IPv6-Address
Length
   18
Address
   The 128-bit IPv6 address of a DNS server.
The Route-IPv6-Information Attribute specifies a prefix (and corresponding route) for the user on the NAS, which is to be announced using the Route Information Option defined in "Default Router Preferences and More Specific Routes" [RFC4191], Section 2.3. It is used in the Access-Accept packet and can appear multiple times. It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server, but the RADIUS server is not required to honor the hint. The Route-IPv6-Information Attribute format is depicted below. The format of the prefix is as per [RFC3162].
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |   Reserved    | Prefix-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
.                       Prefix (variable)                       .
.                                                               .
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
   170 for Route-IPv6-Information
Length
   Length, in bytes. At least 4 and no larger than 20; typically, 12 or less.
Prefix Length
   8-bit unsigned integer. The number of leading bits in the prefix that are valid. The value can range from 0 to 128. The prefix field is 0, 8, or 16 octets depending on Length.
Prefix
   Variable-length field containing an IP prefix. The prefix length field contains the number of valid leading bits in the prefix. The bits in the prefix after the prefix length, if any, are reserved and MUST be initialized to zero.
The Delegated-IPv6-Prefix-Pool Attribute contains the name of an assigned pool that SHOULD be used to select an IPv6 delegated prefix for the user on the NAS. If a NAS does not support prefix pools, the NAS MUST ignore this Attribute. It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server regarding the pool, but the RADIUS server is not required to honor the hint.
A summary of the Delegated-IPv6-Prefix-Pool Attribute format is shown below.
 0                   1                   2
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |   String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
   171 for Delegated-IPv6-Prefix-Pool
Length
   Length, in bytes. At least 3.
String
   The string field contains the name of an assigned IPv6 prefix pool configured on the NAS. The field is not NULL (hexadecimal 00) terminated.

   Note: The string data type is as documented in [RFC6158] and carries binary data that is external to the RADIUS protocol, e.g., the name of a pool of prefixes configured on the NAS.
The Stateful-IPv6-Address-Pool Attribute contains the name of an assigned pool that SHOULD be used to select an IPv6 address for the user on the NAS. If a NAS does not support address pools, the NAS MUST ignore this Attribute. A summary of the Stateful-IPv6-Address-Pool Attribute format is shown below. It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server regarding the pool, but the RADIUS server is not required to honor the hint.
 0                   1                   2
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |   String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
   172 for Stateful-IPv6-Address-Pool
Length
   Length, in bytes. At least 3.
String
   The string field contains the name of an assigned IPv6 stateful address pool configured on the NAS. The field is not NULL (hexadecimal 00) terminated.

   Note: The string data type is as documented in [RFC6158] and carries binary data that is external to the RADIUS protocol, e.g., the name of a pool of addresses configured on the NAS.
The following table provides a guide to which Attributes may be found in which kinds of packets, and in what quantity. The optional inclusion of the options in Access Request messages is intended to allow for a NAS to provide the RADIUS server with a hint of the Attributes in advance of user authentication, which may be useful in cases in which a user reconnects or has a static address. The server is under no obligation to honor such hints.
Request  Accept  Reject  Challenge  Accounting  #    Attribute
                                    Request
0+       0+      0       0          0+          168  Framed-IPv6-Address
0+       0+      0       0          0+          169  DNS-Server-IPv6-Address
0+       0+      0       0          0+          170  Route-IPv6-Information
0+       0+      0       0          0+          171  Delegated-IPv6-Prefix-Pool
0+       0+      0       0          0+          172  Stateful-IPv6-Address-Pool
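The attribute formats in Sections 3.1 to 3.5 can be checked on receipt with a strict decoder. The following is an added example, not part of the original document or of any RADIUS implementation: it walks the attribute portion of a packet and enforces the Length, Prefix-Length and zero-padding rules stated above. The function names, the sample addresses and pool names, and the rejection of a trailing 0x00 in pool names are assumptions of the example.

```python
import ipaddress

# Attribute type codes from Sections 3.1-3.5 of this document.
FRAMED_IPV6_ADDRESS, DNS_SERVER_IPV6_ADDRESS = 168, 169
ROUTE_IPV6_INFORMATION = 170
DELEGATED_IPV6_PREFIX_POOL, STATEFUL_IPV6_ADDRESS_POOL = 171, 172


class MalformedAttribute(ValueError):
    """An attribute whose encoding contradicts the formats above."""


def iter_attributes(buf):
    """Yield (type, value) for each Type/Length/Value attribute in buf."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise MalformedAttribute("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        # Length counts the Type and Length octets and must stay inside buf.
        if alen < 2 or pos + alen > len(buf):
            raise MalformedAttribute(f"type {atype}: bad Length {alen}")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def parse_address(atype, value):
    """Types 168 and 169: Length is 18, so the value is exactly 16 octets."""
    if len(value) != 16:
        raise MalformedAttribute(f"type {atype}: Length must be 18")
    return ipaddress.IPv6Address(value)


def parse_route(value):
    """Type 170: Reserved, Prefix-Length, then a 0-, 8- or 16-octet Prefix."""
    if len(value) not in (2, 10, 18):
        raise MalformedAttribute("type 170: Prefix must be 0, 8 or 16 octets")
    # value[0] is the Reserved octet; this example does not interpret it.
    prefix_len, prefix = value[1], value[2:]
    if prefix_len > 128 or prefix_len > 8 * len(prefix):
        raise MalformedAttribute("type 170: Prefix-Length exceeds Prefix field")
    as_int = int.from_bytes(prefix + bytes(16 - len(prefix)), "big")
    # Bits after Prefix-Length are reserved and MUST be zero.
    if as_int & ((1 << (128 - prefix_len)) - 1):
        raise MalformedAttribute("type 170: non-zero bits after Prefix-Length")
    return ipaddress.IPv6Network((as_int, prefix_len))


def parse_pool_name(atype, value):
    """Types 171 and 172: Length is at least 3, so the name is not empty."""
    if not value:
        raise MalformedAttribute(f"type {atype}: Length must be at least 3")
    # Assumption of this example: a trailing 0x00 is treated as a sender
    # that NUL-terminated the name, which the format says it is not.
    if value.endswith(b"\x00"):
        raise MalformedAttribute(f"type {atype}: name is NUL-terminated")
    return value  # opaque octets; the NAS matches them against its pool names


def parse_rfc6911(buf):
    """Collect the five attributes; each list keeps the order received."""
    out = {"addresses": [], "dns": [], "routes": [], "pd_pools": [], "na_pools": []}
    for atype, value in iter_attributes(buf):
        if atype == FRAMED_IPV6_ADDRESS:
            out["addresses"].append(parse_address(atype, value))
        elif atype == DNS_SERVER_IPV6_ADDRESS:
            out["dns"].append(parse_address(atype, value))
        elif atype == ROUTE_IPV6_INFORMATION:
            out["routes"].append(parse_route(value))
        elif atype == DELEGATED_IPV6_PREFIX_POOL:
            out["pd_pools"].append(parse_pool_name(atype, value))
        elif atype == STATEFUL_IPV6_ADDRESS_POOL:
            out["na_pools"].append(parse_pool_name(atype, value))
        # Other attribute types are outside this document and are skipped.
    return out


def tlv(atype, value):
    """Encode one attribute (helper for the constructed sample below)."""
    return bytes([atype, len(value) + 2]) + value


# Constructed sample: the attribute portion of an Access-Accept.
SAMPLE = b"".join([
    tlv(168, ipaddress.IPv6Address("2001:db8:0:1::10").packed),
    tlv(169, ipaddress.IPv6Address("2001:db8::53").packed),
    tlv(169, ipaddress.IPv6Address("2001:db8::54").packed),
    tlv(170, bytes([0, 48]) + bytes.fromhex("20010db8aaaa0000")),
    tlv(171, b"pd-pool-gold"),
    tlv(172, b"na-pool-1"),
])

if __name__ == "__main__":
    for key, items in parse_rfc6911(SAMPLE).items():
        print(key, [i if isinstance(i, bytes) else str(i) for i in items])
```

The DNS server list is returned in the order received, which is the order Section 3.2 says SHOULD be preserved when copying into DHCPv6 or RA options.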
Given that the Attributes defined in this document are allocated from the standard RADIUS type space (see Section 6), no special handling is required by Diameter entities.
This document specifies additional IPv6 RADIUS Attributes useful in residential broadband network deployments. In such networks, the RADIUS protocol may run either over IPv4 or over IPv6, and known security vulnerabilities of the RADIUS protocol, e.g., [SECI], apply to the Attributes defined in this document. A trust relationship between a NAS and RADIUS server is expected to be in place, with communication optionally secured by IPsec or Transport Layer Security (TLS) [RFC6614].
IANA has assigned five new RADIUS Attribute types in the "Radius Attribute Types" registry (currently located at http://www.iana.org/assignments/radius-types) for the following Attributes:
o Framed-IPv6-Address
o DNS-Server-IPv6-Address
o Route-IPv6-Information
o Delegated-IPv6-Prefix-Pool
o Stateful-IPv6-Address-Pool
The authors would like to thank Bernard Aboba, Benoit Claise, Peter Deacon, Alan DeKok, Ralph Droms, Brian Haberman, Alfred Hines, Stephen Farrell, Jouni Korhonen, Roberta Maglione, Pete Resnick, Mark Smith, and Leaf Yeh for their help and comments in reviewing this document.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862, September 2007.
[RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", RFC 3162, August 2001.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6", RFC 3633, December 2003.
[RFC3646] Droms, R., "DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646, December 2003.
[RFC4191] Draves, R. and D. Thaler, "Default Router Preferences and More-Specific Routes", RFC 4191, November 2005.
[RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix Attribute", RFC 4818, April 2007.
[RFC6106] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, "IPv6 Router Advertisement Options for DNS Configuration", RFC 6106, November 2010.
[RFC6158] DeKok, A. and G. Weber, "RADIUS Design Guidelines", BCP 158, RFC 6158, March 2011.
[RFC6614] Winter, S., McCauley, M., Venaas, S., and K. Wierenga, "Transport Layer Security (TLS) Encryption for RADIUS", RFC 6614, May 2012.
[SECI] Hill, J., "An Analysis of the RADIUS Authentication Protocol", November 2001, <http://regul.uni-mb.si/~meolic/ptk-seminarske/radius.pdf>.
Authors' Addresses
Wojciech Dec (editor)
Cisco Systems, Inc.
Haarlerbergweg 13-19
Amsterdam, Noord-Holland 1101 CH
Netherlands
EMail: wdec@cisco.com
Behcet Sarikaya
Huawei USA
1700 Alma Drive, Suite 500
Plano, TX
US
Phone: +1 972-509-5599
EMail: sarikaya@ieee.org
Glen Zorn (editor)
Network Zen
227/358 Thanon Sanphawut
Bang Na, Bangkok 10260
Thailand
Phone: +66 (0) 8-1000-4155
EMail: glenzorn@gmail.com
David Miles
Google
EMail: davidmiles@google.com
Benoit Lourdelet
Juniper Networks
France
EMail: blourdel@juniper.net