Internet Engineering Task Force (IETF) D. Guo Request for Comments: 6930 S. Jiang, Ed. Category: Standards Track Huawei Technologies Co., Ltd ISSN: 2070-1721 R. Despres RD-IPtech R. Maglione Cisco Systems April 2013
Internet Engineering Task Force (IETF) D. Guo Request for Comments: 6930 S. Jiang, Ed. Category: Standards Track Huawei Technologies Co., Ltd ISSN: 2070-1721 R. Despres RD-IPtech R. Maglione Cisco Systems April 2013
RADIUS Attribute for IPv6 Rapid Deployment on IPv4 Infrastructures (6rd)
IPv4基础架构上IPv6快速部署的RADIUS属性(第6条)
Abstract
摘要
The IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) provides both IPv4 and IPv6 connectivity services simultaneously during the IPv4/IPv6 coexistence period. The Dynamic Host Configuration Protocol (DHCP) 6rd option has been defined to configure the 6rd Customer Edge (CE). However, in many networks, the configuration information may be stored in the Authentication Authorization and Accounting (AAA) servers, while user configuration is mainly acquired from a Broadband Network Gateway (BNG) through the DHCP protocol. This document defines a Remote Authentication Dial-In User Service (RADIUS) attribute that carries 6rd configuration information from the AAA server to BNGs.
IPv4基础架构上的IPv6快速部署(第6条)在IPv4/IPv6共存期间同时提供IPv4和IPv6连接服务。动态主机配置协议(DHCP)第6rd选项已定义为配置第6rd客户边缘(CE)。然而,在许多网络中,配置信息可能存储在认证授权和计费(AAA)服务器中,而用户配置主要通过DHCP协议从宽带网络网关(BNG)获取。本文档定义了一个远程身份验证拨入用户服务(RADIUS)属性,该属性将第6条配置信息从AAA服务器传送到BNGs。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6930.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6930.
Copyright Notice
版权公告
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2013 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction ....................................................3 2. Terminology .....................................................3 3. IPv6 6rd Configuration with RADIUS ..............................4 4. Attributes ......................................................6 4.1. IPv6-6rd-Configuration Attribute ...........................6 4.2. Table of Attributes ........................................9 5. Diameter Considerations .........................................9 6. Security Considerations .........................................9 7. IANA Considerations ............................................10 8. Acknowledgments ................................................10 9. References .....................................................10 9.1. Normative References ......................................10 9.2. Informative References ....................................11
1. Introduction ....................................................3 2. Terminology .....................................................3 3. IPv6 6rd Configuration with RADIUS ..............................4 4. Attributes ......................................................6 4.1. IPv6-6rd-Configuration Attribute ...........................6 4.2. Table of Attributes ........................................9 5. Diameter Considerations .........................................9 6. Security Considerations .........................................9 7. IANA Considerations ............................................10 8. Acknowledgments ................................................10 9. References .....................................................10 9.1. Normative References ......................................10 9.2. Informative References ....................................11
Recently, providers have started to deploy IPv6 and to consider transition to IPv6. The IPv6 Rapid Deployment (6rd) [RFC5969] provides both IPv4 and IPv6 connectivity services simultaneously during the IPv4/IPv6 coexistence period. 6rd is used to provide IPv6 connectivity service through legacy IPv4-only infrastructure. 6rd uses the Dynamic Host Configuration Protocol (DHCP) [RFC2131], and the 6rd Customer Edge (CE) uses the DHCP 6rd option [RFC5969] to discover a 6rd Border Relay and to configure an IPv6 prefix and address.
最近,供应商已经开始部署IPv6,并考虑向IPv6过渡。IPv6快速部署(6rd)[RFC5969]在IPv4/IPv6共存期间同时提供IPv4和IPv6连接服务。6rd用于通过传统的纯IPv4基础设施提供IPv6连接服务。第6rd使用动态主机配置协议(DHCP)[RFC2131],第6rd客户边缘(CE)使用DHCP第6rd选项[RFC5969]来发现第6rd边界中继并配置IPv6前缀和地址。
In many networks, user-configuration information is managed by Authentication, Authorization, and Accounting (AAA) servers. The Remote Authentication Dial-In User Service (RADIUS) protocol [RFC2865] is usually used by AAA servers to communicate with network elements. In a fixed-line broadband network, the Broadband Network Gateways (BNGs) act as the access gateway for users. The BNGs are assumed to embed a DHCP server function that allows them to handle locally any DHCP requests issued by hosts.
在许多网络中,用户配置信息由身份验证、授权和记帐(AAA)服务器管理。AAA服务器通常使用远程身份验证拨入用户服务(RADIUS)协议[RFC2865]与网元通信。在固定线路宽带网络中,宽带网络网关(BNG)充当用户的接入网关。假定BNG嵌入一个DHCP服务器功能,允许它们在本地处理主机发出的任何DHCP请求。
Since the 6rd configuration information is stored in AAA servers, and user configuration is mainly through DHCP between BNGs and hosts/CEs, new RADIUS attributes are needed to propagate the information from AAA servers to BNGs.
由于第六个配置信息存储在AAA服务器中,并且用户配置主要通过BNG和主机/CE之间的DHCP进行,因此需要新的RADIUS属性将信息从AAA服务器传播到BNG。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
The terms 6rd Customer Edge (6rd CE) and 6rd Border Relay (BR) are defined in [RFC5969]. "MAC" stands for Media Access Control.
[RFC5969]中定义了第六条客户边界(第六条CE)和第六条边界中继(BR)。“MAC”代表媒体访问控制。
Figure 1 illustrates how DHCP and the RADIUS protocol cooperate to provide 6rd CE with 6rd configuration information.
图1说明了DHCP和RADIUS协议如何合作,为6rd CE提供6rd配置信息。
6rd CE BNG AAA Server | | | |-------DHCPDISCOVER------>| | |(Parameter Request w/ 6rd option) | | |--Access-Request(6rd Attr)-->| | | | | |<--Access-Accept(6rd Attr)---| |<-------DHCPOFFER---------| | | (6rd option) | | | | | DHCP RADIUS
6rd CE BNG AAA Server | | | |-------DHCPDISCOVER------>| | |(Parameter Request w/ 6rd option) | | |--Access-Request(6rd Attr)-->| | | | | |<--Access-Accept(6rd Attr)---| |<-------DHCPOFFER---------| | | (6rd option) | | | | | DHCP RADIUS
Figure 1: The Cooperation between DHCP and RADIUS When Combined with RADIUS Authentication
图1:DHCP和RADIUS在结合RADIUS身份验证时的协作
The BNG acts as a client of RADIUS and as a DHCP server. First, the 6rd CE MAY initiate a DHCPDISCOVER message that includes a Parameter Request option (55) [RFC2132] with the 6rd option [RFC5969]. When the BNG receives the DHCPDISCOVER, it SHOULD initiate a RADIUS Access- Request message to the RADIUS server. In that message,
BNG充当RADIUS的客户端和DHCP服务器。首先,第6rd CE可以发起DHCPDISCOVER消息,该消息包括具有第6rd选项[RFC5969]的参数请求选项(55)[RFC2132]。当BNG收到DHCPDISCOVER时,它应该向RADIUS服务器发出RADIUS访问请求消息。在这一信息中,
- the User-Name attribute (1) SHOULD be filled by the 6rd CE MAC address, and
- 用户名属性(1)应由第6个CE MAC地址填充,并且
- the User-Password attribute (2) SHOULD be filled by the shared 6rd password that has been preconfigured on the DHCP server.
- 用户密码属性(2)应由DHCP服务器上预配置的共享第6个密码填充。
The BNG requests authentication, as defined in [RFC2865], with the IPv6-6rd-Configuration attribute (Section 4.1) in the desired attribute list. If the authentication request is approved by the AAA server, an Access-Accept message MUST be acknowledged with the IPv6-6rd-Configuration attribute. Then, the BNG SHOULD respond to the 6rd CE with a DHCPOFFER message, which contains a DHCP 6rd option. The recommended format of the MAC address is as defined in Calling-Station-Id ([RFC3580], Section 3.20) without the SSID (Service Set Identifier) portion.
BNG根据[RFC2865]中的定义,使用所需属性列表中的IPv6-6rd-Configuration属性(第4.1节)请求认证。如果AAA服务器批准了身份验证请求,则必须使用IPv6-6rd-Configuration属性确认访问接受消息。然后,BNG应使用DHCPOFFER消息响应第6rd CE,该消息包含DHCP第6rd选项。MAC地址的推荐格式如呼叫站Id([RFC3580],第3.20节)中所定义,没有SSID(服务集标识符)部分。
Figure 2 describes another scenario -- later re-authorization -- in which the authorization operation is not coupled with authentication. Authorization relevant to 6rd is done independently after the authentication process.
图2描述了另一个场景——稍后的重新授权——其中授权操作不与身份验证耦合。与6rd相关的授权在认证过程后独立完成。
6rd CE BNG AAA Server | | | |--------DHCPREQUEST------>| | |(Parameter Request w/ 6rd option) | | |--Access-Request(6rd Attr)-->| | | | | |<--Access-Accept(6rd Attr)---| | | | |<---------DHCPACK---------| | | (6rd option) | | | | | DHCP RADIUS
6rd CE BNG AAA Server | | | |--------DHCPREQUEST------>| | |(Parameter Request w/ 6rd option) | | |--Access-Request(6rd Attr)-->| | | | | |<--Access-Accept(6rd Attr)---| | | | |<---------DHCPACK---------| | | (6rd option) | | | | | DHCP RADIUS
Figure 2: The Cooperation between DHCP and RADIUS When Decoupled from RADIUS Authentication
图2:与RADIUS身份验证分离时DHCP和RADIUS之间的协作
In this scenario, the Access-Request packet SHOULD contain a Service-Type attribute (6) with the value Authorize Only (17); thus, according to [RFC5080], the Access-Request packet MUST contain a State attribute that it obtains from the previous authentication process.
在这种情况下,访问请求数据包应该包含一个值为Authorize Only(17)的服务类型属性(6);因此,根据[RFC5080],访问请求数据包必须包含它从先前的身份验证过程中获得的状态属性。
In both above-mentioned scenarios, Message-Authenticator (type 80) [RFC2865] SHOULD be used to protect both Access-Request and Access-Accept messages.
在上述两种情况下,应使用消息验证器(类型80)[RFC2865]来保护访问请求和访问接受消息。
After receiving the IPv6-6rd-Configuration attribute in the initial Access-Accept, the BNG SHOULD store the received 6rd configuration parameters locally. When the 6rd CE sends a DHCP Request message to request an extension of the lifetime for the assigned address, the BNG does not have to initiate a new Access-Request towards the AAA server to request the 6rd configuration parameters. The BNG could retrieve the previously stored 6rd configuration parameters and use them in its reply.
在初始访问接受中接收到IPv6-6rd-Configuration属性后,BNG应在本地存储接收到的6rd配置参数。当第6rd CE发送DHCP请求消息以请求延长分配地址的生存期时,BNG不必向AAA服务器发起新的访问请求以请求第6rd配置参数。BNG可以检索先前存储的第6个配置参数,并在其应答中使用它们。
If the BNG does not receive the IPv6-6rd-Configuration attribute in the Access-Accept, it MAY fall back to a preconfigured default 6rd configuration, if any. If the BNG does not have any preconfigured default 6rd configuration or if the BNG receives an Access-Reject, the tunnel cannot be established.
如果BNG在Access Accept中未接收到IPv6-6rd-Configuration属性,它可能会退回到预配置的默认6rd配置(如果有)。如果BNG没有任何预配置的默认第六配置,或者如果BNG收到访问拒绝,则无法建立隧道。
As specified in [RFC2131], Section 4.4.5 ("Reacquisition and expiration"), if the DHCP server to which the DHCP Request message was sent at time T1 has not responded by time T2 (typically 0.375*duration_of_lease after T1), the 6rd CE (the DHCP client) SHOULD enter the REBINDING state and attempt to contact any server.
如[RFC2131]第4.4.5节(“重新获取和过期”)中所述,如果在时间T1向其发送DHCP请求消息的DHCP服务器在时间T2之前没有响应(通常为时间T1之后的0.375*租赁持续时间),则第6rd CE(DHCP客户端)应进入重新绑定状态并尝试联系任何服务器。
In this situation, the secondary BNG receiving the new DHCP message MUST initiate a new Access-Request towards the AAA server. The secondary BNG MAY include the IPv6-6rd-Configuration attribute in its Access-Request.
在这种情况下,接收新DHCP消息的辅助BNG必须向AAA服务器发起新的访问请求。辅助BNG可以在其访问请求中包括IPv6-6rd-Configuration属性。
This section defines the IPv6-6rd-Configuration attribute that is used in both above-mentioned scenarios. The attribute design follows [RFC6158] and refers to [RFC6929].
本节定义了在上述两种方案中使用的IPv6-6rd-Configuration属性。属性设计遵循[RFC6158],并参考[RFC6929]。
The specification requires that multiple IPv4 addresses are associated with one IPv6 prefix. Given that RADIUS currently has no recommended way of grouping multiple attributes, the design below appears to be a reasonable compromise. The IPv6-6rd-Configuration attribute is structured as follows:
该规范要求多个IPv4地址与一个IPv6前缀相关联。鉴于RADIUS目前没有推荐的将多个属性分组的方法,下面的设计似乎是一个合理的折衷方案。IPv6-6rd-Configuration属性的结构如下所示:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | SubType1 | SubLen1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IPv4MaskLen | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SubType2 | SubLen2 | Reserved | 6rdPrefixLen | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + + | | + 6rdPrefix + | | + + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SubType3 | SubLen3 | 6rdBRIPv4Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 6rdBRIPv4Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | SubType1 | SubLen1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IPv4MaskLen | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SubType2 | SubLen2 | Reserved | 6rdPrefixLen | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + + | | + 6rdPrefix + | | + + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SubType3 | SubLen3 | 6rdBRIPv4Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 6rdBRIPv4Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
类型
173
173
Length
长
28 + n*6 (the length of the entire attribute in octets, where n is the number of BR IPv4 addresses and minimum n is 1)
28+n*6(以八位字节为单位的整个属性的长度,其中n是BR IPv4地址数,最小n为1)
SubType1
亚型1
1 (SubType number, for the IPv4 Mask Length suboption)
1(子类型编号,用于IPv4掩码长度子选项)
SubLen1
转租1
6 (the length of the IPv4 Mask Length suboption)
6(IPv4掩码长度子选项的长度)
IPv4MaskLen
IPv4MaskLen
The number of high-order bits that are identical across all CE IPv4 addresses within a given 6rd domain. This may be any value between 0 and 32. Any value greater than 32 is invalid. Since [RFC6158], Appendix A.2.1, has forbidden 8-bit fields, a 32-bit field is used here.
给定第6个域中所有CE IPv4地址中相同的高阶位数。这可以是0到32之间的任何值。任何大于32的值都无效。由于附录A.2.1中的[RFC6158]禁止使用8位字段,因此此处使用32位字段。
SubType2
亚型2
2 (SubType number for the 6rd prefix suboption)
2(第6个前缀子选项的子类型编号)
SubLen2
次级住宅2
20 (the length of the 6rd prefix suboption)
20(第6个前缀子选项的长度)
Reserved
含蓄的
Set to all 0 for now. Reserved for future use. To be compatible with other IPv6 prefix attributes in the RADIUS protocol, the bits MUST be set to zero by the sender and MUST be ignored by the receiver.
现在设置为全部0。保留供将来使用。为了与RADIUS协议中的其他IPv6前缀属性兼容,发送方必须将位设置为零,接收方必须忽略位。
6rdPrefixLen
6Rd预桥
The IPv6 Prefix length of the Service Provider's 6rd IPv6 prefix in number of bits. The 6rdPrefixLen MUST be less than or equal to 128.
服务提供商第6个IPv6前缀的IPv6前缀长度(以位为单位)。6rdPrefixLen必须小于或等于128。
6rdPrefix
6rdPrefix
The Service Provider's 6rd IPv6 prefix represented as a 16-octet IPv6 address. The bits after the 6rdPrefixlen number of bits in the prefix SHOULD be set to zero.
服务提供商的第6个IPv6前缀表示为16个八位组的IPv6地址。前缀中6rdPrefixlen位数后的位数应设置为零。
SubType3
亚型3
3 (SubType number, for the 6rd Border Relay IPv4 address suboption)
3(子类型编号,用于第6个边界中继IPv4地址子选项)
SubLen3
转租3
6 (the length of the 6rd Border Relay IPv4 address suboption)
6(第6个边界中继IPv4地址子选项的长度)
6rdBRIPv4Address
6RDBRIPv4地址
One or more IPv4 addresses of the 6rd Border Relay(s) for a given 6rd domain. The maximum RADIUS attribute length of 255 octets results in a limit of 37 IPv4 addresses.
给定第六个域的第六个边界中继的一个或多个IPv4地址。255个八位字节的最大RADIUS属性长度限制为37个IPv4地址。
Since the subtypes have values, they can appear in any order. If multiple 6rdBRIPv4Address (subtype 3) appear, they are RECOMMENDED to be placed together.
由于子类型具有值,因此它们可以以任何顺序出现。如果出现多个6rdBRIPv4Address(子类型3),建议将它们放在一起。
The IPv6-6rd-Configuration attribute is normally used in Access-Accept messages. It MAY be used in Access-Request packets as a hint to the RADIUS server; for example, if the BNG is preconfigured with a default 6rd configuration, these parameters MAY be inserted in the attribute. The RADIUS server MAY ignore the hint sent by the BNG, and it MAY assign different 6rd parameters.
IPv6-6rd-Configuration属性通常用于Access-Accept消息中。它可以在访问请求包中用作对RADIUS服务器的提示;例如,如果BNG预先配置了默认的第六配置,则可以将这些参数插入属性中。RADIUS服务器可能会忽略BNG发送的提示,并且可能会分配不同的第6个参数。
If the BNG includes the IPv6-6rd-Configuration attribute, but the AAA server does not recognize it, this attribute MUST be ignored by the AAA server.
如果BNG包含IPv6-6rd-Configuration属性,但AAA服务器无法识别该属性,则AAA服务器必须忽略该属性。
If the BNG does not receive the IPv6-6rd-Configuration attribute in the Access-Accept, it MAY fallback to a preconfigured default 6rd configuration, if any. If the BNG does not have any preconfigured default 6rd configuration, the 6rd tunnel cannot be established.
如果BNG在Access Accept中未接收到IPv6-6rd-Configuration属性,它可能会退回到预配置的默认6rd配置(如果有)。如果BNG没有任何预配置的默认第六条配置,则无法建立第六条隧道。
If the BNG is pre-provisioned with a default 6rd configuration and the 6rd configuration received in Access-Accept is different from the configured default, then the 6rd configuration received in the Access-Accept message MUST be used for the session.
如果BNG预先配置了默认的第六配置,并且Access Accept中接收到的第六配置与配置的默认配置不同,则Access Accept消息中接收到的第六配置必须用于会话。
If the BNG cannot support the received 6rd configuration for any reason, the tunnel SHOULD NOT be established.
如果BNG因任何原因无法支持接收到的第6次配置,则不应建立隧道。
The following table adds to the one in [RFC2865], Section 5.44, providing a guide to the quantity of IPv6-6rd-Configuration attributes that may be found in each kind of packet.
下表补充了[RFC2865]第5.44节中的内容,为每种数据包中可能存在的IPv6-6rd-Configuration属性数量提供了指南。
Request Accept Reject Challenge Accounting # Attribute Request 0-1 0-1 0 0 0-1 173 IPv6-6rd-Configuration 0-1 0-1 0 0 0-1 1 User-Name 0-1 0 0 0 0-1 2 User-Password 0-1 0-1 0 0 0-1 6 Service-Type 0-1 0-1 0-1 0-1 0-1 80 Message-Authenticator
请求接受拒绝质询记帐#属性请求0-10-10 0-1 173 IPv6-6rd-Configuration 0-1 0-1 0-1 1用户名0-1 0 0 0-1 2用户密码0-1 0-1 0-1 0-0-1 0-1 6服务类型0-1 0-1 0-1 0-1 0-1 80消息验证器
The following key defines the meanings of the above table entries.
以下键定义了上述表格条目的含义。
0 This attribute MUST NOT be present in packet. 0+ Zero or more instances of this attribute MAY be present in packet. 0-1 Zero or one instance of this attribute MAY be present in packet. 1 Exactly one instance of this attribute MUST be present in packet.
0此属性不能出现在数据包中。数据包中可能存在0+零个或多个此属性的实例。0-1数据包中可能存在该属性的零个或一个实例。1数据包中必须正好存在此属性的一个实例。
This attribute is usable within either RADIUS or Diameter [RFC6733]. Since the attribute defined in this document has been allocated from the standard RADIUS type space, no special handling is required by Diameter entities.
此属性在半径或直径[RFC6733]内可用。由于本文档中定义的属性是从标准半径类型空间分配的,因此直径实体不需要特殊处理。
In 6rd scenarios, both CE and BNG are within a provider network, which can be considered as a closed network and a lower-threat environment. A similar consideration can be applied to the RADIUS message exchange between the BNG and the AAA server.
在第六种情况下,CE和BNG都位于提供商网络内,可以将其视为一个封闭的网络和威胁较低的环境。类似的考虑也可应用于BNG和AAA服务器之间的RADIUS消息交换。
In 6rd scenarios, the RADIUS protocol is run over IPv4. Known security vulnerabilities of the RADIUS protocol are discussed in [RFC2607], [RFC2865], and [RFC2869]. Use of IPsec [RFC4301] for providing security when RADIUS is carried in IPv6 is discussed in [RFC3162].
在第六种情况下,RADIUS协议通过IPv4运行。[RFC2607]、[RFC2865]和[RFC2869]中讨论了RADIUS协议的已知安全漏洞。[RFC3162]中讨论了在IPv6中承载RADIUS时使用IPsec[RFC4301]提供安全性。
To get unauthorized 6rd configuration information, a malicious user may use MAC address spoofing and/or a dictionary attack on the shared 6rd password that has been preconfigured on the DHCP server. The relevant security issues have been considered in Section 12 of [RFC5969].
为了获取未经授权的第6条配置信息,恶意用户可能会对DHCP服务器上预配置的共享第6条密码使用MAC地址欺骗和/或字典攻击。[RFC5969]第12节考虑了相关安全问题。
Security issues that may arise specifically between the 6rd CE and BNG are discussed in [RFC5969]. Furthermore, generic DHCP security mechanisms can be applied to DHCP intercommunication between 6rd CE and BNG.
[RFC5969]中讨论了第六代CE和BNG之间可能出现的安全问题。此外,通用DHCP安全机制可应用于第6rd CE和BNG之间的DHCP双向通信。
Security considerations for the Diameter protocol are discussed in [RFC6733].
[RFC6733]中讨论了Diameter协议的安全注意事项。
Per this document, IANA has assigned one new RADIUS Attribute Type in the "Radius Types" registry (currently located at http://www.iana.org/assignments/radius-types) for the following attribute:
根据本文件,IANA在“RADIUS Types”注册表中分配了一个新的RADIUS属性类型(当前位于http://www.iana.org/assignments/radius-types)对于以下属性:
IPv6-6rd-Configuration (173)
IPv6-6rd-配置(173)
The authors would like to thank Alan DeKok, Yong Cui, Leaf Yeh, Sean Turner, Joseph Salowey, Glen Zorn, Dave Nelson, Bernard Aboba, Benoit Claise, Barry Lieba, Stephen Farrell, Adrian Farrel, Ralph Droms, and other members of the SOFTWIRE WG, RADEXT WG, AAA Doctors, and Security Directorate for valuable comments.
作者要感谢Alan DeKok、Yong Cui、Leaf Yeh、Sean Turner、Joseph Salowey、Glen Zorn、Dave Nelson、Bernard Aboba、Benoit Claise、Barry Lieba、Stephen Farrell、Adrian Farrel、Ralph Droms以及SOFTWIRE工作组、RADEXT工作组、AAA医生和安全理事会的其他成员的宝贵意见。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997.
[RFC2131]Droms,R.,“动态主机配置协议”,RFC21311997年3月。
[RFC2132] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor Extensions", RFC 2132, March 1997.
[RFC2132]Alexander,S.和R.Droms,“DHCP选项和BOOTP供应商扩展”,RFC 21321997年3月。
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[RFC2865]Rigney,C.,Willens,S.,Rubens,A.,和W.Simpson,“远程认证拨入用户服务(RADIUS)”,RFC 28652000年6月。
[RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", RFC 3162, August 2001.
[RFC3162]Aboba,B.,Zorn,G.和D.Mitton,“RADIUS和IPv6”,RFC 3162,2001年8月。
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.
[RFC4301]Kent,S.和K.Seo,“互联网协议的安全架构”,RFC 43012005年12月。
[RFC5080] Nelson, D. and A. DeKok, "Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes", RFC 5080, December 2007.
[RFC5080]Nelson,D.和A.DeKok,“通用远程身份验证拨入用户服务(RADIUS)实施问题和建议修复”,RFC 50802007年12月。
[RFC5969] Townsley, W. and O. Troan, "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) -- Protocol Specification", RFC 5969, August 2010.
[RFC5969]Townsley,W.和O.Troan,“IPv4基础设施上的IPv6快速部署(第6条)——协议规范”,RFC 5969,2010年8月。
[RFC6158] DeKok, A., Ed., and G. Weber, "RADIUS Design Guidelines", BCP 158, RFC 6158, March 2011.
[RFC6158]DeKok,A.,Ed.,和G.Weber,“半径设计指南”,BCP 158,RFC 6158,2011年3月。
[RFC6733] Fajardo, V., Ed., Arkko, J., Loughney, J., and G. Zorn, Ed., "Diameter Base Protocol", RFC 6733, October 2012.
[RFC6733]Fajardo,V.,Ed.,Arkko,J.,Loughney,J.,和G.Zorn,Ed.,“直径基础协议”,RFC 6733,2012年10月。
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy Implementation in Roaming", RFC 2607, June 1999.
[RFC2607]Aboba,B.和J.Vollbrecht,“漫游中的代理链接和策略实施”,RFC 2607,1999年6月。
[RFC2869] Rigney, C., Willats, W., and P. Calhoun, "RADIUS Extensions", RFC 2869, June 2000.
[RFC2869]Rigney,C.,Willats,W.,和P.Calhoun,“半径延伸”,RFC 2869,2000年6月。
[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", RFC 3580, September 2003.
[RFC3580]Congdon,P.,Aboba,B.,Smith,A.,Zorn,G.,和J.Roese,“IEEE 802.1X远程认证拨入用户服务(RADIUS)使用指南”,RFC 35802003年9月。
[RFC6929] DeKok, A. and A. Lior, "Remote Authentication Dial-In User Service (RADIUS) Protocol Extensions", RFC 6929, April 2013.
[RFC6929]DeKok,A.和A.Lior,“远程身份验证拨入用户服务(RADIUS)协议扩展”,RFC 69292013年4月。
Authors' Addresses
作者地址
Dayong Guo Huawei Technologies Co., Ltd Q14 Huawei Campus, 156 BeiQi Road, ZhongGuan Cun, Hai-Dian District, Beijing 100095 P.R. China
中国北京市海淀区中关村北七路156号华为校园Q14号大勇国华为技术有限公司100095
EMail: guoseu@huawei.com
EMail: guoseu@huawei.com
Sheng Jiang (Editor) Huawei Technologies Co., Ltd Q14 Huawei Campus, 156 BeiQi Road, ZhongGuan Cun, Hai-Dian District, Beijing 100095 P.R. China
盛江(编辑)华为技术有限公司中国北京市海淀区中关村北七路156号华为校区Q14 100095
EMail: jiangsheng@huawei.com
EMail: jiangsheng@huawei.com
Remi Despres RD-IPtech 3 rue du President Wilson Levallois France
法国总统威尔逊·莱瓦洛伊街3号雷米·德斯普雷斯路IPtech
EMail: despres.remi@laposte.net
EMail: despres.remi@laposte.net
Roberta Maglione Cisco Systems 181 Bay Street Toronto, ON M5J 2T3 Canada
Roberta Maglione思科系统公司位于加拿大多伦多湾街181号M5J 2T3
EMail: robmgl@cisco.com
EMail: robmgl@cisco.com