Internet Engineering Task Force (IETF)                            L. Yeh
Request for Comments: 7037                       Freelancer Technologies
Category: Standards Track                                   M. Boucadair
ISSN: 2070-1721                                           France Telecom
                                                            October 2013
        

RADIUS Option for the DHCPv6 Relay Agent

Abstract

The DHCPv6 RADIUS option provides a mechanism to exchange authorization and identification information between the DHCPv6 relay agent and DHCPv6 server. This architecture assumes that the Network Access Server (NAS) acts as both a DHCPv6 relay agent and RADIUS client. When receiving messages from the DHCPv6 clients, the NAS consults the RADIUS server and adds the RADIUS response when forwarding the DHCPv6 client's messages to the DHCPv6 server. The DHCPv6 server then uses that additional information to generate an appropriate response to the DHCPv6 client's requests.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7037.

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology and Language
   3.  Network Scenarios
   4.  DHCPv6 RADIUS Option
     4.1.  RADIUS Attributes Permitted in DHCPv6 RADIUS Option
   5.  DHCPv6 Relay Agent Behavior
   6.  DHCPv6 Server Behavior
   7.  DHCPv6 Client Behavior
   8.  Security Considerations
   9.  IANA Considerations
   10. Acknowledgements
   11. References
     11.1.  Normative References
     11.2.  Informative References
        
1. Introduction

DHCPv6 provides a mechanism that allows the server to assign or delegate both stateful and stateless configuration parameters to clients. The stateful configuration parameters include IPv6 addresses [RFC3315] and IPv6 prefixes [RFC3633]. The stateless configuration parameters [RFC3736] include, for example, DNS [RFC3646], or a Fully Qualified Domain Name (FQDN) of an Address Family Transition Router (AFTR) [RFC6334]. In the scenarios described in this document, the DHCPv6 server is deployed in the central part of an ISP network.

RADIUS [RFC2865] is widely used as the centralized authentication, authorization, and user management mechanism for service provision in a Broadband access network. [RFC3162], [RFC4818], [RFC6519], and [RFC6911] specify the attributes that support the service provision for IPv6-only and IPv6-transition access. The RADIUS server authorizes the Network Access Server (NAS) to assign an IPv6 address or prefix from the indicated pool, or to assign an IPv6 address or prefix with an explicitly indicated value, and to indicate other configuration parameters as per the RADIUS attributes for the subscribers.


When the NAS acts as the distributed DHCPv6 server and RADIUS client simultaneously, it communicates with the RADIUS server after receiving a request from the DHCPv6 client. Upon receiving the Access-Accept message from the RADIUS server, the NAS then responds to the DHCPv6 client's requests per the associated authorization information indicated by the RADIUS attributes in the Access-Accept message. When the NAS acts as the DHCPv6 relay agent and RADIUS client simultaneously, and the centralized DHCPv6 server is co-located with the RADIUS server, they may share the same database of users. However, when the centralized DHCPv6 server is not located in the same place as the RADIUS server, a new communication mechanism is needed for the DHCPv6 relay agent to transfer the authorization information indicated by the RADIUS attributes to the DHCPv6 server.

2. Terminology and Language

This document specifies a new DHCPv6 option for the DHCPv6 Relay Agent to transfer the authorization information of RADIUS attributes received in the Access-Accept message from the RADIUS server to the centralized DHCPv6 server. Definitions for terms and acronyms not specified in this document are defined in [RFC2865] and [RFC3315].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3. Network Scenarios

Figures 1 and 2 show the typical network scenarios where the communication mechanism introduced in this document is necessary. In these scenarios, the centralized DHCPv6 server is not co-located with the RADIUS server, but both are in the same administrative domain. The NAS acts as the DHCPv6 relay agent and the RADIUS client simultaneously. Figure 1 shows the sequence of DHCPv6 and RADIUS messages for the IP over Ethernet (IPoE) access model, when the access loop uses direct Ethernet encapsulation. Figure 2 shows the sequence of DHCPv6 and RADIUS messages for the PPP over Ethernet (PPPoE) access model.

The mechanism introduced in this document is a generic mechanism and might also be employed in other network scenarios where the DHCPv6 relay agent and the RADIUS client are located in the same device.

   +-------+                   +-------+                    +-------+
   |DHCPv6 |   Access Model:   |  NAS  |                    |RADIUS |
   |Client |       IPoE        |       |                    |Server |
   +-------+                   +-------+                    +-------+
                      RADIUS Client/DHCPv6 Relay Agent
       |                           |                            |
       |---Solicit---------------->|                            |
       |                           |---Access-Request---------->|
       |                           |                            |
       |                           |<--Access-Accept------------|
       |                           |(e.g. Delegated-IPv6-Prefix)|
       |                           |                            |
              DHCPv6 messages              RADIUS messages

                                                           +-------+
                                                           |DHCPv6 |
                                                           |Server |
                                                           +-------+
       |                           |                            |
       |                           |---Relay-forward----------->|
       |                           |  (OPTION_RADIUS)           |
       |                           |                            |
       |                           |<--Relay-reply -------------|
       |<--Advertise---------------|                            |
       |  (e.g., IA_PD)            |                            |
       |                           |                            |
       |---Request---------------->|                            |
       |  (e.g., IA_PD)            |---Relay-forward----------->|
       |                           |  (OPTION_RADIUS)           |
       |                           |                            |
       |                           |<--Relay-reply -------------|
       |<--Reply-------------------|                            |
       |  (e.g., IA_PD)            |                            |
       |                           |                            |
              DHCPv6 messages              DHCPv6 messages

Figure 1: Network Scenario and Message Sequence When Employing DHCPv6 RADIUS Option in IPoE Access


   +-------+                   +-------+                    +-------+
   |DHCPv6 |   Access Model:   |  NAS  |                    |RADIUS |
   |Client |      PPPoE        |       |                    |Server |
   +-------+                   +-------+                    +-------+
                      RADIUS Client/DHCPv6 Relay Agent
       |                           |                            |
       |--PPP LCP Config-Request-->|                            |
       |                           |---Access-Request---------->|
       |                           |                            |
       |                           |<--Access-Accept------------|
       |<----PPP LCP Config-ACK----|(e.g. Delegated-IPv6-Prefix)|
       |                           |                            |
              PPP messages                 RADIUS messages

                                                           +-------+
                                                           |DHCPv6 |
                                                           |Server |
                                                           +-------+
       |                           |                            |
       |---Solicit---------------->|                            |
       |                           |---Relay-forward----------->|
       |                           |  (OPTION_RADIUS)           |
       |                           |                            |
       |                           |<--Relay-reply -------------|
       |<--Advertise---------------|                            |
       |  (e.g., IA_PD)            |                            |
       |                           |                            |
       |---Request---------------->|                            |
       |  (e.g., IA_PD)            |---Relay-forward----------->|
       |                           |  (OPTION_RADIUS)           |
       |                           |                            |
       |                           |<--Relay-reply -------------|
       |<--Reply-------------------|                            |
       |  (e.g., IA_PD)            |                            |
       |                           |                            |
              DHCPv6 messages              DHCPv6 messages

Figure 2: Network Scenario and Message Sequence When Employing DHCPv6 RADIUS Option in PPPoE Access


If the authentication or the authorization through RADIUS fails, the associated message sequences will stop. The NAS acting as the DHCPv6 relay agent will not forward the message received from the client to the DHCPv6 server. If the authentication or the authorization through RADIUS passes, the NAS MUST store the information indicated in the RADIUS attributes received in the Access-Accept message from the RADIUS server during the whole session. How the NAS manages this information during the RADIUS session is out of the scope of this document.


After receiving a RENEW (5) message from the DHCPv6 client, the NAS SHOULD NOT initiate a new Access-Request/Access-Accept message exchange with the RADIUS server. After receiving a REBIND (6) message from the DHCPv6 client, the NAS MUST initiate a new Access-Request/Access-Accept message exchange with the RADIUS server, unless RADIUS capability is disabled on the NAS.

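
The NAS-side rules of this section (stop the sequence when RADIUS rejects the subscriber, keep the Access-Accept attributes for the whole session, start no new exchange on RENEW, start one on REBIND unless RADIUS is disabled) written out as a small state machine in Python. This is an added example, not code from the RFC or from any NAS implementation: the RadiusReply and NasSession types, the run_flow driver and the Access-Accept contents are constructed for the example, and the choice to consult RADIUS only on the first message of a not-yet-authorized subscriber (the SOLICIT in Figure 1) is an assumption the RFC does not spell out.

```python
"""NAS-side decision logic for the Section 3 message flow (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# DHCPv6 message types from RFC 3315
SOLICIT, REQUEST, RENEW, REBIND = 1, 3, 5, 6

Attribute = Tuple[int, bytes]  # (RADIUS attribute type, value)


@dataclass
class RadiusReply:
    """Outcome of one Access-Request exchange (constructed for the example)."""
    accepted: bool
    attributes: List[Attribute] = field(default_factory=list)


@dataclass
class NasSession:
    """State the NAS keeps for one subscriber across the RADIUS session."""
    radius_enabled: bool = True
    authorized: bool = False
    stored_attributes: List[Attribute] = field(default_factory=list)
    exchanges: int = 0  # Access-Request/Access-Accept rounds performed

    def needs_radius_exchange(self, msg_type: int) -> bool:
        if not self.radius_enabled:
            return False
        if msg_type == RENEW:
            return False            # SHOULD NOT start a new exchange on RENEW
        if msg_type == REBIND:
            return True             # MUST start a new exchange on REBIND
        # Assumption for this example: any other message (the SOLICIT in
        # Figure 1) triggers an exchange only while not yet authorized.
        return not self.authorized

    def handle_client_message(self, msg_type: int,
                              radius_reply: Optional[RadiusReply]) -> Tuple[str, List[Attribute]]:
        """Return ("forward", attrs) when the message is relayed to the DHCPv6
        server with attrs to carry in OPTION_RADIUS, or ("drop", []) when the
        sequence stops because RADIUS rejected the subscriber."""
        if self.needs_radius_exchange(msg_type):
            if radius_reply is None:
                raise RuntimeError("RADIUS exchange required but no reply available")
            self.exchanges += 1
            if not radius_reply.accepted:
                self.authorized = False
                self.stored_attributes = []
                return ("drop", [])
            self.authorized = True
            # Keep the Access-Accept attributes for the whole session.
            self.stored_attributes = list(radius_reply.attributes)
        if self.radius_enabled and not self.authorized:
            return ("drop", [])     # never authorized: nothing reaches the server
        return ("forward", list(self.stored_attributes))


def run_flow(session: NasSession, steps) -> List[Tuple[int, str, int, int]]:
    """Drive a session through (msg_type, reply) steps; record per message the
    action taken, exchanges so far, and how many attributes would be relayed."""
    trace = []
    for msg_type, reply in steps:
        action, attrs = session.handle_client_message(msg_type, reply)
        trace.append((msg_type, action, session.exchanges, len(attrs)))
    return trace


def demo_accept() -> List[Tuple[int, str, int, int]]:
    """Constructed Access-Accept carrying one Delegated-IPv6-Prefix (type 123)
    for 2001:db8:1::/48 (RFC 4818 layout: reserved, prefix-length, prefix)."""
    prefix = (123, b"\x00\x30" + b"\x20\x01\x0d\xb8\x00\x01" + bytes(10))
    ok = RadiusReply(True, [prefix])
    return run_flow(NasSession(), [(SOLICIT, ok), (REQUEST, ok), (RENEW, ok), (REBIND, ok)])


def demo_reject() -> List[Tuple[int, str, int, int]]:
    """Constructed Access-Reject: the SOLICIT is never forwarded."""
    return run_flow(NasSession(), [(SOLICIT, RadiusReply(False))])


if __name__ == "__main__":
    print(demo_accept())  # [(1, 'forward', 1, 1), (3, 'forward', 1, 1), (5, 'forward', 1, 1), (6, 'forward', 2, 1)]
    print(demo_reject())  # [(1, 'drop', 1, 0)]
```

The trace makes the two normative points visible: the RENEW step leaves the exchange counter unchanged, while the REBIND step increments it, and the rejected subscriber's message produces "drop" with nothing to relay.
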
4. DHCPv6 RADIUS Option

The OPTION_RADIUS is a DHCPv6 option used by the DHCPv6 relay agent to carry the authorization information of RADIUS attributes received in the Access-Accept message from the RADIUS server.

The format of the OPTION_RADIUS option is defined as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         OPTION_RADIUS         |          option-len           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            option-data (List of RADIUS Attributes)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   option-code    81
   option-len     Length of the option-data in octets
   option-data    List of one or more RADIUS attributes


The option-data of OPTION_RADIUS is a list of one or more RADIUS attributes received in the Access-Accept message from the RADIUS server. The format of RADIUS attributes is defined in Section 5 of [RFC2865] as well as Sections 2.1 and 2.2 of [RFC6929]. If multiple attributes with the same type (including the Long Extended Type defined in Section 2.2 of [RFC6929]) are present, the order of attributes with the same type MUST be the same as that received from the RADIUS server. The OPTION_RADIUS can only contain the RADIUS attributes listed in the "RADIUS Attributes Permitted in DHCPv6 RADIUS Option" registry.

According to the network scenarios described in Section 3, the OPTION_RADIUS should appear in the RELAY-FORW (12) message relaying SOLICIT (1), REQUEST (3), and REBIND (6) from the DHCPv6 client and may appear in the RELAY-FORW (12) relaying any other message from the DHCPv6 client.

4.1. RADIUS Attributes Permitted in DHCPv6 RADIUS Option

The RADIUS attributes listed in the following table are the initial attributes registered in the "RADIUS Attributes Permitted in DHCPv6 RADIUS Option" registry. New RADIUS attributes can be added to this list after Expert Review [RFC5226].

   Type Code  Attribute                   Reference
   26         Vendor-Specific             [RFC2865]
   123        Delegated-IPv6-Prefix       [RFC4818]
   144        DS-Lite-Tunnel-Name         [RFC6519]
   168        Framed-IPv6-Address         [RFC6911]
   169        DNS-Server-IPv6-Address     [RFC6911]
   171        Delegated-IPv6-Prefix-Pool  [RFC6911]
   172        Stateful-IPv6-Address-Pool  [RFC6911]

Note: The RADIUS attribute's 'Length' defined in Section 5 of [RFC2865] includes the length of 'Type' and 'Length' fields.

5. DHCPv6 Relay Agent Behavior

If the Relay Agent is configured to send OPTION_RADIUS, and the Access-Accept message from the RADIUS server contained RADIUS attributes permitted for use in OPTION_RADIUS, the Relay Agent MUST include OPTION_RADIUS in the RELAY-FORW (12) message. The DHCPv6 relay agent adds the permitted RADIUS attributes into OPTION_RADIUS one by one; if multiple attributes with the same type are present, the order of attributes with the same type MUST be the same as that received from the RADIUS server.

6. DHCPv6 Server Behavior

Upon receipt of the RELAY-FORW (12) message with OPTION_RADIUS from a relay agent, the DHCPv6 server that supports OPTION_RADIUS SHOULD extract and interpret the RADIUS attributes in the OPTION_RADIUS and use that information to select configuration parameters for the requesting client. If the DHCPv6 server does not support OPTION_RADIUS, the DHCPv6 server MUST silently discard this option.
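
Sections 4, 5 and 6 together describe how the relay agent encodes OPTION_RADIUS and how the server decodes it. The following Python is an added example, not code from the RFC or from any DHCPv6 or RADIUS implementation: it filters an Access-Accept attribute list against the initial registry of Section 4.1 while preserving order, wraps the result in option 81 inside a RELAY-FORW, and on the server side either extracts the attributes or silently discards the option. The sample Access-Accept contents, the link and peer addresses and the SOLICIT bytes are constructed for the example; Long Extended Types from RFC 6929 are passed through as opaque values rather than decoded.

```python
"""Relay-side encoding and server-side decoding of OPTION_RADIUS (option 81)."""
import ipaddress
import struct
from typing import List, Optional, Tuple

OPTION_RADIUS = 81     # "DHCP Option Codes" registry (Section 9)
OPTION_RELAY_MSG = 9   # RFC 3315 Relay Message option
RELAY_FORW = 12        # RFC 3315 message type

# Initial "RADIUS Attributes Permitted in DHCPv6 RADIUS Option" registry
# (Section 4.1), keyed by RADIUS attribute type code.
PERMITTED_ATTRIBUTES = {
    26: "Vendor-Specific", 123: "Delegated-IPv6-Prefix",
    144: "DS-Lite-Tunnel-Name", 168: "Framed-IPv6-Address",
    169: "DNS-Server-IPv6-Address", 171: "Delegated-IPv6-Prefix-Pool",
    172: "Stateful-IPv6-Address-Pool",
}

Attribute = Tuple[int, bytes]  # (Type, Value) of one RFC 2865 attribute


def parse_radius_attributes(data: bytes) -> List[Attribute]:
    """Walk an RFC 2865 attribute list. Length counts the Type and Length
    octets (Section 4.1 note), so anything below 2 or past the end is bogus.
    Long Extended Types (RFC 6929) are passed through as opaque values."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated RADIUS attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad Length {alen} for attribute type {atype}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def encode_radius_attribute(atype: int, value: bytes) -> bytes:
    if len(value) > 253:  # Type + Length + Value must fit a one-octet Length
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_option_radius(access_accept: List[Attribute],
                        permitted=PERMITTED_ATTRIBUTES) -> Optional[bytes]:
    """Relay side (Section 5): keep only permitted attributes, in the order
    the RADIUS server sent them; None means OPTION_RADIUS is not added."""
    body = b"".join(encode_radius_attribute(t, v)
                    for t, v in access_accept if t in permitted)
    return struct.pack("!HH", OPTION_RADIUS, len(body)) + body if body else None


def build_relay_forw(link_addr: str, peer_addr: str, client_msg: bytes,
                     option_radius: Optional[bytes]) -> bytes:
    """Wrap the client's message in a RELAY-FORW (RFC 3315) and append
    OPTION_RADIUS when the relay has one to send."""
    hdr = struct.pack("!BB", RELAY_FORW, 0)  # msg-type, hop-count
    hdr += ipaddress.IPv6Address(link_addr).packed
    hdr += ipaddress.IPv6Address(peer_addr).packed
    relay_msg = struct.pack("!HH", OPTION_RELAY_MSG, len(client_msg)) + client_msg
    return hdr + relay_msg + (option_radius or b"")


def parse_dhcpv6_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a DHCPv6 option area into (option-code, option-data) pairs."""
    opts, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated DHCPv6 option header")
        code, length = struct.unpack_from("!HH", data, pos)
        pos += 4
        if pos + length > len(data):
            raise ValueError(f"option {code} runs past end of message")
        opts.append((code, data[pos:pos + length]))
        pos += length
    return opts


def server_extract_radius(relay_forw: bytes,
                          supports_option_radius: bool = True) -> List[Attribute]:
    """Server side (Section 6): attributes carried in OPTION_RADIUS, or []
    when the option is absent or the server does not implement it (it MUST
    then silently discard the option)."""
    if relay_forw[0] != RELAY_FORW:
        raise ValueError("not a RELAY-FORW message")
    found: List[Attribute] = []
    for code, odata in parse_dhcpv6_options(relay_forw[34:]):  # 34-octet relay header
        if code == OPTION_RADIUS and supports_option_radius:
            found.extend(parse_radius_attributes(odata))
    return found


def sample_access_accept() -> List[Attribute]:
    """Constructed Access-Accept contents: a delegated prefix (RFC 4818 layout:
    reserved, prefix-length, prefix), Session-Timeout (27, not permitted and
    therefore dropped), two DNS servers and a pool name."""
    prefix = ipaddress.IPv6Network("2001:db8:1::/48")
    return [
        (123, bytes([0, prefix.prefixlen]) + prefix.network_address.packed),
        (27, struct.pack("!I", 3600)),
        (169, ipaddress.IPv6Address("2001:db8::53").packed),
        (169, ipaddress.IPv6Address("2001:db8::54").packed),
        (171, b"pool-a"),
    ]


def demo() -> Tuple[List[int], List[int]]:
    """Attribute types the server sees with and without OPTION_RADIUS support."""
    opt = build_option_radius(sample_access_accept())
    solicit = bytes([1, 0, 0, 1])  # constructed SOLICIT: msg-type 1, transaction-id, no options
    msg = build_relay_forw("2001:db8:ffff::1", "fe80::1", solicit, opt)
    seen = [t for t, _ in server_extract_radius(msg)]
    ignored = [t for t, _ in server_extract_radius(msg, supports_option_radius=False)]
    return seen, ignored  # ([123, 169, 169, 171], [])
```

Two checks matter in practice: the attribute walker rejects a Length below 2 or one that runs past the option-data, since Length covers the Type and Length octets (note in Section 4.1), and anything not in the permitted registry, Session-Timeout in the sample, never reaches the DHCPv6 server. Passing a `permitted` mapping without type 26 is the simplest way to follow the advice in Section 8 on keeping confidential Vendor-Specific content out of DHCPv6 messages.
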

7. DHCPv6 Client Behavior

OPTION_RADIUS is only exchanged between the relay agents and the servers. DHCPv6 clients are not aware of the usage of OPTION_RADIUS. DHCPv6 clients MUST NOT send OPTION_RADIUS and MUST ignore OPTION_RADIUS if received.

8. Security Considerations

Known security vulnerabilities of the DHCPv6 and RADIUS protocols may apply to their options. Security issues related with DHCPv6 are described in Section 23 of [RFC3315]. Security issues related with RADIUS are described in Section 8 of [RFC2865], Section 5 of [RFC3162], and Section 11 of [RFC6929].

The mechanism described in this document may introduce a new attack vector against the DHCPv6 server in cases where the DHCPv6 relay agent is compromised. By forging the RADIUS attributes contained in the OPTION_RADIUS of the RELAY-FORW (12) messages, the attacker may influence the parameter assignment on the DHCPv6 server for the DHCPv6 clients. However, as described in Section 3, in real deployments the NAS always belongs to the same administrative domain as the DHCPv6 server.

Network administrators should be aware that although RADIUS messages are encrypted, DHCPv6 messages are always unencrypted. It is possible that some RADIUS vendor-specific attributes might contain sensitive or confidential information. Network administrators are strongly advised to prevent such information from being included in DHCPv6 messages.

If the use of vendor-specific attributes with confidential content is required, administrators are advised to use IPsec with encryption to protect the confidentiality of the RADIUS attributes. Relay agents and servers implementing this specification MUST support the use of IPsec Encapsulating Security Payload (ESP) with encryption in transport mode, according to Section 3.1.1 of [RFC4303] and Section 21.1 of [RFC3315].

9. IANA Considerations

IANA has assigned OPTION_RADIUS (81) in the "DHCP Option Codes" registry, as defined in Section 4. In addition, IANA has created a new registry entitled "RADIUS Attributes Permitted in DHCPv6 RADIUS Option" in the "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)" registry, as defined in Section 4.1. The new registry enumerates the RADIUS Attributes Types (http://www.iana.org/assignments/radius-types) that are permitted for inclusion in the DHCPv6 RADIUS option. The allocation policy of this "RADIUS Attributes Permitted in DHCPv6 RADIUS Option" registry is Expert Review per [RFC5226]. Designated experts should carefully consider the security implications of allowing the relay agent to include new RADIUS attributes to this registry.


10. Acknowledgements

Thanks to Tomek Mrugalski, Bernie Volz, Gaurav Halwasia, and Roberta Maglione for their thorough review comments in the DHC working group mailing list. Thanks also to Ted Lemon for his continuous encouragement and technical guidance.

11. References

11.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.

[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005.

[RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix Attribute", RFC 4818, April 2007.

[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.

[RFC6519] Maglione, R. and A. Durand, "RADIUS Extensions for Dual-Stack Lite", RFC 6519, February 2012.

[RFC6911] Dec, W., Sarikaya, B., Zorn, G., Miles, D., and B. Lourdelet, "RADIUS Attributes for IPv6 Access Networks", RFC 6911, April 2013.

[RFC6929] DeKok, A. and A. Lior, "Remote Authentication Dial In User Service (RADIUS) Protocol Extensions", RFC 6929, April 2013.

11.2. Informative References

[RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", RFC 3162, August 2001.

[RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6", RFC 3633, December 2003.

[RFC3646] Droms, R., "DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3646, December 2003.

[RFC3736] Droms, R., "Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6", RFC 3736, April 2004.

[RFC6334] Hankins, D. and T. Mrugalski, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Option for Dual-Stack Lite", RFC 6334, August 2011.

Authors' Addresses

   Leaf Y. Yeh
   Freelancer Technologies
   P. R. China

   EMail: leaf.yeh.sdo@gmail.com


   Mohamed Boucadair
   France Telecom
   France

   EMail: mohamed.boucadair@orange.com