© 2004 Cisco Systems, Inc. All rights reserved.
L2VPN RADIUS - IETF 62
L2VPN RADIUS Auto-discovery and provisioning
draft-ietf-l2vpn-radius-pe-discovery-01
Mark Townsley, Greg Weber, Wei Luo, Skip Booth
(Juha Heinanen)
IETF 62
draft-ietf-l2vpn-radius-pe-discovery-01
• -00 presented at IETF-61
• Protocol-independent information model corresponding to multi-layered authorization
• Different layers may map to different protocol-specific solutions based on deployments
• RADIUS-specific mappings defined
• Collapsible layers
L2VPN Authorization Steps
1. CE/AC Authorization – Attachment Circuit to VPN ID
2. VPN Authorization – VPN ID to PE Membership
3. PW Authorization – PE Membership to PW signaling
(Figure, built up over several slides: CE attached to PE; the attachment circuit is mapped to VPN-ID=“101:14”; the pseudowires are signaled from PE to the member PEs PE-A and PE-B)
• Each step is independent and may be performed by any combination of local configuration, RADIUS, BGP, etc.
Changes in the -01 version
draft-ietf-l2vpn-radius-pe-discovery
• Updated terminology
• Generalized from VPLS to VPLS/VPWS/etc.
• Reduce L2VPN-specific requirements on RADIUS servers: e.g. make servers less stateful.
• Defined RADIUS attributes to support the above
Updated Terminology
Latest terminology from:
• draft-ietf-l2vpn-l2-framework-05
• draft-ietf-l2vpn-signaling-03

AII: Attachment Individual Identifier
AC: Attachment Circuit
AGI: Attachment Group Identifier
AS: Autonomous System
CE: Customer Equipment
L2VPN: Layer 2 Provider Provisioned Virtual Private Network
NAI: Network Access Identifier
NAS: Network Access Server
PE: Provider Equipment
SAI: Source Attachment Identifier
SAII: Source Attachment Individual Identifier
RADIUS: Remote Authentication Dial In User Service
TAI: Target Attachment Identifier
TAII: Target Attachment Individual Identifier
VPLS: Virtual Private LAN Service
VPN: Virtual Private Network
VPWS: Virtual Private Wire Service
RADIUS Attributes
• VPN-ID: RFC 2685, “Virtual Private Networks Identifier”
• Router-Distinguisher: draft-ietf-l3vpn-rfc2547bis-03, “BGP/MPLS IP VPNs”
• Attachment-Individual-ID: draft-ietf-l2vpn-signaling-03, “Provisioning Models and Endpoint Identifiers in L2VPN Signaling”
• Per-Hop-Behavior: RFC 3140, “Per Hop Behavior Identification Codes”
• PE-Router-ID: draft-ietf-l2vpn-signaling-03, “Provisioning Models and Endpoint Identifiers in L2VPN Signaling”
• PE-Address: IP address of the PE
• PE-Record: PE-Router-ID + AII [+ PW attribute/value pairs]
RADIUS Transactions
(Access-Response below is the Access-Accept that answers each Access-Request.)

CE/AC Authorization
  Access-Request:  User-Name = NAI or AC name; NAS-IP-Address
  Access-Response: VPN-ID or Router-Distinguisher; VSAs for circuit-specific parameters

VPN Authorization
  Access-Request:  User-Name = VPN-ID or Router-Distinguisher; NAS-IP-Address
  Access-Response: PE-Router-ID, PE-Address, Attachment-Individual-Identifier, or multiple PE-Records like “PE-Router-ID:AII” “PE-Router-ID:AII”

Pseudowire Authorization
  Access-Request:  User-Name = PE-Router-ID; NAS-IP-Address; VPN-ID or Router-Distinguisher; Attachment-Individual-Identifier
  Access-Response: Per-Hop-Behavior; possibly a DSCP setting

Collapsed Transaction
  Access-Request:  User-Name = NAI or AC name; NAS-IP-Address
  Access-Response: Multiple PE-Records like “PE-Router-ID:AII:PHB=<val>” “PE-Router-ID:AII:PHB=<val>”
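The transactions above ride in ordinary RADIUS packets, and what protects them on the NAS-to-server path is the RFC 2865 Response Authenticator together with the RFC 2869 Message-Authenticator, both keyed with the shared secret. The following Python is an added example, not code from the draft or its authors: it builds the CE/AC Authorization Access-Request from the slides, answers it with an Access-Accept carrying VPN-ID, has the NAS verify both authenticators before it trusts the answer, and shows a one-octet modification being rejected on either side. The shared secret, the server table and the VPN-ID attribute type code (224) are assumptions of the example; the slides give no IANA assignments for the L2VPN attributes.

```python
"""CE/AC Authorization on the wire: RADIUS Access-Request and Access-Accept (RFC 2865) with
Message-Authenticator (RFC 2869), built, answered and verified locally. Added example."""
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80   # RFC 2865 / RFC 2869 type codes
VPN_ID = 224                       # HYPOTHETICAL type code for the draft's VPN-ID attribute
SECRET = b"example-shared-secret"  # constructed NAS/server shared secret
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator
AC_TO_VPN = {b"ATM14.0.1": b"100:14"}   # constructed server table, from the slide example


def attr(atype: int, value: bytes) -> bytes:
    """One attribute TLV; Length counts the two header octets, so the value is at most 253."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long for one TLV")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(pkt: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLVs after the header; a bad Length is an error, not something to skip over."""
    out, pos = [], HEADER.size
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute length")
        out.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return out


def encode(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, HEADER.size + len(attrs), authenticator) + attrs


def with_message_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    """Append Message-Authenticator: HMAC-MD5 keyed with the secret over the whole packet with the
    value zeroed. Both the request and its reply use the Request Authenticator in the header."""
    zeroed = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(SECRET, encode(code, ident, req_auth, zeroed), "md5").digest()
    return attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def check_message_authenticator(pkt: bytes, req_auth: bytes) -> bool:
    attrs = parse_attrs(pkt)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expect = hmac.new(SECRET, encode(pkt[0], pkt[1], req_auth, zeroed), "md5").digest()
    return hmac.compare_digest(expect, macs[0])


def build_access_request(ident: int, user_name: str, nas_ip: str) -> bytes:
    """NAS (PE) side: the CE/AC Authorization request from the slides."""
    req_auth = os.urandom(16)        # fresh Request Authenticator per request
    attrs = attr(USER_NAME, user_name.encode()) + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
    return encode(ACCESS_REQUEST, ident, req_auth, with_message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs))


def serve(req: bytes) -> Optional[bytes]:
    """Server side: check the request, answer Access-Accept with VPN-ID; None means silently discard."""
    code, ident, length, req_auth = HEADER.unpack_from(req)
    if code != ACCESS_REQUEST or length != len(req) or not check_message_authenticator(req, req_auth):
        return None
    vpn = AC_TO_VPN.get(dict(parse_attrs(req)).get(USER_NAME))
    if vpn is None:
        return None                  # a real server sends Access-Reject here
    attrs = with_message_authenticator(ACCESS_ACCEPT, ident, req_auth, attr(VPN_ID, vpn))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER.size + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + SECRET).digest()   # Response Authenticator, RFC 2865 section 3
    return head + resp_auth + attrs


def accept_reply(req: bytes, resp: bytes) -> Optional[bytes]:
    """NAS side: match the Identifier and verify both authenticators before trusting VPN-ID."""
    _, ident, _, req_auth = HEADER.unpack_from(req)
    code, rid, length, resp_auth = HEADER.unpack_from(resp)
    if code != ACCESS_ACCEPT or rid != ident or length != len(resp):
        return None
    attrs = resp[HEADER.size:]
    expect = hashlib.md5(resp[:4] + req_auth + attrs + SECRET).digest()
    if not hmac.compare_digest(expect, resp_auth) or not check_message_authenticator(resp, req_auth):
        return None
    return dict(parse_attrs(resp)).get(VPN_ID)


def flip_first_value_byte(pkt: bytes) -> bytes:
    """Modify one octet of the first attribute's value, as an on-path tamperer might."""
    b = bytearray(pkt)
    b[HEADER.size + 2] ^= 0x01
    return bytes(b)
```

The NAS-side check is the part worth copying: an Access-Accept that maps an attachment circuit to a VPN is an authorization decision, and a reply accepted without the Response Authenticator and Message-Authenticator checks could move a customer's circuit into another VPN. Both checks are HMAC-MD5 or MD5 over a shared secret, so they give integrity on the NAS-to-server hop, not confidentiality of the VPN-ID and PE-Record contents.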
RADIUS Examples
CE/AC Authorization

Request
  User-Name = "providerX/[email protected]"   (CE NAI)
  NAS-IP-Address = "1.1.1.1"
Response
  VPN-ID = "100:14"

Request
  User-Name = "ATM14.0.1"   (AC name)
  NAS-IP-Address = "1.1.1.1"
Response
  Router-Distinguisher = "1:1.2.3.4:10001"
RADIUS Examples
VPN Authorization

Request
  User-Name = "100:14"   (VPN-ID)
  NAS-IP-Address = "1.1.1.1"
Response
  PE-Record = "2.2.2.2:14"   (PE-Router-ID:AII)
  PE-Record = "2.2.2.2:15"
  PE-Record = "3.3.3.3:24"
  PE-Record = "3.3.3.3:25"

Request
  User-Name = "100:14"   (VPN-ID)
  NAS-IP-Address = "1.1.1.1"
Response
  PE-Record = "2.2.2.2:14:PHB=256"
RADIUS Examples
Pseudowire Authorization

Request
  User-Name = "2.2.2.2"   (PE-Router-ID)
  NAS-IP-Address = "1.1.1.1"
  Attachment-Individual-ID = "14"
  VPN-ID = "100:14"
Response
  Per-Hop-Behavior = "256"
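Putting the three example slides together, the following Python is an added example (not code from the draft or its authors) of a PE running the stepwise authorization, AC name to VPN-ID to PE-Records to per-pseudowire parameters, and the collapsed single transaction from the transactions slide, against an in-memory table that stands in for the RADIUS server. The table contents follow the slide examples; the local PE-Router-ID, the trusted-NAS list, the strict PE-Record parser and the rule that a rejected pseudowire authorization suppresses signaling to that PE are assumptions of the example.

```python
"""Stepwise and collapsed L2VPN authorization over RADIUS, simulated end to end.
Added example, not code from the draft: the "server" is an in-memory table holding the
attributes an Access-Accept would carry, keyed by the User-Name each transaction sends."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Attrs = List[Tuple[str, str]]                 # RADIUS attribute/value pairs, in order

NAS_IP = "1.1.1.1"                            # this PE's NAS-IP-Address (slide examples)
OWN_PE_ROUTER_ID = "1.1.1.1"                  # assumption: the slides never show the local PE-Router-ID
TRUSTED_NAS = {"1.1.1.1"}                     # constructed: NAS addresses the server answers

# Constructed tables mirroring the slide examples (VPN 100:14, remote PEs 2.2.2.2 and 3.3.3.3).
# A real server would also check VPN-ID and AII in the PW step; this one keys on User-Name only.
STEPWISE_TABLE: Dict[str, Attrs] = {
    "ATM14.0.1": [("VPN-ID", "100:14")],                                   # 1. AC name -> VPN-ID
    "100:14": [("PE-Record", "2.2.2.2:14"), ("PE-Record", "2.2.2.2:15"),   # 2. VPN-ID -> PE membership
               ("PE-Record", "3.3.3.3:24"), ("PE-Record", "3.3.3.3:25")],
    "2.2.2.2": [("Per-Hop-Behavior", "256")],                              # 3. PE-Router-ID -> PW parameters
    "3.3.3.3": [("Per-Hop-Behavior", "256")],
}
COLLAPSED_TABLE: Dict[str, Attrs] = {
    "ATM14.0.1": [("PE-Record", "2.2.2.2:14:PHB=256"), ("PE-Record", "2.2.2.2:15:PHB=256"),
                  ("PE-Record", "3.3.3.3:24:PHB=256"), ("PE-Record", "3.3.3.3:25:PHB=256")],
}


@dataclass(frozen=True)
class PERecord:
    pe_router_id: str
    aii: str
    phb: Optional[int] = None


def parse_pe_record(value: str) -> PERecord:
    """Parse "PE-Router-ID:AII" or "PE-Router-ID:AII:PHB=<val>"; anything else is rejected
    rather than guessed at, since a bad record would drive pseudowire signaling."""
    parts = value.split(":")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed PE-Record {value!r}")
    ipaddress.IPv4Address(parts[0])           # PE-Router-ID is an IPv4 address on the slides; raises if not
    phb = None
    if len(parts) == 3:
        if not parts[2].startswith("PHB="):
            raise ValueError(f"unknown PW parameter in PE-Record {value!r}")
        phb = int(parts[2][4:])
        if not 0 <= phb <= 0xFFFF:             # RFC 3140 PHB identification codes are 16-bit
            raise ValueError(f"PHB code out of range in PE-Record {value!r}")
    return PERecord(parts[0], parts[1], phb)


def access_request(table: Dict[str, Attrs], request: Attrs) -> Optional[Attrs]:
    """Constructed RADIUS server: Access-Accept attributes, or None for Access-Reject."""
    req = dict(request)
    if req.get("NAS-IP-Address") not in TRUSTED_NAS or "User-Name" not in req:
        return None
    return table.get(req["User-Name"])


def value_of(attrs: Attrs, *names: str) -> Optional[str]:
    """First value whose attribute name is one of `names`, e.g. VPN-ID or Router-Distinguisher."""
    return next((v for n, v in attrs if n in names), None)


PW = Tuple[str, str, Optional[int]]   # (remote PE-Router-ID, remote AII, PHB) to signal


def stepwise_authorize(ac_name: str) -> List[PW]:
    """Steps 1-3 from the slides, each its own RADIUS transaction."""
    resp = access_request(STEPWISE_TABLE, [("User-Name", ac_name), ("NAS-IP-Address", NAS_IP)])
    if resp is None:
        raise PermissionError(f"CE/AC authorization rejected for {ac_name!r}")
    vpn = value_of(resp, "VPN-ID", "Router-Distinguisher")
    resp = access_request(STEPWISE_TABLE, [("User-Name", vpn), ("NAS-IP-Address", NAS_IP)])
    if resp is None:
        raise PermissionError(f"VPN authorization rejected for {vpn!r}")
    pws: List[PW] = []
    for rec in (parse_pe_record(v) for n, v in resp if n == "PE-Record"):
        if rec.pe_router_id == OWN_PE_ROUTER_ID:   # never signal a pseudowire to ourselves
            continue
        resp = access_request(STEPWISE_TABLE, [
            ("User-Name", rec.pe_router_id), ("NAS-IP-Address", NAS_IP),
            ("Attachment-Individual-ID", rec.aii), ("VPN-ID", vpn)])
        if resp is None:                           # PW not authorized: membership alone is not enough
            continue
        pws.append((rec.pe_router_id, rec.aii, int(value_of(resp, "Per-Hop-Behavior"))))
    return pws


def collapsed_authorize(ac_name: str) -> List[PW]:
    """Collapsed transaction: one request, PE-Records already carry the PW parameters."""
    resp = access_request(COLLAPSED_TABLE, [("User-Name", ac_name), ("NAS-IP-Address", NAS_IP)])
    if resp is None:
        raise PermissionError(f"authorization rejected for {ac_name!r}")
    recs = [parse_pe_record(v) for n, v in resp if n == "PE-Record"]
    return [(r.pe_router_id, r.aii, r.phb) for r in recs if r.pe_router_id != OWN_PE_ROUTER_ID]


if __name__ == "__main__":
    print(stepwise_authorize("ATM14.0.1"))
    print(collapsed_authorize("ATM14.0.1"))
```

Both paths end in the same list of pseudowires to signal, which is the point of the collapsible layers: the deployment chooses how many round trips to spend, not what the PE learns. The parser deliberately refuses a PE-Record it cannot fully interpret, because every accepted record turns into pseudowire signaling toward another PE.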
To do…
• Address accounting (steps #1 and #3 are the most interesting)
• Address dynamic authorization changes (via RFC 3576)
• Input from RADEXT WG (this week)
• Security and IANA considerations
• Scalability
• Considerations for IPv6?
• How do CE credentials get to the PE for authenticated “zero-touch” provisioning?