
L2VPN RADIUS Auto-discovery and Provisioning

This draft proposes a protocol-independent information model for multi-layered authorization in L2VPN. It defines RADIUS-specific mappings and collapsible layers for CE/AC, VPN, and PW authorization steps.



Presentation Transcript


  1. L2VPN RADIUS Auto-discovery and provisioning
     draft-ietf-l2vpn-radius-pe-discovery-01
     Mark Townsley, Greg Weber, Wei Luo, Skip Booth (Juha Heinanen)
     IETF 62

  2. draft-ietf-l2vpn-radius-pe-discovery-01
     • -00 presented at IETF-61
     • Protocol-independent information model corresponding to multi-layered authorization
     • Different layers may map to different protocol-specific solutions based on deployments
     • RADIUS-specific mappings defined
     • Collapsible layers

  3. L2VPN Authorization Steps
     • Each step is independent and may be performed by any combination of local configuration, RADIUS, BGP, etc.
     1. CE/AC Authorization – Attachment Circuit to VPN ID
     2. VPN Authorization – VPN ID to PE Membership
     3. PW Authorization – PE Membership to PW signaling
     (Diagram, built up across slides 3 to 6: CE attached to PE; VPN-ID=“101:14”; PE-A and PE-B as members of the VPN)

  7. Changes in the -01 version
     draft-ietf-l2vpn-radius-pe-discovery
     • Updated terminology
     • Generalized from VPLS to VPLS/VPWS/etc.
     • Reduce L2VPN-specific requirements on RADIUS servers: e.g. make servers less stateful.
     • Defined RADIUS attributes to support the above

  8. Updated Terminology
     Latest terminology from:
     • draft-ietf-l2vpn-l2-framework-05
     • draft-ietf-l2vpn-signaling-03
     AII: Attachment Individual Identifier
     AC: Attachment Circuit
     AGI: Attachment Group Identifier
     AS: Autonomous System
     CE: Customer Equipment
     L2VPN: Layer 2 Provider Provisioned Virtual Private Network
     NAI: Network Access Identifier
     NAS: Network Access Server
     PE: Provider Equipment
     SAI: Source Attachment Identifier
     SAII: Source Attachment Individual Identifier
     RADIUS: Remote Authentication Dial In User Service
     TAI: Target Attachment Identifier
     TAII: Target Attachment Individual Identifier
     VPLS: Virtual Private LAN Service
     VPN: Virtual Private Network
     VPWS: Virtual Private Wire Service

  9. RADIUS Attributes
     • VPN-ID: RFC 2685, “Virtual Private Networks Identifier”
     • Router-Distinguisher: draft-ietf-l3vpn-rfc2547bis-03, “BGP/MPLS IP VPNs”
     • Attachment-Individual-ID: draft-ietf-l2vpn-signaling-03, “Provisioning Models and Endpoint Identifiers in L2VPN Signaling”
     • Per-Hop-Behavior: RFC 3140, “Per Hop Behavior Identification Codes”
     • PE-Router-ID: draft-ietf-l2vpn-signaling-03, “Provisioning Models and Endpoint Identifiers in L2VPN Signaling”
     • PE-Address: IP address of PE
     • PE-Record: PE-Router-ID + AII [+ PW attribute/value pairs]

  10. RADIUS Transactions

  11. RADIUS Examples: CE/AC Authorization
     Request
       User-Name = "providerX/atlanta@vpnY.domainZ.net"   (CE NAI)
       NAS-IP-Address = "1.1.1.1"
     Response
       VPN-ID = "100:14"
     Request
       User-Name = "ATM14.0.1"   (AC Name)
       NAS-IP-Address = "1.1.1.1"
     Response
       Router-Distinguisher = "1:1.2.3.4:10001"

  12. RADIUS Examples: VPN Authorization
     Request
       User-Name = "100:14"   (VPN-ID)
       NAS-IP-Address = "1.1.1.1"
     Response
       PE-Record = "2.2.2.2:14"   (PE-Router-ID:AII)
       PE-Record = "2.2.2.2:15"
       PE-Record = "3.3.3.3:24"
       PE-Record = "3.3.3.3:25"
     Request
       User-Name = "100:14"   (VPN-ID)
       NAS-IP-Address = "1.1.1.1"
     Response
       PE-Record = "2.2.2.2:14:PHB=256"

  13. RADIUS Examples: Pseudowire Authorization
     Request
       User-Name = "2.2.2.2"   (PE-Router-ID)
       NAS-IP-Address = "1.1.1.1"
       Attachment-Individual-ID = "14"
       VPN-ID = "100:14"
     Response
       Per-Hop-Behavior = "256"
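The slides give the attribute/value pairs of each authorization step but not the wire-level exchange or the checks a PE should perform before acting on a response. The following is an added worked example, written for this page and not code from the draft or its authors: it encodes the CE/AC Authorization exchange of slide 11 as RFC 2865 packets, answers it from an in-process mock authorization server, and has the PE side verify the Response Authenticator and the packet identifier before it trusts the returned VPN-ID. Assumptions: the draft's VPN-ID attribute has no numeric type code on the slides, so 250 is a placeholder for this example only; the shared secret, the identifier and the NAI-to-VPN-ID table are constructed sample data; standard User-Name (1) and NAS-IP-Address (4) codes are from RFC 2865.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and standard attribute types used below.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
# The draft's VPN-ID attribute has no numeric type code on the slides; 250 is a
# placeholder chosen for this example only (assumption, not the draft's value).
ATTR_VPN_ID = 250

# Constructed sample data mirroring the CE/AC Authorization slide:
# CE NAI -> VPN-ID, as the authorization server would hold it.
CE_NAI_TO_VPN_ID = {b"providerX/atlanta@vpnY.domainZ.net": b"100:14"}


def encode_attr(atype, value):
    """Type-Length-Value encoding; Length covers the 2-byte header (RFC 2865 s.5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(payload):
    """Strict TLV walk: a Length below 2 or an overrun is a malformed packet."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def build_packet(code, identifier, authenticator, attrs):
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def server_respond(request, secret):
    """Mock authorization server: maps the CE NAI to a VPN-ID (CE/AC step)."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    vpn_id = CE_NAI_TO_VPN_ID.get(attrs.get(ATTR_USER_NAME))
    resp_code = ACCESS_ACCEPT if vpn_id else ACCESS_REJECT
    body = encode_attr(ATTR_VPN_ID, vpn_id) if vpn_id else b""
    header = struct.pack("!BBH", resp_code, identifier, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length | RequestAuth | Attributes | Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def client_check_response(response, identifier, request_auth, secret):
    """PE side: verify identifier and Response Authenticator before using any attribute."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or length < 20:
        raise ValueError("bad length")
    if ident != identifier:
        raise ValueError("identifier does not match the outstanding request")
    body = response[20:]
    expected = hashlib.md5(response[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: response discarded")
    return code, dict(parse_attrs(body))


def ce_ac_authorization(ce_nai, nas_ip, secret, identifier=7, request_auth=None):
    """Run the CE/AC Authorization round trip; returns the VPN-ID string or None."""
    request_auth = request_auth or os.urandom(16)  # fresh per request, as RFC 2865 requires
    request = build_packet(ACCESS_REQUEST, identifier, request_auth, [
        (ATTR_USER_NAME, ce_nai.encode()),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    response = server_respond(request, secret)
    code, attrs = client_check_response(response, identifier, request_auth, secret)
    return attrs[ATTR_VPN_ID].decode() if code == ACCESS_ACCEPT else None


def tampered_response_is_rejected(secret, identifier=9):
    """Alter the VPN-ID in transit; the PE must refuse the response."""
    request_auth = bytes(range(16))  # constructed fixed value for reproducibility
    request = build_packet(ACCESS_REQUEST, identifier, request_auth, [
        (ATTR_USER_NAME, b"providerX/atlanta@vpnY.domainZ.net"),
        (ATTR_NAS_IP_ADDRESS, bytes([1, 1, 1, 1])),
    ])
    response = bytearray(server_respond(request, secret))
    response[-2:] = b"99"  # "100:14" becomes "100:99"; authenticator is left untouched
    try:
        client_check_response(bytes(response), identifier, request_auth, secret)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(ce_ac_authorization("providerX/atlanta@vpnY.domainZ.net", "1.1.1.1", b"sharedsecret"))
    print(tampered_response_is_rejected(b"sharedsecret"))
```

The VPN Authorization step returns several PE-Record attributes for one request, so a parser for that step must keep repeated attributes as a list rather than collapsing them into a dict as this CE/AC example does.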

  14. To do…
     • Address accounting: Steps #1 & #3 most interesting
     • Address dynamic authorization changes (via RFC 3576)
     • Input from RADEXT WG (this week)
     • Security, IANA
     • Scalability
     • Considerations for IPv6?
     • How do CE credentials get to the PE for authenticated “zero-touch” provisioning?
