FireBrick - Firewalls, Bonding ADSL, Routers, Traffic Shaping...
FireBrick FB6000
RADIUS Interface specification
RADIUS is used for authentication and accounting of L2TP connections. If no authentication servers are configured then authentication is not performed. If no accounting servers are configured then no accounting is generated. Multiple servers can be configured and they are processed in order. Each can have multiple IP addresses. The IP addresses are tried at random for each server that has multiple addresses allowing load sharing. If a server does not respond a number of times as configured then it is blacklisted for a configurable period. After the specified number of tries the next server is tried. Eventually the RADIUS will fail if no servers respond or all are blacklisted.
Default operation when no authentication servers respond is TBA. We plan to allow configurable operation for accept, drop, or reject. Default operation when no accounting servers respond is to discard the accounting data.
Authentication
| AVP | No. | Usage |
|---|---|---|
| Message-Authenticator | 80 | Message signature as per RFC2869 |
| User-Name | 1 | Username from authentication (PAP/CHAP) or proxy authentication received on L2TP |
| Calling-Station-Id | 30 | Calling number as received on L2TP |
| Called-Station-Id | 31 | Called number as received on L2TP |
| Acct-Session-Id | 44 | Unique ID (hex string) for session as used on all following accounting records |
| NAS-Identifier | 32 | Configured hostname of FireBrick |
| NAS-IP-Address | 4 | NAS IPv4 address if using IPv4 |
| NAS-IPv6-Address | 95 | NAS IPv6 address if using IPv6 |
| NAS-Port | 5 | L2TP session ID |
| Service-Type | 6 | Framed |
| Framed-Protocol | 7 | PPP |
| CHAP-Password | 3 | CHAP ID and response |
| CHAP-Challenge | 60 | CHAP challenge (only present if not the same as RADIUS authenticator) |
| Framed-MTU | 12 | MTU requested by PPP, if one was requested (even if 1500) |
| Connect-Info | 77 | Text Tx speed/Rx speed from L2TP connection if known |
Note that the NAS-IP-Address is normally the local end of the L2TP connection for the incoming connection. However, there is a configuration option to pass the remote end of the L2TP as the NAS-IP-Address as this is often more useful. If the remote Ip is used the NAS-Port is set to the far end L2TP session ID rather than the local end session ID. The NAS-Identified remains the name of the FB6000. This option is separately available for accounting messages.
Note that the Calling-Station-Id is included even if not present in L2TP connection if a cache platform RADIUS request matched the L2TP connection and had a Calling-Station-Id.
Authentication response
For Reject, only Reply-Message is processed. Accept may simply include tunnel relay data. If Tunnel-Server-Endpoint is present then it is assumed that the connection is to be relayed to that endpoint even if no other Tunnel settings exist.
| AVP | No. | Usage |
|---|---|---|
| Reply-Message | 18 | Reply message sent on PPP authentication response |
| Primary-DNS-Address | 135 | Primary DNS address used in PPP IPCP |
| Secondary-DNS-Address | 136 | Secondary DNS address used in PPP IPCP |
| Framed-Interface-ID | 96 | Peer IPv6 Interface ID expected in PPP IPV6CP |
| Framed-IP-Address | 8 | Peer IPv4 address expected in PPP IPCP (does not support 255.255.255.255 or 255.255.255.254 yet). Maximum localpref used. |
| Framed-Route | 22 | May appear more than once. Text format is IPv4-Address/Bits 0.0.0.0 metric. The target IP is ignored but must be valid IPv4 syntax. The metric is used as localpref in routing. |
| Framed-IPv6-Prefix | 97 | 8 byte IPv6 prefix to be routed to line. Maximum locapref used. |
| Framed-IPv6-Route | 99 | May appear more than once. Text format is IPv6-Address/Bits :: metric. The target IP is ignored but must be valid IPv6 syntax. The metric is used as localpref in routing. Alternative format IPv6/Bits IPv4-Address metric defines that prefix is to be protocol 41 IPv4 tunneled to specified target via this link. |
| User-Name | 1 | Username may be specified - this replaces the username already present and is then used on accounting start and relay L2TP. |
| Class | 25 | String to use in accounting start messages |
| Chargeable-User-Identity | 89 | This is used as the preferred CQM graph name. |
| Session-Timeout | 27 | Absolute limit on session, in seconds |
| Idle-Timeout | 28 | Not yet used |
| Filter-Id | 11 | See filter ID section |
| Framed-MTU | 12 | Set MTU for session |
| Connect-Info | 77 | Text tx speed limit to apply to session |
| Tunnel-Type | 64 | Tag must be 0. If specified must be 3 (L2TP), L2TP is assumed |
| Tunnel-Medium-Type | 65 | Tag must be 0. If specified must be 1 (IPv4) or 2 (IPv6), syntax of endpoint is used if this is not specified |
| Tunnel-Server-Endpoint | 67 | Tag must be unusued. Text IPv4 or IPv6 address of endpoint (FQDN is not accepted) |
| Tunnel-Client-Auth-ID | 90 | Tag must be unusued. Hostname to quote on outgoing tunnel, if omitted then configured FireBrick hostname is used |
| Tunnel-Password | 69 | Tag must be 0. Shared secret to use on outgoing tunnel (encrypted), if omitted then assumed no secret |
| Tunnel-Private-Group-Id | 81 | Tag must be 0. Name of outgoing tunnel shaper/graph |
Note that an authentication reject will normally cause the reply message to be sent as an authentication reject message. The reply "Try another" causes the L2TP session to be closed with result/error 2/7 (Try another) without sending an authentication reply on PPP.
Accounting Start
| AVP | No. | Usage |
|---|---|---|
| Acct-Status-Type | 40 | 1 Start |
| User-Name | 1 | Username from authentication (PAP/CHAP) or proxy authentication received on L2TP or received in authentication response |
| Class | 25 | From authentication response if present |
| Chargeable-User-Identity | 89 | Graph name that applies, sanitised to comply with CQM graph name rules.. |
| Calling-Station-Id | 30 | Calling number as received on L2TP |
| Called-Station-Id | 31 | Called number as received on L2TP |
| Service-Type | 6 | Framed |
| Framed-Protocol | 7 | PPP |
| Framed-MTU | 12 | Final MTU being used for session |
| Filter-Id | 11 | Filters in use |
| Session-Timeout | 27 | Absolute limit on session, in seconds, if specified in authentication reply |
| Idle-Timeout | 28 | Idle timeout, in seconds, if specified in authentication reply |
| Framed-Interface-ID | 96 | Peer IPv6 Interface ID from PPP IPV6CP |
| Framed-IP-Address | 8 | Peer IPv4 address negotiated in PPP (normally from authentication response) |
| Connect-Info | 77 | Text Tx speed/Rx speed in use |
| Acct-Delay-Time | 41 | Seconds since session started |
| Acct-Event-Timestamp | 55 | Session start time (unix timestamp) |
| Acct-Session-Id | 44 | Unique ID (hex string) for session |
| NAS-Identifier | 32 | Configured hostname of FireBrick |
| NAS-IP-Address | 4 | NAS IPv4 address if using IPv4 |
| NAS-IPv6-Address | 95 | NAS IPv6 address if using IPv6 |
| NAS-Port | 5 | L2TP session ID |
| Tunnel-Type | 64 | Present for relayed L2TP sessions, L2TP |
| Tunnel-Medium-Type | 65 | Present for relayed L2TP, 1 (IPv4) or 2 (IPv6) |
| Tunnel-Client-Endpoint | 66 | Present for relayed L2TP, text IPv4 or IPv6 address of our address on the outbound tunnel |
| Tunnel-Server-Endpoint | 67 | Present for relayed L2TP, text IPv4 or IPv6 address of the far end address of the outbound tunnel |
| Tunnel-Assignment-ID | 82 | Present for relayed L2TP, text local L2TP tunnel ID |
| Tunnel-Client-Auth-ID | 90 | Present for relayed L2TP, local end hostname quoted by outgoing tunnel |
| Tunnel-Server-Auth-ID | 91 | Present for relayed L2TP, far end hostname quoted by outgoing tunnel |
Note that most parameters are not included in interim and stop accounting records. The acct-session-id should be used by accounting servers to correlate interim and stop records with the start record. The graph name could be used, but is only available where there is a graph. If too many different graphs then that is not present. Some exceptions apply as they can be changed by a change of authorisation RADIUS request, such as Connect-Info.
Accounting Interim
| AVP | No. | Usage |
|---|---|---|
| Acct-Status-Type | 40 | 3 Interim-Update |
| Acct-Delay-Time | 41 | Seconds since accounting data collected |
| Acct-Event-Timestamp | 55 | Data collected time (unix timestamp) |
| Acct-Session-Id | 44 | Unique ID (hex string) for session |
| Chargeable-User-Identity | 89 | Graph name that applies, sanitised to comply with CQM graph name rules.. |
| Connect-Info | 77 | Text Tx speed/Rx speed in use |
| NAS-Identifier | 32 | Configured hostname of FireBrick |
| NAS-IP-Address | 4 | NAS IPv4 address if using IPv4 |
| NAS-IPv6-Address | 95 | NAS IPv6 address if using IPv6 |
| NAS-Port | 5 | L2TP session ID |
| Acct-Input-Octets | 42 | Rx byte count |
| Acct-Input-Gigawords | 52 | Rx byte count (high 4 bytes) |
| Acct-Output-Octets | 43 | Tx byte count |
| Acct-Output-Gigawords | 53 | Tx byte count (high 4 bytes) |
| Acct-Input-Packets | 47 | Rx packet count |
| Acct-Output-Packets | 48 | Tx packet count |
| Tunnel-Type | 64 | Present for relayed L2TP sessions, L2TP |
| Tunnel-Medium-Type | 65 | Present for relayed L2TP, 1 (IPv4) or 2 (IPv6) |
| Tunnel-Client-Endpoint | 66 | Present for relayed L2TP, text IPv4 or IPv6 address of our address on the outbound tunnel |
| Tunnel-Server-Endpoint | 67 | Present for relayed L2TP, text IPv4 or IPv6 address of the far end address of the outbound tunnel |
| Tunnel-Assignment-ID | 82 | Present for relayed L2TP, text local L2TP tunnel ID |
| Tunnel-Client-Auth-ID | 90 | Present for relayed L2TP, local end hostname quoted by outgoing tunnel |
| Tunnel-Server-Auth-ID | 91 | Present for relayed L2TP, far end hostname quoted by outgoing tunnel |
Accounting Stop
As accounting interim update plus
| AVP | No. | Usage |
|---|---|---|
| Acct-Terminate-Cause | 49 | Cause code as appropriate |
Cause codes of note are 2(Lost-Carrier) which is sent if LCP echos do not reply for several seconds, and 14(Port-Suspended) which is sent if the dos-limit is exceeded on a session. For DOS handling is is recommended that subsequent authentication requests are rejected for several minutes or a fake accept is and session-timeout is used as DOS attacks usually continue until the customer is off-line.
Disconnect
A disconnect message is accepted as per RFC5176, if the session can be disconnected, and ACK is sent, else a NAK
| AVP | No. | Usage |
|---|---|---|
| Acct-Session-Id | 44 | Unique ID (hex string) for session |
| Chargeable-User-Identity | 89 | This is used as CQM graph name. |
| Acct-Terminate-Cause | 49 | Cause code as appropriate to be used in accounting stop message |
The session is identified by Acct-Session-Id if present, else by Chargeable-User-Identity. No other identification parameters are supported. If sent then they are ignored.
Change of Authorisation
A change of authorisation message is accepted as per RFC5176
| AVP | No. | Usage |
|---|---|---|
| Acct-Session-Id | 44 | Unique ID (hex string) for session |
| Chargeable-User-Identity | 89 | This is used as CQM graph name. |
| Framed-Route | 22 | May appear more than once. Text format is IPv4-Address/Bits 0.0.0.0 metric. The target IP is ignored but must be valid IPv4 syntax. The metric is used as localpref in routing. |
| Framed-IPv6-Prefix | 97 | 8 byte IPv6 prefix to be routed to line. Maximum locapref used. |
| Framed-IPv6-Route | 99 | May appear more than once. Text format is IPv6-Address/Bits :: metric. The target IP is ignored but must be valid IPv6 syntax. The metric is used as localpref in routing. Alternative format IPv6/Bits IPv4-Address metric defines that prefix is to be protocol 41 IPv4 tunneled to specified target via this link. |
| Session-Timeout | 27 | Absolute limit on session, in seconds |
| Connect-Info | 77 | Text tx speed limit to apply to session |
| Filter-Id | 11 | See filter ID section |
The session is identified by Acct-Session-Id if present, else by Chargeable-User-Identity. No other identification parameters are supported. If sent then they are ignored.
Parameters are left unchanged if not specified.
No other parameters are supported, and if sent then they are ignored
Filter ID
The Filter-ID can be set in authentication response and change of authorisation. There can be many records. Each can have many filters. Each filter is of the form of a letter possibly followed by number digits. The accounting start lists relevant filters that have been set, each in a separate filter-id AVP. Unknown filters are ignored.
| Filter | meaning |
|---|---|
| Tn | Set routing table for payload traffic. This can be used for private routing, and for walled garden / credit control |
| An | Specify this connection is a member of a closed user group n (1-32767) but has normal IP access as well. This connection is not filtered by traffic can go to/from connections that are filtered in the same CUG |
| Rn | Specify this connection is a member of a closed user group n (1-32767) and is restricted to sending traffic to/from connections in the same CUG. |
| H | Sets the connection to send HDLC framing headers on all PPP packets. This adds 2 extra byte to the packet. This is the default setting. |
| h | Sets the connection not to send HDLC framing headers on all PPP packets. This is in accordance with the L2TP/PPP RFCs. This does not work on BT 21CN BRASs. |
| F | Sets TCP MTU fix flag which causes the MTU option in TCP SYN to be adjusted if necessary to fit MTU. |
| f | Sets no TCP MTU fix |
| M | Sets the connection to ignore the MRU. Actually, the MRU is used to generate ICMP errors for IPv6 and IPv4 with DF set, but otherwise full size packets are sent on the connection even if a lower MRU was advised. This is in accordance with the PPP RFC but breaks some routers that do not accept 1500 byte packets (e.g. PPPoE) |
| m | Sets the connection to fragment IPv4 packets with DF not set that are too big for the advised MRU. This is teh default |
| L | This is not a filter and not confirmed back on accounting start and not valid on Change of Authorisation. It forces a restart of LCP negotiation. This is useful when BRASs lie about negotiated LCP (such as BTs 21CN BRASs) |
| X | Pad native IPv6 packets to 74 bytes to work around bug in BT 20CN BRAS |
| S | Flag session as slow polled. LCP once per 16 seconds with graphs based on 16 answers all the same in a row unless there is loss in which case once a second. |
| P | Mark session as premium (see shaper and damping) |
For change of authorisation the absence of a filter has no effect. To set normal routing table 0 zero, send T0. To set not a member of a CUG send A0.
L2TP relay
L2TP relay means that an incoming call (ICRQ) is relayed to another L2TP endpoint. The decision of which calls to relay to what endpoint can be made in one of two ways:-
- Configured pattern match based on calling number, called number, or login
- RADIUS response to initial authentication request advising new endpoint for connection
A test is made against the config on the initial connection based on known data. This is calling number (if present), called number (if present) and login (proxy_auth_name if present). If a match is found the call is relayed with no additional PPP packets exchanged.
If there is no proxy LCP provided, or the provided negotiation conflicts with the configuration, then LCP negotiation is completed.
If there is no proxy authentication, PPP authentication is start until a response/login is received from the peer (assuming authentication is required in the config)
At this point a further check is made for a configured relay which can now be based on a login if one was not present before.
RADIUS authentication is completed, and if the response indicates a relay then the call is relayed
The relayed call includes the incoming call parameters, and any LCP and authentication parameters that may have been negotiated at that point.
LCP echo and CQM graphs
Depending on configuration, LCP echos are faked both ways from the FireBrick, and LCP echos are generated by the FireBrick and responses checked. This allows the CQM graphs to be created. The graph is only created for the outgoing part of the connection. If not configured to fake LCP echos, then these are passed through as normal and no graph is created.
Each session gets a CQM graph which uses one second LCP requests and produces detailed loss/latency graphs for the session. The graph name is picked based on the first available of :-
- Chargeable-User-Identity sent in the RADIUS authentication response
- Calling-Station-Id from L2TP
- User-name in RADIUS athentication response
- Proxy-Auth-Name from L2TP
- Negotiated user name from PAP/CHAP
If a second session starts with the same graph name as an existing session then the existing session is cleared with cause 13(Preempted). It is recommended that a unique circuit ID is passed as the Chargeable-User-Identity in the authentication response to allow simple location of graphs.
Closed User Group
Each session can have a CUG defined (1-32768) which may be allow or restrict. Interfaces (port/VLAN) may also be defined in the same way. A packet from an interface/session with a CUG is tagged with that packet. If the source is restricted that packet can only leave via an interface/session with the same CUG. Similarly if the target interface/session is restricted than only a packet tagged with the same CUG can be sent to it.
Routing table
The FireBrick operates independant routing cores allowing a totally independant routing table to be used for L2TP wrapper traffic and payload traffic. It is also possible to set the payload table in use on a per session basis from RADIUS thus allowing a walled garden to be set up, or a private network, or simple an unusable session.