WiFi Aggregation and Offload — IPv4/v6 Dual-Stack UEs
This chapter provides information about WiFi aggregation and offload IPv4/v6 dual-stack UEs.
Topics in this chapter include:
Applicability
The information and configuration in this chapter are based on SR OS Release 13.0.R3.
WiFi Aggregation and Offload functionality is supported on SR OS 10.0.R3 or later. The functionality includes enhanced subscriber management (ESM) for user equipment (UE) that gains network access via a WiFi service.
Overview
This chapter provides a functional description of the WLAN-GW features related to IPv4/v6 dual-stack UEs, as well as the related configuration.
Because IP address demand is mainly due to mobile devices, the support of IPv6 on mobile devices is a major requirement to manage IPv4 address depletion.
However, IPv6 on mobile devices is currently considered as an add-on rather than a replacement of IPv4, so the demand is for IPv4/v6 dual-stack UEs.
The basic concepts of ESMv6 for IPoE dual-stack hosts also apply to dual-stack UEs. However, WLAN-GW operates in a bridged environment where the Access Point (AP) performs L2 forwarding of Ethernet frames between the IEEE 802.11 air interface and the soft-GRE, soft-L2TPv3, or VLAN tunnel. Therefore, a WLAN-GW treats each UE as an individual subscriber who connects to the WiFi service. This contrasts with ESMv6 IPoE hosts behind a routed residential gateway (RG), where multiple hosts connect via the RG and the BNG treats the RG as the subscriber.
Depending on the type of UE, it may be allocated an IPv4 address through DHCPv4 and an IPv6 address through Stateless Address Auto-Configuration (SLAAC), or DHCPv6, or both (not all UEs have support for DHCPv6). Therefore, a UE can instantiate up to three IPoE hosts: a DHCPv4 host, a SLAAC host, and a DHCPv6 host.
Authentication and authorization depend on whether the UE connects to a WiFi with open or closed SSID. With an open SSID, authentication and authorization are performed when the first packet is received from the UE (typically a DHCPv4 Discover, an ICMPv6 Router-Solicit, or a DHCPv6 Solicit), similar to the routed RG model. Upon successful authentication, the Access-Accept is stored for 10 s on the WLAN-GW, so for a dual-stack IPv4/v6 UE, two or three authentication rounds can be avoided if DHCPv4, SLAAC, and DHCPv6 are started within this 10 s interval.
When the UE has successfully authenticated with the portal, a CoA-Request may lift the HTTP redirect filter by changing the SLA profile and, optionally, the subscriber profile. If the CoA-Request contains the subscriber ID, the CoA-Request applies to both the DHCPv4 host and the SLAAC and/or DHCPv6 host. See the RADIUS attributes reference guide for more information about alternative subscriber host identification in RADIUS CoA-Request messages.
With a closed SSID, there is a separation between the authentication and authorization phases. When a UE connects to a WiFi with closed SSID in WPA-Enterprise mode, also known as WPA-802.1X mode, the UE initiates authentication before it obtains an IP address. The WLAN-GW is aware of the successful authentication when it receives the DHCPv4 Discover, the ICMPv6 Router-Solicit, or the DHCPv6 Solicit.
As with ESMv6, the WLAN-GW supports SLAAC/64 and DHCPv6/128 Identity Association for Non-temporary Addresses (IA_NA). DHCPv6 Identity Association for Prefix Delegation (IA_PD) is not supported because the UEs are considered as individual hosts that have direct Layer 2 connectivity with the WLAN-GW. Devices that use the UE as an IPv6 gateway are currently not supported.
For SLAAC/64 hosts, the DNS information can be advertised with the recursive DNS server (RDNSS) option [RFC 6106] via SLAAC or via stateless DHCPv6 [RFC 3736]. For DHCPv6/128 hosts, the DNS information is advertised via DNS options for DHCPv6 [RFC3646]. If the AP supports a Lightweight DHCPv6 Relay Agent (LDRA), the WLAN-GW can learn the AP MAC address and the SSID that the UE connects to if the DHCPv6 Interface-Id option is in the format <ap-mac>:<ssid>:{o (open) | s (secure)} This information can then be used in subsequent accounting messages.
The following three IPv4/v6 dual-stack UE IP address assignment models are available:
DHCPv4 + SLAAC/64
DHCPv4 + SLAAC/64 with DHCPv4 linking
DHCPv4 + DHCPv6/128 IA_NA
In the DHCPv4 + SLAAC/64 model, DHCPv4 DORA and SLAAC/64 are processed independently of each other. If successful, two IPoE hosts are instantiated on the WLAN-GW for a particular UE: a DHCPv4 IPoE host and an IPv6 SLAAC/64 host.
When the AP sends a RADIUS Accounting-Stop for a particular UE while track-accounting is enabled for Accounting-Stop messages, both the DHCPv4 IPoE host and the IPv6 SLAAC/64 host will be removed.
However, it is not always possible for the AP to send RADIUS accounting messages (for example, in the case of an open SSID). Because SLAAC has no renew or release mechanism, the only way to delete a SLAAC host is to determine which UE was stopped using the SLAAC prefix; for example, by using idle-timeout and/or by periodic Subscriber Host Connectivity Verification (SHCV).
In the DHCPv4 + SLAAC/64 with DHCPv4 linking model, a SLAAC/64 host is instantiated when a DHCPv4 host is instantiated. The state of the SLAAC/64 host is linked to the state of the DHCPv4 host. This is useful to speed up the removal of the SLAAC host in cases where the AP does not send RADIUS accounting messages. With DHCPv4 linking, when the DHCPv4 host is removed, also the SLAAC/64 host is removed.
In the DHCPv4 + DHCPv6/128 IA_NA model, similar to the DHCPv4 + SLAAC/64 model, DHCPv4 DORA and DHCPv6/128 IA_NA are processed independently of each other. SLAAC/64 is optional in this model although it is typically enabled because some UEs do not support DHCPv6.
UEs that do support stateful address auto-configuration only initiate DHCPv6 when they receive an ICMPv6 Router-Advertisement with the M-bit set (RFC 2462, IPv6 Stateless Address Autoconfiguration). Because the WLAN-GW does not know whether the UE supports DHCPv6, the WLAN-GW must include a SLAAC/64 prefix in the ICMPv6 Router-Advertisement, also for UEs that do support DHCPv6. Therefore, for a UE that does support DHCPv6, three IPoE hosts are instantiated in the WLAN-GW. To avoid this, the WLAN-GW can be configured to flush the SLAAC/64 host when a DHCPv6/128 IA_NA host is established. The UE should always prefer the DHCPv6/128 IA_NA address for sending data traffic above the IPv6 address derived from the SLAAC/64 prefix.
As with ESMv6, the SLAAC/64 prefix could come from the Local User Database (LUDB); this is typically not used because it requires configuring individual UE MAC addresses with their associated SLAAC/64 prefix. Alternatively, the SLAAC/64 prefix could come from RADIUS via the Framed-IPv6-Prefix attribute, or from a local SLAAC prefix pool that is referenced in the LUDB or from RADIUS via the Alc-SLAAC-IPv6-Pool attribute.
The DHCPv6/128 prefix comes from a DHCPv6 server that could be local (collocated with the WLAN-GW) or external, or from RADIUS via the Alc-IPv6-Address attribute. When a DHCPv6 server is used, the WLAN-GW relays the DHCPv6 messages between the UE and the local or external DHCPv6 server. If the DHCPv6/128 prefix comes from RADIUS/LUDB, the WLAN-GW must be configured as a DHCPv6 proxy server.
Note that IPv6 for WLAN-GW UEs is not supported in combination with certain other features, which include GPRS Tunneling Protocol (GTP(v2)) offload, migrant UEs, and data-triggered authentication (DTA).
Data-triggered authentication is not supported for IPv6 hosts, which means that an IPv6 packet from a UE for which no ESM context exists will not trigger RADIUS authentication. However, by using SLAAC/64 with DHCPv4 linking, the SLAAC host will be created together with the DHCPv4 host by successful completion of IPv4 data-triggered authentication. This requires the RADIUS Access-Accept to contain the necessary DHCPv4 and SLAAC/64 attributes.
IPv6 is also not supported for migrant UEs, which means that ICMPv6 Router-Solicitation and DHCPv6 Solicit messages will be dropped by the WLAN-GW as long as the UE is in a migrant state. However, by using SLAAC/64 with DHCPv4 linking, when the UE becomes an ESM subscriber and a DHCPv4 host is created, a SLAAC/64 host is also created.
Configuration
Open versus closed SSID
The configuration examples in this chapter always refer to a closed SSID scenario. With an open SSID, the lookup in the RADIUS proxy cache is typically not configured. Instead, an authentication policy is directly referenced.
configure service vprn 2 customer 1 create
subscriber-interface "sub-int-1" create
group-interface "group-int-1" wlangw create
authentication-policy "auth-pol-1"
dhcp
no user-db
exit
exit
exit
exit
DHCPv4 + SLAAC/64 model
In this model, DHCPv4 and SLAAC/64 are enabled independently of each other. The autonomous flag tells the UE that the IPv6 prefix in the ICMPv6 Router-Advertisement can be used for SLAAC. The no on-link configuration commands the UE to always perform neighbor discovery for the WLAN-GW, even for destinations within the IPv6 prefix.
configure service vprn 2 customer 1 create
subscriber-interface "sub-int-1" create
address 10.255.255.254/8
ipv6
subscriber-prefixes
prefix 2001:db8:ffff::/48 wan-host
exit
exit
group-interface "group-int-1" wlangw create
ipv6
router-advertisements
no managed-configuration
no other-stateful-configuration
dns-options
include-dns
exit
prefix-options
autonomous
no on-link
exit
no shutdown
exit
router-solicit
user-db "ludb-1"
no shutdown
exit
exit
ipoe-linking
shutdown
exit
sap-parameters
sub-sla-mgmt
def-sub-id use-auto-id
sub-ident-policy "policy-sub-ident-1"
exit
exit
dhcp
proxy-server
emulated-server 172.16.0.1
no shutdown
exit
lease-populate 10000
user-db "ludb-1"
no shutdown
exit
ip-mtu 1454
wlan-gw
gw-address 172.16.74.244
gw-ipv6-address 2001:db8::1:1
router 1
tcp-mss-adjust 1400
wlan-gw-group 1
no shutdown
exit
exit
exit
no shutdown
exit
The SLAAC/64 prefix can come from the RADIUS server, as in the following RADIUS users file:
"user-1" Cleartext-Password := "pass-1"
Alc-Subsc-ID-Str := "user-1",
Alc-Subsc-Prof-Str := "sub-profile-1",
Alc-SLA-Prof-Str := "sla-profile-1",
Framed-IP-Address := 10.255.0.1,
Alc-Primary-DNS := 67.138.54.100,
Framed-IPv6-Prefix := 2001:db8:ffff::/64,
Alc-IPv6-Primary-Dns := 2001:db8::8:8:8:8,
Alc-IPv6-Secondary-Dns := 2001:db8::8:8:4:4
If the UE is successfully connected, two IPoE hosts will exist on the WLAN-GW.
*A:WLAN-GW # show service active-subscribers
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber user-1 (sub-profile-1)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[4/2/nat-out-ip:2049.4] - sla:sla-profile-1
-------------------------------------------------------------------------------
IP Address
MAC Address PPPoE-SID Origin
--------------------------------------------------------
10.255.0.1
b0:9f:ba:b9:40:f8 N/A DHCP
2001:db8:ffff::/64
b0:9f:ba:b9:40:f8 N/A IPoE-SLAAC
-------------------------------------------------------------------------------
Number of active subscribers : 1
-------------------------------------------------------------------------------
The trigger that created the SLAAC host and the origin is shown by issuing:
*A:WLAN-GW # show service id 2 slaac host detail
===============================================================================
SLAAC hosts for service 2
===============================================================================
Service ID : 2
Prefix : 2001:db8:ffff::/64
Interface Id : N/A
Mac Address : b0:9f:ba:b9:40:f8
Subscriber-interface : sub-int-1
Group-interface : group-int-1
SAP : [4/2/nat-out-ip:2049.4]
Creation Time : 2015/07/09 11:24:19
Persistence Key : N/A
IPoE Trigger : rtr-solicit
Last Auth Time : 2015/07/09 11:24:19
Inactivity Timer : 0d 00:03:59
Sub-Ident : "user-1"
Sub-Profile-String : "sub-profile-1"
SLA-Profile-String : "sla-profile-1"
App-Profile-String : ""
ANCP-String : ""
Int Dest Id : ""
Category-Map-Name : ""
Info origin : radius
Pool : ""
Primary-Dns : 2001:db8::8:8:8:8
Secondary-Dns : 2001:db8::8:8:4:4
Circuit Id : N/A
Remote Id : N/A
-------------------------------------------------------------------------------
Number of hosts : 1
===============================================================================
The SLAAC/64 prefix can also come from a local SLAAC prefix pool:
configure service vprn 2 customer 1 create
dhcp6
local-dhcp-server "local-dhcp-server-1" create
use-pool-from-client
pool "slaac-prefix-pool-1" create
prefix 2001:db8:ffff:ffff::/64 wan-host create
options
dns-server 2001:db8::8:8:8:8
exit
exit
exit
no shutdown
exit
exit
exit
The subscriber interface must then be configured with local-address-assignment enabled:
configure service vprn 2 customer 1 create
subscriber-interface "sub-int-1" create
group-interface "group-int-1" wlangw create
local-address-assignment
ipv6
client-application ipoe-slaac
server "local-dhcp-server-1"
exit
no shutdown
exit
exit
exit
exit
The origin of the SLAAC host then changes to:
*A:WLAN-GW # show service id 2 slaac host detail | match origin
Info origin : localPool
DHCPv4 + SLAAC/64 with DHCPv4 linking model
In this model, DHCPv4 linking instantiates a SLAAC/64 host when a DHCPv4 host is instantiated. This requires ipoe-linking to be configured:
configure service vprn 2 customer 1 create
subscriber-interface "sub-int-1" create
address 10.255.255.254/8
ipv6
subscriber-prefixes
prefix 2001:db8:ffff::/48 wan-host
exit
exit
group-interface "group-int-1" wlangw create
ipv6
router-advertisements
no managed-configuration
no other-stateful-configuration
dns-options
include-dns
exit
prefix-options
autonomous
no on-link
exit
no shutdown
exit
router-solicit
shutdown
exit
exit
ipoe-linking
gratuitous-rtr-adv
no shutdown
exit
sap-parameters
sub-sla-mgmt
def-sub-id use-auto-id
sub-ident-policy "policy-sub-ident-1"
exit
exit
dhcp
proxy-server
emulated-server 172.16.0.1
no shutdown
exit
lease-populate 10000
user-db "ludb-1"
no shutdown
exit
ip-mtu 1454
wlan-gw
gw-address 172.16.74.244
gw-ipv6-address 2001:db8::1:1
router 1
tcp-mss-adjust 1400
wlan-gw-group 1
no shutdown
exit
exit
exit
no shutdown
exit
Note that DHCPv4 linking is mutually exclusive with ICMPv6 Router-Solicit handling. Configuring DHCPv4 linking while ICMPv6 Router-Solicit handling is still enabled results in the following error:
*A:WLAN-GW # configure service vprn 2 subscriber-interface "sub-int-1" group-interface "group-int-1" ipoe-linking no shutdown
MINOR: SVCMGR #1543 Can't enable linking if router solicit authentication is enabled
Similarly, enabling ICMPv6 Router-Solicit handling while DHCPv4 linking is still enabled, results in the following error:
*A:WLAN-GW # configure service vprn 2 subscriber-interface "sub-int-1" group-interface "group-int-1" ipv6 router-solicit no shutdown
MINOR: SVCMGR #1544 Can't enable router solicit authentication if linking is enabled
As with the DHCPv4 + SLAAC/64 model without DHCPv4 linking, if the UE is successfully connected, two IPoE hosts will exist on the WLAN-GW:
*A:WLAN-GW # show service active-subscribers
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber user-1 (sub-profile-1)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[4/2/nat-out-ip:2049.4] - sla:sla-profile-1
-------------------------------------------------------------------------------
IP Address
MAC Address PPPoE-SID Origin
--------------------------------------------------------
10.255.0.1
b0:9f:ba:b9:40:f8 N/A DHCP
2001:db8:ffff::/64
b0:9f:ba:b9:40:f8 N/A IPoE-SLAAC
-------------------------------------------------------------------------------
Number of active subscribers : 1
-------------------------------------------------------------------------------
The trigger that created the SLAAC host and the origin is shown by issuing:
*A:WLAN-GW # show service id 2 slaac host detail
===============================================================================
SLAAC hosts for service 2
===============================================================================
Service ID : 2
Prefix : 2001:db8:ffff::/64
Interface Id : N/A
Mac Address : b0:9f:ba:b9:40:f8
Subscriber-interface : sub-int-1
Group-interface : group-int-1
SAP : [4/2/nat-out-ip:2049.4]
Creation Time : 2015/07/09 11:49:42
Persistence Key : N/A
IPoE Trigger : linking
Last Auth Time : N/A
Inactivity Timer : N/A
Sub-Ident : "user-1"
Sub-Profile-String : "sub-profile-1"
SLA-Profile-String : "sla-profile-1"
App-Profile-String : ""
ANCP-String : ""
Int Dest Id : ""
Category-Map-Name : ""
Info origin : radius
Pool : ""
Primary-Dns : 2001:db8::8:8:8:8
Secondary-Dns : 2001:db8::8:8:4:4
Circuit Id : N/A
Remote Id : N/A
-------------------------------------------------------------------------------
Number of hosts : 1
===============================================================================
Clearing the DHCPv4 host results in both the DHCPv4 host and the SLAAC host being deleted.
*A:WLAN-GW # clear service id 2 dhcp lease-state mac b0:9f:ba:b9:40:f8
*A:WLAN-GW # show service active-subscribers
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
No active subscribers found
-------------------------------------------------------------------------------
DHCPv4 + DHCPv6/128 IA_NA model
Because some UEs do not support DHCPv6, this model configures DHCPv4 + DHCPv6/128 IA_NA with SLAAC/64 enabled. To avoid having two IPv6oE hosts set up for the UEs that do support DHCPv6, the allow-multiple-wan-addresses and override-slaac parameters are both configured. The allow-multiple-wan-addresses allows handling of DHCPv6 when a SLAAC host exists already, and the override-slaac parameter removes the SLAAC host after successful assignment of an IPv6 address via DHCPv6:
configure service vprn 2 customer 1 create
subscriber-interface "sub-int-1" create
address 10.255.255.254/8
ipv6
subscriber-prefixes
prefix 2001:db8:ffff::/48 wan-host
exit
exit
group-interface "group-int-1" wlangw create
ipv6
allow-multiple-wan-addresses
router-advertisements
managed-configuration
other-stateful-configuration
dns-options
include-dns
exit
prefix-options
autonomous
no on-link
exit
no shutdown
exit
router-solicit
user-db "ludb-1"
no shutdown
exit
dhcp6
user-db "ludb-1"
proxy-server
no shutdown
exit
override-slaac
exit
exit
ipoe-linking
shutdown
exit
sap-parameters
sub-sla-mgmt
def-sub-id use-auto-id
sub-ident-policy "policy-sub-ident-1"
exit
exit
dhcp
proxy-server
emulated-server 172.16.0.1
no shutdown
exit
lease-populate 10000
user-db "ludb-1"
no shutdown
exit
ip-mtu 1454
wlan-gw
gw-address 172.16.74.244
gw-ipv6-address 2001:db8::1:1
router 1
tcp-mss-adjust 1400
wlan-gw-group 1
no shutdown
exit
exit
exit
no shutdown
exit
If the UE is successfully connected, two IPoE hosts will exist on the WLAN-GW:
*A:WLAN-GW # show service active-subscribers
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber user-1 (sub-profile-1)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[4/2/nat-out-ip:2049.4] - sla:sla-profile-1
-------------------------------------------------------------------------------
IP Address
MAC Address PPPoE-SID Origin
--------------------------------------------------------
10.255.0.1
b0:9f:ba:b9:40:f8 N/A DHCP
2001:db8:ffff::1/128
b0:9f:ba:b9:40:f8 N/A IPoE-DHCP6
-------------------------------------------------------------------------------
Number of active subscribers : 1
-------------------------------------------------------------------------------
The origin of the DHCPv6 lease is shown by issuing:
*A:WLAN-GW # show service id 2 dhcp6 lease-state
===============================================================================
DHCP lease state table, service 2
===============================================================================
IP Address Mac Address Sap/Sdp Id Remaining Lease MC
LeaseTime Origin Stdby
-------------------------------------------------------------------------------
2001:db8:ffff::1/128
b0:9f:ba:b9:40:f8 [4/2/nat-out-ip:20* 23h59m29s Radius
-------------------------------------------------------------------------------
Number of lease states : 1
===============================================================================
* indicates that the corresponding row element may have been truncated.
Conclusion
The WLAN-GW supports IPv4/v6 dual-stack UEs. Although the IPv6 support for UEs can handle single-stack IPv6-only UEs, the UEs only have IPv6 support as an add-on to IPv4.