draft-ietf-dhc-agentopt-radius-06.txt   draft-ietf-dhc-agentopt-radius-07.txt 
Network Working Group R. Droms Network Working Group R. Droms
Internet-Draft J. Schnizlein Internet-Draft J. Schnizlein
Expires: October 11, 2004 Cisco Systems Expires: January 5, 2005 Cisco Systems
April 12, 2004 July 7, 2004
RADIUS Attributes Sub-option for the DHCP Relay Agent Information RADIUS Attributes Sub-option for the DHCP Relay Agent Information
Option Option
draft-ietf-dhc-agentopt-radius-06.txt draft-ietf-dhc-agentopt-radius-07.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, I certify that any applicable By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been patent or other IPR claims of which I am aware have been disclosed,
disclosed, and any of which I become aware will be disclosed, in and any of which I become aware will be disclosed, in accordance with
accordance with RFC 3667. RFC 3667.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that other
other groups may also distribute working documents as groups may also distribute working documents as Internet-Drafts.
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six months
months and may be updated, replaced, or obsoleted by other and may be updated, replaced, or obsoleted by other documents at any
documents at any time. It is inappropriate to use Internet-Drafts time. It is inappropriate to use Internet-Drafts as reference
as reference material or to cite them other than as "work in material or to cite them other than as "work in progress."
progress."
The list of current Internet-Drafts can be accessed at http:// The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt. www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 11, 2004. This Internet-Draft will expire on January 5, 2005.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved. Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract Abstract
A NAS (network access server) may choose to authenticate the A NAS (network access server) may choose to authenticate the identity
identity of a device before granting that device access to the of a device before granting that device access to the network. The
network. The IEEE 802.1X protocol is an example of a mechanism IEEE 802.1X protocol is an example of a mechanism for providing
for providing authenticated layer 2 network access. A network authenticated layer 2 network access. A network element using RADIUS
element using RADIUS as an authentication authority will receive as an authentication authority will receive attributes from a RADIUS
attributes from a RADIUS server that may be used by a DHCP server server that may be used by a DHCP server in the selection of
in the selection of configuration parameters to be delivered to configuration parameters to be delivered to the device through its
the device through its DHCP client. The RADIUS Attributes DHCP client. The RADIUS Attributes sub-option enables a network
sub-option enables a network element to pass along attributes for element to pass along attributes for the user of a device received
the user of a device received during RADIUS authentication to a during RADIUS authentication to a DHCP server.
DHCP server.
1. Introduction and Background 1. Introduction and Background
The RADIUS Attributes sub-option for the DHCP Relay Agent option The RADIUS Attributes sub-option for the DHCP Relay Agent option
provides a way in which a NAS can pass attributes obtained from a provides a way in which a NAS can pass attributes obtained from a
RADIUS server to a DHCP server [1]. IEEE 802.1X [2] is an example RADIUS server to a DHCP server [1]. IEEE 802.1X [2] is an example of
of a mechanism through which a NAS such as a switch or a wireless a mechanism through which a NAS such as a switch or a wireless LAN
LAN access point can authenticate the identity of the user of a access point can authenticate the identity of the user of a device
device before providing layer 2 network access using RADIUS as the before providing layer 2 network access using RADIUS as the
Authentication Service specified in RFC3580 [10]. In 802.1X Authentication Service specified in RFC3580 [10]. In IEEE 802.1X
authenticated access, a device must first exchange some authenticated access, a device must first exchange some
authentication credentials with the NAS. The NAS then supplies authentication credentials with the NAS. The NAS then supplies these
these credentials to a RADIUS server, which eventually sends credentials to a RADIUS server, which eventually sends either an
either an Access-Accept or an Access-Reject in response to an Access-Accept or an Access-Reject in response to an Access-Request.
Access-Request. The NAS, based on the reply of the RADIUS server, The NAS, based on the reply of the RADIUS server, then allows or
then allows or denies network access to the requesting device. denies network access to the requesting device.
Figure 1 summarizes the message exchange among the participants in Figure 1 summarizes the message exchange among the participants in
IEEE 802.1X authentication. IEEE 802.1X authentication.
+-----------------+ +-----------------+
|Device requesting| |Device requesting|
| network access | | network access |
+-----------------+ +-----------------+
| ^ | ^
| | | |
(1) Request for access (1) Request for access
| | | |
| (4) Success/Failure | (4) Success/Failure
v | v |
+-----------------+ +-----------------+
| NAS | | NAS |
|(802.1X and DHCP | |(IEEE 802.1X and |
| relay agent} | |DHCP relay agent}|
+-----------------+ +-----------------+
| ^ | ^
| | | |
(2) Request for authentication (2) Request for authentication
| | | |
| (3) Access-Accept/Reject | (3) Access-Accept/Reject
v | v |
+-----------------+ +-----------------+
| RADIUS | | RADIUS |
| Server | | Server |
skipping to change at page 3, line 33 skipping to change at page 3, line 4
| ^ | ^
| | | |
(2) Request for authentication (2) Request for authentication
| | | |
| (3) Access-Accept/Reject | (3) Access-Accept/Reject
v | v |
+-----------------+ +-----------------+
| RADIUS | | RADIUS |
| Server | | Server |
+-----------------+ +-----------------+
Figure 1 Figure 1
In the application described in this document, the access device In the application described in this document, the access device acts
acts as an 802.1X Authenticator and adds DHCP relay agent options as an IEEE 802.1X Authenticator and adds DHCP relay agent options to
to DHCP messages. At the successful conclusion of IEEE 802.1X DHCP messages. At the successful conclusion of IEEE 802.1X
authentication, a RADIUS Access-Accept provides attributes for authentication, a RADIUS Access-Accept provides attributes for
service authorizations to the NAS. The NAS stores these service authorizations to the NAS. The NAS stores these attributes
attributes locally. When the NAS subsequently forwards DHCP locally. When the NAS subsequently forwards DHCP messages from the
messages from the network device, the NAS adds these attributes in network device, the NAS adds these attributes in a RADIUS Attributes
a RADIUS Attributes sub-option. The RADIUS Attributes sub-option sub-option. The RADIUS Attributes sub-option is another suboption of
is another suboption of the Relay Agent Information option [5]. the Relay Agent Information option [5].
This document uses IEEE 802.1X as an example to motivate the use This document uses IEEE 802.1X as an example to motivate the use of
of RADIUS by a NAS. The RADIUS Attributes sub-option described in RADIUS by a NAS. The RADIUS Attributes sub-option described in this
this document is not limited to use in conjunction with IEEE document is not limited to use in conjunction with IEEE 802.1X and
802.1X and can be used to carry RADIUS attributes obtained by the can be used to carry RADIUS attributes obtained by the relay agent
relay agent for any reason. for any reason. That is, the option is not limited to use with IEEE
802.1X, but is constrained by RADIUS semantics (see Section 4).
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
in this document are to be interpreted as described in RFC 2119 document are to be interpreted as described in RFC 2119 [3].
[3].
2.1 DHCP Terminology 2.1 DHCP Terminology
The following terms are used as defined in RFC2131 and RFC3046: The following terms are used as defined in RFC2131 and RFC3046: DHCP
DHCP relay agent, DHCP server, DHCP client. relay agent, DHCP server, DHCP client.
2.2 RADIUS Terminology 2.2 RADIUS Terminology
The following terms are used in conjunction with RADIUS: The following terms are used in conjunction with RADIUS:
RADIUS server: A RADIUS server is responsible for receiving user RADIUS server: A RADIUS server is responsible for receiving user
connection requests, authenticating the user, and then connection requests, authenticating the user, and then returning
returning all configuration information necessary for the all configuration information necessary for the client to deliver
client to deliver service to the user. service to the user.
Attribute: A Type-Length-Value tuple encapsulating data elements Attribute: A Type-Length-Value tuple encapsulating data elements as
as defined in RFC 2865 [4]. defined in RFC 2865 [4].
NAS: A Network Access Server (NAS) provides access to the network NAS: A Network Access Server (NAS) provides access to the network
and operates as a client of RADIUS. The client is responsible and operates as a client of RADIUS. The client is responsible for
for passing user information to designated RADIUS servers, and passing user information to designated RADIUS servers, and then
then acting on the response which is returned. Unlike a acting on the response which is returned. Unlike a traditional
traditional dial NAS, the NAS considered here may not have a dial NAS, the NAS considered here may not have a protocol like PPP
protocol like PPP through which it can pass configuration through which it can pass configuration information from the
information from the RADIUS attributes to the client RADIUS attributes to the client
2.3 802.1X Terminology 2.3 IEEE 802.1X Terminology
The following terms are used as defined in the IEEE 802.1X The following terms are used as defined in the IEEE 802.1X protocol:
protocol: Authenticator, Supplicant. Authenticator, Supplicant.
3. RADIUS Attributes sub-option format 3. RADIUS Attributes sub-option format
The RADIUS Attributes Sub-option is a new sub-option for the DHCP The RADIUS Attributes Sub-option is a new sub-option for the DHCP
Relay Agent option. Relay Agent option.
The format of the RADIUS Attributes sub-option is: The format of the RADIUS Attributes sub-option is:
SubOpt Len RADIUS attributes SubOpt Len RADIUS attributes
code code
+-------+-----+------+------+------+------+--...-+------+ +-------+-----+------+------+------+------+--...-+------+
| TBD | N | o1 | o2 | o3 | o4 | | oN | | TBD | N | o1 | o2 | o3 | o4 | | oN |
+-------+-----+------+------+------+------+--...-+------+ +-------+-----+------+------+------+------+--...-+------+
The RADIUS attributes are encoded according to the encoding rules The RADIUS attributes are encoded according to the encoding rules in
in RFC 2865, in octets b1...bN. RFC 2865, in octets o1...oN.
The NAS truncates the RADIUS attributes to fit in the RADIUS The NAS truncates the RADIUS attributes to fit in the RADIUS
Attributes sub-option. For predictable behavior, the RADIUS Attributes sub-option. For predictable behavior, the RADIUS server
server should be configured to return few than 255 octets of should be configured to return fewer than 255 octets of RADIUS
RADIUS attributes. attributes.
4. RADIUS Server Behavior 4. RADIUS Server Behavior
The RADIUS server that implements this specification MUST be The RADIUS server that implements this specification MUST be
configured to return the User-Name and Class attributes to the configured to return the User-Name and Class attributes to the NAS,
NAS, and MAY return other attributes. and MAY return other attributes.
To avoid dependencies between the address allocation and other To avoid dependencies between the address allocation and other state
state information between the RADIUS server and the DHCP server, information between the RADIUS server and the DHCP server, only the
only the attributes in the table below SHOULD be included in this attributes in the table below SHOULD be included in this sub-option.
sub-option. Because RADIUS servers rely on the directive in Because RADIUS servers rely on the directive in section 1.1 or RFC
section 1.1 or RFC 2865 that "A NAS MUST treat a RADIUS 2865 that "A NAS MUST treat a RADIUS access-accept authorizing an
access-accept authorizing an unavailable service as an unavailable service as an access-reject instead.", a RADIUS server
access-reject instead.", a RADIUS server SHOULD send only those SHOULD send only those attributes for which the relay agent can
attributes for which the relay agent can ensure that either the ensure that either the relay agent or the DHCP server will provide
relay agent or the DHCP server will provide the associated the associated service. The following table, based on the analysis
service. The following table, based on the analysis in RFC 3580 in RFC 3580 [10], lists attributes that MAY be included:
[10], lists attributes that MAY be included:
# Attribute # Attribute
--- --------- --- ---------
1 User-Name (RFC 2865 [3]) 1 User-Name (RFC 2865 [3])
4 NAS-IP-Address (RFC 2865)
6 Service-Type (RFC 2865) 6 Service-Type (RFC 2865)
25 Class (RFC 2865) 25 Class (RFC 2865)
26 Vendor-Specific (RFC 2865) 26 Vendor-Specific (RFC 2865)
27 Session-Timeout (RFC 2865) 27 Session-Timeout (RFC 2865)
30 Called-Station-Id (RFC 2865)
31 Calling-Station-Id (RFC 2865)
32 NAS-Identifier (RFC 2865)
44 Acct-Session-Id (RFC 2866 [5])
50 Acct-Multi-Session-Id (RFC 2866)
87 NAS-Port-Id (RFC 2869 [6])
88 Framed-Pool (RFC 2869) 88 Framed-Pool (RFC 2869)
100 Framed-IPv6-Pool (RFC 3162 [8]) 100 Framed-IPv6-Pool (RFC 3162 [8])
5. DHCP Relay Agent Behavior 5. DHCP Relay Agent Behavior
When the DHCP relay agent receives a DHCP message from the client, When the DHCP relay agent receives a DHCP message from the client, it
it MAY append a DHCP Relay Agent Information option containing the MAY append a DHCP Relay Agent Information option containing the
RADIUS Attributes sub-option, along with any other sub-options it RADIUS Attributes sub-option, along with any other sub-options it is
is configured to supply. The RADIUS Attributes sub-option MUST configured to supply. The RADIUS Attributes sub-option MUST only
only contain the attributes provided in the RADIUS Access/Accept contain the attributes provided in the RADIUS Access/Accept message.
message. The DHCP relay agent MUST NOT add more than one RADIUS The DHCP relay agent MUST NOT add more than one RADIUS Attributes
Attributes sub-option in a message. sub-option in a message.
The relay agent SHOULD include the User-Name and Class attributes The relay agent SHOULD include the User-Name and Class attributes in
in the RADIUS Attributes sub-option if available, and MAY include the RADIUS Attributes sub-option if available, and MAY include other
other attributes. attributes.
6. DHCP Server Behavior 6. DHCP Server Behavior
When the DHCP server receives a message from a relay agent When the DHCP server receives a message from a relay agent containing
containing a RADIUS Attributes sub-option, it extracts the a RADIUS Attributes sub-option, it extracts the contents of the
contents of the sub-option and uses that information in selecting sub-option and uses that information in selecting configuration
configuration parameters for the client. If the relay agent parameters for the client. If the relay agent forwards RADIUS
forwards RADIUS attributes not included in the table in Section 4, attributes not included in the table in Section 4, the DHCP server
the DHCP server SHOULD ignore them. If the DHCP server uses SHOULD ignore them. If the DHCP server uses attributes not specified
attributes not specified here, it might result in side effects not here, it might result in side effects not anticipated in the existing
anticipated in the existing RADIUS specifications. RADIUS specifications.
7. DHCP Client Behavior 7. DHCP Client Behavior
Relay agent options are exchanged only between relay agents and Relay agent options are exchanged only between relay agents and DHCP
DHCP server, so DHCP clients are never aware of their use. server, so DHCP clients are never aware of their use.
8. Security Considerations 8. Security Considerations
Message authentication in DHCP for intradomain use where the Message authentication in DHCP for intradomain use where the
out-of-band exchange of a shared secret is feasible is defined in out-of-band exchange of a shared secret is feasible is defined in RFC
RFC 3118 [8]. Potential exposures to attack are discussed in 3118 [8]. Potential exposures to attack are discussed in section 7
section 7 of the DHCP protocol specification in RFC 2131. of the DHCP protocol specification in RFC 2131 [1].
The DHCP Relay Agent option depends on a trusted relationship The DHCP Relay Agent option depends on a trusted relationship between
between the DHCP relay agent and the server, as described in the DHCP relay agent and the server, as described in section 5 of RFC
section 5 of RFC 3046. While the introduction of fraudulent 3046 [5]. While the introduction of fraudulent relay-agent options
relay-agent options can be prevented by a perimeter defense that can be prevented by a perimeter defense that blocks these options
blocks these options unless the relay agent is trusted, a deeper unless the relay agent is trusted, a deeper defense using the
defense using the authentication option for relay agent options authentication option for relay agent options [11] or IPsec [12]
[11] or IPsec [12] SHOULD be deployed as well. SHOULD be deployed as well.
9. IANA Considerations 9. IANA Considerations
IANA has assigned the value of TBD for the DHCP Relay Agent IANA has assigned the value of TBD for the DHCP Relay Agent
Information option sub-option code for this sub-option. This Information option sub-option code for this sub-option. This
document does not define any new namespaces or other constants for document does not define any new namespaces or other constants for
which IANA must maintain a registry. which IANA must maintain a registry.
10. Acknowledgments 10. Acknowledgments
Bernard Aboba's expert advice on avoiding RADIUS entanglements is Bernard Aboba's expert advice on avoiding RADIUS entanglements is
gratefully acknowledged. gratefully acknowledged.
Normative References Normative References
[1] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, [1] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
March 1997. March 1997.
[2] Institute of Electrical and Electronics Engineers, "Local and [2] Institute of Electrical and Electronics Engineers, "Local and
Metropolitan Area Networks: Port based Network Access Metropolitan Area Networks: Port based Network Access Control",
Control", IEEE Standard 802.1X, March 2001. IEEE Standard 802.1X, March 2001.
[3] Bradner, S., "Key words for use in RFCs to Indicate [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Requirement Levels", BCP 14, RFC 2119, March 1997. Levels", BCP 14, RFC 2119, March 1997.
[4] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote [4] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote
Authentication Dial In User Service (RADIUS)", RFC 2865, June Authentication Dial In User Service (RADIUS)", RFC 2865, June
2000. 2000.
[5] Patrick, M., "DHCP Relay Agent Information Option", RFC 3046, [5] Patrick, M., "DHCP Relay Agent Information Option", RFC 3046,
January 2001. January 2001.
Informative References Informative References
[6] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. [6] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[7] Rigney, C., Willats, W. and P. Calhoun, "RADIUS Extensions", [7] Rigney, C., Willats, W. and P. Calhoun, "RADIUS Extensions",
RFC 2869, June 2000. RFC 2869, June 2000.
[8] Droms, R. and W. Arbaugh, "Authentication for DHCP [8] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
Messages", RFC 3118, June 2001. RFC 3118, June 2001.
[9] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IPv6", RFC [9] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IPv6", RFC 3162,
3162, August 2001. August 2001.
[10] Congdon, P., Aboba, B., Smith, A., Zorn, G. and J. Roese, [10] Congdon, P., Aboba, B., Smith, A., Zorn, G. and J. Roese, "IEEE
"IEEE 802.1X Remote Authentication Dial In User Service 802.1X Remote Authentication Dial In User Service (RADIUS)
(RADIUS) Usage Guidelines", RFC 3580, September 2003. Usage Guidelines", RFC 3580, September 2003.
[11] Stapp, M. and T. Lemon, "The Authentication Suboption for [11] Stapp, M. and T. Lemon, "The Authentication Suboption for the
the DHCP Relay Agent Option", DHCP Relay Agent Option", draft-ietf-dhc-auth-suboption-02
draft-ietf-dhc-auth-suboption-02 (work in progress), October (work in progress), October 2003.
2003.
[12] Droms, R., "Authentication of DHCP Relay Agent Options Using [12] Droms, R., "Authentication of DHCP Relay Agent Options Using
IPsec", draft-ietf-dhc-relay-agent-ipsec-00 (work in IPsec", draft-ietf-dhc-relay-agent-ipsec-00 (work in progress),
progress), September 2003. September 2003.
Authors' Addresses Authors' Addresses
Ralph Droms Ralph Droms
Cisco Systems Cisco Systems
1414 Massachusetts Avenue 1414 Massachusetts Avenue
Boxborough, MA 01719 Boxborough, MA 01719
USA USA
EMail: rdroms@cisco.com EMail: rdroms@cisco.com
skipping to change at page 9, line 8 skipping to change at page 8, line 8
Cisco Systems Cisco Systems
9123 Loughran Road 9123 Loughran Road
Fort Washington, MD 20744 Fort Washington, MD 20744
USA USA
EMail: jschnizl@cisco.com EMail: jschnizl@cisco.com
Intellectual Property Statement Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed Intellectual Property Rights or other rights that might be claimed to
to pertain to the implementation or use of the technology pertain to the implementation or use of the technology described in
described in this document or the extent to which any license this document or the extent to which any license under such rights
under such rights might or might not be available; nor does it might or might not be available; nor does it represent that it has
represent that it has made any independent effort to identify any made any independent effort to identify any such rights. Information
such rights. Information on the IETF's procedures with respect to on the IETF's procedures with respect to rights in IETF Documents can
rights in IETF Documents can be found in BCP 78 and BCP 79. be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use attempt made to obtain a general license or permission for the use of
of such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository specification can be obtained from the IETF on-line IPR repository at
at http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention The IETF invites any interested party to bring to its attention any
any copyrights, patents or patent applications, or other copyrights, patents or patent applications, or other proprietary
proprietary rights that may cover technology that may be required rights that may cover technology that may be required to implement
to implement this standard. Please address the information to the this standard. Please address the information to the IETF at
IETF at ietf-ipr@ietf.org. ietf-ipr@ietf.org.
The IETF has been notified of intellectual property rights claimed The IETF has been notified of intellectual property rights claimed in
in regard to some or all of the specification contained in this regard to some or all of the specification contained in this
document. For more information consult the online list of claimed document. For more information consult the online list of claimed
rights. rights.
Disclaimer of Validity Disclaimer of Validity
This document and the information contained herein are provided on This document and the information contained herein are provided on an
an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2004). This document is Copyright (C) The Internet Society (2004). This document is subject
subject to the rights, licenses and restrictions contained in BCP to the rights, licenses and restrictions contained in BCP 78, and
78, and except as set forth therein, the authors retain all their except as set forth therein, the authors retain all their rights.
rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/