Side-by-side diff of draft-ietf-dime-rfc4005bis-01.txt and draft-ietf-dime-rfc4005bis-02.txt (the text below follows the -02 revision; where the two revisions carry different dates, both are given)

Network Working Group                                            G. Zorn
Internet-Draft                                               Network Zen
Obsoletes: 4005 (if approved)      October 15, 2010 (-01) / November 16, 2010 (-02)
Intended status: Standards Track
Expires: April 18, 2011 (-01) / May 20, 2011 (-02)

                Diameter Network Access Server Application
                      draft-ietf-dime-rfc4005bis-02
Abstract

This document describes the Diameter protocol application used for
Authentication, Authorization, and Accounting (AAA) services in the
Network Access Server (NAS) environment. When combined with the
Diameter Base protocol, Transport Profile, and Extensible
Authentication Protocol specifications, this application
specification satisfies typical network access services requirements.
skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 18, 2011 (-01) / May 20, 2011 (-02).
Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
skipping to change at page 2, line 32
     3.5.  Session-Termination-Request (STR) Command . . . . . . . . 15
     3.6.  Session-Termination-Answer (STA) Command . . . . . . . . . 16
     3.7.  Abort-Session-Request (ASR) Command . . . . . . . . . . . 17
     3.8.  Abort-Session-Answer (ASA) Command . . . . . . . . . . . . 18
     3.9.  Accounting-Request (ACR) Command . . . . . . . . . . . . . 19
     3.10. Accounting-Answer (ACA) Command . . . . . . . . . . . . . 21
   4.  Diameter NAS Application AVPs . . . . . . . . . . . . . . . . 22
     4.1.  Derived AVP Data Formats . . . . . . . . . . . . . . . . . 22
       4.1.1.  QoSFilterRule . . . . . . . . . . . . . . . . . . . . 22
     4.2.  NAS Session AVPs . . . . . . . . . . . . . . . . . . . . . 23
       4.2.1.  Call and Session Information . . . . . . . . . . . . . 23
       4.2.2.  NAS-Port AVP . . . . . . . . . . . . . . . . . . . . . 24
       4.2.3.  NAS-Port-Id AVP . . . . . . . . . . . . . . . . . . . 24
       4.2.4.  NAS-Port-Type AVP . . . . . . . . . . . . . . . . . . 25
       4.2.5.  Called-Station-Id AVP . . . . . . . . . . . . . . . . 25
       4.2.6.  Calling-Station-Id AVP . . . . . . . . . . . . . . . . 25
       4.2.7.  Connect-Info AVP . . . . . . . . . . . . . . . . . . . 26
       4.2.8.  Originating-Line-Info AVP . . . . . . . . . . . . . . 26
       4.2.9.  Reply-Message AVP . . . . . . . . . . . . . . . . . . 27
     4.3.  NAS Authentication AVPs . . . . . . . . . . . . . . . . . 27
       4.3.1.  User-Password AVP . . . . . . . . . . . . . . . . . . 28
       4.3.2.  Password-Retry AVP . . . . . . . . . . . . . . . . . . 28
       4.3.3.  Prompt AVP . . . . . . . . . . . . . . . . . . . . . . 28
       4.3.4.  CHAP-Auth AVP . . . . . . . . . . . . . . . . . . . . 28
       4.3.5.  CHAP-Algorithm AVP . . . . . . . . . . . . . . . . . . 29
       4.3.6.  CHAP-Ident AVP . . . . . . . . . . . . . . . . . . . . 29
       4.3.7.  CHAP-Response AVP . . . . . . . . . . . . . . . . . . 29
       4.3.8.  CHAP-Challenge AVP . . . . . . . . . . . . . . . . . . 29
       4.3.9.  ARAP-Password AVP . . . . . . . . . . . . . . . . . . 29
       4.3.10. ARAP-Challenge-Response AVP . . . . . . . . . . . . . 29
       4.3.11. ARAP-Security AVP . . . . . . . . . . . . . . . . . . 30
       4.3.12. ARAP-Security-Data AVP . . . . . . . . . . . . . . . . 30
     4.4.  NAS Authorization AVPs . . . . . . . . . . . . . . . . . . 30
       4.4.1.  Service-Type AVP . . . . . . . . . . . . . . . . . . . 31
       4.4.2.  Callback-Number AVP . . . . . . . . . . . . . . . . . 32
       4.4.3.  Callback-Id AVP . . . . . . . . . . . . . . . . . . . 33
       4.4.4.  Idle-Timeout AVP . . . . . . . . . . . . . . . . . . . 33
       4.4.5.  Port-Limit AVP . . . . . . . . . . . . . . . . . . . . 33
       4.4.6.  NAS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 33
       4.4.7.  Filter-Id AVP . . . . . . . . . . . . . . . . . . . . 33
       4.4.8.  Configuration-Token AVP . . . . . . . . . . . . . . . 34
       4.4.9.  QoS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 34
       4.4.10. Framed Access Authorization AVPs . . . . . . . . . . . 34
         4.4.10.1.  Framed-Protocol AVP . . . . . . . . . . . . . . . 35
         4.4.10.2.  Framed-Routing AVP . . . . . . . . . . . . . . . 35
         4.4.10.3.  Framed-MTU AVP . . . . . . . . . . . . . . . . . 35
         4.4.10.4.  Framed-Compression AVP . . . . . . . . . . . . . 35
         4.4.10.5.  IP Access Authorization AVPs . . . . . . . . . . 35
           4.4.10.5.1.  Framed-IP-Address AVP . . . . . . . . . . . . 35
           4.4.10.5.2.  Framed-IP-Netmask AVP . . . . . . . . . . . . 36
           4.4.10.5.3.  Framed-Route AVP . . . . . . . . . . . . . . 36
           4.4.10.5.4.  Framed-Pool AVP . . . . . . . . . . . . . . . 36
           4.4.10.5.5.  Framed-Interface-Id AVP . . . . . . . . . . . 37
           4.4.10.5.6.  Framed-IPv6-Prefix AVP . . . . . . . . . . . 37
           4.4.10.5.7.  Framed-IPv6-Route AVP . . . . . . . . . . . . 37
           4.4.10.5.8.  Framed-IPv6-Pool AVP . . . . . . . . . . . . 38
         4.4.10.6.  IPX Access AVPs . . . . . . . . . . . . . . . . . 38
           4.4.10.6.1.  Framed-IPX-Network AVP . . . . . . . . . . . 38
         4.4.10.7.  AppleTalk Network Access AVPs . . . . . . . . . . 38
           4.4.10.7.1.  Framed-AppleTalk-Link AVP . . . . . . . . . . 38
           4.4.10.7.2.  Framed-AppleTalk-Network AVP . . . . . . . . 39
           4.4.10.7.3.  Framed-AppleTalk-Zone AVP . . . . . . . . . . 39
         4.4.10.8.  AppleTalk Remote Access AVPs . . . . . . . . . . 39
           4.4.10.8.1.  ARAP-Features AVP . . . . . . . . . . . . . . 39
           4.4.10.8.2.  ARAP-Zone-Access AVP . . . . . . . . . . . . 39
       4.4.11. Non-Framed Access Authorization AVPs . . . . . . . . . 40
         4.4.11.1.  Login-IP-Host AVP . . . . . . . . . . . . . . . . 40
         4.4.11.2.  Login-IPv6-Host AVP . . . . . . . . . . . . . . . 40
         4.4.11.3.  Login-Service AVP . . . . . . . . . . . . . . . . 40
         4.4.11.4.  TCP Services . . . . . . . . . . . . . . . . . . 40
           4.4.11.4.1.  Login-TCP-Port AVP . . . . . . . . . . . . . 41
         4.4.11.5.  LAT Services . . . . . . . . . . . . . . . . . . 41
           4.4.11.5.1.  Login-LAT-Service AVP . . . . . . . . . . . . 41
           4.4.11.5.2.  Login-LAT-Node AVP . . . . . . . . . . . . . 41
           4.4.11.5.3.  Login-LAT-Group AVP . . . . . . . . . . . . . 42
           4.4.11.5.4.  Login-LAT-Port AVP . . . . . . . . . . . . . 42
     4.5.  NAS Tunneling AVPs . . . . . . . . . . . . . . . . . . . . 43
       4.5.1.  Tunneling AVP . . . . . . . . . . . . . . . . . . . . 43
       4.5.2.  Tunnel-Type AVP . . . . . . . . . . . . . . . . . . . 44
       4.5.3.  Tunnel-Medium-Type AVP . . . . . . . . . . . . . . . . 44
       4.5.4.  Tunnel-Client-Endpoint AVP . . . . . . . . . . . . . . 44
       4.5.5.  Tunnel-Server-Endpoint AVP . . . . . . . . . . . . . . 45
       4.5.6.  Tunnel-Password AVP . . . . . . . . . . . . . . . . . 46
       4.5.7.  Tunnel-Private-Group-Id AVP . . . . . . . . . . . . . 46
       4.5.8.  Tunnel-Assignment-Id AVP . . . . . . . . . . . . . . . 46
       4.5.9.  Tunnel-Preference AVP . . . . . . . . . . . . . . . . 48
       4.5.10. Tunnel-Client-Auth-Id AVP . . . . . . . . . . . . . . 48
       4.5.11. Tunnel-Server-Auth-Id AVP . . . . . . . . . . . . . . 48
     4.6.  NAS Accounting AVPs . . . . . . . . . . . . . . . . . . . 49
       4.6.1.  Accounting-Input-Octets AVP . . . . . . . . . . . . . 50
       4.6.2.  Accounting-Output-Octets AVP . . . . . . . . . . . . . 50
       4.6.3.  Accounting-Input-Packets AVP . . . . . . . . . . . . . 50
       4.6.4.  Accounting-Output-Packets AVP . . . . . . . . . . . . 50
       4.6.5.  Acct-Session-Time AVP . . . . . . . . . . . . . . . . 50
       4.6.6.  Acct-Authentic AVP . . . . . . . . . . . . . . . . . . 51
       4.6.7.  Accounting-Auth-Method AVP . . . . . . . . . . . . . . 51
       4.6.8.  Acct-Delay-Time AVP . . . . . . . . . . . . . . . . . 51
       4.6.9.  Acct-Link-Count AVP . . . . . . . . . . . . . . . . . 51
       4.6.10. Acct-Tunnel-Connection AVP . . . . . . . . . . . . . . 52
       4.6.11. Acct-Tunnel-Packets-Lost AVP . . . . . . . . . . . . . 52
   5.  AVP Occurrence Tables . . . . . . . . . . . . . . . . . . . . 52
     5.1.  AA-Request/Answer AVP Table . . . . . . . . . . . . . . . 53
     5.2.  Accounting AVP Tables . . . . . . . . . . . . . . . . . . 55
       5.2.1.  Framed Access Accounting AVP Table . . . . . . . . . . 56
       5.2.2.  Non-Framed Access Accounting AVP Table . . . . . . . . 58
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59
     6.1.  Command Codes . . . . . . . . . . . . . . . . . . . . . . 59
     6.2.  AVP Codes . . . . . . . . . . . . . . . . . . . . . . . . 60
     6.3.  Application Identifier . . . . . . . . . . . . . . . . . . 60
     6.4.  CHAP-Algorithm AVP Values . . . . . . . . . . . . . . . . 60
     6.5.  Accounting-Auth-Method AVP Values . . . . . . . . . . . . 60
   7.  Security Considerations . . . . . . . . . . . . . . . . . . . 60
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 61
     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 61
     8.2.  Informative References . . . . . . . . . . . . . . . . . . 62
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . . 64
     A.1.  RFC 4005 . . . . . . . . . . . . . . . . . . . . . . . . . 64
     A.2.  RFC 4005bis . . . . . . . . . . . . . . . . . . . . . . . 65
1.  Introduction

This document describes the Diameter protocol application used for
AAA in the Network Access Server (NAS) environment. When combined
with the Diameter Base protocol [I-D.ietf-dime-rfc3588bis], Transport
Profile [RFC3539], and EAP [RFC4072] specifications, this
specification satisfies the NAS-related requirements defined in
[RFC2989] and [RFC3169].

First, this document describes the operation of a Diameter NAS
application. Then it defines the Diameter message Command-Codes.
The following sections list the AVPs used in these messages, grouped
by common usage. These are session identification, authentication,
authorization, tunneling, and accounting. The authorization AVPs are
further broken down by service type.
1.1.  Terminology

skipping to change at page 6, line 45
authentication information are packaged into a Diameter AA-Request
(AAR) message and sent to a server.

The server processes the information and responds with a Diameter AA-
Answer (AAA) message that contains authorization information for the
NAS, or a failure code (Result-Code AVP). A value of
DIAMETER_MULTI_ROUND_AUTH indicates an additional authentication
exchange, and several AAR and AAA messages may be exchanged until the
transaction completes.

Depending on the value of the Auth-Request-Type AVP, the Diameter
protocol allows authorization-only requests that contain no
authentication information from the client. This capability goes
beyond the Call Check capabilities provided by RADIUS (Section 5.6 of
[RFC2865]) in that no access decision is requested. As a result,
service cannot be started as a result of a response to an
authorization-only request without introducing a significant security
vulnerability.
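The NAS-side handling of the AAR/AAA loop described above, as an added example that is not part of the draft: the loop continues while the server answers DIAMETER_MULTI_ROUND_AUTH (prompting the user with Reply-Message), and an answer to an authorization-only request is never allowed to start service. The in-memory server, the session identifier, the one-time passcode and the filter rule are all constructed for the demonstration; the Auth-Request-Type and Result-Code values are the base-protocol ones.

```go
package main

import "fmt"

// Auth-Request-Type AVP values from the Diameter base protocol.
const (
	AuthenticateOnly      uint32 = 1
	AuthorizeOnly         uint32 = 2
	AuthorizeAuthenticate uint32 = 3 // recommended for most situations
)

// Result-Code AVP values the NAS has to recognise in an AA-Answer.
const (
	DiameterMultiRoundAuth uint32 = 1001
	DiameterSuccess        uint32 = 2001
)

// AARequest is the subset of an AA-Request (Command-Code 265) modelled here.
type AARequest struct {
	SessionID       string
	AuthRequestType uint32
	UserName        string
	UserPassword    string // empty on an authorization-only request
}

// AAAnswer is the subset of an AA-Answer the NAS inspects.
type AAAnswer struct {
	ResultCode   uint32
	ReplyMessage string   // text to show the user, if any
	FilterRules  []string // authorization data returned by the server
}

// Decision is what the NAS does with the user's session after an answer.
type Decision int

const (
	DecisionDeny           Decision = iota
	DecisionPromptUser              // another AAR round is needed
	DecisionStartService            // authenticated and authorized
	DecisionAuthorizedOnly          // authorization data only; service is NOT started
)

// decideOnAnswer maps one AA-Answer to a NAS decision. The key rule is
// the one from the text: a response to an authorization-only request
// carries no authentication, so it must never start service.
func decideOnAnswer(reqType uint32, aaa AAAnswer) (Decision, string) {
	switch aaa.ResultCode {
	case DiameterMultiRoundAuth:
		return DecisionPromptUser, aaa.ReplyMessage
	case DiameterSuccess:
		if reqType == AuthorizeOnly {
			return DecisionAuthorizedOnly, ""
		}
		return DecisionStartService, ""
	default:
		return DecisionDeny, aaa.ReplyMessage
	}
}

// demoServer is a constructed stand-in for a Diameter server: it answers
// authorization-only requests at once and otherwise challenges once for
// a one-time passcode before accepting the constructed value "otp-1234".
func demoServer(aar AARequest, round int) AAAnswer {
	rules := []string{"permit in ip from any to any"} // constructed NAS-Filter-Rule
	if aar.AuthRequestType == AuthorizeOnly {
		return AAAnswer{ResultCode: DiameterSuccess, FilterRules: rules}
	}
	if round == 1 {
		return AAAnswer{ResultCode: DiameterMultiRoundAuth, ReplyMessage: "Enter one-time passcode:"}
	}
	if aar.UserPassword == "otp-1234" {
		return AAAnswer{ResultCode: DiameterSuccess, FilterRules: rules}
	}
	return AAAnswer{ResultCode: 4001, ReplyMessage: "authentication failed"} // DIAMETER_AUTHENTICATION_REJECTED
}

// runExchange drives the AAR/AAA loop from the NAS side until the
// transaction completes, bounding the number of rounds so a misbehaving
// server cannot keep the NAS prompting forever. It returns the final
// decision and the number of rounds used.
func runExchange(reqType uint32, user string, userInput func(prompt string) string,
	server func(AARequest, int) AAAnswer) (Decision, int) {
	const maxRounds = 3
	aar := AARequest{SessionID: "nas1.example.com;1;1", AuthRequestType: reqType, UserName: user}
	for round := 1; round <= maxRounds; round++ {
		d, text := decideOnAnswer(reqType, server(aar, round))
		if d != DecisionPromptUser {
			return d, round
		}
		aar.UserPassword = userInput(text) // the next AAR carries the user's reply
	}
	return DecisionDeny, maxRounds
}

func main() {
	answer := func(prompt string) string { return "otp-1234" }
	d, rounds := runExchange(AuthorizeAuthenticate, "alice", answer, demoServer)
	fmt.Printf("AUTHORIZE_AUTHENTICATE: decision=%d after %d rounds\n", d, rounds)
	d, rounds = runExchange(AuthorizeOnly, "alice", answer, demoServer)
	fmt.Printf("AUTHORIZE_ONLY: decision=%d after %d rounds (service not started)\n", d, rounds)
}
```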
2.1.  Diameter Session Establishment

skipping to change at page 8, line 11
If accounting is active, every change of authentication or
authorization SHOULD generate an accounting message. If the NAS
service is a continuation of the prior user context, then an
Accounting-Record-Type of INTERIM_RECORD indicating the new session
attributes and cumulative status would be appropriate. If a new user
or a significant change in authorization is detected by the NAS, then
the service may send two messages of the types STOP_RECORD and
START_RECORD. Accounting may change the subsession identifiers
(Acct-Session-ID, or Acct-Sub-Session-Id) to indicate such sub-
sessions. A service may also use a different Session-Id value for
accounting (see Section 9.6 of [I-D.ietf-dime-rfc3588bis]).

However, the Diameter Session-ID AVP value used for the initial
authorization exchange MUST be used to generate an STR message when
the session context is terminated.
2.3.  Diameter Session Termination

When a NAS receives an indication that a user's session is being
disconnected by the client (e.g., LCP Terminate is received) or an
administrative command, the NAS MUST issue a Session-Termination-

skipping to change at page 9, line 26
   | Accounting-Request                | ACR     | 271  | Section 3.9  |
   | Accounting-Answer                 | ACA     | 271  | Section 3.10 |
   +-----------------------------------+---------+------+--------------+
3.1.  AA-Request (AAR) Command

The AA-Request (AAR), which is indicated by setting the Command-Code
field to 265 and the 'R' bit in the Command Flags field, is used to
request authentication and/or authorization for a given NAS user.
The type of request is identified through the Auth-Request-Type AVP
[I-D.ietf-dime-rfc3588bis]. The recommended value for most situations
is AUTHORIZE_AUTHENTICATE.

If Authentication is requested, the User-Name attribute SHOULD be
present, as well as any additional authentication AVPs that would
carry the password information. A request for authorization SHOULD
only include the information from which the authorization will be
performed, such as the User-Name, Called-Station-Id, or Calling-
Station-Id AVPs. All requests SHOULD contain AVPs uniquely
identifying the source of the call, such as Origin-Host and NAS-Port.
Certain networks MAY use different AVPs for authorization purposes.
A request for authorization will include some AVPs defined in
skipping to change at page 23, line 46

   src and dst   The format is as described under IPFilterRule
                 [I-D.ietf-dime-rfc3588bis]

The options are described in Section 4.4.9.

The rule syntax is a modified subset of ipfw(8) from FreeBSD, and the
ipfw.c code may provide a useful base for implementations.
4.2.  NAS Session AVPs

Diameter reserves the AVP Codes 0 - 255 for RADIUS Attributes that
are implemented in Diameter.
AVPs new to Diameter have code values of 256 and greater. A Diameter
message that includes one of these AVPs may represent functions not
present in the RADIUS environment and may cause interoperability
issues, should the request traverse an AAA system that only supports
the RADIUS protocol.
4.2.1.  Call and Session Information

This section describes the AVPs specific to Diameter applications
that are needed to identify the call and session context and status
information. On a request, this information allows the server to
qualify the session.

These AVPs are used in addition to the following AVPs from the base
protocol specification [I-D.ietf-dime-rfc3588bis]:

   Session-Id
   Auth-Application-Id
   Origin-Host
skipping to change at page 27, line 25

The Reply-Message AVP MAY contain text to prompt the user before
another AA-Request attempt. When used in an AA-Answer message
containing a Result-Code AVP with the value DIAMETER_MULTI_ROUND_AUTH
or in a Re-Auth-Request message, it MAY contain text to prompt the
user for a response.
4.3.  NAS Authentication AVPs

This section defines the AVPs necessary to carry the authentication
information in the Diameter protocol. The functionality defined here
provides a RADIUS-like AAA service [RFC2865] over a more reliable and
secure transport, as defined in the base protocol
[I-D.ietf-dime-rfc3588bis].

The following table gives the possible flag values for the session
level AVPs and specifies whether the AVP MAY be encrypted.

                                         +---------------------+
                                         |    AVP Flag rules   |
                                         |----+-----+----+-----|----+
                                         |    |     |SHLD| MUST|    |
   Attribute Name      Section Defined   |MUST| MAY | NOT| NOT|Encr|
skipping to change at page 29, line 49

only present when the Framed-Protocol AVP (Section 4.4.10.1) is
included in the message and is set to ARAP. This AVP MUST NOT be
present if either the User-Password or the CHAP-Auth AVP is present.
See [RFC2869] for more information on the contents of this AVP.
4.3.10.  ARAP-Challenge-Response AVP

The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString
and is only present when the Framed-Protocol AVP (Section 4.4.10.1)
is included in the message and is set to ARAP. This AVP contains an
8 octet response to the dial-in client's challenge. The Diameter
server calculates this value by taking the dial-in client's challenge
from the high-order 8 octets of the ARAP-Password AVP and performing
DES encryption on this value with the authenticating user's password
as the key. If the user's password is fewer than 8 octets in length,
the password is padded at the end with NULL octets to a length of 8
before it is used as a key.
4.3.11. ARAP-Security AVP 4.3.11. ARAP-Security AVP
The ARAP-Security AVP (AVP Code 73) is of type Unsigned32 and MAY be The ARAP-Security AVP (AVP Code 73) is of type Unsigned32 and MAY be
present in the AA-Answer message if the Framed-Protocol AVP present in the AA-Answer message if the Framed-Protocol AVP
(Section 4.4.10.1) is set to the value of ARAP, and the Result-Code (Section 4.4.10.1) is set to the value of ARAP, and the Result-Code
AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to
DIAMETER_MULTI_ROUND_AUTH. See [RFC2869] for more information on the DIAMETER_MULTI_ROUND_AUTH. See [RFC2869] for more information on the
contents of this AVP. contents of this AVP.
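Review bot: The ARAP-Challenge-Response paragraph now says the Diameter server (not "the RADIUS server") computes the response and the "8before" typo is fixed, but the computation it describes (DES over the client's 8-octet challenge, keyed with the user's password NULL-padded to 8 octets) implies the server must hold the user's cleartext password and that the key strength is bounded by single DES; since that property is inherited from [RFC2869], suggest the Security Considerations reference this section and state that ARAP authentication requires cleartext password storage at the server and offers no better protection than the underlying ARAP mechanism.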
skipping to change at page 35, line 10 skipping to change at page 34, line 10
However, this AVP is not roaming-friendly, as filter naming differs However, this AVP is not roaming-friendly, as filter naming differs
from one service provider to another. from one service provider to another.
In environments where backward compatibility with RADIUS is not In environments where backward compatibility with RADIUS is not
required, it is RECOMMENDED that the NAS-Filter-Rule AVP required, it is RECOMMENDED that the NAS-Filter-Rule AVP
Section 4.4.6 be used instead. Section 4.4.6 be used instead.
4.4.8. Configuration-Token AVP 4.4.8. Configuration-Token AVP
The Configuration-Token AVP (AVP Code 78) is of type OctetString and The Configuration-Token AVP (AVP Code 78) is of type OctetString and
is sent by a Diameter Server to a Diameter Proxy Agent or Translation is sent by a Diameter Server to a Diameter Proxy Agent in an AA-
Agent in an AA-Answer command to indicate a type of user profile to Answer command to indicate a type of user profile to be used. It
be used. It should not be sent to a Diameter Client (NAS). should not be sent to a Diameter Client (NAS).
The format of the Data field of this AVP is site specific. The format of the Data field of this AVP is site specific.
4.4.9. QoS-Filter-Rule AVP 4.4.9. QoS-Filter-Rule AVP
The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule
Section 4.1.1 and provides QoS filter rules that need to be Section 4.1.1 and provides QoS filter rules that need to be
configured on the NAS for the user. One or more such AVPs MAY be configured on the NAS for the user. One or more such AVPs MAY be
present in an authorization response. present in an authorization response.
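Review bot: In the Configuration-Token AVP paragraph, "It should not be sent to a Diameter Client (NAS)" uses a lowercase "should not" while the surrounding text uses RFC 2119 keywords (MAY, RECOMMENDED); if the restriction is normative, write "SHOULD NOT" (or "MUST NOT"), and now that "or Translation Agent" has been dropped from the list of recipients, say what a client or translation agent does if it nevertheless receives the AVP (e.g. ignores it). Minor style point in the same hunk: "NAS-Filter-Rule AVP Section 4.4.6" and "QoSFilterRule Section 4.1.1" should parenthesize the section reference, as "(Section 4.4.10.1)" does elsewhere.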
skipping to change at page 47, line 17 skipping to change at page 46, line 17
If Tunnel-Medium-Type is not IPv4 or IPv6, this string is a tag If Tunnel-Medium-Type is not IPv4 or IPv6, this string is a tag
referring to configuration data local to the Diameter client that referring to configuration data local to the Diameter client that
describes the interface or medium-specific server address to use. describes the interface or medium-specific server address to use.
4.5.6. Tunnel-Password AVP 4.5.6. Tunnel-Password AVP
The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may
contain a password to be used to authenticate to a remote server. contain a password to be used to authenticate to a remote server.
The Tunnel-Password AVP contains sensitive information. This value The Tunnel-Password AVP SHOULD NOT be used in untrusted proxy
is not protected in the same manner as RADIUS [RFC2868]. Diameter environments without encrypting it by using end-to-end security
messages are secured by using IPsec or TLS techniques.
[I-D.ietf-dime-rfc3588bis]. The Tunnel-Password AVP SHOULD NOT be
used in untrusted proxy environments without encrypting it by using
end-to-end security techniques.
4.5.7. Tunnel-Private-Group-Id AVP 4.5.7. Tunnel-Private-Group-Id AVP
The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type OctetString The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type OctetString
and contains the group Id for a particular tunneled session. The and contains the group Id for a particular tunneled session. The
Tunnel-Private-Group-Id AVP MAY be included in an authorization Tunnel-Private-Group-Id AVP MAY be included in an authorization
request if the tunnel initiator can predetermine the group resulting request if the tunnel initiator can predetermine the group resulting
from a particular connection. It SHOULD be included in the from a particular connection. It SHOULD be included in the
authorization response if this tunnel session is to be treated as authorization response if this tunnel session is to be treated as
belonging to a particular private group. Private groups may be used belonging to a particular private group. Private groups may be used
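Review bot: In the Tunnel-Password AVP paragraph, the deleted sentences carried both the rationale ("contains sensitive information", not protected as in RADIUS [RFC2868], Diameter messages secured by IPsec or TLS) and the only citation to [I-D.ietf-dime-rfc3588bis]; the surviving "SHOULD NOT be used in untrusted proxy environments without encrypting it by using end-to-end security" now has no reference for what end-to-end security means in Diameter and no longer explains why transport security is insufficient, namely that IPsec/TLS is hop-by-hop and every intermediate agent sees the cleartext value. Suggest keeping one sentence such as "The Tunnel-Password AVP contains sensitive information; IPsec or TLS protection [I-D.ietf-dime-rfc3588bis] is hop-by-hop only, so intermediate agents can read the value" before the SHOULD NOT.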
 End of changes. 20 change blocks. 
126 lines changed or deleted 117 lines changed or added
