draft-ietf-dime-rfc4005bis-02.txt   draft-ietf-dime-rfc4005bis-03.txt 
Network Working Group G. Zorn Network Working Group G. Zorn
Internet-Draft Network Zen Internet-Draft Network Zen
Obsoletes: 4005 (if approved) November 16, 2010 Obsoletes: 4005 (if approved) January 2, 2011
Intended status: Standards Track Intended status: Standards Track
Expires: May 20, 2011 Expires: July 6, 2011
Diameter Network Access Server Application Diameter Network Access Server Application
draft-ietf-dime-rfc4005bis-02 draft-ietf-dime-rfc4005bis-03
Abstract Abstract
This document describes the Diameter protocol application used for This document describes the Diameter protocol application used for
Authentication, Authorization, and Accounting (AAA) services in the Authentication, Authorization, and Accounting (AAA) services in the
Network Access Server (NAS) environment. When combined with the Network Access Server (NAS) environment. When combined with the
Diameter Base protocol, Transport Profile, and Extensible Diameter Base protocol, Transport Profile, and Extensible
Authentication Protocol specifications, this application Authentication Protocol specifications, this application
specification satisfies typical network access services requirements. specification satisfies typical network access services requirements.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 20, 2011. This Internet-Draft will expire on July 6, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
1.2. Requirements Language . . . . . . . . . . . . . . . . . . 6 1.2. Requirements Language . . . . . . . . . . . . . . . . . . 6
1.3. Advertising Application Support . . . . . . . . . . . . . 6 1.3. Advertising Application Support . . . . . . . . . . . . . 7
2. NAS Calls, Ports, and Sessions . . . . . . . . . . . . . . . . 6 2. NAS Calls, Ports, and Sessions . . . . . . . . . . . . . . . . 7
2.1. Diameter Session Establishment . . . . . . . . . . . . . . 7 2.1. Diameter Session Establishment . . . . . . . . . . . . . . 7
2.2. Diameter Session Reauthentication or Reauthorization . . . 7 2.2. Diameter Session Reauthentication or Reauthorization . . . 8
2.3. Diameter Session Termination . . . . . . . . . . . . . . . 8 2.3. Diameter Session Termination . . . . . . . . . . . . . . . 8
3. Diameter NAS Application Messages . . . . . . . . . . . . . . 8 3. Diameter NAS Application Messages . . . . . . . . . . . . . . 9
3.1. AA-Request (AAR) Command . . . . . . . . . . . . . . . . . 9 3.1. AA-Request (AAR) Command . . . . . . . . . . . . . . . . . 9
3.2. AA-Answer (AAA) Command . . . . . . . . . . . . . . . . . 11 3.2. AA-Answer (AAA) Command . . . . . . . . . . . . . . . . . 11
3.3. Re-Auth-Request (RAR) Command . . . . . . . . . . . . . . 13 3.3. Re-Auth-Request (RAR) Command . . . . . . . . . . . . . . 13
3.4. Re-Auth-Answer (RAA) Command . . . . . . . . . . . . . . . 14 3.4. Re-Auth-Answer (RAA) Command . . . . . . . . . . . . . . . 14
3.5. Session-Termination-Request (STR) Command . . . . . . . . 15 3.5. Session-Termination-Request (STR) Command . . . . . . . . 15
3.6. Session-Termination-Answer (STA) Command . . . . . . . . . 16 3.6. Session-Termination-Answer (STA) Command . . . . . . . . . 16
3.7. Abort-Session-Request (ASR) Command . . . . . . . . . . . 17 3.7. Abort-Session-Request (ASR) Command . . . . . . . . . . . 17
3.8. Abort-Session-Answer (ASA) Command . . . . . . . . . . . . 18 3.8. Abort-Session-Answer (ASA) Command . . . . . . . . . . . . 18
3.9. Accounting-Request (ACR) Command . . . . . . . . . . . . . 19 3.9. Accounting-Request (ACR) Command . . . . . . . . . . . . . 19
3.10. Accounting-Answer (ACA) Command . . . . . . . . . . . . . 21 3.10. Accounting-Answer (ACA) Command . . . . . . . . . . . . . 21
skipping to change at page 2, line 44 skipping to change at page 2, line 44
4.2.3. NAS-Port-Id AVP . . . . . . . . . . . . . . . . . . . 24 4.2.3. NAS-Port-Id AVP . . . . . . . . . . . . . . . . . . . 24
4.2.4. NAS-Port-Type AVP . . . . . . . . . . . . . . . . . . 25 4.2.4. NAS-Port-Type AVP . . . . . . . . . . . . . . . . . . 25
4.2.5. Called-Station-Id AVP . . . . . . . . . . . . . . . . 25 4.2.5. Called-Station-Id AVP . . . . . . . . . . . . . . . . 25
4.2.6. Calling-Station-Id AVP . . . . . . . . . . . . . . . . 25 4.2.6. Calling-Station-Id AVP . . . . . . . . . . . . . . . . 25
4.2.7. Connect-Info AVP . . . . . . . . . . . . . . . . . . . 26 4.2.7. Connect-Info AVP . . . . . . . . . . . . . . . . . . . 26
4.2.8. Originating-Line-Info AVP . . . . . . . . . . . . . . 26 4.2.8. Originating-Line-Info AVP . . . . . . . . . . . . . . 26
4.2.9. Reply-Message AVP . . . . . . . . . . . . . . . . . . 27 4.2.9. Reply-Message AVP . . . . . . . . . . . . . . . . . . 27
4.3. NAS Authentication AVPs . . . . . . . . . . . . . . . . . 27 4.3. NAS Authentication AVPs . . . . . . . . . . . . . . . . . 27
4.3.1. User-Password AVP . . . . . . . . . . . . . . . . . . 28 4.3.1. User-Password AVP . . . . . . . . . . . . . . . . . . 28
4.3.2. Password-Retry AVP . . . . . . . . . . . . . . . . . . 28 4.3.2. Password-Retry AVP . . . . . . . . . . . . . . . . . . 28
4.3.3. Prompt AVP . . . . . . . . . . . . . . . . . . . . . . 28 4.3.3. Prompt AVP . . . . . . . . . . . . . . . . . . . . . . 29
4.3.4. CHAP-Auth AVP . . . . . . . . . . . . . . . . . . . . 28 4.3.4. CHAP-Auth AVP . . . . . . . . . . . . . . . . . . . . 29
4.3.5. CHAP-Algorithm AVP . . . . . . . . . . . . . . . . . . 29 4.3.5. CHAP-Algorithm AVP . . . . . . . . . . . . . . . . . . 29
4.3.6. CHAP-Ident AVP . . . . . . . . . . . . . . . . . . . . 29 4.3.6. CHAP-Ident AVP . . . . . . . . . . . . . . . . . . . . 29
4.3.7. CHAP-Response AVP . . . . . . . . . . . . . . . . . . 29 4.3.7. CHAP-Response AVP . . . . . . . . . . . . . . . . . . 29
4.3.8. CHAP-Challenge AVP . . . . . . . . . . . . . . . . . . 29 4.3.8. CHAP-Challenge AVP . . . . . . . . . . . . . . . . . . 30
4.3.9. ARAP-Password AVP . . . . . . . . . . . . . . . . . . 29 4.3.9. ARAP-Password AVP . . . . . . . . . . . . . . . . . . 30
4.3.10. ARAP-Challenge-Response AVP . . . . . . . . . . . . . 29 4.3.10. ARAP-Challenge-Response AVP . . . . . . . . . . . . . 30
4.3.11. ARAP-Security AVP . . . . . . . . . . . . . . . . . . 30 4.3.11. ARAP-Security AVP . . . . . . . . . . . . . . . . . . 30
4.3.12. ARAP-Security-Data AVP . . . . . . . . . . . . . . . . 30 4.3.12. ARAP-Security-Data AVP . . . . . . . . . . . . . . . . 30
4.4. NAS Authorization AVPs . . . . . . . . . . . . . . . . . . 30 4.4. NAS Authorization AVPs . . . . . . . . . . . . . . . . . . 31
4.4.1. Service-Type AVP . . . . . . . . . . . . . . . . . . . 31 4.4.1. Service-Type AVP . . . . . . . . . . . . . . . . . . . 33
4.4.2. Callback-Number AVP . . . . . . . . . . . . . . . . . 32 4.4.2. Callback-Number AVP . . . . . . . . . . . . . . . . . 33
4.4.3. Callback-Id AVP . . . . . . . . . . . . . . . . . . . 33 4.4.3. Callback-Id AVP . . . . . . . . . . . . . . . . . . . 34
4.4.4. Idle-Timeout AVP . . . . . . . . . . . . . . . . . . . 33 4.4.4. Idle-Timeout AVP . . . . . . . . . . . . . . . . . . . 34
4.4.5. Port-Limit AVP . . . . . . . . . . . . . . . . . . . . 33 4.4.5. Port-Limit AVP . . . . . . . . . . . . . . . . . . . . 34
4.4.6. NAS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 33 4.4.6. NAS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 34
4.4.7. Filter-Id AVP . . . . . . . . . . . . . . . . . . . . 33 4.4.7. Filter-Id AVP . . . . . . . . . . . . . . . . . . . . 34
4.4.8. Configuration-Token AVP . . . . . . . . . . . . . . . 34 4.4.8. Configuration-Token AVP . . . . . . . . . . . . . . . 35
4.4.9. QoS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 34 4.4.9. QoS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 35
4.4.10. Framed Access Authorization AVPs . . . . . . . . . . . 34 4.4.10. Framed Access Authorization AVPs . . . . . . . . . . . 36
4.4.10.1. Framed-Protocol AVP . . . . . . . . . . . . . . . 35 4.4.10.1. Framed-Protocol AVP . . . . . . . . . . . . . . . 36
4.4.10.2. Framed-Routing AVP . . . . . . . . . . . . . . . 35 4.4.10.2. Framed-Routing AVP . . . . . . . . . . . . . . . 36
4.4.10.3. Framed-MTU AVP . . . . . . . . . . . . . . . . . 35 4.4.10.3. Framed-MTU AVP . . . . . . . . . . . . . . . . . 36
4.4.10.4. Framed-Compression AVP . . . . . . . . . . . . . 35 4.4.10.4. Framed-Compression AVP . . . . . . . . . . . . . 36
4.4.10.5. IP Access Authorization AVPs . . . . . . . . . . 35 4.4.10.5. IP Access Authorization AVPs . . . . . . . . . . 36
4.4.10.5.1. Framed-IP-Address AVP . . . . . . . . . . . . 35 4.4.10.5.1. Framed-IP-Address AVP . . . . . . . . . . . . 37
4.4.10.5.2. Framed-IP-Netmask AVP . . . . . . . . . . . . 36 4.4.10.5.2. Framed-IP-Netmask AVP . . . . . . . . . . . . 37
4.4.10.5.3. Framed-Route AVP . . . . . . . . . . . . . . 36 4.4.10.5.3. Framed-Route AVP . . . . . . . . . . . . . . 37
4.4.10.5.4. Framed-Pool AVP . . . . . . . . . . . . . . . 36 4.4.10.5.4. Framed-Pool AVP . . . . . . . . . . . . . . . 38
4.4.10.5.5. Framed-Interface-Id AVP . . . . . . . . . . . 37 4.4.10.5.5. Framed-Interface-Id AVP . . . . . . . . . . . 38
4.4.10.5.6. Framed-IPv6-Prefix AVP . . . . . . . . . . . 37 4.4.10.5.6. Framed-IPv6-Prefix AVP . . . . . . . . . . . 38
4.4.10.5.7. Framed-IPv6-Route AVP . . . . . . . . . . . . 37 4.4.10.5.7. Framed-IPv6-Route AVP . . . . . . . . . . . . 38
4.4.10.5.8. Framed-IPv6-Pool AVP . . . . . . . . . . . . 38 4.4.10.5.8. Framed-IPv6-Pool AVP . . . . . . . . . . . . 39
4.4.10.6. IPX Access AVPs . . . . . . . . . . . . . . . . . 38 4.4.10.6. IPX Access AVPs . . . . . . . . . . . . . . . . . 39
4.4.10.6.1. Framed-IPX-Network AVP . . . . . . . . . . . 38 4.4.10.6.1. Framed-IPX-Network AVP . . . . . . . . . . . 39
4.4.10.7. AppleTalk Network Access AVPs . . . . . . . . . . 38 4.4.10.7. AppleTalk Network Access AVPs . . . . . . . . . . 39
4.4.10.7.1. Framed-AppleTalk-Link AVP . . . . . . . . . . 38 4.4.10.7.1. Framed-AppleTalk-Link AVP . . . . . . . . . . 39
4.4.10.7.2. Framed-AppleTalk-Network AVP . . . . . . . . 39 4.4.10.7.2. Framed-AppleTalk-Network AVP . . . . . . . . 40
4.4.10.7.3. Framed-AppleTalk-Zone AVP . . . . . . . . . . 39 4.4.10.7.3. Framed-AppleTalk-Zone AVP . . . . . . . . . . 40
4.4.10.8. AppleTalk Remote Access AVPs . . . . . . . . . . 39 4.4.10.8. AppleTalk Remote Access AVPs . . . . . . . . . . 40
4.4.10.8.1. ARAP-Features AVP . . . . . . . . . . . . . . 39 4.4.10.8.1. ARAP-Features AVP . . . . . . . . . . . . . . 40
4.4.10.8.2. ARAP-Zone-Access AVP . . . . . . . . . . . . 39 4.4.10.8.2. ARAP-Zone-Access AVP . . . . . . . . . . . . 40
4.4.11. Non-Framed Access Authorization AVPs . . . . . . . . . 40 4.4.11. Non-Framed Access Authorization AVPs . . . . . . . . . 41
4.4.11.1. Login-IP-Host AVP . . . . . . . . . . . . . . . . 40 4.4.11.1. Login-IP-Host AVP . . . . . . . . . . . . . . . . 41
4.4.11.2. Login-IPv6-Host AVP . . . . . . . . . . . . . . . 40 4.4.11.2. Login-IPv6-Host AVP . . . . . . . . . . . . . . . 41
4.4.11.3. Login-Service AVP . . . . . . . . . . . . . . . . 40 4.4.11.3. Login-Service AVP . . . . . . . . . . . . . . . . 41
4.4.11.4. TCP Services . . . . . . . . . . . . . . . . . . 40 4.4.11.4. TCP Services . . . . . . . . . . . . . . . . . . 42
4.4.11.4.1. Login-TCP-Port AVP . . . . . . . . . . . . . 41 4.4.11.4.1. Login-TCP-Port AVP . . . . . . . . . . . . . 42
4.4.11.5. LAT Services . . . . . . . . . . . . . . . . . . 41 4.4.11.5. LAT Services . . . . . . . . . . . . . . . . . . 42
4.4.11.5.1. Login-LAT-Service AVP . . . . . . . . . . . . 41 4.4.11.5.1. Login-LAT-Service AVP . . . . . . . . . . . . 42
4.4.11.5.2. Login-LAT-Node AVP . . . . . . . . . . . . . 41 4.4.11.5.2. Login-LAT-Node AVP . . . . . . . . . . . . . 43
4.4.11.5.3. Login-LAT-Group AVP . . . . . . . . . . . . . 42 4.4.11.5.3. Login-LAT-Group AVP . . . . . . . . . . . . . 43
4.4.11.5.4. Login-LAT-Port AVP . . . . . . . . . . . . . 42 4.4.11.5.4. Login-LAT-Port AVP . . . . . . . . . . . . . 43
4.5. NAS Tunneling AVPs . . . . . . . . . . . . . . . . . . . . 43 4.5. NAS Tunneling AVPs . . . . . . . . . . . . . . . . . . . . 44
4.5.1. Tunneling AVP . . . . . . . . . . . . . . . . . . . . 43 4.5.1. Tunneling AVP . . . . . . . . . . . . . . . . . . . . 44
4.5.2. Tunnel-Type AVP . . . . . . . . . . . . . . . . . . . 44 4.5.2. Tunnel-Type AVP . . . . . . . . . . . . . . . . . . . 45
4.5.3. Tunnel-Medium-Type AVP . . . . . . . . . . . . . . . . 44 4.5.3. Tunnel-Medium-Type AVP . . . . . . . . . . . . . . . . 45
4.5.4. Tunnel-Client-Endpoint AVP . . . . . . . . . . . . . . 44 4.5.4. Tunnel-Client-Endpoint AVP . . . . . . . . . . . . . . 45
4.5.5. Tunnel-Server-Endpoint AVP . . . . . . . . . . . . . . 45 4.5.5. Tunnel-Server-Endpoint AVP . . . . . . . . . . . . . . 46
4.5.6. Tunnel-Password AVP . . . . . . . . . . . . . . . . . 46 4.5.6. Tunnel-Password AVP . . . . . . . . . . . . . . . . . 47
4.5.7. Tunnel-Private-Group-Id AVP . . . . . . . . . . . . . 46 4.5.7. Tunnel-Private-Group-Id AVP . . . . . . . . . . . . . 47
4.5.8. Tunnel-Assignment-Id AVP . . . . . . . . . . . . . . . 46 4.5.8. Tunnel-Assignment-Id AVP . . . . . . . . . . . . . . . 47
4.5.9. Tunnel-Preference AVP . . . . . . . . . . . . . . . . 48 4.5.9. Tunnel-Preference AVP . . . . . . . . . . . . . . . . 49
4.5.10. Tunnel-Client-Auth-Id AVP . . . . . . . . . . . . . . 48 4.5.10. Tunnel-Client-Auth-Id AVP . . . . . . . . . . . . . . 49
4.5.11. Tunnel-Server-Auth-Id AVP . . . . . . . . . . . . . . 48 4.5.11. Tunnel-Server-Auth-Id AVP . . . . . . . . . . . . . . 49
4.6. NAS Accounting AVPs . . . . . . . . . . . . . . . . . . . 49 4.6. NAS Accounting AVPs . . . . . . . . . . . . . . . . . . . 50
4.6.1. Accounting-Input-Octets AVP . . . . . . . . . . . . . 50 4.6.1. Accounting-Input-Octets AVP . . . . . . . . . . . . . 51
4.6.2. Accounting-Output-Octets AVP . . . . . . . . . . . . . 50 4.6.2. Accounting-Output-Octets AVP . . . . . . . . . . . . . 51
4.6.3. Accounting-Input-Packets AVP . . . . . . . . . . . . . 50 4.6.3. Accounting-Input-Packets AVP . . . . . . . . . . . . . 51
4.6.4. Accounting-Output-Packets AVP . . . . . . . . . . . . 50 4.6.4. Accounting-Output-Packets AVP . . . . . . . . . . . . 51
4.6.5. Acct-Session-Time AVP . . . . . . . . . . . . . . . . 50 4.6.5. Acct-Session-Time AVP . . . . . . . . . . . . . . . . 51
4.6.6. Acct-Authentic AVP . . . . . . . . . . . . . . . . . . 51 4.6.6. Acct-Authentic AVP . . . . . . . . . . . . . . . . . . 52
4.6.7. Accounting-Auth-Method AVP . . . . . . . . . . . . . . 51 4.6.7. Accounting-Auth-Method AVP . . . . . . . . . . . . . . 52
4.6.8. Acct-Delay-Time AVP . . . . . . . . . . . . . . . . . 51 4.6.8. Acct-Delay-Time AVP . . . . . . . . . . . . . . . . . 52
4.6.9. Acct-Link-Count AVP . . . . . . . . . . . . . . . . . 51 4.6.9. Acct-Link-Count AVP . . . . . . . . . . . . . . . . . 52
4.6.10. Acct-Tunnel-Connection AVP . . . . . . . . . . . . . . 52 4.6.10. Acct-Tunnel-Connection AVP . . . . . . . . . . . . . . 53
4.6.11. Acct-Tunnel-Packets-Lost AVP . . . . . . . . . . . . . 52 4.6.11. Acct-Tunnel-Packets-Lost AVP . . . . . . . . . . . . . 53
5. AVP Occurrence Tables . . . . . . . . . . . . . . . . . . . . 52 5. AVP Occurrence Tables . . . . . . . . . . . . . . . . . . . . 53
5.1. AA-Request/Answer AVP Table . . . . . . . . . . . . . . . 53 5.1. AA-Request/Answer AVP Table . . . . . . . . . . . . . . . 54
5.2. Accounting AVP Tables . . . . . . . . . . . . . . . . . . 55 5.2. Accounting AVP Tables . . . . . . . . . . . . . . . . . . 56
5.2.1. Framed Access Accounting AVP Table . . . . . . . . . . 56 5.2.1. Framed Access Accounting AVP Table . . . . . . . . . . 57
5.2.2. Non-Framed Access Accounting AVP Table . . . . . . . . 58 5.2.2. Non-Framed Access Accounting AVP Table . . . . . . . . 59
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60
6.1. Command Codes . . . . . . . . . . . . . . . . . . . . . . 59
6.2. AVP Codes . . . . . . . . . . . . . . . . . . . . . . . . 60
6.3. Application Identifier . . . . . . . . . . . . . . . . . . 60
6.4. CHAP-Algorithm AVP Values . . . . . . . . . . . . . . . . 60
6.5. Accounting-Auth-Method AVP Values . . . . . . . . . . . . 60
7. Security Considerations . . . . . . . . . . . . . . . . . . . 60 7. Security Considerations . . . . . . . . . . . . . . . . . . . 60
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 61 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 61
8.1. Normative References . . . . . . . . . . . . . . . . . . . 61 8.1. Normative References . . . . . . . . . . . . . . . . . . . 61
8.2. Informative References . . . . . . . . . . . . . . . . . . 62 8.2. Informative References . . . . . . . . . . . . . . . . . . 62
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 64 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 64
A.1. RFC 4005 . . . . . . . . . . . . . . . . . . . . . . . . . 64 A.1. RFC 4005 . . . . . . . . . . . . . . . . . . . . . . . . . 64
A.2. RFC 4005bis . . . . . . . . . . . . . . . . . . . . . . . 65 A.2. RFC 4005bis . . . . . . . . . . . . . . . . . . . . . . . 65
1. Introduction 1. Introduction
skipping to change at page 6, line 8 skipping to change at page 6, line 8
SLIP (Serial Line Interface Protocol) SLIP (Serial Line Interface Protocol)
A serial datalink that only supports IP. A design prior to PPP. A serial datalink that only supports IP. A design prior to PPP.
ARAP (Appletalk Remote Access Protocol) ARAP (Appletalk Remote Access Protocol)
A serial datalink for accessing Appletalk networks [ARAP]. A serial datalink for accessing Appletalk networks [ARAP].
IPX (Internet Packet Exchange) IPX (Internet Packet Exchange)
The network protocol used by NetWare networks [IPX]. The network protocol used by NetWare networks [IPX].
LAT (Local Area Transport L2TP (Layer Two Tunneling Protocol)
L2TP [RFC3931] provides a dynamic mechanism for tunneling Layer 2
"circuits" across a packet-oriented data network.
LAC (L2TP Access Concentrator)
An L2TP Control Connection Endpoint being used to cross-connect an
L2TP session directly to a data link [RFC3931].
LAT (Local Area Transport)
A Digital Equipment Corp. LAN protocol for terminal services A Digital Equipment Corp. LAN protocol for terminal services
[LAT]. [LAT].
LCP (Link Control Protocol)
One of the three major components of PPP [RFC1661]. LCP is used
to automatically agree upon encapsulation format options, handle
varying limits on sizes of packets, detect a looped-back link and
other common misconfiguration errors, and terminate the link.
Other optional facilities provided are authentication of the
identity of its peer on the link, and determination when a link is
functioning properly and when it is failing.
PAC (PPTP Access Concentrator)
A device attached to one or more Public Switched Telephone Network
(PSTN) or Integrated Services Digital Network (ISDN) lines capable
of PPP operation and of handling PPTP [RFC2637].
PPTP (Point-to-Point Tunneling Protocol)
A protocol which allows PPP to be tunneled through an IP network
[RFC2637].
VPN (Virtual Private Network) VPN (Virtual Private Network)
In this document, this term is used to describe access services In this document, this term is used to describe access services
that use tunneling methods. that use tunneling methods.
1.2. Requirements Language 1.2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
1.3. Advertising Application Support 1.3. Advertising Application Support
Diameter applications conforming to this specification MUST advertise Diameter applications conforming to this specification MUST advertise
support by including the value of one (1) in the Auth-Application-Id support by including the value of one (1) in the Auth-Application-Id
of the Capabilities-Exchange-Request (CER), AA-Request (AAR), and AA- of the Capabilities-Exchange-Request (CER), AA-Request (AAR), and AA-
Answer (AAA) messages. All other messages are defined by RFC 3588 Answer (AAA) messages. All other messages use the Base application
and use the Base application id value. id value [I-D.ietf-dime-rfc3588bis].
2. NAS Calls, Ports, and Sessions 2. NAS Calls, Ports, and Sessions
The arrival of a new call or service connection at a port of a The arrival of a new call or service connection at a port of a
Network Access Server (NAS) starts a Diameter NAS message exchange. Network Access Server (NAS) starts a Diameter NAS message exchange.
Information about the call, the identity of the user, and the user's Information about the call, the identity of the user, and the user's
authentication information are packaged into a Diameter AA-Request authentication information are packaged into a Diameter AA-Request
(AAR) message and sent to a server. (AAR) message and sent to a server.
The server processes the information and responds with a Diameter AA- The server processes the information and responds with a Diameter AA-
skipping to change at page 8, line 20 skipping to change at page 8, line 52
sessions. A service may also use a different Session-Id value for sessions. A service may also use a different Session-Id value for
accounting (see Section 9.6 of [I-D.ietf-dime-rfc3588bis]). accounting (see Section 9.6 of [I-D.ietf-dime-rfc3588bis]).
However, the Diameter Session-ID AVP value used for the initial However, the Diameter Session-ID AVP value used for the initial
authorization exchange MUST be used to generate an STR message when authorization exchange MUST be used to generate an STR message when
the session context is terminated. the session context is terminated.
2.3. Diameter Session Termination 2.3. Diameter Session Termination
When a NAS receives an indication that a user's session is being When a NAS receives an indication that a user's session is being
disconnected by the client (e.g., LCP Terminate is received) or an disconnected by the client (e.g., an LCP Terminate-Request message
administrative command, the NAS MUST issue a Session-Termination-
Request (STR) [I-D.ietf-dime-rfc3588bis] to its Diameter Server. [RFC1661] is received) or an administrative command, the NAS MUST
This will ensure that any resources maintained on the servers are issue a Session-Termination-Request (STR) [I-D.ietf-dime-rfc3588bis]
freed appropriately. to its Diameter Server. This will ensure that any resources
maintained on the servers are freed appropriately.
Furthermore, a NAS that receives an Abort-Session-Request (ASR) Furthermore, a NAS that receives an Abort-Session-Request (ASR)
[I-D.ietf-dime-rfc3588bis] MUST issue an ASA if the session [I-D.ietf-dime-rfc3588bis] MUST issue an ASA if the session
identified is active and disconnect the PPP (or tunneling) session. identified is active and disconnect the PPP (or tunneling) session.
If accounting is active, an Accounting STOP_RECORD message If accounting is active, an Accounting STOP_RECORD message
[I-D.ietf-dime-rfc3588bis] MUST be sent upon termination of the [I-D.ietf-dime-rfc3588bis] MUST be sent upon termination of the
session context. session context.
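The termination rules in Sections 2.2 and 2.3 (STR keyed on the initial authorization Session-Id, ASA plus disconnect on an ASR for an active session, ACR STOP_RECORD when accounting is running) can be expressed as a small per-call state machine. The following Python model is an added example written for this page, not code from the draft or any Diameter stack. It assumes the base-protocol values DIAMETER_SUCCESS (2001), DIAMETER_UNKNOWN_SESSION_ID (5002) and the STOP_RECORD Accounting-Record-Type (4), none of which appear in this excerpt, and it treats a server-initiated ASR as an administrative disconnect so that the STR rule of Section 2.3 applies; messages are modelled as plain dicts carrying only the AVPs this excerpt names.

```python
NASREQ_APP_ID = 1  # Auth-Application-Id advertised by this application (Section 1.3)

# Base-protocol values not shown in this excerpt (assumption, from rfc3588bis):
DIAMETER_SUCCESS = 2001
DIAMETER_UNKNOWN_SESSION_ID = 5002
STOP_RECORD = 4  # Accounting-Record-Type of the final accounting record


class NasSession:
    """Per-call state on a NAS: the Session-Id from the initial AAR/AAA
    exchange, an optional separate accounting Session-Id (Section 2.2),
    and whether accounting has been started for the call."""

    def __init__(self, auth_session_id, acct_session_id=None, accounting=False):
        self.auth_session_id = auth_session_id
        # Accounting MAY use its own Session-Id; default to the auth one.
        self.acct_session_id = acct_session_id or auth_session_id
        self.accounting_active = accounting
        self.active = True

    def _terminate(self, reason):
        """Tear down the session context and return the Diameter messages
        the NAS must emit, in order: an STR carrying the *authorization*
        Session-Id, then an ACR STOP_RECORD if accounting was running.
        A second call on an already-terminated session emits nothing."""
        if not self.active:
            return []
        self.active = False
        messages = [{"cmd": "STR",
                     "Session-Id": self.auth_session_id,
                     "Auth-Application-Id": NASREQ_APP_ID,
                     "reason": reason}]
        if self.accounting_active:
            self.accounting_active = False
            messages.append({"cmd": "ACR",
                             "Session-Id": self.acct_session_id,
                             "Accounting-Record-Type": STOP_RECORD})
        return messages

    def on_client_disconnect(self):
        # e.g. an LCP Terminate-Request arrived on the PPP link
        return self._terminate("client disconnect")

    def on_admin_disconnect(self):
        return self._terminate("administrative command")

    def on_abort_session_request(self, asr_session_id):
        """Handle an ASR from the server: answer with an ASA and, if the
        identified session is active, disconnect it through the normal
        termination path (STR, then ACR STOP_RECORD when accounting is on)."""
        if not self.active or asr_session_id != self.auth_session_id:
            return [{"cmd": "ASA", "Session-Id": asr_session_id,
                     "Result-Code": DIAMETER_UNKNOWN_SESSION_ID}]
        asa = {"cmd": "ASA", "Session-Id": asr_session_id,
               "Result-Code": DIAMETER_SUCCESS}
        return [asa] + self._terminate("server-initiated abort")


if __name__ == "__main__":
    # Constructed Session-Id values for illustration only.
    call = NasSession("nas1.example;1;42", acct_session_id="nas1.example;1;42;acct",
                      accounting=True)
    for msg in call.on_abort_session_request("nas1.example;1;42"):
        print(msg)
```

The point the model makes explicit is the one the text states as a MUST: even when accounting runs under a different Session-Id, the STR is built from the Session-Id of the original authorization exchange, and the STOP_RECORD is sent under the accounting one.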
More information on Diameter Session Termination can be found in More information on Diameter Session Termination can be found in
skipping to change at page 24, line 20 skipping to change at page 24, line 20
Session-Id Session-Id
Auth-Application-Id Auth-Application-Id
Origin-Host Origin-Host
Origin-Realm Origin-Realm
Auth-Request-Type Auth-Request-Type
Termination-Cause Termination-Cause
The following table gives the possible flag values for the session The following table gives the possible flag values for the session
level AVPs and specifies whether the AVP MAY be encrypted. level AVPs and specifies whether the AVP MAY be encrypted.
+---------------------+ +----------+
| AVP Flag rules | | AVP Flag |
|----+-----+----+-----|----+ | rules |
| | |SHLD| MUST| | |----+-----+
Attribute Name Section Defined |MUST| MAY | NOT| NOT|Encr| |MUST| MUST|
-----------------------------------------|----+-----+----+-----|----| Attribute Name Section Defined | | NOT|
NAS-Port 4.2.2 | M | P | | V | Y | -----------------------------------------|----+-----|
NAS-Port-Id 4.2.3 | M | P | | V | Y | NAS-Port 4.2.2 | M | V |
NAS-Port-Type 4.2.4 | M | P | | V | Y | NAS-Port-Id 4.2.3 | M | V |
Called-Station-Id 4.2.5 | M | P | | V | Y | NAS-Port-Type 4.2.4 | M | V |
Calling-Station-Id 4.2.6 | M | P | | V | Y | Called-Station-Id 4.2.5 | M | V |
Connect-Info 4.2.7 | M | P | | V | Y | Calling-Station-Id 4.2.6 | M | V |
Originating-Line-Info 4.2.8 | | M,P | | V | Y | Connect-Info 4.2.7 | M | V |
Reply-Message 4.2.9 | M | P | | V | Y | Originating-Line-Info 4.2.8 | | V |
-----------------------------------------|----+-----+----+-----|----| Reply-Message 4.2.9 | M | V |
-----------------------------------------|----+-----|
4.2.2. NAS-Port AVP 4.2.2. NAS-Port AVP
The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the
physical or virtual port number of the NAS which is authenticating physical or virtual port number of the NAS which is authenticating
the user. Note that "port" is meant in its sense as a service the user. Note that "port" is meant in its sense as a service
connection on the NAS, not as an IP protocol identifier. connection on the NAS, not as an IP protocol identifier.
Either the NAS-Port AVP or the NAS-Port-Id AVP (Section 4.2.3) SHOULD Either the NAS-Port AVP or the NAS-Port-Id AVP (Section 4.2.3) SHOULD
be present in the AA-Request (AAR, Section 3.1) command if the NAS be present in the AA-Request (AAR, Section 3.1) command if the NAS
skipping to change at page 25, line 37 skipping to change at page 25, line 38
Identification Service (DNIS) or a similar technology. Note that Identification Service (DNIS) or a similar technology. Note that
this may be different from the phone number the call comes in on. this may be different from the phone number the call comes in on.
For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC
address formatted as described in [RFC3580]. It SHOULD only be address formatted as described in [RFC3580]. It SHOULD only be
present in authentication and/or authorization requests. present in authentication and/or authorization requests.
If the Called-Station-Id AVP is present in an AAR message, Auth- If the Called-Station-Id AVP is present in an AAR message, Auth-
Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is
absent, the Diameter Server MAY perform authorization based on this absent, the Diameter Server MAY perform authorization based on this
AVP. This can be used by a NAS to request whether a call should be AVP. This can be used by a NAS to request whether a call should be
answered based on the DNIS. answered based on the DNIS result.
The codification of this field's allowed usage range is outside the The codification of this field's allowed usage range is outside the
scope of this specification. scope of this specification.
4.2.6. Calling-Station-Id AVP

   The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and
   allows the NAS to send the ASCII string describing the Layer 2
   address from which the user connected in the request.  For dialup
   access, this is the phone number the call came from, using Automatic

skipping to change at page 26, line 44

   Connect-Info AVP may contain information on the number of link layer
   retransmissions.  The exact format of this attribute is
   implementation specific.

4.2.8. Originating-Line-Info AVP

   The Originating-Line-Info AVP (AVP Code 94) is of type OctetString
   and is sent by the NAS system to convey information about the origin
   of the call from an SS7 system.

   The Originating Line Information (OLI) element indicates the nature
   and/or characteristics of the line from which a call originated
   (e.g., pay phone, hotel, cellular).  Telephone companies are starting
   to offer OLI to their customers as an option over Primary Rate
   Interface (PRI).  Internet Service Providers (ISPs) can use OLI in
   addition to Called-Station-Id and Calling-Station-Id attributes to
   differentiate customer calls and to define different services.

   The Value field contains two octets (00 - 99).  ANSI T1.113 and
   BELLCORE 394 can be used for additional information about these
   values and their use.  For information on the currently assigned
skipping to change at page 28, line 5

   This section defines the AVPs necessary to carry the authentication
   information in the Diameter protocol.  The functionality defined here
   provides a RADIUS-like AAA service [RFC2865] over a more reliable and
   secure transport, as defined in the base protocol
   [I-D.ietf-dime-rfc3588bis].

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                                    +----------+
                                                    | AVP Flag |
                                                    |  rules   |
                                                    |----+-----|
                                                    |MUST| MUST|
   Attribute Name                 Section Defined   |    |  NOT|
   -------------------------------------------------|----+-----|
   User-Password                  4.3.1             | M  |  V  |
   Password-Retry                 4.3.2             | M  |  V  |
   Prompt                         4.3.3             | M  |  V  |
   CHAP-Auth                      4.3.4             | M  |  V  |
   CHAP-Algorithm                 4.3.5             | M  |  V  |
   CHAP-Ident                     4.3.6             | M  |  V  |
   CHAP-Response                  4.3.7             | M  |  V  |
   CHAP-Challenge                 4.3.8             | M  |  V  |
   ARAP-Password                  4.3.9             | M  |  V  |
   ARAP-Challenge-Response        4.3.10            | M  |  V  |
   ARAP-Security                  4.3.11            | M  |  V  |
   ARAP-Security-Data             4.3.12            | M  |  V  |
   -------------------------------------------------|----+-----|

   In draft -02 this table also carried MAY, SHLD NOT and Encr columns,
   reading P, blank and Y for every row; -03 drops the three columns.

4.3.1. User-Password AVP

   The User-Password AVP (AVP Code 2) is of type OctetString and
   contains the password of the user to be authenticated, or the user's
   input in a multi-round authentication exchange.

   The User-Password AVP contains a user password or one-time password
   and therefore represents sensitive information.  As required in
   [I-D.ietf-dime-rfc3588bis], Diameter messages are encrypted by using
   IPsec [RFC4301] or TLS [RFC5246].  Unless this AVP is used for one-
   time passwords, the User-Password AVP SHOULD NOT be used in untrusted
   proxy environments without encrypting it by using end-to-end security
   techniques.

   The clear-text password (prior to encryption) MUST NOT be longer than
   128 bytes in length.
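   The flag-rule row for User-Password (M MUST be set, V MUST NOT be
   set) and the 128-octet clear-text limit are easiest to enforce where
   the AVP is built and parsed.  The Python below is an added example,
   not code from this draft or from any Diameter implementation.  It
   assumes the base-protocol AVP header layout (4-octet Code, 1-octet
   Flags with V=0x80, M=0x40, P=0x20, 3-octet Length that excludes
   padding, optional 4-octet Vendor-ID, data padded to a 4-octet
   boundary); the sample password and the vendor AVP code 999 used for
   illustration are constructed.

```python
"""Build, parse and flag-check a Diameter User-Password AVP.

Added example (not code from the draft or any Diameter stack).  Assumes
the base-protocol AVP header: Code, Flags, 3-octet Length (excluding
padding), optional Vendor-ID, data padded to a 4-octet boundary.
"""
import struct
from typing import List, Optional, Tuple

AVP_FLAG_V = 0x80  # Vendor-Specific: a Vendor-ID field follows the header
AVP_FLAG_M = 0x40  # Mandatory
AVP_FLAG_P = 0x20  # end-to-end protection (draft -02 listed it as MAY here)

USER_PASSWORD = 2        # AVP Code from Section 4.3.1
MAX_PASSWORD_LEN = 128   # clear-text limit from Section 4.3.1


def encode_avp(code: int, flags: int, data: bytes,
               vendor_id: Optional[int] = None) -> bytes:
    """Return the wire form of one AVP: header, data, zero padding to 4 octets."""
    if vendor_id is not None:
        flags |= AVP_FLAG_V
    elif flags & AVP_FLAG_V:
        raise ValueError("V flag set but no Vendor-ID supplied")
    header_len = 12 if flags & AVP_FLAG_V else 8
    length = header_len + len(data)            # AVP Length does not count padding
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id is not None:
        header += struct.pack("!I", vendor_id)
    return header + data + b"\x00" * ((-len(data)) % 4)


def decode_avp(buf: bytes, offset: int = 0) -> Tuple[int, int, Optional[int], bytes, int]:
    """Parse one AVP at buf[offset:]; return (code, flags, vendor_id, data, next_offset)."""
    code, flags = struct.unpack_from("!IB", buf, offset)
    length = int.from_bytes(buf[offset + 5:offset + 8], "big")
    pos = offset + 8
    vendor_id = None
    if flags & AVP_FLAG_V:
        vendor_id = struct.unpack_from("!I", buf, pos)[0]
        pos += 4
    data = buf[pos:offset + length]
    # The next AVP starts at the padded boundary, not at offset + length.
    return code, flags, vendor_id, data, offset + length + ((-length) % 4)


def check_user_password_flags(flags: int) -> List[str]:
    """Apply the table row for User-Password: M MUST be set, V MUST NOT be set."""
    problems = []
    if not flags & AVP_FLAG_M:
        problems.append("M flag missing")
    if flags & AVP_FLAG_V:
        problems.append("V flag set")
    return problems


def encode_user_password(password: bytes) -> bytes:
    """Emit a User-Password AVP, refusing clear text longer than 128 octets."""
    if len(password) > MAX_PASSWORD_LEN:
        raise ValueError("clear-text password longer than 128 octets")
    return encode_avp(USER_PASSWORD, AVP_FLAG_M, password)


if __name__ == "__main__":
    wire = encode_user_password(b"s3cret")   # constructed sample; never log real ones
    print(wire.hex())
    print(decode_avp(wire))
```

   The decoder deliberately advances by the padded length, which is the
   usual source of off-by-a-few-bytes bugs in hand-written AVP walkers;
   the flag check is kept separate from decoding so a receiver can
   report the rule violation rather than silently accept the AVP.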
4.3.2. Password-Retry AVP

   The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be
   included in the AA-Answer if the Result-Code indicates an
   authentication failure.  The value of this AVP indicates how many
   authentication attempts a user is permitted before being

skipping to change at page 32, line 5

4.4. NAS Authorization AVPs

   This section contains the authorization AVPs supported in the NAS
   Application.  The Service-Type AVP SHOULD be present in all messages
   and, based on its value, additional AVPs defined in this section and
   Section 4.5 MAY be present.

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                                    +----------+
                                                    | AVP Flag |
                                                    |  rules   |
                                                    |----+-----|
                                                    |MUST| MUST|
   Attribute Name                 Section Defined   |    |  NOT|
   -------------------------------------------------|----+-----|
   Service-Type                   4.4.1             | M  |  V  |
   Callback-Number                4.4.2             | M  |  V  |
   Callback-Id                    4.4.3             | M  |  V  |
   Idle-Timeout                   4.4.4             | M  |  V  |
   Port-Limit                     4.4.5             | M  |  V  |
   NAS-Filter-Rule                4.4.6             | M  |  V  |
   Filter-Id                      4.4.7             | M  |  V  |
   Configuration-Token            4.4.8             | M  | P,V |
   QoS-Filter-Rule                4.4.9             |    |     |
   Framed-Protocol                4.4.10.1          | M  |  V  |
   Framed-Routing                 4.4.10.2          | M  |  V  |
   Framed-MTU                     4.4.10.3          | M  |  V  |
   Framed-Compression             4.4.10.4          | M  |  V  |
   Framed-IP-Address              4.4.10.5.1        | M  |  V  |
   Framed-IP-Netmask              4.4.10.5.2        | M  |  V  |
   Framed-Route                   4.4.10.5.3        | M  |  V  |
   Framed-Pool                    4.4.10.5.4        | M  |  V  |
   Framed-Interface-Id            4.4.10.5.5        | M  |  V  |
   Framed-IPv6-Prefix             4.4.10.5.6        | M  |  V  |
   Framed-IPv6-Route              4.4.10.5.7        | M  |  V  |
   Framed-IPv6-Pool               4.4.10.5.8        | M  |  V  |
   Framed-IPX-Network             4.4.10.6.1        | M  |  V  |
   Framed-Appletalk-Link          4.4.10.7.1        | M  |  V  |
   Framed-Appletalk-Network       4.4.10.7.2        | M  |  V  |
   Framed-Appletalk-Zone          4.4.10.7.3        | M  |  V  |
   ARAP-Features                  4.4.10.8.1        | M  |  V  |
   ARAP-Zone-Access               4.4.10.8.2        | M  |  V  |
   Login-IP-Host                  4.4.11.1          | M  |  V  |
   Login-IPv6-Host                4.4.11.2          | M  |  V  |
   Login-Service                  4.4.11.3          | M  |  V  |
   Login-TCP-Port                 4.4.11.4.1        | M  |  V  |
   Login-LAT-Service              4.4.11.5.1        | M  |  V  |
   Login-LAT-Node                 4.4.11.5.2        | M  |  V  |
   Login-LAT-Group                4.4.11.5.3        | M  |  V  |
   Login-LAT-Port                 4.4.11.5.4        | M  |  V  |
   -------------------------------------------------|----+-----|

   In draft -02 this table also carried MAY, SHLD NOT and Encr columns,
   reading P, blank and Y for every row except Configuration-Token (MAY
   blank, MUST NOT "P,V", Encr blank) and QoS-Filter-Rule (all columns
   blank); -03 drops the three columns.
4.4.1. Service-Type AVP

   The Service-Type AVP (AVP Code 6) is of type Enumerated and contains
   the type of service the user has requested or the type of service to
   be provided.  One such AVP MAY be present in an authentication and/or
   authorization request or response.  A NAS is not required to
   implement all of these service types.  It MUST treat unknown or
   unsupported Service-Types received in a response as a failure and end
   the session with a DIAMETER_INVALID_AVP_VALUE Result-Code.

skipping to change at page 38, line 47

   contains the ASCII routing information to be configured for the user
   on the NAS.  Zero or more of these AVPs MAY be present in an
   authorization response.

   The string MUST contain an IPv6 address prefix followed by a slash
   and a decimal length specifier stating how many high order bits of
   the prefix should be used.  This is followed by a space, a gateway
   address in hexadecimal notation, a space, and one or more metrics
   separated by spaces; for example,

      "2001:db8::/32 2001:db8:106:a00:20ff:fe99:a998 1"

   Whenever the gateway address is the IPv6 unspecified address, the IP
   address of the user SHOULD be used as the gateway address, such as
   in:

      "2001:db8::/32 :: 1"

   Draft -02 gave these examples as "2000:0:0:106::/64
   2000::106:a00:20ff:fe99:a998 1" and "2000:0:0:106::/64 :: 1"; -03
   moves them to the 2001:db8::/32 documentation prefix.  Note that the
   -03 gateway literal "2001:db8:106:a00:20ff:fe99:a998" has only seven
   16-bit groups and no "::", so it is not a well-formed IPv6 address; a
   NAS that validates the string will reject it, whereas
   "2001:db8::106:a00:20ff:fe99:a998" would parse.
4.4.10.5.8. Framed-IPv6-Pool AVP

   The Framed-IPv6-Pool AVP (AVP Code 100) is of type OctetString and
   contains the name of an assigned pool that SHOULD be used to assign
   an IPv6 prefix for the user.  If the access device does not support
   multiple prefix pools, it MUST ignore this AVP.

   Although specified as type OctetString for compatibility with RADIUS
   [RFC3162], the encoding of the Data field SHOULD also conform to the

skipping to change at page 42, line 35

   The Login-LAT-Service AVP (AVP Code 34) is of type OctetString and
   contains the system with which the user is to be connected by LAT.
   It MAY be used in an authorization request as a hint to the server
   that a specific service is desired, but the server is not required to
   honor the hint in the corresponding response.  This AVP MUST only be
   present in the response if the Login-Service AVP states that LAT is
   desired.

   Administrators use this service attribute when dealing with clustered
   systems (draft -02 added "such as a VAX or Alpha cluster").  In these
   environments, several different time-sharing hosts share the same
   resources (disks, printers, etc.), and administrators often configure
   each host to offer access (service) to each of the shared resources.
   In this case, each host in the cluster advertises its services
   through LAT broadcasts.

   Sophisticated users often know which service providers (machines) are
   faster and tend to use a node name when initiating a LAT connection.
   Some administrators want particular users to use certain machines as
   a primitive form of load balancing (although LAT knows how to do load
   balancing itself).

   The String field contains the identity of the LAT service to use.
   The LAT Architecture allows this string to contain $ (dollar), -
   (hyphen), . (period), _ (underscore), numerics, upper- and lowercase

skipping to change at page 44, line 27

   elsewhere in the network.  This is typically transparent to the
   service user, and the tunnel characteristics may be described by the
   remote AAA server, based on the user's authorization information.
   Several tunnel characteristics may be returned, and the NAS
   implementation may choose one.  See [RFC2868] and [RFC2867] for
   further information.
   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                                    +----------+
                                                    | AVP Flag |
                                                    |  rules   |
                                                    |----+-----|
                                                    |MUST| MUST|
   Attribute Name                 Section Defined   |    |  NOT|
   -------------------------------------------------|----+-----|
   Tunneling                      4.5.1             | M  |  V  |
   Tunnel-Type                    4.5.2             | M  |  V  |
   Tunnel-Medium-Type             4.5.3             | M  |  V  |
   Tunnel-Client-Endpoint         4.5.4             | M  |  V  |
   Tunnel-Server-Endpoint         4.5.5             | M  |  V  |
   Tunnel-Password                4.5.6             | M  |  V  |
   Tunnel-Private-Group-Id        4.5.7             | M  |  V  |
   Tunnel-Assignment-Id           4.5.8             | M  |  V  |
   Tunnel-Preference              4.5.9             | M  |  V  |
   Tunnel-Client-Auth-Id          4.5.10            | M  |  V  |
   Tunnel-Server-Auth-Id          4.5.11            | M  |  V  |
   -------------------------------------------------|----+-----|

   In draft -02 this table also carried MAY, SHLD NOT and Encr columns,
   reading P, blank and Y for every row except Tunneling, whose Encr
   entry was N; -03 drops the three columns.
4.5.1. Tunneling AVP

   The Tunneling AVP (AVP Code 401) is of type Grouped and contains the
   following AVPs, used to describe a compulsory tunnel service
   ([RFC2868], [RFC2867]).  Its data field has the following ABNF
   grammar:

      Tunneling ::= < AVP Header: 401 >
                    { Tunnel-Type }

skipping to change at page 45, line 40

   unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave
   as though a response were received with the Result-Code indicating a
   failure.

   The supported values are listed in [RADIUSTypes].

4.5.3. Tunnel-Medium-Type AVP

   The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and
   contains the transport medium to use when creating a tunnel for
   protocols (such as L2TP [RFC3931]; draft -02 cited [RFC2661]) that
   can operate over multiple transports.  It MAY be used in an
   authorization request as a hint to the server that a specific medium
   is desired, but the server is not required to honor the hint in the
   corresponding response.

   The supported values are listed in [RADIUSTypes].

4.5.4. Tunnel-Client-Endpoint AVP

   The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String
   and contains the address of the initiator end of the tunnel.  It MAY

skipping to change at page 47, line 40

   to associate a tunneled session with a particular group of users.
   For example, it MAY be used to facilitate routing of unregistered IP
   addresses through a particular interface.  This AVP SHOULD be
   included in the ACR messages that pertain to the tunneled session.

4.5.8. Tunnel-Assignment-Id AVP

   The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and
   is used to indicate to the tunnel initiator the particular tunnel to
   which a session is to be assigned.  Some tunneling protocols, such as
   PPTP [RFC2637] and L2TP [RFC3931], allow for sessions between the
   same two tunnel endpoints to be multiplexed over the same tunnel and
   also for a given session to use its own dedicated tunnel.  This
   attribute provides a mechanism for Diameter to inform the tunnel
   initiator (e.g., PAC, LAC) whether to assign the session to a
   multiplexed tunnel or to a separate tunnel.  Furthermore, it allows
   for sessions sharing multiplexed tunnels to be assigned to different
   multiplexed tunnels.

   A particular tunneling implementation may assign differing
   characteristics to particular tunnels.  For example, different

skipping to change at page 49, line 25

   For example, suppose that AVPs describing two tunnels are returned by
   the server, one with a Tunnel-Type of PPTP and the other with a
   Tunnel-Type of L2TP.  If the tunnel initiator supports only one of
   the Tunnel-Types returned, it will initiate a tunnel of that type.
   If, however, it supports both tunnel protocols, it SHOULD use the
   value of the Tunnel-Preference AVP to decide which tunnel should be
   started.  The tunnel with the lowest numerical value in the Value
   field of this AVP SHOULD be given the highest preference.  The values
   assigned to two or more instances of the Tunnel-Preference AVP within
   a given authorization response MAY be identical.  In this case, the
   tunnel initiator SHOULD use locally configured metrics to decide
   which set of AVPs to use.
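   The selection rule above (drop unsupported Tunnel-Types, fail the
   authorization if none remain, prefer the lowest Tunnel-Preference,
   break ties with a local metric) is short but easy to get subtly
   wrong, for instance by treating "no usable tunnel" as "no tunnel"
   instead of as a failed answer.  The Python below is an added example,
   not draft code.  The Tunnel-Type values PPTP=1 and L2TP=3 are the
   IANA RADIUS assignments; the Tunneling record shape, the sample
   answer and the local metric table are constructed for illustration.

```python
"""Choose which Tunneling AVP set to start, following Section 4.5.9.

Added example, not draft code.  Tunnel-Type values PPTP=1 and L2TP=3
are the IANA RADIUS assignments; everything else here is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

TUNNEL_TYPE_PPTP = 1
TUNNEL_TYPE_L2TP = 3
TUNNEL_MEDIUM_IPV4 = 1


@dataclass(frozen=True)
class Tunneling:
    """One Tunneling grouped AVP as returned in an authorization answer (simplified)."""
    tunnel_type: int
    tunnel_medium_type: int
    server_endpoint: str
    preference: int            # value of the Tunnel-Preference AVP


class TunnelAuthorizationFailed(Exception):
    """No returned Tunnel-Type is supported: behave as if the answer indicated failure."""


def rank_tunnels(answer: Iterable[Tunneling], supported: Set[int],
                 local_metric: Dict[int, int]) -> List[Tunneling]:
    """Order the usable Tunneling AVP sets: lowest Tunnel-Preference first,
    ties broken by the locally configured metric (lower is better)."""
    usable = [t for t in answer if t.tunnel_type in supported]
    if not usable:
        raise TunnelAuthorizationFailed("no supported Tunnel-Type in authorization answer")
    unknown_metric = 1 << 31           # types with no local metric sort last among ties
    return sorted(usable,
                  key=lambda t: (t.preference, local_metric.get(t.tunnel_type, unknown_metric)))


def select_tunnel(answer: Iterable[Tunneling], supported: Set[int],
                  local_metric: Dict[int, int]) -> Tunneling:
    """The set the initiator should start; rank_tunnels() gives the fallbacks after it."""
    return rank_tunnels(answer, supported, local_metric)[0]


if __name__ == "__main__":
    # Constructed answer: the text's example of one PPTP and one L2TP tunnel.
    answer = [
        Tunneling(TUNNEL_TYPE_PPTP, TUNNEL_MEDIUM_IPV4, "pptp.example.net", preference=2),
        Tunneling(TUNNEL_TYPE_L2TP, TUNNEL_MEDIUM_IPV4, "l2tp.example.net", preference=1),
    ]
    print(select_tunnel(answer, {TUNNEL_TYPE_PPTP, TUNNEL_TYPE_L2TP}, {}))
    print(select_tunnel(answer, {TUNNEL_TYPE_PPTP}, {}))
```

   rank_tunnels() returns the full order rather than only the winner so
   an initiator can fall back to the next set if establishing the first
   tunnel fails, without re-running the authorization.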
4.5.10. Tunnel-Client-Auth-Id AVP

   The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and
   specifies the name used by the tunnel initiator during the
   authentication phase of tunnel establishment.  It MAY be used in an
   authorization request as a hint to the server that a specific
   preference is desired, but the server is not required to honor the
   hint in the corresponding response.  This AVP MUST be present in the
   authorization response if an authentication name other than the

skipping to change at page 50, line 31

   additional Authentications or Authorizations occur in later
   transactions, the first exchange should generate a START_RECORD, and
   the later an INTERIM_RECORD.  For a given session, there MUST only be
   one set of matching START and STOP records, with any number of
   INTERIM_RECORDS in between, or one EVENT_RECORD indicating the reason
   a session wasn't started.

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                                    +----------+
                                                    | AVP Flag |
                                                    |  rules   |
                                                    |----+-----|
                                  Section           |MUST| MUST|
   Attribute Name                 Defined           |    |  NOT|
   -------------------------------------------------|----+-----|
   Accounting-Input-Octets        4.6.1             | M  |  V  |
   Accounting-Output-Octets       4.6.2             | M  |  V  |
   Accounting-Input-Packets       4.6.3             | M  |  V  |
   Accounting-Output-Packets      4.6.4             | M  |  V  |
   Acct-Session-Time              4.6.5             | M  |  V  |
   Acct-Authentic                 4.6.6             | M  |  V  |
   Accounting-Auth-Method         4.6.7             | M  |  V  |
   Acct-Delay-Time                4.6.8             | M  |  V  |
   Acct-Link-Count                4.6.9             | M  |  V  |
   Acct-Tunnel-Connection         4.6.10            | M  |  V  |
   Acct-Tunnel-Packets-Lost       4.6.11            | M  |  V  |
   -------------------------------------------------|----+-----|

   In draft -02 this table also carried MAY, SHLD NOT and Encr columns,
   reading P, blank and Y for every row; -03 drops the three columns.
4.6.1. Accounting-Input-Octets AVP

   The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64
   and contains the number of octets received from the user.

   For NAS usage, this AVP indicates how many octets have been received
   from the port in the course of this session.  It can only be present
   in ACR messages with an Accounting-Record-Type
   [I-D.ietf-dime-rfc3588bis] of INTERIM_RECORD or STOP_RECORD.

skipping to change at page 54, line 5

5. AVP Occurrence Tables

   The following tables present the AVPs used by NAS applications in NAS
   messages and specify in which Diameter messages they may or may not
   be present.  Messages and AVPs defined in the base Diameter protocol
   [I-D.ietf-dime-rfc3588bis] are not described in this document.  Note
   that AVPs that can only be present within a Grouped AVP are not
   represented in this table.

   The tables use the following symbols (draft -02 read "The table
   uses"):

   0     The AVP MUST NOT be present in the message.

   0+    Zero or more instances of the AVP MAY be present in the
         message.

   0-1   Zero or one instance of the AVP MAY be present in the
         message.

   1     Exactly one instance of the AVP MUST be present in the
         message.

5.1. AA-Request/Answer AVP Table

skipping to change at page 60, line 33

   Result-Code                            |  0  |  1  |
   Session-Id                             |  1  |  1  |
   Service-Type                           | 0-1 | 0-1 |
   Termination-Cause                      | 0-1 | 0-1 |
   User-Name                              | 0-1 | 0-1 |
   Vendor-Specific-Application-Id         | 0-1 | 0-1 |
   ---------------------------------------|-----+-----+
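   The four occurrence symbols translate directly into per-AVP count
   bounds, so a message validator can be driven from the tables
   themselves.  The Python below is an added example, not draft code:
   it parses rows in the layout the tables use and checks an AVP list
   against them.  SAMPLE_ROWS is the visible tail of the table above,
   copied as constructed input; since the page does not show that
   table's column headings, the two columns are simply called "request"
   and "answer" here, and AVPs absent from the rows are not judged.

```python
"""Validate AVP occurrence against a Section 5 occurrence table.

Added example, not draft code.  SAMPLE_ROWS is the visible tail of the
table above; the column names "request"/"answer" are an assumption.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# symbol -> (minimum, maximum); None means unbounded
OCCURRENCE = {"0": (0, 0), "0+": (0, None), "0-1": (0, 1), "1": (1, 1)}
REQUEST, ANSWER = 0, 1

SAMPLE_ROWS = """\
Result-Code                    |  0  |  1  |
Session-Id                     |  1  |  1  |
Service-Type                   | 0-1 | 0-1 |
Termination-Cause              | 0-1 | 0-1 |
User-Name                      | 0-1 | 0-1 |
Vendor-Specific-Application-Id | 0-1 | 0-1 |
---------------------------------------|-----+-----+
"""


def parse_occurrence_rows(text: str) -> Dict[str, Tuple[str, ...]]:
    """Read '<AVP name> | <sym> | <sym> |' rows; separator lines are skipped."""
    rules: Dict[str, Tuple[str, ...]] = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        name, cols = cells[0], [c for c in cells[1:] if c]
        if not name or set(name) <= set("-+ "):
            continue                                  # rule line or blank
        if cols and all(c in OCCURRENCE for c in cols):
            rules[name] = tuple(cols)
    return rules


def check_occurrences(avp_names: Iterable[str], rules: Dict[str, Tuple[str, ...]],
                      column: int) -> List[str]:
    """Return violations of the given table column for the AVPs in one message.

    AVPs not listed in the table are not judged here (the base protocol,
    not this table, governs them)."""
    counts = Counter(avp_names)
    problems = []
    for name, row in rules.items():
        lo, hi = OCCURRENCE[row[column]]
        n = counts.get(name, 0)
        if n < lo:
            problems.append(f"{name}: {n} present, at least {lo} required")
        elif hi is not None and n > hi:
            problems.append(f"{name}: {n} present, at most {hi} allowed")
    return problems


if __name__ == "__main__":
    rules = parse_occurrence_rows(SAMPLE_ROWS)
    # Constructed answer message missing its Result-Code.
    print(check_occurrences(["Session-Id", "User-Name"], rules, ANSWER))
```

   Driving the check from the table text keeps the validator and the
   specification from drifting apart; the same parser reads any of the
   Section 5 tables once their rows are pasted in.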
6. IANA Considerations

   This document does not request any action by IANA.

   Draft -02 instead carried the following IANA Considerations text,
   which -03 removes in full:

   This section provides guidance to the Internet Assigned Numbers
   Authority (IANA) regarding registration of values related to the
   Diameter protocol, in accordance with BCP 26 [RFC5226].

   This document defines values in the namespaces that have been created
   and defined in the Diameter Base [I-D.ietf-dime-rfc3588bis].  The
   IANA Considerations section of that document details the assignment
   criteria.  Values assigned in this document, or by future IANA
   action, must be coordinated within this shared namespace.

6.1. Command Codes

   This specification assigns the value 265 from the Command Code
   namespace defined in [I-D.ietf-dime-rfc3588bis].  See Sections 3.1
   and 3.2 for the assignment of the namespace in this specification.

6.2. AVP Codes

   This specification assigns the values 363 - 366 and 400 - 408 from
   the AVP Code namespace defined in [I-D.ietf-dime-rfc3588bis].  See
   Section 4 for the assignment of the namespace in this specification.
   Note that the values 363 - 366 are jointly, but consistently,
   assigned in [RFC4004].  This document also creates one new namespace
   to be managed by IANA, as described in Section 6.5.

   This specification also specifies the use of AVPs in the 0 - 255
   range, which are listed in [RADIUSTypes].  These values are assigned
   according to the policy stated in Section 6 of [RFC2865], as amended
   by [RFC3575].

6.3. Application Identifier

   This specification uses the value one (1) in the Application
   Identifier namespace as assigned in [I-D.ietf-dime-rfc3588bis].  See
   Section 1.3 above for more information.

6.4. CHAP-Algorithm AVP Values

   As defined in Section 4.3.4, the CHAP-Algorithm AVP (AVP Code 403)
   uses the values of the "PPP AUTHENTICATION ALGORITHMS" namespace
   defined in [RFC1994].

6.5. Accounting-Auth-Method AVP Values

   As defined in Section 4.6.7, the Accounting-Auth-Method AVP (AVP Code
   406) defines the values 1 - 5.  All remaining values are available
   for assignment via the IETF Review policy [RFC5226].
7. Security Considerations

This document describes the extension of Diameter for the NAS
application. The security considerations of the Diameter protocol
itself have been discussed in [I-D.ietf-dime-rfc3588bis]. Use of
this application of Diameter MUST take into consideration the
security issues and requirements of the Base protocol.

This document does not contain a security protocol but does discuss
[RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", RFC 3162, August 2001.

[RFC3516] Nerenberg, L., "IMAP4 Binary Content Extension", RFC 3516, April 2003.

[RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and Accounting (AAA) Transport Profile", RFC 3539, June 2003.

[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.
8.2. Informative References

[ARAP] Apple Computer, "Apple Remote Access Protocol (ARAP) Version 2.0 External Reference Specification", R0612LL/B, September 1994.

[AppleTalk] Sidhu, G., Andrews, R., and A. Oppenheimer, "Inside AppleTalk", Second Edition, Apple Computer, 1990.
[RFC2597] Heinanen, J., Baker, F., Weiss, W., and J. Wroclawski, "Assured Forwarding PHB Group", RFC 2597, June 1999.

[RFC2637] Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little, W., and G. Zorn, "Point-to-Point Tunneling Protocol", RFC 2637, July 1999.

[RFC2661] Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn, G., and B. Palter, "Layer Two Tunneling Protocol "L2TP"", RFC 2661, August 1999.

[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[RFC2867] Zorn, G., Aboba, B., and D. Mitton, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000.

[RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M., and I. Goyret,
[RFC3169] Beadles, M. and D. Mitton, "Criteria for Evaluating Network Access Server Protocols", RFC 3169, September 2001.

[RFC3246] Davie, B., Charny, A., Bennet, J., Benson, K., Le Boudec, J., Courtney, W., Davari, S., Firoiu, V., and D. Stiliadis, "An Expedited Forwarding PHB (Per-Hop Behavior)", RFC 3246, March 2002.

[RFC3575] Aboba, B., "IANA Considerations for RADIUS (Remote Authentication Dial In User Service)", RFC 3575, July 2003.

[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", RFC 3580, September 2003.

[RFC3931] Lau, J., Townsley, M., and I. Goyret, "Layer Two Tunneling Protocol - Version 3 (L2TPv3)", RFC 3931, March 2005.

[RFC4004] Calhoun, P., Johansson, T., Perkins, C., Hiller, T., and P. McCann, "Diameter Mobile IPv4 Application", RFC 4004, August 2005.

[RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible Authentication Protocol (EAP) Application", RFC 4072, August 2005.

[RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.
Appendix A. Acknowledgements

A.1. RFC 4005

The authors would like to thank Carl Rigney, Allan C. Rubens, William
Allen Simpson, and Steve Willens for their work on the original
RADIUS protocol, from which many of the concepts in this
specification were derived. Thanks, also, to Carl Rigney for
[RFC2866] and [RFC2869]; Ward Willats for [RFC2869]; Glen Zorn,
Bernard Aboba, and Dave Mitton for [RFC2867] and [RFC3162]; and Dory