rfcdiff: draft-ietf-dime-rfc4005bis-07.txt vs. draft-ietf-dime-rfc4005bis-08.txt

The text below is shown as it appears in the -08 revision; where -07 differs, its wording follows in a bracketed "-07:" note.

Network Working Group                                       G. Zorn, Ed.
Internet-Draft                                                Network Zen
Obsoletes: 4005 (if approved)                             April 23, 2012
Intended status: Standards Track
Expires: October 25, 2012

                Diameter Network Access Server Application
                      draft-ietf-dime-rfc4005bis-08

[-07: dated February 4, 2012, expiring August 7, 2012, and named draft-ietf-dime-rfc4005bis-07.]
Abstract

   This document describes the Diameter protocol application used for
   Authentication, Authorization, and Accounting (AAA) services in the
   Network Access Server (NAS) environment; it obsoletes RFC 4005.  When
   combined with the Diameter Base protocol, Transport Profile, and
   Extensible Authentication Protocol specifications, this application
   specification satisfies typical network access services requirements.
[skipping to change at page 1, line 36]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 25, 2012.
   [-07: "This Internet-Draft will expire on August 7, 2012."]

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
[skipping to change at page 3, line 23]

   (Table of contents excerpt.  Page numbers are those of -08; entries
   marked with * changed between -07 and -08, each moving down by one
   page.)

      4.4.5.   Port-Limit AVP . . . . . . . . . . . . . . . . . . . . 34
      4.4.6.   NAS-Filter-Rule AVP  . . . . . . . . . . . . . . . . . 34
      4.4.7.   Filter-Id AVP  . . . . . . . . . . . . . . . . . . . . 34
      4.4.8.   Configuration-Token AVP  . . . . . . . . . . . . . . . 35
      4.4.9.   QoS-Filter-Rule AVP  . . . . . . . . . . . . . . . . . 35
      4.4.10.  Framed Access Authorization AVPs . . . . . . . . . . . 36
        4.4.10.1.  Framed-Protocol AVP  . . . . . . . . . . . . . . . 36
        4.4.10.2.  Framed-Routing AVP . . . . . . . . . . . . . . . . 36
        4.4.10.3.  Framed-MTU AVP . . . . . . . . . . . . . . . . . . 36
        4.4.10.4.  Framed-Compression AVP . . . . . . . . . . . . . . 36
        4.4.10.5.  IP Access Authorization AVPs . . . . . . . . . . . 37 *
          4.4.10.5.1.  Framed-IP-Address AVP  . . . . . . . . . . . . 37
          4.4.10.5.2.  Framed-IP-Netmask AVP  . . . . . . . . . . . . 37
          4.4.10.5.3.  Framed-Route AVP . . . . . . . . . . . . . . . 37
          4.4.10.5.4.  Framed-Pool AVP  . . . . . . . . . . . . . . . 38
          4.4.10.5.5.  Framed-Interface-Id AVP  . . . . . . . . . . . 38
          4.4.10.5.6.  Framed-IPv6-Prefix AVP . . . . . . . . . . . . 38
          4.4.10.5.7.  Framed-IPv6-Route AVP  . . . . . . . . . . . . 38
          4.4.10.5.8.  Framed-IPv6-Pool AVP . . . . . . . . . . . . . 39
        4.4.10.6.  IPX Access AVPs  . . . . . . . . . . . . . . . . . 39
          4.4.10.6.1.  Framed-IPX-Network AVP . . . . . . . . . . . . 39
        4.4.10.7.  AppleTalk Network Access AVPs  . . . . . . . . . . 39
          4.4.10.7.1.  Framed-AppleTalk-Link AVP  . . . . . . . . . . 39
          4.4.10.7.2.  Framed-AppleTalk-Network AVP . . . . . . . . . 40
          4.4.10.7.3.  Framed-AppleTalk-Zone AVP  . . . . . . . . . . 40
        4.4.10.8.  AppleTalk Remote Access AVPs . . . . . . . . . . . 40
          4.4.10.8.1.  ARAP-Features AVP  . . . . . . . . . . . . . . 40
          4.4.10.8.2.  ARAP-Zone-Access AVP . . . . . . . . . . . . . 41 *
      4.4.11.  Non-Framed Access Authorization AVPs . . . . . . . . . 41
        4.4.11.1.  Login-IP-Host AVP  . . . . . . . . . . . . . . . . 41
        4.4.11.2.  Login-IPv6-Host AVP  . . . . . . . . . . . . . . . 41
        4.4.11.3.  Login-Service AVP  . . . . . . . . . . . . . . . . 42 *
        4.4.11.4.  TCP Services . . . . . . . . . . . . . . . . . . . 42
          4.4.11.4.1.  Login-TCP-Port AVP . . . . . . . . . . . . . . 42
        4.4.11.5.  LAT Services . . . . . . . . . . . . . . . . . . . 42
          4.4.11.5.1.  Login-LAT-Service AVP  . . . . . . . . . . . . 42
          4.4.11.5.2.  Login-LAT-Node AVP . . . . . . . . . . . . . . 43
          4.4.11.5.3.  Login-LAT-Group AVP  . . . . . . . . . . . . . 43
          4.4.11.5.4.  Login-LAT-Port AVP . . . . . . . . . . . . . . 44 *
    4.5.  NAS Tunneling AVPs . . . . . . . . . . . . . . . . . . . . . 44
      4.5.1.   Tunneling AVP  . . . . . . . . . . . . . . . . . . . . 45 *
      4.5.2.   Tunnel-Type AVP  . . . . . . . . . . . . . . . . . . . 45
      4.5.3.   Tunnel-Medium-Type AVP . . . . . . . . . . . . . . . . 46 *
      4.5.4.   Tunnel-Client-Endpoint AVP . . . . . . . . . . . . . . 46 *
      4.5.5.   Tunnel-Server-Endpoint AVP . . . . . . . . . . . . . . 47 *
      4.5.6.   Tunnel-Password AVP  . . . . . . . . . . . . . . . . . 47
      4.5.7.   Tunnel-Private-Group-Id AVP  . . . . . . . . . . . . . 47
      4.5.8.   Tunnel-Assignment-Id AVP . . . . . . . . . . . . . . . 48 *
      4.5.9.   Tunnel-Preference AVP  . . . . . . . . . . . . . . . . 49
      4.5.10.  Tunnel-Client-Auth-Id AVP  . . . . . . . . . . . . . . 50 *
      4.5.11.  Tunnel-Server-Auth-Id AVP  . . . . . . . . . . . . . . 50 *
    4.6.  NAS Accounting AVPs  . . . . . . . . . . . . . . . . . . . . 50
      4.6.1.   Accounting-Input-Octets AVP  . . . . . . . . . . . . . 51
      4.6.2.   Accounting-Output-Octets AVP . . . . . . . . . . . . . 51
      4.6.3.   Accounting-Input-Packets AVP . . . . . . . . . . . . . 51
      4.6.4.   Accounting-Output-Packets AVP  . . . . . . . . . . . . 52 *
      4.6.5.   Acct-Session-Time AVP  . . . . . . . . . . . . . . . . 52 *
      4.6.6.   Acct-Authentic AVP . . . . . . . . . . . . . . . . . . 52
      4.6.7.   Accounting-Auth-Method AVP . . . . . . . . . . . . . . 52
      4.6.8.   Acct-Delay-Time AVP  . . . . . . . . . . . . . . . . . 52
      4.6.9.   Acct-Link-Count AVP  . . . . . . . . . . . . . . . . . 53 *
      4.6.10.  Acct-Tunnel-Connection AVP . . . . . . . . . . . . . . 53
      4.6.11.  Acct-Tunnel-Packets-Lost AVP . . . . . . . . . . . . . 54 *
  5.  AVP Occurrence Tables  . . . . . . . . . . . . . . . . . . . . . 54 *
    5.1.  AA-Request/Answer AVP Table  . . . . . . . . . . . . . . . . 54
    5.2.  Accounting AVP Tables  . . . . . . . . . . . . . . . . . . . 57 *
      5.2.1.   Framed Access Accounting AVP Table . . . . . . . . . . 58 *
      5.2.2.   Non-Framed Access Accounting AVP Table . . . . . . . . 60 *
  6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . . 61 *
  7.  Security Considerations  . . . . . . . . . . . . . . . . . . . . 61 *
  8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 *
    8.1.  Normative References . . . . . . . . . . . . . . . . . . . . 62 *
    8.2.  Informative References . . . . . . . . . . . . . . . . . . . 63 *
  Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . . . 65 *
    A.1.  RFC 4005 . . . . . . . . . . . . . . . . . . . . . . . . . . 65 *
    A.2.  RFC 4005bis  . . . . . . . . . . . . . . . . . . . . . . . . 66 *
1.  Introduction

   This document describes the Diameter protocol application used for
   AAA in the Network Access Server (NAS) environment.  When combined
   with the Diameter Base protocol [I-D.ietf-dime-rfc3588bis], Transport
   Profile [RFC3539], and EAP [RFC4072] specifications, this
   specification satisfies the NAS-related requirements defined in
   Aboba, et al. [RFC2989] and Beadles & Mitton [RFC3169].
   [-07: "requirements defined in [RFC2989] and [RFC3169]."]

   First, this document describes the operation of a Diameter NAS
   application.  Then it defines the Diameter message Command-Codes.
   The following sections list the AVPs used in these messages, grouped
   by common usage.  These are session identification, authentication,
   authorization, tunneling, and accounting.  The authorization AVPs are
   further broken down by service type.

1.1.  Terminology
[skipping to change at page 26, line 31]

4.2.5.  Called-Station-Id AVP

   The Called-Station-Id AVP (AVP Code 30) is of type UTF8String and
   allows the NAS to send the ASCII string describing the Layer 2
   address the user contacted in the request.  For dialup access, this
   can be a phone number obtained by using the Dialed Number
   Identification Service (DNIS) or a similar technology.  Note that
   this may be different from the phone number the call comes in on.
   For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC
   address formatted as described in Congdon, et al. [RFC3580].
   [-07: "formatted as described in [RFC3580]."]

   If the Called-Station-Id AVP is present in an AAR message, Auth-
   Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is
   absent, the Diameter Server MAY perform authorization based on this
   AVP.  This can be used by a NAS to request whether a call should be
   answered based on the DNIS result.

   The codification of this field's allowed usage range is outside the
   scope of this specification.
4.2.6.  Calling-Station-Id AVP

   The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and
   allows the NAS to send the ASCII string describing the Layer 2
   address from which the user connected in the request.  For dialup
   access, this is the phone number the call came from, using Automatic
   Number Identification (ANI) or a similar technology.  For use with
   IEEE 802 access, the Calling-Station-Id AVP MAY contain a MAC
   address, formatted as described in RFC 3580.
   [-07: "formatted as described in [RFC3580]."]

   If the Calling-Station-Id AVP is present in an AAR message, the Auth-
   Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is
   absent, the Diameter Server MAY perform authorization based on the
   value of this AVP.  This can be used by a NAS to request whether a
   call should be answered based on the Layer 2 address (ANI, MAC
   Address, etc.).

   The codification of this field's allowed usage range is outside the
   scope of this specification.
[skipping to change at page 29, line 12]

      ARAP-Security-Data           4.3.12   | M  | V   |
   -----------------------------------------|----+-----|

4.3.1.  User-Password AVP

   The User-Password AVP (AVP Code 2) is of type OctetString and
   contains the password of the user to be authenticated, or the user's
   input in a multi-round authentication exchange.

   The User-Password AVP contains a user password or one-time password
   and therefore represents sensitive information.  As required by
   Fajardo, et al. [I-D.ietf-dime-rfc3588bis], Diameter messages are
   encrypted by using IPsec [RFC4301] or TLS [RFC5246].  Unless this AVP
   is used for one-time passwords, the User-Password AVP SHOULD NOT be
   used in untrusted proxy environments without encrypting it by using
   end-to-end security techniques.
   [-07: "As required in [I-D.ietf-dime-rfc3588bis], Diameter messages
   are encrypted by using IPsec [RFC4301] or TLS [RFC5246]."]

   The clear-text password (prior to encryption) MUST NOT be longer than
   128 bytes in length.
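As an added illustration (not code from the draft or any Diameter implementation), a small Python encoder/decoder for the AVPs defined on this page: it sets the M flag and refuses the V flag as the flag table requires, enforces the 128-octet clear-text limit on User-Password, bounds-checks every AVP length on decode, and redacts User-Password when rendering AVPs for a log line. The AVP header layout follows the Diameter base protocol; the AA-Request AVP values are constructed samples.

```python
import struct

# AVP codes and types quoted from the draft sections on this page
USER_PASSWORD = 2          # Section 4.3.1, OctetString (sensitive)
LOGIN_SERVICE = 15         # Section 4.4.11.3, Enumerated
LOGIN_TCP_PORT = 16        # Section 4.4.11.4.1, Unsigned32
CALLED_STATION_ID = 30     # Section 4.2.5, UTF8String (DNIS / MAC)
CALLING_STATION_ID = 31    # Section 4.2.6, UTF8String (ANI / MAC)
PASSWORD_RETRY = 75        # Section 4.3.2, Unsigned32

# AVP header flag bits from the Diameter base protocol
FLAG_V = 0x80  # vendor-specific: the flag table says MUST NOT for these AVPs
FLAG_M = 0x40  # mandatory: the flag table says MUST for these AVPs
FLAG_P = 0x20

MAX_CLEARTEXT_PASSWORD = 128   # Section 4.3.1
SENSITIVE_AVPS = {USER_PASSWORD}


def encode_avp(code: int, data: bytes, flags: int = FLAG_M) -> bytes:
    """Serialize one AVP: code(4) | flags(1) | length(3) | data | pad to 4 octets.
    The length field covers header and data but not the padding."""
    if flags & FLAG_V:
        raise ValueError("NAS application AVPs MUST NOT carry the V flag")
    if not flags & FLAG_M:
        raise ValueError("NAS application AVPs MUST carry the M flag")
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)


def encode_user_password(password: bytes) -> bytes:
    """User-Password AVP; the 128-octet clear-text limit is checked before encoding."""
    if len(password) > MAX_CLEARTEXT_PASSWORD:
        raise ValueError("clear-text password MUST NOT be longer than 128 octets")
    return encode_avp(USER_PASSWORD, password)


def encode_unsigned32(code: int, value: int) -> bytes:
    return encode_avp(code, struct.pack("!I", value))


def encode_utf8string(code: int, text: str) -> bytes:
    return encode_avp(code, text.encode("utf-8"))


def decode_avps(buf: bytes) -> list:
    """Parse a run of AVPs into (code, flags, data) tuples.  Each declared
    length is checked against the buffer so a truncated or oversized AVP
    raises instead of reading past the end."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_V else 8   # Vendor-ID present when V is set
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        avps.append((code, flags, bytes(buf[off + hdr:off + length])))
        off += length + (-length % 4)       # step over the padding as well
    return avps


def summarize_for_log(avps: list) -> list:
    """Render decoded AVPs for a log line without ever emitting password octets."""
    out = []
    for code, flags, data in avps:
        if code in SENSITIVE_AVPS:
            out.append("avp=%d flags=0x%02x data=<redacted %d octets>"
                       % (code, flags, len(data)))
        else:
            out.append("avp=%d flags=0x%02x data=%s" % (code, flags, data.hex()))
    return out


def build_sample_request() -> bytes:
    """Constructed sample: AVPs a NAS might place in an AA-Request for a dial-in call."""
    return (encode_utf8string(CALLED_STATION_ID, "5551234")     # DNIS, constructed
            + encode_utf8string(CALLING_STATION_ID, "5559876")  # ANI, constructed
            + encode_user_password(b"hunter2x"))                # constructed password


if __name__ == "__main__":
    for line in summarize_for_log(decode_avps(build_sample_request())):
        print(line)
```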
4.3.2.  Password-Retry AVP

   The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be
   included in the AA-Answer if the Result-Code indicates an
   authentication failure.  The value of this AVP indicates how many
   authentication attempts a user is permitted before being
[skipping to change at page 30, line 46]

   The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and
   contains the CHAP Challenge sent by the NAS to the CHAP peer
   [RFC1994].
4.3.9.  ARAP-Password AVP

   The ARAP-Password AVP (AVP Code 70) is of type OctetString and is
   only present when the Framed-Protocol AVP (Section 4.4.10.1) is
   included in the message and is set to ARAP.  This AVP MUST NOT be
   present if either the User-Password or the CHAP-Auth AVP is present.
   See Rigney, et al. [RFC2869] for more information on the contents of
   this AVP.
   [-07: "See [RFC2869] for more information on the contents of this AVP."]
4.3.10.  ARAP-Challenge-Response AVP

   The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString
   and is only present when the Framed-Protocol AVP (Section 4.4.10.1)
   is included in the message and is set to ARAP.  This AVP contains an
   8 octet response to the dial-in client's challenge.  The Diameter
   server calculates this value by taking the dial-in client's challenge
   from the high-order 8 octets of the ARAP-Password AVP and performing
   DES encryption on this value with the authenticating user's password
   as the key.  If the user's password is fewer than 8 octets in length,
   the password is padded at the end with NULL octets to a length of 8
   before it is used as a key.
4.3.11.  ARAP-Security AVP

   The ARAP-Security AVP (AVP Code 73) is of type Unsigned32 and MAY be
   present in the AA-Answer message if the Framed-Protocol AVP
   (Section 4.4.10.1) is set to the value of ARAP, and the Result-Code
   AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to
   DIAMETER_MULTI_ROUND_AUTH.  See RFC 2869 for more information on the
   contents of this AVP.
   [-07: "See [RFC2869] for more information on the contents of this AVP."]
4.3.12.  ARAP-Security-Data AVP

   The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString and
   MAY be present in the AA-Request or AA-Answer message if the Framed-
   Protocol AVP (Section 4.4.10.1) is set to the value of ARAP and the
   Result-Code AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to
   DIAMETER_MULTI_ROUND_AUTH.  This AVP contains the security module
   challenge or response associated with the ARAP Security Module
[skipping to change at page 35, line 29]

   The format of the Data field of this AVP is site specific.
4.4.9.  QoS-Filter-Rule AVP

   The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule
   (Section 4.1.1) and provides QoS filter rules that need to be
   configured on the NAS for the user.  One or more such AVPs MAY be
   present in an authorization response.

   The use of this AVP is NOT RECOMMENDED; the AVPs defined by Korhonen,
   et al. [RFC5777] SHOULD be used instead.

   DSCP <color>
      If action is set to tag (Section 4.1.1), this option MUST be
      included in the rule.

      Color values are defined in Nichols, et al. [RFC2474].  Exact
      matching of DSCP values is required (no masks or ranges).
      [-07: "Color values are defined in [RFC2474]."]

   metering <rate> <color_under> <color_over>
      The metering option provides Assured Forwarding, as defined in
      Heinanen, et al. [RFC2597], and MUST be present if the action is
      set to meter (Section 4.1.1).  The rate option is the throughput,
      in bits per second, used by the access device to mark packets.
      Traffic over the rate is marked with the color_over codepoint, and
      traffic under the rate is marked with the color_under codepoint.
      The color_under and color_over options contain the drop
      preferences and MUST conform to the recommended codepoint keywords
      described in RFC 2597 (e.g., AF13).
      [-07: "as defined in [RFC2597]" and "described in [RFC2597]".]

      The metering option also supports the strict limit on traffic
      required by Expedited Forwarding, as defined in Davie, et al.
      [RFC3246].  The color_over option may contain the keyword "drop"
      to prevent forwarding of traffic that exceeds the rate parameter.
      [-07: "as defined in [RFC3246]."]
4.4.10.  Framed Access Authorization AVPs

   This section lists the authorization AVPs necessary to support framed
   access, such as PPP and SLIP.  AVPs defined in this section MAY be
   present in a message if the Service-Type AVP was set to "Framed" or
   "Callback Framed".

4.4.10.1.  Framed-Protocol AVP
[skipping to change at page 40, line 43 (-07: line 37)]

   The codification of this field's allowed range is outside the scope
   of this specification.
4.4.10.8.  AppleTalk Remote Access AVPs

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to the AppleTalk network via the AppleTalk
   Remote Access Protocol [ARAP].  They are only present if the Framed-
   Protocol AVP (Section 4.4.10.1) is set to ARAP.  Section 2.2 of RFC
   2869 describes the operational use of these attributes.
   [-07: "Section 2.2 of RFC 2869 [RFC2869] describes ..."]
4.4.10.8.1.  ARAP-Features AVP

   The ARAP-Features AVP (AVP Code 71) is of type OctetString and MAY be
   present in the AA-Accept message if the Framed-Protocol AVP is set to
   the value of ARAP.  See RFC 2869 for more information about the
   format of this AVP.
   [-07: "See [RFC2869] for more information about the format of this AVP."]
4.4.10.8.2.  ARAP-Zone-Access AVP

   The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated and MAY
   be present in the AA-Accept message if the Framed-Protocol AVP is set
   to the value of ARAP.

   The supported values are listed in [RADIUSTypes] and defined in RFC
   2869.
   [-07: "and defined in [RFC2869]."]
4.4.11.  Non-Framed Access Authorization AVPs

   This section contains the authorization AVPs that are needed to
   support terminal server functionality.  AVPs defined in this section
   MAY be present in a message if the Service-Type AVP was set to
   "Login" or "Callback Login".

4.4.11.1.  Login-IP-Host AVP
[skipping to change at page 42, line 10 (-07: page 41, line 49)]

   0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0.  The value
   0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD
   allow the user to select an address.  The value 0 indicates that the
   NAS SHOULD select a host to connect the user to.
4.4.11.3.  Login-Service AVP

   The Login-Service AVP (AVP Code 15) is of type Enumerated and
   contains the service that should be used to connect the user to the
   login host.  This AVP SHOULD only be present in authorization
   responses.  The supported values are listed in RFC 2869.
   [-07: "The supported values are listed in [RFC2869]."]
4.4.11.4.  TCP Services

   The AVP described in the following section MAY be present if the
   Login-Service AVP is set to Telnet, Rlogin, TCP Clear, or TCP Clear
   Quiet.

4.4.11.4.1.  Login-TCP-Port AVP

   The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and
[skipping to change at page 44, line 30 (-07: line 21)]

   All LAT string comparisons are case insensitive.

4.5.  NAS Tunneling AVPs

   Some NASes support compulsory tunnel services in which the incoming
   connection data is conveyed by an encapsulation method to a gateway
   elsewhere in the network.  This is typically transparent to the
   service user, and the tunnel characteristics may be described by the
   remote AAA server, based on the user's authorization information.
   Several tunnel characteristics may be returned, and the NAS
   implementation may choose one.  See Zorn, et al. [RFC2868] and Zorn,
   Aboba & Mitton [RFC2867] for further information.
   [-07: "See [RFC2868] and [RFC2867] for further information."]

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                            +----------+
                                            | AVP Flag |
                                            |  rules   |
                                            |----+-----|
                                            |MUST| MUST|
   Attribute Name            Section Defined |    | NOT |
[skipping to change at page 62, line 24 (-07: page 61, line 24)]

8.1.  Normative References

   [ANITypes]                  NANPA Number Resource Info, "ANI
                               Assignments", <http://www.nanpa.com/
                               number_resource_info/
                               ani_ii_assignments.html>.

   [I-D.ietf-dime-rfc3588bis]  Fajardo, V., Arkko, J., Loughney, J., and
                               G. Zorn, "Diameter Base Protocol",
                               draft-ietf-dime-rfc3588bis-32 (work in
                               progress), April 2012.
                               [-07 cited draft-ietf-dime-rfc3588bis-29
                               (work in progress), August 2011.]

   [RADIUSTypes]               IANA, "RADIUS Types", <http://
                               www.iana.org/assignments/radius-types>.

   [RFC1994]                   Simpson, W., "PPP Challenge Handshake
                               Authentication Protocol (CHAP)",
                               RFC 1994, August 1996.

   [RFC2119]                   Bradner, S., "Key words for use in RFCs
                               to Indicate Requirement Levels", BCP 14,
End of changes.  32 change blocks.  66 lines changed or deleted, 68 lines changed or added.

This html diff was produced by rfcdiff 1.41.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/