draft-ietf-dime-rfc4005bis-08.txt   draft-ietf-dime-rfc4005bis-09.txt 
Network Working Group G. Zorn, Ed. Network Working Group G. Zorn, Ed.
Internet-Draft Network Zen Internet-Draft Network Zen
Obsoletes: 4005 (if approved) April 23, 2012 Obsoletes: 4005 (if approved) May 18, 2012
Intended status: Standards Track Intended status: Standards Track
Expires: October 25, 2012 Expires: November 19, 2012
Diameter Network Access Server Application Diameter Network Access Server Application
draft-ietf-dime-rfc4005bis-08 draft-ietf-dime-rfc4005bis-09
Abstract Abstract
This document describes the Diameter protocol application used for This document describes the Diameter protocol application used for
Authentication, Authorization, and Accounting (AAA) services in the Authentication, Authorization, and Accounting (AAA) services in the
Network Access Server (NAS) environment; it obsoletes RFC 4005. When Network Access Server (NAS) environment; it obsoletes RFC 4005. When
combined with the Diameter Base protocol, Transport Profile, and combined with the Diameter Base protocol, Transport Profile, and
Extensible Authentication Protocol specifications, this application Extensible Authentication Protocol specifications, this application
specification satisfies typical network access services requirements. specification satisfies typical network access services requirements.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 25, 2012. This Internet-Draft will expire on November 19, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.1. Changes from RFC 4005 . . . . . . . . . . . . . . . . . . 5
1.2. Requirements Language . . . . . . . . . . . . . . . . . . 6 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
1.3. Advertising Application Support . . . . . . . . . . . . . 6 1.3. Requirements Language . . . . . . . . . . . . . . . . . . 7
1.4. Application Identification . . . . . . . . . . . . . . . . 7 1.4. Advertising Application Support . . . . . . . . . . . . . 7
1.5. Accounting Model . . . . . . . . . . . . . . . . . . . . . 7 1.5. Application Identification . . . . . . . . . . . . . . . . 7
2. NAS Calls, Ports, and Sessions . . . . . . . . . . . . . . . . 7 1.6. Accounting Model . . . . . . . . . . . . . . . . . . . . . 8
2. NAS Calls, Ports, and Sessions . . . . . . . . . . . . . . . . 8
2.1. Diameter Session Establishment . . . . . . . . . . . . . . 8 2.1. Diameter Session Establishment . . . . . . . . . . . . . . 8
2.2. Diameter Session Reauthentication or Reauthorization . . . 8 2.2. Diameter Session Reauthentication or Reauthorization . . . 9
2.3. Diameter Session Termination . . . . . . . . . . . . . . . 9 2.3. Diameter Session Termination . . . . . . . . . . . . . . . 10
3. Diameter NAS Application Messages . . . . . . . . . . . . . . 9 3. Diameter NAS Application Messages . . . . . . . . . . . . . . 10
3.1. AA-Request (AAR) Command . . . . . . . . . . . . . . . . . 10 3.1. AA-Request (AAR) Command . . . . . . . . . . . . . . . . . 11
3.2. AA-Answer (AAA) Command . . . . . . . . . . . . . . . . . 12 3.2. AA-Answer (AAA) Command . . . . . . . . . . . . . . . . . 12
3.3. Re-Auth-Request (RAR) Command . . . . . . . . . . . . . . 14 3.3. Re-Auth-Request (RAR) Command . . . . . . . . . . . . . . 14
3.4. Re-Auth-Answer (RAA) Command . . . . . . . . . . . . . . . 15 3.4. Re-Auth-Answer (RAA) Command . . . . . . . . . . . . . . . 15
3.5. Session-Termination-Request (STR) Command . . . . . . . . 16 3.5. Session-Termination-Request (STR) Command . . . . . . . . 16
3.6. Session-Termination-Answer (STA) Command . . . . . . . . . 17 3.6. Session-Termination-Answer (STA) Command . . . . . . . . . 17
3.7. Abort-Session-Request (ASR) Command . . . . . . . . . . . 18 3.7. Abort-Session-Request (ASR) Command . . . . . . . . . . . 18
3.8. Abort-Session-Answer (ASA) Command . . . . . . . . . . . . 19 3.8. Abort-Session-Answer (ASA) Command . . . . . . . . . . . . 19
3.9. Accounting-Request (ACR) Command . . . . . . . . . . . . . 20 3.9. Accounting-Request (ACR) Command . . . . . . . . . . . . . 20
3.10. Accounting-Answer (ACA) Command . . . . . . . . . . . . . 22 3.10. Accounting-Answer (ACA) Command . . . . . . . . . . . . . 22
4. Diameter NAS Application AVPs . . . . . . . . . . . . . . . . 23 4. Diameter NAS Application AVPs . . . . . . . . . . . . . . . . 23
skipping to change at page 4, line 39 skipping to change at page 4, line 39
5. AVP Occurrence Tables . . . . . . . . . . . . . . . . . . . . 54 5. AVP Occurrence Tables . . . . . . . . . . . . . . . . . . . . 54
5.1. AA-Request/Answer AVP Table . . . . . . . . . . . . . . . 54 5.1. AA-Request/Answer AVP Table . . . . . . . . . . . . . . . 54
5.2. Accounting AVP Tables . . . . . . . . . . . . . . . . . . 57 5.2. Accounting AVP Tables . . . . . . . . . . . . . . . . . . 57
5.2.1. Framed Access Accounting AVP Table . . . . . . . . . . 58 5.2.1. Framed Access Accounting AVP Table . . . . . . . . . . 58
5.2.2. Non-Framed Access Accounting AVP Table . . . . . . . . 60 5.2.2. Non-Framed Access Accounting AVP Table . . . . . . . . 60
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 61 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 61
7. Security Considerations . . . . . . . . . . . . . . . . . . . 61 7. Security Considerations . . . . . . . . . . . . . . . . . . . 61
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 62 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 62
8.1. Normative References . . . . . . . . . . . . . . . . . . . 62 8.1. Normative References . . . . . . . . . . . . . . . . . . . 62
8.2. Informative References . . . . . . . . . . . . . . . . . . 63 8.2. Informative References . . . . . . . . . . . . . . . . . . 63
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 65 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 66
A.1. RFC 4005 . . . . . . . . . . . . . . . . . . . . . . . . . 65 A.1. RFC 4005 . . . . . . . . . . . . . . . . . . . . . . . . . 66
A.2. RFC 4005bis . . . . . . . . . . . . . . . . . . . . . . . 66 A.2. RFC 4005bis . . . . . . . . . . . . . . . . . . . . . . . 67
1. Introduction 1. Introduction
This document describes the Diameter protocol application used for This document describes the Diameter protocol application used for
AAA in the Network Access Server (NAS) environment. When combined AAA in the Network Access Server (NAS) environment. When combined
with the Diameter Base protocol [I-D.ietf-dime-rfc3588bis], Transport with the Diameter Base protocol [I-D.ietf-dime-rfc3588bis], Transport
Profile [RFC3539], and EAP [RFC4072] specifications, this Profile [RFC3539], and EAP [RFC4072] specifications, this
specification satisfies the NAS-related requirements defined in specification satisfies the NAS-related requirements defined in
Aboba, et al. [RFC2989] and Beadles & Mitton [RFC3169]. Aboba, et al. [RFC2989] and Beadles & Mitton [RFC3169].
First, this document describes the operation of a Diameter NAS First, this document describes the operation of a Diameter NAS
application. Then it defines the Diameter message Command-Codes. application. Then it defines the Diameter message Command-Codes.
The following sections list the AVPs used in these messages, grouped The following sections list the AVPs used in these messages, grouped
by common usage. These are session identification, authentication, by common usage. These are session identification, authentication,
authorization, tunneling, and accounting. The authorization AVPs are authorization, tunneling, and accounting. The authorization AVPs are
further broken down by service type. further broken down by service type.
1.1. Terminology 1.1. Changes from RFC 4005
This document obsoletes RFC 4005 and is not backward compatible with
that document. An overview of some the major changes are given
below.
o All of the material regarding RADIUS/Diameter protocol
interactions has been removed.
o The Command Code Format (CCF) [I-D.ietf-dime-rfc3588bis] for the
Accounting-Request and Accounting-Answer messages has been changed
to explicitly require the inclusion of the Acct-Application-Id AVP
and exclude the Vendor-Specific-Application-Id AVP. Normally,
this type of change would also require the allocation of a new
command code and consequently, a new application-id (See Section
1.3.3 of [I-D.ietf-dime-rfc3588bis]). However, the presence of an
instance of the Acct-Application-Id AVP was required in RFC 4005,
as well:
The ACR message [BASE] is sent by the NAS to report its session
information to a target server downstream.
Either of Acct-Application-Id or Vendor-Specific-Application-Id
AVPs MUST be present. If the Vendor-Specific-Application-Id
grouped AVP is present, it must have an Acct-Application-Id
inside.
Thus, though the syntax of the commands has changed, the semantics
have not (with the caveat that the Acct-Application-Id AVP can no
longer be contained in the Vendor-Specific-Application-Id AVP).
o The lists of RADIUS attribute values have been deleted in favor of
references to the appropriate IANA registries.
o The accounting model to be used is now specified.
There are many other many miscellaneous fixes that have been
introduced in this document that may not be considered significant
but they are useful nonetheless. Examples are fixes to example IP
addresses, addition of clarifying references, etc. All of the errata
previously filed against RFC 4005 have been fixed. A comprehensive
list of changes is not shown here for practical reasons.
1.2. Terminology
Section 1.2 of the base Diameter specification Section 1.2 of the base Diameter specification
[I-D.ietf-dime-rfc3588bis] defines most of the terminology used in [I-D.ietf-dime-rfc3588bis] defines most of the terminology used in
this document. Additionally, the following terms and acronyms are this document. Additionally, the following terms and acronyms are
used in this application: used in this application:
NAS (Network Access Server) NAS (Network Access Server)
A device that provides an access service for a user to a network. A device that provides an access service for a user to a network.
The service may be a network connection or a value-added service The service may be a network connection or a value-added service
such as terminal emulation [RFC2881]. such as terminal emulation [RFC2881].
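Review bot: The caveat closing the ACR/ACA bullet in new Section 1.1 understates the interoperability impact of the CCF change: an RFC 4005 peer that carries Acct-Application-Id only inside a Vendor-Specific-Application-Id AVP (explicitly allowed by the quoted RFC 4005 text, "If the Vendor-Specific-Application-Id grouped AVP is present, it must have an Acct-Application-Id inside") no longer satisfies the requirement that Acct-Application-Id be present at the top level, so the change is semantic for such peers, not merely syntactic; say so next to "is not backward compatible". Two editorial nits in the same section: "An overview of some the major changes are given below" should read "An overview of some of the major changes is given below", and "many other many miscellaneous fixes" has a duplicated "many".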
skipping to change at page 6, line 41 skipping to change at page 7, line 33
PPTP (Point-to-Point Tunneling Protocol) PPTP (Point-to-Point Tunneling Protocol)
A protocol which allows PPP to be tunneled through an IP network A protocol which allows PPP to be tunneled through an IP network
[RFC2637]. [RFC2637].
VPN (Virtual Private Network) VPN (Virtual Private Network)
In this document, this term is used to describe access services In this document, this term is used to describe access services
that use tunneling methods. that use tunneling methods.
1.2. Requirements Language 1.3. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
1.3. Advertising Application Support 1.4. Advertising Application Support
Diameter applications conforming to this specification MUST advertise Diameter nodes conforming to this specification MUST advertise
support by including the value of one (1) in the Auth-Application-Id support by including the value of one (1) in the Auth-Application-Id
of the Capabilities-Exchange-Request (CER) message. of the Capabilities-Exchange-Request (CER) message.
1.4. Application Identification 1.5. Application Identification
The Auth-Application-Id AVP MUST be set to the value one (1) in the When used in this application, the Auth-Application-Id AVP MUST be
following messages set to the value one (1) in the following messages
o AA-Request (Section 3.1) o AA-Request (Section 3.1)
o Re-Auth-Request(Section 3.3) o Re-Auth-Request(Section 3.3)
o Session-Termination-Request (Section 3.5) o Session-Termination-Request (Section 3.5)
o Abort-Session-Request (Section 3.7) o Abort-Session-Request (Section 3.7)
1.5. Accounting Model 1.6. Accounting Model
It is RECOMMENDED that the coupled accounting model (Section 9.3 of It is RECOMMENDED that the coupled accounting model (Section 9.3 of
[I-D.ietf-dime-rfc3588bis]) be used with this application; therefore, [I-D.ietf-dime-rfc3588bis]) be used with this application; therefore,
the value of the Acct-Application-Id AVP in the Accounting-Request the value of the Acct-Application-Id AVP in the Accounting-Request
(Section 3.10) and Accounting-Answer (Section 3.9) messages SHOULD be (Section 3.10) and Accounting-Answer (Section 3.9) messages SHOULD be
set to one (1). set to one (1).
2. NAS Calls, Ports, and Sessions 2. NAS Calls, Ports, and Sessions
The arrival of a new call or service connection at a port of a The arrival of a new call or service connection at a port of a
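Review bot: Section 1.6 cites the command sections the wrong way round: per the table of contents and the headings later in this document, Accounting-Request is Section 3.9 and Accounting-Answer is Section 3.10, but the text reads "Accounting-Request (Section 3.10) and Accounting-Answer (Section 3.9)". Related: since 1.6 recommends Acct-Application-Id 1 for ACR/ACA, Section 1.4 should state whether a conforming node must also advertise Acct-Application-Id 1 in the CER, or only Auth-Application-Id 1 as currently written.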
skipping to change at page 22, line 27 skipping to change at page 22, line 27
[ Login-TCP-Port ] [ Login-TCP-Port ]
* [ Tunneling ] * [ Tunneling ]
* [ Proxy-Info ] * [ Proxy-Info ]
* [ Route-Record ] * [ Route-Record ]
* [ AVP ] * [ AVP ]
3.10. Accounting-Answer (ACA) Command 3.10. Accounting-Answer (ACA) Command
The ACA message [I-D.ietf-dime-rfc3588bis] is used to acknowledge an The ACA message [I-D.ietf-dime-rfc3588bis] is used to acknowledge an
Accounting-Request command. The Accounting-Answer command contains Accounting-Request command. The Accounting-Answer command contains
the same Session-Id as the Request. If the Accounting-Request was the same Session-Id as the Request. The same level of security MUST
protected by end-to-end security, then the corresponding ACA message be applied to both the Accounting-Request and the corresponding
MUST be protected as well. Accounting-Answer message. For example, if the ACR was protected
using end-to-end security techniques then the corresponding ACA
message MUST be protected in the same way; note, however, that the
definition of such techniques is outside the scope of this document.
Only the target Diameter Server or home Diameter Server SHOULD Only the target Diameter Server or home Diameter Server SHOULD
respond with the Accounting-Answer command. respond with the Accounting-Answer command.
Either the Acct-Application-Id AVP MUST be present, as it was in the The Acct-Application-Id AVP MUST be present.
request.
The AVPs listed in the Base protocol specification The AVPs listed in the Base protocol specification
[I-D.ietf-dime-rfc3588bis] MUST be assumed to be present, as [I-D.ietf-dime-rfc3588bis] MUST be assumed to be present, as
appropriate. NAS service-specific accounting AVPs SHOULD be present appropriate. NAS service-specific accounting AVPs SHOULD be present
as described in Section 4.6 and the rest of this specification. as described in Section 4.6 and the rest of this specification.
Message Format Message Format
<AC-Answer> ::= < Diameter Header: 271, PXY > <AC-Answer> ::= < Diameter Header: 271, PXY >
< Session-Id > < Session-Id >
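Review bot: The new sentence in Section 3.10, "The same level of security MUST be applied to both the Accounting-Request and the corresponding Accounting-Answer message", places a normative MUST on a mechanism that the same paragraph declares out of scope, and gives the NAS no defined way to check which "level" the server applied; suggest either downgrading to SHOULD with a pointer to Section 7, or defining "same level" in terms of the base protocol's transport security. The cleanup of "Either the Acct-Application-Id AVP MUST be present, as it was in the request" to "The Acct-Application-Id AVP MUST be present" is correct and matches the CCF change described in Section 1.1.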
skipping to change at page 25, line 18 skipping to change at page 25, line 18
protocol specification [I-D.ietf-dime-rfc3588bis]: protocol specification [I-D.ietf-dime-rfc3588bis]:
Session-Id Session-Id
Auth-Application-Id Auth-Application-Id
Origin-Host Origin-Host
Origin-Realm Origin-Realm
Auth-Request-Type Auth-Request-Type
Termination-Cause Termination-Cause
The following table gives the possible flag values for the session The following table gives the possible flag values for the session
level AVPs and specifies whether the AVP MAY be encrypted. level AVPs.
+----------+ +----------+
| AVP Flag | | AVP Flag |
| rules | | rules |
|----+-----+ |----+-----+
|MUST| MUST| |MUST| MUST|
Attribute Name Section Defined | | NOT| Attribute Name Section Defined | | NOT|
-----------------------------------------|----+-----| -----------------------------------------|----+-----|
NAS-Port 4.2.2 | M | V | NAS-Port 4.2.2 | M | V |
NAS-Port-Id 4.2.3 | M | V | NAS-Port-Id 4.2.3 | M | V |
NAS-Port-Type 4.2.4 | M | V | NAS-Port-Type 4.2.4 | M | V |
Called-Station-Id 4.2.5 | M | V | Called-Station-Id 4.2.5 | M | V |
Calling-Station-Id 4.2.6 | M | V | Calling-Station-Id 4.2.6 | M | V |
Connect-Info 4.2.7 | M | V | Connect-Info 4.2.7 | M | V |
Originating-Line-Info 4.2.8 | | V | Originating-Line-Info 4.2.8 | M | V |
Reply-Message 4.2.9 | M | V | Reply-Message 4.2.9 | M | V |
-----------------------------------------|----+-----| -----------------------------------------|----+-----|
4.2.2. NAS-Port AVP 4.2.2. NAS-Port AVP
The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the
physical or virtual port number of the NAS which is authenticating physical or virtual port number of the NAS which is authenticating
the user. Note that "port" is meant in its sense as a service the user. Note that "port" is meant in its sense as a service
connection on the NAS, not as an IP protocol identifier. connection on the NAS, not as an IP protocol identifier.
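Review bot: The Originating-Line-Info row (4.2.8) changes from no M-flag rule to "M" in the MUST column, which is a wire-visible change (a receiver that does not recognise an AVP with the M bit set must reject the message), yet it is not listed among the changes from RFC 4005 in Section 1.1; add it there and confirm it is intentional, noting that the Non-Framed accounting table in 5.2.2 still carries Originating-Line-Info as optional (0-1) in the ACR.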
skipping to change at page 26, line 7 skipping to change at page 26, line 7
be present in the AA-Request (AAR, Section 3.1) command if the NAS be present in the AA-Request (AAR, Section 3.1) command if the NAS
differentiates among its ports. differentiates among its ports.
4.2.3. NAS-Port-Id AVP 4.2.3. NAS-Port-Id AVP
The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists
of ASCII text identifying the port of the NAS authenticating the of ASCII text identifying the port of the NAS authenticating the
user. Note that "port" is meant in its sense as a service connection user. Note that "port" is meant in its sense as a service connection
on the NAS, not as an IP protocol identifier. on the NAS, not as an IP protocol identifier.
Either the NAS-Port-Id or the NAS-Port (Section 4.2.2) SHOULD be Either the NAS-Port-Id AVP or the NAS-Port AVP (Section 4.2.2) SHOULD
present in the AA-Request (AAR, Section 3.1) command if the NAS be present in the AA-Request (AAR, Section 3.1) command if the NAS
differentiates among its ports. NAS-Port-Id is intended for use by differentiates among its ports. NAS-Port-Id is intended for use by
NASes that cannot conveniently number their ports. NASes that cannot conveniently number their ports.
4.2.4. NAS-Port-Type AVP 4.2.4. NAS-Port-Type AVP
The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and
contains the type of the port on which the NAS is authenticating the contains the type of the port on which the NAS is authenticating the
user. This AVP SHOULD be present if the NAS uses the same NAS-Port user. This AVP SHOULD be present if the NAS uses the same NAS-Port
number ranges for different service types concurrently. number ranges for different service types concurrently.
skipping to change at page 28, line 30 skipping to change at page 28, line 30
4.3. NAS Authentication AVPs 4.3. NAS Authentication AVPs
This section defines the AVPs necessary to carry the authentication This section defines the AVPs necessary to carry the authentication
information in the Diameter protocol. The functionality defined here information in the Diameter protocol. The functionality defined here
provides a RADIUS-like AAA service [RFC2865] over a more reliable and provides a RADIUS-like AAA service [RFC2865] over a more reliable and
secure transport, as defined in the base protocol secure transport, as defined in the base protocol
[I-D.ietf-dime-rfc3588bis]. [I-D.ietf-dime-rfc3588bis].
The following table gives the possible flag values for the session The following table gives the possible flag values for the session
level AVPs and specifies whether the AVP MAY be encrypted. level AVPs.
+----------+ +----------+
| AVP Flag | | AVP Flag |
| rules | | rules |
|----+-----| |----+-----|
|MUST| MUST| |MUST| MUST|
Attribute Name Section Defined | | NOT| Attribute Name Section Defined | | NOT|
-----------------------------------------|----+-----| -----------------------------------------|----+-----|
User-Password 4.3.1 | M | V | User-Password 4.3.1 | M | V |
Password-Retry 4.3.2 | M | V | Password-Retry 4.3.2 | M | V |
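Review bot: With the "specifies whether the AVP MAY be encrypted" clause dropped from the table introduction in Section 4.3, nothing in this section now warns that User-Password (4.3.1) is unsafe without end-to-end protection; the new paragraph in Section 7 says exactly that, so add a cross-reference from this section (or from 4.3.1) to Section 7. Minor: the introduction still says "session level AVPs" although this table lists authentication AVPs, apparently copied from 4.2.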
skipping to change at page 31, line 40 skipping to change at page 31, line 40
specified in the ARAP-Security AVP (Section 4.3.11). specified in the ARAP-Security AVP (Section 4.3.11).
4.4. NAS Authorization AVPs 4.4. NAS Authorization AVPs
This section contains the authorization AVPs supported in the NAS This section contains the authorization AVPs supported in the NAS
Application. The Service-Type AVP SHOULD be present in all messages Application. The Service-Type AVP SHOULD be present in all messages
and, based on its value, additional AVPs defined in this section and and, based on its value, additional AVPs defined in this section and
Section 4.5 MAY be present. Section 4.5 MAY be present.
The following table gives the possible flag values for the session- The following table gives the possible flag values for the session-
level AVPs and specifies whether the AVP MAY be encrypted. level AVPs.
+----------+ +----------+
| AVP Flag | | AVP Flag |
| rules | | rules |
|----+-----| |----+-----|
|MUST| MUST| |MUST| MUST|
Attribute Name Section Defined | | NOT| Attribute Name Section Defined | | NOT|
-----------------------------------------|----+-----| -----------------------------------------|----+-----|
Service-Type 4.4.1 | M | V | Service-Type 4.4.1 | M | V |
Callback-Number 4.4.2 | M | V | Callback-Number 4.4.2 | M | V |
Callback-Id 4.4.3 | M | V | Callback-Id 4.4.3 | M | V |
Idle-Timeout 4.4.4 | M | V | Idle-Timeout 4.4.4 | M | V |
Port-Limit 4.4.5 | M | V | Port-Limit 4.4.5 | M | V |
NAS-Filter-Rule 4.4.6 | M | V | NAS-Filter-Rule 4.4.6 | M | V |
Filter-Id 4.4.7 | M | V | Filter-Id 4.4.7 | M | V |
Configuration-Token 4.4.8 | M | P,V | Configuration-Token 4.4.8 | M | V |
QoS-Filter-Rule 4.4.9 | | | QoS-Filter-Rule 4.4.9 | | |
Framed-Protocol 4.4.10.1 | M | V | Framed-Protocol 4.4.10.1 | M | V |
Framed-Routing 4.4.10.2 | M | V | Framed-Routing 4.4.10.2 | M | V |
Framed-MTU 4.4.10.3 | M | V | Framed-MTU 4.4.10.3 | M | V |
Framed-Compression 4.4.10.4 | M | V | Framed-Compression 4.4.10.4 | M | V |
Framed-IP-Address 4.4.10.5.1 | M | V | Framed-IP-Address 4.4.10.5.1 | M | V |
Framed-IP-Netmask 4.4.10.5.2 | M | V | Framed-IP-Netmask 4.4.10.5.2 | M | V |
Framed-Route 4.4.10.5.3 | M | V | Framed-Route 4.4.10.5.3 | M | V |
Framed-Pool 4.4.10.5.4 | M | V | Framed-Pool 4.4.10.5.4 | M | V |
Framed-Interface-Id 4.4.10.5.5 | M | V | Framed-Interface-Id 4.4.10.5.5 | M | V |
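Review bot: The QoS-Filter-Rule row (4.4.9) is the only entry in the Section 4.4 table with empty MUST and MUST NOT columns in both versions; either give it flag rules consistent with the other rows (M / V) or state why none apply, particularly as 4.4.9 marks the AVP NOT RECOMMENDED but still defines its options normatively. The Configuration-Token change from "P,V" to "V" in the MUST NOT column is consistent with removing the encryption column from the table introductions.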
skipping to change at page 35, line 31 skipping to change at page 35, line 31
4.4.9. QoS-Filter-Rule AVP 4.4.9. QoS-Filter-Rule AVP
The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule
(Section 4.1.1) and provides QoS filter rules that need to be (Section 4.1.1) and provides QoS filter rules that need to be
configured on the NAS for the user. One or more such AVPs MAY be configured on the NAS for the user. One or more such AVPs MAY be
present in an authorization response. present in an authorization response.
The use of this AVP is NOT RECOMMENDED; the AVPs defined by Korhonen, The use of this AVP is NOT RECOMMENDED; the AVPs defined by Korhonen,
et al. [RFC5777] SHOULD be used instead. et al. [RFC5777] SHOULD be used instead.
The following options are defined for the QoSFilterRule filters:
DSCP <color> If action is set to tag (Section 4.1.1) this option DSCP <color> If action is set to tag (Section 4.1.1) this option
MUST be included in the rule. MUST be included in the rule.
Color values are defined in Nichols, et al. [RFC2474]. Exact Color values are defined in Nichols, et al. [RFC2474]. Exact
matching of DSCP values is required (no masks or ranges). matching of DSCP values is required (no masks or ranges).
metering <rate> <color_under> <color_over> The metering option metering <rate> <color_under> <color_over> The metering option
provides Assured Forwarding, as defined in Heinanen, et al. provides Assured Forwarding, as defined in Heinanen, et al.
[RFC2597]. and MUST be present if the action is set to meter [RFC2597]. and MUST be present if the action is set to meter
(Section 4.1.1) The rate option is the throughput, in bits per (Section 4.1.1) The rate option is the throughput, in bits per
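Review bot: Punctuation in the metering option text of 4.4.9 is broken: "[RFC2597]. and MUST be present if the action is set to meter (Section 4.1.1) The rate option" should read "[RFC2597], and MUST be present if the action is set to meter (Section 4.1.1). The rate option". The new lead-in "The following options are defined for the QoSFilterRule filters:" is a useful addition; since the AVP is NOT RECOMMENDED in favour of [RFC5777], consider also stating whether a NAS that receives QoS-Filter-Rule is still required to honour the DSCP and metering options or may ignore the AVP.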
skipping to change at page 59, line 49 skipping to change at page 59, line 49
Service-Type | 0-1 | 0-1 | Service-Type | 0-1 | 0-1 |
Session-Id | 1 | 1 | Session-Id | 1 | 1 |
Termination-Cause | 0-1 | 0-1 | Termination-Cause | 0-1 | 0-1 |
Tunnel-Assignment-Id | 0-1 | 0 | Tunnel-Assignment-Id | 0-1 | 0 |
Tunnel-Client-Endpoint | 0-1 | 0 | Tunnel-Client-Endpoint | 0-1 | 0 |
Tunnel-Medium-Type | 0-1 | 0 | Tunnel-Medium-Type | 0-1 | 0 |
Tunnel-Private-Group-Id | 0-1 | 0 | Tunnel-Private-Group-Id | 0-1 | 0 |
Tunnel-Server-Endpoint | 0-1 | 0 | Tunnel-Server-Endpoint | 0-1 | 0 |
Tunnel-Type | 0-1 | 0 | Tunnel-Type | 0-1 | 0 |
User-Name | 0-1 | 0-1 | User-Name | 0-1 | 0-1 |
Vendor-Specific-Application-Id | 0-1 | 0-1 |
---------------------------------------|-----+-----+ ---------------------------------------|-----+-----+
5.2.2. Non-Framed Access Accounting AVP Table 5.2.2. Non-Framed Access Accounting AVP Table
The table in this section is used when the Service-Type AVP The table in this section is used when the Service-Type AVP
(Section 4.4.1) specifies Non-Framed Access. (Section 4.4.1) specifies Non-Framed Access.
+-----------+ +-----------+
| Command | | Command |
|-----+-----+ |-----+-----+
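Review bot: Removing the Vendor-Specific-Application-Id row from the Framed Access accounting table matches the CCF change in Section 1.1, but the Acct-Application-Id row (not shown in this hunk) must now read 1 in both the ACR and ACA columns to agree with the MUST in Section 3.10; please check that it was updated from 0-1 in the same revision.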
skipping to change at page 61, line 28 skipping to change at page 61, line 28
Origin-State-Id | 0-1 | 0-1 | Origin-State-Id | 0-1 | 0-1 |
Originating-Line-Info | 0-1 | 0 | Originating-Line-Info | 0-1 | 0 |
Proxy-Info | 0+ | 0+ | Proxy-Info | 0+ | 0+ |
QoS-Filter-Rule | 0+ | 0 | QoS-Filter-Rule | 0+ | 0 |
Route-Record | 0+ | 0 | Route-Record | 0+ | 0 |
Result-Code | 0 | 1 | Result-Code | 0 | 1 |
Session-Id | 1 | 1 | Session-Id | 1 | 1 |
Service-Type | 0-1 | 0-1 | Service-Type | 0-1 | 0-1 |
Termination-Cause | 0-1 | 0-1 | Termination-Cause | 0-1 | 0-1 |
User-Name | 0-1 | 0-1 | User-Name | 0-1 | 0-1 |
Vendor-Specific-Application-Id | 0-1 | 0-1 |
---------------------------------------|-----+-----+ ---------------------------------------|-----+-----+
6. IANA Considerations 6. IANA Considerations
This document does not request any action by IANA. Several of the namespaces used in this document are managed by the
Internet Assigned Numbers Authority [IANA], including the AVP Codes
[AVP-Codes], AVP Specific Values [AVP-Vals], Application IDs
[App-Ids], Command Codes [Command-Codes] and RADIUS Attribute Values
[RADIUSTypes].
For the current values allocated, and the policies governing
allocation in those namespaces, please see the above-referenced
registries.
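Review bot: The rewritten Section 6 lists the registries this document relies on but no longer says whether any IANA action is requested; since this document obsoletes RFC 4005, IANA will normally need to update the reference for the AVP Codes, Command Codes and Application ID entries originally registered by RFC 4005 to point to this document, so either request that update or state explicitly that no action is required. The [IANA] citation also needs a matching entry in Section 8; none appears in the portion of the reference list included in this diff.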
7. Security Considerations 7. Security Considerations
This document describes the extension of Diameter for the NAS This document describes the extension of Diameter for the NAS
application. The security considerations of the Diameter protocol application. The security considerations of the Diameter protocol
itself have been discussed in [I-D.ietf-dime-rfc3588bis]. Use of itself are discussed in [I-D.ietf-dime-rfc3588bis]. Use of this
this application of Diameter MUST take into consideration the application of Diameter MUST take into consideration the security
security issues and requirements of the Base protocol. issues and requirements of the Base protocol.
The use of the User-Password (Section 4.3.1) and Tunnel-Password
(Section 4.5.6) AVPs is not safe in the absence of end-to-end
security; however, end-to-end security for the Diameter protocol is
outside the scope of this document.
This document does not contain a security protocol but does discuss This document does not contain a security protocol but does discuss
how PPP authentication protocols can be carried within the Diameter how PPP authentication protocols can be carried within the Diameter
protocol. The PPP authentication protocols described are PAP and protocol. The PPP authentication protocols described are PAP and
CHAP. CHAP.
The use of PAP SHOULD be discouraged, as it exposes users' passwords The use of PAP SHOULD be discouraged, as it exposes users' passwords
to possibly non-trusted entities. However, PAP is also frequently to possibly non-trusted entities. However, PAP is also frequently
used for use with One-Time Passwords, which do not expose a security used for use with One-Time Passwords, which do not expose a security
risk. risk.
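Review bot: The new paragraph in Section 7 says User-Password and Tunnel-Password are "not safe in the absence of end-to-end security" but attaches no requirement to that finding; given that Section 3.10 imposes a MUST on protection of ACR/ACA, consider a parallel statement here (for example, that these AVPs SHOULD NOT be sent through intermediate agents that are not trusted to see the password) and a cross-reference from 4.3.1 and 4.5.6. Editorial: "frequently used for use with One-Time Passwords, which do not expose a security risk" should read "frequently used with One-Time Passwords, which do not pose a security risk".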
skipping to change at page 62, line 24 skipping to change at page 62, line 36
8.1. Normative References
[ANITypes] NANPA Number Resource Info, "ANI Assignments",
<http://www.nanpa.com/number_resource_info/ani_ii_assignments.html>.
[I-D.ietf-dime-rfc3588bis] Fajardo, V., Arkko, J., Loughney, J., and
G. Zorn, "Diameter Base Protocol", draft-ietf-dime-rfc3588bis-33
(work in progress), May 2012.
[RFC1994] Simpson, W., "PPP Challenge Handshake Authentication
Protocol (CHAP)", RFC 1994, August 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and
skipping to change at page 63, line 12 skipping to change at page 63, line 22
Authorization and Accounting (AAA) Transport Profile", RFC 3539,
June 2003.
8.2. Informative References
[ARAP] Apple Computer, "Apple Remote Access Protocol (ARAP) Version
2.0 External Reference Specification", R0612LL/B, September 1994.
[AVP-Codes] "IANA AAA AVP Codes Registry",
<http://www.iana.org/assignments/aaa-parameters/aaa-parameters.xml#aaa-parameters-1>.
[AVP-Vals] "IANA AAA AVP Specific Values",
<http://www.iana.org/assignments/aaa-parameters/aaa-parameters.xml#aaa-parameters-2>.
[App-Ids] "IANA AAA Application IDs Registry",
<http://www.iana.org/assignments/aaa-parameters/aaa-parameters.xml#aaa-parameters-1>.
[AppleTalk] Sidhu, G., Andrews, R., and A. Oppenheimer, "Inside
AppleTalk", Second Edition, Apple Computer, 1990.
[Command-Codes] "IANA AAA Command Codes Registry",
<http://www.iana.org/assignments/aaa-parameters/aaa-parameters.xml#command-code-rules>.
[IANA] "Internet Assigned Numbers Authority", <http://www.iana.org/>.
[IPX] Novell, Inc., "NetWare System Technical Interface Overview",
#883-000780-001, June 1989.
[ISO.8859-1.1987] International Organization for Standardization,
"Information technology - 8-bit single byte coded graphic character
sets - Part 1: Latin alphabet No. 1, JTC1/SC2", ISO Standard 8859-1,
1987.
[LAT] Digital Equipment Corp., "Local Area Transport (LAT)
Specification V5.0", AA-NL26A-TE, June 1989.
[RADIUSTypes] IANA, "IANA Radius Attribute Values Registry",
<http://www.iana.org/assignments/radius-types-3>.
[RFC1334] Lloyd, B. and W. Simpson, "PPP Authentication Protocols",
RFC 1334, October 1992.
[RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51,
RFC 1661, July 1994.
[RFC1990] Sklower, K., Lloyd, B., McGregor, G., Carr, D., and
T. Coradetti, "The PPP Multilink Protocol (MP)", RFC 1990,
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/