draft-ietf-dime-rfc4005bis-12.txt vs. draft-ietf-dime-rfc4005bis-13.txt
(text common to both drafts is shown once; wording that differs is marked inline as [-removed in -13-] {+added in -13+})

Network Working Group                                       G. Zorn, Ed.
Internet-Draft                                               Network Zen
Obsoletes: 4005 (if approved)         [-January 2, 2013-] {+May 13, 2013+}
Intended status: Standards Track
Expires: [-July 6, 2013-] {+November 14, 2013+}

              Diameter Network Access Server Application
        [-draft-ietf-dime-rfc4005bis-12-] {+draft-ietf-dime-rfc4005bis-13+}

Abstract

This document describes the Diameter protocol application used for
Authentication, Authorization, and Accounting (AAA) services in the
Network Access Server (NAS) environment; it obsoletes RFC 4005. When
combined with the Diameter Base protocol, Transport Profile, and
Extensible Authentication Protocol specifications, this application
specification satisfies typical network access services requirements.
skipping to change at page 1, line 36

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on [-July 6, 2013-] {+November 14, 2013+}.

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents

skipping to change at page 2, line 14

the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents (page numbers given as -12 / -13)

1. Introduction ... 5 / 5
   1.1. Changes from RFC 4005 ... 5 / 5
   1.2. Terminology ... 6 / 6
   1.3. Requirements Language ... 7 / 7
   1.4. Advertising Application Support ... 7 / 7
   1.5. Application Identification ... 7 / 8
   1.6. Accounting Model ... 8 / 8
2. NAS Calls, Ports, and Sessions ... 8 / 8
   2.1. Diameter Session Establishment ... 8 / 8
   2.2. Diameter Session Reauthentication or Reauthorization ... 9 / 9
   2.3. Diameter Session Termination ... 10 / 10
3. Diameter NAS Application Messages ... 10 / 10
   3.1. AA-Request (AAR) Command ... 10 / 10
   3.2. AA-Answer (AAA) Command ... 12 / 12
   3.3. Re-Auth-Request (RAR) Command ... 14 / 14
   3.4. Re-Auth-Answer (RAA) Command ... 15 / 15

skipping to change at page 2, line 37

   3.7. Abort-Session-Request (ASR) Command ... 18 / 18
   3.8. Abort-Session-Answer (ASA) Command ... 19 / 19
   3.9. Accounting-Request (ACR) Command ... 20 / 20
   3.10. Accounting-Answer (ACA) Command ... 22 / 22
4. Diameter NAS Application AVPs ... 23 / 23
   4.1. Derived AVP Data Formats ... 23 / 23
      4.1.1. QoSFilterRule ... 23 / 23
   4.2. NAS Session AVPs ... 24 / 24
      4.2.1. Call and Session Information ... 24 / 24
      4.2.2. NAS-Port AVP ... 25 / 25
      4.2.3. NAS-Port-Id AVP ... 25 / 26
      4.2.4. NAS-Port-Type AVP ... 26 / 26
      4.2.5. Called-Station-Id AVP ... 26 / 26
      4.2.6. Calling-Station-Id AVP ... 26 / 26
      4.2.7. Connect-Info AVP ... 27 / 27
      4.2.8. Originating-Line-Info AVP ... 27 / 27
      4.2.9. Reply-Message AVP ... 28 / 28
   4.3. NAS Authentication AVPs ... 28 / 28
      4.3.1. User-Password AVP ... 29 / 29
      4.3.2. Password-Retry AVP ... 29 / 29
      4.3.3. Prompt AVP ... 29 / 30
      4.3.4. CHAP-Auth AVP ... 29 / 30
      4.3.5. CHAP-Algorithm AVP ... 30 / 30
      4.3.6. CHAP-Ident AVP ... 30 / 30
      4.3.7. CHAP-Response AVP ... 30 / 30
      4.3.8. CHAP-Challenge AVP ... 30 / 31
      4.3.9. ARAP-Password AVP ... 30 / 31
      4.3.10. ARAP-Challenge-Response AVP ... 30 / 31
      4.3.11. ARAP-Security AVP ... 31 / 31
      4.3.12. ARAP-Security-Data AVP ... 31 / 31
   4.4. NAS Authorization AVPs ... 31 / 32
      4.4.1. Service-Type AVP ... 33 / 34
      4.4.2. Callback-Number AVP ... 33 / 35
      4.4.3. Callback-Id AVP ... 34 / 35
      4.4.4. Idle-Timeout AVP ... 34 / 35
      4.4.5. Port-Limit AVP ... 34 / 35
      4.4.6. NAS-Filter-Rule AVP ... 34 / 35
      4.4.7. Filter-Id AVP ... 34 / 36
      4.4.8. Configuration-Token AVP ... 35 / 36
      4.4.9. QoS-Filter-Rule AVP ... 35 / 36
      4.4.10. Framed Access Authorization AVPs ... 36 / 37
         4.4.10.1. Framed-Protocol AVP ... 36 / 37
         4.4.10.2. Framed-Routing AVP ... 36 / 37
         4.4.10.3. Framed-MTU AVP ... 36 / 37
         4.4.10.4. Framed-Compression AVP ... 36 / 37
         4.4.10.5. IP Access Authorization AVPs ... 37 / 38
            4.4.10.5.1. Framed-IP-Address AVP ... 37 / 38
            4.4.10.5.2. Framed-IP-Netmask AVP ... 37 / 38
            4.4.10.5.3. Framed-Route AVP ... 37 / 38
            4.4.10.5.4. Framed-Pool AVP ... 38 / 39
            4.4.10.5.5. Framed-Interface-Id AVP ... 38 / 39
            4.4.10.5.6. Framed-IPv6-Prefix AVP ... 38 / 39
            4.4.10.5.7. Framed-IPv6-Route AVP ... 38 / 39
            4.4.10.5.8. Framed-IPv6-Pool AVP ... 39 / 40
         4.4.10.6. IPX Access AVPs ... 39 / 40
            4.4.10.6.1. Framed-IPX-Network AVP ... 39 / 40
         4.4.10.7. AppleTalk Network Access AVPs ... 39 / 40
            4.4.10.7.1. Framed-AppleTalk-Link AVP ... 39 / 41
            4.4.10.7.2. Framed-AppleTalk-Network AVP ... 40 / 41
            4.4.10.7.3. Framed-AppleTalk-Zone AVP ... 40 / 41
         4.4.10.8. AppleTalk Remote Access AVPs ... 40 / 41
            4.4.10.8.1. ARAP-Features AVP ... 40 / 42
            4.4.10.8.2. ARAP-Zone-Access AVP ... 41 / 42
      4.4.11. Non-Framed Access Authorization AVPs ... 41 / 42
         4.4.11.1. Login-IP-Host AVP ... 41 / 42
         4.4.11.2. Login-IPv6-Host AVP ... 41 / 42
         4.4.11.3. Login-Service AVP ... 42 / 43
         4.4.11.4. TCP Services ... 42 / 43
            4.4.11.4.1. Login-TCP-Port AVP ... 42 / 43
         4.4.11.5. LAT Services ... 42 / 43
            4.4.11.5.1. Login-LAT-Service AVP ... 42 / 43
            4.4.11.5.2. Login-LAT-Node AVP ... 43 / 44
            4.4.11.5.3. Login-LAT-Group AVP ... 43 / 44
            4.4.11.5.4. Login-LAT-Port AVP ... 44 / 45
   4.5. NAS Tunneling AVPs ... 44 / 45
      4.5.1. Tunneling AVP ... 45 / 46
      4.5.2. Tunnel-Type AVP ... 45 / 46
      4.5.3. Tunnel-Medium-Type AVP ... 46 / 47
      4.5.4. Tunnel-Client-Endpoint AVP ... 46 / 47
      4.5.5. Tunnel-Server-Endpoint AVP ... 47 / 48
      4.5.6. Tunnel-Password AVP ... 47 / 48
      4.5.7. Tunnel-Private-Group-Id AVP ... 48 / 49
      4.5.8. Tunnel-Assignment-Id AVP ... 48 / 49
      4.5.9. Tunnel-Preference AVP ... 49 / 50
      4.5.10. Tunnel-Client-Auth-Id AVP ... 50 / 51
      4.5.11. Tunnel-Server-Auth-Id AVP ... 50 / 51
   4.6. NAS Accounting AVPs ... 50 / 51
      4.6.1. Accounting-Input-Octets AVP ... 51 / 52
      4.6.2. Accounting-Output-Octets AVP ... 51 / 52
      4.6.3. Accounting-Input-Packets AVP ... 52 / 53
      4.6.4. Accounting-Output-Packets AVP ... 52 / 53
      4.6.5. Acct-Session-Time AVP ... 52 / 53
      4.6.6. Acct-Authentic AVP ... 52 / 53
      4.6.7. Accounting-Auth-Method AVP ... 52 / 53
      4.6.8. Acct-Delay-Time AVP ... 52 / 53
      4.6.9. Acct-Link-Count AVP ... 53 / 54
      4.6.10. Acct-Tunnel-Connection AVP ... 54 / 55
      4.6.11. Acct-Tunnel-Packets-Lost AVP ... 54 / 55
5. AVP Occurrence Tables ... 54 / 55
   5.1. AA-Request/Answer AVP Table ... 54 / 55
   5.2. Accounting AVP Tables ... 57 / 58
      5.2.1. Framed Access Accounting AVP Table ... 58 / 59
      5.2.2. Non-Framed Access Accounting AVP Table ... 60 / 61
6. IANA Considerations ... 61 / 62
7. Security Considerations ... 62 / 63
   7.1. Authentication Considerations ... 62 / 63
   7.2. AVP Considerations ... 62 / 63
8. References ... 63 / 64
   8.1. Normative References ... 63 / 64
   8.2. Informative References ... 63 / 65
Appendix A. Acknowledgements ... 66 / 67
   A.1. This Document ... 66 / 67
   A.2. RFC 4005 ... 66 / 68
1. Introduction

This document describes the Diameter protocol application used for
AAA in the Network Access Server (NAS) environment. When combined
with the Diameter Base protocol [RFC6733], Transport Profile
[RFC3539], and EAP [RFC4072] specifications, this specification
satisfies the NAS-related requirements defined in Aboba, et
al. [RFC2989] and Beadles & Mitton [RFC3169].

skipping to change at page 5, line 28

authorization, tunneling, and accounting. The authorization AVPs are
further broken down by service type.
1.1. Changes from RFC 4005

This document obsoletes RFC 4005 and is not backward compatible with
that document. An overview of some of the major changes is given
below.

o All of the material regarding RADIUS/Diameter protocol
  interactions has been removed[-.-]{+; however, where AVPs are derived
  from RADIUS Attributes, the range and format of those Attribute
  values have been retained for ease of transition.+}

o The Command Code Format (CCF) [RFC6733] for the Accounting-Request
  and Accounting-Answer messages has been changed to explicitly
  require the inclusion of the Acct-Application-Id AVP and exclude
  the Vendor-Specific-Application-Id AVP. Normally, this type of
  change would [-also-] require the allocation of a new command code and
  consequently, a new application-id (See Section 1.3.3 of
  [RFC6733]). However, the presence of an instance of the Acct-
  Application-Id AVP was required in RFC 4005, as well:

     The ACR message [BASE] is sent by the NAS to report its session
     information to a target server downstream.

     Either of Acct-Application-Id or Vendor-Specific-Application-Id
     AVPs MUST be present. If the Vendor-Specific-Application-Id
     grouped AVP is present, it must have an Acct-Application-Id
skipping to change at page 7, line 40

In this document, this term is used to describe access services
that use tunneling methods.

1.3. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC
2119 [RFC2119].

{+The use of "MUST" and "MUST NOT" in the AVP Flag rules columns of AVP
Tables in this document refers to AVP flags ([RFC6733], Section 4.1)
that:

o MUST be set to 1 in the AVP Header ("MUST" column) and

o MUST NOT be set to 1 ("MUST NOT" column)+}
1.4. Advertising Application Support

Diameter nodes conforming to this specification MUST advertise
support by including the value of one (1) in the Auth-Application-Id
of the Capabilities-Exchange-Request (CER) message [RFC6733].

1.5. Application Identification

When used in this application, the Auth-Application-Id AVP MUST be
set to the value one (1) in the following messages:

o AA-Request (Section 3.1)

o Re-Auth-Request (Section 3.3)

o Session-Termination-Request (Section 3.5)

o Abort-Session-Request (Section 3.7)
1.6. Accounting Model

It is RECOMMENDED that the coupled accounting model ([-Section 9.3 of
[RFC6733]-]{+RFC 6733, Section 9.3+}) be used with this application; therefore,
the value of the Acct-Application-Id AVP in the Accounting-Request
(Section 3.10) and Accounting-Answer (Section 3.9) messages SHOULD be
set to one (1).
2. NAS Calls, Ports, and Sessions

The arrival of a new call or service connection at a port of a
Network Access Server (NAS) starts a Diameter NAS Application message
exchange. Information about the call, the identity of the user, and
the user's authentication information are packaged into a Diameter
AA-Request (AAR) message and sent to a server.

The server processes the information and responds with a Diameter AA-
Answer (AAA) message that contains authorization information for the
NAS, or a failure code (Result-Code AVP). A value of
DIAMETER_MULTI_ROUND_AUTH indicates an additional authentication
exchange, and several AAR and AAA messages may be exchanged until the
transaction completes.

{+Depending on the value of the Auth-Request-Type AVP, the Diameter
protocol allows authorization-only requests that contain no
authentication information from the client. This capability goes
beyond the Call Check capabilities provided by RADIUS (Section 5.6 of
[RFC2865]) in that no access decision is requested. As a result, a
new session cannot be started as a result of a response to an
authorization-only request without introducing a significant security
vulnerability.+}
2.1. Diameter Session Establishment

When the authentication or authorization exchange completes
successfully, the NAS application SHOULD start a session context. If
the Result-Code of DIAMETER_MULTI_ROUND_AUTH is returned, the
exchange continues until a success or error is returned.

If accounting is active, the application MUST also send an Accounting
message [RFC6733]. An Accounting-Record-Type of START_RECORD is sent
for a new session. If a session fails to start, the EVENT_RECORD
skipping to change at page 21, line 41

        * [ Connection-Info ]
          [ Originating-Line-Info ]
          [ Authorization-Lifetime ]
          [ Session-Timeout ]
          [ Idle-Timeout ]
          [ Port-Limit ]
          [ Accounting-Realtime-Required ]
          [ Acct-Interim-Interval ]
        * [ Filter-Id ]
        * [ NAS-Filter-Rule ]
        * [ [-Qos-Filter-Rule-]{+QoS-Filter-Rule+} ]
          [ Framed-AppleTalk-Link ]
          [ Framed-AppleTalk-Network ]
          [ Framed-AppleTalk-Zone ]
          [ Framed-Compression ]
          [ Framed-Interface-Id ]
          [ Framed-IP-Address ]
          [ Framed-IP-Netmask ]
        * [ Framed-IPv6-Prefix ]
          [ Framed-IPv6-Pool ]
        * [ Framed-IPv6-Route ]
skipping to change at page 25, line 20

      Session-Id
      Auth-Application-Id
      Origin-Host
      Origin-Realm
      Auth-Request-Type
      Termination-Cause

The following table gives the possible flag values for the session
level AVPs.

                                              +-----------+
                                              |  AVP Flag |
                                              |   Rules   |
                                              |-----+-----+
                                              |MUST | MUST|
   Attribute Name            Section Defined  |     | NOT |
   -------------------------------------------|-----+-----|
   NAS-Port                  4.2.2            |  M  |  V  |
   NAS-Port-Id               4.2.3            |  M  |  V  |
   NAS-Port-Type             4.2.4            |  M  |  V  |
   Called-Station-Id         4.2.5            |  M  |  V  |
   Calling-Station-Id        4.2.6            |  M  |  V  |
   Connect-Info              4.2.7            |  M  |  V  |
   Originating-Line-Info     4.2.8            |  M  |  V  |
   Reply-Message             4.2.9            |  M  |  V  |
   -------------------------------------------|-----+-----|

(In -12 the column heading read "AVP Flag rules"; the rows are the same in both drafts.)
4.2.2. NAS-Port AVP 4.2.2. NAS-Port AVP
The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the
physical or virtual port number of the NAS which is authenticating physical or virtual port number of the NAS which is authenticating
the user. Note that "port" is meant in its sense as a service the user. Note that "port" is meant in its sense as a service
connection on the NAS, not as an IP protocol identifier. connection on the NAS, not as an IP protocol identifier, and hence
the format and contents of the string that identifies the port are
specific to the NAS implementation.
Either the NAS-Port AVP or the NAS-Port-Id AVP (Section 4.2.3) SHOULD Either the NAS-Port AVP or the NAS-Port-Id AVP (Section 4.2.3) SHOULD
be present in the AA-Request (AAR, Section 3.1) command if the NAS be present in the AA-Request (AAR, Section 3.1) command if the NAS
differentiates among its ports. differentiates among its ports.
4.2.3. NAS-Port-Id AVP 4.2.3. NAS-Port-Id AVP
The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists
of 7-bit ASCII text identifying the port of the NAS authenticating of 7-bit ASCII text identifying the port of the NAS authenticating
the user. Note that "port" is meant in its sense as a service the user. Note that "port" is meant in its sense as a service
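Review bot: the sentence added to the NAS-Port definition (4.2.2) refers to "the format and contents of the string that identifies the port", but NAS-Port is of type Unsigned32 and carries a port number, not a string; that wording belongs with NAS-Port-Id (4.2.3), which is the UTF8String AVP. Either move the new sentence to 4.2.3 or reword it here to something like "and the meaning of the port number is specific to the NAS implementation". The table header change (rules to Rules, wider MUST column) is fine.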
skipping to change at page 26, line 24 skipping to change at page 26, line 29
The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and
contains the type of the port on which the NAS is authenticating the contains the type of the port on which the NAS is authenticating the
user. This AVP SHOULD be present if the NAS uses the same NAS-Port user. This AVP SHOULD be present if the NAS uses the same NAS-Port
number ranges for different service types concurrently. number ranges for different service types concurrently.
The currently supported values of the NAS-Port-Type AVP are listed in The currently supported values of the NAS-Port-Type AVP are listed in
[RADIUSAttrVals]. [RADIUSAttrVals].
4.2.5. Called-Station-Id AVP 4.2.5. Called-Station-Id AVP
The Called-Station-Id AVP (AVP Code 30) is of type UTF8String and The Called-Station-Id AVP (AVP Code 30) is of type UTF8String
allows the NAS to send a 7-bit ASCII string describing the Layer 2 contains a 7-bit ASCII string sent by the NAS to describe the Layer 2
address the user contacted in the request. For dialup access, this address the user contacted in the request. For dialup access, this
can be a phone number obtained by using the Dialed Number can be a phone number obtained by using the Dialed Number
Identification Service (DNIS) or a similar technology. Note that Identification Service (DNIS) or a similar technology. Note that
this may be different from the phone number the call comes in on. this may be different from the phone number the call comes in on.
For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC
address formatted as described in Congdon, et al. [RFC3580]. address formatted as described in Congdon, et al. [RFC3580].
If the Called-Station-Id AVP is present in an AAR message, Auth- If the Called-Station-Id AVP is present in an AAR message, Auth-
Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is
absent, the Diameter Server MAY perform authorization based on this absent, the Diameter Server MAY perform authorization based on this
AVP. This can be used by a NAS to request whether a call should be AVP. This can be used by a NAS to request whether a call should be
answered based on the DNIS result. answered based on the DNIS result.
Further codification of this field's allowed content and usage is Further codification of this field's allowed content and usage is
outside the scope of this specification. outside the scope of this specification.
4.2.6. Calling-Station-Id AVP 4.2.6. Calling-Station-Id AVP
The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and
allows the NAS to send a 7-bit ASCII string describing the Layer 2 contains a 7-bit ASCII string sent by the NAS to describe the Layer 2
address from which the user connected in the request. For dialup address from which the user connected in the request. For dialup
access, this is the phone number the call came from, using Automatic access, this is the phone number the call came from, using Automatic
Number Identification (ANI) or a similar technology. For use with Number Identification (ANI) or a similar technology. For use with
IEEE 802 access, the Calling-Station-Id AVP MAY contain a MAC IEEE 802 access, the Calling-Station-Id AVP MAY contain a MAC
address, formated as described in RFC 3580. address, formated as described in RFC 3580.
If the Calling-Station-Id AVP is present in an AAR message, the Auth- If the Calling-Station-Id AVP is present in an AAR message, the Auth-
Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is
absent, the Diameter Server MAY perform authorization based on the absent, the Diameter Server MAY perform authorization based on the
value of this AVP. This can be used by a NAS to request whether a value of this AVP. This can be used by a NAS to request whether a
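Review bot: the rewritten first sentence of 4.2.5 drops the conjunction and now reads "is of type UTF8String contains a 7-bit ASCII string"; it should read "is of type UTF8String and contains ...", matching the parallel sentence kept in 4.2.6. Also, 4.2.6 still says "formated" and cites "RFC 3580" in prose while 4.2.5 uses "Congdon, et al. [RFC3580]"; fix the spelling and use the bracketed citation in both places.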
skipping to change at page 33, line 24 skipping to change at page 34, line 24
When used in a request, the Service-Type AVP SHOULD be considered a When used in a request, the Service-Type AVP SHOULD be considered a
hint to the server that the NAS believes the user would prefer the hint to the server that the NAS believes the user would prefer the
kind of service indicated. The server is not required to honor the kind of service indicated. The server is not required to honor the
hint. Furthermore, if the service specified by the server is hint. Furthermore, if the service specified by the server is
supported, but not compatible with the current mode of access, the supported, but not compatible with the current mode of access, the
NAS MUST fail to start the session. The NAS MUST also generate the NAS MUST fail to start the session. The NAS MUST also generate the
appropriate error message(s). appropriate error message(s).
The complete list of defined values that the Service-Type AVP can The complete list of defined values that the Service-Type AVP can
take can be found in [RFC2865] and [RADIUSAttrVals], but the take can be found in Rigney, et al. [RFC2865] and and the relevant
following values require further qualification here: IANA registry [RADIUSAttrVals], but the following values require
further qualification here:
Login (1) Login (1)
The user should be connected to a host. The message MAY The user should be connected to a host. The message MAY
include additional AVPs as defined in Section 4.4.11.4 or include additional AVPs as defined in Section 4.4.11.4 or
Section 4.4.11.5. Section 4.4.11.5.
Framed (2) Framed (2)
A Framed Protocol, such as PPP or SLIP, should be started for A Framed Protocol, such as PPP or SLIP, should be started for
the User. The message MAY include additional AVPs defined in the User. The message MAY include additional AVPs defined in
Section 4.4.10, or Section 4.5 for tunneling services. Section 4.4.10, or Section 4.5 for tunneling services.
Callback Login (3) Callback Login (3)
The user should be disconnected and called back, then connected The user should be disconnected and called back, then connected
to a host. The message MAY include additional AVPs defined in to a host. The message MAY include additional AVPs defined in
this Section. this Section.
Callback Framed (4) Callback Framed (4)
The user should be disconnected and called back, and then a The user should be disconnected and called back, and then a
Framed Protocol, such as PPP or SLIP, should be started for the Framed Protocol, such as PPP or SLIP, should be started for the
User. The message MAY include additional AVPs defined in user. The message MAY include additional AVPs defined in
Section 4.4.10, or Section 4.5 for tunneling services. Section 4.4.10, or Section 4.5 for tunneling services.
4.4.2. Callback-Number AVP 4.4.2. Callback-Number AVP
The Callback-Number AVP (AVP Code 19) is of type UTF8String and The Callback-Number AVP (AVP Code 19) is of type UTF8String and
contains a dialing string to be used for callback. It MAY be used in contains a dialing string to be used for callback, the format of
which is deployment-specific. The Callback-Number AVP MAY be used in
an authentication and/or authorization request as a hint to the an authentication and/or authorization request as a hint to the
server that a Callback service is desired, but the server is not server that a callback service is desired, but the server is not
required to honor the hint in the corresponding response. required to honor the hint in the corresponding response.
The codification of this field's allowed usage range is outside the Any further codification of this field's allowed usage range is
scope of this specification. outside the scope of this specification.
4.4.3. Callback-Id AVP 4.4.3. Callback-Id AVP
The Callback-Id AVP (AVP Code 20) is of type UTF8String and contains The Callback-Id AVP (AVP Code 20) is of type UTF8String and contains
the name of a place to be called, to be interpreted by the NAS. This the name of a place to be called, to be interpreted by the NAS. This
AVP MAY be present in an authentication and/or authorization AVP MAY be present in an authentication and/or authorization
response. response.
This AVP is not roaming-friendly as it assumes that the Callback-Id This AVP is not roaming-friendly as it assumes that the Callback-Id
is configured on the NAS. Using the Callback-Number AVP is configured on the NAS. Using the Callback-Number AVP
(Section 4.4.2) is therefore preferable. (Section 4.4.2) is therefore RECOMMENDED.
4.4.4. Idle-Timeout AVP 4.4.4. Idle-Timeout AVP
The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the
maximum number of consecutive seconds of idle connection allowable to maximum number of consecutive seconds of idle connection allowable to
the user before termination of the session or before a prompt is the user before termination of the session or before a prompt is
issued. The default is none, or system specific. issued. The default is none, or system specific.
4.4.5. Port-Limit AVP 4.4.5. Port-Limit AVP
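Review bot: the new citation sentence for Service-Type contains a doubled word, "Rigney, et al. [RFC2865] and and the relevant IANA registry"; drop one "and". The change from "preferable" to "RECOMMENDED" in 4.4.3 turns a stylistic preference into a normative recommendation; that is consistent with the roaming rationale given in the same paragraph, but it is a conformance change and should be mentioned in the list of changes from RFC 4005.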
skipping to change at page 38, line 19 skipping to change at page 39, line 25
4.4.10.5.4. Framed-Pool AVP 4.4.10.5.4. Framed-Pool AVP
The Framed-Pool AVP (AVP Code 88) is of type OctetString and contains The Framed-Pool AVP (AVP Code 88) is of type OctetString and contains
the name of an assigned address pool that SHOULD be used to assign an the name of an assigned address pool that SHOULD be used to assign an
address for the user. If a NAS does not support multiple address address for the user. If a NAS does not support multiple address
pools, the NAS SHOULD ignore this AVP. Address pools are usually pools, the NAS SHOULD ignore this AVP. Address pools are usually
used for IP addresses but can be used for other protocols if the NAS used for IP addresses but can be used for other protocols if the NAS
supports pools for those protocols. supports pools for those protocols.
Although specified as type OctetString for compatibility with RADIUS Although specified as type OctetString for compatibility with RADIUS
[RFC2865], the encoding of the Data field SHOULD also conform to the [RFC2869], the encoding of the Data field SHOULD also conform to the
rules for the UTF8String Data Format. rules for the UTF8String Data Format.
4.4.10.5.5. Framed-Interface-Id AVP 4.4.10.5.5. Framed-Interface-Id AVP
The Framed-Interface-Id AVP (AVP Code 96) is of type Unsigned64 and The Framed-Interface-Id AVP (AVP Code 96) is of type Unsigned64 and
contains the IPv6 interface identifier to be configured for the user. contains the IPv6 interface identifier to be configured for the user.
It MAY be used in authorization requests as a hint to the server that It MAY be used in authorization requests as a hint to the server that
a specific interface id is desired, but the server is not required to a specific interface id is desired, but the server is not required to
honor the hint in the corresponding response. honor the hint in the corresponding response.
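Review bot: the Framed-Pool citation changes from [RFC2865] to [RFC2869], but the visible excerpt of Section 8 shows [RFC6733] and the informative entries without an [RFC2869] entry; confirm that [RFC2869] is present in Section 8.1 or 8.2 so the new citation resolves.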
skipping to change at page 50, line 13 skipping to change at page 51, line 13
started. The tunnel with the lowest numerical value in the Value started. The tunnel with the lowest numerical value in the Value
field of this AVP SHOULD be given the highest preference. The values field of this AVP SHOULD be given the highest preference. The values
assigned to two or more instances of the Tunnel-Preference AVP within assigned to two or more instances of the Tunnel-Preference AVP within
a given authorization response MAY be identical. In this case, the a given authorization response MAY be identical. In this case, the
tunnel initiator SHOULD use locally configured metrics to decide tunnel initiator SHOULD use locally configured metrics to decide
which set of AVPs to use. which set of AVPs to use.
4.5.10. Tunnel-Client-Auth-Id AVP 4.5.10. Tunnel-Client-Auth-Id AVP
The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and
specifies the name used by the tunnel initiator during the specifies the 7-bit US-ASCII name used by the tunnel initiator during
authentication phase of tunnel establishment. It MAY be used in an the authentication phase of tunnel establishment. It MAY be used in
authorization request as a hint to the server that a specific an authorization request as a hint to the server that a specific
preference is desired, but the server is not required to honor the preference is desired, but the server is not required to honor the
hint in the corresponding response. This AVP MUST be present in the hint in the corresponding response. This AVP MUST be present in the
authorization response if an authentication name other than the authorization response if an authentication name other than the
default is desired. This AVP SHOULD be included in the ACR messages default is desired. This AVP SHOULD be included in the ACR messages
pertaining to the tunneled session. pertaining to the tunneled session.
4.5.11. Tunnel-Server-Auth-Id AVP 4.5.11. Tunnel-Server-Auth-Id AVP
The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type UTF8String and The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type UTF8String and
specifies the name used by the tunnel terminator during the specifies the 7-bit US-ASCII name used by the tunnel terminator
authentication phase of tunnel establishment. It MAY be used in an during the authentication phase of tunnel establishment. It MAY be
authorization request as a hint to the server that a specific used in an authorization request as a hint to the server that a
preference is desired, but the server is not required to honor the specific preference is desired, but the server is not required to
hint in the corresponding response. This AVP MUST be present in the honor the hint in the corresponding response. This AVP MUST be
authorization response if an authentication name other than the present in the authorization response if an authentication name other
default is desired. This AVP SHOULD be included in the ACR messages than the default is desired. This AVP SHOULD be included in the ACR
pertaining to the tunneled session. messages pertaining to the tunneled session.
4.6. NAS Accounting AVPs 4.6. NAS Accounting AVPs
Applications implementing this specification use Diameter Accounting Applications implementing this specification use Diameter Accounting
(as defined in [RFC6733]) and the AVPs in the following section. (as defined in [RFC6733]) and the AVPs in the following section.
Service-specific AVP usage is defined in the tables in Section 5. Service-specific AVP usage is defined in the tables in Section 5.
If accounting is active, Accounting Request (ACR) messages SHOULD be If accounting is active, Accounting Request (ACR) messages SHOULD be
sent after the completion of any Authentication or Authorization sent after the completion of any Authentication or Authorization
transaction and at the end of a Session. The value of the transaction and at the end of a Session. The value of the
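Review bot: 4.5.10 and 4.5.11 now say "7-bit US-ASCII name", while 4.2.3, 4.2.5 and 4.2.6 say "7-bit ASCII"; pick one form for every UTF8String AVP that is restricted to ASCII. Otherwise the two sections remain parallel and the rewrap is fine.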
skipping to change at page 62, line 33 skipping to change at page 63, line 33
risk. risk.
This document also describes how CHAP can be carried within the This document also describes how CHAP can be carried within the
Diameter protocol, which is required for RADIUS backward Diameter protocol, which is required for RADIUS backward
compatibility. The CHAP protocol, as used in a RADIUS environment, compatibility. The CHAP protocol, as used in a RADIUS environment,
facilitates authentication replay attacks. facilitates authentication replay attacks.
The use of the EAP authentication protocols [RFC4072] can offer The use of the EAP authentication protocols [RFC4072] can offer
better security, given a method suitable for the circumstances. better security, given a method suitable for the circumstances.
Depending on the value of the Auth-Request-Type AVP, the Diameter
protocol allows authorization-only requests that contain no
authentication information from the client. This capability goes
beyond the Call Check capabilities provided by RADIUS (Section 5.6 of
[RFC2865]) in that no access decision is requested. As a result, a
new session cannot be started as a result of a response to an
authorization-only request without introducing a significant security
vulnerability.
7.2. AVP Considerations 7.2. AVP Considerations
Diameter AVPs often contain security-sensitive data; for example, Diameter AVPs often contain security-sensitive data; for example,
user passwords and location data, network addresses and cryptographic user passwords and location data, network addresses and cryptographic
keys. With the exception of the Configuration-Token (Section 4.4.8), keys. With the exception of the Configuration-Token (Section 4.4.8),
QoS-Filter-Rule (Section 4.4.9) and Tunneling (Section 4.5.1) AVPs, QoS-Filter-Rule (Section 4.4.9) and Tunneling (Section 4.5.1) AVPs,
all of the AVPs defined in this document are considered to be all of the AVPs defined in this document are considered to be
security-sensitive. security-sensitive.
Diameter messages containing any AVPs considered to be security- Diameter messages containing any AVPs considered to be security-
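Review bot: the new Security Considerations paragraph on authorization-only requests states that "a new session cannot be started ... without introducing a significant security vulnerability" but gives no requirement; if the intent is that a NAS MUST NOT start a session based solely on a response to an AUTHORIZE_ONLY request, say so with the capitalized requirement language used elsewhere in this section, or cite the section that states it. The sentence also repeats itself ("As a result, ... as a result of"); suggest "Consequently, a new session cannot be started on the basis of a response to an authorization-only request without ...".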
skipping to change at page 63, line 50 skipping to change at page 65, line 11
[RFC6733] Fajardo, V., Arkko, J., Loughney, J., and G. Zorn, [RFC6733] Fajardo, V., Arkko, J., Loughney, J., and G. Zorn,
"Diameter Base Protocol", RFC 6733, October 2012. "Diameter Base Protocol", RFC 6733, October 2012.
8.2. Informative References 8.2. Informative References
[ARAP] Apple Computer, "Apple Remote Access Protocol [ARAP] Apple Computer, "Apple Remote Access Protocol
(ARAP) Version 2.0 External Reference (ARAP) Version 2.0 External Reference
Specification", R0612LL/B , September 1994. Specification", R0612LL/B , September 1994.
[AVP-Codes] "IANA AAA AVP Codes Registry", <http:// [AVP-Codes] IANA, "IANA AAA AVP Codes Registry", <http://
www.iana.org/assignments/aaa-parameters/ www.iana.org/assignments/aaa-parameters/
aaa-parameters.xml#aaa-parameters-1>. aaa-parameters.xml#aaa-parameters-1>.
[AVP-Vals] "IANA AAA AVP Specific Values", <http:// [AVP-Vals] IANA, "IANA AAA AVP Specific Values", <http://
www.iana.org/assignments/aaa-parameters/ www.iana.org/assignments/aaa-parameters/
aaa-parameters.xml#aaa-parameters-2>. aaa-parameters.xml#aaa-parameters-2>.
[App-Ids] "IANA AAA Application IDs Registry", <http:// [App-Ids] IANA, "IANA AAA Application IDs Registry", <http:/
www.iana.org/assignments/aaa-parameters/ /www.iana.org/assignments/aaa-parameters/
aaa-parameters.xml#aaa-parameters-1>. aaa-parameters.xml#aaa-parameters-1>.
[AppleTalk] Sidhu, G., Andrews, R., and A. Oppenheimer, [AppleTalk] Sidhu, G., Andrews, R., and A. Oppenheimer,
"Inside AppleTalk", Second Edition Apple Computer, "Inside AppleTalk", Second Edition Apple Computer,
1990. 1990.
[BASE] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., [BASE] Calhoun, P., Loughney, J., Guttman, E., Zorn, G.,
and J. Arkko, "Diameter Base Protocol", RFC 3588, and J. Arkko, "Diameter Base Protocol", RFC 3588,
September 2003. September 2003.
[Command-Codes] "IANA AAA Command Codes Registry", <http:// [Command-Codes] IANA, "IANA AAA Command Codes Registry", <http://
www.iana.org/assignments/aaa-parameters/ www.iana.org/assignments/aaa-parameters/
aaa-parameters.xml#command-code-rules>. aaa-parameters.xml#command-code-rules>.
[IANA] "Internet Assigned Numbers Authority", [IANA] IANA, "Internet Assigned Numbers Authority",
<http://www.iana.org/>. <http://www.iana.org/>.
[IPX] Novell, Inc., "NetWare System Technical Interface [IPX] Novell, Inc., "NetWare System Technical Interface
Overview", #883-000780-001, June 1989. Overview", #883-000780-001, June 1989.
[ISO.8859-1.1987] International Organization for Standardization, [ISO.8859-1.1987] International Organization for Standardization,
"Information technology - 8-bit single byte coded "Information technology - 8-bit single byte coded
graphic - character sets - Part 1: Latin alphabet graphic - character sets - Part 1: Latin alphabet
No. 1, JTC1/SC2", ISO Standard 8859-1, 1987. No. 1, JTC1/SC2", ISO Standard 8859-1, 1987.
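Review bot: adding "IANA," as the author of the registry references is fine, but the [App-Ids] entry still points at the same anchor as [AVP-Codes] (aaa-parameters.xml#aaa-parameters-1); an Application IDs registry reference should have its own anchor, so check that URL. The "http:/ /www.iana.org" split in the new [App-Ids] column looks like a line-wrap artifact of the rendering, but verify it in the source.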
skipping to change at page 67, line 31 skipping to change at page 68, line 37
employ. employ.
Author's Address Author's Address
Glen Zorn (editor) Glen Zorn (editor)
Network Zen Network Zen
227/358 Thanon Sanphawut 227/358 Thanon Sanphawut
Bang Na, Bangkok 10260 Bang Na, Bangkok 10260
Thailand Thailand
Phone: +66 (0) 909-201060 Phone: +66 (0)8-1000-4155
EMail: glenzorn@gmail.com EMail: glenzorn@gmail.com