draft-ietf-radext-chargeable-user-id-00.txt   draft-ietf-radext-chargeable-user-id-01.txt 
Network Working Group F. Adrangi Network Working Group F. Adrangi
Internet-Draft Intel Internet-Draft Intel
Expires: June 9, 2005 A. Lior Expires: June 29, 2005 A. Lior
Bridgewater Systems Bridgewater Systems
J. Korhonen J. Korhonen
Teliasonera Teliasonera
J. Loughney J. Loughney
Nokia Nokia
December 9, 2004 December 29, 2004
Chargeable User Identity Chargeable User Identity
draft-ietf-radext-chargeable-user-id-00 draft-ietf-radext-chargeable-user-id-01
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with which he or she become aware will be disclosed, in accordance with
RFC 3668. RFC 3668.
skipping to change at page 1, line 41 skipping to change at page 1, line 41
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 9, 2005. This Internet-Draft will expire on June 29, 2005.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2004). Copyright (C) The Internet Society (2004).
Abstract Abstract
This document describes a new RADIUS attribute, Chargeable User This document describes a new RADIUS attribute,
Identity. This attribute can be used by a home network to identity a Chargeable-User-Identity. This attribute can be used by a home
user for the purpose of roaming transactions that occur outside of network to identify a user for the purpose of roaming transactions
the home network. that occur outside of the home network.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.2 Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1 Chargeable User Identity (CUI) Attribute . . . . . . . . . 5 2.1 Chargeable-User-Identity (CUI) Attribute . . . . . . . . . 5
3. Diameter RADIUS Interoperability . . . . . . . . . . . . . . . 8 3. Attribute Table . . . . . . . . . . . . . . . . . . . . . . . 7
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 4. Diameter RADIUS Interoperability . . . . . . . . . . . . . . . 7
5. Security considerations . . . . . . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 5.1 CUI RADIUS Attribute . . . . . . . . . . . . . . . . . . . 7
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 5.2 Error-Cause Attribute . . . . . . . . . . . . . . . . . . 7
7.1 Normative references . . . . . . . . . . . . . . . . . . . 8 6. Security considerations . . . . . . . . . . . . . . . . . . . 8
7.2 Informative references . . . . . . . . . . . . . . . . . . 9 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
8.1 Normative references . . . . . . . . . . . . . . . . . . . 8
8.2 Informative references . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9
Intellectual Property and Copyright Statements . . . . . . . . . . 11 Intellectual Property and Copyright Statements . . . . . . . . . . 11
1. Introduction 1. Introduction
Some authentication methods, including EAP-PEAP, EAP-TTLS, EAP-SIM Some authentication methods, including EAP-PEAP, EAP-TTLS, EAP-SIM
and EAP-AKA, can hide the true identity of the user from RADIUS and EAP-AKA, can hide the true identity of the user from RADIUS
servers outside of the user's home network. In these methods, the servers outside of the user's home network. In these methods, the
User-Name(1) attribute contains an anonymous identity (e.g., User-Name(1) attribute contains an anonymous identity (e.g.,
@example.com) sufficient to route the RADIUS packets to the home @example.com) sufficient to route the RADIUS packets to the home
network but otherwise insufficient to identify the user. While this network but otherwise insufficient to identify the user. While this
mechanism is good practice in some circumstances, there are problems mechanism is good practice in some circumstances, there are problems
if local and intermediate networks require a user identity in order if local and intermediate networks require a user identity in order
to enforce usage policies. to enforce usage policies.
For example, local or intermediate networks may limit the number of For example, local or intermediate networks may limit the number of
simultaneous sessions for specific users; they may require a simultaneous sessions for specific users; they may require a
chargeable user identity in order to demonstrate willingness to pay chargeable-user-identity in order to demonstrate willingness to pay
or otherwise limit the potential for fraud. or otherwise limit the potential for fraud.
This implies that an authenticated and unique identity provided by This implies that an authenticated and unique identity provided by
the home network should be able to be conveyed to all parties the home network should be able to be conveyed to all parties
involved in the roaming transaction for correlating the involved in the roaming transaction for correlating the
authentication and accounting packets. authentication and accounting packets.
Providing a unique identity, called the Chargeable User Identity Providing a unique identity, called the Chargeable-User-Identity
(CUI) to intermediaries, is necessary to fulfill certain business (CUI) to intermediaries, is necessary to fulfill certain business
needs. This should not undermine the anonymity of the user. The needs. This should not undermine the anonymity of the user. The
mechanism provided by this draft allows the home operator to meet mechanism provided by this draft allows the home operator to meet
these business requirements by providing a temporal identity these business requirements by providing a temporary identity
representing the subscriber and at the same time protecting the representing the subscriber and at the same time protecting the
anonymity of the subscriber. anonymity of the subscriber.
1.1 Motivation 1.1 Motivation
Several organizations, including WISPr, GSMA, 3GPP, Wi-Fi Alliance, Several organizations, including WISPr, GSMA, 3GPP, Wi-Fi Alliance,
IRAP, have been studying mechanisms to provide roaming services, IRAP, have been studying mechanisms to provide roaming services,
using RADIUS. A mechanism for providing the current deployments with using RADIUS. A mechanism for providing the current deployments with
the capacity to deploy, bill and oversee WPA networks against fraud. the capacity to deploy, bill and oversee WPA networks against fraud.
The CUI attribute has been designed to close operational loopholes in The CUI attribute has been designed to close operational loopholes in
RADIUS specifications that have impacted roaming solutions RADIUS specifications that have impacted roaming solutions
negatively, especially when tunneled protocols with multiple negatively, especially when tunneled protocols with multiple
identities, such as PEAP or TTLS, are used. A chargeable identity identities, such as PEAP or TTLS, are used. Use of the CUI is geared
reflecting the user profile authenticated by the home network is to multi-identity EAP authentications which are, for the most part,
needed in such roaming scenarios. recent deployments. A chargeable identity reflecting the user
profile authenticated by the home network is needed in such roaming
scenarios.
Existing RADIUS servers that do not understand the CUI attribute The CUI support by RADIUS infrastructure is driven by the business
SHOULD silently discard the attribute. Use of the CUI is geared to requirements between roaming entities. Therefore whether a RADIUS
multi-identity EAP authentications which are, for the most part, server/proxy or client accepts or rejects the presence or lack of
recent deployments. presence of the CUI attribute is a matter of business policy.
Some other mechanisms have been proposed in place of the CUI Some other mechanisms have been proposed in place of the CUI
attribute. These mechanisms are insufficient or cause other attribute. These mechanisms are insufficient or cause other
problems. It has been suggested that standard RADIUS Class(25) or problems. It has been suggested that standard RADIUS Class(25) or
User-Name(1) attributes could be used to indicate the Chargeable User User-Name(1) attributes could be used to indicate the
Identity. However, in a complex global roaming environment where Chargeable-User-Identity. However, in a complex global roaming
there could be one or more intermediaries between the NAS and the environment where there could be one or more intermediaries between
home RADIUS server, the use of aforementioned attributes could lead the NAS and the home RADIUS server, the use of aforementioned
to problems as described below. attributes could lead to problems as described below.
- On use of RADIUS Class(25) attribute: - On use of RADIUS Class(25) attribute:
[RFC2865] states "This Attribute is available to be sent by the [RFC2865] states: "This Attribute is available to be sent by the
server to the client in an Access-Accept and SHOULD be sent server to the client in an Access-Accept and SHOULD be sent
unmodified by the client to the accounting server as part of the unmodified by the client to the accounting server as part of the
Accounting-Request packet if accounting is supported. The client Accounting-Request packet if accounting is supported. The client
MUST NOT interpret the attribute locally." So RADIUS clients for MUST NOT interpret the attribute locally." So RADIUS clients or
intermediaries MUST NOT interpret the Class(25) attribute, which intermediaries MUST NOT interpret the Class(25) attribute, which
precludes determining whether it contains a CUI. Additionally, precludes determining whether it contains a CUI. Additionally,
there could be multiple class attributes in a RADIUS packet with there could be multiple class attributes in a RADIUS packet with
unspecified ordering, which makes it hard to the entities outside unspecified ordering, which makes it hard to the entities outside
home network to determine which one contains the CUI. home network to determine which one contains the CUI.
- On use of RADIUS User-Name(1) - On use of RADIUS User-Name(1) attribute:
The home network could use User-Name(1) in the Access-Accept The home network could use User-Name(1) in the Access-Accept
message to convey the CUI to intermediaries and the NAS. However, message to convey the CUI to intermediaries and the NAS. However,
as the Access-Accept packet is routed to the NAS, the User-Name(1) as the Access-Accept packet is routed to the NAS, the User-Name(1)
attribute could be (completely) rewritten by an intermediary and attribute could be (completely) rewritten by an intermediary and
therefore the NAS or other intermediaries along the way will not therefore the NAS or other intermediaries along the way will not
have access to the CUI. Furthermore, the NAS may use the original have access to the CUI. Furthermore, the NAS may use the original
value of the User-Name(1) attribute (the one sent in the value of the User-Name(1) attribute (the one sent in the
Access-Request packet) in the Accounting-Request packets to ensure Access-Request packet) in the Accounting-Request packets to ensure
the billing follows the same path as authentication packets. the billing follows the same path as authentication packets.
The CUI attribute provides a solution to the above problem and avoids The CUI attribute provides a solution to the above problem and avoids
overloading the use of current RADIUS attributes (e.g., User-Name(1) overloading the use of current RADIUS attributes (e.g., User-Name(1)
re-write). CUI is the correct standards-based approach to fixing the re-write). The CUI is the correct standards-based approach to fixing
problems which have arisen with multiple-identity RADIUS the problems which have arisen with multiple-identity RADIUS
authorization and accounting methods. It does not solve all related authorization and accounting methods. It does not solve all related
problems, but does provide networks the ability to bill and oversee problems, but does provide networks the ability to bill and oversee
WPA networks against fraud. When the home network assigns a value to WPA networks against fraud. When the home network assigns a value to
the CUI, it asserts that this value represents a user in the home the CUI, it asserts that this value represents a user in the home
network. The assertion should be temporary. Long enough to be network. The assertion should be temporary. Long enough to be
useful for the external applications and not too long to such that it useful for the external applications and not too long such that it
can be used to identify the user. can be used to identify the user.
1.2 Terminology 1.2 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3GPP - Third Generation Partnership Program 3GPP - Third Generation Partnership Program
AAA - Authentication, Authorization and Accounting AAA - Authentication, Authorization and Accounting
CUI - Chargeable User Identity CUI - Chargeable-User-Identity
GSMA - GSM Association GSMA - GSM Association
IRAP - International Roaming Access Protocols Program IRAP - International Roaming Access Protocols Program
NAS - Network Access Server NAS - Network Access Server
PEAP - Protected Extensible Authentication Protocol PEAP - Protected Extensible Authentication Protocol
TTLS - Tunneled Transport Layer Security TTLS - Tunneled Transport Layer Security
WISPr - Wireless ISP Roaming WISPr - Wireless ISP Roaming
WPA - Wi-Fi Protected Access WPA - Wi-Fi Protected Access
2. Operation 2. Operation
This document assumes that the RADIUS protocol operates as specified This document assumes that the RADIUS protocol operates as specified
in [RFC2865], [RFC2866], and the Diameter protocol as specified in in [RFC2865], [RFC2866], dynamic authorization as specified in
[RFC3588]. [RFC3576], and the Diameter protocol as specified in [RFC3588].
2.1 Chargeable User Identity (CUI) Attribute 2.1 Chargeable-User-Identity (CUI) Attribute
This attribute serves as an alias to the user's identity. It is This attribute serves as an alias to the user's real identity. It is
assigned by the home RADIUS server and MAY be sent in Access-Accept provided by the home network as a suplemental or alternative
message. The NAS or the access network AAA server MUST include this information to User-Name(1). RADIUS clients (proxy or NAS) outside
attribute in the Accounting Requests (Start, Interim, and Stop) the home network MUST NOT modify the CUI attribute.
messages if it was included in the Access Accept message and
supported by the NAS. Entities (e.g., NASes, proxies) outside the
home network MUST NOT modify the CUI attribute. Servers which do not
understand the CUI attribute SHOULD silently discard the attribute.
The NAS MAY include the CUI attribute with a null character for its In accordance to business policies, the RADIUS server (a RADIUS
data field in the Access-Request message to indicate its support for proxy, home RADIUS server) may include the CUI attribute in the
this attribute to the home RADIUS server. In cases where the home Access-Accept message destined to a roaming partner.
RADIUS server cannot determine the NAS support for the CUI, if the
home RADIUS server requires the NAS support for CUI for any reason
(e.g., for billing or charging purposes), the home RADIUS server MUST
reject the request by sending an Access-Reject message including an
Error-Cause attribute [RFC3576] with value (to-be-defined) (decimal),
"CUI-Support-Undetermined". Otherwise, if the authentication is
successful, the home RADIUS server MUST send both the User-Name (1)
attribute and the CUI attribute, with the understanding that if the
NAS supports the CUI attribute the CUI attribute will override the
identity portion the User-Name (1) attribute. That is, the
User-Name(1) attribute will be used for routing and the CUI attribute
will be used for identity purposes.
If the RADIUS server includes this attribute in an Access-Accept If an Access-Accept message without the CUI attribute was received by
message it MAY also use this attribute as one of the identity a RADIUS client (NAS or Proxy) that requires the presence of the CUI
attributes in a Disconnect Message and Change of Authorization attribute, then the Access-Accept message MAY be treated as an
message defined by [RFC3576]. Access-Reject message based on local policies.
If the CUI was included in the Access-Accept message, RADIUS client
(Proxy or NAS) that supports the CUI attribute MUST ensure that the
CUI attribute appears in the RADIUS Accounting-Request (Start,
Interim, and Stop).
RADIUS client (Proxy or NAS) that does not support the CUI attribute
MAY ignore this attribute or MAY treat the Access-Accept as
Access-Reject.
If RADIUS client (Proxy or NAS) requires the presence of the CUI
attribute in the Access-Accept, it MUST indicate its requirement by
including this attribute with a nul character for its data field
(hereafter, it is also referred to as a nul CUI) in the
Access-Request message.
If a home RADIUS server that supports the CUI attribute receives an
Access-Request containing a nul CUI, it MUST include the CUI
attribute in the Access-Accept. Otherwise, if the Access-Request
does not contain a null CUI, the home RADIUS server MUST NOT include
the CUI attribute in the Access-Accept.
A RADIUS server (a RADIUS proxy or the home RADIUS server) that
requires the presence of the CUI in the Accounting-Response messages
(Start, Stop, Interims) MAY respond with an Access-Reject message if
it receives an Access-Request messsage from a RADIUS client, or proxy
chain that does not support the CUI attribute. The Access-Reject
message MUST include Error-Cause attribute [RFC3576] with value
(to-be-defined) (decimal), "CUI-Support-Required".
If the NAS supports CUI attribute then the CUI attribute MAY also be
used as one of the identity attribute in Disconnect Message and
Change of Authorization messages defined by [RFC3576]. Determination
of NAS support for the CUI is outside the scope of this document.
A summary of the RADIUS CUI Attribute is given below. A summary of the RADIUS CUI Attribute is given below.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | String... | Type | Length | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type: TBD for Chargeable User Identity. Type: TBD for Chargeable-User-Identity.
Length: >= 3 Length: >= 3
String: String:
The string identifies the CUI of the end-user and is of type The string identifies the CUI of the end-user and is of type
UTF8String. It consists two parts separated by a colon, ':'. The UTF8String. This string value is a reference to a particular
first part determines the CUI type and the second part is the user. The format and the interpretation of the string value , and
actual Chargeable User Identity value. The CUI type is coded as the binding lifetime of the reference to the user is determined
two octet strings representing a hexadecimal number. The CUI based on business agreements. For example, the lifetime can be
value must be at least one octet. In cases where the attribute is set to one billing period. In cases where the attribute is used
used to indicate the NAS support for the CUI, the string value to indicate the NAS support for the CUI, the string value contains
contains a null character. a nul character.
The following User-Identity types have been defined:
00 - E.164 number
The identifier is in international E.164 format (e.g.
MSISDN, according to the ITU-T E.164 numbering plan as defined
in [E164] and [CE164]).
01 - IMSI
The is in international IMSI format according to the ITU-T
E.212 numbering plan as defined in [E212] and [CE212]).
02 - SIP URI
The identifier is in the form of a SIP URI as defined in
[RFC3261].
03 - NAI
The identifier is in the form of a Network Access Identifier as
defined in [rfc2486bis].
04 - Opaque string
Opaque string is a value that is assigned to the user by the
home network in an unspecified format, where the home network
asserts that this value represents a particular user.
05 - reserved
The length of time for which the CUI is valid is outside of the
scope of this specification. It is assumed to be deployment
related. It should typically be long enough to serve some
business needs and short enough such that it minimizes the chance
of revealing the true identity of the user (either directly or
indirectly).
Below are examples of CUI strings with NAI and E.164 Charging
Types:
"03:charging-id@realm.org"
"00:+4689761234"
"04:charging-id"
The real user identity SHOULD NOT be revealed through this 3. Attribute Table
attribute. However, the value of this attribute is determined by
the service provider.
The following table provides a guide to which attribute(s) may be The following table provides a guide to which attribute(s) may be
found in which kinds of packets, and in what quantity. found in which kinds of packets, and in what quantity.
Request Accept Reject Challenge Accounting # Attribute Request Accept Reject Challenge Accounting # Attribute
Request Request
0-1 0-1 0 0 0-1 TBD Chargeable User ID 0-1 0-1 0 0 0-1 TBD Chargeable-User-identity
0 0 0-1 0 0 101 Error-Cause
[Note 1] If the Access-Accept contains CUI then the NAS MUST include [Note 1] If the Access-Accept contains CUI then the NAS MUST include
the CUI in Accounting Requests (Start, Interim and Stop) packets. the CUI in Accounting Requests (Start, Interim and Stop) packets.
[Note 2] The Error-Cause attribute is defined in [RFC3576].
Change of Authorization and Disconnect-Request Change of Authorization and Disconnect-Request
Request ACK NAK # Attribute Request ACK NAK # Attribute
0-1 0 0 TBD Chargeable User 0-1 0 0 TBD Chargeable-User-Identity
[Note 2] Where CUI attribute is included in Disconnect-Request or [Note 3] Where CUI attribute is included in Disconnect-Request or
CoA-Request messages, it is used for session identification purposes CoA-Request messages, it is used for session identification purposes
only. This attribute MUST NOT be used for purposes other than only. This attribute MUST NOT be used for purposes other than
identification (e.g. within CoA-Request messages to request identification (e.g. within CoA-Request messages to request
authorization changes). authorization changes).
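As an added worked example (not code from the draft or from any RADIUS implementation), the following Python encodes and decodes the CUI attribute, parses the -00 typed string form, and walks the -01 rules for the nul CUI in the Access-Request, the home server's Access-Accept, the client's handling of a CUI-less accept, and the copy into the Accounting-Request. It assumes attribute number 89 (TBD on the page; the number IANA later assigned in RFC 4372), a constructed placeholder for the TBA Error-Cause value, and constructed sample identities.

```python
import struct
from typing import List, Optional, Tuple

# Attribute numbers. The draft leaves the CUI type TBD; 89 is the number IANA
# later assigned in RFC 4372. Error-Cause(101) is defined in RFC 3576.
CUI_TYPE = 89
USER_NAME_TYPE = 1
ERROR_CAUSE_TYPE = 101
CUI_SUPPORT_REQUIRED = 0xFFFF   # PLACEHOLDER: the Error-Cause value is TBA on the page
NUL_CUI = b"\x00"               # a single nul octet is the "nul CUI" (signals support)

# The -00 string form "<two hex digits>:<value>" and its type codes (dropped in -01).
CUI_00_TYPES = {"00": "E.164", "01": "IMSI", "02": "SIP URI",
                "03": "NAI", "04": "Opaque string"}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type | Length | Value; Length counts the two header octets (RFC 2865)."""
    length = 2 + len(value)
    if not 0 <= attr_type <= 255 or length > 255:
        raise ValueError("attribute type or length out of range")
    return struct.pack("!BB", attr_type, length) + value


def encode_cui(cui: Optional[str]) -> bytes:
    """Encode a CUI attribute; None encodes the nul CUI (Length == 3)."""
    value = NUL_CUI if cui is None else cui.encode("utf-8")
    if len(value) < 1:          # draft: Length >= 3, i.e. at least one string octet
        raise ValueError("CUI string must be at least one octet")
    return encode_attr(CUI_TYPE, value)


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse an attribute list, refusing truncated or under-length attributes."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def find(attrs: List[Tuple[int, bytes]], attr_type: int) -> List[bytes]:
    return [v for t, v in attrs if t == attr_type]


def parse_typed_cui(s: str) -> Tuple[str, str]:
    """Split a -00 style CUI string such as "03:charging-id@realm.org"."""
    kind, sep, value = s.partition(":")
    if sep != ":" or kind not in CUI_00_TYPES or not value:
        raise ValueError("malformed typed CUI string")
    return CUI_00_TYPES[kind], value


def home_server_response(request: bytes, assigned_cui: str,
                         require_cui_support: bool) -> Tuple[str, bytes]:
    """-01 home server rule: nul CUI in the request -> CUI MUST be in the accept;
    no nul CUI -> CUI MUST NOT be sent, or reject with Error-Cause if CUI is required."""
    cuis = find(decode_attrs(request), CUI_TYPE)
    if any(v == NUL_CUI for v in cuis):
        return "Access-Accept", encode_cui(assigned_cui)
    if require_cui_support:
        cause = struct.pack("!I", CUI_SUPPORT_REQUIRED)
        return "Access-Reject", encode_attr(ERROR_CAUSE_TYPE, cause)
    return "Access-Accept", b""


def client_handle_accept(accept_attrs: bytes,
                         requires_cui: bool) -> Tuple[str, Optional[str]]:
    """NAS/proxy rule: a CUI-less Access-Accept MAY be treated as a reject."""
    cuis = find(decode_attrs(accept_attrs), CUI_TYPE)
    if not cuis:
        return ("Access-Reject" if requires_cui else "Access-Accept"), None
    return "Access-Accept", cuis[0].decode("utf-8")


def accounting_request(cui: Optional[str], user_name: str) -> bytes:
    """Accounting-Request attributes; the CUI from the Access-Accept is copied unmodified."""
    attrs = encode_attr(USER_NAME_TYPE, user_name.encode("utf-8"))
    if cui is not None:
        attrs += encode_cui(cui)
    return attrs


def roaming_exchange(nas_supports_cui: bool,
                     assigned_cui: str = "charging-id@realm.org"):
    """One roaming flow: anonymous NAS request -> home server -> NAS accounting."""
    req = encode_attr(USER_NAME_TYPE, b"@example.com")   # routing-only identity
    if nas_supports_cui:
        req += encode_cui(None)                          # nul CUI advertises support
    code, attrs = home_server_response(req, assigned_cui, require_cui_support=True)
    if code != "Access-Accept":
        return code, None, None
    code, cui = client_handle_accept(attrs, requires_cui=True)
    return code, cui, accounting_request(cui, "@example.com")
```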
3. Diameter RADIUS Interoperability 4. Diameter RADIUS Interoperability
In deployments with both RADIUS and Diameter interworking, a In deployments with both RADIUS and Diameter interworking, a
translation agent will be deployed and operate in accordance to the translation agent will be deployed and operate in accordance to the
NASREQ specification. The Diameter Credit-Control Application's NASREQ specification.
specifies a similar concept, the Subscription-ID AVP [DiameterCC].
4. IANA Considerations 5. IANA Considerations
This document instructs IANA to assign a new RADIUS attribute number 5.1 CUI RADIUS Attribute
for the CUI attribute.
5. Security considerations This document uses the RADIUS [RFC2865] namespace, see
"http://www.iana.org/assignments/radius-types". This document
instructs IANA to assign a new RADIUS attribute number for the CUI
attribute.
CUI TBA
5.2 Error-Cause Attribute
This document instructs IANA to assign a new Error-Cause attribute
[RFC3576],
"CUI-Support-Required" TBA
6. Security considerations
The CUI attribute must be protected against Man-in-the-Middle The CUI attribute must be protected against Man-in-the-Middle
attacks. The CUI appears in Access-Accept and Accounting Requests attacks. The CUI appears in Access-Accept and Accounting-Requests
packets and is protected by the mechanisms that are defined for packets and is protected by the mechanisms that are defined for
RADIUS [RFC2865] and [RFC2866]. Therefore there are no additional RADIUS [RFC2865] and [RFC2866]. Therefore there are no additional
security considerations beyond those already identified in [RFC2865] security considerations beyond those already identified in [RFC2865]
and [RFC2866]. and [RFC2866].
Message-Authenticator(80) and Event-Timestamp can be used to further Message-Authenticator(80) and Event-Timestamp(55) can be used to
protect against Man-in-the-middle attacks. further protect against Man-in-the-middle attacks.
In this document, entities outside the home network are required not
to modify the value of this attribute, however there are no
provisions for protecting against or detecting that a RADIUS Proxy
has modified the attribute.
As the CUI contains an identity that can be used for authorizing and It is strongly recommended that the CUI form used is such that the
accounting of services, this attribute must be protected against real user identity is not revealed. Furthermore, where a reference
snooping. is used to a real user identity, the binding lifetime of that
reference to the real user be kept as short as possible.
6. Acknowledgements 7. Acknowledgements
The authors would like to thank Jari Arkko, Bernard Aboba, David The authors would like to thank Jari Arkko, Bernard Aboba, David
Nelson, Blair Bullock, Sami Ala-Luukko, Lothar Reith, David Nelson, Barney Wolff, Blair Bullock, Sami Ala-Luukko, Lothar Reith,
Mariblanca, Eugene Chang, Greg Weber, and Mark Grayson, for their David Mariblanca, Eugene Chang, Greg Weber, and Mark Grayson, for
feedback and guidance. their feedback and guidance.
7. References 8. References
7.1 Normative references 8.1 Normative references
[RFC2865] Rigney, C., Willens, S., Rubens, A. and W. Simpson, [RFC2865] Rigney, C., Willens, S., Rubens, A. and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", RFC "Remote Authentication Dial In User Service (RADIUS)", RFC
2865, June 2000. 2865, June 2000.
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[rfc2486bis] [rfc2486bis]
Aboba, B., Beadles, M., Arkko, J. and P. Eronen, "The Aboba, B., Beadles, M., Arkko, J. and P. Eronen, "The
Network Access Identifier", Network Access Identifier",
draft-arkko-roamops-rfc2486bis-02 (work in progress), July draft-arkko-roamops-rfc2486bis-02 (work in progress), July
2004. 2004.
[E164] "The International Public Telecommunication Numbering 8.2 Informative references
Plan", , May 1997.
[CE164] "List of ITU-T Recommendation E.164 assigned country
codes", , June 2000.
[E212] "The international identification plan for mobile
terminals and mobile users", , November 1998.
[CE212] "List of mobile country or geographical area codes", ,
February 1999.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M. and E. Schooler,
"SIP: Session Initiation Protocol", RFC 3261, June 2002.
7.2 Informative references
[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B.
Aboba, "Dynamic Authorization Extensions to Remote Aboba, "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", RFC 3576, Authentication Dial In User Service (RADIUS)", RFC 3576,
July 2003. July 2003.
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G. and J. [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G. and J.
Arkko, "Diameter Base Protocol", RFC 3588, September 2003. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
[DiameterCC]
Hakala, H., Koskinen, j., Stura, M. and J. Loughney, "The
Network Access Identifier",
draft-ietf-aaa-diameter-cc-06.txt (work in progress),
July 2004.
Authors' Addresses Authors' Addresses
Farid Adrangi Farid Adrangi
Intel Corporation Intel Corporation
2111 N.E. 25th Avenue 2111 N.E. 25th Avenue
Hillsboro, OR 97124 Hillsboro, OR 97124
USA USA
Phone: +1 503-712-1791 Phone: +1 503-712-1791
EMail: farid.adrangi@intel.com EMail: farid.adrangi@intel.com
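Review bot: in the -01 text of section 2.1, the paragraph beginning "A RADIUS server (a RADIUS proxy or the home RADIUS server) that requires the presence of the CUI in the Accounting-Response messages (Start, Stop, Interims)" should read Accounting-Request; the attribute table and [Note 1] only ever place the CUI in Accounting-Request packets. The same section also states both that a server "may include the CUI attribute in the Access-Accept message destined to a roaming partner" according to business policy and, later, that without a nul CUI in the Access-Request the home server "MUST NOT include the CUI attribute in the Access-Accept"; one of the two sentences needs to defer to the other. Minor: "suplemental" and "messsage" are misspelled, "In accordance to" should be "In accordance with", and "nul CUI" and "null CUI" are both used for the same thing.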
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/