draft-ietf-radext-chargeable-user-id-03.txt vs. draft-ietf-radext-chargeable-user-id-04.txt
(text that differs between the two versions is shown as "-03:" / "-04:")

Network Working Group                                        F. Adrangi
Internet-Draft                                                    Intel
Expires: September 2, 2005 (-03) / September 23, 2005 (-04)     A. Lior
                                                    Bridgewater Systems
                                                            J. Korhonen
                                                            Teliasonera
                                                            J. Loughney
                                                                  Nokia
                                March 2005 (-03) / March 22, 2005 (-04)

                       Chargeable User Identity
             draft-ietf-radext-chargeable-user-id-03 (-03)
             draft-ietf-radext-chargeable-user-id-04 (-04)
Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she become aware will be disclosed, in accordance with
   RFC 3668.

   [skipping to change at page 1, line 40 (-03) / line 41 (-04)]

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   -03: This Internet-Draft will expire on September 2, 2005.
   -04: This Internet-Draft will expire on September 23, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).
Abstract

   This document describes a new RADIUS attribute,
   Chargeable-User-Identity.  This attribute can be used by a home
   network to identify a user for the purpose of roaming transactions

   [skipping to change at page 3, line 14]
1.  Introduction

   Some authentication methods, including EAP-PEAP, EAP-TTLS, EAP-SIM
   and EAP-AKA, can hide the true identity of the user from RADIUS
   servers outside of the user's home network.  In these methods, the
   User-Name(1) attribute contains an anonymous identity (e.g.,
   @example.com) sufficient to route the RADIUS packets to the home
   network but otherwise insufficient to identify the user.  While this
   mechanism is good practice in some circumstances, there are problems
   -03: if local and intermediate networks require a user identity.
   -04: if local and intermediate networks require a surrogate identity
        to bind the current session.

   This document introduces an attribute that serves as an alias or
   handle (hereafter, it is called Chargeable-User-Identity) to the real
   user's identity.  Chargeable-User-Identity can be used outside the
   home network in scenarios that traditionally relied on User-Name(1)
   to correlate a session to a user.

   For example, local or intermediate networks may limit the number of
   simultaneous sessions for specific users; they may require a
   Chargeable-User-Identity in order to demonstrate willingness to pay
   or otherwise limit the potential for fraud.

   -03: This implies that an authenticated and unique identity provided
        by the home network should be able to be conveyed to all parties
        involved in the roaming transaction for correlating the
        authentication and accounting packets.
   -04: This implies that a unique identity provided by the home network
        should be able to be conveyed to all parties involved in the
        roaming transaction for correlating the authentication and
        accounting packets.

   Providing a unique identity, Chargeable-User-Identity (CUI), to
   intermediaries, is necessary to fulfill certain business needs.  This
   should not undermine the anonymity of the user.  The mechanism
   provided by this draft allows the home operator to meet these
   business requirements by providing a temporary identity representing
   the subscriber and at the same time protecting the anonymity of the
   subscriber.

   When the home network assigns a value to the CUI, it asserts that

   [skipping to change at page 4, line 7 (-03) / line 8 (-04)]
   Several organizations, including WISPr, GSMA, 3GPP, Wi-Fi Alliance,
   IRAP, have been studying mechanisms to provide roaming services,
   using RADIUS.  Missing elements include mechanisms for billing and
   fraud prevention.

   The CUI attribute is intended to close operational loopholes in
   RADIUS specifications that have impacted roaming solutions
   negatively.  Use of the CUI is geared toward EAP methods supporting
   privacy (such as PEAP and EAP-TTLS), which are, for the most part,
   recent deployments.
   -03: A chargeable identity reflecting the user profile authenticated
        by the home network is needed in such roaming scenarios.
   -04: A chargeable identity reflecting the user profile by the home
        network is needed in such roaming scenarios.
1.1  Motivation

   Some other mechanisms have been proposed in place of the CUI
   attribute.  These mechanisms are insufficient or cause other
   problems.  It has been suggested that standard RADIUS Class(25) or
   User-Name(1) attributes could be used to indicate the CUI.  However,
   in a complex global roaming environment where there could be one or
   more intermediaries between the NAS and the home RADIUS server, the
   use of aforementioned attributes could lead to problems as described

   [skipping to change at page 7, line 8]
   |     Type      |    Length     |  String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type:

      TBD for Chargeable-User-Identity.

   Length:

      >= 3

   String:

      -03: The string identifies the CUI of the end-user and is of type
           UTF8String.  This string value is a reference to a particular
           user.  The format and the interpretation of the string value,
           and the binding lifetime of the reference to the user is
           determined based on business agreements.  For example, the
           lifetime can be set to one billing period.  In cases where
           the attribute is used to indicate the NAS support for the
           CUI, the string value contains a nul character.

      -04: The string identifies the CUI of the end-user and is of type
           UTF8String.  This string value is a reference to a particular
           user.  The format and content of the string value is
           determined by the Home RADIUS server.  The binding lifetime
           of the reference to the user is determined based on business
           agreements.  For example, the lifetime can be set to one
           billing period.  RADIUS entities other than the Home RADIUS
           server MUST treat the CUI content as an opaque token, and
           SHOULD NOT perform operations on its content other than a
           binary equality comparison test, between two instances of
           CUI.  In cases where the attribute is used to indicate the
           NAS support for the CUI, the string value contains a nul
           character.
3.  Attribute Table

   The following table provides a guide to which attribute(s) may be
   found in which kinds of packets, and in what quantity.

   Request  Accept  Reject  Challenge  Accounting  #    Attribute
                                       Request
   0-1      0-1     0       0          0-1         TBD  Chargeable-User-Identity
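The attribute layout, the single-nul "NAS supports CUI" convention, the -04 opaque-token rule for non-home entities and the at-most-one-per-packet limit from the table above, worked through as an added Python example (not code from the draft or its authors). The attribute number is a placeholder because the draft says TBD; the sample attribute list and the CUI value are constructed, and constant-time comparison via hmac.compare_digest is this example's choice, not a requirement of the draft.

```python
import hmac
CUI_TYPE = 0xFF  # placeholder: the draft says "TBD"; an assumption for this example

def encode_attr(attr_type: int, value: bytes) -> bytes:
    # Type | Length | String; Length counts the Type and Length octets, so a
    # one-octet string gives Length 3, the minimum the draft states.
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute string must be 1..253 octets")
    return bytes([attr_type, 2 + len(value)]) + value

def home_server_cui(token: str) -> bytes:
    # Only the Home RADIUS server chooses the UTF8String content.
    return encode_attr(CUI_TYPE, token.encode("utf-8"))

def nas_cui_support_indication() -> bytes:
    # A CUI whose string is a single nul octet says "this NAS supports CUI".
    return encode_attr(CUI_TYPE, b"\x00")

def sample_accept_attrs() -> bytes:
    # Constructed attribute list: the anonymous User-Name(1) plus a home-minted CUI.
    return encode_attr(1, b"@example.com") + home_server_cui("7f3a9c")

def parse_attrs(blob: bytes) -> list:
    # Walk a RADIUS attribute list into (type, string) pairs, rejecting
    # truncated attributes and any Length below 3.
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs

def extract_cui(blob: bytes):
    # Intermediary side: the string stays opaque bytes (never decoded);
    # Section 3 permits at most one CUI per packet.
    cuis = [s for t, s in parse_attrs(blob) if t == CUI_TYPE]
    if len(cuis) > 1:
        raise ValueError("more than one Chargeable-User-Identity in packet")
    return cuis[0] if cuis else None

def is_support_indication(cui: bytes) -> bool:
    return cui == b"\x00"

def same_cui(a: bytes, b: bytes) -> bool:
    # The one operation an intermediary performs: binary equality.
    return hmac.compare_digest(a, b)
```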
End of changes.

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/