draft-ietf-radext-chargeable-user-id-04.txt   draft-ietf-radext-chargeable-user-id-05.txt 
Network Working Group F. Adrangi Network Working Group F. Adrangi
Internet-Draft Intel Internet-Draft Intel
Expires: September 23, 2005 A. Lior Expires: October 3, 2005 A. Lior
Bridgewater Systems Bridgewater Systems
J. Korhonen J. Korhonen
Teliasonera Teliasonera
J. Loughney J. Loughney
Nokia Nokia
March 22, 2005 April 2005
Chargeable User Identity Chargeable User Identity
draft-ietf-radext-chargeable-user-id-04 draft-ietf-radext-chargeable-user-id-05
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions This document is an Internet-Draft and is subject to all provisions
of Section 3 of RFC 3667. By submitting this Internet-Draft, each of Section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with which he or she become aware will be disclosed, in accordance with
RFC 3668. RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as Internet-
Internet-Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 23, 2005. This Internet-Draft will expire on October 3, 2005.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2005).
Abstract Abstract
This document describes a new RADIUS attribute, This document describes a new RADIUS attribute, Chargeable-User-
Chargeable-User-Identity. This attribute can be used by a home Identity. This attribute can be used by a home network to identify a
network to identify a user for the purpose of roaming transactions user for the purpose of roaming transactions that occur outside of
that occur outside of the home network. the home network.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.2 Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1 Chargeable-User-Identity (CUI) Attribute . . . . . . . . . 5 2.1 Chargeable-User-Identity (CUI) Attribute . . . . . . . . . 5
2.2 CUI Attribute . . . . . . . . . . . . . . . . . . . . . . 6 2.2 CUI Attribute . . . . . . . . . . . . . . . . . . . . . . 7
3. Attribute Table . . . . . . . . . . . . . . . . . . . . . . . 7 3. Attribute Table . . . . . . . . . . . . . . . . . . . . . . . 7
4. Diameter Consideration . . . . . . . . . . . . . . . . . . . . 7 4. Diameter Consideration . . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
6. Security considerations . . . . . . . . . . . . . . . . . . . 7 6. Security considerations . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
8.1 Normative references . . . . . . . . . . . . . . . . . . . 8 8.1 Normative references . . . . . . . . . . . . . . . . . . . 8
8.2 Informative references . . . . . . . . . . . . . . . . . . 8 8.2 Informative references . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 9
Intellectual Property and Copyright Statements . . . . . . . . 10 Intellectual Property and Copyright Statements . . . . . . . . 11
1. Introduction 1. Introduction
Some authentication methods, including EAP-PEAP, EAP-TTLS, EAP-SIM Some authentication methods, including EAP-PEAP, EAP-TTLS, EAP-SIM
and EAP-AKA, can hide the true identity of the user from RADIUS and EAP-AKA, can hide the true identity of the user from RADIUS
servers outside of the user's home network. In these methods, the servers outside of the user's home network. In these methods, the
User-Name(1) attribute contains an anonymous identity (e.g., User-Name(1) attribute contains an anonymous identity (e.g.,
@example.com) sufficient to route the RADIUS packets to the home @example.com) sufficient to route the RADIUS packets to the home
network but otherwise insufficient to identify the user. While this network but otherwise insufficient to identify the user. While this
mechanism is good practice in some circumstances, there are problems mechanism is good practice in some circumstances, there are problems
skipping to change at page 3, line 38 skipping to change at page 3, line 38
This implies that a unique identity provided by the home network This implies that a unique identity provided by the home network
should be able to be conveyed to all parties involved in the roaming should be able to be conveyed to all parties involved in the roaming
transaction for correlating the authentication and accounting transaction for correlating the authentication and accounting
packets. packets.
Providing a unique identity, Chargeable-User-Identity (CUI), to Providing a unique identity, Chargeable-User-Identity (CUI), to
intermediaries, is necessary to fulfill certain business needs. This intermediaries, is necessary to fulfill certain business needs. This
should not undermine the anonymity of the user. The mechanism should not undermine the anonymity of the user. The mechanism
provided by this draft allows the home operator to meet these provided by this draft allows the home operator to meet these
business requirements by providing a temporary identity representing business requirements by providing a temporary identity representing
the subscriber and at the same time protecting the anonymity of the the user and at the same time protecting the anonymity of the user.
subscriber.
When the home network assigns a value to the CUI, it asserts that When the home network assigns a value to the CUI, it asserts that
this value represents a user in the home network. The assertion this value represents a user in the home network. The assertion
should be temporary. Long enough to be useful for the external should be temporary. Long enough to be useful for the external
applications and not too long such that it can be used to identify applications and not too long such that it can be used to identify
the user. the user.
Several organizations, including WISPr, GSMA, 3GPP, Wi-Fi Alliance, Several organizations, including WISPr, GSMA, 3GPP, Wi-Fi Alliance,
IRAP, have been studying mechanisms to provide roaming services, IRAP, have been studying mechanisms to provide roaming services,
using RADIUS. Missing elements include mechanisms for billing and using RADIUS. Missing elements include mechanisms for billing and
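Review bot: The paragraph starting "When the home network assigns a value to the CUI" still carries a sentence fragment in both columns ("Long enough to be useful for the external applications and not too long such that it can be used to identify the user."); since the lifetime of that binding is the privacy control this draft relies on (see Security Considerations), the sentence should be precise, e.g. "The assertion should be temporary: long enough to be useful to the external applications, but not so long that it can be used to identify the user." The "subscriber" to "user" change in the preceding paragraph is a welcome consistency fix.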
skipping to change at page 4, line 44 skipping to change at page 4, line 43
- On the use of RADIUS User-Name(1) attribute: - On the use of RADIUS User-Name(1) attribute:
The User-Name(1) attribute included in the Access-Request packet The User-Name(1) attribute included in the Access-Request packet
may be used for the purpose of routing the Access-Request packet, may be used for the purpose of routing the Access-Request packet,
and in the process may be rewritten by intermediaries. As a and in the process may be rewritten by intermediaries. As a
result, a RADIUS server receiving an Access-Request packet relayed result, a RADIUS server receiving an Access-Request packet relayed
by a proxy cannot assume that the User-Name(1) attribute remained by a proxy cannot assume that the User-Name(1) attribute remained
unmodified. unmodified.
On the other hand, rewriting of a User-Name(1) attribute sent On the other hand, rewriting of a User-Name(1) attribute sent
within an Access-Accept packet occurs more rarely, since a within an Access-Accept packet occurs more rarely, since a Proxy-
Proxy-State(33) attribute can be used to route the Access-Accept State(33) attribute can be used to route the Access-Accept packet
packet without parsing the User-Name(1) attribute. As a result, a without parsing the User-Name(1) attribute. As a result, a RADIUS
RADIUS server cannot assume that a proxy stripping routing server cannot assume that a proxy stripping routing information
information from a User-Name(1) attribute within an Access-Request from a User-Name(1) attribute within an Access-Request packet will
packet will add this information to a User-Name(1) attribute add this information to a User-Name(1) attribute included within
included within an Access-Accept packet. The result is that when an Access-Accept packet. The result is that when a User-Name(1)
a User-Name(1) attribute is sent in an Access-Accept packet it is attribute is sent in an Access-Accept packet it is possible that
possible that the Access-Request packet and Accounting-Request the Access-Request packet and Accounting-Request packets will
packets will follow different paths. Where this outcome is follow different paths. Where this outcome is undesirable, the
undesirable, the RADIUS client should use the original RADIUS client should use the original User-Name(1) in accounting
User-Name(1) in accounting packets. Therfore, another mechanism packets. Therefore, another mechanism is required to convey a CUI
is required to convey a CUI within an Access-Accept packet to the within an Access-Accept packet to the RADIUS client, so that the
RADIUS client, so that the CUI can be included in the accounting CUI can be included in the accounting packets.
packets.
The CUI attribute provides a solution to the above problems and The CUI attribute provides a solution to the above problems and
avoids overloading RADIUS User-Name(1) attribute or changing the avoids overloading RADIUS User-Name(1) attribute or changing the
usage of existing RADIUS Class(25) attribute. The CUI therefore usage of existing RADIUS Class(25) attribute. The CUI therefore
provides a standard approach to billing and fraud prevention when EAP provides a standard approach to billing and fraud prevention when EAP
methods supporting privacy are used. It does not solve all related methods supporting privacy are used. It does not solve all related
problems, but does provide for billing and fraud prevention. problems, but does provide for billing and fraud prevention.
1.2 Terminology 1.2 Terminology
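Review bot: The "Therfore" typo fix is the only change in this region; while editing here, the closing paragraph says the same thing twice ("The CUI therefore provides a standard approach to billing and fraud prevention ..." and "... but does provide for billing and fraud prevention.") and the two sentences could be collapsed into one. Also "avoids overloading RADIUS User-Name(1) attribute or changing the usage of existing RADIUS Class(25) attribute" is missing its articles ("the RADIUS User-Name(1) attribute", "the existing RADIUS Class(25) attribute").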
skipping to change at page 5, line 46 skipping to change at page 5, line 44
2. Operation 2. Operation
This document assumes that the RADIUS protocol operates as specified This document assumes that the RADIUS protocol operates as specified
in [RFC2865], [RFC2866], dynamic authorization as specified in in [RFC2865], [RFC2866], dynamic authorization as specified in
[RFC3576], and the Diameter protocol as specified in [RFC3588]. [RFC3576], and the Diameter protocol as specified in [RFC3588].
2.1 Chargeable-User-Identity (CUI) Attribute 2.1 Chargeable-User-Identity (CUI) Attribute
The CUI attribute serves as an alias to the user's real identity, The CUI attribute serves as an alias to the user's real identity,
representing a chargeable identity as defined and provided by the representing a chargeable identity as defined and provided by the
home network as a supplemental or alternative information to home network as a supplemental or alternative information to User-
User-Name(1). Typically the CUI represents the identity of the Name(1). Typically the CUI represents the identity of the actual
actual user but it may also indicate other chargeable identities such user but it may also indicate other chargeable identities such as a
as a group of users. RADIUS clients (proxy or NAS) outside the home group of users. RADIUS clients (proxy or NAS) outside the home
network MUST NOT modify the CUI attribute. network MUST NOT modify the CUI attribute.
The RADIUS server (a RADIUS proxy, home RADIUS server) may include The RADIUS server (a RADIUS proxy, home RADIUS server) may include
the CUI attribute in the Access-Accept packet destined to a roaming the CUI attribute in the Access-Accept packet destined to a roaming
partner. The CUI support by RADIUS infrastructure is driven by the partner. The CUI support by RADIUS infrastructure is driven by the
business requirements between roaming entities. Therefore a RADIUS business requirements between roaming entities. Therefore a RADIUS
server supporting this specification may not choose to send the CUI server supporting this specification may choose not to send the CUI
in response to an Access-Request packet from a given NAS, even if the in response to an Access-Request packet from a given NAS, even if the
NAS has indicated that it supports CUI. NAS has indicated that it supports CUI.
If an Access-Accept packet without the CUI attribute was received by If an Access-Accept packet without the CUI attribute was received by
a RADIUS client that requested the CUI attribute, then the a RADIUS client that requested the CUI attribute, then the Access-
Access-Accept packet MAY be treated as an Access-Reject. Accept packet MAY be treated as an Access-Reject.
If the CUI was included in an Access-Accept packet, RADIUS clients If the CUI was included in an Access-Accept packet, RADIUS clients
supporting the CUI attribute MUST ensure that the CUI attribute supporting the CUI attribute MUST ensure that the CUI attribute
appears in the RADIUS Accounting-Request (Start, Interim, and Stop). appears in the RADIUS Accounting-Request (Start, Interim, and Stop).
RFC 2865 includes the following statements about behaviors of RADIUS RFC 2865 includes the following statements about behaviors of RADIUS
client and server with respect to unsupported attributes: client and server with respect to unsupported attributes:
- "A RADIUS client MAY ignore Attributes with an unknown Type." - "A RADIUS client MAY ignore Attributes with an unknown Type."
- "A RADIUS server MAY ignore Attributes with an unknown Type." - "A RADIUS server MAY ignore Attributes with an unknown Type."
Therefore, RADIUS clients or servers that do not support the CUI may Therefore, RADIUS clients or servers that do not support the CUI may
ignore the attribute. A RADIUS client requesting the CUI attribute ignore the attribute.
in an Access-Accept packet MUST include within the Access-Request
packet a CUI attribute with a single NUL character (referred to as a A RADIUS client requesting the CUI attribute in an Access-Accept
nul CUI). packet MUST include within the Access-Request packet a CUI attribute.
For the initial authentication, the CUI attribute will include a
single NUL character (referred to as a nul CUI). And, during re-
authentication, the CUI attribute will include a previously received
CUI value (referred as a non-nul CUI value) in the Access-Accept.
Upon receiving a non-nul CUI value in an Access-Request the home
RADIUS server MAY verify that the value of CUI matches the CUI from
the previous Access-Accept. If the verification fails, then the
RADIUS server SHOULD respond with an Access-Reject message.
If a home RADIUS server that supports the CUI attribute receives an If a home RADIUS server that supports the CUI attribute receives an
Access-Request packet containing a CUI (set to nul or otherwise), it Access-Request packet containing a CUI (set to nul or otherwise), it
MUST include the CUI attribute in the Access-Accept packet. MUST include the CUI attribute in the Access-Accept packet.
Otherwise, if the Access-Request packet does not contain a CUI, the Otherwise, if the Access-Request packet does not contain a CUI, the
home RADIUS server MUST NOT include the CUI attribute in the home RADIUS server SHOULD NOT include the CUI attribute in the
Access-Accept packet. Access-Accept packet. The Access-Request may be sent either in the
initial authentication or during re-authentication.
A NAS that requested the CUI during re-authentication by including
the CUI in the Access-Request, will receive the CUI in the Access-
Accept. The NAS MUST include the value of that CUI in all Accounting
Messages.
2.2 CUI Attribute 2.2 CUI Attribute
A summary of the RADIUS CUI Attribute is given below. A summary of the RADIUS CUI Attribute is given below.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | String... | Type | Length | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
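Review bot: Relaxing "MUST NOT include the CUI attribute" to "SHOULD NOT" for the case where the Access-Request carried no CUI needs a stated exception, otherwise the relaxation is unbounded; if the intent is to let a server send a CUI to a NAS that did not ask for one, say when that is permitted and note that a client without CUI support will ignore it per the RFC 2865 text quoted in this section. The new re-authentication text leaves two gaps. First, the server "MUST include the CUI attribute in the Access-Accept packet" whenever the request carried a CUI, but the text never says which value: it should state that the home server always assigns the value itself and never copies the value received in the Access-Request, because that value is not protected end to end (the Security Considerations admit that modification by intermediaries cannot be detected). Second, verifying the echoed CUI is a MAY while rejecting on mismatch is a SHOULD; if verification is optional, say what an unverified, non-matching CUI in the request means for accounting correlation, and whether the CUI returned on re-authentication may differ from the one the NAS sent (the Security Considerations call for short binding lifetimes, so it can). Minor: "(referred as a non-nul CUI value)" should read "(referred to as ...)", and "A NAS that requested the CUI during re-authentication by including the CUI in the Access-Request, will receive" has a stray comma.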
skipping to change at page 8, line 11 skipping to change at page 8, line 25
It is strongly recommended that the CUI format used is such that the It is strongly recommended that the CUI format used is such that the
real user identity is not revealed. Furthermore, where a reference real user identity is not revealed. Furthermore, where a reference
is used to a real user identity, the binding lifetime of that is used to a real user identity, the binding lifetime of that
reference to the real user be kept as short as possible. reference to the real user be kept as short as possible.
The RADIUS entities (RADIUS proxies and clients)outside the home The RADIUS entities (RADIUS proxies and clients)outside the home
netowrk MUST NOT modify the CUI. However, there is no way to detect netowrk MUST NOT modify the CUI. However, there is no way to detect
or prevent this. or prevent this.
If the NAS includes CUI in an Access-Request packet, a If the NAS includes CUI in an Access-Request packet, a man-in-the-
man-in-the-middle may remove it. This will cause the Access-Accept middle may remove it. This will cause the Access-Accept packet to
packet to not include a CUI attribute, which may cause the NAS to not include a CUI attribute, which may cause the NAS to reject the
reject the session. To prevent such a DoS attack, the NAS SHOULD session. To prevent such a DoS attack, the NAS SHOULD include a
include a Message-Authenticator(80) attribute within Access-Request Message-Authenticator(80) attribute within Access-Request packets
packets containing a CUI attribute. containing a CUI attribute.
7. Acknowledgements 7. Acknowledgements
The authors would like to thank Jari Arkko, Bernard Aboba, David The authors would like to thank Jari Arkko, Bernard Aboba, David
Nelson, Barney Wolff, Blair Bullock, Sami Ala-Luukko, Lothar Reith, Nelson, Barney Wolff, Blair Bullock, Sami Ala-Luukko, Lothar Reith,
David Mariblanca, Eugene Chang, Greg Weber, and Mark Grayson, for David Mariblanca, Eugene Chang, Greg Weber, and Mark Grayson, for
their feedback and guidance. their feedback and guidance.
8. References 8. References
8.1 Normative references 8.1 Normative references
[RFC2865] Rigney, C., Willens, S., Rubens, A. and W. Simpson, [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", "Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000. RFC 2865, June 2000.
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[rfc2486bis] [rfc2486bis]
Aboba, B., Beadles, M., Arkko, J. and P. Eronen, "The Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The
Network Access Identifier", Network Access Identifier",
Internet-Draft draft-arkko-roamops-rfc2486bis-02, July draft-arkko-roamops-rfc2486bis-02 (work in progress),
2004. July 2004.
8.2 Informative references 8.2 Informative references
[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
Aboba, "Dynamic Authorization Extensions to Remote Aboba, "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", RFC 3576, Authentication Dial In User Service (RADIUS)", RFC 3576,
July 2003. July 2003.
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G. and J. [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
Arkko, "Diameter Base Protocol", RFC 3588, September 2003. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
Authors' Addresses Authors' Addresses
Farid Adrangi Farid Adrangi
Intel Corporation Intel Corporation
2111 N.E. 25th Avenue 2111 N.E. 25th Avenue
Hillsboro, OR 97124 Hillsboro, OR 97124
USA USA
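Review bot: Two defects in the Security Considerations survive unchanged into -05: "clients)outside" is missing a space and "netowrk" is misspelled, and "the binding lifetime of that reference to the real user be kept as short as possible" is missing "should". On substance, the Message-Authenticator(80) recommendation should say what it does and does not cover: it authenticates the Access-Request only between a client and the next hop that shares its secret, so it prevents an on-path party without the secret from stripping the CUI, but not a proxy in the chain, which recomputes the attribute when it forwards the packet; that is consistent with the preceding admission that modification by intermediaries cannot be detected, and the two paragraphs should reference each other so readers do not take the recommendation as end-to-end protection. The reference-list changes (serial commas, "(work in progress)") are fine.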
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/