Diff: draft-ietf-radext-coa-proxy-08.txt vs draft-ietf-radext-coa-proxy-09.txt
(unchanged text is shown once; changed passages are shown as -08 text and -09 text)
Network Working Group                                        DeKok, Alan
INTERNET-DRAFT                                               FreeRADIUS
Updates: 5176, 5580                                          J. Korhonen
Category: Standards Track
-08: <draft-ietf-radext-coa-proxy-08.txt>
-09: <draft-ietf-radext-coa-proxy-09.txt>
22 January 2019

                  Dynamic Authorization Proxying in
   Remote Authentication Dial-In User Service Protocol (RADIUS)
              draft-ietf-radext-coa-proxy-09.txt (was -08)
Abstract

   RFC 5176 defines Change of Authorization (CoA) and Disconnect Message
   (DM) behavior for RADIUS.  That document suggests that proxying these
   messages is possible, but gives no guidance as to how it is done.
   This specification updates RFC 5176 to correct that omission for
   scenarios where networks use Realm-based proxying as defined in RFC
   7542.  This specification also updates RFC 5580 to allow the
   Operator-Name attribute in CoA-Request and Disconnect-Request
skipping to change at page 3, line 7
   (http://trustee.ietf.org/license-info/) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction ............................................. 4
       1.1.  Terminology ......................................... 4
       1.2.  Requirements Language ............................... 5
   2.  Problem Statement ........................................ 6
       2.1.  Typical RADIUS Proxying ............................. 6
       2.2.  CoA Processing ...................................... 7
       2.3.  Failure of CoA Proxying ............................. 7
   3.  How to Perform CoA Proxying .............................. 8
       3.1.  Changes to Access-Request and Accounting-Request
             packets ............................................. 9
       3.2.  Proxying of CoA-Request and Disconnect-Request
             packets ............................................. 9
       3.3.  Reception of CoA-Request and Disconnect-Request
             packets ............................................ 10
       3.4.  Operator-NAS-Identifier ............................ 11
   4.  Requirements ............................................ 14
       4.1.  Requirements on Home Servers ....................... 14
       4.2.  Requirements on Visited Networks ................... 14
       4.3.  Requirements on Proxies ............................ 15
             4.3.1.  Security Requirements on Proxies ........... 15
             4.3.2.  Filtering Requirements on Proxies .......... 16
   5.  Functionality ........................................... 17
       5.1.  User Login ......................................... 17
       5.2.  CoA Proxying ....................................... 17
   6.  Security Considerations ................................. 18
       6.1.  RADIUS Security and Proxies ........................ 19
       6.2.  Security of the Operator-NAS-Identifier Attribute .. 19
   7.  IANA Considerations ..................................... 20
   8.  References .............................................. 20
       8.1.  Normative References ............................... 20
       8.2.  Informative References ............................. 21

   Page numbers above are those of -09; in -08, sections 3.1, 4.3 and
   6.1 were on pages 8, 14 and 18.  The -09 table also carries a stray
   entry "2. ..... 3" before the Introduction entry and lists section 2
   as "2." with the title "Problem Statement" dropped; the section 2
   heading itself is split in -09 into "2." and "Problem Statement" on
   separate lines.
1.  Introduction

   RFC 5176 [RFC5176] defines Change of Authorization (CoA) and
   Disconnect Message (DM) behavior for RADIUS.  Section 3.1 of
skipping to change at page 6, line 5
   intermediary proxies.

1.2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.
2.  Problem Statement
   This section describes how RADIUS proxying works, how CoA packets
   work, and why CoA proxying as discussed in [RFC5176] is insufficient
   to create a working system.

2.1.  Typical RADIUS Proxying

   When a RADIUS server proxies an Access-Request packet, it typically
   does so based on the contents of the User-Name attribute, which
   contains a Network Access Identifier (NAI) [RFC7542].  This
skipping to change at page 8, line 46 (-08) / line 47 (-09)
   "1example.com".  This information is precisely what is needed by
   intermediate nodes in order to perform CoA proxying.

   The remainder of this document describes how CoA proxying can be
   performed by using the Operator-Name attribute.  We describe how the
   forward path has to change in order to allow reverse path proxying.
   We then describe how reverse path proxying works.  And we describe
   how Visited Networks and Home Networks have to behave in order for
   CoA proxying to work.
   Added in -09:

   We note that as a proxied CoA packet is sent only to one destination,
   the Operator-Name attribute MUST NOT occur more than once in a
   packet.  If a packet contains more than one Operator-Name,
   implementations MUST treat the second and subsequent attributes as
   "invalid attributes", as discussed in Section 2.8 of [RFC6929].
3.1.  Changes to Access-Request and Accounting-Request packets

   When a Visited Network proxies an Access-Request or Accounting-
   Request packet outside of its network, a Visited Network that wishes
   to support Realm-based CoA proxying SHOULD include an Operator-Name
   attribute in the packet, as discussed in Section 4.1 of [RFC5580].
   The contents of the Operator-Name should be "1", followed by the
   realm name of the Visited Network.  Where the Visited Network has
   more than one realm name, a "canonical" one SHOULD be chosen, and
   used for all packets.
skipping to change at page 12, line 4 (-08) / line 9 (-09)
   The Operator-NAS-Identifier attribute is an opaque token that
   identifies an individual NAS in a Visited Network.  It MAY appear in
   the following packets: Access-Request, Accounting-Request, CoA-
   Request, or Disconnect-Request.  Operator-NAS-Identifier MUST NOT
   appear in any other packet.

   Operator-NAS-Identifier MAY occur in a packet if the packet also
   contains an Operator-Name attribute.  Operator-NAS-Identifier MUST
   NOT appear in a packet if there is no Operator-Name in the packet.
   -08 text:

   Operator-NAS-Identifier MUST NOT occur more than once in a packet.
   If a packet contains more than one Operator-NAS-Identifier,
   implementations MUST treat the second and subsequent attributes as
   "invalid attributes", as discussed in Section 2.8 of [RFC6929].

   Since packets can be proxied only to one destination, there is no
   reason to have multiple Operator-Realm attributes in a packet.

   -09 text:

   As each proxied CoA packet is sent only to one NAS, the Operator-NAS-
   Identifier attribute MUST NOT occur more than once in a packet.  If a
   packet contains more than one Operator-NAS-Identifier,
   implementations MUST treat the second and subsequent attributes as
   "invalid attributes", as discussed in Section 2.8 of [RFC6929].
   An Operator-NAS-Identifier attribute SHOULD be added to an Access-
   Request or Accounting-Request packet by a Visited Network, before
   proxying a packet to an external RADIUS server.  When the Operator-
   NAS-Identifier attribute is added to a packet, the following
   attributes SHOULD be deleted from the packet: NAS-IP-Address, NAS-
   IPv6-Address, NAS-Identifier.  If these attributes are deleted, the
   proxy MUST then add a NAS-Identifier attribute, in order to satisfy
   the requirements of Section 4.1 of [RFC2865], and Section 4.1 of
   [RFC2866].  The contents of the new NAS-Identifier SHOULD be the
skipping to change at page 16, line 43 (-08) / line 49 (-09)
   causes problems in practice.

   We update Section 2.3 of [RFC5176] to say that in CoA-Request and
   Disconnect-Request packets, the NAS MUST NOT treat as mandatory any
   attribute which is known to not affect the user's session, for
   example the Proxy-State attribute.  Proxy-State is an attribute used
   for proxy-to-proxy signaling.  It cannot affect the user's session,
   and therefore Proxy-State (and similar attributes) MUST be ignored by
   the NAS.
   When Operator-Name (-08 text: Operator-Realm) and/or Operator-NAS-
   Identifier are received by a proxy, the proxy MUST pass those
   attributes through unchanged.  This requirement applies to all
   proxies, including ones that forward any or all of Access-Request,
   Accounting-Request, CoA-Request, and Disconnect-Request packets.
   All attributes added by a RADIUS proxy when sending packets from the
   Visited Network to the Home Network MUST be removed by the
   corresponding CoA proxy from packets traversing the reverse path.
   That is, any attribute editing that is done on the "forward" path
   MUST be undone on the "reverse" path.

   The result is that a NAS will only ever receive CoA packets that
   either contain attributes sent by the NAS to its local RADIUS
   server, or contain attributes that are sent by the Home Server in
   order to perform a change of authorization.
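To make the forward-path rewrite (Sections 3.1 and 3.4) and the reverse-path requirements on proxies (Section 4.3) concrete, here is an added Python example. It is not code from the draft, from FreeRADIUS, or from any other implementation. It models a packet as an ordered list of (attribute, value) pairs and shows the Visited Network adding Operator-Name ("1" plus its realm) and an opaque Operator-NAS-Identifier while replacing the NAS identity attributes, the Home Network's CoA proxy routing on the realm, and the Visited Network undoing the forward-path edits, ignoring a duplicate Operator-Name, and refusing a token it did not issue. The realm example.com, the NAS addresses, the token format, the next-hop table, and the sample packets are constructed for the example; using the Visited Network's realm as the substitute NAS-Identifier is an assumption, since the page cuts off the draft's sentence on that point.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# A RADIUS packet modelled as an ordered list of (attribute, value) pairs.
Packet = List[Tuple[str, str]]

# NAS identity attributes the Visited Network strips before proxying (3.4).
NAS_IDENTITY_ATTRS = ("NAS-IP-Address", "NAS-IPv6-Address", "NAS-Identifier")
# Attributes added on the forward path; every such edit is undone on the
# reverse path (4.3).
PROXY_ADDED_ATTRS = ("Operator-Name", "Operator-NAS-Identifier")


def first_valid(packet: Packet, name: str) -> Optional[str]:
    """Value of the first `name` attribute, or None.  Operator-Name and
    Operator-NAS-Identifier MUST NOT occur more than once; a second or later
    copy is an "invalid attribute" (RFC 6929, Section 2.8) and is ignored
    rather than causing the packet to be rejected."""
    for attr, value in packet:
        if attr == name:
            return value
    return None


class VisitedNetwork:
    """Proxy at the Visited Network: rewrites the forward path and maps a
    returning CoA-Request/Disconnect-Request back onto its own NAS."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self._nas_by_token: Dict[str, Packet] = {}   # opaque token -> NAS attrs

    def forward(self, packet: Packet) -> Packet:
        """Rewrite an Access-Request or Accounting-Request leaving the
        Visited Network (Sections 3.1 and 3.4)."""
        nas_attrs = [(a, v) for a, v in packet if a in NAS_IDENTITY_ATTRS]
        token = secrets.token_hex(8)       # opaque: reveals nothing about the NAS
        self._nas_by_token[token] = nas_attrs
        out = [(a, v) for a, v in packet if a not in NAS_IDENTITY_ATTRS]
        # RFC 2865/2866 still require a NAS identifier.  The draft's sentence
        # giving its contents is cut off on this page; using the Visited
        # Network's realm name here is an assumption of this example.
        out.append(("NAS-Identifier", self.realm))
        out.append(("Operator-Name", "1" + self.realm))   # "1" = REALM namespace, RFC 5580
        out.append(("Operator-NAS-Identifier", token))
        return out

    def reverse(self, coa: Packet) -> Optional[Packet]:
        """Turn a CoA-Request/Disconnect-Request from the Home Network into
        the packet sent to the NAS; None if it cannot be routed."""
        if first_valid(coa, "Operator-Name") != "1" + self.realm:
            return None                    # not our realm: misrouted or altered
        token = first_valid(coa, "Operator-NAS-Identifier") or ""
        nas_attrs = self._nas_by_token.get(token)
        if nas_attrs is None:
            return None                    # unknown or forged token: no NAS to target
        # Undo every forward-path edit, then restore what the NAS originally
        # sent, so the NAS sees only its own attributes plus the Home Server's.
        kept = [(a, v) for a, v in coa
                if a not in PROXY_ADDED_ATTRS and a != "NAS-Identifier"]
        return nas_attrs + kept


class HomeCoAProxy:
    """CoA proxy at the Home Network: routes on the realm carried in
    Operator-Name (3.2) and passes the Operator-* attributes through unchanged."""

    def __init__(self, next_hop_by_realm: Dict[str, str]) -> None:
        self.next_hop_by_realm = next_hop_by_realm

    def route(self, coa: Packet) -> Optional[str]:
        op = first_valid(coa, "Operator-Name")
        if op is None or len(op) < 2 or op[0] != "1":
            return None                    # only the REALM namespace is routable
        return self.next_hop_by_realm.get(op[1:])


def demo() -> dict:
    """One login and one Disconnect-Request, end to end, on constructed packets."""
    visited = VisitedNetwork("example.com")
    home = HomeCoAProxy({"example.com": "coa.example.com"})
    access_request = [("User-Name", "bob@example.org"),
                      ("NAS-IP-Address", "192.0.2.10"),
                      ("NAS-Identifier", "ap-17"),
                      ("Calling-Station-Id", "00-11-22-33-44-55")]
    forwarded = visited.forward(access_request)
    token = first_valid(forwarded, "Operator-NAS-Identifier") or ""
    # The Home Server echoes the Operator-* attributes it saw at login.  The
    # duplicate Operator-Name is deliberate: it must be ignored, not routed on.
    disconnect = [("User-Name", "bob@example.org"),
                  ("Operator-Name", "1example.com"),
                  ("Operator-Name", "1other.example"),
                  ("Operator-NAS-Identifier", token),
                  ("Calling-Station-Id", "00-11-22-33-44-55"),
                  ("Proxy-State", "hop-1")]
    forged = [("Operator-Name", "1example.com"),
              ("Operator-NAS-Identifier", "not-a-token")]
    return {"forwarded": forwarded,
            "next_hop": home.route(disconnect),
            "to_nas": visited.reverse(disconnect),
            "forged": visited.reverse(forged)}
```

Calling demo() returns the forwarded Access-Request, the next hop chosen by the Home Network proxy, the packet delivered to the NAS (its original NAS-IP-Address and NAS-Identifier restored, the Operator-* attributes gone, Proxy-State left in place for the NAS to ignore), and None for the forged token. The token-to-NAS table is state the Visited Network has to keep for as long as it may receive CoA-Requests or Disconnect-Requests for that NAS; because the token is opaque, an outsider who learns it from a Home Server still learns nothing about the Visited Network's topology.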
   Finally, we extend the above requirement not only to Operator-Name
   and Operator-NAS-Identifier, but also to any future attributes that
skipping to change at page 20, line 27 (-08) / line 36 (-09)
   Description: Operator-NAS-Identifier
   Data Type: string
   Reference: [ RFC-to-be ]
8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000,
              <http://www.rfc-editor.org/info/rfc2865>.

   [RFC5080]  Nelson, D. and A. DeKok, "Common Remote Authentication
              Dial In User Service (RADIUS) Implementation Issues and
              Suggested Fixes", RFC 5080, December 2007,
              <http://www.rfc-editor.org/info/rfc5080>.

   [RFC5176]  Chiba, M., et al., "Dynamic Authorization Extensions to
              Remote Authentication Dial In User Service (RADIUS)",
              RFC 5176, January 2008,
              <http://www.rfc-editor.org/info/rfc5176>.

   [RFC5580]  Tschofenig, H., Ed., "Carrying Location Objects in RADIUS
              and Diameter", RFC 5580, August 2009,
              <http://www.rfc-editor.org/info/rfc5580>.

   [RFC6929]  DeKok, A. and A. Lior, "Remote Authentication Dial-In User
              Service (RADIUS) Protocol Extensions", RFC 6929,
              April 2013, <http://www.rfc-editor.org/info/rfc6929>.

   [RFC7542]  DeKok, A., "The Network Access Identifier", RFC 7542,
              May 2015, <http://www.rfc-editor.org/info/rfc7542>.

   [RFC8044]  DeKok, A., "Data Types in the Remote Authentication Dial-In
              User Service Protocol (RADIUS)", RFC 8044, January 2017,
              <http://www.rfc-editor.org/info/rfc8044>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", RFC 8174, May 2017,
              <http://www.rfc-editor.org/info/rfc8174>.

8.2.  Informative References

   [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000,
              <http://www.rfc-editor.org/info/rfc2866>.
Authors' Addresses

   Alan DeKok
End of changes.  18 change blocks.  23 lines changed or deleted; 31 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/