draft-ietf-radext-design-08.txt   draft-ietf-radext-design-09.txt 
Network Working Group Alan DeKok (ed.) Network Working Group Alan DeKok (ed.)
INTERNET-DRAFT FreeRADIUS INTERNET-DRAFT FreeRADIUS
Category: Best Current Practice G. Weber Category: Best Current Practice G. Weber
<draft-ietf-radext-design-08.txt> Individual Contributor <draft-ietf-radext-design-09.txt> Individual Contributor
Expires: March 6, 2010 Expires: April 12, 2010
6 September 2009 12 October 2009
RADIUS Design Guidelines RADIUS Design Guidelines
draft-ietf-radext-design-08 draft-ietf-radext-design-09
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and document may not be modified outside the IETF Standards Process, and
skipping to change at page 1, line 42 skipping to change at page 1, line 42
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 6, 2010. This Internet-Draft will expire on April 12, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 3, line 19 skipping to change at page 3, line 19
1.2. Requirements Language ............................... 4 1.2. Requirements Language ............................... 4
1.3. Applicability ....................................... 5 1.3. Applicability ....................................... 5
2. RADIUS Data Model ........................................ 6 2. RADIUS Data Model ........................................ 6
2.1. Standard Space ...................................... 6 2.1. Standard Space ...................................... 6
2.1.1. Basic Data Types ............................... 6 2.1.1. Basic Data Types ............................... 6
2.1.2. Tagging Mechanism .............................. 8 2.1.2. Tagging Mechanism .............................. 8
2.1.3. Complex Attribute Usage ........................ 8 2.1.3. Complex Attribute Usage ........................ 8
2.1.4. Complex Attributes and Security ................ 11 2.1.4. Complex Attributes and Security ................ 11
2.1.5. Service definitions and RADIUS ................. 11 2.1.5. Service definitions and RADIUS ................. 11
2.2. Vendor Space ........................................ 12 2.2. Vendor Space ........................................ 12
3. Data Model Issues ........................................ 13 3. Data Model Issues ........................................ 14
3.1. Vendor Space ........................................ 14 3.1. Vendor Space ........................................ 14
3.1.1. Interoperability Considerations ................ 16 3.1.1. Interoperability Considerations ................ 16
3.1.2. Vendor Allocations ............................. 16 3.1.2. Vendor Allocations ............................. 17
3.1.3. SDO Allocations ................................ 17 3.1.3. SDO Allocations ................................ 17
3.1.4. Publication of specifications .................. 18 3.1.4. Publication of specifications .................. 18
3.2. Polymorphic Attributes .............................. 18 3.2. Polymorphic Attributes .............................. 18
3.3. RADIUS Operational Model ............................ 19 3.3. RADIUS Operational Model ............................ 19
4. IANA Considerations ...................................... 22 4. IANA Considerations ...................................... 22
5. Security Considerations .................................. 22 5. Security Considerations .................................. 22
6. References ............................................... 23 6. References ............................................... 23
6.1. Normative References ................................ 23 6.1. Normative References ................................ 23
6.2. Informative References .............................. 23 6.2. Informative References .............................. 23
Appendix A - Design Guidelines ............................... 26 Appendix A - Design Guidelines ............................... 26
A.1. Types matching the RADIUS data model ................. 26 A.1. Types matching the RADIUS data model ................. 26
A.1.1. Transport of simple data ........................ 26 A.1.1. Transport of simple data ........................ 26
A.1.2. Opaque data types ............................... 26 A.1.2. Transport of Authentication and Security Data ... 27
A.1.3. Opaque data types ............................... 27
A.2. Improper Data Types .................................. 27 A.2. Improper Data Types .................................. 27
A.2.1. Simple Data Types ............................... 27 A.2.1. Simple Data Types ............................... 28
A.2.2. Complex Data Types .............................. 28 A.2.2. Complex Data Types .............................. 29
A.3. Vendor-Specific formats .............................. 28 A.3. Vendor-Specific formats .............................. 29
A.4. Changes to the RADIUS Operational Model .............. 29 A.4. Changes to the RADIUS Operational Model .............. 29
A.5. Allocation of attributes ............................. 30 A.5. Allocation of attributes ............................. 31
Appendix B - Complex Attributes .............................. 31 Appendix B - Complex Attributes .............................. 32
B.1. CHAP-Password ........................................ 31 B.1. CHAP-Password ........................................ 32
B.2. CHAP-Challenge ....................................... 31 B.2. CHAP-Challenge ....................................... 32
B.3. Tunnel-Password ...................................... 31 B.3. Tunnel-Password ...................................... 32
B.4. ARAP-Password ........................................ 32 B.4. ARAP-Password ........................................ 33
B.5. ARAP-Features ........................................ 32 B.5. ARAP-Features ........................................ 33
B.6. Connect-Info ......................................... 33 B.6. Connect-Info ......................................... 34
B.7. Framed-IPv6-Prefix ................................... 34 B.7. Framed-IPv6-Prefix ................................... 35
B.8. Egress-VLANID ........................................ 34 B.8. Egress-VLANID ........................................ 35
B.9. Egress-VLAN-Name ..................................... 35 B.9. Egress-VLAN-Name ..................................... 36
1. Introduction 1. Introduction
This document provides guidelines for the design of RADIUS attributes This document provides guidelines for the design of RADIUS attributes
both within the IETF as well as within other SDOs. By articulating both within the IETF as well as within other SDOs. By articulating
RADIUS design guidelines, it is hoped that this document will RADIUS design guidelines, it is hoped that this document will
encourage the development and publication of high quality RADIUS encourage the development and publication of high quality RADIUS
attribute specifications. attribute specifications.
However, the advice in this document will not be helpful unless it is However, the advice in this document will not be helpful unless it is
skipping to change at page 6, line 26 skipping to change at page 6, line 26
Section 2.1. Section 2.1.
2. RADIUS Data Model 2. RADIUS Data Model
The Remote Authentication Dial In User Service (RADIUS) defined in The Remote Authentication Dial In User Service (RADIUS) defined in
[RFC2865] and [RFC2866] uses elements known as attributes in order to [RFC2865] and [RFC2866] uses elements known as attributes in order to
represent authentication, authorization and accounting data. represent authentication, authorization and accounting data.
Unlike SNMP, first defined in [RFC1157] and [RFC1155], RADIUS does Unlike SNMP, first defined in [RFC1157] and [RFC1155], RADIUS does
not define a formal data definition language. A handful of basic not define a formal data definition language. A handful of basic
data types are provided, and a data type is associated with an data types are in common use, and a data type is associated with an
attribute when the attribute is defined. attribute when the attribute is defined.
Two distinct attribute spaces are defined: the standard space, and a Two distinct attribute spaces are defined: the standard space, and a
Vendor-Specific space. Attributes in the standard space generally Vendor-Specific space. Attributes in the standard space generally
are composed of a type, length, value (TLV) triplet, although complex are composed of a type, length, value (TLV) triplet, although complex
attributes have also been defined. The Vendor-Specific space is attributes have also been defined. The Vendor-Specific space is
encapsulated within a single attribute type (Vendor-Specific encapsulated within a single attribute type (Vendor-Specific
Attribute). The format of this space is defined by individual Attribute). The format of this space is defined by individual
vendors, but the same TLV encoding used by the standard space is vendors, but the same TLV encoding used by the standard space is
recommended in [RFC2865] Section 5.26. The similarity between recommended in [RFC2865] Section 5.26. The similarity between
skipping to change at page 8, line 31 skipping to change at page 8, line 31
Other limitations of the tagging mechanism are that when integer Other limitations of the tagging mechanism are that when integer
values are tagged, the value portion is reduced to three bytes values are tagged, the value portion is reduced to three bytes
meaning only 24-bit numbers can be represented. The tagging meaning only 24-bit numbers can be represented. The tagging
mechanism does not offer an ability to create nested groups of mechanism does not offer an ability to create nested groups of
attributes. Some RADIUS implementations treat tagged attributes as attributes. Some RADIUS implementations treat tagged attributes as
having additional data types tagged-string and tagged-integer. These having additional data types tagged-string and tagged-integer. These
types increase the complexity of implementing and managing RADIUS types increase the complexity of implementing and managing RADIUS
systems. systems.
New attributes SHOULD NOT use this tagging method because of the For these reasons, the tagging scheme described in RFC 2868 is NOT
limitations described above. RECOMMENDED for use as a generic grouping mechanism.
2.1.3. Complex Attribute Usage 2.1.3. Complex Attribute Usage
The RADIUS attribute encoding is summarized in [RFC2865]: The RADIUS attribute encoding is summarized in [RFC2865]:
0 1 2 0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Value ... | Type | Length | Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
skipping to change at page 13, line 7 skipping to change at page 13, line 13
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont) | Vendor type | Vendor length | Vendor-Id (cont) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute-Specific... | Attribute-Specific...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Multiple sub-attributes MAY be encoded within a single Vendor- Multiple sub-attributes MAY be encoded within a single Vendor-
Specific attribute, although they do not have to be. Specific attribute, although they do not have to be.
Note that the Vendor type field in the recommended VSA format is only Note that the Vendor type field in the recommended VSA format is only
a single octet, like the RADIUS type field. While this limitation a single octet, like the RADIUS type field. While this limitation
results in an efficient encoding, there are situations in which a results in an efficient encoding, there are situations in which a
vendor or SDO will eventually wish to define more than 255 vendor or SDO will eventually wish to define more than 255
attributes. Also, an SDO can be comprised of multiple subgroups, attributes. Also, an SDO can be comprised of multiple subgroups, each
each of whom can desire autonomy over the definition of attributes of whom can desire autonomy over the definition of attributes within
within their group. In such a situation, a 16-bit Vendor type field their group. The most interoperable way to address these issues is
would be more appropriate: for the vendor or SDO to request allocation of multiple Vendor
identifiers.
0 1 2 3 However, instead of doing this, vendors have defined the following
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 non-standard VSA formats:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont) | Vendor type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor length | Attribute-Specific...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Other attribute formats are NOT RECOMMENDED. Examples of NOT * Vendor types of 16 bits, followed by an 8 bit length and
RECOMMENDED formats include Vendor types of more than 16 bits, Vendor then attribute-specific data.
lengths of less than 8 bits, Vendor lengths of more than 8 bits, and
Vendor-Specific contents that are not in Type-Length-Value format.
In order to be compatible with the above recommendations for * Vendor types of 32 bits, followed by no length field, and
attribute definitions, it is RECOMMENDED that RADIUS servers support then attribute-specific data.
attributes using a 16-bit Vendor type field.
* Vendor types of the RFC format, but where some VSAs are
defined as "grouped" or TLV attributes. These attributes
are then used to carry sub-attributes.
* "Bare" ASCII strings that immediately follow the Vendor-Id,
without using a Vendor type or Vendor length.
All VSA schemes that do not follow the [RFC2865] recommendations are
NOT RECOMMENDED. These non-standard formats will typically not be
implementable without RADIUS server code changes. This includes all
the above formats, as well as Vendor types of more than 8 bits,
vendor lengths of less than 8 bits, vendor lengths of more than 8
bits and Vendor-Specific contents that are not in Type-Length-Value
format.
Although [RFC2865] does not mandate it, implementations commonly Although [RFC2865] does not mandate it, implementations commonly
assume that the Vendor Id can be used as a key to determine the on- assume that the Vendor Id can be used as a key to determine the on-
the-wire format of a VSA. Vendors therefore SHOULD NOT use multiple the-wire format of a VSA. Vendors therefore SHOULD NOT use multiple
formats for VSAs that are associated with a particular Vendor Id. A formats for VSAs that are associated with a particular Vendor Id. A
vendor wishing to use multiple VSA formats, SHOULD request one Vendor vendor wishing to use multiple VSA formats SHOULD request one Vendor
Id for each VSA format that they will use. Id for each VSA format that they will use.
3. Data Model Issues 3. Data Model Issues
Since the closure of the RADIUS Working Group, the popularity and Since the closure of the RADIUS Working Group, the popularity and
prevalence of RADIUS has continued to grow. In addition to prevalence of RADIUS has continued to grow. In addition to
increasing demand for allocation of attributes within the RADIUS increasing demand for allocation of attributes within the RADIUS
standard attribute space, the number of vendors and SDOs creating new standard attribute space, the number of vendors and SDOs creating new
attributes within the Vendor-Specific attribute space has grown, and attributes within the Vendor-Specific attribute space has grown, and
this has lead to some divergence in approaches to RADIUS attribute this has lead to some divergence in approaches to RADIUS attribute
skipping to change at page 26, line 22 skipping to change at page 26, line 22
A.1. Types matching the RADIUS data model A.1. Types matching the RADIUS data model
A.1.1. Transport of simple data A.1.1. Transport of simple data
Does the data fit within the existing RADIUS data model, as outlined Does the data fit within the existing RADIUS data model, as outlined
below? If so, it SHOULD be encapsulated in a [RFC2865] format RADIUS below? If so, it SHOULD be encapsulated in a [RFC2865] format RADIUS
attribute, or in a [RFC2865] format RADIUS VSA that uses one of the attribute, or in a [RFC2865] format RADIUS VSA that uses one of the
existing RADIUS data types. existing RADIUS data types.
* 32-bit unsigned integer, in network byte order. * 32-bit unsigned integer, in network byte order.
* Enumerated data types, represented as a 32-bit unsigned integer * Enumerated data types, represented as a 32-bit unsigned integer
with a list of name to value mappings. (e.g., Service-Type) with a list of name to value mappings. (e.g., Service-Type)
* 64-bit unsigned integer, in network byte order. * 64-bit unsigned integer, in network byte order.
* IPv4 address in network byte order. * IPv4 address in network byte order.
* IPv6 address in network byte order. * IPv6 address in network byte order.
* IPv6 prefix. * IPv6 prefix.
* time as 32 bit unsigned value, in network byte order, and in * time as 32 bit unsigned value, in network byte order, and in
seconds since 00:00:00 UTC, January 1, 1970. seconds since 00:00:00 UTC, January 1, 1970.
* string (i.e., binary data), totalling 253 octets or less in * string (i.e., binary data), totalling 253 octets or less in
length. This includes the opaque encapsulation of data length. This includes the opaque encapsulation of data
structures defined outside of RADIUS. See also Appendix A.1.2, structures defined outside of RADIUS. See also Appendix A.1.3,
below. below.
* UTF-8 text, totalling 253 octets or less in length. * UTF-8 text, totalling 253 octets or less in length.
* Complex data types for authentication and/or security.
These attributes SHOULD be defined only within the RADIUS
attribute space, and SHOULD NOT be defined within the VSA space.
Note that the length limitations for VSAs of type String and Text are Note that the length limitations for VSAs of type String and Text are
less than 253 octets, due to the additional overhead of the Vendor- less than 253 octets, due to the additional overhead of the Vendor-
Specific format. Specific format.
* Attributes grouped into a logical container. The following data also qualifies as "simple data types":
This does not include nested groups.
* Attributes grouped into a logical container, using the
[RFC2868] tagging mechanism. This approach is NOT
RECOMMENDED (see Section 2.1.2), but is permissible where
the alternatives are worse.
* Attributes requiring the transport of more than 247 octets of * Attributes requiring the transport of more than 247 octets of
Text or String data. This includes the opaque encapsulation Text or String data. This includes the opaque encapsulation
of data structures defined outside of RADIUS. See also Section of data structures defined outside of RADIUS. See also Section
A.1.2, below. A.1.3, below.
A.1.2. Opaque data types Nested groups or attributes do not qualify as "simple data types",
and SHOULD NOT be used.
A.1.2. Transport of Authentication and Security Data
Does the data provide authentication and/or security capabilities, as
outlined below? If so, it SHOULD be encapsulated in a [RFC2865]
format RADIUS attribute. It SHOULD NOT be encapsulated in a
[RFC2865] format RADIUS VSA.
* Complex data types that carry authentication methods which
RADIUS servers are expected to parse and verify as part of
an authentication process.
* Complex data types that carry security information intended
to increase the security of the RADIUS protocol itself.
Any data type carrying authentication and/or security data that is
not meant to be parsed by a RADIUS server is an "opaque data type",
as defined below.
A.1.3. Opaque data types
Does the attribute encapsulate an existing data structure defined Does the attribute encapsulate an existing data structure defined
outside of the RADIUS specifications? Can the attribute be treated outside of the RADIUS specifications? Can the attribute be treated
as opaque data by RADIUS servers (including proxies?) If both as opaque data by RADIUS servers (including proxies?) If both
questions can be answered affirmatively, a complex structure MAY be questions can be answered affirmatively, a complex structure MAY be
used in a RADIUS specification. used in a RADIUS specification.
The specification of the attribute SHOULD define the encapsulating The specification of the attribute SHOULD define the encapsulating
attribute to be of type String. The specification SHOULD refer to an attribute to be of type String. The specification SHOULD refer to an
external document defining the structure. The specification SHOULD external document defining the structure. The specification SHOULD
skipping to change at page 27, line 33 skipping to change at page 28, line 16
Does the attribute use any of the following data types? If so, the Does the attribute use any of the following data types? If so, the
data type SHOULD be replaced with the suggested alternatives, or it data type SHOULD be replaced with the suggested alternatives, or it
SHOULD NOT be used at all. SHOULD NOT be used at all.
* Signed integers of any size. * Signed integers of any size.
SHOULD NOT be used. SHOULD be replaced with one or more SHOULD NOT be used. SHOULD be replaced with one or more
unsigned integer attributes. The definition of the attribute unsigned integer attributes. The definition of the attribute
can contain information that would otherwise go into the sign can contain information that would otherwise go into the sign
value of the integer. value of the integer.
* 8 bit unsigned integers. * 8 bit unsigned integers.
SHOULD be replaced with 32-bit unsigned integer. There is SHOULD be replaced with 32-bit unsigned integer. There is
insufficient justification to save three bytes. insufficient justification to save three bytes.
* 16 bit unsigned integers. * 16 bit unsigned integers.
SHOULD be replaced with 32-bit unsigned integer. There is SHOULD be replaced with 32-bit unsigned integer. There is
insufficient justification to save two bytes. insufficient justification to save two bytes.
* Unsigned integers of size other than 32 or 64. * Unsigned integers of size other than 32 or 64.
SHOULD be replaced by an unsigned integer of 32 or 64 bits. SHOULD be replaced by an unsigned integer of 32 or 64 bits.
There is insufficient justification to define a new size of There is insufficient justification to define a new size of
integer. integer.
* Integers of any size in non-network byte order * Integers of any size in non-network byte order
SHOULD be replaced by unsigned integer of 32 or 64 bits, SHOULD be replaced by unsigned integer of 32 or 64 bits,
in network byte order. There is no reason to transport integers in network byte order. There is no reason to transport integers
in any format other than network byte order. in any format other than network byte order.
* Tagged data types as described in [RFC2868]. * Tagged data types as described in [RFC2868].
These data types SHOULD NOT be used in new specifications. These data types SHOULD NOT be used in new specifications.
* Complex data structures defined only within RADIUS. * Complex data structures defined only within RADIUS.
SHOULD NOT be used. This recommendation does not apply to new SHOULD NOT be used. This recommendation does not apply to new
attributes for authentication or security, as described below attributes for authentication or security, as described below
in Section A.2.2. in Section A.2.2.
* Multi-field text strings. * Multi-field text strings.
Each field SHOULD be encapsulated in a separate attribute. Each field SHOULD be encapsulated in a separate attribute.
* Polymorphic attributes. * Polymorphic attributes.
Multiple attributes, each with a static data type SHOULD be Multiple attributes, each with a static data type SHOULD be
defined instead. defined instead.
* Nested AVPs. * Nested AVPs.
Attributes should be defined in a flat typespace, possibly using Attributes should be defined in a flat typespace, possibly using
a 16-bit Vendor type field (see Section 2.3). a 16-bit Vendor type field (see Section 2.3).
A.2.2. Complex Data Types A.2.2. Complex Data Types
Does the attribute define a complex data type for purposes other than Does the attribute:
authentication or security? If so, this data type SHOULD be replaced
with simpler types, as discussed above in Appendix A.2.1. Also see * define a complex data type
Section 2.1.3 for a discussion of why complex types are problematic.
* That a RADIUS server and/or client is expected to parse?
i.e. A type that cannot be treated as opaque data (Section A.1.3)
* for purposes other than authentication or security?
If so, this data type SHOULD be replaced with simpler types, as
discussed above in Appendix A.2.1. Also see Section 2.1.3 for a
discussion of why complex types are problematic.
A.3. Vendor-Specific formats A.3. Vendor-Specific formats
Does the specification contain Vendor-Specific attributes that match Does the specification contain Vendor-Specific attributes that match
any of the following criteria? If so, the data type should be any of the following criteria? If so, the data type should be
replaced with the suggested alternatives, or should not be used at replaced with the suggested alternatives, or should not be used at
all. all.
* Vendor types of more than 16 bits. * Vendor types of more than 8 bits.
SHOULD NOT be used. Vendor types of 8 or 16 bits SHOULD be used SHOULD NOT be used. Vendor types of 8 bits SHOULD be used
instead. instead.
* Vendor lengths of less than 8 bits. (i.e., zero bits) * Vendor lengths of less than 8 bits. (i.e., zero bits)
SHOULD NOT be used. Vendor lengths of 8 bits SHOULD be used SHOULD NOT be used. Vendor lengths of 8 bits SHOULD be used
instead. instead.
* Vendor lengths of more than 8 bits. * Vendor lengths of more than 8 bits.
SHOULD NOT be used. Vendor lengths of 8 bits SHOULD be used SHOULD NOT be used. Vendor lengths of 8 bits SHOULD be used
instead. instead.
* Vendor-Specific contents that are not in Type-Length-Value * Vendor-Specific contents that are not in Type-Length-Value
format. format.
SHOULD NOT be used. Vendor-Specific attributes SHOULD be in SHOULD NOT be used. Vendor-Specific attributes SHOULD be in
Type-Length-Value format. Type-Length-Value format.
In general, Vendor-Specific attributes SHOULD follow the [RFC2865] In general, Vendor-Specific attributes SHOULD follow the [RFC2865]
suggested format. However, we recognize that SDOs may require more suggested format. Vendor extensions to non-standard formats are NOT
than 256 attributes, which is the limit of the 8-bit [RFC2865] RECOMMENDED as they can negatively affect interoperability.
Vendor-Specific space. Those SDOs SHOULD use Vendor types of 16
bits, as described in Section 2.3. However, SDOs SHOULD NOT use
Vendor types of 16 bits unless there are immediate requirements.
Future-proofing a specification is insufficient grounds for using
16-bit Vendor types.
A.4. Changes to the RADIUS Operational Model A.4. Changes to the RADIUS Operational Model
Does the specification change the RADIUS operation model, as outlined Does the specification change the RADIUS operation model, as outlined
in the list below? If so, then another method of achieving the in the list below? If so, then another method of achieving the
design objectives SHOULD be used. Potential problem areas include: design objectives SHOULD be used. Potential problem areas include:
* Defining new commands in RADIUS using attributes. * Defining new commands in RADIUS using attributes.
The addition of new commands to RADIUS MUST be handled via The addition of new commands to RADIUS MUST be handled via
allocation of a new Code, and not by the use of an attribute. allocation of a new Code, and not by the use of an attribute.
 End of changes. 44 change blocks. 
68 lines changed or deleted 121 lines changed or added

This html diff was produced by rfcdiff 1.37a. The latest version is available from http://tools.ietf.org/tools/rfcdiff/