draft-ietf-radext-rfc3576bis-00.txt | draft-ietf-radext-rfc3576bis-01.txt | |||
---|---|---|---|---|
Network Working Group Murtaza S. Chiba | Network Working Group Murtaza S. Chiba | |||
INTERNET-DRAFT Gopal Dommety | INTERNET-DRAFT Gopal Dommety | |||
Obsoletes: 3576 Mark Eklund | Obsoletes: 3576 Mark Eklund | |||
Category: Informational Cisco Systems, Inc. | Category: Informational Cisco Systems, Inc. | |||
<draft-ietf-radext-rfc3576bis-00.txt> David Mitton | <draft-ietf-radext-rfc3576bis-01.txt> David Mitton | |||
19 January 2007 RSA Security, Inc. | 21 March 2007 RSA Security, Inc. | |||
Bernard Aboba | Bernard Aboba | |||
Microsoft Corporation | Microsoft Corporation | |||
Dynamic Authorization Extensions to Remote Authentication Dial In User | Dynamic Authorization Extensions to Remote Authentication Dial In User | |||
Service (RADIUS) | Service (RADIUS) | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
skipping to change at page 1, line 36 | skipping to change at page 1, line 36 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on July 20, 2007. | This Internet-Draft will expire on September 25, 2007. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The IETF Trust (2007). All Rights Reserved. | Copyright (C) The IETF Trust (2007). All Rights Reserved. | |||
Abstract | Abstract | |||
This document describes a currently deployed extension to the Remote | This document describes a currently deployed extension to the Remote | |||
Authentication Dial In User Service (RADIUS) protocol, allowing | Authentication Dial In User Service (RADIUS) protocol, allowing | |||
dynamic changes to a user session, as implemented by network access | dynamic changes to a user session, as implemented by network access | |||
skipping to change at page 2, line 17 | skipping to change at page 2, line 17 | |||
1. Introduction .......................................... 3 | 1. Introduction .......................................... 3 | |||
1.1 Applicability ................................... 3 | 1.1 Applicability ................................... 3 | |||
1.2 Requirements Language ........................... 4 | 1.2 Requirements Language ........................... 4 | |||
1.3 Terminology ..................................... 4 | 1.3 Terminology ..................................... 4 | |||
2. Overview ............................................. 5 | 2. Overview ............................................. 5 | |||
2.1 Disconnect Messages (DM) ........................ 5 | 2.1 Disconnect Messages (DM) ........................ 5 | |||
2.2 Change-of-Authorization Messages (CoA) .......... 5 | 2.2 Change-of-Authorization Messages (CoA) .......... 5 | |||
2.3 Packet Format ................................... 6 | 2.3 Packet Format ................................... 6 | |||
3. Attributes ............................................ 10 | 3. Attributes ............................................ 10 | |||
3.1 State ........................................... 12 | 3.1 State ........................................... 12 | |||
3.2 Message-Authenticator ........................... 13 | 3.2 Message-Authenticator ........................... 12 | |||
3.3 Nonce ........................................... 14 | 3.3 Error-Cause ..................................... 13 | |||
3.4 Error-Cause ..................................... 14 | 3.4 Table of Attributes ............................. 16 | |||
3.5 Table of Attributes ............................. 17 | 4. Diameter Considerations ............................... 20 | |||
4. Diameter Considerations ............................... 21 | 5. IANA Considerations ................................... 22 | |||
5. IANA Considerations ................................... 24 | 6. Security Considerations ............................... 22 | |||
6. Security Considerations ............................... 25 | 6.1 Authorization Issues ............................ 22 | |||
6.1 Authorization Issues ............................ 25 | 6.2 Impersonation ................................... 23 | |||
6.2 Impersonation ................................... 25 | 6.3 IPsec Usage Guidelines .......................... 24 | |||
6.3 IPsec Usage Guidelines .......................... 26 | 6.4 Replay Protection ............................... 27 | |||
6.4 Replay Protection ............................... 29 | 7. Example Traces ........................................ 27 | |||
7. Example Traces ........................................ 29 | 8. References ............................................ 28 | |||
8. References ............................................ 30 | 8.1 Normative References ............................ 28 | |||
8.1 Normative References ............................ 30 | 8.2 Informative References .......................... 29 | |||
8.2 Informative References .......................... 31 | ACKNOWLEDGMENTS .............................................. 30 | |||
ACKNOWLEDGMENTS .............................................. 31 | AUTHORS' ADDRESSES ........................................... 30 | |||
AUTHORS' ADDRESSES ........................................... 32 | Appendix A - Changes from RFC 3576 ........................... 31 | |||
Appendix A - Changes from RFC 3576 ........................... 33 | Full Copyright Statement ..................................... 32 | |||
Intellectual Property Statement .............................. 34 | Intellectual Property ........................................ 32 | |||
Disclaimer of Validity ....................................... 34 | ||||
Copyright Statement .......................................... 34 | ||||
1. Introduction | 1. Introduction | |||
The RADIUS protocol, defined in [RFC2865], does not support | The RADIUS protocol, defined in [RFC2865], does not support | |||
unsolicited messages sent from the RADIUS server to the Network | unsolicited messages sent from the RADIUS server to the Network | |||
Access Server (NAS). | Access Server (NAS). | |||
However, there are many instances in which it is desirable for | However, there are many instances in which it is desirable for | |||
changes to be made to session characteristics, without requiring the | changes to be made to session characteristics, without requiring the | |||
NAS to initiate the exchange. For example, it may be desirable for | NAS to initiate the exchange. For example, it may be desirable for | |||
skipping to change at page 3, line 51 | skipping to change at page 3, line 51 | |||
In order to remedy this problem, a "Reverse Path Forwarding" check is | In order to remedy this problem, a "Reverse Path Forwarding" check is | |||
recommended. See Section 6.1. for details. | recommended. See Section 6.1. for details. | |||
Existing implementations utilize per-packet authentication and | Existing implementations utilize per-packet authentication and | |||
integrity protection algorithms with known weaknesses [MD5Attack]. | integrity protection algorithms with known weaknesses [MD5Attack]. | |||
To provide stronger per-packet authentication and integrity | To provide stronger per-packet authentication and integrity | |||
protection, the use of IPsec is recommended. See Section 6.3 for | protection, the use of IPsec is recommended. See Section 6.3 for | |||
details. | details. | |||
Existing implementations lack replay protection. In order to support | Existing implementations lack replay protection. In order to support | |||
replay detection, it is recommended that a Nonce or Event-Timestamp | replay detection, it is recommended that an Event-Timestamp Attribute | |||
Attribute be added to all packets in situations where IPsec replay | be added to all packets in situations where IPsec replay protection | |||
protection is not employed. See Section 6.4 for details. | is not employed. See Section 6.4 for details. | |||
The approach taken with CoA commands in existing implementations | The approach taken with CoA commands in existing implementations | |||
results in a semantic ambiguity. Existing implementations of the | results in a semantic ambiguity. Existing implementations of the | |||
CoA-Request identify the affected session, as well as supply the | CoA-Request identify the affected session, as well as supply the | |||
authorization changes. Since RADIUS Attributes included within | authorization changes. Since RADIUS Attributes included within | |||
existing implementations of the CoA-Request can be used for session | existing implementations of the CoA-Request can be used for session | |||
identification or authorization change, it may not be clear which | identification or authorization change, it may not be clear which | |||
function a given attribute is serving. | function a given attribute is serving. | |||
The problem does not exist within the Diameter protocol [RFC3588], in | The problem does not exist within the Diameter protocol [RFC3588], in | |||
skipping to change at page 5, line 29 | skipping to change at page 5, line 29 | |||
| | <-------------------- | | | | | <-------------------- | | | |||
| NAS | | RADIUS | | | NAS | | RADIUS | | |||
| | Disconnect-Response | Server | | | | Disconnect-Response | Server | | |||
| | ---------------------> | | | | | ---------------------> | | | |||
+----------+ +----------+ | +----------+ +----------+ | |||
The NAS responds to a Disconnect-Request packet sent by a RADIUS | The NAS responds to a Disconnect-Request packet sent by a RADIUS | |||
server with a Disconnect-ACK if all associated session context is | server with a Disconnect-ACK if all associated session context is | |||
discarded and the user session is no longer connected, or a | discarded and the user session is no longer connected, or a | |||
Disconnect-NAK, if the NAS was unable to disconnect the session and | Disconnect-NAK, if the NAS was unable to disconnect the session and | |||
discard all associated session context. A NAS MUST respond to a | discard all associated session context. A Disconnect-ACK MAY contain | |||
Disconnect-Request including a Service-Type Attribute with an | the Attribute Acct-Terminate-Cause (49) [RFC2866] with the value set | |||
unsupported value with a Disconnect-NAK; an Error-Cause Attribute | to 6 for Admin-Reset. | |||
with value "Unsupported Service" MAY be included. A Disconnect-ACK | ||||
MAY contain the Attribute Acct-Terminate-Cause (49) [RFC2866] with | ||||
the value set to 6 for Admin-Reset. | ||||
A NAS supporting the "Authorize Only" Service-Type within a | ||||
Disconnect-Request responds with a Disconnect-NAK containing a | ||||
Service-Type Attribute with value "Authorize Only" and an Error-Cause | ||||
Attribute with value "Request Initiated". The NAS will then send an | ||||
Access-Request containing a Service-Type Attribute with a value of | ||||
"Authorize Only", along with a State Attribute. The RADIUS server | ||||
MUST reply to this Access-Request with an Access-Reject. | ||||
2.2. Change-of-Authorization Messages (CoA) | 2.2. Change-of-Authorization Messages (CoA) | |||
CoA-Request packets contain information for dynamically changing | CoA-Request packets contain information for dynamically changing | |||
session authorizations. Typically this is used to change data | session authorizations. Typically this is used to change data | |||
filters. The data filters can be of either the ingress or egress | filters. The data filters can be of either the ingress or egress | |||
kind, and are sent in addition to the identification attributes as | kind, and are sent in addition to the identification attributes as | |||
described in section 3. The port used, and packet format (described | described in section 3. The port used, and packet format (described | |||
in Section 2.3), are the same as that for Disconnect-Request packets. | in Section 2.3), are the same as that for Disconnect-Request packets. | |||
The following attributes MAY be sent in a CoA-Request: | The following attributes MAY be sent in a CoA-Request: | |||
Filter-ID (11) - Indicates the name of a data filter list | Filter-ID (11) - Indicates the name of a data filter list | |||
to be applied for the session that the | to be applied for the session that the | |||
identification attributes map to. | identification attributes map to. | |||
NAS-Filter-Rule (TBD) - Provides a filter list to be applied | NAS-Filter-Rule (TBD) - Provides a filter list to be applied | |||
for the session that the identification | for the session that the identification | |||
attributes map to. | attributes map to [RFCFilter]. | |||
+----------+ CoA-Request +----------+ | +----------+ CoA-Request +----------+ | |||
| | <-------------------- | | | | | <-------------------- | | | |||
| NAS | | RADIUS | | | NAS | | RADIUS | | |||
| | CoA-Response | Server | | | | CoA-Response | Server | | |||
| | ---------------------> | | | | | ---------------------> | | | |||
+----------+ +----------+ | +----------+ +----------+ | |||
The NAS responds to a CoA-Request sent by a RADIUS server with a CoA- | The NAS responds to a CoA-Request sent by a RADIUS server with a CoA- | |||
ACK if the NAS is able to successfully change the authorizations for | ACK if the NAS is able to successfully change the authorizations for | |||
the user session, or a CoA-NAK if the Request is unsuccessful. A NAS | the user session, or a CoA-NAK if the Request is unsuccessful. A NAS | |||
MUST respond to a CoA-Request including a Service-Type Attribute with | MUST respond to a CoA-Request including a Service-Type Attribute with | |||
value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST NOT be sent. A | value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST NOT be sent. A | |||
NAS MUST respond to a CoA-Request including a Service-Type Attribute | NAS MUST respond to a CoA-Request including a Service-Type Attribute | |||
with an unsupported value with a CoA-NAK; an Error-Cause Attribute | with an unsupported value with a CoA-NAK; an Error-Cause Attribute | |||
with value "Unsupported Service" MAY be included. | with value "Unsupported Service" MAY be included. | |||
2.3. Packet Format | 2.3. Packet Format | |||
For either Disconnect-Request or CoA-Request packets DP port 3799 is | For either Disconnect-Request or CoA-Request packets UDP port 3799 is | |||
used as the destination port. For responses, the source and | used as the destination port. For responses, the source and | |||
destination ports are reversed. Exactly one RADIUS packet is | destination ports are reversed. Exactly one RADIUS packet is | |||
encapsulated in the UDP Data field. | encapsulated in the UDP Data field. | |||
A summary of the data format is shown below. The fields are | A summary of the data format is shown below. The fields are | |||
transmitted from left to right. | transmitted from left to right. | |||
The packet format consists of the fields: Code, Identifier, Length, | The packet format consists of the fields: Code, Identifier, Length, | |||
Authenticator, and Attributes in Type:Length:Value (TLV) format. All | Authenticator, and Attributes in Type:Length:Value (TLV) format. All | |||
fields hold the same meaning as those described in RADIUS [RFC2865]. | fields hold the same meaning as those described in RADIUS [RFC2865]. | |||
skipping to change at page 7, line 25 | skipping to change at page 7, line 8 | |||
| Attributes ... | | Attributes ... | |||
+-+-+-+-+-+-+-+-+-+-+-+-+- | +-+-+-+-+-+-+-+-+-+-+-+-+- | |||
Code | Code | |||
The Code field is one octet, and identifies the type of RADIUS | The Code field is one octet, and identifies the type of RADIUS | |||
packet. Packets received with an invalid Code field MUST be | packet. Packets received with an invalid Code field MUST be | |||
silently discarded. RADIUS codes (decimal) for this extension are | silently discarded. RADIUS codes (decimal) for this extension are | |||
assigned as follows: | assigned as follows: | |||
40 - Disconnect-Request [RFC2882] | 40 - Disconnect-Request [RFC3575] | |||
41 - Disconnect-ACK [RFC2882] | 41 - Disconnect-ACK [RFC3575] | |||
42 - Disconnect-NAK [RFC2882] | 42 - Disconnect-NAK [RFC3575] | |||
43 - CoA-Request [RFC2882] | 43 - CoA-Request [RFC3575] | |||
44 - CoA-ACK [RFC2882] | 44 - CoA-ACK [RFC3575] | |||
45 - CoA-NAK [RFC2882] | 45 - CoA-NAK [RFC3575] | |||
Identifier | Identifier | |||
The Identifier field is one octet, and aids in matching requests | The Identifier field is one octet, and aids in matching requests | |||
and replies. The RADIUS client can detect a duplicate request if | and replies. RADIUS clients implementing this specification MUST | |||
it has the same server source IP address and source UDP port and | be capable of detecting a duplicate request if it has the same | |||
Identifier within a short span of time. | server source IP address, source UDP port and Identifier within a | |||
short span of time. | ||||
Unlike RADIUS as defined in [RFC2865], the responsibility for | Unlike RADIUS as defined in [RFC2865], the responsibility for | |||
retransmission of Disconnect-Request and CoA-Request packets lies | retransmission of Disconnect-Request and CoA-Request packets lies | |||
with the RADIUS server. If after sending these packets, the | with the RADIUS server. If after sending these packets, the | |||
RADIUS server does not receive a response, it will retransmit. | RADIUS server does not receive a response, it will retransmit. | |||
The Identifier field MUST be changed whenever the content of the | The Identifier field MUST be changed whenever the content of the | |||
Attributes field changes, or whenever a valid reply has been | Attributes field changes, or whenever a valid reply has been | |||
received for a previous request. For retransmissions where the | received for a previous request. For retransmissions where the | |||
contents are identical, the Identifier MUST remain unchanged. | contents are identical, the Identifier MUST remain unchanged. | |||
If the RADIUS server is retransmitting a Disconnect-Request or | If the RADIUS server is retransmitting a Disconnect-Request or | |||
CoA-Request to the same client as before, and the Attributes | CoA-Request to the same client as before, and the Attributes | |||
haven't changed, the same Request Authenticator, Identifier and | haven't changed, the same Request Authenticator, Identifier and | |||
source port MUST be used. If any Attributes have changed, a new | source port MUST be used. If any Attributes have changed, a new | |||
Authenticator and Identifier MUST be used. | Authenticator and Identifier MUST be used. | |||
Note that if the Event-Timestamp Attribute is included, it will be | ||||
updated when the packet is retransmitted, changing the content of | ||||
the Attributes field and requiring a new Identifier and Request | ||||
Authenticator. | ||||
If the Request to a primary proxy fails, a secondary proxy must be | If the Request to a primary proxy fails, a secondary proxy must be | |||
queried, if available. Issues relating to failover algorithms are | queried, if available. Issues relating to failover algorithms are | |||
described in [RFC3539]. Since this represents a new request, a | described in [RFC3539]. Since this represents a new request, a | |||
new Request Authenticator and Identifier MUST be used. However, | new Request Authenticator and Identifier MUST be used. However, | |||
where the RADIUS server is sending directly to the client, | where the RADIUS server is sending directly to the client, | |||
failover typically does not make sense, since Disconnect or CoA | failover typically does not make sense, since Disconnect or CoA | |||
packets need to be delivered to the NAS where the session resides. | packets need to be delivered to the NAS where the session resides. | |||
Length | Length | |||
skipping to change at page 8, line 43 | skipping to change at page 8, line 23 | |||
authenticate packets between the RADIUS server and client. | authenticate packets between the RADIUS server and client. | |||
Request Authenticator | Request Authenticator | |||
In Request packets, the Authenticator value is a 16 octet MD5 | In Request packets, the Authenticator value is a 16 octet MD5 | |||
[RFC1321] checksum, called the Request Authenticator. The | [RFC1321] checksum, called the Request Authenticator. The | |||
Request Authenticator is calculated the same way as for an | Request Authenticator is calculated the same way as for an | |||
Accounting-Request, specified in [RFC2866]. | Accounting-Request, specified in [RFC2866]. | |||
Note that the Request Authenticator of a Disconnect or CoA- | Note that the Request Authenticator of a Disconnect or CoA- | |||
Request cannot be done the same way as the Request | Request cannot be computed the same way as the Request | |||
Authenticator of a RADIUS Access-Request, because there is no | Authenticator of a RADIUS Access-Request, because there is no | |||
User-Password Attribute in a Disconnect-Request or CoA-Request. | User-Password Attribute in a Disconnect-Request or CoA-Request. | |||
Response Authenticator | Response Authenticator | |||
The Authenticator field in a Response packet (e.g. Disconnect- | The Authenticator field in a Response packet (e.g. Disconnect- | |||
ACK, Disconnect-NAK, CoA-ACK, or CoA-NAK) is called the | ACK, Disconnect-NAK, CoA-ACK, or CoA-NAK) is called the | |||
Response Authenticator, and contains a one-way MD5 hash | Response Authenticator, and contains a one-way MD5 hash | |||
calculated over a stream of octets consisting of the Code, | calculated over a stream of octets consisting of the Code, | |||
Identifier, Length, the Request Authenticator field from the | Identifier, Length, the Request Authenticator field from the | |||
skipping to change at page 9, line 40 | skipping to change at page 9, line 20 | |||
MUST NOT occur as a result of an unsuccessful Disconnect-Request; | MUST NOT occur as a result of an unsuccessful Disconnect-Request; | |||
here a Disconnect-NAK MUST be sent. | here a Disconnect-NAK MUST be sent. | |||
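The packet layout and Authenticator rules of Section 2.3 above, carried through in working code. This is an added example and not text or code from the draft: it builds a Disconnect-Request the way a RADIUS server would, verifies it the way a NAS would, answers with a Disconnect-ACK carrying Acct-Terminate-Cause Admin-Reset (Section 2.1), verifies that reply on the server side, and applies the retransmission rule (same Identifier and Request Authenticator while the Attributes are identical; a new Identifier and Authenticator once an Event-Timestamp is refreshed). The shared secret, NAS address, user name and session id are constructed sample values; the attribute type numbers are the RFC 2865/2866/2869 assignments, and the Accounting-Request style Request Authenticator is the RFC 2866 construction the draft points to.

```python
import hashlib
import hmac
import struct

DAE_PORT = 3799  # UDP destination port for Disconnect-Request and CoA-Request

# Packet codes from Section 2.3
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used below (RFC 2865/2866/2869 assignments)
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID = 1, 4, 44
ACCT_TERMINATE_CAUSE, EVENT_TIMESTAMP = 49, 55
ADMIN_RESET = 6  # Acct-Terminate-Cause value a Disconnect-ACK MAY carry

HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator
ZERO_AUTH = b"\x00" * 16


def tlv(attr_type, value):
    """Encode one Type:Length:Value attribute; Length counts its own 2 header octets."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 octets")
    return bytes((attr_type, len(value) + 2)) + value


def parse_attrs(payload):
    """Split the Attributes field into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((t, payload[i + 2:i + length]))
        i += length
    return attrs


def _md5_auth(code, ident, length, auth_field, attrs, secret):
    # MD5 over the packet as sent, with auth_field in the Authenticator slot, then the secret
    return hashlib.md5(HEADER.pack(code, ident, length, auth_field) + attrs + secret).digest()


def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret),
    the Accounting-Request construction of RFC 2866 (no User-Password is available)."""
    length = HEADER.size + len(attrs)
    auth = _md5_auth(code, ident, length, ZERO_AUTH, attrs, secret)
    return HEADER.pack(code, ident, length, auth) + attrs


def verify_request(packet, secret):
    """NAS side: an invalid Code or Length is silently discarded (False), otherwise
    the Request Authenticator is recomputed and compared in constant time."""
    if len(packet) < HEADER.size:
        return False
    code, ident, length, auth = HEADER.unpack_from(packet)
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False
    attrs = packet[HEADER.size:]
    return hmac.compare_digest(auth, _md5_auth(code, ident, length, ZERO_AUTH, attrs, secret))


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    The Identifier is copied from the request so the server can match the reply."""
    _, ident, _, req_auth = HEADER.unpack_from(request)
    length = HEADER.size + len(attrs)
    auth = _md5_auth(code, ident, length, req_auth, attrs, secret)
    return HEADER.pack(code, ident, length, auth) + attrs


def verify_response(response, request, secret):
    """Server side: the reply must carry the outstanding request's Identifier and a
    Response Authenticator bound to that request's Request Authenticator."""
    if len(response) < HEADER.size:
        return False
    code, ident, length, auth = HEADER.unpack_from(response)
    _, req_ident, _, req_auth = HEADER.unpack_from(request)
    if ident != req_ident or length != len(response):
        return False
    attrs = response[HEADER.size:]
    return hmac.compare_digest(auth, _md5_auth(code, ident, length, req_auth, attrs, secret))


def retransmit(request, secret, now):
    """Section 2.3 retransmission rule. Identical Attributes: resend the very same
    packet (same Identifier, same Request Authenticator). If an Event-Timestamp is
    present it is refreshed to `now` (seconds); when that changes the Attributes
    field, a new Identifier (next value mod 256) and a new Authenticator are used."""
    code, ident, _, _ = HEADER.unpack_from(request)
    original = request[HEADER.size:]
    rebuilt = b"".join(
        tlv(t, now.to_bytes(4, "big") if t == EVENT_TIMESTAMP else v)
        for t, v in parse_attrs(original)
    )
    if rebuilt == original:
        return request
    return build_request(code, (ident + 1) % 256, rebuilt, secret)
```

The two MD5 constructions are the ones the draft specifies and carry the [MD5Attack] weaknesses noted in Section 1; the draft's remedy is IPsec (Section 6.3). The retransmit helper only refreshes Event-Timestamp on the sending side; checking it on receipt, which Section 6.4 recommends where IPsec replay protection is absent, is the NAS's job and is not shown here.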
Since within this specification attributes may be used for | Since within this specification attributes may be used for | |||
identification, authorization or other purposes, even if a NAS | identification, authorization or other purposes, even if a NAS | |||
implements an attribute for use with RADIUS authentication and | implements an attribute for use with RADIUS authentication and | |||
accounting, it may not support inclusion of that attribute within | accounting, it may not support inclusion of that attribute within | |||
Disconnect-Request or CoA-Request packets, given the difference in | Disconnect-Request or CoA-Request packets, given the difference in | |||
attribute semantics. This is true even for attributes specified | attribute semantics. This is true even for attributes specified | |||
within [RFC2865], [RFC2868], [RFC2869], [RFC3162] or [RFC3579] as | within [RFC2865], [RFC2868], [RFC2869], [RFC3162] or [RFC3579] as | |||
allowable within Access-Accept packets. As a result, attributes | allowable within Access-Accept packets. As a result, if | |||
beyond those specified in Section 3.5 SHOULD NOT be included | attributes beyond those specified in Section 3.5 are included | |||
within Disconnect or CoA packets, since this could produce | within Disconnect-Request or CoA-Request packets, the RADIUS | |||
unpredictable results. | server may receive a Disconnect-NAK/CoA-NAK in response, possibly | |||
containing an Error-Cause attribute with value Unsupported | ||||
Attribute (401). | ||||
If there are any Proxy-State Attributes in a Disconnect-Request or | If there are any Proxy-State Attributes in a Disconnect-Request or | |||
CoA-Request received from the server, the forwarding proxy or NAS | CoA-Request received from the server, the forwarding proxy or NAS | |||
MUST include those Proxy-State Attributes in its response to the | MUST include those Proxy-State Attributes in its response to the | |||
server. | server. | |||
A forwarding proxy or NAS MUST NOT modify existing Proxy-State, | A forwarding proxy or NAS MUST NOT modify existing Proxy-State, | |||
State, or Class Attributes present in the packet. The forwarding | State, or Class Attributes present in the packet. The forwarding | |||
proxy or NAS MUST treat any Proxy-State attributes already in the | proxy or NAS MUST treat any Proxy-State attributes already in the | |||
packet as opaque data. Its operation MUST NOT depend on the | packet as opaque data. Its operation MUST NOT depend on the | |||
skipping to change at page 10, line 41 | skipping to change at page 10, line 24 | |||
In Disconnect-Request and CoA-Request packets, certain attributes are | In Disconnect-Request and CoA-Request packets, certain attributes are | |||
used to uniquely identify the NAS as well as a user session on the | used to uniquely identify the NAS as well as a user session on the | |||
NAS. All NAS identification attributes included in a Request packet | NAS. All NAS identification attributes included in a Request packet | |||
MUST match in order for a Disconnect-Request or CoA-Request to be | MUST match in order for a Disconnect-Request or CoA-Request to be | |||
successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent. | successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent. | |||
For session identification attributes, the User-Name and Acct- | For session identification attributes, the User-Name and Acct- | |||
Session-Id Attributes, if included, MUST match in order for a | Session-Id Attributes, if included, MUST match in order for a | |||
Disconnect-Request or CoA-Request to be successful; other session | Disconnect-Request or CoA-Request to be successful; other session | |||
identification attributes SHOULD match. Where a mismatch of session | identification attributes SHOULD match. Where a mismatch of session | |||
identification attributes is detected, a Disconnect-NAK or CoA-NAK | identification attributes is detected, a Disconnect-NAK or CoA-NAK | |||
SHOULD be sent. The ability to use NAS or session identification | SHOULD be sent. | |||
attributes to map to unique/multiple sessions is beyond the scope of | ||||
this document. Identification attributes include NAS and session | The ability to use NAS or session identification attributes to map to | |||
identification attributes, as described below. | unique/multiple sessions is beyond the scope of this document. | |||
Identification attributes include NAS and session identification | ||||
attributes, as described below. | ||||
NAS identification attributes | NAS identification attributes | |||
Attribute # Reference Description | Attribute # Reference Description | |||
--------- --- --------- ----------- | --------- --- --------- ----------- | |||
NAS-IP-Address 4 [RFC2865] The IPv4 address of the NAS. | NAS-IP-Address 4 [RFC2865] The IPv4 address of the NAS. | |||
NAS-Identifier 32 [RFC2865] String identifying the NAS. | NAS-Identifier 32 [RFC2865] String identifying the NAS. | |||
NAS-IPv6-Address 95 [RFC3162] The IPv6 address of the NAS. | NAS-IPv6-Address 95 [RFC3162] The IPv6 address of the NAS. | |||
Session identification attributes | Session identification attributes | |||
skipping to change at page 11, line 27 | skipping to change at page 11, line 4 | |||
User-Name 1 [RFC2865] The name of the user | User-Name 1 [RFC2865] The name of the user | |||
associated with the session. | associated with the session. | |||
NAS-Port 5 [RFC2865] The port on which the | NAS-Port 5 [RFC2865] The port on which the | |||
session is terminated. | session is terminated. | |||
Framed-IP-Address 8 [RFC2865] The IPv4 address associated | Framed-IP-Address 8 [RFC2865] The IPv4 address associated | |||
with the session. | with the session. | |||
Called-Station-Id 30 [RFC2865] The link address to which | Called-Station-Id 30 [RFC2865] The link address to which | |||
the session is connected. | the session is connected. | |||
Calling-Station-Id 31 [RFC2865] The link address from which | Calling-Station-Id 31 [RFC2865] The link address from which | |||
the session is connected. | the session is connected. | |||
Attribute # Reference Description | ||||
--------- --- --------- ----------- | ||||
Acct-Session-Id 44 [RFC2866] The identifier uniquely | Acct-Session-Id 44 [RFC2866] The identifier uniquely | |||
identifying the session | identifying the session | |||
on the NAS. | on the NAS. | |||
Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | |||
identifying related sessions. | identifying related sessions. | |||
NAS-Port-Type 61 [RFC2865] The type of port used. | NAS-Port-Type 61 [RFC2865] The type of port used. | |||
NAS-Port-Id 87 [RFC2869] String identifying the port | NAS-Port-Id 87 [RFC2869] String identifying the port | |||
where the session is. | where the session is. | |||
Originating-Line-Info 94 [RFC4005] Provides information on the | Originating-Line-Info 94 [RFC4005] Provides information on the | |||
characteristics of the line | characteristics of the line | |||
skipping to change at page 12, line 8 | skipping to change at page 11, line 37 | |||
To address security concerns described in Section 6.1, and to enable | To address security concerns described in Section 6.1, and to enable | |||
Diameter/RADIUS translation, the User-Name Attribute SHOULD be | Diameter/RADIUS translation, the User-Name Attribute SHOULD be | |||
present in Disconnect-Request or CoA-Request packets; one or more | present in Disconnect-Request or CoA-Request packets; one or more | |||
additional session identification attributes MAY also be present. | additional session identification attributes MAY also be present. | |||
For example, where a Diameter client utilizes the same Session-Id for | For example, where a Diameter client utilizes the same Session-Id for | |||
both authorization and accounting, inclusion of an Acct-Session-Id | both authorization and accounting, inclusion of an Acct-Session-Id | |||
Attribute in a Disconnect-Request or CoA-Request can assist with | Attribute in a Disconnect-Request or CoA-Request can assist with | |||
Diameter/RADIUS translation, since Diameter RAR and ASR commands | Diameter/RADIUS translation, since Diameter RAR and ASR commands | |||
include a Session-Id AVP. | include a Session-Id AVP. | |||
Where a NAS offers multiple services, confusion may result with | ||||
respect to interpretation of a CoA-Request or Disconnect-Request. In | ||||
order to prevent confusion a RADIUS Server SHOULD identify the | ||||
session as specifically as possible. For example, an Acct-Session-Id | ||||
attribute SHOULD be included in Disconnect-Request and CoA-Request | ||||
packets, rather than just the User-Name attribute. | ||||
To address security concerns described in Section 6.2, one or more of | To address security concerns described in Section 6.2, one or more of | |||
the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present | the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present | |||
in Disconnect-Request or CoA-Request packets; the NAS-Identifier | in Disconnect-Request or CoA-Request packets; the NAS-Identifier | |||
Attribute MAY be present in addition. | Attribute MAY be present in addition. | |||
If one or more authorization changes specified in a CoA-Request | If one or more authorization changes specified in a CoA-Request | |||
cannot be carried out, or if one or more attributes or attribute- | cannot be carried out, or if one or more attributes or attribute- | |||
values is unsupported, a CoA-NAK MUST be sent. Similarly, if there | values is unsupported, a CoA-NAK MUST be sent. Similarly, if there | |||
are one or more unsupported attributes or attribute values in a | are one or more unsupported attributes or attribute values in a | |||
Disconnect-Request, a Disconnect-NAK MUST be sent. | Disconnect-Request, a Disconnect-NAK MUST be sent. | |||
A CoA-Request containing a Service-Type Attribute with value | A CoA-Request containing a Service-Type Attribute with value | |||
"Authorize Only" MUST contain only NAS or session identification | "Authorize Only" MUST contain only NAS or session identification | |||
attributes, as well as Service-Type, Nonce and State attributes. If | attributes, as well as Service-Type and State attributes. If other | |||
other attributes are included in such a CoA-Request, implementations | attributes are included in such a CoA-Request, implementations MUST | |||
MUST send a CoA-NAK; an Error-Cause Attribute with value "Unsupported | send a CoA-NAK; an Error-Cause Attribute with value "Unsupported | |||
Attribute" MAY be included. | Attribute" MAY be included. | |||
A Disconnect-Request MUST contain only NAS and session identification | A Disconnect-Request MUST contain only NAS and session identification | |||
attributes (see Section 3), as well as Service-Type, Nonce and State | attributes (see Section 3). If other attributes are included in a | |||
attributes. If other attributes are included in a Disconnect- | Disconnect-Request, implementations MUST send a Disconnect-NAK; an | |||
Request, implementations MUST send a Disconnect-NAK; an Error-Cause | Error-Cause Attribute with value "Unsupported Attribute" MAY be | |||
Attribute with value "Unsupported Attribute" MAY be included. | included. | |||
3.1. State | 3.1. State | |||
[RFC2865] Section 5.44 states: | [RFC2865] Section 5.44 states: | |||
An Access-Request MUST contain either a User-Password or a CHAP- | An Access-Request MUST contain either a User-Password or a CHAP- | |||
Password or State. An Access-Request MUST NOT contain both a | Password or State. An Access-Request MUST NOT contain both a | |||
User-Password and a CHAP-Password. If future extensions allow | User-Password and a CHAP-Password. If future extensions allow | |||
other kinds of authentication information to be conveyed, the | other kinds of authentication information to be conveyed, the | |||
attribute for that can be used in an Access-Request instead of | attribute for that can be used in an Access-Request instead of | |||
User-Password or CHAP-Password. | User-Password or CHAP-Password. | |||
In order to satisfy the requirements of [RFC2865] Section 5.44, an | In order to satisfy the requirements of [RFC2865] Section 5.44, an | |||
Access-Request with Service-Type="Authorize-Only" MUST contain a | Access-Request with Service-Type="Authorize-Only" MUST contain a | |||
State attribute. | State attribute. | |||
In order to provide a State attribute to the NAS, a server sending a | In order to provide a State attribute to the NAS, a server sending a | |||
CoA-Request or Disconnect-Request with a Service-Type value of | CoA-Request with a Service-Type value of "Authorize-Only" MUST | |||
"Authorize-Only" MUST include a State Attribute, and the NAS MUST | include a State Attribute, and the NAS MUST include the State | |||
include the State Attribute unchanged in the Access-Request. A NAS | Attribute unchanged in the Access-Request. A NAS receiving a CoA- | |||
receiving a CoA-Request or Disconnect-Request containing a Service- | Request containing a Service-Type value of "Authorize-Only" but | |||
Type value of "Authorize-Only" but lacking a State attribute MUST | lacking a State attribute MUST send a CoA-NAK and SHOULD include an | |||
send a CoA-NAK or Disconnect-NAK and SHOULD include an Error-Cause | Error-Cause attribute with value 402 (Missing Attribute). | |||
attribute with value 402 (Missing Attribute). | ||||
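The rules above (which attributes a Disconnect-Request or an "Authorize Only" CoA-Request may carry, the State requirement of Section 3.1, and the NAS identification check of Section 6.2) are what a NAS evaluates before it touches any session. The following is an added example, not code from the draft or from any RADIUS implementation. It follows the -01 text (Service-Type not permitted in a Disconnect-Request, no Nonce), models a packet as a list of (attribute type, value) pairs rather than wire bytes, and assumes that Proxy-State, Message-Authenticator and Event-Timestamp are protocol attributes passed through rather than authorization changes; function and constant names are the example's own.

```python
"""Attribute-policy checks a NAS applies to CoA-Request and Disconnect-Request
packets (added example following draft-ietf-radext-rfc3576bis-01, Section 3).
A packet is modelled as a list of (attribute_type, value) pairs."""

# Packet codes (RFC 3576)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used here
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, FRAMED_IP_ADDRESS = 1, 4, 5, 6, 8
FILTER_ID, STATE, CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 11, 24, 30, 31, 32
PROXY_STATE, ACCT_SESSION_ID, ACCT_MULTI_SESSION_ID, EVENT_TIMESTAMP = 33, 44, 50, 55
NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR, NAS_PORT_ID, ORIGINATING_LINE_INFO = 61, 80, 87, 94
NAS_IPV6_ADDRESS, FRAMED_INTERFACE_ID, FRAMED_IPV6_PREFIX, ERROR_CAUSE = 95, 96, 97, 101

SERVICE_TYPE_AUTHORIZE_ONLY = 17

# Error-Cause values (Section 3.3)
UNSUPPORTED_ATTRIBUTE, MISSING_ATTRIBUTE, NAS_IDENTIFICATION_MISMATCH = 401, 402, 403
UNSUPPORTED_SERVICE, REQUEST_INITIATED = 405, 507

# NAS and session identification attributes ([Note 1] of the attribute table)
NAS_ID_ATTRS = {NAS_IP_ADDRESS, NAS_IDENTIFIER, NAS_IPV6_ADDRESS}
SESSION_ID_ATTRS = {USER_NAME, NAS_PORT, FRAMED_IP_ADDRESS, CALLED_STATION_ID,
                    CALLING_STATION_ID, ACCT_SESSION_ID, ACCT_MULTI_SESSION_ID,
                    NAS_PORT_TYPE, NAS_PORT_ID, ORIGINATING_LINE_INFO,
                    FRAMED_INTERFACE_ID, FRAMED_IPV6_PREFIX}
# Assumption: these carry no authorization semantics and are passed through.
TRANSPORT_ATTRS = {PROXY_STATE, MESSAGE_AUTHENTICATOR, EVENT_TIMESTAMP}


def validate_request(code, attrs, nas_identity, authorize_only_supported=True):
    """Decide how the NAS answers.  Returns (response_code, response_attrs,
    send_access_request).  nas_identity maps NAS identification attribute
    types to this NAS's own values."""
    types = [t for t, _ in attrs]
    if code == DISCONNECT_REQUEST:
        ack, nak = DISCONNECT_ACK, DISCONNECT_NAK
    elif code == COA_REQUEST:
        ack, nak = COA_ACK, COA_NAK
    else:
        raise ValueError("not a CoA-Request or Disconnect-Request")

    # Section 6.2 / "NAS Identification Mismatch": every NAS identification
    # attribute present must name this NAS; a mismatch is fatal.
    for t, v in attrs:
        if t in NAS_ID_ATTRS and nas_identity.get(t) != v:
            return nak, [(ERROR_CAUSE, NAS_IDENTIFICATION_MISMATCH)], False

    if code == DISCONNECT_REQUEST:
        # Only identification attributes; in particular no Service-Type.
        allowed = NAS_ID_ATTRS | SESSION_ID_ATTRS | TRANSPORT_ATTRS
        if any(t not in allowed for t in types):
            return nak, [(ERROR_CAUSE, UNSUPPORTED_ATTRIBUTE)], False
        return ack, [], False

    service = [v for t, v in attrs if t == SERVICE_TYPE]
    if not service:
        # Ordinary CoA-Request: the remaining attributes are authorization
        # changes applied by the caller; the policy check passes here.
        if types.count(STATE) > 1:
            return nak, [(ERROR_CAUSE, UNSUPPORTED_ATTRIBUTE)], False
        return ack, [], False
    if service[0] != SERVICE_TYPE_AUTHORIZE_ONLY or not authorize_only_supported:
        # "Unsupported Service": the NAK carries no Service-Type (Note 6).
        return nak, [(ERROR_CAUSE, UNSUPPORTED_SERVICE)], False

    # Authorize Only: identification attributes plus Service-Type and State.
    allowed = NAS_ID_ATTRS | SESSION_ID_ATTRS | TRANSPORT_ATTRS | {SERVICE_TYPE, STATE}
    if any(t not in allowed for t in types) or types.count(STATE) > 1:
        return nak, [(ERROR_CAUSE, UNSUPPORTED_ATTRIBUTE)], False
    if STATE not in types:
        return nak, [(ERROR_CAUSE, MISSING_ATTRIBUTE)], False
    # Note 6: CoA-NAK with Service-Type "Authorize Only" and Error-Cause
    # "Request Initiated"; the NAS then sends an Access-Request.
    return nak, [(SERVICE_TYPE, SERVICE_TYPE_AUTHORIZE_ONLY),
                 (ERROR_CAUSE, REQUEST_INITIATED)], True


def authorize_only_access_request(attrs):
    """Attributes of the Access-Request that follows "Request Initiated":
    NAS and session identification attributes copied from the CoA-Request,
    State unchanged, Service-Type "Authorize Only" (Notes 6 and 7)."""
    copied = [(t, v) for t, v in attrs
              if t in NAS_ID_ATTRS or t in SESSION_ID_ATTRS or t == STATE]
    return copied + [(SERVICE_TYPE, SERVICE_TYPE_AUTHORIZE_ONLY)]
```

The NAS identification check runs first so that a request naming another NAS is refused with 403 before its attribute list is examined; a Disconnect-Request that carries Service-Type is refused with 401 rather than 405, since the -01 text forbids the attribute outright.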
3.2. Message-Authenticator | 3.2. Message-Authenticator | |||
The Message-Authenticator Attribute MAY be used to authenticate and | The Message-Authenticator Attribute MAY be used to authenticate and | |||
integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request, | integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request, | |||
Disconnect-ACK and Disconnect-NAK packets in order to prevent spoofing. | Disconnect-ACK and Disconnect-NAK packets in order to prevent spoofing. | |||
A RADIUS client receiving a CoA-Request or Disconnect-Request with a | A RADIUS client receiving a CoA-Request or Disconnect-Request with a | |||
Message-Authenticator Attribute present MUST calculate the correct | Message-Authenticator Attribute present MUST calculate the correct | |||
value of the Message-Authenticator and silently discard the packet if | value of the Message-Authenticator and silently discard the packet if | |||
skipping to change at page 14, line 5 | skipping to change at page 13, line 35 | |||
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | |||
Request Authenticator, Attributes) | Request Authenticator, Attributes) | |||
When the HMAC-MD5 message integrity check is calculated the | When the HMAC-MD5 message integrity check is calculated the | |||
Message-Authenticator Attribute should be considered to be sixteen | Message-Authenticator Attribute should be considered to be sixteen | |||
octets of zero. The Request Authenticator is taken from the | octets of zero. The Request Authenticator is taken from the | |||
corresponding CoA/Disconnect-Request. The Message-Authenticator | corresponding CoA/Disconnect-Request. The Message-Authenticator | |||
is calculated and inserted in the packet before the Response | is calculated and inserted in the packet before the Response | |||
Authenticator is calculated. | Authenticator is calculated. | |||
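The computation above, carried through for both directions as an added example (not code from the draft or from any RADIUS implementation): the server builds a CoA-Request with a Request Authenticator (MD5 over the packet with sixteen zero octets in the authenticator field, followed by the shared secret) and a Message-Authenticator; the NAS verifies both and silently discards on mismatch; it then answers with a CoA-ACK whose Message-Authenticator is keyed with the Request Authenticator and inserted before the Response Authenticator is computed. The request-side ordering, Message-Authenticator computed with the authenticator field zeroed and then the MD5 Request Authenticator over the finished packet, is the convention used by common implementations and is an assumption here, since the draft's request-side text is not part of this excerpt. The shared secret and attribute values are constructed.

```python
"""Authenticators on RADIUS CoA/Disconnect packets (added example, not code
from the draft or from any RADIUS implementation).  Shared secret and
attribute values in the tests are constructed for the demonstration."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, NAS_IP_ADDRESS, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR = 1, 4, 44, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-octet authenticator follows
ZERO16 = bytes(16)


def encode_attrs(attrs):
    """(type, value) pairs -> Type(1) Length(1) Value TLVs."""
    wire = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        wire += struct.pack("BB", t, len(v) + 2) + v
    return wire


def decode_attrs(wire):
    """TLVs -> (type, value) pairs; malformed lengths raise ValueError."""
    attrs, i = [], 0
    while i < len(wire):
        if i + 2 > len(wire) or wire[i + 1] < 2 or i + wire[i + 1] > len(wire):
            raise ValueError("malformed attribute")
        attrs.append((wire[i], wire[i + 2:i + wire[i + 1]]))
        i += wire[i + 1]
    return attrs


def _packet_md5(code, ident, authenticator, wire, secret):
    """MD5(Code + Identifier + Length + Authenticator + Attributes + Secret).
    The Request Authenticator uses sixteen zero octets as `authenticator`;
    the Response Authenticator uses the Request Authenticator."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(wire)) + authenticator + wire + secret).digest()


def _message_authenticator(code, ident, authenticator, attrs, secret):
    """HMAC-MD5(Type, Identifier, Length, Authenticator, Attributes) with the
    Message-Authenticator value taken as sixteen octets of zero."""
    zeroed = [(t, ZERO16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    wire = encode_attrs(zeroed)
    return hmac.new(secret, HEADER.pack(code, ident, 20 + len(wire)) + authenticator + wire, hashlib.md5).digest()


def _verify(packet, authenticator, secret):
    """Check the MD5 authenticator, then every Message-Authenticator present
    (keyed with `authenticator`).  None means: silently discard."""
    if len(packet) < 20:
        return None
    code, ident, length = HEADER.unpack_from(packet)
    wire = packet[20:]
    if length != len(packet):
        return None
    if not hmac.compare_digest(packet[4:20], _packet_md5(code, ident, authenticator, wire, secret)):
        return None
    try:
        attrs = decode_attrs(wire)
    except ValueError:
        return None
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR and not hmac.compare_digest(
                v, _message_authenticator(code, ident, authenticator, attrs, secret)):
            return None
    return code, ident, packet[4:20], attrs


def build_request(code, ident, attrs, secret):
    """Server side.  Assumption (request-side text is not in this excerpt):
    the Message-Authenticator is computed with the authenticator field zeroed,
    then the Request Authenticator is the MD5 over the finished packet."""
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, ZERO16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, _message_authenticator(code, ident, ZERO16, attrs, secret))
    wire = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(wire)) + _packet_md5(code, ident, ZERO16, wire, secret) + wire


def verify_request(packet, secret):
    """NAS side: returns (code, ident, request_authenticator, attrs) or None."""
    return _verify(packet, ZERO16, secret)


def build_response(code, ident, req_auth, attrs, secret):
    """NAS side: the Message-Authenticator is keyed with the Request
    Authenticator of the corresponding request and inserted before the
    Response Authenticator is computed over the packet."""
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, ZERO16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, _message_authenticator(code, ident, req_auth, attrs, secret))
    wire = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(wire)) + _packet_md5(code, ident, req_auth, wire, secret) + wire


def verify_response(packet, req_auth, secret):
    """Server side: checks against the Request Authenticator it sent."""
    return _verify(packet, req_auth, secret)
```

Both checks use a constant-time comparison, and a response is only accepted against the Request Authenticator of the outstanding request, so a CoA-ACK captured from an earlier exchange does not verify against a new one.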
3.3. Nonce | 3.3. Error-Cause | |||
Description | ||||
Since the Request Authenticator field within CoA-Request and | ||||
Disconnect-Request packets does not contain a nonce within the | ||||
Request Authenticator field, these packets are vulnerable to | ||||
replay attack without the countermeasures described in Section | ||||
6.4. As noted in Section 6.4, replay attacks can be addressed by | ||||
using IPsec to protect RADIUS or by adding an Event-Timestamp | ||||
attribute to CoA-Request and Disconnect-Request packets. Since | ||||
use of the Event-Timestamp Attribute requires loose time | ||||
synchronization, where this is not possible an alternative replay | ||||
protection mechanism is required. For this purpose, a Nonce | ||||
Attribute MAY be included within CoA-Request, CoA-ACK, CoA-NAK, | ||||
Disconnect-Request, Disconnect-ACK, Disconnect-NAK and Accounting- | ||||
Request packets. | ||||
A summary of the Nonce Attribute format is shown below. The | ||||
fields are transmitted from left to right. | ||||
0 1 2 3 | ||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
| Type | Length | Value | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
Value (cont) | | ||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ||||
Type | ||||
TBD for Nonce | ||||
Length | ||||
6 | ||||
Value | ||||
The Value field is four octets, containing a randomly chosen value | ||||
[RFC4086]. | ||||
3.4. Error-Cause | ||||
Description | Description | |||
It is possible that the NAS cannot honor Disconnect-Request or | It is possible that the NAS cannot honor Disconnect-Request or | |||
CoA-Request packets for some reason. The Error-Cause Attribute | CoA-Request packets for some reason. The Error-Cause Attribute | |||
provides more detail on the cause of the problem. It MAY be | provides more detail on the cause of the problem. It MAY be | |||
included within Disconnect-ACK, Disconnect-NAK and CoA-NAK | included within Disconnect-ACK, Disconnect-NAK and CoA-NAK | |||
packets. | packets. | |||
A summary of the Error-Cause Attribute format is shown below. The | A summary of the Error-Cause Attribute format is shown below. The | |||
skipping to change at page 16, line 40 | skipping to change at page 15, line 33 | |||
"NAS Identification Mismatch" is a fatal error sent if one or more | "NAS Identification Mismatch" is a fatal error sent if one or more | |||
NAS identification attributes (see Section 3) do not match the | NAS identification attributes (see Section 3) do not match the | |||
identity of the NAS receiving the Request. | identity of the NAS receiving the Request. | |||
"Invalid Request" is a fatal error sent if some other aspect of | "Invalid Request" is a fatal error sent if some other aspect of | |||
the Request is invalid, such as if one or more attributes (such as | the Request is invalid, such as if one or more attributes (such as | |||
EAP-Message Attribute(s)) are not formatted properly. | EAP-Message Attribute(s)) are not formatted properly. | |||
"Unsupported Service" is a fatal error sent if a Service-Type | "Unsupported Service" is a fatal error sent if a Service-Type | |||
Attribute included with the Request is sent with an invalid or | Attribute included with the Request is sent with an invalid or | |||
unsupported value. | unsupported value. This error cannot be sent in response to a | |||
Disconnect-Request. | ||||
"Unsupported Extension" is a fatal error sent due to lack of | "Unsupported Extension" is a fatal error sent due to lack of | |||
support for an extension such as Disconnect and/or CoA packets. | support for an extension such as Disconnect and/or CoA packets. | |||
This will typically be sent by a proxy receiving an ICMP port | This will typically be sent by a proxy receiving an ICMP port | |||
unreachable message after attempting to forward a Request to the | unreachable message after attempting to forward a Request to the | |||
NAS. | NAS. | |||
"Administratively Prohibited" is a fatal error sent if the NAS is | "Administratively Prohibited" is a fatal error sent if the NAS is | |||
configured to prohibit honoring of Request packets for the | configured to prohibit honoring of Request packets for the | |||
specified session. | specified session. | |||
skipping to change at page 17, line 28 | skipping to change at page 16, line 22 | |||
Disconnect-NAK. | Disconnect-NAK. | |||
"Other Proxy Processing Error" is a fatal error sent in response | "Other Proxy Processing Error" is a fatal error sent in response | |||
to a Request that could not be processed by a proxy, for reasons | to a Request that could not be processed by a proxy, for reasons | |||
other than routing. | other than routing. | |||
"Resources Unavailable" is a fatal error sent when a Request could | "Resources Unavailable" is a fatal error sent when a Request could | |||
not be honored due to lack of available NAS resources (memory, | not be honored due to lack of available NAS resources (memory, | |||
non-volatile storage, etc.). | non-volatile storage, etc.). | |||
"Request Initiated" is a fatal error sent in response to a Request | "Request Initiated" is a fatal error sent in response to a CoA- | |||
including a Service-Type Attribute with a value of "Authorize | Request including a Service-Type Attribute with a value of | |||
Only". It indicates that the Disconnect-Request or CoA-Request | "Authorize Only". It indicates that the CoA-Request has not been | |||
has not been honored, but that a RADIUS Access-Request including a | honored, but that a RADIUS Access-Request including a Service-Type | |||
Service-Type Attribute with value "Authorize Only" is being sent | Attribute with value "Authorize Only" is being sent to the RADIUS | |||
to the RADIUS server. | server. | |||
3.5. Table of Attributes | 3.4. Table of Attributes | |||
The following table provides a guide to which attributes may be found | The following table provides a guide to which attributes may be found | |||
in which packets, and in what quantity. | in which packets, and in what quantity. | |||
Change-of-Authorization Messages | Change-of-Authorization Messages | |||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
0-1 0 0 1 User-Name [Note 1] | 0-1 0 0 1 User-Name [Note 1] | |||
0-1 0 0 4 NAS-IP-Address [Note 1] | 0-1 0 0 4 NAS-IP-Address [Note 1] | |||
0-1 0 0 5 NAS-Port [Note 1] | 0-1 0 0 5 NAS-Port [Note 1] | |||
0-1 0 0-1 6 Service-Type [Note 6] | 0-1 0 0-1 6 Service-Type [Note 6] | |||
0-1 0 0 7 Framed-Protocol [Note 3] | 0-1 0 0 7 Framed-Protocol [Note 3] | |||
0-1 0 0 8 Framed-IP-Address [Note 1] | 0-1 0 0 8 Framed-IP-Address [Note 1] | |||
0-1 0 0 9 Framed-IP-Netmask [Note 3] | 0-1 0 0 9 Framed-IP-Netmask [Note 3] | |||
0-1 0 0 10 Framed-Routing [Note 3] | 0-1 0 0 10 Framed-Routing [Note 3] | |||
0+ 0 0 11 Filter-ID [Note 3] | 0+ 0 0 11 Filter-ID [Note 3] | |||
0-1 0 0 12 Framed-MTU [Note 3] | 0-1 0 0 12 Framed-MTU [Note 3] | |||
0+ 0 0 13 Framed-Compression [Note 3] | 0+ 0 0 13 Framed-Compression [Note 3] | |||
0+ 0 0 14 Login-IP-Host [Note 3] | 0+ 0 0 14 Login-IP-Host [Note 3] | |||
0-1 0 0 15 Login-Service [Note 3] | 0-1 0 0 15 Login-Service [Note 3] | |||
0-1 0 0 16 Login-TCP-Port [Note 3] | 0-1 0 0 16 Login-TCP-Port [Note 3] | |||
0+ 0 0 18 Reply-Message [Note 2] | 0+ 0 0 18 Reply-Message [Note 2] | |||
0-1 0 0 19 Callback-Number [Note 3] | 0-1 0 0 19 Callback-Number [Note 3] | |||
0-1 0 0 20 Callback-Id [Note 3] | 0-1 0 0 20 Callback-Id [Note 3] | |||
0+ 0 0 22 Framed-Route [Note 3] | 0+ 0 0 22 Framed-Route [Note 3] | |||
0-1 0 0 23 Framed-IPX-Network [Note 3] | 0-1 0 0 23 Framed-IPX-Network [Note 3] | |||
0-1 0-1 0-1 24 State [Note 7] | 0-1 0-1 0-1 24 State [Note 7] | |||
0+ 0 0 25 Class [Note 3] | 0+ 0 0 25 Class [Note 3] | |||
0+ 0 0 26 Vendor-Specific [Note 3] | 0+ 0 0 26 Vendor-Specific [Note 3] | |||
0-1 0 0 27 Session-Timeout [Note 3] | 0-1 0 0 27 Session-Timeout [Note 3] | |||
0-1 0 0 28 Idle-Timeout [Note 3] | 0-1 0 0 28 Idle-Timeout [Note 3] | |||
0-1 0 0 29 Termination-Action [Note 3] | 0-1 0 0 29 Termination-Action [Note 3] | |||
skipping to change at page 18, line 51 | skipping to change at page 17, line 45 | |||
0+ 0 0 69 Tunnel-Password [Note 5] | 0+ 0 0 69 Tunnel-Password [Note 5] | |||
0-1 0 0 71 ARAP-Features [Note 3] | 0-1 0 0 71 ARAP-Features [Note 3] | |||
0-1 0 0 72 ARAP-Zone-Access [Note 3] | 0-1 0 0 72 ARAP-Zone-Access [Note 3] | |||
0+ 0 0 78 Configuration-Token [Note 3] | 0+ 0 0 78 Configuration-Token [Note 3] | |||
0+ 0-1 0 79 EAP-Message [Note 2] | 0+ 0-1 0 79 EAP-Message [Note 2] | |||
0-1 0-1 0-1 80 Message-Authenticator | 0-1 0-1 0-1 80 Message-Authenticator | |||
0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] | 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] | |||
0+ 0 0 82 Tunnel-Assignment-ID [Note 5] | 0+ 0 0 82 Tunnel-Assignment-ID [Note 5] | |||
0+ 0 0 83 Tunnel-Preference [Note 5] | 0+ 0 0 83 Tunnel-Preference [Note 5] | |||
0-1 0 0 85 Acct-Interim-Interval [Note 3] | 0-1 0 0 85 Acct-Interim-Interval [Note 3] | |||
0-1 0 0 87 NAS-Port-Id [Note 1] | 0-1 0 0 87 NAS-Port-Id [Note 1] | |||
0-1 0 0 88 Framed-Pool [Note 3] | 0-1 0 0 88 Framed-Pool [Note 3] | |||
0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | |||
0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | |||
0-1 0 0 94 Originating-Line-Info [Note 1] | 0-1 0 0 94 Originating-Line-Info [Note 1] | |||
0-1 0 0 95 NAS-IPv6-Address [Note 1] | 0-1 0 0 95 NAS-IPv6-Address [Note 1] | |||
0-1 0 0 96 Framed-Interface-Id [Note 1] | 0-1 0 0 96 Framed-Interface-Id [Note 1] | |||
0+ 0 0 97 Framed-IPv6-Prefix [Note 1] | 0+ 0 0 97 Framed-IPv6-Prefix [Note 1] | |||
0+ 0 0 98 Login-IPv6-Host [Note 3] | 0+ 0 0 98 Login-IPv6-Host [Note 3] | |||
0+ 0 0 99 Framed-IPv6-Route [Note 3] | 0+ 0 0 99 Framed-IPv6-Route [Note 3] | |||
0-1 0 0 100 Framed-IPv6-Pool [Note 3] | 0-1 0 0 100 Framed-IPv6-Pool [Note 3] | |||
0 0 0+ 101 Error-Cause | 0 0 0+ 101 Error-Cause | |||
0-1 0 0 TBD NAS-Filter-Rule | 0-1 0 0 TBD NAS-Filter-Rule | |||
0-1 0-1 0-1 TBD Nonce [Note 8] | ||||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
Disconnect Messages | Disconnect Messages | |||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
0-1 0 0 1 User-Name [Note 1] | 0-1 0 0 1 User-Name [Note 1] | |||
0-1 0 0 4 NAS-IP-Address [Note 1] | 0-1 0 0 4 NAS-IP-Address [Note 1] | |||
0-1 0 0 5 NAS-Port [Note 1] | 0-1 0 0 5 NAS-Port [Note 1] | |||
0-1 0 0-1 6 Service-Type [Note 6] | 0 0 0 6 Service-Type | |||
0-1 0 0 8 Framed-IP-Address [Note 1] | 0-1 0 0 8 Framed-IP-Address [Note 1] | |||
0+ 0 0 18 Reply-Message [Note 2] | 0+ 0 0 18 Reply-Message [Note 2] | |||
0-1 0-1 0-1 24 State [Note 7] | 0 0 0 24 State | |||
0+ 0 0 25 Class [Note 4] | 0+ 0 0 25 Class [Note 4] | |||
0+ 0 0 26 Vendor-Specific | 0+ 0 0 26 Vendor-Specific | |||
0-1 0 0 30 Called-Station-Id [Note 1] | 0-1 0 0 30 Called-Station-Id [Note 1] | |||
0-1 0 0 31 Calling-Station-Id [Note 1] | 0-1 0 0 31 Calling-Station-Id [Note 1] | |||
0-1 0 0 32 NAS-Identifier [Note 1] | 0-1 0 0 32 NAS-Identifier [Note 1] | |||
0+ 0+ 0+ 33 Proxy-State | 0+ 0+ 0+ 33 Proxy-State | |||
0-1 0 0 44 Acct-Session-Id [Note 1] | 0-1 0 0 44 Acct-Session-Id [Note 1] | |||
0-1 0-1 0 49 Acct-Terminate-Cause | 0-1 0-1 0 49 Acct-Terminate-Cause | |||
0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | |||
0-1 0-1 0-1 55 Event-Timestamp | 0-1 0-1 0-1 55 Event-Timestamp | |||
0-1 0 0 61 NAS-Port-Type [Note 1] | 0-1 0 0 61 NAS-Port-Type [Note 1] | |||
0+ 0-1 0 79 EAP-Message [Note 2] | 0+ 0-1 0 79 EAP-Message [Note 2] | |||
0-1 0-1 0-1 80 Message-Authenticator | 0-1 0-1 0-1 80 Message-Authenticator | |||
0-1 0 0 87 NAS-Port-Id [Note 1] | 0-1 0 0 87 NAS-Port-Id [Note 1] | |||
0-1 0 0 94 Originating-Line-Info [Note 1] | 0-1 0 0 94 Originating-Line-Info [Note 1] | |||
0-1 0 0 95 NAS-IPv6-Address [Note 1] | 0-1 0 0 95 NAS-IPv6-Address [Note 1] | |||
0-1 0 0 96 Framed-Interface-Id [Note 1] | 0-1 0 0 96 Framed-Interface-Id [Note 1] | |||
0+ 0 0 97 Framed-IPv6-Prefix [Note 1] | 0+ 0 0 97 Framed-IPv6-Prefix [Note 1] | |||
0 0+ 0+ 101 Error-Cause | 0 0+ 0+ 101 Error-Cause | |||
0-1 0-1 0-1 TBD Nonce [Note 8] | ||||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
The following table defines the meaning of the above table entries. | The following table defines the meaning of the above table entries. | |||
0 This attribute MUST NOT be present in packet. | 0 This attribute MUST NOT be present in packet. | |||
0+ Zero or more instances of this attribute MAY be present in packet. | 0+ Zero or more instances of this attribute MAY be present in packet. | |||
0-1 Zero or one instance of this attribute MAY be present in packet. | 0-1 Zero or one instance of this attribute MAY be present in packet. | |||
1 Exactly one instance of this attribute MUST be present in packet. | 1 Exactly one instance of this attribute MUST be present in packet. | |||
[Note 1] Where NAS or session identification attributes are included | [Note 1] Where NAS or session identification attributes are included | |||
in Disconnect-Request or CoA-Request packets, they are used for | in Disconnect-Request or CoA-Request packets, they are used for | |||
identification purposes only. These attributes MUST NOT be used for | identification purposes only. These attributes MUST NOT be used for | |||
skipping to change at page 20, line 44 | skipping to change at page 19, line 38 | |||
Accounting Stop packet. If the Disconnect-Request is unsuccessful, | Accounting Stop packet. If the Disconnect-Request is unsuccessful, | |||
then the Class Attribute is not processed. | then the Class Attribute is not processed. | |||
[Note 5] When included within a CoA-Request, these attributes | [Note 5] When included within a CoA-Request, these attributes | |||
represent an authorization change request. Where tunnel attribute(s) | represent an authorization change request. Where tunnel attribute(s) | |||
are included within a successful CoA-Request, all existing tunnel | are included within a successful CoA-Request, all existing tunnel | |||
attributes are removed and replaced by the new attribute(s). | attributes are removed and replaced by the new attribute(s). | |||
[Note 6] Support for the Service-Type of "Authorize Only" is OPTIONAL | [Note 6] Support for the Service-Type of "Authorize Only" is OPTIONAL | |||
on the NAS and RADIUS server. A NAS supporting the "Authorize Only" | on the NAS and RADIUS server. A NAS supporting the "Authorize Only" | |||
Service-Type value within Disconnect-Request or CoA-Request packets | Service-Type value within a CoA-Request packet MUST respond with a | |||
MUST respond with a Disconnect-NAK or CoA-NAK respectively, | CoA-NAK containing a Service-Type Attribute with value "Authorize | |||
containing a Service-Type Attribute with value "Authorize Only", and | Only", and an Error-Cause Attribute with value "Request Initiated". | |||
an Error-Cause Attribute with value "Request Initiated". The NAS | The NAS then sends an Access-Request to the RADIUS server with a | |||
then sends an Access-Request to the RADIUS server with a Service-Type | Service-Type Attribute with value "Authorize Only". This Access- | |||
Attribute with value "Authorize Only". This Access-Request SHOULD | Request SHOULD contain the NAS attributes from the CoA-Request, as | |||
contain the NAS attributes from the Disconnect or CoA-Request, as | well as the session attributes from the CoA-Request legal for | |||
well as the session attributes from the Request legal for inclusion | inclusion in an Access-Request as specified in [RFC2865], [RFC2868], | |||
in an Access-Request as specified in [RFC2865], [RFC2868], [RFC2869] | [RFC2869] and [RFC3162]. As noted in [RFC2869] Section 5.19, a | |||
and [RFC3162]. As noted in [RFC2869] Section 5.19, a Message- | Message-Authenticator attribute SHOULD be included in an Access- | |||
Authenticator attribute SHOULD be included in an Access-Request that | Request that does not contain a User-Password, CHAP-Password, ARAP- | |||
does not contain a User-Password, CHAP-Password, ARAP-Password or | Password or EAP-Message Attribute. The RADIUS server should send | |||
EAP-Message Attribute. The RADIUS server should send back an Access- | back an Access-Accept to (re-)authorize the session or an Access- | |||
Accept to (re-)authorize the session or an Access-Reject to refuse to | Reject to refuse to (re-)authorize it. | |||
(re-)authorize it. | ||||
A NAS that does not support the Service-Type Attribute with the value | A NAS that does not support the Service-Type Attribute with the value | |||
"Authorize Only" within a Disconnect-Request MUST respond with a | ||||
Disconnect-NAK including no Service-Type Attribute; an Error-Cause | ||||
Attribute with value "Unsupported Service" MAY be included. A NAS | ||||
that does not support the Service-Type Attribute with the value | ||||
"Authorize Only" within a CoA-Request MUST respond with a CoA-NAK | "Authorize Only" within a CoA-Request MUST respond with a CoA-NAK | |||
including no Service-Type Attribute; an Error-Cause Attribute with | including no Service-Type Attribute; an Error-Cause Attribute with | |||
value "Unsupported Service" MAY be included. | value "Unsupported Service" MAY be included. | |||
[Note 7] The State Attribute is available to be sent by the RADIUS | [Note 7] The State Attribute is available to be sent by the RADIUS | |||
server to the NAS in a Disconnect-Request or CoA-Request packet and | server to the NAS in a CoA-Request packet and MUST be sent unmodified | |||
MUST be sent unmodified from the NAS to the RADIUS server in a | from the NAS to the RADIUS server in a subsequent ACK or NAK packet. | |||
subsequent ACK or NAK packet. If a Service-Type Attribute with value | If a Service-Type Attribute with value "Authorize Only" is included | |||
"Authorize Only" is included in a Disconnect-Request or CoA-Request | in a CoA-Request then a State Attribute MUST be present, and MUST be | |||
then a State Attribute MUST be present, and MUST be sent unmodified | sent unmodified from the NAS to the RADIUS server in the resulting | |||
from the NAS to the RADIUS server in the resulting Access-Request | Access-Request sent to the RADIUS server, if any. The State | |||
sent to the RADIUS server, if any. The State Attribute is also | Attribute is also available to be sent by the RADIUS server to the | |||
available to be sent by the RADIUS server to the NAS in a CoA-Request | NAS in a CoA-Request that also includes a Termination-Action | |||
that also includes a Termination-Action Attribute with the value of | Attribute with the value of RADIUS-Request. If the client performs | |||
RADIUS-Request. If the client performs the Termination-Action by | the Termination-Action by sending a new Access-Request upon | |||
sending a new Access-Request upon termination of the current session, | termination of the current session, it MUST include the State | |||
it MUST include the State Attribute unchanged in that Access-Request. | Attribute unchanged in that Access-Request. In either usage, the | |||
In either usage, the client MUST NOT interpret the Attribute locally. | client MUST NOT interpret the Attribute locally. A CoA-Request | |||
A Disconnect-Request or CoA-Request packet must have only zero or | packet must have only zero or one State Attribute. Usage of the | |||
one State Attribute. Usage of the State Attribute is implementation | State Attribute is implementation dependent. | |||
dependent. If the RADIUS server does not recognize the State | ||||
Attribute in the Access-Request, then it MUST send an Access-Reject. | ||||
[Note 8] A Nonce Attribute SHOULD be included in a CoA-Request or | ||||
Disconnect-Request packet that is not protected by IPsec or does not | ||||
contain an Event-Timestamp Attribute, so as to prevent replay | ||||
attacks. A Nonce Attribute MAY also be included in CoA-ACK, CoA-NAK, | ||||
Disconnect-ACK, Disconnect-NAK, or Accounting-Request packets. | ||||
4. Diameter Considerations | 4. Diameter Considerations | |||
Due to differences in handling change-of-authorization requests in | Due to differences in handling change-of-authorization requests in | |||
RADIUS and Diameter, it may be difficult or impossible for a | RADIUS and Diameter, it may be difficult or impossible for a | |||
Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth- | Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth- | |||
Request (RAR) to a CoA-Request and vice versa. For example, since a | Request (RAR) to a CoA-Request and vice versa. For example, since a | |||
CoA-Request only initiates an authorization change but does not | CoA-Request only initiates an authorization change but does not | |||
initiate re-authentication, a RAR command containing a Re-Auth- | initiate re-authentication, a RAR command containing a Re-Auth- | |||
Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be | Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be | |||
skipping to change at page 23, line 34 | skipping to change at page 22, line 20 | |||
(Ignored) | (Ignored) | |||
401 Unsupported Attribute DIAMETER_AVP_UNSUPPORTED | 401 Unsupported Attribute DIAMETER_AVP_UNSUPPORTED | |||
402 Missing Attribute DIAMETER_MISSING_AVP | 402 Missing Attribute DIAMETER_MISSING_AVP | |||
403 NAS Identification DIAMETER_REALM_NOT_SERVED | 403 NAS Identification DIAMETER_REALM_NOT_SERVED | |||
Mismatch | Mismatch | |||
404 Invalid Request DIAMETER_UNABLE_TO_COMPLY | 404 Invalid Request DIAMETER_UNABLE_TO_COMPLY | |||
405 Unsupported Service DIAMETER_COMMAND_UNSUPPORTED | 405 Unsupported Service DIAMETER_COMMAND_UNSUPPORTED | |||
406 Unsupported Extension DIAMETER_APPLICATION_UNSUPPORTED | 406 Unsupported Extension DIAMETER_APPLICATION_UNSUPPORTED | |||
501 Administratively DIAMETER_AUTHORIZATION_REJECTED | 501 Administratively DIAMETER_AUTHORIZATION_REJECTED | |||
Prohibited | Prohibited | |||
502 Request Not Routable DIAMETER_UNABLE_TO_DELIVER | 502 Request Not Routable (Proxy) DIAMETER_UNABLE_TO_DELIVER | |||
(Proxy) | ||||
503 Session Context Not Found DIAMETER_UNKNOWN_SESSION_ID | 503 Session Context Not Found DIAMETER_UNKNOWN_SESSION_ID | |||
504 Session Context Not DIAMETER_AUTHORIZATION_REJECTED | 504 Session Context Not DIAMETER_AUTHORIZATION_REJECTED | |||
Removable | Removable | |||
505 Other Proxy Processing DIAMETER_UNABLE_TO_COMPLY | 505 Other Proxy Processing DIAMETER_UNABLE_TO_COMPLY | |||
Error | Error | |||
506 Resources Unavailable DIAMETER_RESOURCES_EXCEEDED | 506 Resources Unavailable DIAMETER_RESOURCES_EXCEEDED | |||
507 Request Initiated DIAMETER_SUCCESS | 507 Request Initiated DIAMETER_SUCCESS | |||
Since both the ASR/ASA and Disconnect-Request/Disconnect- | Since both the ASR/ASA and Disconnect-Request/Disconnect- | |||
NAK/Disconnect-ACK exchanges involve just a request and response, | NAK/Disconnect-ACK exchanges involve just a request and response, | |||
inclusion of an "Authorize Only" Service-Type within a Disconnect- | inclusion of an "Authorize Only" Service-Type within a Disconnect- | |||
Request is not needed to assist in Diameter/RADIUS translation, and | Request is not needed to assist in Diameter/RADIUS translation, and | |||
may make translation more difficult. As a result, inclusion of a | may make translation more difficult. As a result, the Service-Type | |||
Service-Type of "Authorize Only" within a Disconnect-Request is NOT | Attribute MUST NOT be used within a Disconnect-Request. | |||
RECOMMENDED. | ||||
5. IANA Considerations | 5. IANA Considerations | |||
This specification does not create any new registries. | This specification contains no actions for IANA. All protocol | |||
parameters required for this document were previously approved as | ||||
This document uses the RADIUS [RFC2865] namespace, see | part of the publication of [RFC3576]. | |||
<http://www.iana.org/assignments/radius-types>. Allocation of one | ||||
update for the section "RADIUS Attribute Types" is requested. The | ||||
RADIUS attribute for which a value is requested is: | ||||
TBD - Nonce | ||||
There are six updates for the section: RADIUS Packet Type Codes. | ||||
These Packet Types are allocated in [RFC3575]: | ||||
40 - Disconnect-Request | ||||
41 - Disconnect-ACK | ||||
42 - Disconnect-NAK | ||||
43 - CoA-Request | ||||
44 - CoA-ACK | ||||
45 - CoA-NAK | ||||
A new Service-Type value for "Authorize Only" (17) is allocated in | ||||
[RFC3576]. This draft also uses the UDP [RFC768] namespace, see | ||||
<http://www.iana.org/assignments/port-numbers>. UDP port 3799 has | ||||
been assigned [RFC3576]. This specification also utilizes the Error- | ||||
Cause Attribute (101) allocated in [RFC3576], with the following | ||||
decimal values: | ||||
# Value | ||||
--- ----- | ||||
201 Residual Session Context Removed | ||||
202 Invalid EAP Packet (Ignored) | ||||
401 Unsupported Attribute | ||||
402 Missing Attribute | ||||
403 NAS Identification Mismatch | ||||
404 Invalid Request | ||||
405 Unsupported Service | ||||
406 Unsupported Extension | ||||
501 Administratively Prohibited | ||||
502 Request Not Routable (Proxy) | ||||
503 Session Context Not Found | ||||
504 Session Context Not Removable | ||||
505 Other Proxy Processing Error | ||||
506 Resources Unavailable | ||||
507 Request Initiated | ||||
6. Security Considerations | 6. Security Considerations | |||
6.1. Authorization Issues | 6.1. Authorization Issues | |||
Where a NAS is shared by multiple providers, it is undesirable for | Where a NAS is shared by multiple providers, it is undesirable for | |||
one provider to be able to send Disconnect-Request or CoA-Requests | one provider to be able to send Disconnect-Request or CoA-Requests | |||
affecting the sessions of another provider. | affecting the sessions of another provider. | |||
A NAS or RADIUS proxy MUST silently discard Disconnect-Request or | A NAS or RADIUS proxy MUST silently discard Disconnect-Request or | |||
skipping to change at page 26, line 39 | skipping to change at page 24, line 28 | |||
a NAT exists between the RADIUS client and proxy, checking the NAS- | a NAT exists between the RADIUS client and proxy, checking the NAS- | |||
IP-Address or NAS-IPv6-Address Attributes may not be feasible. | IP-Address or NAS-IPv6-Address Attributes may not be feasible. | |||
6.3. IPsec Usage Guidelines | 6.3. IPsec Usage Guidelines | |||
In addition to security vulnerabilities unique to Disconnect or CoA | In addition to security vulnerabilities unique to Disconnect or CoA | |||
packets, the protocol exchanges described in this document are | packets, the protocol exchanges described in this document are | |||
susceptible to the same vulnerabilities as RADIUS [RFC2865]. It is | susceptible to the same vulnerabilities as RADIUS [RFC2865]. It is | |||
RECOMMENDED that IPsec be employed to afford better security. | RECOMMENDED that IPsec be employed to afford better security. | |||
Implementations of this specification SHOULD support IPsec [RFC2401] | Implementations of this specification SHOULD support IPsec [RFC4301] | |||
along with IKE [RFC2409] for key management. IPsec ESP [RFC2406] | along with IKEv1 [RFC2409] for key management. IPsec ESP [RFC4303] | |||
with non-null transform SHOULD be supported, and IPsec ESP with a | with non-null transform SHOULD be supported, and IPsec ESP with a | |||
non-null encryption transform and authentication support SHOULD be | non-null encryption transform and authentication support SHOULD be | |||
used to provide per-packet confidentiality, authentication, integrity | used to provide per-packet confidentiality, authentication, integrity | |||
and replay protection. IKE SHOULD be used for key management. | and replay protection. IKE SHOULD be used for key management. | |||
Within RADIUS [RFC2865], a shared secret is used for hiding of | Within RADIUS [RFC2865], a shared secret is used for hiding of | |||
Attributes such as User-Password, as well as in computation of the | Attributes such as User-Password, as well as in computation of the | |||
Response Authenticator. In RADIUS accounting [RFC2866], the shared | Response Authenticator. In RADIUS accounting [RFC2866], the shared | |||
secret is used in computation of both the Request Authenticator and | secret is used in computation of both the Request Authenticator and | |||
the Response Authenticator. | the Response Authenticator. | |||
skipping to change at page 29, line 21 | skipping to change at page 27, line 10 | |||
of security services different from those negotiated with existing | of security services different from those negotiated with existing | |||
IPsec SAs will need to negotiate a new IPsec SA. Separate IPsec SAs | IPsec SAs will need to negotiate a new IPsec SA. Separate IPsec SAs | |||
are also advisable where quality of service considerations dictate | are also advisable where quality of service considerations dictate | |||
different handling RADIUS conversations. Attempting to apply | different handling RADIUS conversations. Attempting to apply | |||
different quality of service to connections handled by the same IPsec | different quality of service to connections handled by the same IPsec | |||
SA can result in reordering, and falling outside the replay window. | SA can result in reordering, and falling outside the replay window. | |||
For a discussion of the issues, see [RFC2983]. | For a discussion of the issues, see [RFC2983]. | |||
6.4. Replay Protection | 6.4. Replay Protection | |||
Where IPsec replay protection is not used, a Nonce or Event-Timestamp | Where IPsec replay protection is not used, an Event-Timestamp (55) | |||
(55) [RFC2869] Attribute SHOULD be included within CoA-Request and | [RFC2869] Attribute SHOULD be included within CoA-Request and | |||
Disconnect-Request packets, and MAY be included within CoA-ACK, CoA- | Disconnect-Request packets, and MAY be included within CoA-ACK, CoA- | |||
NAK, Disconnect-ACK and Disconnect-NAK packets. When the Event- | NAK, Disconnect-ACK and Disconnect-NAK packets. | |||
Timestamp attribute is present, both the NAS and the RADIUS server | ||||
MUST check that the Event-Timestamp Attribute is current within an | ||||
acceptable time window. If the Event-Timestamp Attribute is not | ||||
current, then the packet MUST be silently discarded. This implies | ||||
the need for loose time synchronization within the network, which can | ||||
be achieved by a variety of means, including SNTP, as described in | ||||
[RFC4330]. | ||||
Implementations SHOULD be configurable to discard CoA-Request or | When the Event-Timestamp attribute is present, both the NAS and the | |||
Disconnect-Request packets containing neither a Nonce nor an Event- | RADIUS server MUST check that the Event-Timestamp Attribute is | |||
Timestamp attribute. A default time window of 300 seconds is | current within an acceptable time window. If the Event-Timestamp | |||
recommended. | Attribute is not current, then the packet MUST be silently discarded. | |||
This implies the need for loose time synchronization within the | ||||
network, which can be achieved by a variety of means, including SNTP, | ||||
as described in [RFC4330]. Implementations SHOULD be configurable to | ||||
discard CoA-Request or Disconnect-Request packets not containing an | ||||
Event-Timestamp attribute. | ||||
If the Event-Timestamp Attribute is included, it represents the time | ||||
at which the original packet was sent, and therefore it SHOULD NOT be | ||||
updated when the packet is retransmitted. If the Event-Timestamp | ||||
attribute is not updated, this implies that the Identifier is not | ||||
changed in retransmitted packets. As a result, the ability to detect | ||||
replay within the time window is dependent on support for duplicate | ||||
detection within that same window. As noted in Section 2.3, | ||||
duplicate detection is REQUIRED for RADIUS clients implementing this | ||||
specification. | ||||
The time window used for duplicate detection MUST be the same as the | ||||
window used to detect stale Event-Timestamp Attributes. Since the | ||||
RADIUS Identifier cannot be repeated within the selected time window, | ||||
no more than 256 Requests can be accepted within the time window. As | ||||
a result, the chosen time window will depend on the expected maximum | ||||
volume of CoA/Disconnect-Requests, so that unnecessary discards can | ||||
be avoided. A default time window of 300 seconds should be adequate | ||||
in many circumstances. | ||||
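Receiver-side logic for the Section 6.4 rules in the -01 text (stale Event-Timestamp discard, duplicate detection on the unchanged Identifier within the same window, the 256-Identifier ceiling, and the configurable discard of requests without an Event-Timestamp). This is an added example, not code from the draft; the client address, the explicit `now` clock and the "conflict" outcome for a reused Identifier with a different timestamp are assumptions of the example.

```python
"""Replay and duplicate checks for CoA/Disconnect-Request packets.

Added example, not code from draft-ietf-radext-rfc3576bis-01. The clock is
passed in explicitly so the behaviour can be exercised deterministically.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Default time window recommended in Section 6.4 (seconds).
DEFAULT_WINDOW = 300

CacheKey = Tuple[str, int]                 # (client address, RADIUS Identifier)
CacheEntry = Tuple[float, Optional[int]]   # (time first seen, Event-Timestamp)


@dataclass
class RequestGuard:
    """Per-client request cache whose replay and duplicate windows coincide."""
    window: int = DEFAULT_WINDOW
    # "Implementations SHOULD be configurable to discard CoA-Request or
    # Disconnect-Request packets not containing an Event-Timestamp attribute."
    require_timestamp: bool = True
    seen: Dict[CacheKey, CacheEntry] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        # The duplicate-detection window MUST equal the stale-timestamp
        # window, so entries leave the cache when their timestamp goes stale.
        for key, (first_seen, _) in list(self.seen.items()):
            if now - first_seen > self.window:
                del self.seen[key]

    def check(self, client: str, identifier: int,
              event_timestamp: Optional[int], now: float) -> str:
        """Return 'accept', 'duplicate', 'stale', 'missing' or 'conflict'."""
        if not 0 <= identifier <= 255:
            raise ValueError("RADIUS Identifier is a single octet")
        self._expire(now)
        if event_timestamp is None:
            if self.require_timestamp:
                return "missing"        # silently discarded when configured so
        elif abs(now - event_timestamp) > self.window:
            return "stale"              # not current: MUST be silently discarded
        key = (client, identifier)
        if key in self.seen:
            _, cached_ts = self.seen[key]
            # A retransmission keeps its Identifier and Event-Timestamp, so it
            # matches the cached entry; the cached response would be resent.
            if cached_ts == event_timestamp:
                return "duplicate"
            # Same Identifier but a different timestamp inside the window:
            # the Identifier may not be reused that soon, so discard it.
            return "conflict"
        self.seen[key] = (now, event_timestamp)
        return "accept"

    def capacity_remaining(self, client: str, now: float) -> int:
        """Identifiers this client can still use in the current window.

        The one-octet Identifier cannot repeat within the window, so at most
        256 requests per client fit in it; the window must be sized to the
        expected CoA/Disconnect volume to avoid unnecessary discards.
        """
        self._expire(now)
        return 256 - sum(1 for (c, _) in self.seen if c == client)
```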
7. Example Traces | 7. Example Traces | |||
Disconnect Request with User-Name: | Disconnect Request with User-Name: | |||
0: xxxx xxxx xxxx xxxx xxxx 2801 001c 1b23 .B.....$.-(....# | 0: xxxx xxxx xxxx xxxx xxxx 2801 001c 1b23 .B.....$.-(....# | |||
16: 624c 3543 ceba 55f1 be55 a714 ca5e 0108 bL5C..U..U...^.. | 16: 624c 3543 ceba 55f1 be55 a714 ca5e 0108 bL5C..U..U...^.. | |||
32: 6d63 6869 6261 | 32: 6d63 6869 6261 | |||
Disconnect Request with Acct-Session-ID: | Disconnect Request with Acct-Session-ID: | |||
0: xxxx xxxx xxxx xxxx xxxx 2801 001e ad0d .B..... ~.(..... | 0: xxxx xxxx xxxx xxxx xxxx 2801 001e ad0d .B..... ~.(..... | |||
16: 8e53 55b6 bd02 a0cb ace6 4e38 77bd 2c0a .SU.......N8w.,. | 16: 8e53 55b6 bd02 a0cb ace6 4e38 77bd 2c0a .SU.......N8w.,. | |||
32: 3930 3233 3435 3637 90234567 | 32: 3930 3233 3435 3637 90234567 | |||
Disconnect Request with Framed-IP-Address: | Disconnect Request with Framed-IP-Address: | |||
0: xxxx xxxx xxxx xxxx xxxx 2801 001a 0bda .B....."2.(..... | 0: xxxx xxxx xxxx xxxx xxxx 2801 001a 0bda .B....."2.(..... | |||
16: 33fe 765b 05f0 fd9c c32a 2f6b 5182 0806 3.v[.....*/kQ... | 16: 33fe 765b 05f0 fd9c c32a 2f6b 5182 0806 3.v[.....*/kQ... | |||
32: 0a00 0203 | 32: 0a00 0203 | |||
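Decoding the three Section 7 traces with a minimal RADIUS packet parser, and computing the Request Authenticator that a NAS checks before acting on a Disconnect-Request (the RFC 3576 rule: MD5 over Code, Identifier, Length, 16 zero octets, the attributes and the shared secret). This is an added example, not code from the draft; the obscured "xxxx" prefix of each trace is omitted, the shared secret used in the test is a constructed placeholder (the page gives none), and `build_request`/`describe` are helpers invented here.

```python
"""Parse and authenticate the Section 7 Disconnect-Request traces.
Added example, not code from the draft; each byte string starts at the
RADIUS Code octet, after the obscured prefix shown as 'xxxx' on the page."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Tuple

# Packet Type Codes from Section 5 (allocated in RFC 3575).
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
# Attribute types used by the traces, plus Event-Timestamp from Section 6.4.
ATTRS = {1: "User-Name", 8: "Framed-IP-Address", 44: "Acct-Session-Id",
         55: "Event-Timestamp"}
# Section 7 traces, hex exactly as printed after the obscured prefix.
TRACES = {
    "User-Name": bytes.fromhex(
        "2801001c1b23624c3543ceba55f1be55a714ca5e01086d6368696261"),
    "Acct-Session-Id": bytes.fromhex(
        "2801001ead0d8e5355b6bd02a0cbace64e3877bd2c0a3930323334353637"),
    "Framed-IP-Address": bytes.fromhex(
        "2801001a0bda33fe765b05f0fd9cc32a2f6b518208060a000203"),
}

def parse(raw: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Split a packet into (code, identifier, authenticator, [(type, value)])."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    # RFC 2865: a packet shorter than Length is silently discarded;
    # octets beyond Length are padding and ignored.
    if length < 20 or length > len(raw):
        raise ValueError("Length field inconsistent with packet")
    attrs, offset = [], 20
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = raw[offset], raw[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("attribute length out of range")
        attrs.append((attr_type, raw[offset + 2:offset + attr_len]))
        offset += attr_len
    return code, identifier, raw[4:20], attrs

def request_authenticator(raw: bytes, secret: bytes) -> bytes:
    """RFC 3576 Request Authenticator for CoA/Disconnect-Request packets:
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    length = struct.unpack("!H", raw[2:4])[0]
    return hashlib.md5(raw[:4] + bytes(16) + raw[20:length] + secret).digest()

def verify_request(raw: bytes, secret: bytes) -> bool:
    """A NAS silently discards a request whose authenticator does not match."""
    return hmac.compare_digest(request_authenticator(raw, secret), raw[4:20])

def build_request(code: int, identifier: int,
                  attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Helper invented here: encode TLV attributes and fill in the authenticator."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + request_authenticator(header + bytes(16) + body, secret) + body

def describe(raw: bytes) -> Dict[str, str]:
    """Human-readable view of a packet, decoding each attribute's value type."""
    code, identifier, _, attrs = parse(raw)
    out = {"code": CODES.get(code, str(code)), "identifier": str(identifier)}
    for attr_type, value in attrs:
        name = ATTRS.get(attr_type, f"attr-{attr_type}")
        if attr_type == 8:                       # ipaddr
            out[name] = str(ipaddress.IPv4Address(value))
        elif attr_type == 55:                    # integer, seconds since epoch
            out[name] = str(int.from_bytes(value, "big"))
        else:                                    # text/string
            out[name] = value.decode("ascii", errors="replace")
    return out
```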
8. References | 8. References | |||
8.1. Normative References | 8.1. Normative References | |||
skipping to change at page 30, line 20 | skipping to change at page 28, line 26 | |||
8. References | 8. References | |||
8.1. Normative References | 8.1. Normative References | |||
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, | [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, | |||
April 1992. | April 1992. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", RFC 2119, March 1997. | Requirement Levels", RFC 2119, March 1997. | |||
[RFC2401] Atkinson, R. and S. Kent, "Security Architecture for the | ||||
Internet Protocol", RFC 2401, November 1998. | ||||
[RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security Payload | ||||
(ESP)", RFC 2406, November 1998 | ||||
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", | [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", | |||
RFC 2409, November 1998 | RFC 2409, November 1998. | |||
[RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote | [RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote | |||
Authentication Dial In User Service (RADIUS)", RFC 2865, June | Authentication Dial In User Service (RADIUS)", RFC 2865, June | |||
2000. | 2000. | |||
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. | [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. | |||
[RFC2869] Rigney, C., Willats W. and P. Calhoun, "RADIUS Extensions", | [RFC2869] Rigney, C., Willats W. and P. Calhoun, "RADIUS Extensions", | |||
RFC 2869, June 2000. | RFC 2869, June 2000. | |||
skipping to change at page 31, line 5 | skipping to change at page 29, line 5 | |||
[RFC3280] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet X.509 | [RFC3280] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet X.509 | |||
Public Key Infrastructure Certificate and Certificate | Public Key Infrastructure Certificate and Certificate | |||
Revocation List (CRL) Profile", RFC 3280, April 2002. | Revocation List (CRL) Profile", RFC 3280, April 2002. | |||
[RFC3575] Aboba, B., "IANA Considerations for RADIUS", RFC 3575, July | [RFC3575] Aboba, B., "IANA Considerations for RADIUS", RFC 3575, July | |||
2003. | 2003. | |||
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS Support for Extensible | [RFC3579] Aboba, B. and P. Calhoun, "RADIUS Support for Extensible | |||
Authentication Protocol (EAP)", RFC 3579, September 2003. | Authentication Protocol (EAP)", RFC 3579, September 2003. | |||
[RFC4086] Eastlake, D., Schiller, J. and S. Crocker, "Randomness | ||||
Requirements for Security", RFc 4086, June 2005. | ||||
[RFC4282] Aboba, B., Beadles, M., Arkko, J. and P. Eronen, "The Network | [RFC4282] Aboba, B., Beadles, M., Arkko, J. and P. Eronen, "The Network | |||
Access Identifier", RFC 4282, December 2005. | Access Identifier", RFC 4282, December 2005. | |||
8.2. Informative References | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet | |||
Protocol", RFC 4301, December 2005. | ||||
[RFC768] Postel, J., "User Datagram Protocol", RFC 768, August 1980. | [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, | |||
December 2005. | ||||
8.2. Informative References | ||||
[RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. | [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. | |||
and I. Goyret, "RADIUS Attributes for Tunnel Protocol | and I. Goyret, "RADIUS Attributes for Tunnel Protocol | |||
Support", RFC 2868, June 2000. | Support", RFC 2868, June 2000. | |||
[RFC2882] Mitton, D., "Network Access Server Requirements: Extended | ||||
RADIUS Practices", RFC 2882, July 2000. | ||||
[RFC2983] Black, D. "Differentiated Services and Tunnels", RFC 2983, | [RFC2983] Black, D. "Differentiated Services and Tunnels", RFC 2983, | |||
October 2000. | October 2000. | |||
[RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and | [RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and | |||
Accounting Transport Profile", RFC 3539, June 2003. | Accounting Transport Profile", RFC 3539, June 2003. | |||
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G. and J. | [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G. and J. | |||
Arkko, "Diameter Base Protocol", RFC 3588, September 2003. | Arkko, "Diameter Base Protocol", RFC 3588, September 2003. | |||
[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, | [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, | |||
skipping to change at page 31, line 45 | skipping to change at page 29, line 43 | |||
[RFC4005] Calhoun, P., Zorn, G., Spence, D. and D. Mitton, "Diameter | [RFC4005] Calhoun, P., Zorn, G., Spence, D. and D. Mitton, "Diameter | |||
Network Access Server Application", RFC 4005, August 2005. | Network Access Server Application", RFC 4005, August 2005. | |||
[RFC4330] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for | [RFC4330] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for | |||
IPv4, IPv6 and OSI", RFC 4330, January 2006. | IPv4, IPv6 and OSI", RFC 4330, January 2006. | |||
[MD5Attack] | [MD5Attack] | |||
Dobbertin, H., "The Status of MD5 After a Recent Attack", | Dobbertin, H., "The Status of MD5 After a Recent Attack", | |||
CryptoBytes Vol.2 No.2, Summer 1996. | CryptoBytes Vol.2 No.2, Summer 1996. | |||
[RFCFilter] | ||||
Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule | ||||
Attribute", draft-ietf-radext-filter-08.txt, Internet draft | ||||
(work in progress), January 2007. | ||||
Acknowledgments | Acknowledgments | |||
This protocol was first developed and distributed by Ascend | This protocol was first developed and distributed by Ascend | |||
Communications. Example code was distributed in their free server | Communications. Example code was distributed in their free server | |||
kit. | kit. | |||
The authors would like to acknowledge the valuable suggestions and | The authors would like to acknowledge the valuable suggestions and | |||
feedback from the following people: | feedback from the following people: | |||
Avi Lior <avi@bridgewatersystems.com>, | Avi Lior <avi@bridgewatersystems.com>, | |||
Randy Bush <randy@psg.net>, | Randy Bush <randy@psg.net>, | |||
Steve Bellovin <smb@research.att.com> | Steve Bellovin <smb@research.att.com> | |||
Glen Zorn <gwz@cisco.com>, | Glen Zorn <gwz@cisco.com>, | |||
Mark Jones <mjones@bridgewatersystems.com>, | Mark Jones <mjones@bridgewatersystems.com>, | |||
Claudio Lapidus <clapidus@hotmail.com>, | Claudio Lapidus <clapidus@hotmail.com>, | |||
Anurag Batta <Anurag_Batta@3com.com>, | Anurag Batta <Anurag_Batta@3com.com>, | |||
Kuntal Chowdhury <chowdury@nortelnetworks.com>, and | Kuntal Chowdhury <chowdury@nortelnetworks.com> | |||
Tim Moore <timmoore@microsoft.com>. | Tim Moore <timmoore@microsoft.com> | |||
Russ Housley <housley@vigilsec.com> | Russ Housley <housley@vigilsec.com> | |||
Joe Salowey <jsalowey@cisco.com> | ||||
Authors' Addresses | Authors' Addresses | |||
Murtaza Chiba | Murtaza Chiba | |||
Cisco Systems, Inc. | Cisco Systems, Inc. | |||
170 West Tasman Dr. | 170 West Tasman Dr. | |||
San Jose CA, 95134 | San Jose CA, 95134 | |||
EMail: mchiba@cisco.com | EMail: mchiba@cisco.com | |||
Phone: +1 408 525 7198 | Phone: +1 408 525 7198 | |||
skipping to change at page 33, line 14 | skipping to change at page 31, line 19 | |||
EMail: bernarda@microsoft.com | EMail: bernarda@microsoft.com | |||
Phone: +1 425 706 6605 | Phone: +1 425 706 6605 | |||
Fax: +1 425 936 7329 | Fax: +1 425 936 7329 | |||
Appendix A - Changes from RFC 3576 | Appendix A - Changes from RFC 3576 | |||
This Appendix lists the major changes between [RFC3576] and this | This Appendix lists the major changes between [RFC3576] and this | |||
document. Minor changes, including style, grammar, spelling, and | document. Minor changes, including style, grammar, spelling, and | |||
editorial changes are not mentioned here. | editorial changes are not mentioned here. | |||
o Defined the Nonce Attribute for replay protection when IPsec is not | o Added details relating to handling of the Proxy-State Attribute. | |||
used and the Event-Timestamp Attribute is not present (Sections 1, | Added requirement for duplicate detection on the RADIUS client | |||
3.3, 6.4). | ||||
o Added details relating to handling of the Proxy-State Attribute | ||||
(Section 2.3). | (Section 2.3). | |||
o Added requirements for inclusion of the State Attribute in CoA- | o Added requirements for inclusion of the State Attribute in CoA- | |||
Request or Disconnect-Request packets with a Service-Type of | Request packets with a Service-Type of "Authorize Only" (Section | |||
"Authorize Only" (Section 3.1). | 3.1). | |||
o Use of a Service-Type value of "Authorize Only" within a | ||||
Disconnect-Request (Section 3.1) is not recommended. | ||||
o Added clarification on the calculation of the Message-Authenticator | o Added clarification on the calculation of the Message-Authenticator | |||
Attribute (Section 3.2). | Attribute (Section 3.2). | |||
o Added statement that support for "Authorize Only" Service-Type is | o Added statement that support for "Authorize Only" Service-Type is | |||
optional (Section 3.5). | optional (Section 3.5). | |||
o Use of a Service-Type Attribute within a Disconnect-Request is | ||||
prohibited (Section 4). | ||||
o Added Diameter Considerations (Section 5). | o Added Diameter Considerations (Section 5). | |||
Intellectual Property Statement | o Clarified that the Event-Timestamp Attribute should not be | |||
recalculated on retransmission. The implications for replay and | ||||
duplicate detection are discussed (Section 6.4). | ||||
Full Copyright Statement | ||||
Copyright (C) The IETF Trust (2007). | ||||
This document is subject to the rights, licenses and restrictions | ||||
contained in BCP 78, and except as set forth therein, the authors | ||||
retain all their rights. | ||||
This document and the information contained herein are provided on an | ||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND | ||||
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS | ||||
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF | ||||
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
Intellectual Property | ||||
The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
Intellectual Property Rights or other rights that might be claimed to | Intellectual Property Rights or other rights that might be claimed to | |||
pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
might or might not be available; nor does it represent that it has | might or might not be available; nor does it represent that it has | |||
made any independent effort to identify any such rights. Information | made any independent effort to identify any such rights. Information | |||
on the procedures with respect to rights in RFC documents can be | on the procedures with respect to rights in RFC documents can be | |||
found in BCP 78 and BCP 79. | found in BCP 78 and BCP 79. | |||
skipping to change at page 34, line 29 | skipping to change at page 32, line 45 | |||
such proprietary rights by implementers or users of this | such proprietary rights by implementers or users of this | |||
specification can be obtained from the IETF on-line IPR repository at | specification can be obtained from the IETF on-line IPR repository at | |||
http://www.ietf.org/ipr. | http://www.ietf.org/ipr. | |||
The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
rights that may cover technology that may be required to implement | rights that may cover technology that may be required to implement | |||
this standard. Please address the information to the IETF at ietf- | this standard. Please address the information to the IETF at ietf- | |||
ipr@ietf.org. | ipr@ietf.org. | |||
Disclaimer of Validity | ||||
This document and the information contained herein are provided on an | ||||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND | ||||
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS | ||||
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF | ||||
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
Copyright Statement | ||||
Copyright (C) The IETF Trust (2007). This document is subject to the | ||||
rights, licenses and restrictions contained in BCP 78, and except as | ||||
set forth therein, the authors retain all their rights. | ||||
Acknowledgment | Acknowledgment | |||
Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is provided by the IETF | |||
Internet Society. | Administrative Support Activity (IASA). | |||
Open issues | Open issues | |||
Open issues relating to this specification are tracked on the | Open issues relating to this specification are tracked on the | |||
following web site: | following web site: | |||
http://www.drizzle.com/~aboba/RADEXT/ | http://www.drizzle.com/~aboba/RADEXT/ | |||