draft-ietf-radext-rfc3576bis-01.txt vs. draft-ietf-radext-rfc3576bis-02.txt (rfcdiff)

Network Working Group                                    Murtaza S. Chiba
INTERNET-DRAFT                                              Gopal Dommety
Obsoletes: 3576                                               Mark Eklund
Category: Informational                               Cisco Systems, Inc.
<draft-ietf-radext-rfc3576bis-02.txt>                        David Mitton
(-01: <draft-ietf-radext-rfc3576bis-01.txt>)           RSA Security, Inc.
24 March 2007 (-01: 21 March 2007)                          Bernard Aboba
                                                    Microsoft Corporation

   Dynamic Authorization Extensions to Remote Authentication Dial In User
                              Service (RADIUS)

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
skipping to change at page 2, line 33
   6.1 Authorization Issues ............................ 22
   6.2 Impersonation ................................... 23
   6.3 IPsec Usage Guidelines .......................... 24
   6.4 Replay Protection ............................... 27
7. Example Traces ........................................ 27
8. References ............................................ 28
   8.1 Normative References ............................ 28
   8.2 Informative References .......................... 29
ACKNOWLEDGMENTS .............................................. 30
AUTHORS' ADDRESSES ........................................... 30
Appendix A - Changes from RFC 3576 ........................... 31 (-02: 32)
Full Copyright Statement ..................................... 32 (-02: 33)
Intellectual Property ........................................ 32 (-02: 33)
1. Introduction

The RADIUS protocol, defined in [RFC2865], does not support
unsolicited messages sent from the RADIUS server to the Network
Access Server (NAS).

However, there are many instances in which it is desirable for
changes to be made to session characteristics, without requiring the
NAS to initiate the exchange. For example, it may be desirable for
skipping to change at page 9, line 19
authorization changes MUST NOT be made. Similarly, a state change
MUST NOT occur as a result of an unsuccessful Disconnect-Request;
here a Disconnect-NAK MUST be sent.

Since within this specification attributes may be used for
identification, authorization or other purposes, even if a NAS
implements an attribute for use with RADIUS authentication and
accounting, it may not support inclusion of that attribute within
Disconnect-Request or CoA-Request packets, given the difference in
attribute semantics.

   -01: This is true even for attributes specified within [RFC2865],
   [RFC2868], [RFC2869], [RFC3162] or [RFC3579] as allowable within
   Access-Accept packets. As a result, if attributes beyond those
   specified in Section 3.5 are included within Disconnect-Request or
   CoA-Request packets, the RADIUS server may receive a
   Disconnect-NAK/CoA-NAK in response, possibly containing an
   Error-Cause attribute with value Unsupported Attribute (401).

   -02: This is true even for attributes specified as allowable within
   Access-Accept packets (such as within [RFC2865], [RFC2868],
   [RFC2869], [RFC3162], [RFC3579], [RFC4675], [RFCFilter],
   [RFCDelegated]). As a result, if unsupported attributes are
   included within Disconnect-Request or CoA-Request packets, the
   RADIUS server may receive a Disconnect-NAK/CoA-NAK in response,
   possibly containing an Error-Cause attribute with value
   Unsupported Attribute (401).

If there are any Proxy-State Attributes in a Disconnect-Request or
CoA-Request received from the server, the forwarding proxy or NAS
MUST include those Proxy-State Attributes in its response to the
server.

A forwarding proxy or NAS MUST NOT modify existing Proxy-State,
State, or Class Attributes present in the packet. The forwarding
proxy or NAS MUST treat any Proxy-State attributes already in the
packet as opaque data. Its operation MUST NOT depend on the
skipping to change at page 10, line 47
   NAS-IPv6-Address      95  [RFC3162]  The IPv6 address of the NAS.

   Session identification attributes

   Attribute              #  Reference  Description
   ---------             ---  ---------  -----------
   User-Name              1  [RFC2865]  The name of the user
                                         associated with the session.
   NAS-Port               5  [RFC2865]  The port on which the
                                         session is terminated.
   Framed-IP-Address      8  [RFC2865]  The IPv4 address associated
                                         with the session.
                                         (-01 only; removed in -02)
   Called-Station-Id     30  [RFC2865]  The link address to which
                                         the session is connected.
   Calling-Station-Id    31  [RFC2865]  The link address from which
                                         the session is connected.
   Acct-Session-Id       44  [RFC2866]  The identifier uniquely
                                         identifying the session
                                         on the NAS.
   Acct-Multi-Session-Id 50  [RFC2866]  The identifier uniquely
                                         identifying related sessions.
   NAS-Port-Type         61  [RFC2865]  The type of port used.
   NAS-Port-Id           87  [RFC2869]  String identifying the port
                                         where the session is.
   Originating-Line-Info 94  [RFC4005]  Provides information on the
                                         characteristics of the line
                                         from which a session
                                         originated.
   Framed-Interface-Id   96  [RFC3162]  The IPv6 Interface Identifier
                                         associated with the session;
                                         always sent with
                                         Framed-IPv6-Prefix.
                                         (-01 only; removed in -02)
   Framed-IPv6-Prefix    97  [RFC3162]  The IPv6 prefix associated
                                         with the session, always sent
                                         with Framed-Interface-Id.
                                         (-01 only; removed in -02)

To address security concerns described in Section 6.1, and to enable
Diameter/RADIUS translation, the User-Name Attribute SHOULD be
present in Disconnect-Request or CoA-Request packets; one or more
additional session identification attributes MAY also be present.
For example, where a Diameter client utilizes the same Session-Id for
both authorization and accounting, inclusion of an Acct-Session-Id
Attribute in a Disconnect-Request or CoA-Request can assist with
Diameter/RADIUS translation, since Diameter RAR and ASR commands
include a Session-Id AVP.
skipping to change at page 16, line 42
in which packets, and in what quantity.

   Change-of-Authorization Messages

   Request  ACK  NAK    #  Attribute
   0-1      0    0      1  User-Name [Note 1]
   0-1      0    0      4  NAS-IP-Address [Note 1]
   0-1      0    0      5  NAS-Port [Note 1]
   0-1      0    0-1    6  Service-Type [Note 6]
   0-1      0    0      7  Framed-Protocol [Note 3]
   0-1      0    0      8  Framed-IP-Address [Note 3] (-01: [Note 1])
   0-1      0    0      9  Framed-IP-Netmask [Note 3]
   0-1      0    0     10  Framed-Routing [Note 3]
   0+       0    0     11  Filter-ID [Note 3]
   0-1      0    0     12  Framed-MTU [Note 3]
   0+       0    0     13  Framed-Compression [Note 3]
   0+       0    0     14  Login-IP-Host [Note 3]
   0-1      0    0     15  Login-Service [Note 3]
   0-1      0    0     16  Login-TCP-Port [Note 3]
   0+       0    0     18  Reply-Message [Note 2]
skipping to change at page 17, line 28
   Request  ACK  NAK    #  Attribute
   0+       0+   0+    33  Proxy-State
   0-1      0    0     34  Login-LAT-Service [Note 3]
   0-1      0    0     35  Login-LAT-Node [Note 3]
   0-1      0    0     36  Login-LAT-Group [Note 3]
   0-1      0    0     37  Framed-AppleTalk-Link [Note 3]
   0+       0    0     38  Framed-AppleTalk-Network [Note 3]
   0-1      0    0     39  Framed-AppleTalk-Zone [Note 3]
   0-1      0    0     44  Acct-Session-Id [Note 1]
   0-1      0    0     50  Acct-Multi-Session-Id [Note 1]
   0-1      0-1  0-1   55  Event-Timestamp
   0+       0    0     56  Egress-VLANID [Note 3] (-02 only)
   0-1      0    0     57  Ingress-Filters [Note 3] (-02 only)
   0+       0    0     58  Egress-VLAN-Name [Note 3] (-02 only)
   0-1      0    0     59  User-Priority-Table [Note 3] (-02 only)
   0-1      0    0     61  NAS-Port-Type [Note 1]
   0-1      0    0     62  Port-Limit [Note 3]
   0-1      0    0     63  Login-LAT-Port [Note 3]
   0+       0    0     64  Tunnel-Type [Note 5]
   0+       0    0     65  Tunnel-Medium-Type [Note 5]
   0+       0    0     66  Tunnel-Client-Endpoint [Note 5]
   0+       0    0     67  Tunnel-Server-Endpoint [Note 5]
   0+       0    0     69  Tunnel-Password [Note 5]
   0-1      0    0     71  ARAP-Features [Note 3]
   0-1      0    0     72  ARAP-Zone-Access [Note 3]
   0+       0    0     78  Configuration-Token [Note 3]
   0+       0-1  0     79  EAP-Message [Note 2]
   0-1      0-1  0-1   80  Message-Authenticator
   0+       0    0     81  Tunnel-Private-Group-ID [Note 5]
   0+       0    0     82  Tunnel-Assignment-ID [Note 5]
   0+       0    0     83  Tunnel-Preference [Note 5]
   0-1      0    0     85  Acct-Interim-Interval [Note 3]
   0-1      0    0     87  NAS-Port-Id [Note 1]
   0-1      0    0     88  Framed-Pool [Note 3]
   0+       0    0     90  Tunnel-Client-Auth-ID [Note 5]
   0+       0    0     91  Tunnel-Server-Auth-ID [Note 5]
   0-1      0    0     94  Originating-Line-Info [Note 1]
   0-1      0    0     95  NAS-IPv6-Address [Note 1]
   0-1      0    0     96  Framed-Interface-Id [Note 3] (-01: [Note 1])
   0+       0    0     97  Framed-IPv6-Prefix [Note 8] (-01: [Note 1])
   0+       0    0     98  Login-IPv6-Host [Note 3]
   0+       0    0     99  Framed-IPv6-Route [Note 3]
   0-1      0    0    100  Framed-IPv6-Pool [Note 8] (-01: [Note 3])
   0        0    0+   101  Error-Cause
   0-1      0    0    TBD  NAS-Filter-Rule [Note 3] (-01: no note)
   0+       0    0    TBD  Delegated-IPv6-Prefix [Note 8] (-02 only)

   Disconnect Messages

   Request  ACK  NAK    #  Attribute
   0-1      0    0      1  User-Name [Note 1]
   0-1      0    0      4  NAS-IP-Address [Note 1]
   0-1      0    0      5  NAS-Port [Note 1]
   0        0    0      6  Service-Type
   0-1      0    0      8  Framed-IP-Address [Note 1] (-01 only; removed in -02)
   0+       0    0     18  Reply-Message [Note 2]
   0        0    0     24  State
   0+       0    0     25  Class [Note 4]
   0+       0    0     26  Vendor-Specific
   0-1      0    0     30  Called-Station-Id [Note 1]
   0-1      0    0     31  Calling-Station-Id [Note 1]
   0-1      0    0     32  NAS-Identifier [Note 1]
   0+       0+   0+    33  Proxy-State
   0-1      0    0     44  Acct-Session-Id [Note 1]
   0-1      0-1  0     49  Acct-Terminate-Cause
   0-1      0    0     50  Acct-Multi-Session-Id [Note 1]
   0-1      0-1  0-1   55  Event-Timestamp
   0-1      0    0     61  NAS-Port-Type [Note 1]
   0+       0-1  0     79  EAP-Message [Note 2]
   0-1      0-1  0-1   80  Message-Authenticator
   0-1      0    0     87  NAS-Port-Id [Note 1]
   0-1      0    0     94  Originating-Line-Info [Note 1]
   0-1      0    0     95  NAS-IPv6-Address [Note 1]
   0-1      0    0     96  Framed-Interface-Id [Note 1] (-01 only; removed in -02)
   0+       0    0     97  Framed-IPv6-Prefix [Note 1] (-01 only; removed in -02)
   0        0+   0+   101  Error-Cause
The following table defines the meaning of the above table entries.

   0     This attribute MUST NOT be present in packet.
   0+    Zero or more instances of this attribute MAY be present in packet.
   0-1   Zero or one instance of this attribute MAY be present in packet.
   1     Exactly one instance of this attribute MUST be present in packet.

[Note 1] Where NAS or session identification attributes are included
in Disconnect-Request or CoA-Request packets, they are used for
identification purposes only. These attributes MUST NOT be used for
purposes other than identification (e.g. within CoA-Request packets
to request authorization changes).

[Note 2] The Reply-Message Attribute is used to present a displayable
message to the user. The message is only displayed as a result of a

skipping to change at page 20, line 27 (-01) / page 20, line 28 (-02)

Attribute is also available to be sent by the RADIUS server to the
NAS in a CoA-Request that also includes a Termination-Action
Attribute with the value of RADIUS-Request. If the client performs
the Termination-Action by sending a new Access-Request upon
termination of the current session, it MUST include the State
Attribute unchanged in that Access-Request. In either usage, the
client MUST NOT interpret the Attribute locally. A CoA-Request
packet must have only zero or one State Attribute. Usage of the
State Attribute is implementation dependent.

[Note 8] (-02 only) These attributes are typically included in a
CoA-Request for the purposes of renumbering.
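The NAS-side handling that Section 3 and the tables above prescribe, as an added example that is not code from the draft or from any RADIUS implementation: it builds a Disconnect-Request with the Request Authenticator rule RFC 3576 borrows from Accounting-Request (MD5 over the header, sixteen zero octets, the attributes and the shared secret), verifies that authenticator on the NAS before looking at any attribute, rejects an attribute the Disconnect-Request column marks 0 (Service-Type) with Error-Cause Unsupported Attribute (401), refuses to select a session when no [Note 1] identification attribute is present, echoes Proxy-State unmodified in the reply, and leaves session state untouched whenever it answers with a Disconnect-NAK. The occurrence-limit dictionary covers only the attributes the example uses; the Error-Cause values 402 (Missing Attribute) and 503 (Session Context Not Found) are RFC 3576 values that this excerpt does not show; the shared secret and the session records are constructed for the example.

```python
import hashlib
import hmac
import struct

# Packet codes assigned by RFC 3576 for the dynamic authorization extensions.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute numbers taken from the tables above.
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, PROXY_STATE = 1, 4, 6, 33
ACCT_SESSION_ID, ERROR_CAUSE = 44, 101
# Error-Cause values: 401 is quoted in the draft text above; 402 (Missing Attribute)
# and 503 (Session Context Not Found) are RFC 3576 values not shown in this excerpt.
ERR_UNSUPPORTED_ATTRIBUTE, ERR_MISSING_ATTRIBUTE, ERR_SESSION_NOT_FOUND = 401, 402, 503
# Occurrence limits from the Disconnect-Request column of the table above, for the
# attributes this example knows: 0 = MUST NOT, 1 = zero or one, None = zero or more.
DISCONNECT_REQUEST_LIMITS = {USER_NAME: 1, NAS_IP_ADDRESS: 1, SERVICE_TYPE: 0,
                             PROXY_STATE: None, ACCT_SESSION_ID: 1}
IDENTIFICATION_ATTRS = (USER_NAME, ACCT_SESSION_ID)  # [Note 1] attributes used here

def encode_attrs(attrs):
    """TLV-encode (type, value) pairs: one-octet type, one-octet total length."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)

def decode_attrs(data):
    """Parse TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attrs|Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body

def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body

def verify_request(pkt, secret):
    """NAS side: check the Request Authenticator before acting on any attribute."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length")
    hdr, auth, body = pkt[:4], pkt[4:20], pkt[20:length]
    if not hmac.compare_digest(auth, hashlib.md5(hdr + bytes(16) + body + secret).digest()):
        raise ValueError("Request Authenticator mismatch; silently discard")
    return code, ident, auth, decode_attrs(body)

def verify_response(pkt, req_auth, secret):
    """Server side: bind the reply to the outstanding request's authenticator."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length")
    hdr, auth, body = pkt[:4], pkt[4:20], pkt[20:length]
    if not hmac.compare_digest(auth, hashlib.md5(hdr + req_auth + body + secret).digest()):
        raise ValueError("Response Authenticator mismatch")
    return code, ident, decode_attrs(body)

def nas_handle_disconnect(pkt, secret, sessions):
    """Validate a Disconnect-Request, echo Proxy-State, answer ACK or NAK.
    sessions: list of {attribute: value} dicts; matched entries are removed."""
    code, ident, req_auth, attrs = verify_request(pkt, secret)
    if code != DISCONNECT_REQUEST:
        raise ValueError("not a Disconnect-Request")
    echo = [(t, v) for t, v in attrs if t == PROXY_STATE]  # opaque, returned unmodified

    def nak(cause):
        return build_response(DISCONNECT_NAK, ident, req_auth,
                              echo + [(ERROR_CAUSE, struct.pack("!I", cause))], secret)

    counts = {}
    for t, _ in attrs:
        counts[t] = counts.get(t, 0) + 1
    for t, n in counts.items():
        limit = DISCONNECT_REQUEST_LIMITS.get(t, 0)  # attributes unknown here => unsupported
        if limit is not None and n > limit:
            return nak(ERR_UNSUPPORTED_ATTRIBUTE)  # e.g. Service-Type, table entry 0
    wanted = {t: v for t, v in attrs if t in IDENTIFICATION_ATTRS}
    if not wanted:  # an empty selector must never match every session
        return nak(ERR_MISSING_ATTRIBUTE)
    matched = [s for s in sessions if all(s.get(t) == v for t, v in wanted.items())]
    if not matched:
        return nak(ERR_SESSION_NOT_FOUND)  # no state change on an unsuccessful request
    for s in matched:
        sessions.remove(s)
    return build_response(DISCONNECT_ACK, ident, req_auth, echo, secret)
```

The order of checks is the point: the authenticator is compared in constant time and a mismatch is dropped before any attribute is parsed or matched, the empty-selector case is rejected rather than allowed to disconnect every session, and a NAK is produced without touching the session list. A production NAS would additionally keep the (source address, Identifier, Request Authenticator) cache the draft requires for duplicate detection (Section 2.3) and verify Message-Authenticator (attribute 80) when present, since the MD5 authenticators above are only as strong as the shared secret.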
4. Diameter Considerations

Due to differences in handling change-of-authorization requests in
RADIUS and Diameter, it may be difficult or impossible for a
Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth-
Request (RAR) to a CoA-Request and vice versa. For example, since a
CoA-Request only initiates an authorization change but does not
initiate re-authentication, a RAR command containing a Re-Auth-
Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be
directly translated to a CoA-Request. A Diameter/RADIUS gateway
skipping to change at page 29, line 39
[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba,
          "Dynamic Authorization Extensions to Remote Authentication
          Dial In User Service (RADIUS)", RFC 3576, July 2003.

[RFC4005] Calhoun, P., Zorn, G., Spence, D. and D. Mitton, "Diameter
          Network Access Server Application", RFC 4005, August 2005.

[RFC4330] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for
          IPv4, IPv6 and OSI", RFC 4330, January 2006.

[RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for
          Virtual LAN and Priority Support", RFC 4675, September 2006.
          (-02 only)

[MD5Attack]
          Dobbertin, H., "The Status of MD5 After a Recent Attack",
          CryptoBytes Vol.2 No.2, Summer 1996.

[RFCDelegated]
          Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix
          Attribute", draft-ietf-radext-delegated-prefix-05.txt,
          Internet draft (work in progress), October 2006. (-02 only)

[RFCFilter]
          Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule
          Attribute", draft-ietf-radext-filter-08.txt, Internet draft
          (work in progress), January 2007.
Acknowledgments

This protocol was first developed and distributed by Ascend
Communications. Example code was distributed in their free server
kit.
skipping to change at page 31, line 23 (-01) / page 32, line 15 (-02)
Appendix A - Changes from RFC 3576

This Appendix lists the major changes between [RFC3576] and this
document. Minor changes, including style, grammar, spelling, and
editorial changes are not mentioned here.

o Added details relating to handling of the Proxy-State Attribute.
  Added requirement for duplicate detection on the RADIUS client
  (Section 2.3).

o (-02 only) Removed Framed-IP-Address, Framed-Interface-Id and Framed-
  IPv6-Prefix from the list of session identification attributes
  (Section 3).

o Added requirements for inclusion of the State Attribute in CoA-
  Request packets with a Service-Type of "Authorize Only" (Section
  3.1).

o Added clarification on the calculation of the Message-Authenticator
  Attribute (Section 3.2).

o -01: Added statement that support for "Authorize Only" Service-Type
  is optional (Section 3.5).
  -02: Added statement that support for "Authorize Only" Service-Type
  is optional. Updated CoA-Request Attribute Table to include Filter-
  Rule, Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-
  VLAN-Name and User-Priority-Table Attributes (Section 3.4).

o Use of a Service-Type Attribute within a Disconnect-Request is
  prohibited (-01: Section 4; -02: Section 3.4, 4).

o (-02 only) Clarified use of Framed-IPv6-Prefix, Framed-IPv6-Pool and
  Delegated-IPv6-Prefix Attributes in renumbering (Section 3.4).

o Added Diameter Considerations (Section 5).

o Clarified that the Event-Timestamp Attribute should not be
  recalculated on retransmission. The implications for replay and
  duplicate detection are discussed (Section 6.4).

Full Copyright Statement

Copyright (C) The IETF Trust (2007).
End of changes. 20 change blocks. 33 lines changed or deleted, 47 lines changed or added.

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/