rfcdiff: draft-ietf-radext-rfc3576bis-02.txt vs. draft-ietf-radext-rfc3576bis-03.txt
(where the two drafts differ, text is labelled (-02) / (-03) or shown as old -> new)

Network Working Group                                   Murtaza S. Chiba
INTERNET-DRAFT                                             Gopal Dommety
Obsoletes: 3576                                              Mark Eklund
Category: Informational                              Cisco Systems, Inc.
<draft-ietf-radext-rfc3576bis-02.txt> -> <draft-ietf-radext-rfc3576bis-03.txt>
                                                            David Mitton
24 March 2007 (-02) -> 28 March 2007 (-03)            RSA Security, Inc.
                                                           Bernard Aboba
                                                   Microsoft Corporation

   Dynamic Authorization Extensions to Remote Authentication Dial In User
                              Service (RADIUS)

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
skipping to change at page 2, line 17

   (page numbers are shown as -02 -> -03 where the two drafts differ)

   1.  Introduction ..........................................  3
        1.1 Applicability ...................................  3
        1.2 Requirements Language ...........................  4
        1.3 Terminology .....................................  4
   2.  Overview .............................................  5
        2.1 Disconnect Messages (DM) ........................  5
        2.2 Change-of-Authorization Messages (CoA) ..........  5
        2.3 Packet Format ...................................  6
   3.  Attributes ............................................ 10
        3.1 State ........................................... 12
        3.2 Message-Authenticator ........................... 12 -> 13
        3.3 Error-Cause ..................................... 13
        3.4 Table of Attributes ............................. 16
   4.  Diameter Considerations ............................... 20 -> 21
   5.  IANA Considerations ................................... 22 -> 23
   6.  Security Considerations ............................... 22 -> 23
        6.1 Authorization Issues ............................ 22 -> 23
        6.2 Impersonation ................................... 23 -> 24
        6.3 IPsec Usage Guidelines .......................... 24
        6.4 Replay Protection ............................... 27
   7.  Example Traces ........................................ 27 -> 28
   8.  References ............................................ 28
        8.1 Normative References ............................ 28
        8.2 Informative References .......................... 29
   ACKNOWLEDGMENTS .............................................. 30
   AUTHORS' ADDRESSES ........................................... 30 -> 31
   Appendix A - Changes from RFC 3576 ........................... 32
   Full Copyright Statement ..................................... 33
   Intellectual Property ........................................ 33
1.  Introduction

   The RADIUS protocol, defined in [RFC2865], does not support
   unsolicited messages sent from the RADIUS server to the Network
   Access Server (NAS).

skipping to change at page 9, line 13

   a Disconnect-Request containing one or more unsupported Attributes
   or Attribute values MUST be answered with a Disconnect-NAK.  State
   changes resulting from a CoA-Request MUST be atomic: if the
   Request is successful, a CoA-ACK is sent, and all requested
   authorization changes MUST be made.  If the CoA-Request is
   unsuccessful, a CoA-NAK MUST be sent, and the requested
   authorization changes MUST NOT be made.  Similarly, a state change
   MUST NOT occur as a result of an unsuccessful Disconnect-Request;
   here a Disconnect-NAK MUST be sent.

   (-02)
   Since within this specification attributes may be used for
   identification, authorization or other purposes, even if a NAS
   implements an attribute for use with RADIUS authentication and
   accounting, it may not support inclusion of that attribute within
   Disconnect-Request or CoA-Request packets, given the difference in
   attribute semantics.  This is true even for attributes specified
   as allowable within Access-Accept packets (such as within
   [RFC2865], [RFC2868], [RFC2869], [RFC3162], [RFC3579], [RFC4675],
   [RFCFilter], [RFCDelegated]).  As a result, if unsupported
   attributes are included within Disconnect-Request or CoA-Request
   packets, the RADIUS server may receive a Disconnect-NAK/CoA-NAK in
   response, possibly containing an Error-Cause attribute with value
   Unsupported Attribute (401).

   (-03)
   Within this specification attributes may be used for
   identification, authorization or other purposes.  RADIUS Attribute
   specifications created after publication of this document SHOULD
   state whether an Attribute can be included in CoA or Disconnect
   messages and if so, which messages it may be included in and
   whether it serves as an identification or authorization attribute.

   Even if a NAS implements an attribute for use with RADIUS
   authentication and accounting, it may not support inclusion of
   that attribute within Disconnect-Request or CoA-Request packets,
   given the difference in attribute semantics.  This is true even
   for attributes specified as allowable within Access-Accept packets
   (such as those defined within [RFC2865], [RFC2868], [RFC2869],
   [RFC3162], [RFC3579], [RFC4372], [RFC4675], [RFCFilter] and
   [RFCDelegated]).  If unsupported attributes are included within a
   Disconnect/CoA-Request packet, the RADIUS client will send a
   Disconnect-NAK/CoA-NAK in response, possibly containing an Error-
   Cause attribute with value Unsupported Attribute (401).

   If there are any Proxy-State Attributes in a Disconnect-Request or
   CoA-Request received from the server, the forwarding proxy or NAS
   MUST include those Proxy-State Attributes in its response to the
   server.

   A forwarding proxy or NAS MUST NOT modify existing Proxy-State,
   State, or Class Attributes present in the packet.  The forwarding
   proxy or NAS MUST treat any Proxy-State attributes already in the
   packet as opaque data.  Its operation MUST NOT depend on the
skipping to change at page 10, line 47 (-02) / page 11, line 4 (-03)

   NAS-IPv6-Address       95  [RFC3162] The IPv6 address of the NAS.

   Session identification attributes

   Attribute              #   Reference Description
   ---------              --- --------- -----------
   User-Name              1   [RFC2865] The name of the user
                                        associated with the session.
   NAS-Port               5   [RFC2865] The port on which the
                                        session is terminated.
   Framed-IP-Address      8   [RFC2865] The IPv4 address associated
                                        with the session.  (-03 only)
   Called-Station-Id      30  [RFC2865] The link address to which
                                        the session is connected.
   Calling-Station-Id     31  [RFC2865] The link address from which
                                        the session is connected.
   Acct-Session-Id        44  [RFC2866] The identifier uniquely
                                        identifying the session
                                        on the NAS.
   Acct-Multi-Session-Id  50  [RFC2866] The identifier uniquely
                                        identifying related sessions.
   NAS-Port-Type          61  [RFC2865] The type of port used.
   NAS-Port-Id            87  [RFC2869] String identifying the port
                                        where the session is.
   Chargeable-User-       89  [RFC4372] The CUI associated with the
   Identity                             session.  Needed in situations
                                        where a privacy NAI is used,
                                        so that User-Name may not be
                                        unique (e.g. "anonymous").
                                        (-03 only)
   Originating-Line-Info  94  [RFC4005] Provides information on the
                                        characteristics of the line
                                        from which a session
                                        originated.
   Framed-Interface-Id    96  [RFC3162] The IPv6 Interface Identifier
                                        associated with the session;
                                        always sent with
                                        Framed-IPv6-Prefix.  (-03 only)
   Framed-IPv6-Prefix     97  [RFC3162] The IPv6 prefix associated
                                        with the session, always sent
                                        with Framed-Interface-Id.
                                        (-03 only)

   Rows marked "(-03 only)" are present only in draft -03.

   To address security concerns described in Section 6.1, and to enable
   Diameter/RADIUS translation, the User-Name Attribute SHOULD be
   present in Disconnect-Request or CoA-Request packets; one or more
   additional session identification attributes MAY also be present.
   For example, where a Diameter client utilizes the same Session-Id for
   both authorization and accounting, inclusion of an Acct-Session-Id
   Attribute in a Disconnect-Request or CoA-Request can assist with
   Diameter/RADIUS translation, since Diameter RAR and ASR commands
   include a Session-Id AVP.
skipping to change at page 16, line 42 (-02) / page 16, line 48 (-03)

   in which packets, and in what quantity.

   Change-of-Authorization Messages

   Request  ACK  NAK    #  Attribute
   0-1      0    0      1  User-Name [Note 1]
   0-1      0    0      4  NAS-IP-Address [Note 1]
   0-1      0    0      5  NAS-Port [Note 1]
   0-1      0    0-1    6  Service-Type [Note 6]
   0-1      0    0      7  Framed-Protocol [Note 3]
   0-1      0    0      8  Framed-IP-Address [Note 3] -> [Note 1][Note 8]
   0-1      0    0      9  Framed-IP-Netmask [Note 3]
   0-1      0    0     10  Framed-Routing [Note 3]
   0+       0    0     11  Filter-ID [Note 3]
   0-1      0    0     12  Framed-MTU [Note 3]
   0+       0    0     13  Framed-Compression [Note 3]
   0+       0    0     14  Login-IP-Host [Note 3]
   0-1      0    0     15  Login-Service [Note 3]
   0-1      0    0     16  Login-TCP-Port [Note 3]
   0+       0    0     18  Reply-Message [Note 2]
   0-1      0    0     19  Callback-Number [Note 3]
   0-1      0    0     20  Callback-Id [Note 3]
   0+       0    0     22  Framed-Route [Note 3]
   0-1      0    0     23  Framed-IPX-Network [Note 3]
   0-1      0-1  0-1   24  State [Note 7]
   0+       0    0     25  Class [Note 3]
   0+       0    0     26  Vendor-Specific [Note 3]
   0-1      0    0     27  Session-Timeout [Note 3]
   0-1      0    0     28  Idle-Timeout [Note 3]
   0-1      0    0     29  Termination-Action [Note 3]

skipping to change at page 17, line 44 (-02) / page 17, line 51 (-03)

   0-1      0    0     63  Login-LAT-Port [Note 3]
   0+       0    0     64  Tunnel-Type [Note 5]
   0+       0    0     65  Tunnel-Medium-Type [Note 5]
   0+       0    0     66  Tunnel-Client-Endpoint [Note 5]
   0+       0    0     67  Tunnel-Server-Endpoint [Note 5]
   0+       0    0     69  Tunnel-Password [Note 5]
   0-1      0    0     71  ARAP-Features [Note 3]
   0-1      0    0     72  ARAP-Zone-Access [Note 3]
   0+       0    0     78  Configuration-Token [Note 3]
   0+       0-1  0     79  EAP-Message [Note 2]
   0-1      0-1  0-1   80  Message-Authenticator
   0+       0    0     81  Tunnel-Private-Group-ID [Note 5]
   0+       0    0     82  Tunnel-Assignment-ID [Note 5]
   0+       0    0     83  Tunnel-Preference [Note 5]
   0-1      0    0     85  Acct-Interim-Interval [Note 3]
   0-1      0    0     87  NAS-Port-Id [Note 1]
   0-1      0    0     88  Framed-Pool [Note 3]
   0-1      0    0     89  Chargeable-User-Identity [Note 1]  (-03 only)
   0+       0    0     90  Tunnel-Client-Auth-ID [Note 5]
   0+       0    0     91  Tunnel-Server-Auth-ID [Note 5]
   0-1      0    0     94  Originating-Line-Info [Note 1]
   0-1      0    0     95  NAS-IPv6-Address [Note 1]
   0-1      0    0     96  Framed-Interface-Id [Note 3] -> [Note 1][Note 8]
   0+       0    0     97  Framed-IPv6-Prefix [Note 8] -> [Note 1][Note 8]
   0+       0    0     98  Login-IPv6-Host [Note 3]
   0+       0    0     99  Framed-IPv6-Route [Note 3]
   0-1      0    0    100  Framed-IPv6-Pool [Note 8] -> [Note 3]
   0        0    0+   101  Error-Cause
   0-1      0    0    TBD  NAS-Filter-Rule [Note 3]
   0+       0    0    TBD  Delegated-IPv6-Prefix [Note 8] -> [Note 3]
   Request  ACK  NAK    #  Attribute

   Disconnect Messages

   Request  ACK  NAK    #  Attribute
   0-1      0    0      1  User-Name [Note 1]
   0-1      0    0      4  NAS-IP-Address [Note 1]
   0-1      0    0      5  NAS-Port [Note 1]
   0        0    0      6  Service-Type
   0-1      0    0      8  Framed-IP-Address [Note 1]  (-03 only)
   0+       0    0     18  Reply-Message [Note 2]
   0        0    0     24  State
   0+       0    0     25  Class [Note 4]
   0+       0    0     26  Vendor-Specific
   0-1      0    0     30  Called-Station-Id [Note 1]
   0-1      0    0     31  Calling-Station-Id [Note 1]
   0-1      0    0     32  NAS-Identifier [Note 1]
   0+       0+   0+    33  Proxy-State
   0-1      0    0     44  Acct-Session-Id [Note 1]
   0-1      0-1  0     49  Acct-Terminate-Cause
   0-1      0    0     50  Acct-Multi-Session-Id [Note 1]
   0-1      0-1  0-1   55  Event-Timestamp
   0-1      0    0     61  NAS-Port-Type [Note 1]
   0+       0-1  0     79  EAP-Message [Note 2]
   0-1      0-1  0-1   80  Message-Authenticator
   0-1      0    0     87  NAS-Port-Id [Note 1]
   0-1      0    0     89  Chargeable-User-Identity [Note 1]  (-03 only)
   0-1      0    0     94  Originating-Line-Info [Note 1]
   0-1      0    0     95  NAS-IPv6-Address [Note 1]
   0-1      0    0     96  Framed-Interface-Id [Note 1]  (-03 only)
   0+       0    0     97  Framed-IPv6-Prefix [Note 1]  (-03 only)
   0        0+   0+   101  Error-Cause
   Request  ACK  NAK    #  Attribute

   Rows marked "(-03 only)" are present only in draft -03; "old -> new"
   in the Note column shows a note reference that changed between -02
   and -03.

   The following table defines the meaning of the above table entries.

   0     This attribute MUST NOT be present in packet.
   0+    Zero or more instances of this attribute MAY be present in packet.
   0-1   Zero or one instance of this attribute MAY be present in packet.
   1     Exactly one instance of this attribute MUST be present in packet.

   [Note 1] Where NAS or session identification attributes are included
   in Disconnect-Request or CoA-Request packets, they are used for
   identification purposes only.  These attributes MUST NOT be used for
   purposes other than identification (e.g. within CoA-Request packets
   to request authorization changes).

   [Note 2] The Reply-Message Attribute is used to present a displayable
   message to the user.  The message is only displayed as a result of a

skipping to change at page 20, line 28 (-02) / page 20, line 42 (-03)

   Attribute is also available to be sent by the RADIUS server to the
   NAS in a CoA-Request that also includes a Termination-Action
   Attribute with the value of RADIUS-Request.  If the client performs
   the Termination-Action by sending a new Access-Request upon
   termination of the current session, it MUST include the State
   Attribute unchanged in that Access-Request.  In either usage, the
   client MUST NOT interpret the Attribute locally.  A CoA-Request
   packet must have only zero or one State Attribute.  Usage of the
   State Attribute is implementation dependent.

   [Note 8] (-02) These attributes are typically included in a
   CoA-Request for the purposes of renumbering.

   [Note 8] (-03) Since the Framed-IP-Address, Framed-IPv6-Prefix and
   Framed-Interface-Id attributes are used for identification, these
   attributes cannot be updated by including new values within a
   CoA-Request.  Instead, a CoA-Request with Service-Type="Authorize
   Only" is used, and the new values can be supplied in response to the
   ensuing Access-Request.
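The NAS-side rules spread across the text above (atomic application of CoA changes, CoA-NAK with Error-Cause Unsupported Attribute (401) for attributes the NAS cannot apply, Proxy-State returned unchanged, identification attributes used only to select the session, and the Service-Type "Authorize Only" path of Note 8) combined into one runnable model. This is an added example, not code from the draft or from any RADIUS implementation. The packet shape (a list of (type, value) pairs, with no wire encoding or Authenticator check), the session store and the set of attributes the NAS supports are assumptions of the example; the attribute numbers come from the table above, while the Service-Type value 17 and the Error-Cause values 404, 503 and 507 are taken from RFC 3576 rather than from this page.

```python
from collections import Counter

# Packet codes (RFC 3576) and attribute numbers (Section 3.4 table).
COA_ACK, COA_NAK = 44, 45
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 4, 5, 6
FRAMED_IP_ADDRESS, FILTER_ID, SESSION_TIMEOUT, IDLE_TIMEOUT = 8, 11, 27, 28
STATE, PROXY_STATE, ACCT_SESSION_ID, ERROR_CAUSE = 24, 33, 44, 101

AUTHORIZE_ONLY = 17            # Service-Type value (RFC 3576)
UNSUPPORTED_ATTRIBUTE = 401    # Error-Cause values (RFC 3576, Section 3.3);
INVALID_REQUEST = 404          # only 401 is named on this page
SESSION_CONTEXT_NOT_FOUND = 503
REQUEST_INITIATED = 507

# [Note 1]/[Note 8] attributes: identification only, never an authorization
# change (a subset of the table, for the demo).
IDENTIFICATION = {USER_NAME, NAS_IP_ADDRESS, NAS_PORT, FRAMED_IP_ADDRESS,
                  ACCT_SESSION_ID}

# "Request" column occurrence rules, a subset of the CoA-Request table.
COA_REQUEST_RULES = {
    USER_NAME: "0-1", NAS_IP_ADDRESS: "0-1", NAS_PORT: "0-1",
    SERVICE_TYPE: "0-1", FRAMED_IP_ADDRESS: "0-1", FILTER_ID: "0+",
    SESSION_TIMEOUT: "0-1", IDLE_TIMEOUT: "0-1", STATE: "0-1",
    PROXY_STATE: "0+", ACCT_SESSION_ID: "0-1", ERROR_CAUSE: "0",
}


def check_occurrences(attrs, rules):
    """True if every attribute count satisfies its 0 / 0+ / 0-1 rule.
    Types missing from `rules` are left to the supported-attribute check."""
    for t, n in Counter(t for t, _ in attrs).items():
        rule = rules.get(t)
        if rule == "0" or (rule == "0-1" and n > 1):
            return False
    return True


def handle_coa_request(attrs, sessions, supported):
    """NAS-side handling of one CoA-Request (assumed data shapes).

    attrs    : list of (type, value) pairs carried in the request
    sessions : list of {"id": frozenset of identification (type, value)
               pairs, "authz": {type: [values]}} records
    supported: attribute types this NAS can apply from a CoA-Request
    Returns (response code, response attributes).
    """
    # Proxy-State is opaque and MUST be returned unchanged in ACK and NAK.
    echo = [(t, v) for t, v in attrs if t == PROXY_STATE]

    def nak(cause):
        return COA_NAK, echo + [(ERROR_CAUSE, cause)]

    if not check_occurrences(attrs, COA_REQUEST_RULES):
        return nak(INVALID_REQUEST)

    # Identification attributes select the session and do nothing else.
    ident = frozenset((t, v) for t, v in attrs if t in IDENTIFICATION)
    session = next((s for s in sessions if ident and ident <= s["id"]), None)
    if session is None:
        return nak(SESSION_CONTEXT_NOT_FOUND)

    skip = IDENTIFICATION | {PROXY_STATE, STATE, SERVICE_TYPE}
    changes = [(t, v) for t, v in attrs if t not in skip]
    # Reject before touching state, so a NAK never leaves a partial change.
    if any(t not in supported for t, _ in changes):
        return nak(UNSUPPORTED_ATTRIBUTE)

    if dict(attrs).get(SERVICE_TYPE) == AUTHORIZE_ONLY:
        # Note 8: an address is identification and cannot be rewritten here.
        # The NAS answers NAK/Request Initiated and sends a new Access-Request
        # carrying State unchanged; new values arrive in the Access-Accept.
        state = [(t, v) for t, v in attrs if t == STATE]
        session["pending_access_request"] = sorted(session["id"]) + state
        return nak(REQUEST_INITIATED)

    # Atomic: build the complete new authorization, then swap it in at once.
    new_authz = dict(session["authz"])
    for t in {t for t, _ in changes}:
        new_authz[t] = [v for tt, v in changes if tt == t]  # 0+ may repeat
    session["authz"] = new_authz
    return COA_ACK, echo


def demo():
    """Constructed scenarios; returns the responses and resulting state."""
    sessions = [{"id": frozenset({(USER_NAME, "alice"),
                                  (ACCT_SESSION_ID, "0000A1B2"),
                                  (FRAMED_IP_ADDRESS, "192.0.2.10")}),
                 "authz": {SESSION_TIMEOUT: [7200], FILTER_ID: ["default"]}}]
    supported = {FILTER_ID, SESSION_TIMEOUT}
    proxy = [(PROXY_STATE, b"\x01\x02")]
    r = {}
    r["ok"] = handle_coa_request(
        [(USER_NAME, "alice"), (ACCT_SESSION_ID, "0000A1B2"),
         (FILTER_ID, "guest"), (SESSION_TIMEOUT, 3600)] + proxy,
        sessions, supported)
    r["unsupported"] = handle_coa_request(   # Idle-Timeout not supported here
        [(USER_NAME, "alice"), (SESSION_TIMEOUT, 60), (IDLE_TIMEOUT, 30)],
        sessions, supported)
    r["invalid"] = handle_coa_request(       # Error-Cause is "0" in a Request
        [(USER_NAME, "alice"), (ERROR_CAUSE, 401)], sessions, supported)
    r["nosession"] = handle_coa_request([(USER_NAME, "unknown-user")],
                                        sessions, supported)
    r["authorize_only"] = handle_coa_request(
        [(USER_NAME, "alice"), (SERVICE_TYPE, AUTHORIZE_ONLY),
         (STATE, b"srv-state-7")], sessions, supported)
    r["authz"] = sessions[0]["authz"]
    r["pending"] = sessions[0]["pending_access_request"]
    return r
```

Running `demo()` shows the "unsupported" request leaving the session exactly as the earlier successful request set it: because the supported-attribute check runs before any state is touched, the Session-Timeout of 60 in that packet is never applied, which is what the atomicity requirement demands. The occurrence check enforces the table's `0` and `0-1` columns only; `0+` attributes such as Filter-ID may repeat and are stored as lists for that reason.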
4.  Diameter Considerations

   Due to differences in handling change-of-authorization requests in
   RADIUS and Diameter, it may be difficult or impossible for a
   Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth-
   Request (RAR) to a CoA-Request and vice versa.  For example, since a
   CoA-Request only initiates an authorization change but does not
   initiate re-authentication, a RAR command containing a Re-Auth-
   Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be

skipping to change at page 29, line 39 (-02) / page 30, line 12 (-03)

   [RFC3576]  Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba,
              "Dynamic Authorization Extensions to Remote Authentication
              Dial In User Service (RADIUS)", RFC 3576, July 2003.

   [RFC4005]  Calhoun, P., Zorn, G., Spence, D. and D. Mitton, "Diameter
              Network Access Server Application", RFC 4005, August 2005.

   [RFC4330]  Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for
              IPv4, IPv6 and OSI", RFC 4330, January 2006.

   [RFC4372]  Adrangi, F., Lior, A., Korhonen, J. and J. Loughney,
              "Chargeable User Identity", RFC 4372, January 2006.
              (-03 only)

   [RFC4675]  Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for
              Virtual LAN and Priority Support", RFC 4675, September 2006.

   [MD5Attack]
              Dobbertin, H., "The Status of MD5 After a Recent Attack",
              CryptoBytes Vol.2 No.2, Summer 1996.

   [RFCDelegated]
              Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix
              Attribute", draft-ietf-radext-delegated-prefix-05.txt,
skipping to change at page 32, line 15

Appendix A - Changes from RFC 3576

   This Appendix lists the major changes between [RFC3576] and this
   document.  Minor changes, including style, grammar, spelling, and
   editorial changes are not mentioned here.

   o  Added details relating to handling of the Proxy-State Attribute.
      Added requirement for duplicate detection on the RADIUS client
      (Section 2.3).

   o  (-02) Removed Framed-IP-Address, Framed-Interface-Id and Framed-
      IPv6-Prefix from the list of session identification attributes
      (Section 3).
      (-03) Added Chargeable-User-Identity as a session identification
      attribute (Section 3).

   o  Added requirements for inclusion of the State Attribute in CoA-
      Request packets with a Service-Type of "Authorize Only" (Section
      3.1).

   o  Added clarification on the calculation of the Message-Authenticator
      Attribute (Section 3.2).

   o  (-02) Added statement that support for "Authorize Only" Service-
      Type is optional.  Updated CoA-Request Attribute Table to include
      Filter-Rule, Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters,
      Egress-VLAN-Name and User-Priority-Table Attributes (Section 3.4).
      (-03) Added statement that support for "Authorize Only" Service-
      Type is optional (Section 3.4).

   o  (-03 only) Updated CoA-Request Attribute Table to include Filter-
      Rule, Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters,
      Egress-VLAN-Name and User-Priority attributes (Section 3.4).

   o  (-03 only) Added the Chargeable-User-Identity Attribute to both the
      CoA-Request and Disconnect-Request Attribute Table (Section 3.4).

   o  (-03 only) Added note relating to use of Service-Type="Authorize
      Only" for renumbering (Section 3.4).

   o  Use of a Service-Type Attribute within a Disconnect-Request is
      prohibited (Section 3.4, 4).

   o  (-02 only) Clarified use of Framed-IPv6-Prefix, Framed-IPv6-Pool
      and Delegated-IPv6-Prefix Attributes in renumbering (Section 3.4).

   o  Added Diameter Considerations (Section 5).

   o  (-02) Clarified that the Event-Timestamp Attribute should not be
      recalculated on retransmission.  The implications for replay and
      duplicate detection are discussed (Section 6.4).
      (-03) Changed the text to indicate that the Event-Timestamp
      Attribute should not be recalculated on retransmission.  The
      implications for replay and duplicate detection are discussed
      (Section 6.4).
Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an

End of changes.  29 change blocks.  51 lines changed or deleted, 86 lines changed or added.

This html diff was produced by rfcdiff 1.33.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/