| draft-ietf-radext-rfc3576bis-03.txt | draft-ietf-radext-rfc3576bis-04.txt | |||
|---|---|---|---|---|
| Network Working Group Murtaza S. Chiba | Network Working Group Murtaza S. Chiba | |||
| INTERNET-DRAFT Gopal Dommety | INTERNET-DRAFT Gopal Dommety | |||
| Obsoletes: 3576 Mark Eklund | Obsoletes: 3576 Mark Eklund | |||
| Category: Informational Cisco Systems, Inc. | Category: Informational Cisco Systems, Inc. | |||
| <draft-ietf-radext-rfc3576bis-03.txt> David Mitton | <draft-ietf-radext-rfc3576bis-04.txt> David Mitton | |||
| 28 March 2007 RSA Security, Inc. | 10 April 2007 RSA Security, Inc. | |||
| Bernard Aboba | Bernard Aboba | |||
| Microsoft Corporation | Microsoft Corporation | |||
| Dynamic Authorization Extensions to Remote Authentication Dial In User | Dynamic Authorization Extensions to Remote Authentication Dial In User | |||
| Service (RADIUS) | Service (RADIUS) | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| skipping to change at page 1, line 35 | skipping to change at page 1, line 36 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on September 25, 2007. | This Internet-Draft will expire on October 25, 2007. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2007). All Rights Reserved. | Copyright (C) The IETF Trust (2007). All Rights Reserved. | |||
| Abstract | Abstract | |||
| This document describes a currently deployed extension to the Remote | This document describes a currently deployed extension to the Remote | |||
| Authentication Dial In User Service (RADIUS) protocol, allowing | Authentication Dial In User Service (RADIUS) protocol, allowing | |||
| dynamic changes to a user session, as implemented by network access | dynamic changes to a user session, as implemented by network access | |||
| skipping to change at page 5, line 48 | skipping to change at page 5, line 48 | |||
| kind, and are sent in addition to the identification attributes as | kind, and are sent in addition to the identification attributes as | |||
| described in section 3. The port used, and packet format (described | described in section 3. The port used, and packet format (described | |||
| in Section 2.3), are the same as that for Disconnect-Request packets. | in Section 2.3), are the same as that for Disconnect-Request packets. | |||
| The following attributes MAY be sent in a CoA-Request: | The following attributes MAY be sent in a CoA-Request: | |||
| Filter-ID (11) - Indicates the name of a data filter list | Filter-ID (11) - Indicates the name of a data filter list | |||
| to be applied for the session that the | to be applied for the session that the | |||
| identification attributes map to. | identification attributes map to. | |||
| NAS-Filter-Rule (TBD) - Provides a filter list to be applied | NAS-Filter-Rule (92) - Provides a filter list to be applied | |||
| for the session that the identification | for the session that the identification | |||
| attributes map to [RFCFilter]. | attributes map to [RFCFilter]. | |||
| +----------+ CoA-Request +----------+ | +----------+ CoA-Request +----------+ | |||
| | | <-------------------- | | | | | <-------------------- | | | |||
| | NAS | | RADIUS | | | NAS | | RADIUS | | |||
| | | CoA-Response | Server | | | | CoA-Response | Server | | |||
| | | ---------------------> | | | | | ---------------------> | | | |||
| +----------+ +----------+ | +----------+ +----------+ | |||
| skipping to change at page 9, line 26 | skipping to change at page 9, line 26 | |||
| state whether an Attribute can be included in CoA or Disconnect | state whether an Attribute can be included in CoA or Disconnect | |||
| messages and if so, which messages it may be included in and | messages and if so, which messages it may be included in and | |||
| whether it serves as an identification or authorization attribute. | whether it serves as an identification or authorization attribute. | |||
| Even if a NAS implements an attribute for use with RADIUS | Even if a NAS implements an attribute for use with RADIUS | |||
| authentication and accounting, it may not support inclusion of | authentication and accounting, it may not support inclusion of | |||
| that attribute within Disconnect-Request or CoA-Request packets, | that attribute within Disconnect-Request or CoA-Request packets, | |||
| given the difference in attribute semantics. This is true even | given the difference in attribute semantics. This is true even | |||
| for attributes specified as allowable within Access-Accept packets | for attributes specified as allowable within Access-Accept packets | |||
| (such as those defined within [RFC2865], [RFC2868], [RFC2869], | (such as those defined within [RFC2865], [RFC2868], [RFC2869], | |||
| [RFC3162], [RFC3579], [RFC4372], [RFC4675], [RFCFilter] and | [RFC3162], [RFC3579], [RFC4372], [RFC4675], [RFC4818] and | |||
| [RFCDelegated]). If unsupported attributes are included within a | [RFCFilter]). If unsupported attributes are included within a | |||
| Disconnect/CoA-Request packet, the RADIUS client will send a | Disconnect/CoA-Request packet, the RADIUS client will send a | |||
| Disconnect-NAK/CoA-NAK in response, possibly containing an Error- | Disconnect-NAK/CoA-NAK in response, possibly containing an Error- | |||
| Cause attribute with value Unsupported Attribute (401). | Cause attribute with value Unsupported Attribute (401). | |||
| If there are any Proxy-State Attributes in a Disconnect-Request or | If there are any Proxy-State Attributes in a Disconnect-Request or | |||
| CoA-Request received from the server, the forwarding proxy or NAS | CoA-Request received from the server, the forwarding proxy or NAS | |||
| MUST include those Proxy-State Attributes in its response to the | MUST include those Proxy-State Attributes in its response to the | |||
| server. | server. | |||
| A forwarding proxy or NAS MUST NOT modify existing Proxy-State, | A forwarding proxy or NAS MUST NOT modify existing Proxy-State, | |||
| skipping to change at page 11, line 22 | skipping to change at page 11, line 22 | |||
| the session is connected. | the session is connected. | |||
| Acct-Session-Id 44 [RFC2866] The identifier uniquely | Acct-Session-Id 44 [RFC2866] The identifier uniquely | |||
| identifying the session | identifying the session | |||
| on the NAS. | on the NAS. | |||
| Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | |||
| identifying related sessions. | identifying related sessions. | |||
| NAS-Port-Type 61 [RFC2865] The type of port used. | NAS-Port-Type 61 [RFC2865] The type of port used. | |||
| NAS-Port-Id 87 [RFC2869] String identifying the port | NAS-Port-Id 87 [RFC2869] String identifying the port | |||
| where the session is. | where the session is. | |||
| Chargeable-User- 89 [RFC4372] The CUI associated with the | Chargeable-User- 89 [RFC4372] The CUI associated with the | |||
| Identity session. Needed in situations | Identity session. Needed where a | |||
| where a privacy NAI is used, | privacy NAI is used, so that | |||
| so that User-Name may not be | the User-Name may not be | |||
| unique (e.g. "anonymous"). | unique (e.g. "anonymous"). | |||
| Originating-Line-Info 94 [RFC4005] Provides information on the | Originating-Line-Info 94 [RFC4005] Provides information on the | |||
| characteristics of the line | characteristics of the line | |||
| from which a session | from which a session | |||
| originated. | originated. | |||
| Framed-Interface-Id 96 [RFC3162] The IPv6 Interface Identifier | Framed-Interface-Id 96 [RFC3162] The IPv6 Interface Identifier | |||
| associated with the session; | associated with the session; | |||
| always sent with | always sent with | |||
| Framed-IPv6-Prefix. | Framed-IPv6-Prefix. | |||
| Framed-IPv6-Prefix 97 [RFC3162] The IPv6 prefix associated | Framed-IPv6-Prefix 97 [RFC3162] The IPv6 prefix associated | |||
| skipping to change at page 18, line 15 | skipping to change at page 18, line 15 | |||
| 0-1 0-1 0-1 80 Message-Authenticator | 0-1 0-1 0-1 80 Message-Authenticator | |||
| 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] | 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] | |||
| 0+ 0 0 82 Tunnel-Assignment-ID [Note 5] | 0+ 0 0 82 Tunnel-Assignment-ID [Note 5] | |||
| 0+ 0 0 83 Tunnel-Preference [Note 5] | 0+ 0 0 83 Tunnel-Preference [Note 5] | |||
| 0-1 0 0 85 Acct-Interim-Interval [Note 3] | 0-1 0 0 85 Acct-Interim-Interval [Note 3] | |||
| 0-1 0 0 87 NAS-Port-Id [Note 1] | 0-1 0 0 87 NAS-Port-Id [Note 1] | |||
| 0-1 0 0 88 Framed-Pool [Note 3] | 0-1 0 0 88 Framed-Pool [Note 3] | |||
| 0-1 0 0 89 Chargeable-User-Identity [Note 1] | 0-1 0 0 89 Chargeable-User-Identity [Note 1] | |||
| 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | |||
| 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | |||
| 0-1 0 0 92 NAS-Filter-Rule [Note 3] | ||||
| 0-1 0 0 94 Originating-Line-Info [Note 1] | 0-1 0 0 94 Originating-Line-Info [Note 1] | |||
| 0-1 0 0 95 NAS-IPv6-Address [Note 1] | 0-1 0 0 95 NAS-IPv6-Address [Note 1] | |||
| 0-1 0 0 96 Framed-Interface-Id [Note 1][Note 8] | 0-1 0 0 96 Framed-Interface-Id [Note 1][Note 8] | |||
| 0+ 0 0 97 Framed-IPv6-Prefix [Note 1][Note 8] | 0+ 0 0 97 Framed-IPv6-Prefix [Note 1][Note 8] | |||
| 0+ 0 0 98 Login-IPv6-Host [Note 3] | 0+ 0 0 98 Login-IPv6-Host [Note 3] | |||
| 0+ 0 0 99 Framed-IPv6-Route [Note 3] | 0+ 0 0 99 Framed-IPv6-Route [Note 3] | |||
| 0-1 0 0 100 Framed-IPv6-Pool [Note 3] | 0-1 0 0 100 Framed-IPv6-Pool [Note 3] | |||
| 0 0 0+ 101 Error-Cause | 0 0 0+ 101 Error-Cause | |||
| 0-1 0 0 TBD NAS-Filter-Rule [Note 3] | 0+ 0 0 123 Delegated-IPv6-Prefix [Note 3] | |||
| 0+ 0 0 TBD Delegated-IPv6-Prefix [Note 3] | ||||
| Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
| Disconnect Messages | Disconnect Messages | |||
| Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
| 0-1 0 0 1 User-Name [Note 1] | 0-1 0 0 1 User-Name [Note 1] | |||
| 0-1 0 0 4 NAS-IP-Address [Note 1] | 0-1 0 0 4 NAS-IP-Address [Note 1] | |||
| 0-1 0 0 5 NAS-Port [Note 1] | 0-1 0 0 5 NAS-Port [Note 1] | |||
| 0 0 0 6 Service-Type | 0 0 0 6 Service-Type | |||
| 0-1 0 0 8 Framed-IP-Address [Note 1] | 0-1 0 0 8 Framed-IP-Address [Note 1] | |||
| skipping to change at page 30, line 18 | skipping to change at page 30, line 18 | |||
| [RFC4330] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for | [RFC4330] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for | |||
| IPv4, IPv6 and OSI", RFC 4330, January 2006. | IPv4, IPv6 and OSI", RFC 4330, January 2006. | |||
| [RFC4372] Adrangi, F., Lior, A., Korhonen, J. and J. Loughney, | [RFC4372] Adrangi, F., Lior, A., Korhonen, J. and J. Loughney, | |||
| "Chargeable User Identity", RFC 4372, January 2006. | "Chargeable User Identity", RFC 4372, January 2006. | |||
| [RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for | [RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for | |||
| Virtual LAN and Priority Support", RFC 4675, September 2006. | Virtual LAN and Priority Support", RFC 4675, September 2006. | |||
| [MD5Attack] | [RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix | |||
| Dobbertin, H., "The Status of MD5 After a Recent Attack", | Attribute", RFC 4818, April 2007. | |||
| CryptoBytes Vol.2 No.2, Summer 1996. | ||||
| [RFCDelegated] | ||||
| Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix | ||||
| Attribute", draft-ietf-radext-delegated-prefix-05.txt, | ||||
| Internet draft (work in progress), October 2006. | ||||
| [RFCFilter] | [RFCFilter] | |||
| Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule | Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule | |||
| Attribute", draft-ietf-radext-filter-08.txt, Internet draft | Attribute", draft-ietf-radext-filter-08.txt, Internet draft | |||
| (work in progress), January 2007. | (work in progress), January 2007. | |||
| [MD5Attack] | ||||
| Dobbertin, H., "The Status of MD5 After a Recent Attack", | ||||
| CryptoBytes Vol.2 No.2, Summer 1996. | ||||
| Acknowledgments | Acknowledgments | |||
| This protocol was first developed and distributed by Ascend | This protocol was first developed and distributed by Ascend | |||
| Communications. Example code was distributed in their free server | Communications. Example code was distributed in their free server | |||
| kit. | kit. | |||
| The authors would like to acknowledge the valuable suggestions and | The authors would like to acknowledge the valuable suggestions and | |||
| feedback from the following people: | feedback from the following people: | |||
| Avi Lior <avi@bridgewatersystems.com>, | Avi Lior <avi@bridgewatersystems.com>, | |||
| skipping to change at page 32, line 39 | skipping to change at page 32, line 39 | |||
| Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- | Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- | |||
| Name and User-Priority attributes (Section 3.4). | Name and User-Priority attributes (Section 3.4). | |||
| o Added the Chargeable-User-Identity Attribute to both the CoA- | o Added the Chargeable-User-Identity Attribute to both the CoA- | |||
| Request and Disconnect-Request Attribute Table (Section 3.4). | Request and Disconnect-Request Attribute Table (Section 3.4). | |||
| o Added note relating to use of Service-Type="Authorize Only" for | o Added note relating to use of Service-Type="Authorize Only" for | |||
| renumbering (Section 3.4). | renumbering (Section 3.4). | |||
| o Use of a Service-Type Attribute within a Disconnect-Request is | o Use of a Service-Type Attribute within a Disconnect-Request is | |||
| prohibited (Section 3.4,4). | prohibited (Sections 3.4, 4). | |||
| o Added Diameter Considerations (Section 5). | o Added Diameter Considerations (Section 5). | |||
| o Changed the text to indicate that the Event-Timestamp Attribute | o Changed the text to indicate that the Event-Timestamp Attribute | |||
| should not be recalculated on retransmission. The implications for | should not be recalculated on retransmission. The implications for | |||
| replay and duplicate detection are discussed (Section 6.4). | replay and duplicate detection are discussed (Section 6.4). | |||
| Full Copyright Statement | Full Copyright Statement | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
| End of changes. 11 change blocks. | ||||
| 20 lines changed or deleted | 19 lines changed or added | |||
This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||