--- 1/draft-ietf-radext-rfc3576bis-08.txt 2007-08-01 22:12:10.000000000 +0200 +++ 2/draft-ietf-radext-rfc3576bis-09.txt 2007-08-01 22:12:10.000000000 +0200 @@ -1,22 +1,23 @@ Network Working Group Murtaza S. Chiba INTERNET-DRAFT Gopal Dommety Obsoletes: 3576 Mark Eklund Category: Informational Cisco Systems, Inc. - David Mitton -4 June 2007 RSA Security, Inc. +Expires: January 25, 2008 David Mitton + RSA Security, Inc. Bernard Aboba Microsoft Corporation Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) + draft-ietf-radext-rfc3576bis-09.txt By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. @@ -25,21 +26,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on December 25, 2007. + This Internet-Draft will expire on January 25, 2008. Copyright Notice Copyright (C) The IETF Trust (2007). All Rights Reserved. Abstract This document describes a currently deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, allowing dynamic changes to a user session, as implemented by network access 
@@ -1540,83 +1541,80 @@ Fax: +1 425 936 7329 Appendix A - Changes from RFC 3576 This Appendix lists the major changes between [RFC3576] and this document. Minor changes, including style, grammar, spelling, and editorial changes are not mentioned here. o The term "Dynamic Authorization Client" is used instead of RADIUS server where it applies to the originator of CoA and Disconnect- - Request packets. Similarly, the term "Dynamic Authorizatin Server" - is used instead of NAS where it applies to the receiver of CoA and + Request packets. The term "Dynamic Authorization Server" is used + instead of NAS where it applies to the receiver of CoA and Disconnect-Request packets. Definitions of these terms have been added (Section 1.3). o Added requirement for duplicate detection on the Dynamic Authorization Server (Section 2.3). o Clarified expected behavior when session identification attributes match more than one session (Sections 2.3, 3, 3.5, 4). o Added Chargeable-User-Identity as a session identification - attribute. Removed Framed-IP-Address, Framed-IPv6-Prefix, Framed- - Interface-Id and NAS-Port-Type attributes as session identification - attributes. Recommended inclusion of Acct-Session-Id or Acct-Multi- - Session-Id attributes in an Access-Request (Section 3). + attribute. Removed NAS-Port-Type as a session identification + attribute (Section 3). o Added recommendation that an Acct-Session-Id or Acct-Mult-Session- Id Attribute be included in an Access-Request (Section 3). o Added details relating to handling of the Proxy-State Attribute (Section 3.1). o Added clarification that support for a Service-Type Attribute with value "Authorize Only" is optional on both the NAS and Dynamic - Authorization Client (Section 3.2). + Authorization Client (Section 3.2). Use of the Service-Type + Attribute within a Disconnect-Request is prohibited (Sections 3.2, + 3.6). 
o Added requirement for inclusion of the State Attribute in CoA- Request packets including a Service-Type Attribute with a value of "Authorize Only" (Section 3.3). o Added clarification on the calculation of the Message-Authenticator Attribute (Section 3.4). o Additional Error-Cause Attribute values are allocated for Invalid Attribute Value (407) and Multiple Session Identification Unsupported (508) (Sections 3.5, 4). o Updated the CoA-Request Attribute Table to include Filter-Rule, Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- Name and User-Priority attributes (Section 3.6). o Added the Chargeable-User-Identity Attribute to both the CoA- Request and Disconnect-Request Attribute table (Section 3.6). - o The use of Vendor-Specific Attributes (VSAs) for session - identification and authorization change has been clarified (Section - 3.6). + o Use of Vendor-Specific Attributes (VSAs) for session identification + and authorization change has been clarified (Section 3.6). o Added Note 6 on the use of the CoA-Request for renumbering (Section 3.6). - o Use of the Service-Type Attribute within a Disconnect-Request is - prohibited (Sections 3.2, 3.6). - o Added Diameter Considerations (Section 4). - o Changed the text to indicate that the Event-Timestamp Attribute - should not be recalculated on retransmission. The implications for - replay and duplicate detection are discussed (Section 6.4). + o Event-Timestamp Attribute should not be recalculated on + retransmission. The implications for replay and duplicate detection + are discussed (Section 6.4). - o Operation of the RPF check has been clarified. Use of the RPF - check is optional rather than recommended by default (Section 6.1). + o Operation of the Reverse Path Forwarding (RPF) check has been + clarified. Use of the RPF check is optional rather than recommended + by default (Section 6.1). Full Copyright Statement Copyright (C) The IETF Trust (2007). 
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an
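Review bot: The title-page hunk drops the "4 June 2007" issue-date line and adds "Expires: January 25, 2008" without inserting a replacement issue date, so the -09 front page no longer states when the draft was published; the boilerplate paragraph's expiry ("This Internet-Draft will expire on January 25, 2008.") does match the new header, and the added "draft-ietf-radext-rfc3576bis-09.txt" line under the title is the usual filename placement, so only the missing date needs attention.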
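Review bot: In the Appendix A hunk, deleting the sentence "Recommended inclusion of Acct-Session-Id or Acct-Multi- Session-Id attributes in an Access-Request (Section 3)." correctly removes a duplicate of the following bullet, but the surviving bullet still reads "Acct-Mult-Session- Id Attribute"; it should be "Acct-Multi-Session-Id" as the removed text spelled it. Two further losses in the same hunk deserve a check: the bullet "Added Diameter Considerations (Section 4)." is removed with no replacement even though Section 4 is still cited by other bullets ("Sections 2.3, 3, 3.5, 4", "Sections 3.5, 4"), and the session-identification bullet now mentions only the removal of NAS-Port-Type, so the prior statement that Framed-IP-Address, Framed-IPv6-Prefix and Framed-Interface-Id were removed should be confirmed against Section 3 of -09 rather than silently dropped from the change log.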