draft-ietf-radext-rfc3576bis-09.txt   draft-ietf-radext-rfc3576bis-10.txt 
Network Working Group Murtaza S. Chiba Network Working Group Murtaza S. Chiba
INTERNET-DRAFT Gopal Dommety INTERNET-DRAFT Gopal Dommety
Obsoletes: 3576 Mark Eklund Obsoletes: 3576 Mark Eklund
Category: Informational Cisco Systems, Inc. Category: Informational Cisco Systems, Inc.
Expires: January 25, 2008 David Mitton Expires: April 5, 2008 David Mitton
RSA Security, Inc. RSA Security, Inc.
Bernard Aboba Bernard Aboba
Microsoft Corporation Microsoft Corporation
4 October 2007
Dynamic Authorization Extensions to Remote Authentication Dial In User Dynamic Authorization Extensions to Remote Authentication Dial In User
Service (RADIUS) Service (RADIUS)
draft-ietf-radext-rfc3576bis-09.txt draft-ietf-radext-rfc3576bis-10.txt
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 37 skipping to change at page 1, line 38
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 25, 2008. This Internet-Draft will expire on April 5, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). All Rights Reserved. Copyright (C) The IETF Trust (2007). All Rights Reserved.
Abstract Abstract
This document describes a currently deployed extension to the Remote This document describes a currently deployed extension to the Remote
Authentication Dial In User Service (RADIUS) protocol, allowing Authentication Dial In User Service (RADIUS) protocol, allowing
dynamic changes to a user session, as implemented by network access dynamic changes to a user session, as implemented by network access
skipping to change at page 2, line 16 skipping to change at page 2, line 16
1. Introduction .......................................... 3 1. Introduction .......................................... 3
1.1 Applicability ................................... 3 1.1 Applicability ................................... 3
1.2 Requirements Language ........................... 4 1.2 Requirements Language ........................... 4
1.3 Terminology ..................................... 4 1.3 Terminology ..................................... 4
2. Overview ............................................. 5 2. Overview ............................................. 5
2.1 Disconnect Messages (DM) ........................ 5 2.1 Disconnect Messages (DM) ........................ 5
2.2 Change-of-Authorization Messages (CoA) .......... 5 2.2 Change-of-Authorization Messages (CoA) .......... 5
2.3 Packet Format ................................... 6 2.3 Packet Format ................................... 6
3. Attributes ............................................ 10 3. Attributes ............................................ 10
3.1 Proxy State ..................................... 12 3.1 Proxy State ..................................... 13
3.2 Authorize Only .................................. 13 3.2 Authorize Only .................................. 13
3.3 State ........................................... 13 3.3 State ........................................... 14
3.4 Message-Authenticator ........................... 14 3.4 Message-Authenticator ........................... 15
3.5 Error-Cause ..................................... 15 3.5 Error-Cause ..................................... 16
3.6 Table of Attributes ............................. 18 3.6 Table of Attributes ............................. 19
4. Diameter Considerations ............................... 22 4. Diameter Considerations ............................... 22
5. IANA Considerations ................................... 24 5. IANA Considerations ................................... 25
6. Security Considerations ............................... 25 6. Security Considerations ............................... 25
6.1 Authorization Issues ............................ 25 6.1 Authorization Issues ............................ 25
6.2 Impersonation ................................... 26 6.2 Impersonation ................................... 26
6.3 IPsec Usage Guidelines .......................... 26 6.3 IPsec Usage Guidelines .......................... 27
6.4 Replay Protection ............................... 29 6.4 Replay Protection ............................... 30
7. Example Traces ........................................ 30 7. Example Traces ........................................ 30
8. References ............................................ 30 8. References ............................................ 31
8.1 Normative References ............................ 30 8.1 Normative References ............................ 31
8.2 Informative References .......................... 31 8.2 Informative References .......................... 32
ACKNOWLEDGMENTS .............................................. 32 ACKNOWLEDGMENTS .............................................. 33
AUTHORS' ADDRESSES ........................................... 33 AUTHORS' ADDRESSES ........................................... 34
Appendix A - Changes from RFC 3576 ........................... 34 Appendix A - Changes from RFC 3576 ........................... 35
Full Copyright Statement ..................................... 36 Full Copyright Statement ..................................... 37
Intellectual Property ........................................ 36 Intellectual Property ........................................ 37
1. Introduction 1. Introduction
The RADIUS protocol, defined in [RFC2865], does not support The RADIUS protocol, defined in [RFC2865], does not support
unsolicited messages sent from the RADIUS server to the Network unsolicited messages sent from the RADIUS server to the Network
Access Server (NAS). Access Server (NAS).
However, there are many instances in which it is desirable for However, there are many instances in which it is desirable for
changes to be made to session characteristics, without requiring the changes to be made to session characteristics, without requiring the
NAS to initiate the exchange. For example, it may be desirable for NAS to initiate the exchange. For example, it may be desirable for
skipping to change at page 5, line 31 skipping to change at page 5, line 31
A Disconnect-Request packet is sent by the Dynamic Authorization A Disconnect-Request packet is sent by the Dynamic Authorization
Client in order to terminate user session(s) on a NAS and discard all Client in order to terminate user session(s) on a NAS and discard all
associated session context. The Disconnect-Request packet is sent to associated session context. The Disconnect-Request packet is sent to
UDP port 3799, and identifies the NAS as well as the user session(s) UDP port 3799, and identifies the NAS as well as the user session(s)
to be terminated by inclusion of the identification attributes to be terminated by inclusion of the identification attributes
described in Section 3. described in Section 3.
+----------+ +----------+ +----------+ +----------+
| | Disconnect-Request | | | | Disconnect-Request | |
| | <-------------------- | Dynamic | | | <-------------------- | |
| NAS | | Authz | | NAS | | DAC |
| | Disconnect-Response | Client | | | Disconnect-Response | |
| | ---------------------> | | | | ---------------------> | |
+----------+ +----------+ +----------+ +----------+
The NAS responds to a Disconnect-Request packet sent by a Dynamic The NAS responds to a Disconnect-Request packet sent by a Dynamic
Authorization Client with a Disconnect-ACK if all associated session Authorization Client with a Disconnect-ACK if all associated session
context is discarded and the user session(s) are no longer connected, context is discarded and the user session(s) are no longer connected,
or a Disconnect-NAK, if the NAS was unable to disconnect one or more or a Disconnect-NAK, if the NAS was unable to disconnect one or more
sessions and discard all associated session context. A Disconnect- sessions and discard all associated session context. A Disconnect-
ACK MAY contain the Attribute Acct-Terminate-Cause (49) [RFC2866] ACK MAY contain the Attribute Acct-Terminate-Cause (49) [RFC2866]
with the value set to 6 for Admin-Reset. with the value set to 6 for Admin-Reset.
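Review bot: The figure now labels the right-hand box "DAC" while the sentences directly above and below it still spell out "Dynamic Authorization Client", and the CoA figure in the next hunk makes the same substitution. That is fine only if "DAC" is defined in the Section 1.3 terminology before this first use; please confirm, and either use the abbreviation consistently in the surrounding prose or keep the long form in the figure.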
skipping to change at page 6, line 18 skipping to change at page 6, line 18
Filter-ID (11) - Indicates the name of a data filter list Filter-ID (11) - Indicates the name of a data filter list
to be applied for the session(s) that the to be applied for the session(s) that the
identification attributes map to. identification attributes map to.
NAS-Filter-Rule (92) - Provides a filter list to be applied NAS-Filter-Rule (92) - Provides a filter list to be applied
for the session(s) that the identification for the session(s) that the identification
attributes map to [RFC4849]. attributes map to [RFC4849].
+----------+ +----------+ +----------+ +----------+
| | CoA-Request | | | | CoA-Request | |
| | <-------------------- | Dynamic | | | <-------------------- | |
| NAS | | Authz | | NAS | | DAC |
| | CoA-Response | Client | | | CoA-Response | |
| | ---------------------> | | | | ---------------------> | |
+----------+ +----------+ +----------+ +----------+
The NAS responds to a CoA-Request sent by a Dynamic Authorization The NAS responds to a CoA-Request sent by a Dynamic Authorization
Client with a CoA-ACK if the NAS is able to successfully change the Client with a CoA-ACK if the NAS is able to successfully change the
authorizations for the user session(s), or a CoA-NAK if the CoA- authorizations for the user session(s), or a CoA-NAK if the CoA-
Request is unsuccessful. A NAS MUST respond to a CoA-Request Request is unsuccessful. A NAS MUST respond to a CoA-Request
including a Service-Type Attribute with an unsupported value with a including a Service-Type Attribute with an unsupported value with a
CoA-NAK; an Error-Cause Attribute with value "Unsupported Service" CoA-NAK; an Error-Cause Attribute with value "Unsupported Service"
SHOULD be included. SHOULD be included.
skipping to change at page 12, line 23 skipping to change at page 12, line 23
To address security concerns described in Section 6.2, one or more of To address security concerns described in Section 6.2, one or more of
the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present
in CoA-Request and Disconnect-Request packets; the NAS-Identifier in CoA-Request and Disconnect-Request packets; the NAS-Identifier
Attribute MAY be present. Attribute MAY be present.
A Disconnect-Request MUST contain only NAS and session identification A Disconnect-Request MUST contain only NAS and session identification
attributes. If other attributes are included in a Disconnect- attributes. If other attributes are included in a Disconnect-
Request, implementations MUST send a Disconnect-NAK; an Error-Cause Request, implementations MUST send a Disconnect-NAK; an Error-Cause
Attribute with value "Unsupported Attribute" MAY be included. Attribute with value "Unsupported Attribute" MAY be included.
The DAC may require access to data from RADIUS authentication or
accounting packets. It uses this data to compose compliant CoA-
Request or Disconnect-Request packets. For example, as described in
Section 3.3, a CoA-Request packet containing a Service-Type Attribute
with value of "Authorize Only" is required to contain a State
Attribute. The NAS will subsequently transmit this attribute to the
RADIUS server in an Access-Request. In order for the DAC to include
a State Attribute that the RADIUS server will subsequently accept,
some coordination between the two parties may be required.
This coordination can be acheived in multiple ways. The DAC may be
co-located with a RADIUS server, in which case it is presumed to have
access to the necessary data. The RADIUS server may also store that
information in a common database. The DAC can then be separated from
the RADIUS server, so long as it has access to that common database.
Where the DAC is not co-located with a RADIUS server, and does not
have access to a common database, the DAC SHOULD send CoA- Request or
Disconnect-Request packets to a RADIUS server acting as a proxy,
rather than sending them directly to the NAS.
A RADIUS server receiving a CoA-Request or Disconnect-Request packet
from the DAC MAY then add or update attributes (such as adding NAS or
session identification attributes or appending a State Attribute),
prior to forwarding the packet. Having CoA/Disconnect-Requests
forwarded by a RADIUS server can also enable upstream RADIUS proxies
to perform a Reverse Path Forwarding (RPF) check (see Section 6.1).
3.1. Proxy State 3.1. Proxy State
If there are any Proxy-State attributes in a Disconnect-Request or If there are any Proxy-State attributes in a Disconnect-Request or
CoA-Request received from the Dynamic Authorization Client, the CoA-Request received from the Dynamic Authorization Client, the
Dynamic Authorization Server MUST include those Proxy-State Dynamic Authorization Server MUST include those Proxy-State
attributes in its response to the Dynamic Authorization Client. attributes in its response to the Dynamic Authorization Client.
A forwarding proxy or NAS MUST NOT modify existing Proxy-State, A forwarding proxy or NAS MUST NOT modify existing Proxy-State,
State, or Class attributes present in the packet. The forwarding State, or Class attributes present in the packet. The forwarding
proxy or NAS MUST treat any Proxy-State attributes already in the proxy or NAS MUST treat any Proxy-State attributes already in the
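Review bot: The new paragraph allowing a forwarding RADIUS server to "add or update attributes (such as ... appending a State Attribute)" sits uneasily with Section 3.1 just below it, which says a forwarding proxy "MUST NOT modify existing Proxy-State, State, or Class attributes present in the packet". Please state explicitly that a State Attribute may be appended only when the request from the DAC carries none, and that "update" does not extend to an existing State, Class or Proxy-State; otherwise a NAS cannot tell whether a modified State is a legitimate proxy action or tampering. Two editorial points in the same text: "acheived" should read "achieved", and "CoA- Request" has a stray space after the hyphen.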
skipping to change at page 18, line 51 skipping to change at page 19, line 33
0-1 0 0 1 User-Name [Note 1] 0-1 0 0 1 User-Name [Note 1]
0-1 0 0 4 NAS-IP-Address [Note 1] 0-1 0 0 4 NAS-IP-Address [Note 1]
0-1 0 0 5 NAS-Port [Note 1] 0-1 0 0 5 NAS-Port [Note 1]
0-1 0 0-1 6 Service-Type 0-1 0 0-1 6 Service-Type
0-1 0 0 7 Framed-Protocol [Note 3] 0-1 0 0 7 Framed-Protocol [Note 3]
0-1 0 0 8 Framed-IP-Address [Notes 1,6] 0-1 0 0 8 Framed-IP-Address [Notes 1,6]
0-1 0 0 9 Framed-IP-Netmask [Note 3] 0-1 0 0 9 Framed-IP-Netmask [Note 3]
0-1 0 0 10 Framed-Routing [Note 3] 0-1 0 0 10 Framed-Routing [Note 3]
0+ 0 0 11 Filter-ID [Note 3] 0+ 0 0 11 Filter-ID [Note 3]
0-1 0 0 12 Framed-MTU [Note 3] 0-1 0 0 12 Framed-MTU [Note 3]
Request ACK NAK # Attribute
Request ACK NAK # Attribute
0+ 0 0 13 Framed-Compression [Note 3] 0+ 0 0 13 Framed-Compression [Note 3]
0+ 0 0 14 Login-IP-Host [Note 3] 0+ 0 0 14 Login-IP-Host [Note 3]
0-1 0 0 15 Login-Service [Note 3] 0-1 0 0 15 Login-Service [Note 3]
0-1 0 0 16 Login-TCP-Port [Note 3] 0-1 0 0 16 Login-TCP-Port [Note 3]
0+ 0 0 18 Reply-Message [Note 2] 0+ 0 0 18 Reply-Message [Note 2]
0-1 0 0 19 Callback-Number [Note 3] 0-1 0 0 19 Callback-Number [Note 3]
0-1 0 0 20 Callback-Id [Note 3] 0-1 0 0 20 Callback-Id [Note 3]
0+ 0 0 22 Framed-Route [Note 3] 0+ 0 0 22 Framed-Route [Note 3]
0-1 0 0 23 Framed-IPX-Network [Note 3] 0-1 0 0 23 Framed-IPX-Network [Note 3]
0-1 0-1 0-1 24 State 0-1 0-1 0-1 24 State
0+ 0 0 25 Class [Note 3] 0+ 0 0 25 Class [Note 3]
0+ 0 0 26 Vendor-Specific [Note 7] 0+ 0 0 26 Vendor-Specific [Note 7]
0-1 0 0 27 Session-Timeout [Note 3] 0-1 0 0 27 Session-Timeout [Note 3]
0-1 0 0 28 Idle-Timeout [Note 3] 0-1 0 0 28 Idle-Timeout [Note 3]
0-1 0 0 29 Termination-Action [Note 3] 0-1 0 0 29 Termination-Action [Note 3]
0-1 0 0 30 Called-Station-Id [Note 1] 0-1 0 0 30 Called-Station-Id [Note 1]
0-1 0 0 31 Calling-Station-Id [Note 1] 0-1 0 0 31 Calling-Station-Id [Note 1]
0-1 0 0 32 NAS-Identifier [Note 1] 0-1 0 0 32 NAS-Identifier [Note 1]
Request ACK NAK # Attribute
Request ACK NAK # Attribute
0+ 0+ 0+ 33 Proxy-State 0+ 0+ 0+ 33 Proxy-State
0-1 0 0 34 Login-LAT-Service [Note 3] 0-1 0 0 34 Login-LAT-Service [Note 3]
0-1 0 0 35 Login-LAT-Node [Note 3] 0-1 0 0 35 Login-LAT-Node [Note 3]
0-1 0 0 36 Login-LAT-Group [Note 3] 0-1 0 0 36 Login-LAT-Group [Note 3]
0-1 0 0 37 Framed-AppleTalk-Link [Note 3] 0-1 0 0 37 Framed-AppleTalk-Link [Note 3]
0+ 0 0 38 Framed-AppleTalk-Network [Note 3] 0+ 0 0 38 Framed-AppleTalk-Network [Note 3]
0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] 0-1 0 0 39 Framed-AppleTalk-Zone [Note 3]
0-1 0 0 44 Acct-Session-Id [Note 1] 0-1 0 0 44 Acct-Session-Id [Note 1]
0-1 0 0 50 Acct-Multi-Session-Id [Note 1] 0-1 0 0 50 Acct-Multi-Session-Id [Note 1]
0-1 0-1 0-1 55 Event-Timestamp 0-1 0-1 0-1 55 Event-Timestamp
skipping to change at page 19, line 48 skipping to change at page 20, line 30
0-1 0 0 62 Port-Limit [Note 3] 0-1 0 0 62 Port-Limit [Note 3]
0-1 0 0 63 Login-LAT-Port [Note 3] 0-1 0 0 63 Login-LAT-Port [Note 3]
0+ 0 0 64 Tunnel-Type [Note 5] 0+ 0 0 64 Tunnel-Type [Note 5]
0+ 0 0 65 Tunnel-Medium-Type [Note 5] 0+ 0 0 65 Tunnel-Medium-Type [Note 5]
0+ 0 0 66 Tunnel-Client-Endpoint [Note 5] 0+ 0 0 66 Tunnel-Client-Endpoint [Note 5]
0+ 0 0 67 Tunnel-Server-Endpoint [Note 5] 0+ 0 0 67 Tunnel-Server-Endpoint [Note 5]
0+ 0 0 69 Tunnel-Password [Note 5] 0+ 0 0 69 Tunnel-Password [Note 5]
0-1 0 0 71 ARAP-Features [Note 3] 0-1 0 0 71 ARAP-Features [Note 3]
0-1 0 0 72 ARAP-Zone-Access [Note 3] 0-1 0 0 72 ARAP-Zone-Access [Note 3]
0+ 0 0 78 Configuration-Token [Note 3] 0+ 0 0 78 Configuration-Token [Note 3]
Request ACK NAK # Attribute
Request ACK NAK # Attribute
0+ 0-1 0 79 EAP-Message [Note 2] 0+ 0-1 0 79 EAP-Message [Note 2]
0-1 0-1 0-1 80 Message-Authenticator 0-1 0-1 0-1 80 Message-Authenticator
0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5]
0+ 0 0 82 Tunnel-Assignment-ID [Note 5] 0+ 0 0 82 Tunnel-Assignment-ID [Note 5]
0+ 0 0 83 Tunnel-Preference [Note 5] 0+ 0 0 83 Tunnel-Preference [Note 5]
0-1 0 0 85 Acct-Interim-Interval [Note 3] 0-1 0 0 85 Acct-Interim-Interval [Note 3]
0-1 0 0 87 NAS-Port-Id [Note 1] 0-1 0 0 87 NAS-Port-Id [Note 1]
0-1 0 0 88 Framed-Pool [Note 3] 0-1 0 0 88 Framed-Pool [Note 3]
0-1 0 0 89 Chargeable-User-Identity [Note 1] 0-1 0 0 89 Chargeable-User-Identity [Note 1]
0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5]
skipping to change at page 20, line 39 skipping to change at page 21, line 15
Request ACK NAK # Attribute Request ACK NAK # Attribute
0-1 0 0 1 User-Name [Note 1] 0-1 0 0 1 User-Name [Note 1]
0-1 0 0 4 NAS-IP-Address [Note 1] 0-1 0 0 4 NAS-IP-Address [Note 1]
0-1 0 0 5 NAS-Port [Note 1] 0-1 0 0 5 NAS-Port [Note 1]
0 0 0 6 Service-Type 0 0 0 6 Service-Type
0 0 0 8 Framed-IP-Address [Note 1] 0 0 0 8 Framed-IP-Address [Note 1]
0+ 0 0 18 Reply-Message [Note 2] 0+ 0 0 18 Reply-Message [Note 2]
0 0 0 24 State 0 0 0 24 State
0+ 0 0 25 Class [Note 4] 0+ 0 0 25 Class [Note 4]
0+ 0 0 26 Vendor-Specific [Note 1] 0+ 0 0 26 Vendor-Specific [Note 7]
0-1 0 0 30 Called-Station-Id [Note 1] 0-1 0 0 30 Called-Station-Id [Note 1]
0-1 0 0 31 Calling-Station-Id [Note 1] 0-1 0 0 31 Calling-Station-Id [Note 1]
0-1 0 0 32 NAS-Identifier [Note 1] 0-1 0 0 32 NAS-Identifier [Note 1]
0+ 0+ 0+ 33 Proxy-State 0+ 0+ 0+ 33 Proxy-State
0-1 0 0 44 Acct-Session-Id [Note 1] 0-1 0 0 44 Acct-Session-Id [Note 1]
0-1 0-1 0 49 Acct-Terminate-Cause 0-1 0-1 0 49 Acct-Terminate-Cause
0-1 0 0 50 Acct-Multi-Session-Id [Note 1] 0-1 0 0 50 Acct-Multi-Session-Id [Note 1]
0-1 0-1 0-1 55 Event-Timestamp 0-1 0-1 0-1 55 Event-Timestamp
0 0 0 61 NAS-Port-Type 0 0 0 61 NAS-Port-Type
0+ 0-1 0 79 EAP-Message [Note 2] 0+ 0-1 0 79 EAP-Message [Note 2]
Request ACK NAK # Attribute
Request ACK NAK # Attribute
0-1 0-1 0-1 80 Message-Authenticator 0-1 0-1 0-1 80 Message-Authenticator
0-1 0 0 87 NAS-Port-Id [Note 1] 0-1 0 0 87 NAS-Port-Id [Note 1]
0-1 0 0 89 Chargeable-User-Identity [Note 1] 0-1 0 0 89 Chargeable-User-Identity [Note 1]
0-1 0 0 95 NAS-IPv6-Address [Note 1] 0-1 0 0 95 NAS-IPv6-Address [Note 1]
0 0 0 96 Framed-Interface-Id [Note 1] 0 0 0 96 Framed-Interface-Id [Note 1]
0 0 0 97 Framed-IPv6-Prefix [Note 1] 0 0 0 97 Framed-IPv6-Prefix [Note 1]
0 0 0+ 101 Error-Cause 0 0 0+ 101 Error-Cause
Request ACK NAK # Attribute Request ACK NAK # Attribute
The following table defines the meaning of the above table entries. The following table defines the meaning of the above table entries.
skipping to change at page 22, line 16 skipping to change at page 22, line 36
Interface-Id attributes are used for session identification, Interface-Id attributes are used for session identification,
renumbering cannot be accomplished by including values of these renumbering cannot be accomplished by including values of these
attributes within a CoA-Request. Instead, a CoA-Request including a attributes within a CoA-Request. Instead, a CoA-Request including a
Service-Type Attribute with a value of "Authorize Only" is sent; new Service-Type Attribute with a value of "Authorize Only" is sent; new
values can be supplied in an Access-Accept sent in response to the values can be supplied in an Access-Accept sent in response to the
ensuing Access-Request. Note that renumbering will not be possible ensuing Access-Request. Note that renumbering will not be possible
in all situations. For example, in order to change an IP address, in all situations. For example, in order to change an IP address,
IPCP or IPv6CP re-negotiation could be required, which is not IPCP or IPv6CP re-negotiation could be required, which is not
supported by all PPP implementations. supported by all PPP implementations.
[Note 7] Within CoA-Request packets, Vendor-Specific Attributes [Note 7] Within Disconnect-Request packets, Vendor-Specific
(VSAs) MAY be used for either session identification or authorization Attributes (VSAs) MAY be used for session identification. Within
change. However, the same Attribute MUST NOT be used for both CoA-Request packets, VSAs MAY be used for either session
purposes simultaneously. identification or authorization change. However, the same Attribute
MUST NOT be used for both purposes simultaneously.
4. Diameter Considerations 4. Diameter Considerations
Due to differences in handling change-of-authorization requests in Due to differences in handling change-of-authorization requests in
RADIUS and Diameter, it may be difficult or impossible for a RADIUS and Diameter, it may be difficult or impossible for a
Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth- Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth-
Request (RAR) to a CoA-Request and vice versa. For example, since a Request (RAR) to a CoA-Request and vice versa. For example, since a
CoA-Request only initiates an authorization change but does not CoA-Request only initiates an authorization change but does not
initiate re-authentication, a RAR command containing a Re-Auth- initiate re-authentication, a RAR command containing a Re-Auth-
Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be
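Review bot: Note 7 now permits VSAs in a Disconnect-Request "for session identification" but does not say what a NAS should do with a VSA it cannot recognise as a session identifier, even though the text in Section 3 requires a Disconnect-NAK when anything other than NAS and session identification attributes is present. Suggest adding a sentence to Note 7 that a VSA in a Disconnect-Request that the NAS does not treat as a session identifier is handled like any other unsupported attribute (Disconnect-NAK, optionally with Error-Cause "Unsupported Attribute"). The corresponding table change, "0+ 0 0 26 Vendor-Specific [Note 7]" in the Disconnect-Request table, is consistent with the revised note.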
skipping to change at page 27, line 22 skipping to change at page 27, line 36
Since in RADIUS a shared secret is used to provide confidentiality as Since in RADIUS a shared secret is used to provide confidentiality as
well as integrity protection and authentication, only use of IPsec well as integrity protection and authentication, only use of IPsec
ESP with a non-null transform can provide security services ESP with a non-null transform can provide security services
sufficient to substitute for RADIUS application-layer security. sufficient to substitute for RADIUS application-layer security.
Therefore, where IPsec AH or ESP null is used, it will typically Therefore, where IPsec AH or ESP null is used, it will typically
still be necessary to configure a RADIUS shared secret. still be necessary to configure a RADIUS shared secret.
Where RADIUS is run over IPsec ESP with a non-null transform, the Where RADIUS is run over IPsec ESP with a non-null transform, the
secret shared between the Dynamic Authorization Server and the secret shared between the Dynamic Authorization Server and the
Dynamic Authorization Client MAY NOT be configured. In this case, a Dynamic Authorization Client may not be configured. In this case, a
shared secret of zero length MUST be assumed. However, a Dynamic shared secret of zero length MUST be assumed. However, a Dynamic
Authorization Client that cannot know whether incoming traffic is Authorization Client that cannot know whether incoming traffic is
IPsec-protected MUST be configured with a non-null RADIUS shared IPsec-protected MUST be configured with a non-null RADIUS shared
secret. secret.
When IPsec ESP is used with RADIUS, per-packet authentication, When IPsec ESP is used with RADIUS, per-packet authentication,
integrity and replay protection MUST be used. 3DES-CBC MUST be integrity and replay protection MUST be used. 3DES-CBC MUST be
supported as an encryption transform and AES-CBC SHOULD be supported. supported as an encryption transform and AES-CBC SHOULD be supported.
AES-CBC SHOULD be offered as a preferred encryption transform if AES-CBC SHOULD be offered as a preferred encryption transform if
supported. HMAC-SHA1-96 MUST be supported as an authentication supported. HMAC-SHA1-96 MUST be supported as an authentication
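Review bot: Changing "MAY NOT be configured" to "may not be configured" is the right direction, since "MAY NOT" is not an RFC 2119 keyword and read as a prohibition on configuring a secret; "need not be configured" would remove the remaining ambiguity entirely. Separately, please check the party named in the last sentence: the receiver of unsolicited CoA-Request and Disconnect-Request traffic is the Dynamic Authorization Server (the NAS), so the party that "cannot know whether incoming traffic is IPsec-protected" and therefore MUST keep a non-null shared secret would more naturally be the Server rather than the Client.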
skipping to change at page 34, line 12 skipping to change at page 35, line 12
Phone: +1 425 706 6605 Phone: +1 425 706 6605
Fax: +1 425 936 7329 Fax: +1 425 936 7329
Appendix A - Changes from RFC 3576 Appendix A - Changes from RFC 3576
This Appendix lists the major changes between [RFC3576] and this This Appendix lists the major changes between [RFC3576] and this
document. Minor changes, including style, grammar, spelling, and document. Minor changes, including style, grammar, spelling, and
editorial changes are not mentioned here. editorial changes are not mentioned here.
o The term "Dynamic Authorization Client" is used instead of RADIUS o The term "Dynamic Authorization Client" is used instead of RADIUS
server where it applies to the originator of CoA and Disconnect- server where it applies to the originator of CoA-Request and
Request packets. The term "Dynamic Authorization Server" is used Disconnect-Request packets. The term "Dynamic Authorization Server"
instead of NAS where it applies to the receiver of CoA and is used instead of NAS where it applies to the receiver of CoA-
Disconnect-Request packets. Definitions of these terms have been Request and Disconnect-Request packets. Definitions of these terms
added (Section 1.3). have been added (Section 1.3).
o Added requirement for duplicate detection on the Dynamic o Added requirement for duplicate detection on the Dynamic
Authorization Server (Section 2.3). Authorization Server (Section 2.3).
o Clarified expected behavior when session identification attributes o Clarified expected behavior when session identification attributes
match more than one session (Sections 2.3, 3, 3.5, 4). match more than one session (Sections 2.3, 3, 3.5, 4).
o Added Chargeable-User-Identity as a session identification o Added Chargeable-User-Identity as a session identification
attribute. Removed NAS-Port-Type as a session identification attribute. Removed NAS-Port-Type as a session identification
attribute (Section 3). attribute (Section 3).
o Added recommendation that an Acct-Session-Id or Acct-Mult-Session- o Added recommendation that an Acct-Session-Id or Acct-Mult-Session-
Id Attribute be included in an Access-Request (Section 3). Id Attribute be included in an Access-Request (Section 3).
o Added discussion of scenarios in which the "Dynamic Authorization
Client" and RADIUS server are not co-located (Section 3).
o Added details relating to handling of the Proxy-State Attribute o Added details relating to handling of the Proxy-State Attribute
(Section 3.1). (Section 3.1).
o Added clarification that support for a Service-Type Attribute with o Added clarification that support for a Service-Type Attribute with
value "Authorize Only" is optional on both the NAS and Dynamic value "Authorize Only" is optional on both the NAS and Dynamic
Authorization Client (Section 3.2). Use of the Service-Type Authorization Client (Section 3.2). Use of the Service-Type
Attribute within a Disconnect-Request is prohibited (Sections 3.2, Attribute within a Disconnect-Request is prohibited (Sections 3.2,
3.6). 3.6).
o Added requirement for inclusion of the State Attribute in CoA- o Added requirement for inclusion of the State Attribute in CoA-
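Review bot: "Acct-Mult-Session-Id" in the recommendation bullet is a typo for "Acct-Multi-Session-Id", the name used in both attribute tables (attribute 50); it appears in both columns, so it predates this revision but should be fixed here. The new bullet on scenarios where the DAC and RADIUS server are not co-located matches the text added in Section 3.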
skipping to change at page 35, line 12 skipping to change at page 36, line 15
o Updated the CoA-Request Attribute Table to include Filter-Rule, o Updated the CoA-Request Attribute Table to include Filter-Rule,
Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN-
Name and User-Priority attributes (Section 3.6). Name and User-Priority attributes (Section 3.6).
o Added the Chargeable-User-Identity Attribute to both the CoA- o Added the Chargeable-User-Identity Attribute to both the CoA-
Request and Disconnect-Request Attribute table (Section 3.6). Request and Disconnect-Request Attribute table (Section 3.6).
o Use of Vendor-Specific Attributes (VSAs) for session identification o Use of Vendor-Specific Attributes (VSAs) for session identification
and authorization change has been clarified (Section 3.6). and authorization change has been clarified (Section 3.6).
o Added Note 6 on the use of the CoA-Request for renumbering (Section o Added Note 6 on the use of the CoA-Request for renumbering, and
3.6). Note 7 on the use of Vendor-Specific attributes (Section 3.6).
o Added Diameter Considerations (Section 4). o Added Diameter Considerations (Section 4).
o Event-Timestamp Attribute should not be recalculated on o Event-Timestamp Attribute should not be recalculated on
retransmission. The implications for replay and duplicate detection retransmission. The implications for replay and duplicate detection
are discussed (Section 6.4). are discussed (Section 6.4).
o Operation of the Reverse Path Forwarding (RPF) check has been o Operation of the Reverse Path Forwarding (RPF) check has been
clarified. Use of the RPF check is optional rather than recommended clarified. Use of the RPF check is optional rather than recommended
by default (Section 6.1). by default (Section 6.1).
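Review bot: The bullet "Use of Vendor-Specific Attributes (VSAs) for session identification and authorization change has been clarified (Section 3.6)" and the revised bullet ending "Note 7 on the use of Vendor-Specific attributes (Section 3.6)" now describe the same change; merge them into one entry. In the CoA-Request table bullet, "Filter-Rule" should read "NAS-Filter-Rule", the attribute name (92) used in Section 2.2.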
skipping to change at page 36, line 47 skipping to change at page 37, line 47
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf- this standard. Please address the information to the IETF at ietf-
ipr@ietf.org. ipr@ietf.org.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is provided by the IETF Funding for the RFC Editor function is currently provided by the
Administrative Support Activity (IASA). Internet Society.
Open issues Open issues
Open issues relating to this specification are tracked on the Open issues relating to this specification are tracked on the
following web site: following web site:
http://www.drizzle.com/~aboba/RADEXT/ http://www.drizzle.com/~aboba/RADEXT/
 End of changes. 23 change blocks. 
46 lines changed or deleted 75 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/