draft-ietf-radext-tcp-transport-04.txt   draft-ietf-radext-tcp-transport-05.txt 
Network Working Group A. DeKok Network Working Group A. DeKok
INTERNET-DRAFT FreeRADIUS INTERNET-DRAFT FreeRADIUS
Category: Experimental Category: Experimental
<draft-ietf-radext-tcp-transport-04.txt> <draft-ietf-radext-tcp-transport-05.txt>
Expires: April 12,2009 Expires: April 12,2009
12 October 2009 19 February 2010
RADIUS Over TCP RADIUS Over TCP
draft-ietf-radext-tcp-transport-04 draft-ietf-radext-tcp-transport-05
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
skipping to change at page 1, line 36 skipping to change at page 1, line 38
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 12, 2009. This Internet-Draft will expire on April 12, 2009.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents
publication of this document (http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info/) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Abstract Abstract
The Remote Authentication Dial In User Server (RADIUS) Protocol has The Remote Authentication Dial In User Server (RADIUS) Protocol has
traditionally used the User Datagram Protocol (UDP) as it's traditionally used the User Datagram Protocol (UDP) as its underlying
underlying transport layer. This document defines RADIUS over the transport layer. This document defines RADIUS over the Transmission
Transmission Control Protocol (TCP), in order to address transport Control Protocol (TCP), in order to address handling issues related
issues related to RADIUS over TLS [RTLS]. It is not intended to to RADIUS over TLS [RTLS]. It is not intended to define TCP as a
define TCP as a transport protocol for RADIUS in the absence of TLS. transport protocol for RADIUS in the absence of TLS.
Table of Contents Table of Contents
1. Introduction ............................................. 4 1. Introduction ............................................. 4
1.1. Applicability of Reliable Transport ................. 4 1.1. Applicability of Reliable Transport ................. 4
1.2. Terminology ......................................... 6 1.2. Terminology ......................................... 6
1.3. Requirements Language ............................... 7 1.3. Requirements Language ............................... 7
2. Changes to RADIUS ........................................ 7 2. Changes to RADIUS ........................................ 7
2.1. Packet Format ....................................... 7 2.1. Packet Format ....................................... 7
2.2. Assigned Ports for RADIUS Over TCP .................. 8 2.2. Assigned Ports for RADIUS Over TCP .................. 8
2.3. Management Information Base (MIB) ................... 8 2.3. Management Information Base (MIB) ................... 8
2.4. Interaction with RADIUS over TLS .................... 9 2.4. Detecting Live Servers .............................. 9
2.5. RADIUS Proxies ...................................... 9 2.5. Congestion Control Issues ........................... 10
2.6. TCP Specific Issues ................................. 10 2.6. TCP Specific Issues ................................. 10
2.6.1. Duplicates and Retransmissions ................. 11 2.6.1. Duplicates and Retransmissions ................. 11
2.6.2. Head of Line Blocking .......................... 12 2.6.2. Head of Line Blocking .......................... 12
2.6.3. Shared Secrets ................................. 12 2.6.3. Shared Secrets ................................. 12
2.6.4. Malformed Packets and Unknown Clients .......... 13 2.6.4. Malformed Packets and Unknown Clients .......... 13
2.6.5. Limitations of the ID Field .................... 13 2.6.5. Limitations of the ID Field .................... 14
2.6.6. EAP Sessions ................................... 14 2.6.6. EAP Sessions ................................... 14
2.6.7. TCP Applications are not UDP Applications ...... 15 2.6.7. TCP Applications are not UDP Applications ...... 15
3. Diameter Considerations .................................. 15 3. Diameter Considerations .................................. 15
4. IANA Considerations ...................................... 15 4. IANA Considerations ...................................... 15
5. Security Considerations .................................. 15 5. Security Considerations .................................. 15
6. References ............................................... 16 6. References ............................................... 16
6.1. Normative References ................................ 16 6.1. Normative References ................................ 16
6.2. Informative References .............................. 16 6.2. Informative References .............................. 16
1. Introduction 1. Introduction
skipping to change at page 4, line 32 skipping to change at page 4, line 32
packets, making it difficult to deploy RADIUS in a network where packets, making it difficult to deploy RADIUS in a network where
those devices are deployed. those devices are deployed.
* Connectionless transport. Neither clients nor servers receive * Connectionless transport. Neither clients nor servers receive
positive statements that a "connection" is down. This information positive statements that a "connection" is down. This information
has to be deduced instead from the absence of a reply to a has to be deduced instead from the absence of a reply to a
request. request.
As RADIUS is widely deployed, and has been widely deployed for well As RADIUS is widely deployed, and has been widely deployed for well
over a decade, these issues have been minor in some use-cases, and over a decade, these issues have been minor in some use-cases, and
problematic in others.. New systems may be interested in choosing a problematic in others. For use-cases such as inter-server proxying,
different set of trade-offs than those outlined in [RFC2865] Section [RTLS] suggests an alternative transport and security model -- RADIUS
2.4. New systems may also be interested in choosing a more reliable over TLS. This document describes the transport implications of
transport for use-cases such as inter-server proxying. For those running RADIUS over TLS/TCP.
systems, we define RADIUS over TCP
1.1. Applicability of Reliable Transport 1.1. Applicability of Reliable Transport
The intent of this document is to address transport issues related to The intent of this document is to address transport issues related to
RADIUS over TLS [RTLS]. The use of "bare" TCP transport (i.e. RADIUS over TLS [RTLS] in inter-server communications scenarios, such
without TLS) is NOT RECOMMENDED, as there has been little as inter-domain communication between proxies. These situations
implementational or operational experience with it. Additionally, benefit from the confidentiality and ciphersuite negotiation that can
[RFC2865] Section 2.4 contains a list of reasons why UDP was be provided by TLS. Since TLS is already widely available within the
originally chosen as the transport protocol for RADIUS. UDP SHOULD operating systems used by proxies, implementation barriers are low.
be used as transport protocol in all cases where the rationale given
in [RFC2865] Section 2.4 applies.
Deployment experience with RADIUS over TLS indicates that it is most
useful for inter-server communication, such as inter-domain
communication between proxies. These situations benefit from the
confidentiality and ciphersuite negotiation that can be provided by
TLS. Since TLS is already widely available within the operating
systems used by proxies, implementation barriers are low.
RADIUS over TCP has a similar set of use cases. Use of TCP as a
transport between a NAS and RADIUS server is a poor fit, since as
noted in [RFC3539], there is likely to be insufficient traffic for
the congestion window to remain above the minimum value on a long-
term basis. The result is an increase in packets due to ACKs as
compared to UDP, without a corresponding set of benefits.
In server-server communications the traffic levels in both directions
are typically high enough to support a larger congestion window as
well as ACK piggy-backing. Through use of an application-layer
watchdog as described in [RFC3539], it is possible to address the
objections to reliable transport described in [RFC2865] Section 2.4.
However, in these scenarios "bare" TCP does not provide for
confidentiality or enable negotiation of stronger ciphersuites than
are available in RADIUS.
As a result of these considerations, use of RADIUS over TCP SHOULD be In scenarios where RADIUS proxies exchange a large volume of packets
restricted to situations where RADIUS over TLS is employed. RADIUS (10+ packets per second), it is likely that there will be sufficient
over "bare" TCP is NOT RECOMMENDED. traffic to enable the congestion window to be widened beyond the
minimum value on a long-term basis, enabling ACK piggy-backing.
Through use of an application-layer watchdog as described in
[RFC3539], it is possible to address the objections to reliable
transport described in [RFC2865] Section 2.4 without substantial
watchdog traffic, since regular traffic is expected in both
directions.
There are still a number of benefits to using a reliable transport. In addition, use of RADIUS over TLS/TCP has been found to improve
For example, when RADIUS is used to carry EAP conversions [RFC3579], operational performance when used with multi-round trip
the EAP exchanges may involve 5 round trips at the RADIUS application authentication mechanisms such as RADIUS over EAP [RFC3579]. In such
layer. We may assume a probability P of packet loss in each exchanges, it is typical for EAP fragmentation to increase the number
direction (with P having a value of 1% or less). Any one of round-trips required. For example, where EAP-TLS authentication
authentication attempt will then have at least one lost packet, with [RFC5216] is attempted and both the EAP peer and server utilize
a probability of approximately (10 * P). certificate chains of 8KB, as many as 15 round-trips can be required
if RADIUS packets are restricted to 1500 octets in size.
Fragmentation of RADIUS over UDP packets is generally inadvisable due
to lack of fragmentation support within intermediate devices such as
filtering routers, firewalls and NATs. However, since RADIUS over
UDP implementations typically do not support MTU discovery,
fragmentation can occur even when the maximum RADIUS over UDP packet
size is restricted to 1500 octets.
These lost packets require the supplicant and/or the NAS to re- These problems disappear if a 4096 application-layer payload can be
transmit packets at the application layer. The difficulty with this used alongside RADIUS over TLS/TCP. Since most TCP implementations
approach is that retransmission implementations have historically support MTU discovery, the TCP MSS is automatically adjusted to
been poor. Some implementations retransmit packets, others do not, account for the MTU, and the larger congestion window supported by
and others send new packets rather then performing retransmission. TCP may allow multiple TCP segments to be sent within a single
Some implementations are incapable of detecting EAP retransmissions, window.
and will instead treat the retransmitted packet as an error.
These retransmissions have a high likelihood of causing the entire Where the MTU for EAP packets is large, RADIUS/EAP traffic required
authentication session to fail. For a system with a million logins a for an EAP-TLS authentication with 8KB certificate chains may be
day, and having a packet loss probability of P=0.01%, we expect that reduced to 7 round-trips or less, resulting in substantially reduced
0.1% of connections will experience a lost packet. That is, 1,000 authentication times.
user sessions each day will experience authentication failure.
In addition, transport of fragmented UDP packets is a poorly tested In addition, experience indicates that EAP sessions transported over
code path on network devices. Some devices appear to be incapable of RTLS are less likely to abort unsuccessfully. Historically, RADIUS
transporting fragmented UDP packets, meaning that the packet loss over UDP implementations have exhibited poor retransmission behavior.
rate for fragmented packets approaches 100 percent. The net effect Some implementations retransmit packets, others do not, and others
can be to prevent the deployment of authentication methods such as send new packets rather then performing retransmission. Some
EAP-TLS that require large RADIUS packets. implementations are incapable of detecting EAP retransmissions, and
will instead treat the retransmitted packet as an error. As a
result, within RADIUS over UDP implementations, retransmissions have
a high likeilhood of causing an EAP authentication session to fail.
For a system with a million logins a day running EAP-TLS mutual
authentication with 15 round-trips, and having a packet loss
probability of P=0.01%, we expect that 0.3% of connections will
experience at least one lost packet. That is, 3,000 user sessions
each day will experience authentication failure. This is an
unacceptable failure rate for a mass-market network service.
Using a reliable transport method such as TCP means that RADIUS Using a reliable transport method such as TCP means that RADIUS
implementations can remove all application-layer retransmissions, and implementations can remove all application-layer retransmissions, and
instead rely on the Operating System (OS) kernel's well-tested TCP instead rely on the Operating System (OS) kernel's well-tested TCP
transport to ensure reliable delivery. In addition, most TCP transport to ensure Path MTU discovery and reliable delivery. Modern
implementations discover Path MTU better than RADIUS application TCP implementations also implement anti-spoofing provisions, which is
implementations, resulting in significantly fewer fragmented packets. more difficult to do in a UDP application.
Modern TCP implementations also implement anti-spoofing provisions,
which is more difficult to do in UDP applications.
Transporting RADIUS over TCP means that the RADIUS applications can
leverage these additional protections offered by TCP.
However, there are also some drawbacks to using TCP. RADIUS over TCP
has some drawbacks, as noted in [RFC2865] Section 2.4. [RFC3539]
Section 2 discusses further issues with using TCP as a transport for
Authentication, Authorization, and/or Accounting (AAA) protocols such
as RADIUS.
Specifically, as noted in [RFC3539] Section 2.1, for systems In contrast, use of TCP as a transport between a NAS and a RADIUS
originating low numbers of RADIUS request packets, inter-packet server is usually a poor fit. As noted in [RFC3539] Section 2.1, for
spacing is often larger than the packet RTT. In those situations, systems originating low numbers of RADIUS request packets, inter-
RADIUS over TCP SHOULD NOT be used. packet spacing is often larger than the packet RTT, meaning that, the
congestion window will typically stay below the minimum value on a
long-term basis. The result is an increase in packets due to ACKs as
compared to UDP, without a corresponding set of benefits. In
addition, the lack of substantial traffic implies the need for
additional watchdog traffic to confirm reachability.
In general, RADIUS clients generating small amounts of RADIUS traffic As a result, the objections to reliable transport indicated in
SHOULD NOT use TCP. This suggestion will usually apply to most [RFC2865] Section 2.4 continue to apply to NAS-RADIUS server
NASes, and to most clients that originate CoA-Request and Disconnect- communications and UDP SHOULD continue to be used as the transport
Request packets. protocol in this scenario. In addition, it is recommended that
implementations of "RADIUS Dynamic AUthorization Extensions"
[RFC5176] SHOULD continue to utilize UDP transport, since the volume
of dynamic authorization traffic is usually expected to be small.
RADIUS over TCP is most applicable to RADIUS proxies that exchange a Since "bare" TCP does not provide for confidentiality or enable
large volume of packets with RADIUS clients and servers (10's to negotiation of credible ciphersuites, its use is not appropriate for
1000's of packets per second). In those situations, RADIUS over TCP inter-server communications where strong security is required. As a
may be a good fit, and may result in increased network stability and result the use of "bare" TCP transport (i.e. without additional
performance. confidentiality and security) is NOT RECOMMENDED for use in any
situation, and there has been little or no operational experience
with it.
1.2. Terminology 1.2. Terminology
This document uses the following terms: This document uses the following terms:
RADIUS client RADIUS client
A device that provides an access service for a user to a network. A device that provides an access service for a user to a network.
Also referred to as a Network Access Server, or NAS. Also referred to as a Network Access Server, or NAS.
RADIUS server RADIUS server
skipping to change at page 7, line 29 skipping to change at page 7, line 23
Access-Challenge, Accounting-Response, CoA-ACK, etc. Access-Challenge, Accounting-Response, CoA-ACK, etc.
1.3. Requirements Language 1.3. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Changes to RADIUS 2. Changes to RADIUS
Adding TCP as a RADIUS transport has a number of impacts on the RADIUS over TCP involves sending RADIUS application messages over a
protocol, on applications using the protocol, and on networks that TCP connection. In the sections that follow, we discuss the
deploy the protocol. In short, RADIUS over TCP is little more than implications for the RADIUS packet format (Section 2.1), port usage
sending RADIUS formatted messages over a TCP connection. (Section 2.2), RADIUS MIBs (Section 2.3) and RADIUS proxies (Section
2.5). TCP-specific issues are discussed in Section 2.6.
As always, there are additional details that need to be discussed.
This section outlines the various impacts of using RADIUS over TCP,
and the discusses the proposal in more detail.
2.1. Packet Format 2.1. Packet Format
The RADIUS packet format is unchanged from [RFC2865], [RFC2866], and The RADIUS packet format is unchanged from [RFC2865], [RFC2866], and
[RFC5176]. Specifically, all of the following portions of RADIUS [RFC5176]. Specifically, all of the following portions of RADIUS
MUST be unchanged when using RADIUS over TCP: MUST be unchanged when using RADIUS over TCP:
* Packet format * Packet format
* Permitted codes * Permitted codes
* Request Authenticator calculation * Request Authenticator calculation
* Response Authenticator calculation * Response Authenticator calculation
* Minimum packet length * Minimum packet length
* Maximum packet length * Maximum packet length
* Attribute format * Attribute format
* Vendor-Specific Attribute (VSA) format * Vendor-Specific Attribute (VSA) format
* Permitted data types * Permitted data types
* Calculations of dynamic attributes such as CHAP-Challenge, * Calculations of dynamic attributes such as CHAP-Challenge,
or Message-Authenticator. or Message-Authenticator.
* Calculation of "encrypted" attributes such as Tunnel-Password. * Calculation of "encrypted" attributes such as Tunnel-Password.
The use of TLS/TCP transport does not change the calculation of
security-related fields (such as the Response-Authenticator) in
RADIUS [RFC2865] or RADIUS Dynamic Authorization [RFC5176].
Calculation of attributes such as User-Password [RFC2865] or Message-
Authenticator [RFC3579] also does not change.
Clients and servers MUST be able to store and manage shared secrets
based on the key described above, of (IP address, port, transport
protocol).
The changes to RADIUS implementations required to implement this The changes to RADIUS implementations required to implement this
specification are largely limited to the portions that send and specification are largely limited to the portions that send and
receive packets on the network. receive packets on the network.
2.2. Assigned Ports for RADIUS Over TCP 2.2. Assigned Ports for RADIUS Over TCP
IANA has already assigned TCP ports for RADIUS transport, as outlined IANA has already assigned TCP ports for RADIUS and RTLS transport, as
below: outlined below:
* radius 1812/tcp * radius 1812/tcp
* radius-acct 1813/tcp * radius-acct 1813/tcp
* radius-dynauth 3799/tcp * radius-dynauth 3799/tcp
* radsec 2083/tcp
These ports are unused by existing RADIUS applications. Since these ports are unused by existing RADIUS implementations, the
Implementations SHOULD use the assigned values as the default ports assigned values SHOULD be used as the default ports for RADIUS over
for RADIUS over TCP. TCP.
The early deployment of RADIUS was done using UDP port number 1645, The early deployment of RADIUS was done using UDP port number 1645,
which conflicts with the "datametrics" service. Implementations which conflicts with the "datametrics" service. Implementations
using RADIUS over TCP MUST NOT use TCP ports 1645 or 1646 as the using RADIUS over TCP MUST NOT use TCP ports 1645 or 1646 as the
default ports for this specification. default ports for this specification.
The "radsec" port (2083/tcp) SHOULD be used as the default port for
RTLS. The "radius" port (1812/tcp) SHOULD NOT be used for RTLS.
2.3. Management Information Base (MIB) 2.3. Management Information Base (MIB)
The MIB Module definitions in [RFC4668], [RFC4669], [RFC4670], The MIB Module definitions in [RFC4668], [RFC4669], [RFC4670],
[RFC4671], [RFC4672], and [RFC4673] each contain only one reference [RFC4671], [RFC4672], and [RFC4673] each contain only one reference
to UDP. These references are in the DESCRIPTION field of the MIB to UDP. These references are in the DESCRIPTION field of the MIB
Module definition, and are in the form of "The UDP port" or "the UDP Module definition, and are in the form of "The UDP port" or "the UDP
destination port". destination port".
Implementations of RADIUS over TCP SHOULD re-use these MIB Modules to Implementations of RADIUS over TCP SHOULD re-use these MIB Modules to
perform statistics counting for RADIUS over TCP connections. perform statistics counting for RADIUS over TCP connections.
skipping to change at page 9, line 7 skipping to change at page 9, line 10
are identical to the RADIUS services offered over TCP on a particular are identical to the RADIUS services offered over TCP on a particular
IP address and the same (numerical) port. IP address and the same (numerical) port.
Implementations of RADIUS over TCP SHOULD include the protocol (UDP) Implementations of RADIUS over TCP SHOULD include the protocol (UDP)
or (TCP) in the radiusAuthServIdent, radiusAuthClientID, or (TCP) in the radiusAuthServIdent, radiusAuthClientID,
radiusAuthClientIdentifier, radiusAccServIdent, radiusAccClientID, or radiusAuthClientIdentifier, radiusAccServIdent, radiusAccClientID, or
radiusAccClientIdentifier fields of the MIB Module. This information radiusAccClientIdentifier fields of the MIB Module. This information
can help the administrator distinguish capabilities of systems in the can help the administrator distinguish capabilities of systems in the
network. network.
2.4. Interaction with RADIUS over TLS 2.4. Detecting Live Servers
IANA has already assigned TCP ports for RadSec (i.e. RADIUS over TLS
over TCP), as outlined below:
* radsec 2083/tcp
This value SHOULD be used as the default port for RADIUS over TLS.
The "radius" port (1812/tcp) SHOULD NOT be used for RADIUS over TLS.
2.5. RADIUS Proxies
As RADIUS is a "hop by hop" protocol, a RADIUS proxy effectively As RADIUS is a "hop by hop" protocol, a RADIUS proxy effectively
shields the client from any information about downstream servers. shields the client from any information about downstream servers.
While the client may be able to deduce the operational state of the While the client may be able to deduce the operational state of the
local server (i.e. proxy), it cannot make any determination about the local server (i.e. proxy), it cannot make any determination about the
operational state of the downstream servers. operational state of the downstream servers.
If a request is proxied through intermediate proxies, it is not Within RADIUS as defined in [RFC2865], proxies typically only forward
possible to detect which of the later hops is responsible for the traffic between the NAS and RADIUS server, and do not generate their
absence of a reply. An intermediate proxy also cannot signal that own responses. As a result, when a NAS does not receive a response
the outage lies in a later hop because RADIUS does not have the to a request, this could be the result of packet loss between the NAS
ability to carry such signalling information. This issue is further and proxy, a problem on the proxy, loss between the RADIUS proxy and
exacerbated by some proxy implementations that do not reply to a server, or a problem with the server.
client if they do not receive a reply to a proxied request.
When UDP was used as a transport protocol, the absence of a reply can When UDP was used as a transport protocol, the absence of a reply can
cause a client to deduce (incorrectly) that the proxy is unavailable. cause a client to deduce (incorrectly) that the proxy is unavailable.
The client could then fail over to another server, or conclude that The client could then fail over to another server, or conclude that
no "live" servers are available (OKAY state in [RFC3539] Appendix A). no "live" servers are available (OKAY state in [RFC3539] Appendix A).
This situation is made even worse when requests are sent through a This situation is made even worse when requests are sent through a
proxy to multiple destinations. Failures in one destination may proxy to multiple destinations. Failures in one destination may
result in service outages for other destinations, if the client result in service outages for other destinations, if the client
erroneously believes that the proxy is unresponsive. erroneously believes that the proxy is unresponsive.
For RADIUS over TCP, the continued existence of the TCP connection For RADIUS over TLS/TCP, it is RECOMMENDED that implementations
SHOULD be used to deduce that the service on the other end of the utilize the existence of a TCP connection along with the application
connection is still responsive. Further, the application layer layer watchdog defined in [RFC3539] Section 3.4 to determine that the
watchdog defined in [RFC3539] Section 3.4 enables clients to server is "live".
determine that the server is "live", even though it may not have
responded recently to non-watchdog requests.
RADIUS clients using RADIUS over TCP MUST mark a connection DOWN if RADIUS clients using RADIUS over TCP MUST mark a connection DOWN if
the network stack indicates that the connection is no longer active. the network stack indicates that the connection is no longer active.
If the network stack indicates that connection is still active, If the network stack indicates that connection is still active,
Clients MUST NOT decide that it is down until the application layer Clients MUST NOT decide that it is down until the application layer
watchdog algorithm has marked it DOWN ([RFC3539] Appendix A). RADIUS watchdog algorithm has marked it DOWN ([RFC3539] Appendix A). RADIUS
clients using RADIUS over TCP MUST NOT decide that a RADIUS server is clients using RADIUS over TCP MUST NOT decide that a RADIUS server is
unresponsive until all TCP connections to it have been marked DOWN. unresponsive until all TCP connections to it have been marked DOWN.
The above requirements do not forbid the practice of a client pro- The above requirements do not forbid the practice of a client pro-
actively closing connections, or marking a server as DOWN due to an actively closing connections, or marking a server as DOWN due to an
administrative decision. administrative decision.
2.5. Congestion Control Issues
Additional issues with RADIUS proxies involve transport protocol Additional issues with RADIUS proxies involve transport protocol
changes where the proxy receives packets on one transport protocol, changes where the proxy receives packets on one transport protocol,
and forwards them on a different transport protocol. There are and forwards them on a different transport protocol. There are
several situations in which the law of "conservation of packets" several situations in which the law of "conservation of packets"
could be violated on an end-to-end basis (e.g. where more packets could be violated on an end-to-end basis (e.g. where more packets
could enter the system than could leave it on a short-term basis): could enter the system than could leave it on a short-term basis):
* Where TCP is used between proxies, it is possible that the * Where TCP is used between proxies, it is possible that the
bandwidth consumed by incoming UDP packets destined to a given bandwidth consumed by incoming UDP packets destined to a given
upstream server could exceed the sending rate of a single TCP upstream server could exceed the sending rate of a single TCP
skipping to change at page 10, line 42 skipping to change at page 10, line 36
Intrinsically, proxy systems operate with multiple control loops Intrinsically, proxy systems operate with multiple control loops
instead of one end-to-end loop, and so are less stable. This is true instead of one end-to-end loop, and so are less stable. This is true
even for TCP-TCP proxies. As discussed in [RFC3539], the only way to even for TCP-TCP proxies. As discussed in [RFC3539], the only way to
achieve stability equivalent to a single TCP connection is to mimic achieve stability equivalent to a single TCP connection is to mimic
the end-to-end behavior of a single TCP connection. This typically the end-to-end behavior of a single TCP connection. This typically
is not achievable with an application-layer RADIUS implementation, is not achievable with an application-layer RADIUS implementation,
regardless of transport. regardless of transport.
2.6. TCP Specific Issues 2.6. TCP Specific Issues
The guidelines defined in [RFC3539] for implementing an AAA protocol The guidelines defined in [RFC3539] for implementing a AAA protocol
operating over a reliable transport MUST be followed by implementors over reliable transport are applicable to RADIUS over TLS/TCP.
of this specification.
The Application Layer Watchdog defined in [RFC3539] Section 3.4 MUST The Application Layer Watchdog defined in [RFC3539] Section 3.4 MUST
be used. The Status-Server packet [STATUS] MUST be used as the be used. The Status-Server packet [STATUS] MUST be used as the
application layer watchdog message. Implementations MUST reserve one application layer watchdog message. Implementations MUST reserve one
RADIUS ID per connection for the application layer watchdog message. RADIUS ID per connection for the application layer watchdog message.
This restriction is described further below in Section 2.6.4. This restriction is described further below in Section 2.6.4.
Implementations MUST NOT confuse UDP and TCP transport. That is, RADIUS over TLS/TCP Implementations MUST support receiving RADIUS
RADIUS clients and servers MUST be treated as unique based on a key packets over both UDP and TLS/TCP transports originating from the
of the three-tuple (IP address, port, transport protocol). same endpoint. RADIUS packets received over UDP MUST be replied to
Implementations MUST permit different shared secrets to be used for over UDP; RADIUS packets received over TLS/TCP MUST be replied to
UDP and TCP connections to the same destination IP address and over TLS/TCP. That is, RADIUS clients and servers MUST be treated as
numerical port. unique based on a key of the three-tuple (IP address, port, transport
protocol). Implementations MUST permit different shared secrets to
be used for UDP and TCP connections to the same destination IP
address and numerical port.
This requirement does not forbid the traditional practice of using This requirement does not forbid the traditional practice of using
primary and secondary servers in a fail-over relationship. Instead, primary and secondary servers in a fail-over relationship. Instead,
it requires that two services sharing an IP address and numerical it requires that two services sharing an IP address and numerical
port, but differing in transport protocol, MUST be treated as port, but differing in transport protocol, MUST be treated as
independent services for the purpose of fail-over, load-balancing, independent services for the purpose of fail-over, load-balancing,
etc. etc.
Whenever the underlying network stack permits the use of TCP Whenever the underlying network stack permits the use of TCP
keepalive socket options, their use is RECOMMENDED. keepalive socket options, their use is RECOMMENDED.
skipping to change at page 12, line 36 skipping to change at page 12, line 31
Other specifications give additional situations where the packet is Other specifications give additional situations where the packet is
to be considered as a new request. Those recommendations MUST also to be considered as a new request. Those recommendations MUST also
be followed. be followed.
2.6.2. Head of Line Blocking 2.6.2. Head of Line Blocking
When using UDP as a transport for RADIUS, there is no ordering of When using UDP as a transport for RADIUS, there is no ordering of
packets. If a packet sent by a client is lost, that loss has no packets. If a packet sent by a client is lost, that loss has no
effect on subsequent packets sent by that client. effect on subsequent packets sent by that client.
Unlike UDP, TCP is subject to issues related to Head of Line (HoL) Unlike UDP, TLS/TCP is subject to issues related to Head of Line
blocking. This occurs when when a TCP segment is lost and a (HoL) blocking. This occurs when when a TLS/TCP segment is lost and
subsequent TCP segment arrives out of order. While the RADIUS server a subsequent TLS/TCP segment arrives out of order. While the RADIUS
can process RADIUS packets out of order, the semantics of TCP makes server can process RADIUS packets out of order, the semantics of
this impossible. This limitation can lower the maximum packet TLS/TCP makes this impossible. This limitation can lower the maximum
processing rate of RADIUS over TCP. packet processing rate of RADIUS over TLS/TCP.
2.6.3. Shared Secrets 2.6.3. Shared Secrets
The use of shared secrets in calculating the Response Authenticator, The use of TLS/TCP transport does not change the calculation of
and other attributes such as User-Password or Message-Authenticator security-related fields (such as the Response-Authenticator) in
[RFC3579] MUST be unchanged from previous specifications. RADIUS [RFC2865] or RADIUS Dynamic Authorization [RFC5176].
Calculation of attributes such as User-Password [RFC2865] or Message-
Authenticator [RFC3579] also does not change.
Clients and servers MUST be able to store and manage shared secrets Clients and servers MUST be able to store and manage shared secrets
based on the key described above, of (IP address, port, transport based on the key described above, of (IP address, port, transport
protocol). protocol).
2.6.4. Malformed Packets and Unknown Clients 2.6.4. Malformed Packets and Unknown Clients
The RADIUS specifications ([RFC2865], etc.) say that an The RADIUS specifications ([RFC2865], etc.) say that an
implementation should "silently discard" a packet in a number of implementation should "silently discard" a packet in a number of
circumstances. This action has no further consequences for UDP circumstances. This action has no further consequences for UDP
skipping to change at page 13, line 38 skipping to change at page 13, line 38
* Packet that has an Attribute "length" field has value of zero * Packet that has an Attribute "length" field has value of zero
or one (0 or 1). or one (0 or 1).
* Packet where the attributes do not exactly fill the packet * Packet where the attributes do not exactly fill the packet
* Packet where the Request Authenticator fails validation * Packet where the Request Authenticator fails validation
(where validation is required). (where validation is required).
* Packet where the Response Authenticator fails validation * Packet where the Response Authenticator fails validation
(where validation is required). (where validation is required).
* Packet where the Message-Authenticator attribute fails * Packet where the Message-Authenticator attribute fails
validation (when it occurs in a packet). validation (when it occurs in a packet).
TCP connections MAY be closed if any of the circumstances outlined After applying the above rules, there are still situations where the
below are seen. Alternatively, the TCP connection MAY remain open if previous specifications allow a packet to be "silently discarded".
any of the following circumstances are seen, but the invalid packet In these situations, the TCP connections MAY remain open, or MAY be
MUST BE silently discarded. closed, as an implementation choice. However, the invalid packet
MUST be silently discarded.
* Packet with an invalid code field * Packet with an invalid code field
* Response packets that do not match any outstanding request * Response packets that do not match any outstanding request
These requirements minimize the possibility for a misbehaving client These requirements minimize the possibility for a misbehaving client
or server to wreak havoc on the network. or server to wreak havoc on the network.
2.6.5. Limitations of the ID Field 2.6.5. Limitations of the ID Field
The RADIUS ID field is one octet in size. As a result, any one TCP The RADIUS ID field is one octet in size. As a result, any one TCP
skipping to change at page 17, line 5 skipping to change at page 17, line 5
4673, August 2006. 4673, August 2006.
[RFC5080] Nelson, D. and DeKok, A, "Common Remote Authentication Dial In [RFC5080] Nelson, D. and DeKok, A, "Common Remote Authentication Dial In
User Service (RADIUS) Implementation Issues and Suggested User Service (RADIUS) Implementation Issues and Suggested
Fixes", RFC 5080, December 2007. Fixes", RFC 5080, December 2007.
[RFC5176] Chiba, M. et al., "Dynamic Authorization Extensions to Remote [RFC5176] Chiba, M. et al., "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", RFC 5176, Authentication Dial In User Service (RADIUS)", RFC 5176,
January 2008. January 2008.
[RFC5216] Simon, D., etc al., "The EAP-TLS Authentication Protocol", RFC
5216, March 2008.
[STATUS] DeKok, A., "Use of Status-Server Packets in the Remote [STATUS] DeKok, A., "Use of Status-Server Packets in the Remote
Authentication Dial In User Service (RADIUS) Protocol", draft- Authentication Dial In User Service (RADIUS) Protocol", draft-
ietf-radext-status-server-04.txt, October 2009 (work in ietf-radext-status-server-06.txt, February 2010 (work in
progress). progress).
[RTLS] Winter, S. et. al., "TLS encryption for RADIUS over TCP [RTLS] Winter, S. et. al., "TLS encryption for RADIUS over TCP
(RadSec)", draft-ietf-radext-radsec-05.txt, July 2009 (work in (RadSec)", draft-ietf-radext-radsec-05.txt, July 2009 (work in
progress). progress).
Acknowledgments Acknowledgments
None at this time. None at this time.
 End of changes. 36 change blocks. 
166 lines changed or deleted 173 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/