draft-ietf-radext-tcp-transport-09.txt   rfc6613.txt 
Network Working Group A. DeKok Internet Engineering Task Force (IETF) A. DeKok
INTERNET-DRAFT FreeRADIUS Request for Comments: 6613 FreeRADIUS
Category: Experimental Category: Experimental May 2012
<draft-ietf-radext-tcp-transport-09.txt> ISSN: 2070-1721
Expires: April 12, 2011
12 October 2010
RADIUS Over TCP RADIUS over TCP
draft-ietf-radext-tcp-transport-09
Abstract Abstract
The Remote Authentication Dial In User Server (RADIUS) Protocol has The Remote Authentication Dial-In User Server (RADIUS) protocol has,
until now required the User Datagram Protocol (UDP) as the underlying until now, required the User Datagram Protocol (UDP) as the
transport layer. This document defines RADIUS over the Transmission underlying transport layer. This document defines RADIUS over the
Control Protocol (RADIUS/TCP), in order to address handling issues Transmission Control Protocol (RADIUS/TCP), in order to address
related to RADIUS over Transport Layer Security (RADIUS/TLS). It handling issues related to RADIUS over Transport Layer Security
permits TCP to be used as a transport protocol for RADIUS only when a (RADIUS/TLS). It permits TCP to be used as a transport protocol for
transport layer such as TLS or IPsec provides confidentialy and RADIUS only when a transport layer such as TLS or IPsec provides
security. confidentiality and security.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with
the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Status of This Memo
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six This document is not an Internet Standards Track specification; it is
months and may be updated, replaced, or obsoleted by other published for examination, experimental implementation, and
documents at any time. It is inappropriate to use Internet-Drafts evaluation.
as reference material or to cite them other than as "work in
progress."
The list of current Internet-Drafts can be accessed at This document defines an Experimental Protocol for the Internet
http://www.ietf.org/ietf/1id-abstracts.txt. community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are a candidate for any level of
Internet Standard; see Section 2 of RFC 5741.
The list of Internet-Draft Shadow Directories can be accessed at Information about the current status of this document, any errata,
http://www.ietf.org/shadow.html. and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6613.
This Internet-Draft will expire on April 12, 2011 Copyright Notice
Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info/) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with carefully, as they describe your rights and restrictions with respect
respect to this document. Code Components extracted from this to this document. Code Components extracted from this document must
document must include Simplified BSD License text as described in include Simplified BSD License text as described in Section 4.e of
Section 4.e of the Trust Legal Provisions and are provided without the Trust Legal Provisions and are provided without warranty as
warranty as described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction ............................................. 4 1. Introduction ....................................................3
1.1. Applicability of Reliable Transport ................. 5 1.1. Applicability of Reliable Transport ........................4
1.2. Terminology ......................................... 6 1.2. Terminology ................................................6
1.3. Requirements Language ............................... 7 1.3. Requirements Language ......................................6
2. Changes to RADIUS ........................................ 7 2. Changes to RADIUS ...............................................6
2.1. Packet Format ....................................... 8 2.1. Packet Format ..............................................7
2.2. Assigned Ports for RADIUS/TCP ....................... 8 2.2. Assigned Ports for RADIUS/TCP ..............................7
2.3. Management Information Base (MIB) ................... 9 2.3. Management Information Base (MIB) ..........................8
2.4. Detecting Live Servers .............................. 9 2.4. Detecting Live Servers .....................................8
2.5. Congestion Control Issues ........................... 10 2.5. Congestion Control Issues ..................................9
2.6. TCP Specific Issues ................................. 10 2.6. TCP Specific Issues ........................................9
2.6.1. Duplicates and Retransmissions ................. 11 2.6.1. Duplicates and Retransmissions .....................10
2.6.2. Head of Line Blocking .......................... 12 2.6.2. Head of Line Blocking ..............................11
2.6.3. Shared Secrets ................................. 12 2.6.3. Shared Secrets .....................................11
2.6.4. Malformed Packets and Unknown Clients .......... 12 2.6.4. Malformed Packets and Unknown Clients ..............12
2.6.5. Limitations of the ID Field .................... 13 2.6.5. Limitations of the ID Field ........................13
2.6.6. EAP Sessions ................................... 14 2.6.6. EAP Sessions .......................................13
2.6.7. TCP Applications are not UDP Applications ...... 15 2.6.7. TCP Applications Are Not UDP Applications ..........14
3. Diameter Considerations .................................. 15 3. Diameter Considerations ........................................14
4. IANA Considerations ...................................... 15 4. Security Considerations ........................................14
5. Security Considerations .................................. 15 5. References .....................................................15
6. References ............................................... 16 5.1. Normative References ......................................15
6.1. Normative References ................................ 16 5.2. Informative References ....................................15
6.2. Informative References .............................. 16
1. Introduction 1. Introduction
The RADIUS Protocol is defined in [RFC2865] as using the User The RADIUS protocol is defined in [RFC2865] as using the User
Datagram Protocol (UDP) for the underlying transport layer. While Datagram Protocol (UDP) for the underlying transport layer. While
there are a number of benefits to using UDP as outlined in [RFC2865] there are a number of benefits to using UDP as outlined in [RFC2865],
Section 2.4, there are also some limitations: Section 2.4, there are also some limitations:
* Unreliable transport. As a result, systems using RADIUS have to * Unreliable transport. As a result, systems using RADIUS have
implement application-layer timers and re-transmissions, as to implement application-layer timers and retransmissions, as
described in [RFC5080] Section 2.2.1. described in [RFC5080], Section 2.2.1.
* Packet fragmentation. [RFC2865] Section 3 permits RADIUS * Packet fragmentation. [RFC2865], Section 3, permits RADIUS
packets up to 4096 octets in length. These packets are larger packets up to 4096 octets in length. These packets are larger
than the common Internet MTU (576), resulting in fragmentation of than the common Internet MTU (576), resulting in fragmentation
the packets at the IP layer when they are proxied over the of the packets at the IP layer when they are proxied over the
Internet. Transport of fragmented UDP packets appears to be a Internet. Transport of fragmented UDP packets appears to be a
poorly tested code path on network devices. Some devices appear poorly tested code path on network devices. Some devices
to be incapable of transporting fragmented UDP packets, making it appear to be incapable of transporting fragmented UDP packets,
difficult to deploy RADIUS in a network where those devices are making it difficult to deploy RADIUS in a network where those
deployed. devices are deployed.
* Connectionless transport. Neither clients nor servers receive * Connectionless transport. Neither clients nor servers receive
positive statements that a "connection" is down. This information positive statements that a "connection" is down. This
has to be deduced instead from the absence of a reply to a information has to be deduced instead from the absence of a
request. reply to a request.
* Lack of congestion control. Clients can send arbitrary amounts * Lack of congestion control. Clients can send arbitrary amounts
of traffic with little or no feedback. This lack of feedback can of traffic with little or no feedback. This lack of feedback
result in congestive collapse of the network. can result in congestive collapse of the network.
RADIUS has been widely deployed for well over a decade, and continues RADIUS has been widely deployed for well over a decade and continues
to be widely deployed. Experience shows that these issues have been to be widely deployed. Experience shows that these issues have been
minor in some use-cases, and problematic in others. For use-cases minor in some use cases and problematic in others. For use cases
such as inter-server proxying, an alternative transport and security such as inter-server proxying, an alternative transport and security
model -- RADIUS/TLS, as defined in [RADIUS/TLS]. That document model -- RADIUS/TLS, is defined in [RFC6614]. That document
describes the transport implications of running RADIUS/TLS. describes the transport implications of running RADIUS/TLS.
The choice of TCP as a transport protocol is largely driven by the The choice of TCP as a transport protocol is largely driven by the
desire to improve the security of RADIUS by using RADIUS/TLS. For desire to improve the security of RADIUS by using RADIUS/TLS. For
practical reasons, the transport protocol (TCP) is defined separately practical reasons, the transport protocol (TCP) is defined separately
from the security mechanism (TLS). from the security mechanism (TLS).
Since "bare" TCP does not provide for confidentiality or enable Since "bare" TCP does not provide for confidentiality or enable
negotiation of credible ciphersuites, its use is not appropriate for negotiation of credible ciphersuites, its use is not appropriate for
inter-server communications where strong security is required. As a inter-server communications where strong security is required. As a
result "bare" TCP transport MUST NOT be used without TLS, IPsec, or result, "bare" TCP transport MUST NOT be used without TLS, IPsec, or
other secure upper layer. another secure upper layer.
"Bare" TCP transport MAY, however, be used when another method such However, "bare" TCP transport MAY be used when another method such as
as IPSec [RFC4301] is used to provide additional confidentiality and IPsec [RFC4301] is used to provide additional confidentiality and
security. Should experience show that such deployments are useful, security. Should experience show that such deployments are useful,
this specification could be moved to standards track. this specification could be moved to the Standards Track.
1.1. Applicability of Reliable Transport 1.1. Applicability of Reliable Transport
The intent of this document is to address transport issues related to The intent of this document is to address transport issues related to
RADIUS/TLS [RADIUS/TLS] in inter-server communications scenarios, RADIUS/TLS [RFC6614] in inter-server communications scenarios, such
such as inter-domain communication between proxies. These situations as inter-domain communication between proxies. These situations
benefit from the confidentiality and ciphersuite negotiation that can benefit from the confidentiality and ciphersuite negotiation that can
be provided by TLS. Since TLS is already widely available within the be provided by TLS. Since TLS is already widely available within the
operating systems used by proxies, implementation barriers are low. operating systems used by proxies, implementation barriers are low.
In scenarios where RADIUS proxies exchange a large volume of packets, In scenarios where RADIUS proxies exchange a large volume of packets,
it is likely that there will be sufficient traffic to enable the it is likely that there will be sufficient traffic to enable the
congestion window to be widened beyond the minimum value on a long- congestion window to be widened beyond the minimum value on a long-
term basis, enabling ACK piggy-backing. Through use of an term basis, enabling ACK piggybacking. Through use of an
application-layer watchdog as described in [RFC3539], it is possible application-layer watchdog as described in [RFC3539], it is possible
to address the objections to reliable transport described in to address the objections to reliable transport described in
[RFC2865] Section 2.4 without substantial watchdog traffic, since [RFC2865], Section 2.4, without substantial watchdog traffic, since
regular traffic is expected in both directions. regular traffic is expected in both directions.
In addition, use of RADIUS/TLS has been found to improve operational In addition, use of RADIUS/TLS has been found to improve operational
performance when used with multi-round trip authentication mechanisms performance when used with multi-round-trip authentication mechanisms
such as EAP over RADIUS [RFC3579]. In such exchanges, it is typical such as the Extensible Authentication Protocol (EAP) over RADIUS
for EAP fragmentation to increase the number of round-trips required. [RFC3579]. In such exchanges, it is typical for EAP fragmentation to
For example, where EAP-TLS authentication [RFC5216] is attempted and increase the number of round trips required. For example, where EAP-
both the EAP peer and server utilize certificate chains of 8KB, as TLS authentication [RFC5216] is attempted and both the EAP peer and
many as 15 round-trips can be required if RADIUS packets are server utilize certificate chains of 8 KB, as many as 15 round trips
restricted to the common Ethernet MTU (1500 octets) for EAP over LAN can be required if RADIUS packets are restricted to the common
(EAPoL) use-cases. Fragmentation of RADIUS/UDP packets is generally Ethernet MTU (1500 octets) for EAP over LAN (EAPoL) use cases.
inadvisable due to lack of fragmentation support within intermediate Fragmentation of RADIUS/UDP packets is generally inadvisable due to
devices such as filtering routers, firewalls and NATs. However, lack of fragmentation support within intermediate devices such as
since RADIUS/UDP implementations typically do not support MTU filtering routers, firewalls, and NATs. However, since RADIUS/UDP
discovery, fragmentation can occur even when the maximum RADIUS/UDP implementations typically do not support MTU discovery, fragmentation
packet size is restricted to 1500 octets. can occur even when the maximum RADIUS/UDP packet size is restricted
to 1500 octets.
These problems disappear if a 4096 application-layer payload can be These problems disappear if a 4096-octet application-layer payload
used alongside RADIUS/TLS. Since most TCP implementations support can be used alongside RADIUS/TLS. Since most TCP implementations
MTU discovery, the TCP MSS is automatically adjusted to account for support MTU discovery, the TCP Maximum Segment Size (MSS) is
the MTU, and the larger congestion window supported by TCP may allow automatically adjusted to account for the MTU, and the larger
multiple TCP segments to be sent within a single window. Even those congestion window supported by TCP may allow multiple TCP segments to
few TCP stacks which do not perform path MTU discovery can already be sent within a single window. Even those few TCP stacks that do
support arbitrary payloads. not perform Path MTU discovery can already support arbitrary
payloads.
Where the MTU for EAP packets is large, RADIUS/EAP traffic required Where the MTU for EAP packets is large, RADIUS/EAP traffic required
for an EAP-TLS authentication with 8KB certificate chains may be for an EAP-TLS authentication with 8-KB certificate chains may be
reduced to 7 round-trips or less, resulting in substantially reduced reduced to 7 round trips or less, resulting in substantially reduced
authentication times. authentication times.
In addition, experience indicates that EAP sessions transported over In addition, experience indicates that EAP sessions transported over
RADIUS/TLS are less likely to abort unsuccessfully. Historically, RADIUS/TLS are less likely to abort unsuccessfully. Historically,
RADIUS over UDP implementations have exhibited poor retransmission RADIUS-over-UDP (see Section 1.2) implementations have exhibited poor
behavior. Some implementations retransmit packets, others do not, retransmission behavior. Some implementations retransmit packets,
and others send new packets rather then performing retransmission. others do not, and others send new packets rather than performing
Some implementations are incapable of detecting EAP retransmissions, retransmission. Some implementations are incapable of detecting EAP
and will instead treat the retransmitted packet as an error. As a retransmissions, and will instead treat the retransmitted packet as
result, within RADIUS/UDP implementations, retransmissions have a an error. As a result, within RADIUS/UDP implementations,
high likeilhood of causing an EAP authentication session to fail. retransmissions have a high likelihood of causing an EAP
For a system with a million logins a day running EAP-TLS mutual authentication session to fail. For a system with a million logins a
authentication with 15 round-trips, and having a packet loss day running EAP-TLS mutual authentication with 15 round trips, and
probability of P=0.01%, we expect that 0.3% of connections will having a packet loss probability of P=0.01%, we expect that 0.3% of
experience at least one lost packet. That is, 3,000 user sessions connections will experience at least one lost packet. That is, 3,000
each day will experience authentication failure. This is an user sessions each day will experience authentication failure. This
unacceptable failure rate for a mass-market network service. is an unacceptable failure rate for a mass-market network service.
Using a reliable transport method such as TCP means that RADIUS Using a reliable transport method such as TCP means that RADIUS
implementations can remove all application-layer retransmissions, and implementations can remove all application-layer retransmissions, and
instead rely on the Operating System (OS) kernel's well-tested TCP instead rely on the Operating System (OS) kernel's well-tested TCP
transport to ensure Path MTU discovery and reliable delivery. Modern transport to ensure Path MTU discovery and reliable delivery. Modern
TCP implementations also implement anti-spoofing provisions, which is TCP implementations also implement anti-spoofing provisions, which is
more difficult to do in a UDP application. more difficult to do in a UDP application.
In contrast, use of TCP as a transport between a NAS and a RADIUS In contrast, use of TCP as a transport between a Network Access
server is usually a poor fit. As noted in [RFC3539] Section 2.1, for Server (NAS) and a RADIUS server is usually a poor fit. As noted in
systems originating low numbers of RADIUS request packets, inter- [RFC3539], Section 2.1, for systems originating low numbers of RADIUS
packet spacing is often larger than the packet RTT, meaning that, the request packets, inter-packet spacing is often larger than the packet
congestion window will typically stay below the minimum value on a Round-Trip Time (RTT), meaning that, the congestion window will
long-term basis. The result is an increase in packets due to ACKs as typically stay below the minimum value on a long-term basis. The
compared to UDP, without a corresponding set of benefits. In result is an increase in packets due to ACKs as compared to UDP,
addition, the lack of substantial traffic implies the need for without a corresponding set of benefits. In addition, the lack of
additional watchdog traffic to confirm reachability. substantial traffic implies the need for additional watchdog traffic
to confirm reachability.
As a result, the objections to reliable transport indicated in As a result, the objections to reliable transport indicated in
[RFC2865] Section 2.4 continue to apply to NAS-RADIUS server [RFC2865], Section 2.4, continue to apply to NAS-RADIUS server
communications and UDP SHOULD continue to be used as the transport communications, and UDP SHOULD continue to be used as the transport
protocol in this scenario. In addition, it is recommended that protocol in this scenario. In addition, it is recommended that
implementations of "RADIUS Dynamic AUthorization Extensions" implementations of RADIUS Dynamic Authorization Extensions [RFC5176]
[RFC5176] SHOULD continue to utilize UDP transport, since the volume SHOULD continue to utilize UDP transport, since the volume of dynamic
of dynamic authorization traffic is usually expected to be small. authorization traffic is usually expected to be small.
1.2. Terminology 1.2. Terminology
This document uses the following terms: This document uses the following terms:
RADIUS client RADIUS client
A device that provides an access service for a user to a network. A device that provides an access service for a user to a network.
Also referred to as a Network Access Server, or NAS. Also referred to as a Network Access Server, or NAS.
RADIUS server RADIUS server
A device that provides one or more of authentication, A device that provides one or more of authentication,
authorization, and/or accounting (AAA) services to a NAS. authorization, and/or accounting (AAA) services to a NAS.
RADIUS proxy RADIUS proxy
A RADIUS proxy acts as a RADIUS server to the NAS, and a RADIUS A RADIUS proxy acts as a RADIUS server to the NAS, and a RADIUS
client to the RADIUS server. client to the RADIUS server.
RADIUS request packet RADIUS request packet
A packet originated by a RADIUS client to a RADIUS server. e.g. A packet originated by a RADIUS client to a RADIUS server. For
Access-Request, Accounting-Request, CoA-Request, or Disconnect- example, Access-Request, Accounting-Request, CoA-Request, or
Request. Disconnect-Request.
RADIUS response packet RADIUS response packet
A packet sent by a RADIUS server to a RADIUS client, in response to A packet sent by a RADIUS server to a RADIUS client, in response
a RADIUS request packet. e.g. Access-Accept, Access-Reject, to a RADIUS request packet. For example, Access-Accept, Access-
Access-Challenge, Accounting-Response, CoA-ACK, etc. Reject, Access-Challenge, Accounting-Response, or CoA-ACK.
RADIUS/UDP RADIUS/UDP
RADIUS over UDP, as defined in [RFC2865]. RADIUS over UDP, as defined in [RFC2865].
RADIUS/TCP RADIUS/TCP
RADIUS over TCP, as defined in this document. RADIUS over TCP, as defined in this document.
RADIUS/TLS RADIUS/TLS
RADIUS over TLS, as defined in [RADIUS/TLS]. RADIUS over TLS, as defined in [RFC6614].
1.3. Requirements Language 1.3. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Changes to RADIUS 2. Changes to RADIUS
RADIUS/TCP involves sending RADIUS application messages over a TCP RADIUS/TCP involves sending RADIUS application messages over a TCP
connection. In the sections that follow, we discuss the implications connection. In the sections that follow, we discuss the implications
for the RADIUS packet format (Section 2.1), port usage (Section 2.2), for the RADIUS packet format (Section 2.1), port usage (Section 2.2),
RADIUS MIBs (Section 2.3) and RADIUS proxies (Section 2.5). TCP- RADIUS MIBs (Section 2.3), and RADIUS proxies (Section 2.5). TCP-
specific issues are discussed in Section 2.6. specific issues are discussed in Section 2.6.
2.1. Packet Format 2.1. Packet Format
The RADIUS packet format is unchanged from [RFC2865], [RFC2866], and The RADIUS packet format is unchanged from [RFC2865], [RFC2866], and
[RFC5176]. Specifically, all of the following portions of RADIUS [RFC5176]. Specifically, all of the following portions of RADIUS
MUST be unchanged when using RADIUS/TCP: MUST be unchanged when using RADIUS/TCP:
* Packet format * Packet format
* Permitted codes * Permitted codes
* Request Authenticator calculation * Request Authenticator calculation
* Response Authenticator calculation * Response Authenticator calculation
* Minimum packet length * Minimum packet length
* Maximum packet length * Maximum packet length
* Attribute format * Attribute format
* Vendor-Specific Attribute (VSA) format * Vendor-Specific Attribute (VSA) format
* Permitted data types * Permitted data types
* Calculations of dynamic attributes such as CHAP-Challenge, * Calculations of dynamic attributes such as CHAP-Challenge, or
or Message-Authenticator. Message-Authenticator.
* Calculation of "encrypted" attributes such as Tunnel-Password. * Calculation of "encrypted" attributes such as Tunnel-Password.
The use of TLS transport does not change the calculation of security- The use of TLS transport does not change the calculation of security-
related fields (such as the Response-Authenticator) in RADIUS related fields (such as the Response-Authenticator) in RADIUS
[RFC2865] or RADIUS Dynamic Authorization [RFC5176]. Calculation of [RFC2865] or RADIUS Dynamic Authorization [RFC5176]. Calculation of
attributes such as User-Password [RFC2865] or Message-Authenticator attributes such as User-Password [RFC2865] or Message-Authenticator
[RFC3579] also does not change. [RFC3579] also does not change.
Clients and servers MUST be able to store and manage shared secrets Clients and servers MUST be able to store and manage shared secrets
based on the key described above, of (IP address, port, transport based on the key described in Section 2.6, of (IP address, port,
protocol). transport protocol).
The changes to RADIUS implementations required to implement this The changes to RADIUS implementations required to implement this
specification are largely limited to the portions that send and specification are largely limited to the portions that send and
receive packets on the network. receive packets on the network.
2.2. Assigned Ports for RADIUS/TCP 2.2. Assigned Ports for RADIUS/TCP
IANA has already assigned TCP ports for RADIUS transport, as outlined IANA has already assigned TCP ports for RADIUS transport, as outlined
below: below:
skipping to change at page 9, line 17 skipping to change at page 8, line 20
The "radsec" port (2083/tcp) SHOULD be used as the default port for The "radsec" port (2083/tcp) SHOULD be used as the default port for
RADIUS/TLS. The "radius" port (1812/tcp) SHOULD NOT be used for RADIUS/TLS. The "radius" port (1812/tcp) SHOULD NOT be used for
RADIUS/TLS. RADIUS/TLS.
2.3. Management Information Base (MIB) 2.3. Management Information Base (MIB)
The MIB Module definitions in [RFC4668], [RFC4669], [RFC4670], The MIB Module definitions in [RFC4668], [RFC4669], [RFC4670],
[RFC4671], [RFC4672], and [RFC4673] are intended to be used for [RFC4671], [RFC4672], and [RFC4673] are intended to be used for
RADIUS over UDP. As such, they do not support RADIUS/TCP, and will RADIUS over UDP. As such, they do not support RADIUS/TCP, and will
need to be updated in the future. Implementations of RADIUS/TCP need to be updated in the future. Implementations of RADIUS/TCP
SHOULD NOT re-use these MIB Modules to perform statistics counting SHOULD NOT reuse these MIB Modules to perform statistics counting for
for RADIUS/TCP connections. RADIUS/TCP connections.
2.4. Detecting Live Servers 2.4. Detecting Live Servers
As RADIUS is a "hop by hop" protocol, a RADIUS proxy shields the As RADIUS is a "hop-by-hop" protocol, a RADIUS proxy shields the
client from any information about downstream servers. While the client from any information about downstream servers. While the
client may be able to deduce the operational state of the local client may be able to deduce the operational state of the local
server (i.e. proxy), it cannot make any determination about the server (i.e., proxy), it cannot make any determination about the
operational state of the downstream servers. operational state of the downstream servers.
Within RADIUS as defined in [RFC2865], proxies typically only forward Within RADIUS, as defined in [RFC2865], proxies typically only
traffic between the NAS and RADIUS server, and do not generate their forward traffic between the NAS and RADIUS server, and they do not
own responses. As a result, when a NAS does not receive a response generate their own responses. As a result, when a NAS does not
to a request, this could be the result of packet loss between the NAS receive a response to a request, this could be the result of packet
and proxy, a problem on the proxy, loss between the RADIUS proxy and loss between the NAS and proxy, a problem on the proxy, loss between
server, or a problem with the server. the RADIUS proxy and server, or a problem with the server.
When UDP is used as a transport protocol, the absence of a reply can When UDP is used as a transport protocol, the absence of a reply can
cause a client to deduce (incorrectly) that the proxy is unavailable. cause a client to deduce (incorrectly) that the proxy is unavailable.
The client could then fail over to another server, or conclude that The client could then fail over to another server or conclude that no
no "live" servers are available (OKAY state in [RFC3539] Appendix A). "live" servers are available (OKAY state in [RFC3539], Appendix A).
This situation is made even worse when requests are sent through a This situation is made even worse when requests are sent through a
proxy to multiple destinations. Failures in one destination may proxy to multiple destinations. Failures in one destination may
result in service outages for other destinations, if the client result in service outages for other destinations, if the client
erroneously believes that the proxy is unresponsive. erroneously believes that the proxy is unresponsive.
For RADIUS/TLS, it is RECOMMENDED that implementations utilize the For RADIUS/TLS, it is RECOMMENDED that implementations utilize the
existence of a TCP connection along with the application layer existence of a TCP connection along with the application-layer
watchdog defined in [RFC3539] Section 3.4 to determine that the watchdog defined in [RFC3539], Section 3.4, to determine that the
server is "live". server is "live".
RADIUS clients using RADIUS/TCP MUST mark a connection DOWN if the RADIUS clients using RADIUS/TCP MUST mark a connection DOWN if the
network stack indicates that the connection is no longer active. If network stack indicates that the connection is no longer active. If
the network stack indicates that connection is still active, Clients the network stack indicates that the connection is still active,
MUST NOT decide that it is down until the application layer watchdog clients MUST NOT decide that it is down until the application-layer
algorithm has marked it DOWN ([RFC3539] Appendix A). RADIUS clients watchdog algorithm has marked it DOWN ([RFC3539], Appendix A).
using RADIUS/TCP MUST NOT decide that a RADIUS server is unresponsive RADIUS clients using RADIUS/TCP MUST NOT decide that a RADIUS server
until all TCP connections to it have been marked DOWN. is unresponsive until all TCP connections to it have been marked
DOWN.
The above requirements do not forbid the practice of a client pro- The above requirements do not forbid the practice of a client
actively closing connections, or marking a server as DOWN due to an proactively closing connections or marking a server as DOWN due to an
administrative decision. administrative decision.
2.5. Congestion Control Issues 2.5. Congestion Control Issues
Additional issues with RADIUS proxies involve transport protocol Additional issues with RADIUS proxies involve transport protocol
changes where the proxy receives packets on one transport protocol, changes where the proxy receives packets on one transport protocol
and forwards them on a different transport protocol. There are and forwards them on a different transport protocol. There are
several situations in which the law of "conservation of packets" several situations in which the law of "conservation of packets"
could be violated on an end-to-end basis (e.g. where more packets could be violated on an end-to-end basis (e.g., where more packets
could enter the system than could leave it on a short-term basis): could enter the system than could leave it on a short-term basis):
* Where TCP is used between proxies, it is possible that the * Where TCP is used between proxies, it is possible that the
bandwidth consumed by incoming UDP packets destined to a given bandwidth consumed by incoming UDP packets destined to a given
upstream server could exceed the sending rate of a single TCP upstream server could exceed the sending rate of a single TCP
connection to that server, based on the window size/RTT estimate. connection to that server, based on the window size/RTT
estimate.
* It is possible for the incoming rate of TCP packets destined to * It is possible for the incoming rate of TCP packets destined to
a given realm to exceed the UDP throughput achievable using the a given realm to exceed the UDP throughput achievable using the
transport guidelines established in [RFC5080]. This could happen, transport guidelines established in [RFC5080]. This could
for example, where the TCP window between proxies has opened, but happen, for example, where the TCP window between proxies has
packet loss is being experienced on the UDP leg, so that the opened, but packet loss is being experienced on the UDP leg, so
effective congestion window on the UDP side is 1. that the effective congestion window on the UDP side is 1.
Intrinsically, proxy systems operate with multiple control loops Intrinsically, proxy systems operate with multiple control loops
instead of one end-to-end loop, and so are less stable. This is true instead of one end-to-end loop, and so they are less stable. This is
even for TCP-TCP proxies. As discussed in [RFC3539], the only way to true even for TCP-TCP proxies. As discussed in [RFC3539], the only
achieve stability equivalent to a single TCP connection is to mimic way to achieve stability equivalent to a single TCP connection is to
the end-to-end behavior of a single TCP connection. This typically mimic the end-to-end behavior of a single TCP connection. This
is not achievable with an application-layer RADIUS implementation, typically is not achievable with an application-layer RADIUS
regardless of transport. implementation, regardless of transport.
2.6. TCP Specific Issues 2.6. TCP Specific Issues
The guidelines defined in [RFC3539] for implementing a AAA protocol The guidelines defined in [RFC3539] for implementing a AAA protocol
over reliable transport are applicable to RADIUS/TLS. over reliable transport are applicable to RADIUS/TLS.
The Application Layer Watchdog defined in [RFC3539] Section 3.4 MUST The application-layer watchdog defined in [RFC3539], Section 3.4,
be used. The Status-Server packet [RFC5997] MUST be used as the MUST be used. The Status-Server packet [RFC5997] MUST be used as the
application layer watchdog message. Implementations MUST reserve one application-layer watchdog message. Implementations MUST reserve one
RADIUS ID per connection for the application layer watchdog message. RADIUS ID per connection for the application-layer watchdog message.
This restriction is described further below in Section 2.6.4. This restriction is described further in Section 2.6.4.
RADIUS/TLS Implementations MUST support receiving RADIUS packets over RADIUS/TLS implementations MUST support receiving RADIUS packets over
both UDP and TLS transports originating from the same endpoint. both UDP and TCP transports originating from the same endpoint.
RADIUS packets received over UDP MUST be replied to over UDP; RADIUS RADIUS packets received over UDP MUST be replied to over UDP; RADIUS
packets received over TLS MUST be replied to over TLS. That is, packets received over TCP MUST be replied to over TCP. That is,
RADIUS clients and servers MUST be treated as unique based on a key RADIUS clients and servers MUST be treated as unique based on a key
of the three-tuple (IP address, port, transport protocol). of the three-tuple (IP address, port, transport protocol).
Implementations MUST permit different shared secrets to be used for Implementations MUST permit different shared secrets to be used for
UDP and TCP connections to the same destination IP address and UDP and TCP connections to the same destination IP address and
numerical port. numerical port.
This requirement does not forbid the traditional practice of using This requirement does not forbid the traditional practice of using
primary and secondary servers in a fail-over relationship. Instead, primary and secondary servers in a failover relationship. Instead,
it requires that two services sharing an IP address and numerical it requires that two services sharing an IP address and numerical
port, but differing in transport protocol, MUST be treated as port, but differing in transport protocol, MUST be treated as
independent services for the purpose of fail-over, load-balancing, independent services for the purpose of failover, load-balancing,
etc. etc.
Whenever the underlying network stack permits the use of TCP Whenever the underlying network stack permits the use of TCP
keepalive socket options, their use is RECOMMENDED. keepalive socket options, their use is RECOMMENDED.
2.6.1. Duplicates and Retransmissions 2.6.1. Duplicates and Retransmissions
As TCP is a reliable transport, implementations MUST NOT retransmit As TCP is a reliable transport, implementations MUST NOT retransmit
RADIUS request packets over a given TCP connection. Similarly, if RADIUS request packets over a given TCP connection. Similarly, if
there is no response to a RADIUS packet over one TCP connection, there is no response to a RADIUS packet over one TCP connection,
implementations MUST NOT retransmit that packet over a different TCP implementations MUST NOT retransmit that packet over a different TCP
connection to the same destination IP address and port, while the connection to the same destination IP address and port, while the
first connection is in the OKAY state ([RFC3539] Appendix A). first connection is in the OKAY state ([RFC3539], Appendix A).
However, if the TCP connection is broken or closed, retransmissions However, if the TCP connection is broken or closed, retransmissions
over new connections are permissible. RADIUS request packets that over new connections are permissible. RADIUS request packets that
have not yet received a response MAY be transmitted by a RADIUS have not yet received a response MAY be transmitted by a RADIUS
client over a new TCP connection. As this procedure involves using a client over a new TCP connection. As this procedure involves using a
new source port, the ID of the packet MAY change. If the ID changes, new source port, the ID of the packet MAY change. If the ID changes,
any security attributes such as Message-Authenticator MUST be any security attributes such as Message-Authenticator MUST be
recalculated. recalculated.
If a TCP connection is broken or closed, any cached RADIUS response If a TCP connection is broken or closed, any cached RADIUS response
packets ([RFC5080] Section 2.2.2) associated with that connection packets ([RFC5080], Section 2.2.2) associated with that connection
MUST be discarded. A RADIUS server SHOULD stop processing of any MUST be discarded. A RADIUS server SHOULD stop the processing of any
requests associated with that TCP connection. No response to these requests associated with that TCP connection. No response to these
requests can be sent over the TCP connection, so any further requests can be sent over the TCP connection, so any further
processing is pointless. This requirement applies not only to RADIUS processing is pointless. This requirement applies not only to RADIUS
servers, but also to proxies. When a client's connection to a proxy servers, but also to proxies. When a client's connection to a proxy
server is closed, there may be responses from a home server that were server is closed, there may be responses from a home server that were
supposed to be sent by the proxy back over that connection to the supposed to be sent by the proxy back over that connection to the
client. Since the client connection is closed, those responses from client. Since the client connection is closed, those responses from
the home server to the proxy server SHOULD be silently discarded by the home server to the proxy server SHOULD be silently discarded by
the proxy. the proxy.
Despite the above discussion, RADIUS servers SHOULD still perform Despite the above discussion, RADIUS servers SHOULD still perform
duplicate detection on received packets, as described in [RFC5080] duplicate detection on received packets, as described in [RFC5080],
Section 2.2.2. This detection can prevent duplicate processing of Section 2.2.2. This detection can prevent duplicate processing of
packets from non-conformant clients. packets from non-conformant clients.
RADIUS packets SHOULD NOT be re-transmitted to the same destination RADIUS packets SHOULD NOT be retransmitted to the same destination IP
IP and numerical port, but over a different transport protocol. and numerical port, but over a different transport protocol. There
There is no guarantee in RADIUS that the two ports are in any way is no guarantee in RADIUS that the two ports are in any way related.
related. This requirement does not, however, forbid the practice of This requirement does not, however, forbid the practice of putting
putting multiple servers into a fail-over or load-balancing pool. In multiple servers into a failover or load-balancing pool. In that
that situation, RADIUS request MAY be retransmitted to another server situation, RADIUS request MAY be retransmitted to another server that
that is known to be part of the same pool. is known to be part of the same pool.
2.6.2. Head of Line Blocking 2.6.2. Head of Line Blocking
When using UDP as a transport for RADIUS, there is no ordering of When using UDP as a transport for RADIUS, there is no ordering of
packets. If a packet sent by a client is lost, that loss has no packets. If a packet sent by a client is lost, that loss has no
effect on subsequent packets sent by that client. effect on subsequent packets sent by that client.
Unlike UDP, TCP is subject to issues related to Head of Line (HoL) Unlike UDP, TCP is subject to issues related to Head of Line (HoL)
blocking. This occurs when when a TCP segment is lost and a blocking. This occurs when a TCP segment is lost and a subsequent
subsequent TCP segment arrives out of order. While the RADIUS server TCP segment arrives out of order. While the RADIUS server can
can process RADIUS packets out of order, the semantics of TCP makes process RADIUS packets out of order, the semantics of TCP makes this
this impossible. This limitation can lower the maximum packet impossible. This limitation can lower the maximum packet processing
processing rate of RADIUS/TCP. rate of RADIUS/TCP.
2.6.3. Shared Secrets 2.6.3. Shared Secrets
The use of TLS transport does not change the calculation of security- The use of TLS transport does not change the calculation of security-
related fields (such as the Response-Authenticator) in RADIUS related fields (such as the Response-Authenticator) in RADIUS
[RFC2865] or RADIUS Dynamic Authorization [RFC5176]. Calculation of [RFC2865] or RADIUS Dynamic Authorization [RFC5176]. Calculation of
attributes such as User-Password [RFC2865] or Message-Authenticator attributes such as User-Password [RFC2865] or Message-Authenticator
[RFC3579] also does not change. [RFC3579] also does not change.
Clients and servers MUST be able to store and manage shared secrets Clients and servers MUST be able to store and manage shared secrets
based on the key described above, of (IP address, port, transport based on the key described above, at the start of this section (i.e.,
protocol). IP address, port, transport protocol).
2.6.4. Malformed Packets and Unknown Clients 2.6.4. Malformed Packets and Unknown Clients
The RADIUS specifications ([RFC2865], etc.) say that an The RADIUS specifications ([RFC2865], and many others) say that an
implementation should "silently discard" a packet in a number of implementation should "silently discard" a packet in a number of
circumstances. This action has no further consequences for UDP circumstances. This action has no further consequences for UDP
transport, as the "next" packet is completely independent of the transport, as the "next" packet is completely independent of the
previous one. previous one.
When TCP is used as a transport, decoding the "next" packet on a When TCP is used as a transport, decoding the "next" packet on a
connection depends on the proper decoding of the previous packet. As connection depends on the proper decoding of the previous packet. As
a result, the behavior with respect to discarded packets has to a result, the behavior with respect to discarded packets has to
change. change.
Implementations of this specification SHOULD treat the "silently Implementations of this specification SHOULD treat the "silently
discard" texts referenced above as "silently discard and close the discard" texts referenced above as "silently discard and close the
connection." That is, the TCP connection MUST be closed if any of connection". That is, the TCP connection MUST be closed if any of
the following circumstances are seen: the following circumstances are seen:
* Connection from an unknown client * Connection from an unknown client
* Packet where the RADIUS "length" field is less than the minimum * Packet where the RADIUS "Length" field is less than the minimum
RADIUS packet length RADIUS packet length
* Packet where the RADIUS "length" field is more than the maximum * Packet where the RADIUS "Length" field is more than the maximum
RADIUS packet length RADIUS packet length
* Packet that has an Attribute "length" field has value of zero * Packet that has an Attribute "Length" field has value of zero
or one (0 or 1). or one (0 or 1)
* Packet where the attributes do not exactly fill the packet * Packet where the attributes do not exactly fill the packet
* Packet where the Request Authenticator fails validation * Packet where the Request Authenticator fails validation (where
(where validation is required). validation is required)
* Packet where the Response Authenticator fails validation * Packet where the Response Authenticator fails validation (where
(where validation is required). validation is required)
* Packet where the Message-Authenticator attribute fails * Packet where the Message-Authenticator attribute fails
validation (when it occurs in a packet). validation (when it occurs in a packet)
After applying the above rules, there are still two situations where After applying the above rules, there are still two situations where
the previous specifications allow a packet to be "silently discarded" the previous specifications allow a packet to be "silently discarded"
on reception: upon receipt:
* Packets with an invalid code field * Packets with an invalid code field
* Response packets that do not match any outstanding request * Response packets that do not match any outstanding request
In these situations, the TCP connections MAY remain open, or MAY be In these situations, the TCP connections MAY remain open, or they MAY
closed, as an implementation choice. However, the invalid packet be closed, as an implementation choice. However, the invalid packet
MUST be silently discarded. MUST be silently discarded.
These requirements reduce the possibility for a misbehaving client or These requirements reduce the possibility for a misbehaving client or
server to wreak havoc on the network. server to wreak havoc on the network.
2.6.5. Limitations of the ID Field 2.6.5. Limitations of the ID Field
The RADIUS ID field is one octet in size. As a result, any one TCP The RADIUS ID field is one octet in size. As a result, any one TCP
connection can have only 256 "in flight" RADIUS packets at a time. connection can have only 256 "in flight" RADIUS packets at a time.
If more than 256 simultaneous "in flight" packets are required, If more than 256 simultaneous "in flight" packets are required,
additional TCP connections will need to be opened. This limitation additional TCP connections will need to be opened. This limitation
is also noted in [RFC3539] Section 2.4. is also noted in [RFC3539], Section 2.4.
An additional limit is the requirement to send a Status-Server packet An additional limit is the requirement to send a Status-Server packet
over the same TCP connection as is used for normal requests. As over the same TCP connection as is used for normal requests. As
noted in [RFC5997], the response to a Status-Server packet is either noted in [RFC5997], the response to a Status-Server packet is either
an Access-Accept or an Accounting-Response. If all IDs were an Access-Accept or an Accounting-Response. If all IDs were
allocated to normal requests, then there would be no free ID to use allocated to normal requests, then there would be no free ID to use
for the Status-Server packet, and it could not be sent over the for the Status-Server packet, and it could not be sent over the
connection. connection.
Implementations SHOULD reserve ID zero (0) on each TCP connection for Implementations SHOULD reserve ID zero (0) on each TCP connection for
skipping to change at page 14, line 26 skipping to change at page 13, line 36
outstanding packets on one connection. However, doing so is a outstanding packets on one connection. However, doing so is a
violation of a fundamental part of the protocol and MUST NOT be done. violation of a fundamental part of the protocol and MUST NOT be done.
Making that extension here is outside of the scope of this Making that extension here is outside of the scope of this
specification. specification.
2.6.6. EAP Sessions 2.6.6. EAP Sessions
When RADIUS clients send EAP requests using RADIUS/TCP, they SHOULD When RADIUS clients send EAP requests using RADIUS/TCP, they SHOULD
choose the same TCP connection for all packets related to one EAP choose the same TCP connection for all packets related to one EAP
session. This practice ensures that EAP packets are transmitted in session. This practice ensures that EAP packets are transmitted in
order, and that problems with any one TCP connection do affect the order, and that problems with any one TCP connection affect the
minimum number of EAP sessions. minimum number of EAP sessions.
A simple method that may work in many situations is to hash the A simple method that may work in many situations is to hash the
contents of the Calling-Station-Id attribute, which normally contains contents of the Calling-Station-Id attribute, which normally contains
the MAC address. The output of that hash can be used to select a the Media Access Control (MAC) address. The output of that hash can
particular TCP connection. be used to select a particular TCP connection.
However, EAP packets for one EAP session can still be transported However, EAP packets for one EAP session can still be transported
from client to server over multiple paths. Therefore, when a server from client to server over multiple paths. Therefore, when a server
receives a RADIUS request containing an EAP request, it MUST be receives a RADIUS request containing an EAP request, it MUST be
processed without considering the transport protocol. For TCP processed without considering the transport protocol. For TCP
transport, it MUST be processed without considering the source port. transport, it MUST be processed without considering the source port.
The algorithm suggested in [RFC5080] Section 2.1.1 SHOULD be used to The algorithm suggested in [RFC5080], Section 2.1.1 SHOULD be used to
track EAP sessions, as it is independent of source port and transport track EAP sessions, as it is independent of the source port and
protocol. transport protocol.
The retransmission requirements of Section 2.6.1, above, MUST be The retransmission requirements of Section 2.6.1, above, MUST be
applied to RADIUS encapsulated EAP packets. That is, EAP applied to RADIUS-encapsulated EAP packets. That is, EAP
retransmissions MUST NOT result in retransmissions of RADIUS packets retransmissions MUST NOT result in retransmissions of RADIUS packets
over a particular TCP connection. EAP retransmissions MAY result in over a particular TCP connection. EAP retransmissions MAY result in
retransmission of RADIUS packets over a different TCP connection, but retransmission of RADIUS packets over a different TCP connection, but
only when the previous TCP connection is marked DOWN. only when the previous TCP connection is marked DOWN.
2.6.7. TCP Applications are not UDP Applications 2.6.7. TCP Applications Are Not UDP Applications
Implementors should be aware that programming a robust TCP Implementors should be aware that programming a robust TCP
application can be very different from programming a robust UDP application can be very different from programming a robust UDP
application. It is RECOMMENDED that implementors of this application. It is RECOMMENDED that implementors of this
specification familiarize themselves with TCP application programming specification familiarize themselves with TCP application programming
concepts. concepts.
Clients and servers SHOULD implement configurable connection limits. Clients and servers SHOULD implement configurable connection limits.
Clients and servers SHOULD implement configurable rate limiting on Clients and servers SHOULD implement configurable limits on
new connections. Allowing an unbounded number or rate of TCP connection lifetime and idle timeouts. Clients and servers SHOULD
connections may result in resource exhaustion. implement configurable rate limiting on new connections. Allowing an
unbounded number or rate of TCP connections may result in resource
exhaustion.
Further discussion of implementation issues is outside of the scope Further discussion of implementation issues is outside of the scope
of this document. of this document.
3. Diameter Considerations 3. Diameter Considerations
This document defines TCP as a transport layer for RADIUS. It This document defines TCP as a transport layer for RADIUS. It
defines no new RADIUS attributes or codes. The only interaction with defines no new RADIUS attributes or codes. The only interaction with
Diameter is in a RADIUS to Diameter, or in a Diameter to RADIUS Diameter is in a RADIUS-to-Diameter, or in a Diameter-to-RADIUS
gateway. The RADIUS side of such a gateway MAY implement RADIUS/TCP, gateway. The RADIUS side of such a gateway MAY implement RADIUS/TCP,
but this change has no effect on Diameter. but this change has no effect on Diameter.
4. IANA Considerations 4. Security Considerations
This document requires no action by IANA.
5. Security Considerations
As the RADIUS packet format, signing, and client verification are As the RADIUS packet format, signing, and client verification are
unchanged from prior specifications, all of the security issues unchanged from prior specifications, all of the security issues
outlined in previous specifications for RADIUS/UDP are also outlined in previous specifications for RADIUS/UDP are also
applicable here. applicable here.
As noted above, clients and servers SHOULD support configurable As noted above, clients and servers SHOULD support configurable
connection limits. Allowing an unlimited number of connections may connection limits. Allowing an unlimited number of connections may
result in resource exhaustion. result in resource exhaustion.
Implementors should consult [RADIUS/TLS] for issues related the Implementors should consult [RFC6614] for issues related to the
security of RADIUS/TLS, and [RFC5246] for issues related to the security of RADIUS/TLS, and [RFC5246] for issues related to the
security of the TLS protocol. security of the TLS protocol.
Since "bare" TCP does not provide for confidentiality or enable Since "bare" TCP does not provide for confidentiality or enable
negotiation of credible ciphersuites, its use is not appropriate for negotiation of credible ciphersuites, its use is not appropriate for
inter-server communications where strong security is required. As a inter-server communications where strong security is required. As a
result "bare" TCP transport MUST NOT be used without TLS, IPsec, or result, "bare" TCP transport MUST NOT be used without TLS, IPsec, or
other secure upper layer. another secure upper layer.
There are no (at this time) other known security issues for RADIUS
over TCP transport.
6. References
6.1. Normative References There are no (at this time) other known security issues for RADIUS-
over-TCP transport.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 5. References
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote 5.1. Normative References
Authentication Dial In User Service (RADIUS)", RFC 2865, June
2000.
[RFC3539] Aboba, B. et al., "Authentication, Authorization and [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Accounting (AAA) Transport Profile", RFC 3539, June 2003. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RADIUS/TLS] [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
Winter, S. et. al., "TLS encryption for RADIUS over TCP "Remote Authentication Dial In User Service (RADIUS)",
(RadSec)", draft-ietf-radext-radsec-07.txt, July 2010 (work in RFC 2865, June 2000.
progress).
[RFC5997] DeKok, A., "Use of Status-Server Packets in the Remote [RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization
Authentication Dial In User Service (RADIUS) Protocol", RFC and Accounting (AAA) Transport Profile", RFC 3539, June
5997, August, 2010. 2003.
6.2. Informative References [RFC5997] DeKok, A., "Use of Status-Server Packets in the Remote
Authentication Dial In User Service (RADIUS) Protocol",
RFC 5997, August 2010.
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. [RFC6614] Winter, S., McCauley, M., Venaas, S., and K. Wierenga,
"Transport Layer Security (TLS) Encryption for RADIUS",
RFC 6614, May 2012.
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial 5.2. Informative References
In User Service) Support For Extensible Authentication
Protocol (EAP)", RFC 3579, September 2003.
[RFC4301] Kent, S. and R. Atkinson, "Security Architecture for the [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
Internet Protocol", RFC 4301, December, 2005.
[RFC4668] Nelson, D, "RADIUS Authentication Client MIB for IPv6", RFC [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
4668, August 2006. Dial In User Service) Support For Extensible
Authentication Protocol (EAP)", RFC 3579, September
2003.
[RFC4669] Nelson, D, "RADIUS Authentication Server MIB for IPv6", RFC [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
4669, August 2006. Internet Protocol", RFC 4301, December 2005.
[RFC4670] Nelson, D, "RADIUS Accounting Client MIB for IPv6", RFC 4670, [RFC4668] Nelson, D., "RADIUS Authentication Client MIB for IPv6",
August 2006. RFC 4668, August 2006.
[RFC4671] Nelson, D, "RADIUS Accounting Server MIB for IPv6", RFC 4671, [RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6",
August 2006. RFC 4669, August 2006.
[RFC4672] Nelson, D, "RADIUS Dynamic Authorization Client MIB", RFC [RFC4670] Nelson, D., "RADIUS Accounting Client MIB for IPv6", RFC
4672, August 2006. 4670, August 2006.
[RFC4673] Nelson, D, "RADIUS Dynamic Authorization Server MIB", RFC [RFC4671] Nelson, D., "RADIUS Accounting Server MIB for IPv6", RFC
4673, August 2006. 4671, August 2006.
[RFC5080] Nelson, D. and DeKok, A, "Common Remote Authentication Dial In [RFC4672] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS
User Service (RADIUS) Implementation Issues and Suggested Dynamic Authorization Client MIB", RFC 4672, September
Fixes", RFC 5080, December 2007. 2006.
[RFC5176] Chiba, M. et al., "Dynamic Authorization Extensions to Remote [RFC4673] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS
Authentication Dial In User Service (RADIUS)", RFC 5176, Dynamic Authorization Server MIB", RFC 4673, September
January 2008. 2006.
[RFC5216] Simon, D., etc al., "The EAP-TLS Authentication Protocol", RFC [RFC5080] Nelson, D. and A. DeKok, "Common Remote Authentication
5216, March 2008. Dial In User Service (RADIUS) Implementation Issues and
Suggested Fixes", RFC 5080, December 2007.
[RFC5246] Dierks, T., Rescorla, E., "The Transport Layer Security (TLS) [RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
Protocol Version 1.2", RFC 5246, August 2008. Aboba, "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", RFC 5176,
January 2008.
Acknowledgments [RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
Authentication Protocol", RFC 5216, March 2008.
None at this time. [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer
Security (TLS) Protocol Version 1.2", RFC 5246, August
2008.
Authors' Addresses Author's Address
Alan DeKok Alan DeKok
The FreeRADIUS Server Project The FreeRADIUS Server Project
http://freeradius.org/ http://freeradius.org/
Email: aland@freeradius.org EMail: aland@freeradius.org
Open issues
Open issues relating to this document are tracked on the following
web site:
http://www.drizzle.com/~aboba/RADEXT/
 End of changes. 111 change blocks. 
354 lines changed or deleted 349 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/