draft-ietf-radext-vlan-00.txt | draft-ietf-radext-vlan-01.txt | |||
---|---|---|---|---|
Network Working Group Paul Congdon | Network Working Group Paul Congdon | |||
INTERNET-DRAFT Mauricio Sanchez | INTERNET-DRAFT Mauricio Sanchez | |||
Category: Proposed Standard Hewlett-Packard Company | Category: Proposed Standard Hewlett-Packard Company | |||
<draft-ietf-radext-vlan-00.txt> Bernard Aboba | <draft-ietf-radext-vlan-01.txt> Bernard Aboba | |||
20 February 2006 Microsoft Corporation | 22 March 2006 Microsoft Corporation | |||
RADIUS VLAN and Priority Attributes | RADIUS Attributes for Virtual LAN and Priority Support | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
Drafts. | Drafts. | |||
skipping to change at page 1, line 32 | skipping to change at page 1, line 32 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on August 10, 2006. | This Internet-Draft will expire on September 10, 2006. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society 2006. | Copyright (C) The Internet Society 2006. | |||
Abstract | Abstract | |||
This document proposes additional attributes for dynamic VLAN | This document proposes additional RADIUS (Remote Authentication Dial | |||
assignment and prioritization, for use by IEEE 802.1X authenticators. | In User Service) attributes for dynamic Virtual LAN assignment and | |||
These attributes are usable within either RADIUS or Diameter. | prioritization, for use by IEEE 802.1X authenticators. These | |||
attributes are usable within either RADIUS or Diameter. | ||||
Table of Contents | Table of Contents | |||
1. Introduction .......................................... 3 | 1. Introduction .......................................... 3 | |||
1.1 Terminology ..................................... 3 | 1.1 Terminology ..................................... 3 | |||
1.2 Requirements Language ........................... 3 | 1.2 Requirements Language ........................... 3 | |||
1.3 Attribute Interpretation ........................ 4 | 1.3 Attribute Interpretation ........................ 4 | |||
2. Attributes ............................................ 4 | 2. Attributes ............................................ 4 | |||
2.1 Egress-VLANID ................................... 4 | 2.1 Egress-VLANID ................................... 4 | |||
2.2 Ingress-Filters ................................. 5 | 2.2 Ingress-Filters ................................. 5 | |||
2.3 Egress-VLAN-Name ................................ 6 | 2.3 Egress-VLAN-Name ................................ 6 | |||
2.4 User-Priority-Table ............................. 7 | 2.4 User-Priority-Table ............................. 7 | |||
3. Table of Attributes ................................... 8 | 3. Table of Attributes ................................... 8 | |||
4. IANA Considerations ................................... 8 | 4. Diameter Considerations ............................... 9 | |||
5. Security Considerations ............................... 9 | 5. IANA Considerations ................................... 9 | |||
6. References ............................................ 9 | 6. Security Considerations ............................... 9 | |||
6.1 Normative References ............................ 9 | 7. References ............................................ 10 | |||
6.2 Informative References .......................... 10 | 7.1 Normative References ............................ 10 | |||
ACKNOWLEDGMENTS .............................................. 11 | 7.2 Informative References .......................... 10 | |||
AUTHORS' ADDRESSES ........................................... 11 | ACKNOWLEDGMENTS .............................................. 12 | |||
Intellectual Property Statement............................... 12 | AUTHORS' ADDRESSES ........................................... 12 | |||
Intellectual Property Statement............................... 13 | ||||
Disclaimer of Validity........................................ 13 | Disclaimer of Validity........................................ 13 | |||
Full Copyright Statement ..................................... 13 | Full Copyright Statement ..................................... 13 | |||
1. Introduction | 1. Introduction | |||
IEEE 802.1X [IEEE-802.1X] provides "network port authentication" for | IEEE 802.1X [IEEE-802.1X] provides "network port authentication" for | |||
IEEE 802 [IEEE-802] media, including Ethernet [IEEE-802.3], Token | IEEE 802 [IEEE-802] media, including Ethernet [IEEE-802.3], Token | |||
Ring and 802.11 wireless LANs [IEEE-802.11i]. | Ring and 802.11 wireless LANs [IEEE-802.11i]. | |||
This document describes VLAN and re-prioritization attributes that | This document describes Virtual LAN (VLAN) and re-prioritization | |||
may prove useful for provisioning of access to IEEE 802 local area | attributes that may prove useful for provisioning of access to IEEE | |||
networks. | 802 local area networks with the Remote Authentication Dialin User | |||
Service (RADIUS). | ||||
While [RFC3580] enables support for VLAN assignment based on the | While [RFC3580] enables support for VLAN assignment based on the | |||
tunnel attributes defined in [RFC2868], it does not provide support | tunnel attributes defined in [RFC2868], it does not provide support | |||
for a more complete set of VLAN functionality as defined by | for a more complete set of VLAN functionality as defined by | |||
[IEEE-802.1Q]. The VLAN attributes defined in this document provide | [IEEE-802.1Q]. The attributes defined in this document provide | |||
support within RADIUS analogous to the management variables supported | support within RADIUS analogous to the management variables supported | |||
in [IEEE-802.1Q] and MIB objects defined in [RFC2674]. In addition, | in [IEEE-802.1Q] and MIB objects defined in [RFC4363]. In addition, | |||
this document enables support for a wider range of [IEEE-802.1X] | this document enables support for a wider range of [IEEE-802.1X] | |||
configurations. | configurations. | |||
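Review bot: the expansion "Remote Authentication Dialin User Service (RADIUS)" in the rewritten Introduction paragraph does not match the Abstract's "Remote Authentication Dial In User Service" or the title of [RFC2865] in the references ("Remote Authentication Dial In User Service (RADIUS)"); use "Dial In" in the Introduction as well. The swap from [RFC2674] to [RFC4363] in the same paragraph is consistent with the updated reference list.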
1.1. Terminology | 1.1. Terminology | |||
This document uses the following terms: | This document uses the following terms: | |||
Authenticator | Authenticator | |||
An authenticator is an entity that requires authentication | The end of the link initiating EAP authentication. The term | |||
from the supplicant. The authenticator may be connected to | authenticator is used in [RFC3748] and [IEEE-802.1X], and has the | |||
the supplicant at the other end of a point-to-point LAN | same meaning in this document. | |||
segment or 802.11 wireless link. | ||||
Authentication server | backend authentication server | |||
An authentication server is an entity that provides an | A backend authentication server is an entity that provides an | |||
authentication service to an authenticator. This service | authentication service to an authenticator. When used, this server | |||
verifies from the credentials provided by the supplicant, the | typically executes EAP methods for the authenticator. This | |||
claim of identity made by the supplicant. | terminology is also used in [IEEE-802.1X]. | |||
Network Access Server (NAS) | ||||
A device that provides an access service for a user to a network. | ||||
Supplicant | Supplicant | |||
A supplicant is an entity that is being authenticated by an | The end of the link that responds to the authenticator in | |||
authenticator. The supplicant may be connected to the | [IEEE-802.1X]. | |||
authenticator at one end of a point-to-point LAN segment or | ||||
802.11 wireless link. | ||||
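Review bot: the new "Network Access Server (NAS)" entry defines the NAS only as "A device that provides an access service for a user to a network", while section 1.3 ("If a NAS conforming to this specification receives an Access-Accept ...") and the Security Considerations treat the NAS as the RADIUS client that applies these attributes; add that in this document the NAS is the RADIUS client and acts as the [IEEE-802.1X] authenticator, so the three terms are tied together. Minor: "backend authentication server" is the only lower-case term heading; capitalise it like "Authenticator" and "Supplicant".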
1.2. Requirements Language | 1.2. Requirements Language | |||
In this document, several words are used to signify the requirements | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
of the specification. The key words "MUST", "MUST NOT", "REQUIRED", | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", | document are to be interpreted as described in [RFC2119]. | |||
and "OPTIONAL" in this document are to be interpreted as described in | ||||
[RFC2119]. | ||||
1.3. Attribute Interpretation | 1.3. Attribute Interpretation | |||
If a NAS conforming to this specification receives an Access-Accept | If a NAS conforming to this specification receives an Access-Accept | |||
packet containing an attribute defined in this document which it | packet containing an attribute defined in this document which it | |||
cannot apply, it MUST act as though it had received an Access-Reject. | cannot apply, it MUST act as though it had received an Access-Reject. | |||
Similarly, [RFC3576] requires that a NAS receiving a CoA-Request | Similarly, [RFC3576] requires that a NAS receiving a CoA-Request | |||
containing an unsupported attribute reply with a CoA-NAK. It is | containing an unsupported attribute reply with a CoA-NAK. It is | |||
recommended that an Error-Cause attribute with value set to | recommended that an Error-Cause attribute with value set to | |||
Unsupported Attribute" (401) be included in the packet. As noted in | "Unsupported Attribute" (401) be included in the packet. As noted in | |||
[RFC3576], authorization changes are atomic so that this situation | [RFC3576], authorization changes are atomic so that this situation | |||
does not result in session termination and the pre-existing | does not result in session termination and the pre-existing | |||
configuration remains unchanged. As a result, no accounting packets | configuration remains unchanged. As a result, no accounting packets | |||
should be generated. | should be generated. | |||
2. Attributes | 2. Attributes | |||
2.1. Egress-VLANID | 2.1. Egress-VLANID | |||
Description | Description | |||
The Egress-VLANID attribute represents an allowed IEEE 802 Egress | The Egress-VLANID attribute represents an allowed IEEE 802 Egress | |||
VLANID for this port, indicating if the VLANID is allowed for | VLANID for this port, indicating if the VLANID is allowed for | |||
tagged or untagged packets as well as the VLANID. | tagged or untagged packets as well as the VLANID. | |||
Multiple Egress-VLANID attributes MAY be included in an Access- | Multiple Egress-VLANID attributes MAY be included in an Access- | |||
Accept or CoA-Request packet; this attribute MUST NOT be sent | Request, Access-Accept or CoA-Request packet; this attribute MUST | |||
within an Access-Request, Access-Challenge, Access-Reject, | NOT be sent within an Access-Challenge, Access-Reject, Disconnect- | |||
Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, or | Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, or CoA-NAK. | |||
CoA-NAK. Each attribute adds the specified VLAN to the list of | Each attribute adds the specified VLAN to the list of allowed | |||
allowed egress VLANs for the port. | egress VLANs for the port. | |||
The Egress-VLANID attribute is shown below. The fields are | The Egress-VLANID attribute is shown below. The fields are | |||
transmitted from left to right: | transmitted from left to right: | |||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Type | Length | Integer | | Type | Length | Integer | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
Integer | | Integer | | |||
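Review bot: now that the Egress-VLANID attribute "MAY be included in an Access-Request, Access-Accept or CoA-Request packet", the document never says what an instance in an Access-Request signifies or how a RADIUS server is to treat it; section 1.3 only covers attributes received by the NAS. Add a sentence stating what the NAS is conveying (for instance its current or proposed VLAN configuration), that the server MAY ignore it, and that the values returned in the Access-Accept take precedence, so a server is not led to treat a NAS-supplied value as the authorization decision. The same gap applies to the parallel changes in 2.2, 2.3 and 2.4; the updated Table of Attributes in section 3 is consistent with all four changes.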
skipping to change at page 5, line 14 | skipping to change at page 5, line 14 | |||
6 | 6 | |||
Integer | Integer | |||
The Integer field is four octets in length. The format is | The Integer field is four octets in length. The format is | |||
described below: | described below: | |||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| VLAN Tag | Pad | VLANID | | | Tag Indic. | Pad | VLANID | | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
The VLAN Tag field is one octet in length, and indicates whether | The Tag Indication field is one octet in length, and indicates | |||
the frames on the VLAN are tagged (0x31) or untagged (0x32). The | whether the frames on the VLAN are tagged (0x31) or untagged | |||
Pad field is 12-bits in length and MUST be 0 (zero). The VLANID is | (0x32). The Pad field is 12-bits in length and MUST be 0 (zero). | |||
12-bits in length and contains the [IEEE-802.1Q] VLAN VID value. | The VLANID is 12-bits in length and contains the [IEEE-802.1Q] | |||
VLAN VID value. | ||||
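Review bot: the Tag Indication values 0x31 (tagged) and 0x32 (untagged) are the ASCII digits '1' and '2'; say so explicitly so implementers do not send 0x01/0x02, and state receiver behaviour for any other value and for a non-zero Pad ("MUST be 0 (zero)" binds only the sender). Under section 1.3 a NAS that "cannot apply" an attribute treats the Access-Accept as a reject, so one sentence placing an unknown Tag Indication or non-zero Pad under that rule, rather than leaving a NAS free to mask the bits and use the VLANID anyway, would close the gap. Also, the description's "indicating if the VLANID is allowed for tagged or untagged packets as well as the VLANID" reads awkwardly; "indicating the VLANID and whether frames on that VLAN are tagged or untagged" says the same thing more clearly.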
2.2. Ingress-Filters | 2.2. Ingress-Filters | |||
Description | Description | |||
The Ingress-Filters attribute corresponds to Ingress Filter per- | The Ingress-Filters attribute corresponds to Ingress Filter per- | |||
port variable defined in [IEEE-802.1Q] clause 8.4.5. When the | port variable defined in [IEEE-802.1Q] clause 8.4.5. When the | |||
attribute has the value "Enabled", the set of VLANs that are | attribute has the value "Enabled", the set of VLANs that are | |||
allowed to ingress a port must match the set of VLANs that are | allowed to ingress a port must match the set of VLANs that are | |||
allowed to egress a port. Only a single Ingress-Filters attribute | allowed to egress a port. Only a single Ingress-Filters attribute | |||
MAY be sent within an Access-Accept or CoA-Request packet; this | MAY be sent within an Access-Request, Access-Accept or CoA-Request | |||
attribute MUST NOT be sent within an Access-Request, Access- | packet; this attribute MUST NOT be sent within an Access- | |||
Challenge, Access-Reject, Disconnect-Request, Disconnect-ACK, | Challenge, Access-Reject, Disconnect-Request, Disconnect-ACK, | |||
Disconnect-NAK, CoA-ACK, or CoA-NAK. | Disconnect-NAK, CoA-ACK, or CoA-NAK. | |||
The Ingress-Filters attribute is shown below. The fields are | The Ingress-Filters attribute is shown below. The fields are | |||
transmitted from left to right: | transmitted from left to right: | |||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Type | Length | Integer | | Type | Length | Integer | |||
skipping to change at page 6, line 31 | skipping to change at page 6, line 33 | |||
to the Egress-VLANID attribute, except that the VLAN-ID itself is | to the Egress-VLANID attribute, except that the VLAN-ID itself is | |||
not specified or known; rather the VLAN name is used to identify | not specified or known; rather the VLAN name is used to identify | |||
the VLAN within the system. | the VLAN within the system. | |||
The Egress-VLAN-Name attribute contains two parts; the first part | The Egress-VLAN-Name attribute contains two parts; the first part | |||
indicates if frames on the VLAN for this port are to be | indicates if frames on the VLAN for this port are to be | |||
represented in tagged or untagged format, the second part is the | represented in tagged or untagged format, the second part is the | |||
VLAN name. | VLAN name. | |||
Multiple Egress-VLAN-Name attributes MAY be included within an | Multiple Egress-VLAN-Name attributes MAY be included within an | |||
Access-Accept or CoA-Request packet; this attribute MUST NOT be | Access-Request, Access-Accept or CoA-Request packet; this | |||
sent within an Access-Request, Access-Challenge, Access-Reject, | attribute MUST NOT be sent within an Access-Challenge, Access- | |||
Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, or | Reject, Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA- | |||
CoA-NAK. Each attribute adds the named VLAN to the list of | ACK, or CoA-NAK. Each attribute adds the named VLAN to the list | |||
allowed egress VLANs for the port. The Egress-VLAN-Name attribute | of allowed egress VLANs for the port. The Egress-VLAN-Name | |||
is shown below. The fields are transmitted from left to right: | attribute is shown below. The fields are transmitted from left to | |||
right: | ||||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Type | Length | VLAN Tag | String... | | Type | Length | Tag Indic. | String... | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
Type | Type | |||
TBD | TBD | |||
Length | Length | |||
>=4 | >=4 | |||
VLAN Tag | ||||
The VLAN tag field is one octet in length, and indicates whether | Tag Indication | |||
the frames on the VLAN are tagged (0x31) or untagged (0x32). | ||||
The Tag Indication field is one octet in length, and indicates | ||||
whether the frames on the VLAN are tagged (0x31) or untagged | ||||
(0x32). | ||||
String | String | |||
The String field is at least one octet in length, and contains the | The String field is at least one octet in length, and contains the | |||
the VLAN Name as defined in [IEEE-802.1Q] clause 12.10.2.1.3 (a). | the VLAN Name as defined in [IEEE-802.1Q] clause 12.10.2.1.3 (a). | |||
[RFC3629] UTF-8 encoded 10646 characters are RECOMMENDED, but a | [RFC3629] UTF-8 encoded 10646 characters are RECOMMENDED, but a | |||
robust implementation SHOULD support the field as undistinguished | robust implementation SHOULD support the field as undistinguished | |||
octets. | octets. | |||
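Review bot: "contains the the VLAN Name" in the String field description is a doubled "the" carried over unchanged from -00. Since the name is used "to identify the VLAN within the system", state that a name the NAS cannot resolve to a VLAN is handled under section 1.3 (act as though an Access-Reject was received) rather than ignored. The Length of ">=4" is consistent with Type, Length, one Tag Indication octet and at least one String octet, so no change is needed there.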
2.4. User-Priority-Table | 2.4. User-Priority-Table | |||
skipping to change at page 7, line 31 | skipping to change at page 7, line 36 | |||
[IEEE-802.1D] clause 7.5.1 discusses how to regenerate (or re-map) | [IEEE-802.1D] clause 7.5.1 discusses how to regenerate (or re-map) | |||
user priority on frames received at a port. This per-port | user priority on frames received at a port. This per-port | |||
configuration enables a bridge to cause the priority of received | configuration enables a bridge to cause the priority of received | |||
traffic at a port to be mapped to a particular priority. The | traffic at a port to be mapped to a particular priority. The | |||
management variables are described in clause 14.6.2.2. | management variables are described in clause 14.6.2.2. | |||
This attribute represents the IEEE 802 prioritization that will be | This attribute represents the IEEE 802 prioritization that will be | |||
applied to packets arriving at this port. There are eight | applied to packets arriving at this port. There are eight | |||
possible user priorities, according to the [IEEE-802] standard. A | possible user priorities, according to the [IEEE-802] standard. A | |||
single User-Priority-Table attribute MAY be included in an Access- | single User-Priority-Table attribute MAY be included in an Access- | |||
Accept or CoA-Request packet; this attribute MUST NOT be sent | Request, Access-Accept or CoA-Request packet; this attribute MUST | |||
within an Access-Request, Access-Challenge, Access-Reject, | NOT be sent within an Access-Challenge, Access-Reject, Disconnect- | |||
Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, or | Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, or CoA-NAK. | |||
CoA-NAK. | ||||
The User-Priority-Table attribute is shown below. The fields are | The User-Priority-Table attribute is shown below. The fields are | |||
transmitted from left to right: | transmitted from left to right: | |||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Type | Length | String | | Type | Length | String | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
String | String | |||
skipping to change at page 8, line 32 | skipping to change at page 8, line 36 | |||
The [IEEE-8021.D] specification, Annex G, provides a useful | The [IEEE-8021.D] specification, Annex G, provides a useful | |||
description of traffic type - traffic class mappings. | description of traffic type - traffic class mappings. | |||
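Review bot: "[IEEE-8021.D]" in "The [IEEE-8021.D] specification, Annex G" is a typo for "[IEEE-802.1D]" (the tag used by the reference entry) and survives unchanged in -01. Also, the eight user priorities are attributed to "[IEEE-802]" while the preceding paragraph cites [IEEE-802.1D] clauses 7.5.1 and 14.6.2.2 for the same mechanism; check which document actually defines the eight values and cite it consistently.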
3. Table of Attributes | 3. Table of Attributes | |||
The following table provides a guide to which attributes may be found | The following table provides a guide to which attributes may be found | |||
in which kinds of packets, and in what quantity. | in which kinds of packets, and in what quantity. | |||
Access- Access- Access- Access- CoA- | Access- Access- Access- Access- CoA- | |||
Request Accept Reject Challenge Req # Attribute | Request Accept Reject Challenge Req # Attribute | |||
0 0+ 0 0 0+ TBD Egress-VLANID | 0+ 0+ 0 0 0+ TBD Egress-VLANID | |||
0 0-1 0 0 0-1 TBD Ingress-Filters | 0-1 0-1 0 0 0-1 TBD Ingress-Filters | |||
0 0+ 0 0 0+ TBD Egress-VLAN-Name | 0+ 0+ 0 0 0+ TBD Egress-VLAN-Name | |||
0 0-1 0 0 0-1 TBD User-Priority-Table | 0-1 0-1 0 0 0-1 TBD User-Priority-Table | |||
The following table defines the meaning of the above table entries. | The following table defines the meaning of the above table entries. | |||
0 This attribute MUST NOT be present in the packet. | 0 This attribute MUST NOT be present in the packet. | |||
0+ Zero or more instances of this attribute MAY be | 0+ Zero or more instances of this attribute MAY be | |||
present in the packet. | present in the packet. | |||
0-1 Zero or one instance of this attribute MAY be | 0-1 Zero or one instance of this attribute MAY be | |||
present in the packet. | present in the packet. | |||
4. IANA Considerations | 4. Diameter Considerations | |||
Diameter needs to define identical attributes with the same Type | ||||
values. The attributes should be available as part of the NASREQ | ||||
application [RFC4005], as well as the Diameter EAP application | ||||
[RFC4072]. | ||||
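Review bot: the new Diameter Considerations section says Diameter "needs to define identical attributes" and the attributes "should be available" in NASREQ and Diameter EAP; given that section 1.2 invokes [RFC2119], either use the capitalised keywords or make clear these are expectations on a separate Diameter specification. [RFC4005] and [RFC4072] are added as Informative references, which fits the second reading, but the Abstract's "These attributes are usable within either RADIUS or Diameter" then rests on a section that defines nothing; state explicitly how the RADIUS Type values map to Diameter AVP codes, or soften the Abstract.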
5. IANA Considerations | ||||
This specification does not create any new registries. | This specification does not create any new registries. | |||
This document uses the RADIUS [RFC2865] namespace, see | This document uses the RADIUS [RFC2865] namespace, see | |||
<http://www.iana.org/assignments/radius-types>. Allocation of four | <http://www.iana.org/assignments/radius-types>. Allocation of four | |||
updates for the section "RADIUS Attribute Types" is requested. The | updates for the section "RADIUS Attribute Types" is requested. The | |||
RADIUS attributes for which values are requested are: | RADIUS attributes for which values are requested are: | |||
TBD - Egress-VLANID | TBD - Egress-VLANID | |||
TBD - Ingress-Filters | TBD - Ingress-Filters | |||
TBD - Egress-VLAN-Name | TBD - Egress-VLAN-Name | |||
TBD - User-Priority-Table | TBD - User-Priority-Table | |||
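Review bot: the IANA Considerations section requests "four updates for the section 'RADIUS Attribute Types'" without citing [RFC3575], which is listed under Normative references but cited nowhere in the visible text; cite it here as the allocation policy, and reword "Allocation of four updates" to "Allocation of four new attribute Type values".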
5. Security Considerations | 6. Security Considerations | |||
Since this document describes the use of RADIUS for purposes of | This specification describes the use of RADIUS for purposes of | |||
authentication and authorization, and accounting in IEEE 802.1X- | authentication, authorization and accounting in networks supporting | |||
enabled networks, it is vulnerable to all of the threats that are | [IEEE 802.1X]. Threats and security issues for this application are | |||
present in other RADIUS applications. For a discussion of these | described in [RFC3579] and [RFC3580]; security issues encountered in | |||
threats, see [RFC2607], [RFC3162], [RFC3579], and [RFC3580]. | roaming are described in [RFC2607]. | |||
This document specifies new attributes that can be included in | This document specifies new attributes that can be included in | |||
existing RADIUS packets. These packets are protected as described in | existing RADIUS packets, which are protected as described in | |||
[RFC3579] and [RFC3576]; see those documents for a more detailed | [RFC3579] and [RFC3576]. See those documents for a more detailed | |||
description and related security considerations. | description. | |||
The security mechanisms in [RFC3579] and [RFC3576] are primarily | The security mechanisms described in [RFC3579] and [RFC3576] are | |||
concerned with an attacker attempting to spoof or modify messages in | focused on preventing an attacker from spoofing packets or modifying | |||
transit. They do not prevent an authorized RADIUS server or proxy | packets in transit. They do not prevent an authorized RADIUS server | |||
from inserting attributes with malicious intent. | or proxy from inserting attributes with malicious intent. | |||
For example, modifications to VLAN attributes may enable access to | VLAN attributes sent by a RADIUS server or proxy may enable access to | |||
unauthorized VLANs. These vulnerabilities can be limited by | unauthorized VLANs. These vulnerabilities can be limited by | |||
performing authorization checks at the NAS. For instance, a NAS can | performing authorization checks at the NAS. For example, a NAS can | |||
be configured to accept only certain VLAN-IDs from a given RADIUS | be configured to accept only certain VLANIDs from a given RADIUS | |||
server/proxy. | server/proxy. | |||
6. References | Similarly, an attacker gaining control of a RADIUS server or proxy | |||
can modify the user priority table, causing either degradation of | ||||
quality of service (by downgrading user priority of packets arriving | ||||
at a port), or denial of service (by raising the level of priority of | ||||
traffic at multiple ports of a device, oversubscribing the switch or | ||||
link capabilities). | ||||
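Review bot: the NAS-side mitigation given for VLAN attributes ("a NAS can be configured to accept only certain VLANIDs from a given RADIUS server/proxy") has no counterpart in the new User-Priority-Table paragraph, and an allow-list keyed on VLANIDs alone is sidestepped by Egress-VLAN-Name, which identifies the VLAN by name (section 2.3). Suggest stating that the NAS applies the check to the VLAN actually selected, whether it arrived as an ID or a name, and that a NAS can likewise restrict which servers may send User-Priority-Table or Ingress-Filters, or cap the priority values it will accept from a given server. Also "[IEEE 802.1X]" in the first paragraph should be "[IEEE-802.1X]" to match the reference tag used elsewhere.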
6.1. Normative references | 7. References | |||
7.1. Normative references | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", RFC 2119, March, 1997. | Requirement Levels", RFC 2119, March, 1997. | |||
[RFC2674] Bell, E., Smith, A., Langille, P., Rijhsinghani, A., | ||||
McCloghrie, K., Definitions of Managed Objects for Bridges | ||||
with Traffic Classes, Multicast Filtering and Virtual LAN | ||||
Extensions", RFC 2674, August 1999. | ||||
[RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote | [RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote | |||
Authentication Dial In User Service (RADIUS)", RFC 2865, June | Authentication Dial In User Service (RADIUS)", RFC 2865, June | |||
2000. | 2000. | |||
[RFC3575] Aboba, B., "IANA Considerations for RADIUS", RFC 3575, July | [RFC3575] Aboba, B., "IANA Considerations for RADIUS", RFC 3575, July | |||
2003. | 2003. | |||
[RFC3629] Yergeau, F., "UTF-8, a transformation of ISO 10646", RFC 2607, | [RFC3629] Yergeau, F., "UTF-8, a transformation of ISO 10646", RFC 2607, | |||
November 2003. | November 2003. | |||
[RFC4363] Levi, D. and D. Harrington, "Definitions of Managed Objects | ||||
for Bridges with Traffic Classes, Multicast Filtering and | ||||
Virtual LAN Extensions", RFC 4363, January 2006. | ||||
[IEEE-802] | [IEEE-802] | |||
IEEE Standards for Local and Metropolitan Area Networks: | IEEE Standards for Local and Metropolitan Area Networks: | |||
Overview and Architecture, ANSI/IEEE Std 802, 1990. | Overview and Architecture, ANSI/IEEE Std 802, 1990. | |||
[IEEE-802.1D] | [IEEE-802.1D] | |||
IEEE Standards for Local and Metropolitan Area Networks: Media | IEEE Standards for Local and Metropolitan Area Networks: Media | |||
Access Control (MAC) Bridges, IEEE Std 802.1D-2004, June 2004. | Access Control (MAC) Bridges, IEEE Std 802.1D-2004, June 2004. | |||
[IEEE-802.1Q] | [IEEE-802.1Q] | |||
IEEE Standards for Local and Metropolitan Area Networks: Draft | IEEE Standards for Local and Metropolitan Area Networks: Draft | |||
Standard for Virtual Bridged Local Area Networks, | Standard for Virtual Bridged Local Area Networks, | |||
P802.1Q-2003, January 2003. | P802.1Q-2003, January 2003. | |||
[IEEE-802.1X] | [IEEE-802.1X] | |||
IEEE Standards for Local and Metropolitan Area Networks: Port | IEEE Standards for Local and Metropolitan Area Networks: Port | |||
based Network Access Control, IEEE Std 802.1X-2004, August | based Network Access Control, IEEE Std 802.1X-2004, August | |||
2004. | 2004. | |||
6.2. Informative references | 7.2. Informative references | |||
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy | [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy | |||
Implementation in Roaming", RFC 2607, June 1999. | Implementation in Roaming", RFC 2607, June 1999. | |||
[RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. | [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. | |||
and I. Goyret, "RADIUS Attributes for Tunnel Protocol | and I. Goyret, "RADIUS Attributes for Tunnel Protocol | |||
Support", RFC 2868, June 2000. | Support", RFC 2868, June 2000. | |||
[RFC3162] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IPv6", RFC | ||||
3162, August 2001. | ||||
[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, | [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, | |||
"Dynamic Authorization Extensions to Remote Authentication | "Dynamic Authorization Extensions to Remote Authentication | |||
Dial In User Service (RADIUS)", RFC 3576, July 2003. | Dial In User Service (RADIUS)", RFC 3576, July 2003. | |||
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS Support for Extensible | [RFC3579] Aboba, B. and P. Calhoun, "RADIUS Support for Extensible | |||
Authentication Protocol (EAP)", RFC 3579, September 2003. | Authentication Protocol (EAP)", RFC 3579, September 2003. | |||
[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., Roese, J., "IEEE | [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., Roese, J., "IEEE | |||
802.1X Remote Authentication Dial In User Service (RADIUS) | 802.1X Remote Authentication Dial In User Service (RADIUS) | |||
Usage Guidelines", RFC3580, September 2003. | Usage Guidelines", RFC3580, September 2003. | |||
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J. and H. | ||||
Levkowetz, "Extensible Authentication Protocol (EAP)", RFC | ||||
3748, June 2004. | ||||
[RFC4005] Calhoun, P., Zorn, G., Spence, D. and D. Mitton, "Diameter | ||||
Network Access Server Application", RFC 4005, August 2005. | ||||
[RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible | ||||
Authentication Protocol (EAP) Application", RFC 4072, August | ||||
2005. | ||||
[IEEE-802.3] | [IEEE-802.3] | |||
ISO/IEC 8802-3 Information technology - Telecommunications and | ISO/IEC 8802-3 Information technology - Telecommunications and | |||
information exchange between systems - Local and metropolitan | information exchange between systems - Local and metropolitan | |||
area networks - Common specifications - Part 3: Carrier Sense | area networks - Common specifications - Part 3: Carrier Sense | |||
Multiple Access with Collision Detection (CSMA/CD) Access | Multiple Access with Collision Detection (CSMA/CD) Access | |||
Method and Physical Layer Specifications, (also ANSI/IEEE Std | Method and Physical Layer Specifications, (also ANSI/IEEE Std | |||
802.3- 1996), 1996. | 802.3- 1996), 1996. | |||
[IEEE-802.11] | [IEEE-802.11] | |||
Information technology - Telecommunications and information | Information technology - Telecommunications and information | |||
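Review bot: the [RFC3629] entry reads "RFC 2607, November 2003"; the number should be RFC 3629 (2607 is the roaming reference listed under Informative). Separately, [RFC3576] is relied on normatively in section 1.3 ("[RFC3576] requires that a NAS receiving a CoA-Request containing an unsupported attribute reply with a CoA-NAK") and CoA-Request is a permitted packet for all four attributes, so it belongs under Normative rather than Informative references. Dropping [RFC2674] and [RFC3162] matches the Introduction and Security Considerations changes.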
End of changes. 38 change blocks. | ||||
98 lines changed or deleted | 122 lines changed or added | |||