draft-ietf-radext-vlan-00.txt   draft-ietf-radext-vlan-01.txt 
Network Working Group Paul Congdon Network Working Group Paul Congdon
INTERNET-DRAFT Mauricio Sanchez INTERNET-DRAFT Mauricio Sanchez
Category: Proposed Standard Hewlett-Packard Company Category: Proposed Standard Hewlett-Packard Company
<draft-ietf-radext-vlan-00.txt> Bernard Aboba <draft-ietf-radext-vlan-01.txt> Bernard Aboba
20 February 2006 Microsoft Corporation 22 March 2006 Microsoft Corporation
RADIUS VLAN and Priority Attributes RADIUS Attributes for Virtual LAN and Priority Support
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 32 skipping to change at page 1, line 32
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 10, 2006. This Internet-Draft will expire on September 10, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society 2006. Copyright (C) The Internet Society 2006.
Abstract Abstract
This document proposes additional attributes for dynamic VLAN This document proposes additional RADIUS (Remote Authentication Dial
assignment and prioritization, for use by IEEE 802.1X authenticators. In User Service) attributes for dynamic Virtual LAN assignment and
These attributes are usable within either RADIUS or Diameter. prioritization, for use by IEEE 802.1X authenticators. These
attributes are usable within either RADIUS or Diameter.
Table of Contents Table of Contents
1. Introduction .......................................... 3 1. Introduction .......................................... 3
1.1 Terminology ..................................... 3 1.1 Terminology ..................................... 3
1.2 Requirements Language ........................... 3 1.2 Requirements Language ........................... 3
1.3 Attribute Interpretation ........................ 4 1.3 Attribute Interpretation ........................ 4
2. Attributes ............................................ 4 2. Attributes ............................................ 4
2.1 Egress-VLANID ................................... 4 2.1 Egress-VLANID ................................... 4
2.2 Ingress-Filters ................................. 5 2.2 Ingress-Filters ................................. 5
2.3 Egress-VLAN-Name ................................ 6 2.3 Egress-VLAN-Name ................................ 6
2.4 User-Priority-Table ............................. 7 2.4 User-Priority-Table ............................. 7
3. Table of Attributes ................................... 8 3. Table of Attributes ................................... 8
4. IANA Considerations ................................... 8 4. Diameter Considerations ............................... 9
5. Security Considerations ............................... 9 5. IANA Considerations ................................... 9
6. References ............................................ 9 6. Security Considerations ............................... 9
6.1 Normative References ............................ 9 7. References ............................................ 10
6.2 Informative References .......................... 10 7.1 Normative References ............................ 10
ACKNOWLEDGMENTS .............................................. 11 7.2 Informative References .......................... 10
AUTHORS' ADDRESSES ........................................... 11 ACKNOWLEDGMENTS .............................................. 12
Intellectual Property Statement............................... 12 AUTHORS' ADDRESSES ........................................... 12
Intellectual Property Statement............................... 13
Disclaimer of Validity........................................ 13 Disclaimer of Validity........................................ 13
Full Copyright Statement ..................................... 13 Full Copyright Statement ..................................... 13
1. Introduction 1. Introduction
IEEE 802.1X [IEEE-802.1X] provides "network port authentication" for IEEE 802.1X [IEEE-802.1X] provides "network port authentication" for
IEEE 802 [IEEE-802] media, including Ethernet [IEEE-802.3], Token IEEE 802 [IEEE-802] media, including Ethernet [IEEE-802.3], Token
Ring and 802.11 wireless LANs [IEEE-802.11i]. Ring and 802.11 wireless LANs [IEEE-802.11i].
This document describes VLAN and re-prioritization attributes that This document describes Virtual LAN (VLAN) and re-prioritization
may prove useful for provisioning of access to IEEE 802 local area attributes that may prove useful for provisioning of access to IEEE
networks. 802 local area networks with the Remote Authentication Dialin User
Service (RADIUS).
While [RFC3580] enables support for VLAN assignment based on the While [RFC3580] enables support for VLAN assignment based on the
tunnel attributes defined in [RFC2868], it does not provide support tunnel attributes defined in [RFC2868], it does not provide support
for a more complete set of VLAN functionality as defined by for a more complete set of VLAN functionality as defined by
[IEEE-802.1Q]. The VLAN attributes defined in this document provide [IEEE-802.1Q]. The attributes defined in this document provide
support within RADIUS analogous to the management variables supported support within RADIUS analogous to the management variables supported
in [IEEE-802.1Q] and MIB objects defined in [RFC2674]. In addition, in [IEEE-802.1Q] and MIB objects defined in [RFC4363]. In addition,
this document enables support for a wider range of [IEEE-802.1X] this document enables support for a wider range of [IEEE-802.1X]
configurations. configurations.
1.1. Terminology 1.1. Terminology
This document uses the following terms: This document uses the following terms:
Authenticator Authenticator
An authenticator is an entity that requires authentication The end of the link initiating EAP authentication. The term
from the supplicant. The authenticator may be connected to authenticator is used in [RFC3748] and [IEEE-802.1X], and has the
the supplicant at the other end of a point-to-point LAN same meaning in this document.
segment or 802.11 wireless link.
Authentication server backend authentication server
An authentication server is an entity that provides an A backend authentication server is an entity that provides an
authentication service to an authenticator. This service authentication service to an authenticator. When used, this server
verifies from the credentials provided by the supplicant, the typically executes EAP methods for the authenticator. This
claim of identity made by the supplicant. terminology is also used in [IEEE-802.1X].
Network Access Server (NAS)
A device that provides an access service for a user to a network.
Supplicant Supplicant
A supplicant is an entity that is being authenticated by an The end of the link that responds to the authenticator in
authenticator. The supplicant may be connected to the [IEEE-802.1X].
authenticator at one end of a point-to-point LAN segment or
802.11 wireless link.
1.2. Requirements Language 1.2. Requirements Language
In this document, several words are used to signify the requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
of the specification. The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", document are to be interpreted as described in [RFC2119].
and "OPTIONAL" in this document are to be interpreted as described in
[RFC2119].
1.3. Attribute Interpretation 1.3. Attribute Interpretation
If a NAS conforming to this specification receives an Access-Accept If a NAS conforming to this specification receives an Access-Accept
packet containing an attribute defined in this document which it packet containing an attribute defined in this document which it
cannot apply, it MUST act as though it had received an Access-Reject. cannot apply, it MUST act as though it had received an Access-Reject.
Similarly, [RFC3576] requires that a NAS receiving a CoA-Request Similarly, [RFC3576] requires that a NAS receiving a CoA-Request
containing an unsupported attribute reply with a CoA-NAK. It is containing an unsupported attribute reply with a CoA-NAK. It is
recommended that an Error-Cause attribute with value set to recommended that an Error-Cause attribute with value set to
Unsupported Attribute" (401) be included in the packet. As noted in "Unsupported Attribute" (401) be included in the packet. As noted in
[RFC3576], authorization changes are atomic so that this situation [RFC3576], authorization changes are atomic so that this situation
does not result in session termination and the pre-existing does not result in session termination and the pre-existing
configuration remains unchanged. As a result, no accounting packets configuration remains unchanged. As a result, no accounting packets
should be generated. should be generated.
2. Attributes 2. Attributes
2.1. Egress-VLANID 2.1. Egress-VLANID
Description Description
The Egress-VLANID attribute represents an allowed IEEE 802 Egress The Egress-VLANID attribute represents an allowed IEEE 802 Egress
VLANID for this port, indicating if the VLANID is allowed for VLANID for this port, indicating if the VLANID is allowed for
tagged or untagged packets as well as the VLANID. tagged or untagged packets as well as the VLANID.
Multiple Egress-VLANID attributes MAY be included in an Access- Multiple Egress-VLANID attributes MAY be included in an Access-
Accept or CoA-Request packet; this attribute MUST NOT be sent Request, Access-Accept or CoA-Request packet; this attribute MUST
within an Access-Request, Access-Challenge, Access-Reject, NOT be sent within an Access-Challenge, Access-Reject, Disconnect-
Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, or Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, or CoA-NAK.
CoA-NAK. Each attribute adds the specified VLAN to the list of Each attribute adds the specified VLAN to the list of allowed
allowed egress VLANs for the port. egress VLANs for the port.
The Egress-VLANID attribute is shown below. The fields are The Egress-VLANID attribute is shown below. The fields are
transmitted from left to right: transmitted from left to right:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Integer | Type | Length | Integer
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Integer | Integer |
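Review bot: the Egress-VLANID text now permits the attribute in an Access-Request, but the only semantics given ("Each attribute adds the specified VLAN to the list of allowed egress VLANs for the port") describe a server-to-NAS authorization, so what a server does with a NAS-supplied value is undefined and a reader could take a NAS-sent VLAN as authoritative. Suggest adding, after "Each attribute adds the specified VLAN ...", a sentence such as "When sent in an Access-Request, Egress-VLANID is a hint of the VLAN the NAS would otherwise assign; the RADIUS server MAY ignore it, and only the VLANs listed in the Access-Accept or CoA-Request are authorized." The same gap applies to the Access-Request additions for Ingress-Filters, Egress-VLAN-Name and User-Priority-Table in the later sections, and Section 3 should then match. Section 1.3 could also say explicitly that its Access-Reject rule applies when the NAS cannot apply an attribute in full, since a partially applied VLAN list leaves the port in a state the server never authorized.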
skipping to change at page 5, line 14 skipping to change at page 5, line 14
6 6
Integer Integer
The Integer field is four octets in length. The format is The Integer field is four octets in length. The format is
described below: described below:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| VLAN Tag | Pad | VLANID | | Tag Indic. | Pad | VLANID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The VLAN Tag field is one octet in length, and indicates whether The Tag Indication field is one octet in length, and indicates
the frames on the VLAN are tagged (0x31) or untagged (0x32). The whether the frames on the VLAN are tagged (0x31) or untagged
Pad field is 12-bits in length and MUST be 0 (zero). The VLANID is (0x32). The Pad field is 12-bits in length and MUST be 0 (zero).
12-bits in length and contains the [IEEE-802.1Q] VLAN VID value. The VLANID is 12-bits in length and contains the [IEEE-802.1Q]
VLAN VID value.
2.2. Ingress-Filters 2.2. Ingress-Filters
Description Description
The Ingress-Filters attribute corresponds to Ingress Filter per- The Ingress-Filters attribute corresponds to Ingress Filter per-
port variable defined in [IEEE-802.1Q] clause 8.4.5. When the port variable defined in [IEEE-802.1Q] clause 8.4.5. When the
attribute has the value "Enabled", the set of VLANs that are attribute has the value "Enabled", the set of VLANs that are
allowed to ingress a port must match the set of VLANs that are allowed to ingress a port must match the set of VLANs that are
allowed to egress a port. Only a single Ingress-Filters attribute allowed to egress a port. Only a single Ingress-Filters attribute
MAY be sent within an Access-Accept or CoA-Request packet; this MAY be sent within an Access-Request, Access-Accept or CoA-Request
attribute MUST NOT be sent within an Access-Request, Access- packet; this attribute MUST NOT be sent within an Access-
Challenge, Access-Reject, Disconnect-Request, Disconnect-ACK, Challenge, Access-Reject, Disconnect-Request, Disconnect-ACK,
Disconnect-NAK, CoA-ACK, or CoA-NAK. Disconnect-NAK, CoA-ACK, or CoA-NAK.
The Ingress-Filters attribute is shown below. The fields are The Ingress-Filters attribute is shown below. The fields are
transmitted from left to right: transmitted from left to right:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Integer | Type | Length | Integer
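Review bot: the Integer format for Egress-VLANID says the Pad field MUST be 0 and defines only two Tag Indication values (0x31 tagged, 0x32 untagged), but gives no receiver behaviour for a non-zero Pad or an undefined Tag Indication value. Suggest stating that a NAS receiving either MUST treat the attribute as one it cannot apply, so the Section 1.3 handling (Access-Reject, or CoA-NAK with Error-Cause 401) takes over, rather than masking the Pad bits or guessing a tag state; a VLANID that is not usable on the port should get the same treatment. For Ingress-Filters, the description explains "Enabled" but the visible text never states what "Disabled" means (frames received on VLANs outside the port's egress set are not discarded), which is exactly what makes this attribute security-relevant; a sentence to that effect, or a pointer to it from the Security Considerations, would help implementers.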
skipping to change at page 6, line 31 skipping to change at page 6, line 33
to the Egress-VLANID attribute, except that the VLAN-ID itself is to the Egress-VLANID attribute, except that the VLAN-ID itself is
not specified or known; rather the VLAN name is used to identify not specified or known; rather the VLAN name is used to identify
the VLAN within the system. the VLAN within the system.
The Egress-VLAN-Name attribute contains two parts; the first part The Egress-VLAN-Name attribute contains two parts; the first part
indicates if frames on the VLAN for this port are to be indicates if frames on the VLAN for this port are to be
represented in tagged or untagged format, the second part is the represented in tagged or untagged format, the second part is the
VLAN name. VLAN name.
Multiple Egress-VLAN-Name attributes MAY be included within an Multiple Egress-VLAN-Name attributes MAY be included within an
Access-Accept or CoA-Request packet; this attribute MUST NOT be Access-Request, Access-Accept or CoA-Request packet; this
sent within an Access-Request, Access-Challenge, Access-Reject, attribute MUST NOT be sent within an Access-Challenge, Access-
Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, or Reject, Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-
CoA-NAK. Each attribute adds the named VLAN to the list of ACK, or CoA-NAK. Each attribute adds the named VLAN to the list
allowed egress VLANs for the port. The Egress-VLAN-Name attribute of allowed egress VLANs for the port. The Egress-VLAN-Name
is shown below. The fields are transmitted from left to right: attribute is shown below. The fields are transmitted from left to
right:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | VLAN Tag | String... | Type | Length | Tag Indic. | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type Type
TBD TBD
Length Length
>=4 >=4
VLAN Tag
The VLAN tag field is one octet in length, and indicates whether Tag Indication
the frames on the VLAN are tagged (0x31) or untagged (0x32).
The Tag Indication field is one octet in length, and indicates
whether the frames on the VLAN are tagged (0x31) or untagged
(0x32).
String String
The String field is at least one octet in length, and contains the The String field is at least one octet in length, and contains the
the VLAN Name as defined in [IEEE-802.1Q] clause 12.10.2.1.3 (a). the VLAN Name as defined in [IEEE-802.1Q] clause 12.10.2.1.3 (a).
[RFC3629] UTF-8 encoded 10646 characters are RECOMMENDED, but a [RFC3629] UTF-8 encoded 10646 characters are RECOMMENDED, but a
robust implementation SHOULD support the field as undistinguished robust implementation SHOULD support the field as undistinguished
octets. octets.
2.4. User-Priority-Table 2.4. User-Priority-Table
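Review bot: Egress-VLAN-Name and Egress-VLANID both "add" a VLAN to the port's allowed egress list and both may appear several times in one packet, so the text needs a rule for conflicting entries: the same VLAN marked tagged in one attribute and untagged in another, or the same VLAN given once by name and once by ID with different Tag Indications. Suggest either declaring such a packet invalid under Section 1.3 or stating that the last occurrence wins; leaving it open invites divergent NAS behaviour. For the String field, "a robust implementation SHOULD support the field as undistinguished octets" is fine, but the text should say how those octets are matched against the VLAN names configured on the NAS (exact octet comparison, no case folding or normalization) and that a name with no match is an attribute the NAS cannot apply. Minor: "contains the the VLAN Name" has a duplicated "the", and the 0x31/0x32 values are repeated here without a cross-reference to the Tag Indication definition in Section 2.1.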
skipping to change at page 7, line 31 skipping to change at page 7, line 36
[IEEE-802.1D] clause 7.5.1 discusses how to regenerate (or re-map) [IEEE-802.1D] clause 7.5.1 discusses how to regenerate (or re-map)
user priority on frames received at a port. This per-port user priority on frames received at a port. This per-port
configuration enables a bridge to cause the priority of received configuration enables a bridge to cause the priority of received
traffic at a port to be mapped to a particular priority. The traffic at a port to be mapped to a particular priority. The
management variables are described in clause 14.6.2.2. management variables are described in clause 14.6.2.2.
This attribute represents the IEEE 802 prioritization that will be This attribute represents the IEEE 802 prioritization that will be
applied to packets arriving at this port. There are eight applied to packets arriving at this port. There are eight
possible user priorities, according to the [IEEE-802] standard. A possible user priorities, according to the [IEEE-802] standard. A
single User-Priority-Table attribute MAY be included in an Access- single User-Priority-Table attribute MAY be included in an Access-
Accept or CoA-Request packet; this attribute MUST NOT be sent Request, Access-Accept or CoA-Request packet; this attribute MUST
within an Access-Request, Access-Challenge, Access-Reject, NOT be sent within an Access-Challenge, Access-Reject, Disconnect-
Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, or Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, or CoA-NAK.
CoA-NAK.
The User-Priority-Table attribute is shown below. The fields are The User-Priority-Table attribute is shown below. The fields are
transmitted from left to right: transmitted from left to right:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | String | Type | Length | String
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
String String
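Review bot: "The management variables are described in clause 14.6.2.2." does not name the standard; since the paragraph starts from [IEEE-802.1D] clause 7.5.1, write "[IEEE-802.1D] clause 14.6.2.2" so the citation survives being read out of context. Also, the first paragraph describes regeneration of the user priority carried in received frames, while the next says the attribute "represents the IEEE 802 prioritization that will be applied to packets arriving at this port"; the String field description should make clear that the table remaps the priority value signalled by the sender rather than assigning one priority to the port, since the two readings lead to different configurations.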
skipping to change at page 8, line 32 skipping to change at page 8, line 36
The [IEEE-8021.D] specification, Annex G, provides a useful The [IEEE-8021.D] specification, Annex G, provides a useful
description of traffic type - traffic class mappings. description of traffic type - traffic class mappings.
3. Table of Attributes 3. Table of Attributes
The following table provides a guide to which attributes may be found The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity. in which kinds of packets, and in what quantity.
Access- Access- Access- Access- CoA- Access- Access- Access- Access- CoA-
Request Accept Reject Challenge Req # Attribute Request Accept Reject Challenge Req # Attribute
0 0+ 0 0 0+ TBD Egress-VLANID 0+ 0+ 0 0 0+ TBD Egress-VLANID
0 0-1 0 0 0-1 TBD Ingress-Filters 0-1 0-1 0 0 0-1 TBD Ingress-Filters
0 0+ 0 0 0+ TBD Egress-VLAN-Name 0+ 0+ 0 0 0+ TBD Egress-VLAN-Name
0 0-1 0 0 0-1 TBD User-Priority-Table 0-1 0-1 0 0 0-1 TBD User-Priority-Table
The following table defines the meaning of the above table entries. The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present in the packet. 0 This attribute MUST NOT be present in the packet.
0+ Zero or more instances of this attribute MAY be 0+ Zero or more instances of this attribute MAY be
present in the packet. present in the packet.
0-1 Zero or one instance of this attribute MAY be 0-1 Zero or one instance of this attribute MAY be
present in the packet. present in the packet.
4. IANA Considerations 4. Diameter Considerations
Diameter needs to define identical attributes with the same Type
values. The attributes should be available as part of the NASREQ
application [RFC4005], as well as the Diameter EAP application
[RFC4072].
5. IANA Considerations
This specification does not create any new registries. This specification does not create any new registries.
This document uses the RADIUS [RFC2865] namespace, see This document uses the RADIUS [RFC2865] namespace, see
<http://www.iana.org/assignments/radius-types>. Allocation of four <http://www.iana.org/assignments/radius-types>. Allocation of four
updates for the section "RADIUS Attribute Types" is requested. The updates for the section "RADIUS Attribute Types" is requested. The
RADIUS attributes for which values are requested are: RADIUS attributes for which values are requested are:
TBD - Egress-VLANID TBD - Egress-VLANID
TBD - Ingress-Filters TBD - Ingress-Filters
TBD - Egress-VLAN-Name TBD - Egress-VLAN-Name
TBD - User-Priority-Table TBD - User-Priority-Table
5. Security Considerations 6. Security Considerations
Since this document describes the use of RADIUS for purposes of This specification describes the use of RADIUS for purposes of
authentication and authorization, and accounting in IEEE 802.1X- authentication, authorization and accounting in networks supporting
enabled networks, it is vulnerable to all of the threats that are [IEEE 802.1X]. Threats and security issues for this application are
present in other RADIUS applications. For a discussion of these described in [RFC3579] and [RFC3580]; security issues encountered in
threats, see [RFC2607], [RFC3162], [RFC3579], and [RFC3580]. roaming are described in [RFC2607].
This document specifies new attributes that can be included in This document specifies new attributes that can be included in
existing RADIUS packets. These packets are protected as described in existing RADIUS packets, which are protected as described in
[RFC3579] and [RFC3576]; see those documents for a more detailed [RFC3579] and [RFC3576]. See those documents for a more detailed
description and related security considerations. description.
The security mechanisms in [RFC3579] and [RFC3576] are primarily The security mechanisms described in [RFC3579] and [RFC3576] are
concerned with an attacker attempting to spoof or modify messages in focused on preventing an attacker from spoofing packets or modifying
transit. They do not prevent an authorized RADIUS server or proxy packets in transit. They do not prevent an authorized RADIUS server
from inserting attributes with malicious intent. or proxy from inserting attributes with malicious intent.
For example, modifications to VLAN attributes may enable access to VLAN attributes sent by a RADIUS server or proxy may enable access to
unauthorized VLANs. These vulnerabilities can be limited by unauthorized VLANs. These vulnerabilities can be limited by
performing authorization checks at the NAS. For instance, a NAS can performing authorization checks at the NAS. For example, a NAS can
be configured to accept only certain VLAN-IDs from a given RADIUS be configured to accept only certain VLANIDs from a given RADIUS
server/proxy. server/proxy.
6. References Similarly, an attacker gaining control of a RADIUS server or proxy
can modify the user priority table, causing either degradation of
quality of service (by downgrading user priority of packets arriving
at a port), or denial of service (by raising the level of priority of
traffic at multiple ports of a device, oversubscribing the switch or
link capabilities).
6.1. Normative references 7. References
7.1. Normative references
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March, 1997. Requirement Levels", RFC 2119, March, 1997.
[RFC2674] Bell, E., Smith, A., Langille, P., Rijhsinghani, A.,
McCloghrie, K., Definitions of Managed Objects for Bridges
with Traffic Classes, Multicast Filtering and Virtual LAN
Extensions", RFC 2674, August 1999.
[RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote [RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote
Authentication Dial In User Service (RADIUS)", RFC 2865, June Authentication Dial In User Service (RADIUS)", RFC 2865, June
2000. 2000.
[RFC3575] Aboba, B., "IANA Considerations for RADIUS", RFC 3575, July [RFC3575] Aboba, B., "IANA Considerations for RADIUS", RFC 3575, July
2003. 2003.
[RFC3629] Yergeau, F., "UTF-8, a transformation of ISO 10646", RFC 2607, [RFC3629] Yergeau, F., "UTF-8, a transformation of ISO 10646", RFC 2607,
November 2003. November 2003.
[RFC4363] Levi, D. and D. Harrington, "Definitions of Managed Objects
for Bridges with Traffic Classes, Multicast Filtering and
Virtual LAN Extensions", RFC 4363, January 2006.
[IEEE-802] [IEEE-802]
IEEE Standards for Local and Metropolitan Area Networks: IEEE Standards for Local and Metropolitan Area Networks:
Overview and Architecture, ANSI/IEEE Std 802, 1990. Overview and Architecture, ANSI/IEEE Std 802, 1990.
[IEEE-802.1D] [IEEE-802.1D]
IEEE Standards for Local and Metropolitan Area Networks: Media IEEE Standards for Local and Metropolitan Area Networks: Media
Access Control (MAC) Bridges, IEEE Std 802.1D-2004, June 2004. Access Control (MAC) Bridges, IEEE Std 802.1D-2004, June 2004.
[IEEE-802.1Q] [IEEE-802.1Q]
IEEE Standards for Local and Metropolitan Area Networks: Draft IEEE Standards for Local and Metropolitan Area Networks: Draft
Standard for Virtual Bridged Local Area Networks, Standard for Virtual Bridged Local Area Networks,
P802.1Q-2003, January 2003. P802.1Q-2003, January 2003.
[IEEE-802.1X] [IEEE-802.1X]
IEEE Standards for Local and Metropolitan Area Networks: Port IEEE Standards for Local and Metropolitan Area Networks: Port
based Network Access Control, IEEE Std 802.1X-2004, August based Network Access Control, IEEE Std 802.1X-2004, August
2004. 2004.
6.2. Informative references 7.2. Informative references
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
Implementation in Roaming", RFC 2607, June 1999. Implementation in Roaming", RFC 2607, June 1999.
[RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M.
and I. Goyret, "RADIUS Attributes for Tunnel Protocol and I. Goyret, "RADIUS Attributes for Tunnel Protocol
Support", RFC 2868, June 2000. Support", RFC 2868, June 2000.
[RFC3162] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IPv6", RFC
3162, August 2001.
[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba,
"Dynamic Authorization Extensions to Remote Authentication "Dynamic Authorization Extensions to Remote Authentication
Dial In User Service (RADIUS)", RFC 3576, July 2003. Dial In User Service (RADIUS)", RFC 3576, July 2003.
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS Support for Extensible [RFC3579] Aboba, B. and P. Calhoun, "RADIUS Support for Extensible
Authentication Protocol (EAP)", RFC 3579, September 2003. Authentication Protocol (EAP)", RFC 3579, September 2003.
[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., Roese, J., "IEEE [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., Roese, J., "IEEE
802.1X Remote Authentication Dial In User Service (RADIUS) 802.1X Remote Authentication Dial In User Service (RADIUS)
Usage Guidelines", RFC3580, September 2003. Usage Guidelines", RFC3580, September 2003.
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J. and H.
Levkowetz, "Extensible Authentication Protocol (EAP)", RFC
3748, June 2004.
[RFC4005] Calhoun, P., Zorn, G., Spence, D. and D. Mitton, "Diameter
Network Access Server Application", RFC 4005, August 2005.
[RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
Authentication Protocol (EAP) Application", RFC 4072, August
2005.
[IEEE-802.3] [IEEE-802.3]
ISO/IEC 8802-3 Information technology - Telecommunications and ISO/IEC 8802-3 Information technology - Telecommunications and
information exchange between systems - Local and metropolitan information exchange between systems - Local and metropolitan
area networks - Common specifications - Part 3: Carrier Sense area networks - Common specifications - Part 3: Carrier Sense
Multiple Access with Collision Detection (CSMA/CD) Access Multiple Access with Collision Detection (CSMA/CD) Access
Method and Physical Layer Specifications, (also ANSI/IEEE Std Method and Physical Layer Specifications, (also ANSI/IEEE Std
802.3- 1996), 1996. 802.3- 1996), 1996.
[IEEE-802.11] [IEEE-802.11]
Information technology - Telecommunications and information Information technology - Telecommunications and information
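Review bot: the Security Considerations now cover a compromised or misbehaving RADIUS server or proxy abusing the VLAN attributes and the User-Priority-Table, but the only mitigation offered (a NAS "configured to accept only certain VLANIDs from a given RADIUS server/proxy") is stated for VLANs alone. Suggest extending the same NAS-side policy to the other attributes: a NAS MAY restrict the priority values a given server may assign, MAY refuse to set Ingress-Filters to "Disabled" on ports where it enforces VLAN membership, and needs the same per-server restriction for Egress-VLAN-Name, since a name resolves to a VLANID only on the NAS. Section 4 (Diameter Considerations) is too thin to act on: "identical attributes with the same Type values" should state that the AVP Codes equal the RADIUS attribute types and which translation rules from [RFC4005] apply. Citation errors in this region: "[IEEE-8021.D]" in the Annex G sentence should be "[IEEE-802.1D]"; "[IEEE 802.1X]" in the first security paragraph should be "[IEEE-802.1X]" to match the reference list; and the [RFC3629] entry gives the RFC number as "RFC 2607" instead of RFC 3629.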
 End of changes. 38 change blocks. 
98 lines changed or deleted 122 lines changed or added

This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/