draft-ietf-radext-vlan-02.txt | draft-ietf-radext-vlan-03.txt | |||
---|---|---|---|---|
Network Working Group Paul Congdon | Network Working Group Paul Congdon | |||
INTERNET-DRAFT Mauricio Sanchez | INTERNET-DRAFT Mauricio Sanchez | |||
Category: Proposed Standard Hewlett-Packard Company | Category: Proposed Standard Hewlett-Packard Company | |||
<draft-ietf-radext-vlan-02.txt> Bernard Aboba | <draft-ietf-radext-vlan-03.txt> Bernard Aboba | |||
26 March 2006 Microsoft Corporation | 12 April 2006 Microsoft Corporation | |||
RADIUS Attributes for Virtual LAN and Priority Support | RADIUS Attributes for Virtual LAN and Priority Support | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
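Review bot: the expiration date was not recomputed when the submission date changed. This block moves the header from 26 March 2006 to 12 April 2006, but the boilerplate line that follows still reads "This Internet-Draft will expire on October 10, 2006." on both sides. Derive the -03 expiry from the new submission date so the header and the boilerplate agree.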
skipping to change at page 1, line 42 | skipping to change at page 1, line 42 | |||
This Internet-Draft will expire on October 10, 2006. | This Internet-Draft will expire on October 10, 2006. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society 2006. | Copyright (C) The Internet Society 2006. | |||
Abstract | Abstract | |||
This document proposes additional RADIUS (Remote Authentication Dial | This document proposes additional RADIUS (Remote Authentication Dial | |||
In User Service) attributes for dynamic Virtual LAN assignment and | In User Service) attributes for dynamic Virtual LAN assignment and | |||
prioritization, for use by IEEE 802.1X authenticators. These | prioritization, for use in provisioning of access to IEEE 802 local | |||
attributes are usable within either RADIUS or Diameter. | area networks. These attributes are usable within either RADIUS or | |||
Diameter. | ||||
Table of Contents | Table of Contents | |||
1. Introduction .......................................... 3 | 1. Introduction .......................................... 3 | |||
1.1 Terminology ..................................... 3 | 1.1 Terminology ..................................... 3 | |||
1.2 Requirements Language ........................... 3 | 1.2 Requirements Language ........................... 3 | |||
1.3 Attribute Interpretation ........................ 4 | 1.3 Attribute Interpretation ........................ 3 | |||
2. Attributes ............................................ 4 | 2. Attributes ............................................ 4 | |||
2.1 Egress-VLANID ................................... 4 | 2.1 Egress-VLANID ................................... 4 | |||
2.2 Ingress-Filters ................................. 5 | 2.2 Ingress-Filters ................................. 5 | |||
2.3 Egress-VLAN-Name ................................ 6 | 2.3 Egress-VLAN-Name ................................ 6 | |||
2.4 User-Priority-Table ............................. 7 | 2.4 User-Priority-Table ............................. 7 | |||
3. Table of Attributes ................................... 8 | 3. Table of Attributes ................................... 9 | |||
4. Diameter Considerations ............................... 9 | 4. Diameter Considerations ............................... 9 | |||
5. IANA Considerations ................................... 9 | 5. IANA Considerations ................................... 9 | |||
6. Security Considerations ............................... 9 | 6. Security Considerations ............................... 9 | |||
7. References ............................................ 10 | 7. References ............................................ 10 | |||
7.1 Normative References ............................ 10 | 7.1 Normative References ............................ 10 | |||
7.2 Informative References .......................... 10 | 7.2 Informative References .......................... 11 | |||
ACKNOWLEDGMENTS .............................................. 12 | ACKNOWLEDGMENTS .............................................. 11 | |||
AUTHORS' ADDRESSES ........................................... 12 | AUTHORS' ADDRESSES ........................................... 12 | |||
Intellectual Property Statement............................... 13 | Intellectual Property Statement............................... 12 | |||
Disclaimer of Validity........................................ 13 | Disclaimer of Validity........................................ 13 | |||
Full Copyright Statement ..................................... 13 | Full Copyright Statement ..................................... 13 | |||
1. Introduction | 1. Introduction | |||
IEEE 802.1X [IEEE-802.1X] provides "network port authentication" for | ||||
IEEE 802 [IEEE-802] media, including Ethernet [IEEE-802.3], Token | ||||
Ring and 802.11 wireless LANs [IEEE-802.11][IEEE-802.11i]. | ||||
This document describes Virtual LAN (VLAN) and re-prioritization | This document describes Virtual LAN (VLAN) and re-prioritization | |||
attributes that may prove useful for provisioning of access to IEEE | attributes that may prove useful for provisioning of access to IEEE | |||
802 local area networks with the Remote Authentication Dialin User | 802 local area networks [IEEE-802] with the Remote Authentication | |||
Service (RADIUS). | Dialin User Service (RADIUS). | |||
While [RFC3580] enables support for VLAN assignment based on the | While [RFC3580] enables support for VLAN assignment based on the | |||
tunnel attributes defined in [RFC2868], it does not provide support | tunnel attributes defined in [RFC2868], it does not provide support | |||
for a more complete set of VLAN functionality as defined by | for a more complete set of VLAN functionality as defined by | |||
[IEEE-802.1Q]. The attributes defined in this document provide | [IEEE-802.1Q]. The attributes defined in this document provide | |||
support within RADIUS analogous to the management variables supported | support within RADIUS analogous to the management variables supported | |||
in [IEEE-802.1Q] and MIB objects defined in [RFC4363]. In addition, | in [IEEE-802.1Q] and MIB objects defined in [RFC4363]. In addition, | |||
this document enables support for a wider range of [IEEE-802.1X] | this document enables support for a wider range of [IEEE-802.1X] | |||
configurations. | configurations. | |||
1.1. Terminology | 1.1. Terminology | |||
This document uses the following terms: | This document uses the following terms: | |||
Authenticator | ||||
The end of the link initiating EAP authentication. The term | ||||
authenticator is used in [RFC3748] and [IEEE-802.1X], and has the | ||||
same meaning in this document. | ||||
backend authentication server | ||||
A backend authentication server is an entity that provides an | ||||
authentication service to an authenticator. When used, this server | ||||
typically executes EAP methods for the authenticator. This | ||||
terminology is also used in [IEEE-802.1X]. | ||||
Network Access Server (NAS) | Network Access Server (NAS) | |||
A device that provides an access service for a user to a network. | A device that provides an access service for a user to a network. | |||
Supplicant | ||||
The end of the link that responds to the authenticator in | ||||
[IEEE-802.1X]. | ||||
1.2. Requirements Language | 1.2. Requirements Language | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
1.3. Attribute Interpretation | 1.3. Attribute Interpretation | |||
If a NAS conforming to this specification receives an Access-Accept | If a NAS conforming to this specification receives an Access-Accept | |||
packet containing an attribute defined in this document which it | packet containing an attribute defined in this document which it | |||
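Review bot: the Introduction is now inconsistent about IEEE 802.1X. This block removes the opening paragraph that introduced 802.1X port authentication and drops the Authenticator, backend authentication server and Supplicant terms, and the Abstract is reworded to cover provisioning of access to IEEE 802 LANs in general, yet the last sentence of the Introduction still says the document "enables support for a wider range of [IEEE-802.1X] configurations" with nothing left that explains what an 802.1X configuration is here. Either keep a one-sentence statement that 802.1X authenticators are one (informative) user of these attributes, or drop that sentence. Also, the citation key [IEEE-802.1X] used in that sentence does not match the reference entry, which is keyed [IEEE802.1X].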
skipping to change at page 4, line 30 | skipping to change at page 4, line 15 | |||
2. Attributes | 2. Attributes | |||
2.1. Egress-VLANID | 2.1. Egress-VLANID | |||
Description | Description | |||
The Egress-VLANID attribute represents an allowed IEEE 802 Egress | The Egress-VLANID attribute represents an allowed IEEE 802 Egress | |||
VLANID for this port, indicating if the VLANID is allowed for | VLANID for this port, indicating if the VLANID is allowed for | |||
tagged or untagged packets as well as the VLANID. | tagged or untagged packets as well as the VLANID. | |||
Multiple Egress-VLANID attributes MAY be included in an Access- | Multiple Egress-VLANID attributes MAY be included in Access- | |||
Request, Access-Accept or CoA-Request packet; this attribute MUST | Request, Access-Accept, CoA-Request or Accounting-Request packets; | |||
NOT be sent within an Access-Challenge, Access-Reject, Disconnect- | this attribute MUST NOT be sent within an Access-Challenge, | |||
Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, or CoA-NAK. | Access-Reject, Disconnect-Request, Disconnect-ACK, Disconnect-NAK, | |||
Each attribute adds the specified VLAN to the list of allowed | CoA-ACK or CoA-NAK. Each attribute adds the specified VLAN to the | |||
egress VLANs for the port. | list of allowed egress VLANs for the port. | |||
The Egress-VLANID attribute is shown below. The fields are | The Egress-VLANID attribute is shown below. The fields are | |||
transmitted from left to right: | transmitted from left to right: | |||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Type | Length | Integer | | Type | Length | Value | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
Integer | | Value (cont) | | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
Type | Type | |||
TBD | TBD | |||
Length | Length | |||
6 | 6 | |||
Integer | Value | |||
The Integer field is four octets in length. The format is | The Value field is four octets. The format is described below: | |||
described below: | ||||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Tag Indic. | Pad | VLANID | | | Tag Indic. | Pad | VLANID | | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
The Tag Indication field is one octet in length, and indicates | The Tag Indication field is one octet in length, and indicates | |||
whether the frames on the VLAN are tagged (0x31) or untagged | whether the frames on the VLAN are tagged (0x31) or untagged | |||
(0x32). The Pad field is 12-bits in length and MUST be 0 (zero). | (0x32). The Pad field is 12-bits in length and MUST be 0 (zero). | |||
The VLANID is 12-bits in length and contains the [IEEE-802.1Q] | The VLANID is 12-bits in length and contains the [IEEE-802.1Q] | |||
VLAN VID value. | VLAN VID value. | |||
2.2. Ingress-Filters | 2.2. Ingress-Filters | |||
Description | Description | |||
The Ingress-Filters attribute corresponds to Ingress Filter per- | The Ingress-Filters attribute corresponds to the Ingress Filter | |||
port variable defined in [IEEE-802.1Q] clause 8.4.5. When the | per-port variable defined in [IEEE-802.1Q] clause 8.4.5. When the | |||
attribute has the value "Enabled", the set of VLANs that are | attribute has the value "Enabled", the set of VLANs that are | |||
allowed to ingress a port must match the set of VLANs that are | allowed to ingress a port must match the set of VLANs that are | |||
allowed to egress a port. Only a single Ingress-Filters attribute | allowed to egress a port. Only a single Ingress-Filters attribute | |||
MAY be sent within an Access-Request, Access-Accept or CoA-Request | MAY be sent within an Access-Request, Access-Accept, CoA-Request | |||
packet; this attribute MUST NOT be sent within an Access- | or Accounting-Request packet; this attribute MUST NOT be sent | |||
Challenge, Access-Reject, Disconnect-Request, Disconnect-ACK, | within an Access-Challenge, Access-Reject, Disconnect-Request, | |||
Disconnect-NAK, CoA-ACK, or CoA-NAK. | Disconnect-ACK, Disconnect-NAK, CoA-ACK or CoA-NAK. | |||
The Ingress-Filters attribute is shown below. The fields are | The Ingress-Filters attribute is shown below. The fields are | |||
transmitted from left to right: | transmitted from left to right: | |||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Type | Length | Integer | | Type | Length | Value | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
Integer | | Value (cont) | | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
Type | Type | |||
TBD | TBD | |||
Length | Length | |||
6 | 6 | |||
Integer | Value | |||
Supported values include: | The Value field is four octets. Supported values include: | |||
1 - Enabled | 1 - Enabled | |||
2 - Disabled | 2 - Disabled | |||
2.3. Egress-VLAN-Name | 2.3. Egress-VLAN-Name | |||
Description | Description | |||
Clause 12.10.2.1.3 (a) in [IEEE-8021.Q] describes the | Clause 12.10.2.1.3 (a) in [IEEE-8021.Q] describes the | |||
administratively assigned VLAN Name associated with a VLAN-ID | administratively assigned VLAN Name associated with a VLAN-ID | |||
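Review bot: the Egress-VLANID Value description gives a receiver no rule for malformed values. The Pad field "MUST be 0 (zero)" and the Tag Indication has exactly two defined values (0x31, 0x32), but nothing in this block says what a NAS does with a nonzero Pad or an undefined Tag Indication (ignore the attribute, or treat the whole Access-Accept as unusable), and the same gap applies to Ingress-Filters, whose Value defines only 1 and 2. Since both attributes are now also permitted in Accounting-Request packets, state the receiver behaviour here or point explicitly at Section 1.3. The sentence allowing multiple Egress-VLANID attributes in an Access-Request would also benefit from one line on how a server treats NAS-supplied values (a hint, not an authorization). Minor: "[IEEE-8021.Q]" in the Egress-VLAN-Name Description is a typo for [IEEE-802.1Q] carried over unchanged.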
skipping to change at page 6, line 33 | skipping to change at page 6, line 23 | |||
to the Egress-VLANID attribute, except that the VLAN-ID itself is | to the Egress-VLANID attribute, except that the VLAN-ID itself is | |||
not specified or known; rather the VLAN name is used to identify | not specified or known; rather the VLAN name is used to identify | |||
the VLAN within the system. | the VLAN within the system. | |||
The Egress-VLAN-Name attribute contains two parts; the first part | The Egress-VLAN-Name attribute contains two parts; the first part | |||
indicates if frames on the VLAN for this port are to be | indicates if frames on the VLAN for this port are to be | |||
represented in tagged or untagged format, the second part is the | represented in tagged or untagged format, the second part is the | |||
VLAN name. | VLAN name. | |||
Multiple Egress-VLAN-Name attributes MAY be included within an | Multiple Egress-VLAN-Name attributes MAY be included within an | |||
Access-Request, Access-Accept or CoA-Request packet; this | Access-Request, Access-Accept, CoA-Request or Accounting-Request | |||
attribute MUST NOT be sent within an Access-Challenge, Access- | packet; this attribute MUST NOT be sent within an Access- | |||
Reject, Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA- | Challenge, Access-Reject, Disconnect-Request, Disconnect-ACK, | |||
ACK, or CoA-NAK. Each attribute adds the named VLAN to the list | Disconnect-NAK, CoA-ACK or CoA-NAK. Each attribute adds the named | |||
of allowed egress VLANs for the port. The Egress-VLAN-Name | VLAN to the list of allowed egress VLANs for the port. The | |||
attribute is shown below. The fields are transmitted from left to | Egress-VLAN-Name attribute is shown below. The fields are | |||
right: | transmitted from left to right: | |||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Type | Length | Tag Indic. | String... | | Type | Length | Tag Indic. | String... | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
Type | Type | |||
TBD | TBD | |||
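Review bot: allowing Egress-VLAN-Name in Accounting-Request conflicts with its own Description. The text says the attribute is used when "the VLAN-ID itself is not specified or known; rather the VLAN name is used to identify the VLAN within the system", but by the time a NAS sends accounting it has resolved the name to a VLAN. Say whether the NAS reports the name it was given, the resolved Egress-VLANID, or both, so that accounting records from different vendors are comparable.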
skipping to change at page 7, line 4 | skipping to change at page 6, line 40 | |||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Type | Length | Tag Indic. | String... | | Type | Length | Tag Indic. | String... | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
Type | Type | |||
TBD | TBD | |||
Length | Length | |||
>=4 | >=4 | |||
Tag Indication | Tag Indication | |||
The Tag Indication field is one octet in length, and indicates | The Tag Indication field is one octet in length, and indicates | |||
whether the frames on the VLAN are tagged (0x31) or untagged | whether the frames on the VLAN are tagged (0x31, ASCII '1') or | |||
(0x32). | untagged (0x32, ASCII '2'). These values were chosen so as to | |||
make them easier for users to enter. | ||||
String | String | |||
The String field is at least one octet in length, and contains the | The String field is at least one octet in length, and contains the | |||
the VLAN Name as defined in [IEEE-802.1Q] clause 12.10.2.1.3 (a). | the VLAN Name as defined in [IEEE-802.1Q] clause 12.10.2.1.3 (a). | |||
[RFC3629] UTF-8 encoded 10646 characters are RECOMMENDED, but a | [RFC3629] UTF-8 encoded 10646 characters are RECOMMENDED, but a | |||
robust implementation SHOULD support the field as undistinguished | robust implementation SHOULD support the field as undistinguished | |||
octets. | octets. | |||
2.4. User-Priority-Table | 2.4. User-Priority-Table | |||
Description | Description | |||
[IEEE-802.1D] clause 7.5.1 discusses how to regenerate (or re-map) | [IEEE-802.1D] clause 7.5.1 discusses how to regenerate (or re-map) | |||
user priority on frames received at a port. This per-port | user priority on frames received at a port. This per-port | |||
configuration enables a bridge to cause the priority of received | configuration enables a bridge to cause the priority of received | |||
traffic at a port to be mapped to a particular priority. The | traffic at a port to be mapped to a particular priority. | |||
management variables are described in clause 14.6.2.2. | [IEEE-802.1D] clause 6.3.9 describes the use of remapping: | |||
The ability to signal user priority in IEEE 802 LANs allows | ||||
user priority to be carried with end-to-end significance across | ||||
a Bridged Local Area Network. This, coupled with a consistent | ||||
approach to the mapping of user priority to traffic classes and | ||||
of user priority to access_priority, allows consistent use of | ||||
priority information, according to the capabilities of the | ||||
Bridges and MACs in the transmission path... | ||||
Under normal circumstances, user priority is not modified in | ||||
transit through the relay function of a Bridge; however, | ||||
network management can control how user priority is propagated. | ||||
Table 7-1 provides the ability to map incoming user priority | ||||
values on a per-Port basis. By default, the regenerated user | ||||
priority is identical to the incoming user priority. | ||||
This attribute represents the IEEE 802 prioritization that will be | This attribute represents the IEEE 802 prioritization that will be | |||
applied to packets arriving at this port. There are eight | applied to packets arriving at this port. There are eight | |||
possible user priorities, according to the [IEEE-802] standard. A | possible user priorities, according to the [IEEE-802] standard. | |||
single User-Priority-Table attribute MAY be included in an Access- | [IEEE-802.1D] clause 14.6.2.3.3 specifies the regeneration table | |||
Request, Access-Accept or CoA-Request packet; this attribute MUST | as 8 values, each an integer in the range 0-7. The management | |||
NOT be sent within an Access-Challenge, Access-Reject, Disconnect- | variables are described in clause 14.6.2.2. | |||
Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, or CoA-NAK. | ||||
A single User-Priority-Table attribute MAY be included in an | ||||
Access-Accept or CoA-Request packet; this attribute MUST NOT be | ||||
sent within an Access-Request, Access-Challenge, Access-Reject, | ||||
Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, CoA- | ||||
NAK or Accounting-Request. Since the regeneration table is only | ||||
maintained by a bridge conforming to [IEEE-802.1D], this attribute | ||||
should only be sent to a RADIUS client supporting that | ||||
specification. | ||||
The User-Priority-Table attribute is shown below. The fields are | The User-Priority-Table attribute is shown below. The fields are | |||
transmitted from left to right: | transmitted from left to right: | |||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Type | Length | String | | Type | Length | String | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
String | String | |||
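Review bot: the Egress-VLAN-Name String field needs a matching rule, because the name alone decides which VLAN the port is placed in. The block says UTF-8 is RECOMMENDED but a robust implementation SHOULD treat the field as undistinguished octets, and it gives neither an upper bound on length nor a statement that the comparison with the configured VLAN Name (clause 12.10.2.1.3 (a)) is octet-exact; two names differing only in case or normalization could silently select the wrong VLAN or fail the lookup. State octet-exact comparison (or whatever rule the NAS applies) and the behaviour when no VLAN of that name exists. On User-Priority-Table, the new sentence "this attribute should only be sent to a RADIUS client supporting that specification" uses a lowercase "should" in a document that relies on RFC 2119 keywords, and nothing shown here lets a server learn whether the client is an [IEEE-802.1D] bridge; rewrite it as a SHOULD NOT with the condition, or say that a NAS that does not maintain the regeneration table handles the attribute per Section 1.3.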
skipping to change at page 8, line 15 | skipping to change at page 8, line 29 | |||
TBD | TBD | |||
Length | Length | |||
10 | 10 | |||
String | String | |||
The String field is 8 octets in length, and includes a table which | The String field is 8 octets in length, and includes a table which | |||
maps the incoming priority (if one exists - the default is 0) into | maps the incoming priority (if it is set - the default is 0) into | |||
one of eight regenerated priorities. The first octet maps to | one of eight regenerated priorities. The first octet maps to | |||
incoming priority 0, the second octet to incoming priority 1, etc. | incoming priority 0, the second octet to incoming priority 1, etc. | |||
The values in each octet represent the regenerated priority of the | The values in each octet represent the regenerated priority of the | |||
packet. | packet. | |||
It is thus possible to either remap incoming priorities to more | It is thus possible to either remap incoming priorities to more | |||
appropriate values; or to honor the incoming priorities; or to | appropriate values; to honor the incoming priorities; or to | |||
override any incoming priorities, forcing them to all map to a | override any incoming priorities, forcing them to all map to a | |||
single chosen priority. | single chosen priority. | |||
The [IEEE-8021.D] specification, Annex G, provides a useful | The [IEEE-8021.D] specification, Annex G, provides a useful | |||
description of traffic type - traffic class mappings. | description of traffic type - traffic class mappings. | |||
3. Table of Attributes | 3. Table of Attributes | |||
The following table provides a guide to which attributes may be found | The following table provides a guide to which attributes may be found | |||
in which kinds of packets, and in what quantity. | in which kinds of packets, and in what quantity. | |||
Access- Access- Access- Access- CoA- | Access- Access- Access- Access- CoA- Acct- | |||
Request Accept Reject Challenge Req # Attribute | Request Accept Reject Challenge Req Req # Attribute | |||
0+ 0+ 0 0 0+ TBD Egress-VLANID | 0+ 0+ 0 0 0+ 0+ TBD Egress-VLANID | |||
0-1 0-1 0 0 0-1 TBD Ingress-Filters | 0-1 0-1 0 0 0-1 0-1 TBD Ingress-Filters | |||
0+ 0+ 0 0 0+ TBD Egress-VLAN-Name | 0+ 0+ 0 0 0+ 0+ TBD Egress-VLAN-Name | |||
0-1 0-1 0 0 0-1 TBD User-Priority-Table | 0 0-1 0 0 0-1 0 TBD User-Priority-Table | |||
The following table defines the meaning of the above table entries. | The following table defines the meaning of the above table entries. | |||
0 This attribute MUST NOT be present in the packet. | 0 This attribute MUST NOT be present in the packet. | |||
0+ Zero or more instances of this attribute MAY be | 0+ Zero or more instances of this attribute MAY be | |||
present in the packet. | present in the packet. | |||
0-1 Zero or one instance of this attribute MAY be | 0-1 Zero or one instance of this attribute MAY be | |||
present in the packet. | present in the packet. | |||
4. Diameter Considerations | 4. Diameter Considerations | |||
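Review bot: the User-Priority-Table String description is missing a range check. The revised text above specifies the regeneration table as eight values "each an integer in the range 0-7", but the String field text here only says "The values in each octet represent the regenerated priority of the packet" and never states that each octet MUST be 0-7 or what a NAS does with an octet of 8 or more (ignore the attribute, clamp, or reject). Add the constraint and the receiver behaviour. For the record, the Table of Attributes row for User-Priority-Table (0 in Access-Request and Acct-Req, 0-1 in Access-Accept and CoA-Req) does agree with the revised packet rules, and the new Acct-Req column (0+, 0-1, 0+) agrees with the three VLAN attribute descriptions.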
skipping to change at page 9, line 29 | skipping to change at page 9, line 49 | |||
RADIUS attributes for which values are requested are: | RADIUS attributes for which values are requested are: | |||
TBD - Egress-VLANID | TBD - Egress-VLANID | |||
TBD - Ingress-Filters | TBD - Ingress-Filters | |||
TBD - Egress-VLAN-Name | TBD - Egress-VLAN-Name | |||
TBD - User-Priority-Table | TBD - User-Priority-Table | |||
6. Security Considerations | 6. Security Considerations | |||
This specification describes the use of RADIUS for purposes of | This specification describes the use of RADIUS for purposes of | |||
authentication, authorization and accounting in networks supporting | authentication, authorization and accounting in IEEE 802 local area | |||
[IEEE 802.1X]. Threats and security issues for this application are | networks. Threats and security issues for this application are | |||
described in [RFC3579] and [RFC3580]; security issues encountered in | described in [RFC3579] and [RFC3580]; security issues encountered in | |||
roaming are described in [RFC2607]. | roaming are described in [RFC2607]. | |||
This document specifies new attributes that can be included in | This document specifies new attributes that can be included in | |||
existing RADIUS packets, which are protected as described in | existing RADIUS packets, which are protected as described in | |||
[RFC3579] and [RFC3576]. See those documents for a more detailed | [RFC3579] and [RFC3576]. See those documents for a more detailed | |||
description. | description. | |||
The security mechanisms described in [RFC3579] and [RFC3576] are | The security mechanisms described in [RFC3579] and [RFC3576] are | |||
focused on preventing an attacker from spoofing packets or modifying | focused on preventing an attacker from spoofing packets or modifying | |||
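Review bot: the scope was widened but the threat analysis was not. Section 6 now says the attributes are used in "IEEE 802 local area networks" rather than networks supporting [IEEE 802.1X], yet the threats are still delegated unchanged to [RFC3579] and [RFC3580], and nothing is said about the attributes newly permitted in Accounting-Request or about Egress-VLANID, Egress-VLAN-Name and Ingress-Filters being authorization state that a proxy on a roaming path ([RFC2607]) can alter. Add a sentence on whether the cited analyses cover provisioning outside 802.1X, and one on the consequence of a modified or spoofed VLAN assignment (a port landing on a VLAN it is not entitled to), since that is the asset these attributes control.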
skipping to change at page 10, line 19 | skipping to change at page 10, line 39 | |||
7.1. Normative references | 7.1. Normative references | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", RFC 2119, March, 1997. | Requirement Levels", RFC 2119, March, 1997. | |||
[RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote | [RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote | |||
Authentication Dial In User Service (RADIUS)", RFC 2865, June | Authentication Dial In User Service (RADIUS)", RFC 2865, June | |||
2000. | 2000. | |||
[RFC3575] Aboba, B., "IANA Considerations for RADIUS", RFC 3575, July | [RFC3629] Yergeau, F., "UTF-8, a transformation of ISO 10646", RFC 3629, | |||
2003. | ||||
[RFC3629] Yergeau, F., "UTF-8, a transformation of ISO 10646", RFC 2607, | ||||
November 2003. | November 2003. | |||
[RFC4363] Levi, D. and D. Harrington, "Definitions of Managed Objects | [RFC4363] Levi, D. and D. Harrington, "Definitions of Managed Objects | |||
for Bridges with Traffic Classes, Multicast Filtering and | for Bridges with Traffic Classes, Multicast Filtering and | |||
Virtual LAN Extensions", RFC 4363, January 2006. | Virtual LAN Extensions", RFC 4363, January 2006. | |||
[IEEE-802] | [IEEE-802] | |||
IEEE Standards for Local and Metropolitan Area Networks: | IEEE Standards for Local and Metropolitan Area Networks: | |||
Overview and Architecture, ANSI/IEEE Std 802, 1990. | Overview and Architecture, ANSI/IEEE Std 802, 1990. | |||
[IEEE-802.1D] | [IEEE-802.1D] | |||
IEEE Standards for Local and Metropolitan Area Networks: Media | IEEE Standards for Local and Metropolitan Area Networks: Media | |||
Access Control (MAC) Bridges, IEEE Std 802.1D-2004, June 2004. | Access Control (MAC) Bridges, IEEE Std 802.1D-2004, June 2004. | |||
[IEEE-802.1Q] | [IEEE-802.1Q] | |||
IEEE Standards for Local and Metropolitan Area Networks: Draft | IEEE Standards for Local and Metropolitan Area Networks: Draft | |||
Standard for Virtual Bridged Local Area Networks, | Standard for Virtual Bridged Local Area Networks, | |||
P802.1Q-2003, January 2003. | P802.1Q-2003, January 2003. | |||
7.2. Informative references | ||||
[IEEE802.1X] | [IEEE802.1X] | |||
IEEE Standards for Local and Metropolitan Area Networks: Port | IEEE Standards for Local and Metropolitan Area Networks: Port | |||
based Network Access Control, IEEE Std 802.1X-2004, December | based Network Access Control, IEEE Std 802.1X-2004, December | |||
2004. | 2004. | |||
7.2. Informative references | ||||
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy | [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy | |||
Implementation in Roaming", RFC 2607, June 1999. | Implementation in Roaming", RFC 2607, June 1999. | |||
[RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. | [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. | |||
and I. Goyret, "RADIUS Attributes for Tunnel Protocol | and I. Goyret, "RADIUS Attributes for Tunnel Protocol | |||
Support", RFC 2868, June 2000. | Support", RFC 2868, June 2000. | |||
[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, | [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, | |||
"Dynamic Authorization Extensions to Remote Authentication | "Dynamic Authorization Extensions to Remote Authentication | |||
Dial In User Service (RADIUS)", RFC 3576, July 2003. | Dial In User Service (RADIUS)", RFC 3576, July 2003. | |||
skipping to change at page 11, line 31 | skipping to change at page 11, line 46 | |||
Levkowetz, "Extensible Authentication Protocol (EAP)", RFC | Levkowetz, "Extensible Authentication Protocol (EAP)", RFC | |||
3748, June 2004. | 3748, June 2004. | |||
[RFC4005] Calhoun, P., Zorn, G., Spence, D. and D. Mitton, "Diameter | [RFC4005] Calhoun, P., Zorn, G., Spence, D. and D. Mitton, "Diameter | |||
Network Access Server Application", RFC 4005, August 2005. | Network Access Server Application", RFC 4005, August 2005. | |||
[RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible | [RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible | |||
Authentication Protocol (EAP) Application", RFC 4072, August | Authentication Protocol (EAP) Application", RFC 4072, August | |||
2005. | 2005. | |||
[IEEE-802.3] | ||||
ISO/IEC 8802-3 Information technology - Telecommunications and | ||||
information exchange between systems - Local and metropolitan | ||||
area networks - Common specifications - Part 3: Carrier Sense | ||||
Multiple Access with Collision Detection (CSMA/CD) Access | ||||
Method and Physical Layer Specifications, (also ANSI/IEEE Std | ||||
802.3- 1996), 1996. | ||||
[IEEE-802.11] | ||||
Information technology - Telecommunications and information | ||||
exchange between systems - Local and metropolitan area | ||||
networks - Specific Requirements Part 11: Wireless LAN Medium | ||||
Access Control (MAC) and Physical Layer (PHY) Specifications, | ||||
IEEE Std. 802.11- 2003, 2003. | ||||
[IEEE802.11i] | ||||
Institute of Electrical and Electronics Engineers, "Supplement | ||||
to Standard for Telecommunications and Information Exchange | ||||
Between Systems - LAN/MAN Specific Requirements - Part 11: | ||||
Wireless LAN Medium Access Control (MAC) and Physical Layer | ||||
(PHY) Specifications: Specification for Enhanced Security", | ||||
IEEE 802.11i, July 2004. | ||||
Acknowledgments | Acknowledgments | |||
The authors would like to acknowledge Joseph Salowey of Cisco, David | The authors would like to acknowledge Joseph Salowey of Cisco, David | |||
Nelson of Enterasys, Chuck Black of Hewlett Packard, and Ashwin | Nelson of Enterasys, Chuck Black of Hewlett Packard, and Ashwin | |||
Palekar of Microsoft. | Palekar of Microsoft. | |||
Authors' Addresses | Authors' Addresses | |||
Paul Congdon | Paul Congdon | |||
Hewlett Packard Company | Hewlett Packard Company | |||
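Review bot: the reference list should be re-checked against the citations after the removals. Dropping [IEEE-802.3], [IEEE-802.11] and [IEEE802.11i] is consistent with the removed introductory paragraph that cited them, but [RFC3748] stays in the informative list although the terminology entries that cited it were removed in the same revision, and [RFC3575] was dropped from the normative list without the IANA Considerations text being shown here; confirm that each remaining entry is still cited and that Section 5 no longer cites RFC 3575. The correction of the [RFC3629] entry from "RFC 2607" to "RFC 3629" is right.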
End of changes. 36 change blocks. | ||||
106 lines changed or deleted | 88 lines changed or added | |||
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |