draft-ietf-radext-vlan-05.txt vs. draft-ietf-radext-vlan-06.txt (rfcdiff)

Network Working Group                                      Paul Congdon
INTERNET-DRAFT                                          Mauricio Sanchez
Category: Proposed Standard                     Hewlett-Packard Company
<draft-ietf-radext-vlan-05.txt> (-05)                     Bernard Aboba
<draft-ietf-radext-vlan-06.txt> (-06)             Microsoft Corporation
1 May 2006 (-05) / 11 June 2006 (-06)

        RADIUS Attributes for Virtual LAN and Priority Support
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that

[skipping to change at page 1, line 32]

and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on November 10, 2006 (-05) /
December 10, 2006 (-06).

Copyright Notice

Copyright (C) The Internet Society 2006.

Abstract

This document proposes additional RADIUS (Remote Authentication Dial
In User Service) attributes for dynamic Virtual LAN assignment and
prioritization, for use in provisioning of access to IEEE 802 local

[skipping to change at page 2, line 15]
Table of Contents                                         -05  -06

1. Introduction ..........................................  3    3
   1.1 Terminology .......................................  3    3
   1.2 Requirements Language .............................  3    3
   1.3 Attribute Interpretation ..........................  3    3
2. Attributes ............................................  4    4
   2.1 Egress-VLANID .....................................  4    4
   2.2 Ingress-Filters ...................................  5    5
   2.3 Egress-VLAN-Name ..................................  6    6
   2.4 User-Priority-Table ...............................  7    8
3. Table of Attributes ................................... 9    9
4. Diameter Considerations ............................... 10   10
5. IANA Considerations ................................... 10   10
6. Security Considerations ............................... 10   11
7. References ............................................ 11   12
   7.1 Normative References .............................. 11   12
   7.2 Informative References ............................ 11   12
ACKNOWLEDGMENTS .......................................... 12   13
AUTHORS' ADDRESSES ....................................... 12   13
Intellectual Property Statement .......................... 13   14
Disclaimer of Validity ................................... 13   14
Full Copyright Statement ................................. 13   14
1. Introduction

This document describes Virtual LAN (VLAN) and re-prioritization
attributes that may prove useful for provisioning of access to IEEE
802 local area networks [IEEE-802] with the Remote Authentication
Dialin User Service (RADIUS) or Diameter. [-05: "(RADIUS)." with no
mention of Diameter]

While [RFC3580] enables support for VLAN assignment based on the
tunnel attributes defined in [RFC2868], it does not provide support
for a more complete set of VLAN functionality as defined by
[IEEE-802.1Q]. The attributes defined in this document provide
support within RADIUS and Diameter [-05: "within RADIUS"] analogous
to the management variables supported in [IEEE-802.1Q] and MIB
objects defined in [RFC4363]. In addition, this document enables
support for a wider range of [IEEE-802.1X] configurations.
1.1. Terminology

This document uses the following terms:

Network Access Server (NAS)
   A device that provides an access service for a user to a network.
   Also known as a RADIUS client. [sentence added in -06]

RADIUS server [definition added in -06]
   A RADIUS authentication server is an entity that provides an
   authentication service to a NAS.

RADIUS proxy [definition added in -06]
   A RADIUS proxy acts as an authentication server to the NAS, and a
   RADIUS client to the RADIUS server.
1.2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].

1.3. Attribute Interpretation

The attributes described in this document apply to a single instance

[skipping to change at page 10, line 7 (-05) / page 10, line 13 (-06)]
The following table defines the meaning of the above table entries.

0     This attribute MUST NOT be present in the packet.
0+    Zero or more instances of this attribute MAY be
      present in the packet.
0-1   Zero or one instance of this attribute MAY be
      present in the packet.
4. Diameter Considerations

-05 text:

   Diameter needs to define identical attributes with the same Type
   values. The attributes should be available as part of the NASREQ
   application [RFC4005], as well as the Diameter EAP application
   [RFC4072].

-06 text:

   When used in Diameter, the attributes defined in this specification
   can be used as Diameter AVPs from the Code space 1-255 (RADIUS
   attribute compatibility space). No additional Diameter Code values
   are therefore allocated. The data types and flag rules for the
   attributes are as follows:

                                          +---------------------+
                                          |    AVP Flag rules   |
                                          |----+-----+----+-----|----+
                                          |    |     |SHLD| MUST|    |
   Attribute Name      Value Type         |MUST| MAY | NOT|  NOT|Encr|
   ---------------------------------------|----+-----+----+-----|----|
   Egress-VLANID       OctetString        | M  |  P  |    |  V  | Y  |
   Ingress-Filters     Enumerated         | M  |  P  |    |  V  | Y  |
   Egress-VLAN-Name    UTF8String         | M  |  P  |    |  V  | Y  |
   User-Priority-Table OctetString        | M  |  P  |    |  V  | Y  |
   ---------------------------------------|----+-----+----+-----|----|

   The attributes in this specification have no special translation
   requirements for Diameter to RADIUS or RADIUS to Diameter gateways;
   they are copied as is, except for changes relating to headers,
   alignment, and padding. See also [RFC3588] Section 4.1 and
   [RFC4005] Section 9.

   What this specification says about the applicability of the
   attributes for RADIUS Access-Request packets applies in Diameter to
   AA-Request [RFC4005] or Diameter-EAP-Request [RFC4072]. What is
   said about Access-Challenge applies in Diameter to AA-Answer
   [RFC4005] or Diameter-EAP-Answer [RFC4072] with Result-Code AVP set
   to DIAMETER_MULTI_ROUND_AUTH.

   What is said about Access-Accept applies in Diameter to AA-Answer or
   Diameter-EAP-Answer messages that indicate success. Similarly, what
   is said about RADIUS Access-Reject packets applies in Diameter to
   AA-Answer or Diameter-EAP-Answer messages that indicate failure.

   What is said about COA-Request applies in Diameter to
   Re-Auth-Request [RFC4005].

   What is said about Accounting-Request applies to Diameter
   Accounting-Request [RFC4005] as well.
5. IANA Considerations

This specification does not create any new registries.

This document uses the RADIUS [RFC2865] namespace, see
<http://www.iana.org/assignments/radius-types>. Allocation of four
updates for the section "RADIUS Attribute Types" is requested. The
RADIUS attributes for which values are requested are:

   TBD - Egress-VLANID
   TBD - Ingress-Filters
   TBD - Egress-VLAN-Name
   TBD - User-Priority-Table
6. Security Considerations

(-06 text. The -05 text is the same except that it refers to RADIUS
only: it has no sentence on Diameter security issues in the first
paragraph and no [RFC3588] sentence in the second, its third paragraph
opens "The security mechanisms described in [RFC3579] and [RFC3576]
are focused on", and it says "RADIUS server or proxy" wherever -06
says "RADIUS/Diameter server or proxy".)

This specification describes the use of RADIUS and Diameter for
purposes of authentication, authorization and accounting in IEEE 802
local area networks. RADIUS threats and security issues for this
application are described in [RFC3579] and [RFC3580]; security issues
encountered in roaming are described in [RFC2607]. For Diameter, the
security issues relating to this application are described in
[RFC4005] and [RFC4072].

This document specifies new attributes that can be included in
existing RADIUS packets, which are protected as described in
[RFC3579] and [RFC3576]. In Diameter, the attributes are protected
as specified in [RFC3588]. See those documents for a more detailed
description.

The security mechanisms supported in RADIUS and Diameter are focused
on preventing an attacker from spoofing packets or modifying packets
in transit. They do not prevent an authorized RADIUS/Diameter server
or proxy from inserting attributes with malicious intent.

VLAN attributes sent by a RADIUS/Diameter server or proxy may enable
access to unauthorized VLANs. These vulnerabilities can be limited
by performing authorization checks at the NAS. For example, a NAS
can be configured to accept only certain VLANIDs from a given
RADIUS/Diameter server/proxy.

Similarly, an attacker gaining control of a RADIUS/Diameter server or
proxy can modify the user priority table, causing either degradation
of quality of service (by downgrading user priority of frames
arriving at a port), or denial of service (by raising the level of
priority of traffic at multiple ports of a device, oversubscribing
the switch or link capabilities).
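The NAS-side authorization check the last two paragraphs recommend, as an added example that is not part of either draft: a per-server allowlist of VLANIDs plus a cap on the priority a server may regenerate, applied before any Egress-VLANID or User-Priority-Table value is acted on. Section 2 is not reproduced on this page, so the wire formats are assumed from the published RFC 4675 (Egress-VLANID: 1-octet tag indication 0x31 tagged / 0x32 untagged, 12 zero pad bits, 12-bit VLANID; User-Priority-Table: 8 octets, one regenerated priority 0..7 per incoming priority), and the policy shape is constructed for the example.

```python
# Added example, not draft text: NAS-side authorization of VLAN and priority
# attributes from a RADIUS/Diameter server or proxy. Wire formats assumed from
# the published RFC 4675: Egress-VLANID = tag indication (0x31 tagged, 0x32
# untagged) + 12 zero pad bits + 12-bit VLANID; User-Priority-Table = 8 octets,
# the regenerated priority (0..7) for each incoming priority 0..7.
TAGGED, UNTAGGED = 0x31, 0x32

def parse_egress_vlanid(value: bytes) -> tuple[bool, int]:
    """Decode Egress-VLANID into (tagged, vlanid); raise ValueError if malformed."""
    if len(value) != 4:
        raise ValueError("must be exactly 4 octets")
    tag, rest = value[0], int.from_bytes(value[1:], "big")
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError("unknown tag indication 0x%02x" % tag)
    if rest >> 12:                       # the 12 pad bits must be zero
        raise ValueError("non-zero pad bits")
    vlanid = rest & 0x0FFF
    if vlanid in (0, 4095):              # reserved by IEEE 802.1Q
        raise ValueError("reserved VLANID %d" % vlanid)
    return tag == TAGGED, vlanid

def parse_priority_table(value: bytes) -> list[int]:
    """Decode User-Priority-Table into 8 regenerated priorities, each 0..7."""
    if len(value) != 8 or any(p > 7 for p in value):
        raise ValueError("must be 8 octets with values 0..7")
    return list(value)

def authorize_vlan_attrs(server, attrs, policy):
    """Return (ok, reason). policy maps a server/proxy identity to the VLAN IDs
    it may assign at this NAS and the highest regenerated priority it may grant;
    this allowlist shape is constructed for the example."""
    allowed = policy.get(server)
    if allowed is None:
        return False, "no VLAN policy for server %s" % server
    for name, value in attrs:
        try:
            if name == "Egress-VLANID":
                _, vlanid = parse_egress_vlanid(value)
                if vlanid not in allowed["vlanids"]:
                    return False, "VLANID %d not permitted from %s" % (vlanid, server)
            elif name == "User-Priority-Table":
                if max(parse_priority_table(value)) > allowed["max_priority"]:
                    return False, "priority regeneration above cap from %s" % server
        except ValueError as e:
            return False, "malformed %s: %s" % (name, e)
    return True, "accepted"

# Constructed sample policy: radius1.example may assign VLANs 10 and 20 only.
POLICY = {"radius1.example": {"vlanids": {10, 20}, "max_priority": 3}}
```

A rejected Access-Accept should be logged with the server identity and reason, since a repeated out-of-policy VLANID or priority table from one server is the signal that the server or a proxy in the path has been compromised.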
7. References

7.1. Normative References

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", RFC 2119, March 1997.

[RFC2865]  Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote
           Authentication Dial In User Service (RADIUS)", RFC 2865,
           June 2000.

[RFC3588]  Calhoun, P., Loughney, J., Guttman, E., Zorn, G. and J.
           Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
           [entry added in -06]

[RFC3629]  Yergeau, F., "UTF-8, a transformation of ISO 10646", RFC
           3629, November 2003.

[RFC4363]  Levi, D. and D. Harrington, "Definitions of Managed Objects
           for Bridges with Traffic Classes, Multicast Filtering and
           Virtual LAN Extensions", RFC 4363, January 2006.

[IEEE-802] IEEE Standards for Local and Metropolitan Area Networks:
           Overview and Architecture, ANSI/IEEE Std 802, 1990.
End of changes. 14 change blocks. 42 lines changed or deleted, 94 lines changed or added.

This html diff was produced by rfcdiff 1.32. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/