--- 1/draft-ietf-dime-rfc4005bis-01.txt 2010-11-16 08:15:00.000000000 +0100 +++ 2/draft-ietf-dime-rfc4005bis-02.txt 2010-11-16 08:15:00.000000000 +0100 @@ -1,19 +1,19 @@ Network Working Group G. Zorn Internet-Draft Network Zen -Obsoletes: 4005 (if approved) October 15, 2010 +Obsoletes: 4005 (if approved) November 16, 2010 Intended status: Standards Track -Expires: April 18, 2011 +Expires: May 20, 2011 Diameter Network Access Server Application - draft-ietf-dime-rfc4005bis-01 + draft-ietf-dime-rfc4005bis-02 Abstract This document describes the Diameter protocol application used for Authentication, Authorization, and Accounting (AAA) services in the Network Access Server (NAS) environment. When combined with the Diameter Base protocol, Transport Profile, and Extensible Authentication Protocol specifications, this application specification satisfies typical network access services requirements. @@ -25,21 +25,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 18, 2011. + This Internet-Draft will expire on May 20, 2011. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -67,137 +67,137 @@ 3.5. Session-Termination-Request (STR) Command . . . . . . . . 15 3.6. Session-Termination-Answer (STA) Command . . . . . . . . . 16 3.7. Abort-Session-Request (ASR) Command . . . . . . . . . . . 17 3.8. Abort-Session-Answer (ASA) Command . . . . . . . . . . . . 18 3.9. Accounting-Request (ACR) Command . . . . . . . . . . . . . 19 3.10. Accounting-Answer (ACA) Command . . . . . . . . . . . . . 21 4. Diameter NAS Application AVPs . . . . . . . . . . . . . . . . 22 4.1. Derived AVP Data Formats . . . . . . . . . . . . . . . . . 22 4.1.1. QoSFilterRule . . . . . . . . . . . . . . . . . . . . 22 4.2. NAS Session AVPs . . . . . . . . . . . . . . . . . . . . . 23 - 4.2.1. Call and Session Information . . . . . . . . . . . . . 24 + 4.2.1. Call and Session Information . . . . . . . . . . . . . 23 4.2.2. NAS-Port AVP . . . . . . . . . . . . . . . . . . . . . 24 - 4.2.3. NAS-Port-Id AVP . . . . . . . . . . . . . . . . . . . 25 + 4.2.3. NAS-Port-Id AVP . . . . . . . . . . . . . . . . . . . 24 4.2.4. NAS-Port-Type AVP . . . . . . . . . . . . . . . . . . 25 4.2.5. Called-Station-Id AVP . . . . . . . . . . . . . . . . 25 4.2.6. Calling-Station-Id AVP . . . . . . . . . . . . . . . . 25 4.2.7. Connect-Info AVP . . . . . . . . . . . . . . . . . . . 26 4.2.8. Originating-Line-Info AVP . . . . . . . . . . . . . . 26 4.2.9. Reply-Message AVP . . . . . . . . . . . . . . . . . . 27 4.3. NAS Authentication AVPs . . . . . . . . . . . . . . . . . 27 4.3.1. User-Password AVP . . . . . . . . . . . . . . . . . . 28 4.3.2. Password-Retry AVP . . . . . . . . . . . . . . . . . . 28 - 4.3.3. Prompt AVP . . . . . . . . . . . . . . . . . . . . . . 29 - 4.3.4. CHAP-Auth AVP . . . . . . . . . . . . . . . . . . . . 29 + 4.3.3. Prompt AVP . . . . . . . . . . . . . . . . . . . . . . 28 + 4.3.4. CHAP-Auth AVP . . . . . . . . . . . . . . . . . . . . 28 4.3.5. CHAP-Algorithm AVP . . . . . . . . . . . . . . . . . . 29 4.3.6. CHAP-Ident AVP . . . . . . . . . . . . . . . . . . . . 
29 4.3.7. CHAP-Response AVP . . . . . . . . . . . . . . . . . . 29 - 4.3.8. CHAP-Challenge AVP . . . . . . . . . . . . . . . . . . 30 - 4.3.9. ARAP-Password AVP . . . . . . . . . . . . . . . . . . 30 - 4.3.10. ARAP-Challenge-Response AVP . . . . . . . . . . . . . 30 + 4.3.8. CHAP-Challenge AVP . . . . . . . . . . . . . . . . . . 29 + 4.3.9. ARAP-Password AVP . . . . . . . . . . . . . . . . . . 29 + 4.3.10. ARAP-Challenge-Response AVP . . . . . . . . . . . . . 29 4.3.11. ARAP-Security AVP . . . . . . . . . . . . . . . . . . 30 4.3.12. ARAP-Security-Data AVP . . . . . . . . . . . . . . . . 30 - 4.4. NAS Authorization AVPs . . . . . . . . . . . . . . . . . . 31 - 4.4.1. Service-Type AVP . . . . . . . . . . . . . . . . . . . 32 - 4.4.2. Callback-Number AVP . . . . . . . . . . . . . . . . . 33 - 4.4.3. Callback-Id AVP . . . . . . . . . . . . . . . . . . . 34 - 4.4.4. Idle-Timeout AVP . . . . . . . . . . . . . . . . . . . 34 - 4.4.5. Port-Limit AVP . . . . . . . . . . . . . . . . . . . . 34 - 4.4.6. NAS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 34 - 4.4.7. Filter-Id AVP . . . . . . . . . . . . . . . . . . . . 34 - 4.4.8. Configuration-Token AVP . . . . . . . . . . . . . . . 35 - 4.4.9. QoS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 35 - 4.4.10. Framed Access Authorization AVPs . . . . . . . . . . . 35 - 4.4.10.1. Framed-Protocol AVP . . . . . . . . . . . . . . . 36 - 4.4.10.2. Framed-Routing AVP . . . . . . . . . . . . . . . 36 - 4.4.10.3. Framed-MTU AVP . . . . . . . . . . . . . . . . . 36 - 4.4.10.4. Framed-Compression AVP . . . . . . . . . . . . . 36 - 4.4.10.5. IP Access Authorization AVPs . . . . . . . . . . 36 - 4.4.10.5.1. Framed-IP-Address AVP . . . . . . . . . . . . 36 - 4.4.10.5.2. Framed-IP-Netmask AVP . . . . . . . . . . . . 37 - 4.4.10.5.3. Framed-Route AVP . . . . . . . . . . . . . . 37 - 4.4.10.5.4. Framed-Pool AVP . . . . . . . . . . . . . . . 37 - 4.4.10.5.5. Framed-Interface-Id AVP . . . . . . . . . . . 38 - 4.4.10.5.6. 
Framed-IPv6-Prefix AVP . . . . . . . . . . . 38 - 4.4.10.5.7. Framed-IPv6-Route AVP . . . . . . . . . . . . 38 - 4.4.10.5.8. Framed-IPv6-Pool AVP . . . . . . . . . . . . 39 - 4.4.10.6. IPX Access AVPs . . . . . . . . . . . . . . . . . 39 - 4.4.10.6.1. Framed-IPX-Network AVP . . . . . . . . . . . 39 - 4.4.10.7. AppleTalk Network Access AVPs . . . . . . . . . . 39 - 4.4.10.7.1. Framed-AppleTalk-Link AVP . . . . . . . . . . 39 - 4.4.10.7.2. Framed-AppleTalk-Network AVP . . . . . . . . 40 - 4.4.10.7.3. Framed-AppleTalk-Zone AVP . . . . . . . . . . 40 - 4.4.10.8. AppleTalk Remote Access AVPs . . . . . . . . . . 40 - 4.4.10.8.1. ARAP-Features AVP . . . . . . . . . . . . . . 40 - 4.4.10.8.2. ARAP-Zone-Access AVP . . . . . . . . . . . . 40 - 4.4.11. Non-Framed Access Authorization AVPs . . . . . . . . . 41 - 4.4.11.1. Login-IP-Host AVP . . . . . . . . . . . . . . . . 41 - 4.4.11.2. Login-IPv6-Host AVP . . . . . . . . . . . . . . . 41 - 4.4.11.3. Login-Service AVP . . . . . . . . . . . . . . . . 41 - 4.4.11.4. TCP Services . . . . . . . . . . . . . . . . . . 41 - 4.4.11.4.1. Login-TCP-Port AVP . . . . . . . . . . . . . 42 - 4.4.11.5. LAT Services . . . . . . . . . . . . . . . . . . 42 - 4.4.11.5.1. Login-LAT-Service AVP . . . . . . . . . . . . 42 - 4.4.11.5.2. Login-LAT-Node AVP . . . . . . . . . . . . . 42 - 4.4.11.5.3. Login-LAT-Group AVP . . . . . . . . . . . . . 43 - 4.4.11.5.4. Login-LAT-Port AVP . . . . . . . . . . . . . 43 - 4.5. NAS Tunneling AVPs . . . . . . . . . . . . . . . . . . . . 44 - 4.5.1. Tunneling AVP . . . . . . . . . . . . . . . . . . . . 44 - 4.5.2. Tunnel-Type AVP . . . . . . . . . . . . . . . . . . . 45 - 4.5.3. Tunnel-Medium-Type AVP . . . . . . . . . . . . . . . . 45 - 4.5.4. Tunnel-Client-Endpoint AVP . . . . . . . . . . . . . . 45 - 4.5.5. Tunnel-Server-Endpoint AVP . . . . . . . . . . . . . . 46 - 4.5.6. Tunnel-Password AVP . . . . . . . . . . . . . . . . . 47 - 4.5.7. Tunnel-Private-Group-Id AVP . . . . . . . . . . . . . 47 - 4.5.8. 
Tunnel-Assignment-Id AVP . . . . . . . . . . . . . . . 47 - 4.5.9. Tunnel-Preference AVP . . . . . . . . . . . . . . . . 49 - 4.5.10. Tunnel-Client-Auth-Id AVP . . . . . . . . . . . . . . 49 - 4.5.11. Tunnel-Server-Auth-Id AVP . . . . . . . . . . . . . . 49 - 4.6. NAS Accounting AVPs . . . . . . . . . . . . . . . . . . . 50 - 4.6.1. Accounting-Input-Octets AVP . . . . . . . . . . . . . 51 - 4.6.2. Accounting-Output-Octets AVP . . . . . . . . . . . . . 51 - 4.6.3. Accounting-Input-Packets AVP . . . . . . . . . . . . . 51 - 4.6.4. Accounting-Output-Packets AVP . . . . . . . . . . . . 51 - 4.6.5. Acct-Session-Time AVP . . . . . . . . . . . . . . . . 51 - 4.6.6. Acct-Authentic AVP . . . . . . . . . . . . . . . . . . 52 - 4.6.7. Accounting-Auth-Method AVP . . . . . . . . . . . . . . 52 - 4.6.8. Acct-Delay-Time AVP . . . . . . . . . . . . . . . . . 52 - 4.6.9. Acct-Link-Count AVP . . . . . . . . . . . . . . . . . 52 - 4.6.10. Acct-Tunnel-Connection AVP . . . . . . . . . . . . . . 53 - 4.6.11. Acct-Tunnel-Packets-Lost AVP . . . . . . . . . . . . . 53 - 5. AVP Occurrence Tables . . . . . . . . . . . . . . . . . . . . 53 - 5.1. AA-Request/Answer AVP Table . . . . . . . . . . . . . . . 54 - 5.2. Accounting AVP Tables . . . . . . . . . . . . . . . . . . 56 - 5.2.1. Framed Access Accounting AVP Table . . . . . . . . . . 57 - 5.2.2. Non-Framed Access Accounting AVP Table . . . . . . . . 59 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60 - 6.1. Command Codes . . . . . . . . . . . . . . . . . . . . . . 60 - 6.2. AVP Codes . . . . . . . . . . . . . . . . . . . . . . . . 61 - 6.3. Application Identifier . . . . . . . . . . . . . . . . . . 61 - 6.4. CHAP-Algorithm AVP Values . . . . . . . . . . . . . . . . 61 - 6.5. Accounting-Auth-Method AVP Values . . . . . . . . . . . . 61 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 61 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 62 - 8.1. Normative References . . . . . . . . . . 
. . . . . . . . . 62 - 8.2. Informative References . . . . . . . . . . . . . . . . . . 63 - Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 65 - A.1. RFC 4005 . . . . . . . . . . . . . . . . . . . . . . . . . 65 - A.2. RFC 4005bis . . . . . . . . . . . . . . . . . . . . . . . 66 + 4.4. NAS Authorization AVPs . . . . . . . . . . . . . . . . . . 30 + 4.4.1. Service-Type AVP . . . . . . . . . . . . . . . . . . . 31 + 4.4.2. Callback-Number AVP . . . . . . . . . . . . . . . . . 32 + 4.4.3. Callback-Id AVP . . . . . . . . . . . . . . . . . . . 33 + 4.4.4. Idle-Timeout AVP . . . . . . . . . . . . . . . . . . . 33 + 4.4.5. Port-Limit AVP . . . . . . . . . . . . . . . . . . . . 33 + 4.4.6. NAS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 33 + 4.4.7. Filter-Id AVP . . . . . . . . . . . . . . . . . . . . 33 + 4.4.8. Configuration-Token AVP . . . . . . . . . . . . . . . 34 + 4.4.9. QoS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 34 + 4.4.10. Framed Access Authorization AVPs . . . . . . . . . . . 34 + 4.4.10.1. Framed-Protocol AVP . . . . . . . . . . . . . . . 35 + 4.4.10.2. Framed-Routing AVP . . . . . . . . . . . . . . . 35 + 4.4.10.3. Framed-MTU AVP . . . . . . . . . . . . . . . . . 35 + 4.4.10.4. Framed-Compression AVP . . . . . . . . . . . . . 35 + 4.4.10.5. IP Access Authorization AVPs . . . . . . . . . . 35 + 4.4.10.5.1. Framed-IP-Address AVP . . . . . . . . . . . . 35 + 4.4.10.5.2. Framed-IP-Netmask AVP . . . . . . . . . . . . 36 + 4.4.10.5.3. Framed-Route AVP . . . . . . . . . . . . . . 36 + 4.4.10.5.4. Framed-Pool AVP . . . . . . . . . . . . . . . 36 + 4.4.10.5.5. Framed-Interface-Id AVP . . . . . . . . . . . 37 + 4.4.10.5.6. Framed-IPv6-Prefix AVP . . . . . . . . . . . 37 + 4.4.10.5.7. Framed-IPv6-Route AVP . . . . . . . . . . . . 37 + 4.4.10.5.8. Framed-IPv6-Pool AVP . . . . . . . . . . . . 38 + 4.4.10.6. IPX Access AVPs . . . . . . . . . . . . . . . . . 38 + 4.4.10.6.1. Framed-IPX-Network AVP . . . . . . . . . . . 38 + 4.4.10.7. 
AppleTalk Network Access AVPs . . . . . . . . . . 38 + 4.4.10.7.1. Framed-AppleTalk-Link AVP . . . . . . . . . . 38 + 4.4.10.7.2. Framed-AppleTalk-Network AVP . . . . . . . . 39 + 4.4.10.7.3. Framed-AppleTalk-Zone AVP . . . . . . . . . . 39 + 4.4.10.8. AppleTalk Remote Access AVPs . . . . . . . . . . 39 + 4.4.10.8.1. ARAP-Features AVP . . . . . . . . . . . . . . 39 + 4.4.10.8.2. ARAP-Zone-Access AVP . . . . . . . . . . . . 39 + 4.4.11. Non-Framed Access Authorization AVPs . . . . . . . . . 40 + 4.4.11.1. Login-IP-Host AVP . . . . . . . . . . . . . . . . 40 + 4.4.11.2. Login-IPv6-Host AVP . . . . . . . . . . . . . . . 40 + 4.4.11.3. Login-Service AVP . . . . . . . . . . . . . . . . 40 + 4.4.11.4. TCP Services . . . . . . . . . . . . . . . . . . 40 + 4.4.11.4.1. Login-TCP-Port AVP . . . . . . . . . . . . . 41 + 4.4.11.5. LAT Services . . . . . . . . . . . . . . . . . . 41 + 4.4.11.5.1. Login-LAT-Service AVP . . . . . . . . . . . . 41 + 4.4.11.5.2. Login-LAT-Node AVP . . . . . . . . . . . . . 41 + 4.4.11.5.3. Login-LAT-Group AVP . . . . . . . . . . . . . 42 + 4.4.11.5.4. Login-LAT-Port AVP . . . . . . . . . . . . . 42 + 4.5. NAS Tunneling AVPs . . . . . . . . . . . . . . . . . . . . 43 + 4.5.1. Tunneling AVP . . . . . . . . . . . . . . . . . . . . 43 + 4.5.2. Tunnel-Type AVP . . . . . . . . . . . . . . . . . . . 44 + 4.5.3. Tunnel-Medium-Type AVP . . . . . . . . . . . . . . . . 44 + 4.5.4. Tunnel-Client-Endpoint AVP . . . . . . . . . . . . . . 44 + 4.5.5. Tunnel-Server-Endpoint AVP . . . . . . . . . . . . . . 45 + 4.5.6. Tunnel-Password AVP . . . . . . . . . . . . . . . . . 46 + 4.5.7. Tunnel-Private-Group-Id AVP . . . . . . . . . . . . . 46 + 4.5.8. Tunnel-Assignment-Id AVP . . . . . . . . . . . . . . . 46 + 4.5.9. Tunnel-Preference AVP . . . . . . . . . . . . . . . . 48 + 4.5.10. Tunnel-Client-Auth-Id AVP . . . . . . . . . . . . . . 48 + 4.5.11. Tunnel-Server-Auth-Id AVP . . . . . . . . . . . . . . 48 + 4.6. NAS Accounting AVPs . . . . . . . . . . . . . . . . . . . 
49 + 4.6.1. Accounting-Input-Octets AVP . . . . . . . . . . . . . 50 + 4.6.2. Accounting-Output-Octets AVP . . . . . . . . . . . . . 50 + 4.6.3. Accounting-Input-Packets AVP . . . . . . . . . . . . . 50 + 4.6.4. Accounting-Output-Packets AVP . . . . . . . . . . . . 50 + 4.6.5. Acct-Session-Time AVP . . . . . . . . . . . . . . . . 50 + 4.6.6. Acct-Authentic AVP . . . . . . . . . . . . . . . . . . 51 + 4.6.7. Accounting-Auth-Method AVP . . . . . . . . . . . . . . 51 + 4.6.8. Acct-Delay-Time AVP . . . . . . . . . . . . . . . . . 51 + 4.6.9. Acct-Link-Count AVP . . . . . . . . . . . . . . . . . 51 + 4.6.10. Acct-Tunnel-Connection AVP . . . . . . . . . . . . . . 52 + 4.6.11. Acct-Tunnel-Packets-Lost AVP . . . . . . . . . . . . . 52 + 5. AVP Occurrence Tables . . . . . . . . . . . . . . . . . . . . 52 + 5.1. AA-Request/Answer AVP Table . . . . . . . . . . . . . . . 53 + 5.2. Accounting AVP Tables . . . . . . . . . . . . . . . . . . 55 + 5.2.1. Framed Access Accounting AVP Table . . . . . . . . . . 56 + 5.2.2. Non-Framed Access Accounting AVP Table . . . . . . . . 58 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59 + 6.1. Command Codes . . . . . . . . . . . . . . . . . . . . . . 59 + 6.2. AVP Codes . . . . . . . . . . . . . . . . . . . . . . . . 60 + 6.3. Application Identifier . . . . . . . . . . . . . . . . . . 60 + 6.4. CHAP-Algorithm AVP Values . . . . . . . . . . . . . . . . 60 + 6.5. Accounting-Auth-Method AVP Values . . . . . . . . . . . . 60 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 60 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 61 + 8.1. Normative References . . . . . . . . . . . . . . . . . . . 61 + 8.2. Informative References . . . . . . . . . . . . . . . . . . 62 + Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 64 + A.1. RFC 4005 . . . . . . . . . . . . . . . . . . . . . . . . . 64 + A.2. RFC 4005bis . . . . . . . . . . . . . . . . . . . . . . . 65 1. 
Introduction This document describes the Diameter protocol application used for AAA in the Network Access Server (NAS) environment. When combined with the Diameter Base protocol [I-D.ietf-dime-rfc3588bis], Transport Profile [RFC3539], and EAP [RFC4072] specifications, this - specification satisfies NAS-related requirements defined in [RFC2989] - and [RFC3169]. + specification satisfies the NAS-related requirements defined in + [RFC2989] and [RFC3169]. First, this document describes the operation of a Diameter NAS application. Then it defines the Diameter message Command-Codes. The following sections list the AVPs used in these messages, grouped by common usage. These are session identification, authentication, authorization, tunneling, and accounting. The authorization AVPs are further broken down by service type. 1.1. Terminology @@ -261,21 +261,21 @@ authentication information are packaged into a Diameter AA-Request (AAR) message and sent to a server. The server processes the information and responds with a Diameter AA- Answer (AAA) message that contains authorization information for the NAS, or a failure code (Result-Code AVP). A value of DIAMETER_MULTI_ROUND_AUTH indicates an additional authentication exchange, and several AAR and AAA messages may be exchanged until the transaction completes. - Depending on the vale of the Auth-Request-Type AVP, the Diameter + Depending on the value of the Auth-Request-Type AVP, the Diameter protocol allows authorization-only requests that contain no authentication information from the client. This capability goes beyond the Call Check capabilities provided by RADIUS (Section 5.6 of [RFC2865]) in that no access decision is requested. As a result, service cannot be started as a result of a response to an authorization-only request without introducing a significant security vulnerability. 2.1. Diameter Session Establishment 
@@ -325,21 +325,21 @@ If accounting is active, every change of authentication or authorization SHOULD generate an accounting message. If the NAS service is a continuation of the prior user context, then an Accounting-Record-Type of INTERIM_RECORD indicating the new session attributes and cumulative status would be appropriate. If a new user or a significant change in authorization is detected by the NAS, then the service may send two messages of the types STOP_RECORD and START_RECORD. Accounting may change the subsession identifiers (Acct-Session-ID, or Acct-Sub-Session-Id) to indicate such sub- sessions. A service may also use a different Session-Id value for - accounting see Section 9.6 of [I-D.ietf-dime-rfc3588bis]. + accounting (see Section 9.6 of [I-D.ietf-dime-rfc3588bis]). However, the Diameter Session-ID AVP value used for the initial authorization exchange MUST be used to generate an STR message when the session context is terminated. 2.3. Diameter Session Termination When a NAS receives an indication that a user's session is being disconnected by the client (e.g., LCP Terminate is received) or an administrative command, the NAS MUST issue a Session-Termination- 
@@ -379,22 +379,22 @@ | Accounting-Request | ACR | 271 | Section 3.9 | | Accounting-Answer | ACA | 271 | Section 3.10 | +-----------------------------------+---------+------+--------------+ 3.1. AA-Request (AAR) Command The AA-Request (AAR), which is indicated by setting the Command-Code field to 265 and the 'R' bit in the Command Flags field, is used to request authentication and/or authorization for a given NAS user. The type of request is identified through the Auth-Request-Type AVP - [I-D.ietf-dime-rfc3588bis] The recommended value for most RADIUS - interoperability situations is AUTHORIZE_AUTHENTICATE. + [I-D.ietf-dime-rfc3588bis] The recommended value for most situations + is AUTHORIZE_AUTHENTICATE. If Authentication is requested, the User-Name attribute SHOULD be present, as well as any additional authentication AVPs that would carry the password information. A request for authorization SHOULD only include the information from which the authorization will be performed, such as the User-Name, Called-Station-Id, or Calling- Station-Id AVPs. All requests SHOULD contain AVPs uniquely identifying the source of the call, such as Origin-Host and NAS-Port. Certain networks MAY use different AVPs for authorization purposes. A request for authorization will include some AVPs defined in 
@@ -979,32 +979,26 @@ src and dst The format is as described under IPFilterRule [I-D.ietf-dime-rfc3588bis] The options are described in Section 4.4.9. The rule syntax is a modified subset of ipfw(8) from FreeBSD, and the ipfw.c code may provide a useful base for implementations. 4.2. NAS Session AVPs - Diameter reserves the AVP Codes 0 - 255 for RADIUS functions that are - implemented in Diameter. - - AVPs new to Diameter have code values of 256 and greater. A Diameter - message that includes one of these AVPs may represent functions not - present in the RADIUS environment and may cause interoperability - issues, should the request traverse an AAA system that only supports - the RADIUS protocol. + Diameter reserves the AVP Codes 0 - 255 for RADIUS Attributes that + are implemented in Diameter. 4.2.1. Call and Session Information - This section describes the AVPs specific to NAS Diameter applications + This section describes the AVPs specific to Diameter applications that are needed to identify the call and session context and status information. On a request, this information allows the server to qualify the session. These AVPs are used in addition to the following AVPs from the base protocol specification [I-D.ietf-dime-rfc3588bis]: Session-Id Auth-Application-Id Origin-Host 
@@ -1158,22 +1152,22 @@ The Reply-Message AVP MAY contain text to prompt the user before another AA-Request attempt. When used in an AA-Answer message containing a Result-Code AVP with the value DIAMETER_MULTI_ROUND_AUTH or in an Re-Auth-Request message, it MAY contain text to prompt the user for a response. 4.3. NAS Authentication AVPs This section defines the AVPs necessary to carry the authentication information in the Diameter protocol. The functionality defined here - provides a RADIUS-like AAA service over a more reliable and secure - transport, as defined in the base protocol + provides a RADIUS-like AAA service [RFC2865] over a more reliable and + secure transport, as defined in the base protocol [I-D.ietf-dime-rfc3588bis]. The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted. +---------------------+ | AVP Flag rules | |----+-----+----+-----|----+ | | |SHLD| MUST| | Attribute Name Section Defined |MUST| MAY | NOT| NOT|Encr| 
@@ -1277,27 +1272,27 @@ only present when the Framed-Protocol AVP (Section 4.4.10.1) is included in the message and is set to ARAP. This AVP MUST NOT be present if either the User-Password or the CHAP-Auth AVP is present. See [RFC2869] for more information on the contents of this AVP. 4.3.10. ARAP-Challenge-Response AVP The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString and is only present when the Framed-Protocol AVP (Section 4.4.10.1) is included in the message and is set to ARAP. This AVP contains an - 8 octet response to the dial-in client's challenge. The RADIUS + 8 octet response to the dial-in client's challenge. The Diameter server calculates this value by taking the dial-in client's challenge from the high-order 8 octets of the ARAP-Password AVP and performing DES encryption on this value with the authenticating user's password as the key. If the user's password is fewer than 8 octets in length, - the password is padded at the end with NULL octets to a length of - 8before it is used as a key. + the password is padded at the end with NULL octets to a length of 8 + before it is used as a key. 4.3.11. ARAP-Security AVP The ARAP-Security AVP (AVP Code 73) is of type Unsigned32 and MAY be present in the AA-Answer message if the Framed-Protocol AVP (Section 4.4.10.1) is set to the value of ARAP, and the Result-Code AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to DIAMETER_MULTI_ROUND_AUTH. See [RFC2869] for more information on the contents of this AVP. 
@@ -1463,23 +1458,23 @@ However, this AVP is not roaming-friendly, as filter naming differs from one service provider to another. In environments where backward compatibility with RADIUS is not required, it is RECOMMENDED that the NAS-Filter-Rule AVP Section 4.4.6 be used instead. 4.4.8. Configuration-Token AVP The Configuration-Token AVP (AVP Code 78) is of type OctetString and - is sent by a Diameter Server to a Diameter Proxy Agent or Translation - Agent in an AA-Answer command to indicate a type of user profile to - be used. It should not be sent to a Diameter Client (NAS). + is sent by a Diameter Server to a Diameter Proxy Agent in an AA- + Answer command to indicate a type of user profile to be used. It + should not be sent to a Diameter Client (NAS). The format of the Data field of this AVP is site specific. 4.4.9. QoS-Filter-Rule AVP The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule Section 4.1.1 and provides QoS filter rules that need to be configured on the NAS for the user. One or more such AVPs MAY be present in an authorization response. 
@@ -2039,26 +2034,23 @@ If Tunnel-Medium-Type is not IPv4 or IPv6, this string is a tag referring to configuration data local to the Diameter client that describes the interface or medium-specific server address to use. 4.5.6. Tunnel-Password AVP The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may contain a password to be used to authenticate to a remote server. - The Tunnel-Password AVP contains sensitive information. This value - is not protected in the same manner as RADIUS [RFC2868]. Diameter - messages are secured by using IPsec or TLS - [I-D.ietf-dime-rfc3588bis]. The Tunnel-Password AVP SHOULD NOT be - used in untrusted proxy environments without encrypting it by using - end-to-end security techniques. + The Tunnel-Password AVP SHOULD NOT be used in untrusted proxy + environments without encrypting it by using end-to-end security + techniques. 4.5.7. Tunnel-Private-Group-Id AVP The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type OctetString and contains the group Id for a particular tunneled session. The Tunnel-Private-Group-Id AVP MAY be included in an authorization request if the tunnel initiator can predetermine the group resulting from a particular connection. It SHOULD be included in the authorization response if this tunnel session is to be treated as belonging to a particular private group. Private groups may be used
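Review bot: in the hunk at @@ -379 (Section 3.1), the rewritten sentence still carries the missing sentence-ending period after the citation: "[I-D.ietf-dime-rfc3588bis] The recommended value for most situations" should read "[I-D.ietf-dime-rfc3588bis]. The recommended value for most situations". Since the hunk also drops the "RADIUS interoperability" qualifier, decide whether "recommended" is meant as the RFC 2119 keyword; if so write RECOMMENDED, otherwise the lowercase form reads as a general preference for AUTHORIZE_AUTHENTICATE even though Section 2 (hunk @@ -261) explicitly allows authorization-only requests via Auth-Request-Type.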
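Review bot: the hunk at @@ -979 (Section 4.2) deletes the paragraph warning that AVPs with codes 256 and greater may cause interoperability problems when a request traverses an AAA system that only supports RADIUS, leaving only the sentence that codes 0 - 255 are reserved for RADIUS Attributes. If the intent is to strip RADIUS-translation guidance from this revision (consistent with the removal of "Translation Agent" at @@ -1463), the surviving sentence should still say where the 256-and-greater codes used throughout Section 4 come from (QoS-Filter-Rule is AVP Code 407 at @@ -1463), for example "AVPs defined by this application have code values of 256 and greater." In 4.2.1, changing "NAS Diameter applications" to "Diameter applications" widens the statement beyond this application; confirm that is intended rather than a slip.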
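Review bot: in the hunk at @@ -1277 (Section 4.3.10), replacing "The RADIUS server" with "The Diameter server" turns this paragraph into this document's own normative description of the ARAP computation (DES with the user's password, NUL-padded to 8 octets, used directly as the key) instead of text inherited from RADIUS. If the Diameter server is now the party performing it, either keep a pointer to [RFC2869] for the mechanism, as the neighbouring 4.3.9 and 4.3.11 do, or have Security Considerations (Section 7) note that the key is derived directly from the user password and that the scheme is retained only for ARAP compatibility. The "8before" to "8 before" fix is good.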
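Review bot: the hunk at @@ -1463 (Section 4.4.8) removes "or Translation Agent" but keeps "It should not be sent to a Diameter Client (NAS)." in lowercase, so a reader of a Standards Track document cannot tell whether this is the RFC 2119 SHOULD NOT or ordinary prose. Either capitalize it (SHOULD NOT) or reword to "is not intended for a Diameter Client (NAS)". The new line break "AA- Answer" also splits the command name across lines; if the formatter permits, keep "AA-Answer" whole so searching for the command name finds this occurrence.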
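Review bot: the hunk at @@ -2039 (Section 4.5.6) deletes the statement that the Tunnel-Password AVP contains sensitive information and that Diameter messages are protected by IPsec or TLS [I-D.ietf-dime-rfc3588bis], leaving "SHOULD NOT be used in untrusted proxy environments without encrypting it by using end-to-end security techniques" with no stated rationale. Keep at least the sentence "The Tunnel-Password AVP contains sensitive information." so the SHOULD NOT is motivated, and because hop-by-hop TLS or IPsec still leaves the value readable at every proxy on the path, say which "end-to-end security techniques" are meant or cite where they are defined; as written an implementer has nothing actionable. Dropping the comparison with RADIUS [RFC2868] is fine and matches the other RADIUS-interoperability removals in this revision.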