--- 1/draft-ietf-dime-rfc4005bis-02.txt 2011-01-02 11:31:23.000000000 +0100 +++ 2/draft-ietf-dime-rfc4005bis-03.txt 2011-01-02 11:31:23.000000000 +0100 @@ -1,19 +1,19 @@ Network Working Group G. Zorn Internet-Draft Network Zen -Obsoletes: 4005 (if approved) November 16, 2010 +Obsoletes: 4005 (if approved) January 2, 2011 Intended status: Standards Track -Expires: May 20, 2011 +Expires: July 6, 2011 Diameter Network Access Server Application - draft-ietf-dime-rfc4005bis-02 + draft-ietf-dime-rfc4005bis-03 Abstract This document describes the Diameter protocol application used for Authentication, Authorization, and Accounting (AAA) services in the Network Access Server (NAS) environment. When combined with the Diameter Base protocol, Transport Profile, and Extensible Authentication Protocol specifications, this application specification satisfies typical network access services requirements. 
@@ -25,48 +25,48 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on May 20, 2011. + This Internet-Draft will expire on July 6, 2011. Copyright Notice - Copyright (c) 2010 IETF Trust and the persons identified as the + Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 1.2. Requirements Language . . . . . . . . . . . . . . . . . . 6 - 1.3. Advertising Application Support . . . . . . . . . . . . . 6 - 2. NAS Calls, Ports, and Sessions . . . . . . . . . . . . . . . . 6 + 1.3. Advertising Application Support . . . . . . . . . . . . . 7 + 2. NAS Calls, Ports, and Sessions . . . . . . . . . . . . . . . . 7 2.1. Diameter Session Establishment . . . . . . . . . . . . . . 7 - 2.2. Diameter Session Reauthentication or Reauthorization . . . 7 + 2.2. 
Diameter Session Reauthentication or Reauthorization . . . 8 2.3. Diameter Session Termination . . . . . . . . . . . . . . . 8 - 3. Diameter NAS Application Messages . . . . . . . . . . . . . . 8 + 3. Diameter NAS Application Messages . . . . . . . . . . . . . . 9 3.1. AA-Request (AAR) Command . . . . . . . . . . . . . . . . . 9 3.2. AA-Answer (AAA) Command . . . . . . . . . . . . . . . . . 11 3.3. Re-Auth-Request (RAR) Command . . . . . . . . . . . . . . 13 3.4. Re-Auth-Answer (RAA) Command . . . . . . . . . . . . . . . 14 3.5. Session-Termination-Request (STR) Command . . . . . . . . 15 3.6. Session-Termination-Answer (STA) Command . . . . . . . . . 16 3.7. Abort-Session-Request (ASR) Command . . . . . . . . . . . 17 3.8. Abort-Session-Answer (ASA) Command . . . . . . . . . . . . 18 3.9. Accounting-Request (ACR) Command . . . . . . . . . . . . . 19 3.10. Accounting-Answer (ACA) Command . . . . . . . . . . . . . 21 
@@ -79,109 +79,104 @@ 4.2.3. NAS-Port-Id AVP . . . . . . . . . . . . . . . . . . . 24 4.2.4. NAS-Port-Type AVP . . . . . . . . . . . . . . . . . . 25 4.2.5. Called-Station-Id AVP . . . . . . . . . . . . . . . . 25 4.2.6. Calling-Station-Id AVP . . . . . . . . . . . . . . . . 25 4.2.7. Connect-Info AVP . . . . . . . . . . . . . . . . . . . 26 4.2.8. Originating-Line-Info AVP . . . . . . . . . . . . . . 26 4.2.9. Reply-Message AVP . . . . . . . . . . . . . . . . . . 27 4.3. NAS Authentication AVPs . . . . . . . . . . . . . . . . . 27 4.3.1. User-Password AVP . . . . . . . . . . . . . . . . . . 28 4.3.2. Password-Retry AVP . . . . . . . . . . . . . . . . . . 28 - 4.3.3. Prompt AVP . . . . . . . . . . . . . . . . . . . . . . 28 - 4.3.4. CHAP-Auth AVP . . . . . . . . . . . . . . . . . . . . 28 + 4.3.3. Prompt AVP . . . . . . . . . . . . . . . . . . . . . . 29 + 4.3.4. CHAP-Auth AVP . . . . . . . . . . . . . . . . . . . . 29 4.3.5. CHAP-Algorithm AVP . . . . . . . . . . . . . . . . . . 29 4.3.6. CHAP-Ident AVP . . . . . . . . . . . . . . . . . . . . 29 4.3.7. CHAP-Response AVP . . . . . . . . . . . . . . . . . . 29 - 4.3.8. CHAP-Challenge AVP . . . . . . . . . . . . . . . . . . 29 - 4.3.9. ARAP-Password AVP . . . . . . . . . . . . . . . . . . 29 - 4.3.10. ARAP-Challenge-Response AVP . . . . . . . . . . . . . 29 + 4.3.8. CHAP-Challenge AVP . . . . . . . . . . . . . . . . . . 30 + 4.3.9. ARAP-Password AVP . . . . . . . . . . . . . . . . . . 30 + 4.3.10. ARAP-Challenge-Response AVP . . . . . . . . . . . . . 30 4.3.11. ARAP-Security AVP . . . . . . . . . . . . . . . . . . 30 4.3.12. ARAP-Security-Data AVP . . . . . . . . . . . . . . . . 30 - 4.4. NAS Authorization AVPs . . . . . . . . . . . . . . . . . . 30 - 4.4.1. Service-Type AVP . . . . . . . . . . . . . . . . . . . 31 - 4.4.2. Callback-Number AVP . . . . . . . . . . . . . . . . . 32 - 4.4.3. Callback-Id AVP . . . . . . . . . . . . . . . . . . . 33 - 4.4.4. Idle-Timeout AVP . . . . . . . . . . . . . . . . . . . 
33 - 4.4.5. Port-Limit AVP . . . . . . . . . . . . . . . . . . . . 33 - 4.4.6. NAS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 33 - 4.4.7. Filter-Id AVP . . . . . . . . . . . . . . . . . . . . 33 - 4.4.8. Configuration-Token AVP . . . . . . . . . . . . . . . 34 - 4.4.9. QoS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 34 - 4.4.10. Framed Access Authorization AVPs . . . . . . . . . . . 34 - 4.4.10.1. Framed-Protocol AVP . . . . . . . . . . . . . . . 35 - 4.4.10.2. Framed-Routing AVP . . . . . . . . . . . . . . . 35 - 4.4.10.3. Framed-MTU AVP . . . . . . . . . . . . . . . . . 35 - 4.4.10.4. Framed-Compression AVP . . . . . . . . . . . . . 35 - 4.4.10.5. IP Access Authorization AVPs . . . . . . . . . . 35 - 4.4.10.5.1. Framed-IP-Address AVP . . . . . . . . . . . . 35 - 4.4.10.5.2. Framed-IP-Netmask AVP . . . . . . . . . . . . 36 - 4.4.10.5.3. Framed-Route AVP . . . . . . . . . . . . . . 36 - 4.4.10.5.4. Framed-Pool AVP . . . . . . . . . . . . . . . 36 - 4.4.10.5.5. Framed-Interface-Id AVP . . . . . . . . . . . 37 - 4.4.10.5.6. Framed-IPv6-Prefix AVP . . . . . . . . . . . 37 - 4.4.10.5.7. Framed-IPv6-Route AVP . . . . . . . . . . . . 37 - 4.4.10.5.8. Framed-IPv6-Pool AVP . . . . . . . . . . . . 38 - 4.4.10.6. IPX Access AVPs . . . . . . . . . . . . . . . . . 38 - 4.4.10.6.1. Framed-IPX-Network AVP . . . . . . . . . . . 38 - 4.4.10.7. AppleTalk Network Access AVPs . . . . . . . . . . 38 - 4.4.10.7.1. Framed-AppleTalk-Link AVP . . . . . . . . . . 38 - 4.4.10.7.2. Framed-AppleTalk-Network AVP . . . . . . . . 39 - 4.4.10.7.3. Framed-AppleTalk-Zone AVP . . . . . . . . . . 39 - 4.4.10.8. AppleTalk Remote Access AVPs . . . . . . . . . . 39 - 4.4.10.8.1. ARAP-Features AVP . . . . . . . . . . . . . . 39 - 4.4.10.8.2. ARAP-Zone-Access AVP . . . . . . . . . . . . 39 - 4.4.11. Non-Framed Access Authorization AVPs . . . . . . . . . 40 - 4.4.11.1. Login-IP-Host AVP . . . . . . . . . . . . . . . . 40 - 4.4.11.2. Login-IPv6-Host AVP . . . . . . . . . . . . . . . 
40 - 4.4.11.3. Login-Service AVP . . . . . . . . . . . . . . . . 40 - 4.4.11.4. TCP Services . . . . . . . . . . . . . . . . . . 40 - 4.4.11.4.1. Login-TCP-Port AVP . . . . . . . . . . . . . 41 - 4.4.11.5. LAT Services . . . . . . . . . . . . . . . . . . 41 - 4.4.11.5.1. Login-LAT-Service AVP . . . . . . . . . . . . 41 - 4.4.11.5.2. Login-LAT-Node AVP . . . . . . . . . . . . . 41 - 4.4.11.5.3. Login-LAT-Group AVP . . . . . . . . . . . . . 42 - 4.4.11.5.4. Login-LAT-Port AVP . . . . . . . . . . . . . 42 - 4.5. NAS Tunneling AVPs . . . . . . . . . . . . . . . . . . . . 43 - 4.5.1. Tunneling AVP . . . . . . . . . . . . . . . . . . . . 43 - 4.5.2. Tunnel-Type AVP . . . . . . . . . . . . . . . . . . . 44 - 4.5.3. Tunnel-Medium-Type AVP . . . . . . . . . . . . . . . . 44 - 4.5.4. Tunnel-Client-Endpoint AVP . . . . . . . . . . . . . . 44 - 4.5.5. Tunnel-Server-Endpoint AVP . . . . . . . . . . . . . . 45 - 4.5.6. Tunnel-Password AVP . . . . . . . . . . . . . . . . . 46 - 4.5.7. Tunnel-Private-Group-Id AVP . . . . . . . . . . . . . 46 - 4.5.8. Tunnel-Assignment-Id AVP . . . . . . . . . . . . . . . 46 - 4.5.9. Tunnel-Preference AVP . . . . . . . . . . . . . . . . 48 - 4.5.10. Tunnel-Client-Auth-Id AVP . . . . . . . . . . . . . . 48 - 4.5.11. Tunnel-Server-Auth-Id AVP . . . . . . . . . . . . . . 48 - 4.6. NAS Accounting AVPs . . . . . . . . . . . . . . . . . . . 49 - 4.6.1. Accounting-Input-Octets AVP . . . . . . . . . . . . . 50 - 4.6.2. Accounting-Output-Octets AVP . . . . . . . . . . . . . 50 - 4.6.3. Accounting-Input-Packets AVP . . . . . . . . . . . . . 50 - 4.6.4. Accounting-Output-Packets AVP . . . . . . . . . . . . 50 - 4.6.5. Acct-Session-Time AVP . . . . . . . . . . . . . . . . 50 - 4.6.6. Acct-Authentic AVP . . . . . . . . . . . . . . . . . . 51 - 4.6.7. Accounting-Auth-Method AVP . . . . . . . . . . . . . . 51 - 4.6.8. Acct-Delay-Time AVP . . . . . . . . . . . . . . . . . 51 - 4.6.9. Acct-Link-Count AVP . . . . . . . . . . . . . . . . . 51 - 4.6.10. 
Acct-Tunnel-Connection AVP . . . . . . . . . . . . . . 52 - 4.6.11. Acct-Tunnel-Packets-Lost AVP . . . . . . . . . . . . . 52 - 5. AVP Occurrence Tables . . . . . . . . . . . . . . . . . . . . 52 - 5.1. AA-Request/Answer AVP Table . . . . . . . . . . . . . . . 53 - 5.2. Accounting AVP Tables . . . . . . . . . . . . . . . . . . 55 - 5.2.1. Framed Access Accounting AVP Table . . . . . . . . . . 56 - 5.2.2. Non-Framed Access Accounting AVP Table . . . . . . . . 58 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59 - 6.1. Command Codes . . . . . . . . . . . . . . . . . . . . . . 59 - 6.2. AVP Codes . . . . . . . . . . . . . . . . . . . . . . . . 60 - 6.3. Application Identifier . . . . . . . . . . . . . . . . . . 60 - 6.4. CHAP-Algorithm AVP Values . . . . . . . . . . . . . . . . 60 - 6.5. Accounting-Auth-Method AVP Values . . . . . . . . . . . . 60 + 4.4. NAS Authorization AVPs . . . . . . . . . . . . . . . . . . 31 + 4.4.1. Service-Type AVP . . . . . . . . . . . . . . . . . . . 33 + 4.4.2. Callback-Number AVP . . . . . . . . . . . . . . . . . 33 + 4.4.3. Callback-Id AVP . . . . . . . . . . . . . . . . . . . 34 + 4.4.4. Idle-Timeout AVP . . . . . . . . . . . . . . . . . . . 34 + 4.4.5. Port-Limit AVP . . . . . . . . . . . . . . . . . . . . 34 + 4.4.6. NAS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 34 + 4.4.7. Filter-Id AVP . . . . . . . . . . . . . . . . . . . . 34 + 4.4.8. Configuration-Token AVP . . . . . . . . . . . . . . . 35 + 4.4.9. QoS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 35 + 4.4.10. Framed Access Authorization AVPs . . . . . . . . . . . 36 + 4.4.10.1. Framed-Protocol AVP . . . . . . . . . . . . . . . 36 + 4.4.10.2. Framed-Routing AVP . . . . . . . . . . . . . . . 36 + 4.4.10.3. Framed-MTU AVP . . . . . . . . . . . . . . . . . 36 + 4.4.10.4. Framed-Compression AVP . . . . . . . . . . . . . 36 + 4.4.10.5. IP Access Authorization AVPs . . . . . . . . . . 36 + 4.4.10.5.1. Framed-IP-Address AVP . . . . . . . . . . . . 
37 + 4.4.10.5.2. Framed-IP-Netmask AVP . . . . . . . . . . . . 37 + 4.4.10.5.3. Framed-Route AVP . . . . . . . . . . . . . . 37 + 4.4.10.5.4. Framed-Pool AVP . . . . . . . . . . . . . . . 38 + 4.4.10.5.5. Framed-Interface-Id AVP . . . . . . . . . . . 38 + 4.4.10.5.6. Framed-IPv6-Prefix AVP . . . . . . . . . . . 38 + 4.4.10.5.7. Framed-IPv6-Route AVP . . . . . . . . . . . . 38 + 4.4.10.5.8. Framed-IPv6-Pool AVP . . . . . . . . . . . . 39 + 4.4.10.6. IPX Access AVPs . . . . . . . . . . . . . . . . . 39 + 4.4.10.6.1. Framed-IPX-Network AVP . . . . . . . . . . . 39 + 4.4.10.7. AppleTalk Network Access AVPs . . . . . . . . . . 39 + 4.4.10.7.1. Framed-AppleTalk-Link AVP . . . . . . . . . . 39 + 4.4.10.7.2. Framed-AppleTalk-Network AVP . . . . . . . . 40 + 4.4.10.7.3. Framed-AppleTalk-Zone AVP . . . . . . . . . . 40 + 4.4.10.8. AppleTalk Remote Access AVPs . . . . . . . . . . 40 + 4.4.10.8.1. ARAP-Features AVP . . . . . . . . . . . . . . 40 + 4.4.10.8.2. ARAP-Zone-Access AVP . . . . . . . . . . . . 40 + 4.4.11. Non-Framed Access Authorization AVPs . . . . . . . . . 41 + 4.4.11.1. Login-IP-Host AVP . . . . . . . . . . . . . . . . 41 + 4.4.11.2. Login-IPv6-Host AVP . . . . . . . . . . . . . . . 41 + 4.4.11.3. Login-Service AVP . . . . . . . . . . . . . . . . 41 + 4.4.11.4. TCP Services . . . . . . . . . . . . . . . . . . 42 + 4.4.11.4.1. Login-TCP-Port AVP . . . . . . . . . . . . . 42 + 4.4.11.5. LAT Services . . . . . . . . . . . . . . . . . . 42 + 4.4.11.5.1. Login-LAT-Service AVP . . . . . . . . . . . . 42 + 4.4.11.5.2. Login-LAT-Node AVP . . . . . . . . . . . . . 43 + 4.4.11.5.3. Login-LAT-Group AVP . . . . . . . . . . . . . 43 + 4.4.11.5.4. Login-LAT-Port AVP . . . . . . . . . . . . . 43 + 4.5. NAS Tunneling AVPs . . . . . . . . . . . . . . . . . . . . 44 + 4.5.1. Tunneling AVP . . . . . . . . . . . . . . . . . . . . 44 + 4.5.2. Tunnel-Type AVP . . . . . . . . . . . . . . . . . . . 45 + 4.5.3. Tunnel-Medium-Type AVP . . . . . . . . . . . . . . . . 45 + 4.5.4. 
Tunnel-Client-Endpoint AVP . . . . . . . . . . . . . . 45 + 4.5.5. Tunnel-Server-Endpoint AVP . . . . . . . . . . . . . . 46 + 4.5.6. Tunnel-Password AVP . . . . . . . . . . . . . . . . . 47 + 4.5.7. Tunnel-Private-Group-Id AVP . . . . . . . . . . . . . 47 + 4.5.8. Tunnel-Assignment-Id AVP . . . . . . . . . . . . . . . 47 + 4.5.9. Tunnel-Preference AVP . . . . . . . . . . . . . . . . 49 + 4.5.10. Tunnel-Client-Auth-Id AVP . . . . . . . . . . . . . . 49 + 4.5.11. Tunnel-Server-Auth-Id AVP . . . . . . . . . . . . . . 49 + 4.6. NAS Accounting AVPs . . . . . . . . . . . . . . . . . . . 50 + 4.6.1. Accounting-Input-Octets AVP . . . . . . . . . . . . . 51 + 4.6.2. Accounting-Output-Octets AVP . . . . . . . . . . . . . 51 + 4.6.3. Accounting-Input-Packets AVP . . . . . . . . . . . . . 51 + 4.6.4. Accounting-Output-Packets AVP . . . . . . . . . . . . 51 + 4.6.5. Acct-Session-Time AVP . . . . . . . . . . . . . . . . 51 + 4.6.6. Acct-Authentic AVP . . . . . . . . . . . . . . . . . . 52 + 4.6.7. Accounting-Auth-Method AVP . . . . . . . . . . . . . . 52 + 4.6.8. Acct-Delay-Time AVP . . . . . . . . . . . . . . . . . 52 + 4.6.9. Acct-Link-Count AVP . . . . . . . . . . . . . . . . . 52 + 4.6.10. Acct-Tunnel-Connection AVP . . . . . . . . . . . . . . 53 + 4.6.11. Acct-Tunnel-Packets-Lost AVP . . . . . . . . . . . . . 53 + 5. AVP Occurrence Tables . . . . . . . . . . . . . . . . . . . . 53 + 5.1. AA-Request/Answer AVP Table . . . . . . . . . . . . . . . 54 + 5.2. Accounting AVP Tables . . . . . . . . . . . . . . . . . . 56 + 5.2.1. Framed Access Accounting AVP Table . . . . . . . . . . 57 + 5.2.2. Non-Framed Access Accounting AVP Table . . . . . . . . 59 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60 7. Security Considerations . . . . . . . . . . . . . . . . . . . 60 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 61 8.1. Normative References . . . . . . . . . . . . . . . . . . . 61 8.2. Informative References . . . . . . . . . . . . . . . . 
. . 62 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 64 A.1. RFC 4005 . . . . . . . . . . . . . . . . . . . . . . . . . 64 A.2. RFC 4005bis . . . . . . . . . . . . . . . . . . . . . . . 65 1. Introduction 
@@ -224,41 +219,72 @@ SLIP (Serial Line Interface Protocol) A serial datalink that only supports IP. A design prior to PPP. ARAP (Appletalk Remote Access Protocol) A serial datalink for accessing Appletalk networks [ARAP]. IPX (Internet Packet Exchange) The network protocol used by NetWare networks [IPX]. - LAT (Local Area Transport + L2TP (Layer Two Tunneling Protocol) + + L2TP [RFC3931] provides a dynamic mechanism for tunneling Layer 2 + "circuits" across a packet-oriented data network. + + LAC (L2TP Access Concentrator) + + An L2TP Control Connection Endpoint being used tocross-connect an + L2TP session directly to a data link [RFC3931]. + + LAT (Local Area Transport) A Digital Equipment Corp. LAN protocol for terminal services [LAT]. + LCP (Link Control Protocol) + + One of the three major components of PPP [RFC1661]. LCP is used + to automatically agree upon encapsulation format options, handle + varying limits on sizes of packets, detect a looped-back link and + other common misconfiguration errors, and terminate the link. + Other optional facilities provided are authentication of the + identity of its peer on the link, and determination when a link is + functioning properly and when it is failing. + + PAC (PPTP Access Concentrator) + + A device attached to one or more Public Switched Telephone Network + (PSTN) or Integrated Services Digtal Network (ISDN) lines capable + of PPP operation and of handling PPTP [RFC2637]. + + PPTP (Point-to-Point Tunneling Protocol) + + A protocol which allows PPP to be tunneled through an IP network + [RFC2637]. + VPN (Virtual Private Network) In this document, this term is used to describe access services that use tunneling methods. 1.2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 1.3. 
Advertising Application Support Diameter applications conforming to this specification MUST advertise support by including the value of one (1) in the Auth-Application-Id of the Capabilities-Exchange-Request (CER), AA-Request (AAR), and AA- - Answer (AAA) messages. All other messages are defined by RFC 3588 - and use the Base application id value. + Answer (AAA) messages. All other messages use the Base application + id value [I-D.ietf-dime-rfc3588bis]. 2. NAS Calls, Ports, and Sessions The arrival of a new call or service connection at a port of a Network Access Server (NAS) starts a Diameter NAS message exchange. Information about the call, the identity of the user, and the user's authentication information are packaged into a Diameter AA-Request (AAR) message and sent to a server. The server processes the information and responds with a Diameter AA- 
@@ -334,25 +360,26 @@ sessions. A service may also use a different Session-Id value for accounting (see Section 9.6 of [I-D.ietf-dime-rfc3588bis]). However, the Diameter Session-ID AVP value used for the initial authorization exchange MUST be used to generate an STR message when the session context is terminated. 2.3. Diameter Session Termination When a NAS receives an indication that a user's session is being - disconnected by the client (e.g., LCP Terminate is received) or an - administrative command, the NAS MUST issue a Session-Termination- - Request (STR) [I-D.ietf-dime-rfc3588bis] to its Diameter Server. - This will ensure that any resources maintained on the servers are - freed appropriately. + disconnected by the client (e.g., an LCP Terminate-Request message + + [RFC1661] is received) or an administrative command, the NAS MUST + issue a Session-Termination-Request (STR) [I-D.ietf-dime-rfc3588bis] + to its Diameter Server. This will ensure that any resources + maintained on the servers are freed appropriately. Furthermore, a NAS that receives an Abort-Session-Request (ASR) [I-D.ietf-dime-rfc3588bis] MUST issue an ASA if the session identified is active and disconnect the PPP (or tunneling) session. If accounting is active, an Accounting STOP_RECORD message [I-D.ietf-dime-rfc3588bis] MUST be sent upon termination of the session context. More information on Diameter Session Termination can be found in 
@@ -1002,35 +1030,36 @@ Session-Id Auth-Application-Id Origin-Host Origin-Realm Auth-Request-Type Termination-Cause The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted. - +---------------------+ - | AVP Flag rules | - |----+-----+----+-----|----+ - | | |SHLD| MUST| | - Attribute Name Section Defined |MUST| MAY | NOT| NOT|Encr| - -----------------------------------------|----+-----+----+-----|----| - NAS-Port 4.2.2 | M | P | | V | Y | - NAS-Port-Id 4.2.3 | M | P | | V | Y | - NAS-Port-Type 4.2.4 | M | P | | V | Y | - Called-Station-Id 4.2.5 | M | P | | V | Y | - Calling-Station-Id 4.2.6 | M | P | | V | Y | - Connect-Info 4.2.7 | M | P | | V | Y | - Originating-Line-Info 4.2.8 | | M,P | | V | Y | - Reply-Message 4.2.9 | M | P | | V | Y | - -----------------------------------------|----+-----+----+-----|----| + +----------+ + | AVP Flag | + | rules | + |----+-----+ + |MUST| MUST| + Attribute Name Section Defined | | NOT| + -----------------------------------------|----+-----| + NAS-Port 4.2.2 | M | V | + NAS-Port-Id 4.2.3 | M | V | + NAS-Port-Type 4.2.4 | M | V | + Called-Station-Id 4.2.5 | M | V | + Calling-Station-Id 4.2.6 | M | V | + Connect-Info 4.2.7 | M | V | + Originating-Line-Info 4.2.8 | | V | + Reply-Message 4.2.9 | M | V | + -----------------------------------------|----+-----| 4.2.2. NAS-Port AVP The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the physical or virtual port number of the NAS which is authenticating the user. Note that "port" is meant in its sense as a service connection on the NAS, not as an IP protocol identifier. Either the NAS-Port AVP or the NAS-Port-Id AVP (Section 4.2.3) SHOULD be present in the AA-Request (AAR, Section 3.1) command if the NAS 
@@ -1067,21 +1096,21 @@ Identification Service (DNIS) or a similar technology. Note that this may be different from the phone number the call comes in on. For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC address formatted as described in [RFC3580]. It SHOULD only be present in authentication and/or authorization requests. If the Called-Station-Id AVP is present in an AAR message, Auth- Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is absent, the Diameter Server MAY perform authorization based on this AVP. This can be used by a NAS to request whether a call should be - answered based on the DNIS. + answered based on the DNIS result. The codification of this field's allowed usage range is outside the scope of this specification. 4.2.6. Calling-Station-Id AVP The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and allows the NAS to send the ASCII string describing the Layer 2 address from which the user connected in the request. For dialup access, this is the phone number the call came from, using Automatic 
@@ -1121,21 +1150,21 @@ Connect-Info AVP may contain information on the number of link layer retransmissions. The exact format of this attribute is implementation specific. 4.2.8. Originating-Line-Info AVP The Originating-Line-Info AVP (AVP Code 94) is of type OctetString and is sent by the NAS system to convey information about the origin of the call from an SS7 system. - The originating line information (OLI) element indicates the nature + The Originating Line Information (OLI) element indicates the nature and/or characteristics of the line from which a call originated (e.g., pay phone, hotel, cellular). Telephone companies are starting to offer OLI to their customers as an option over Primary Rate Interface (PRI). Internet Service Providers (ISPs) can use OLI in addition to Called-Station-Id and Calling-Station-Id attributes to differentiate customer calls and to define different services. The Value field contains two octets (00 - 99). ANSI T1.113 and BELLCORE 394 can be used for additional information about these values and their use. For information on the currently assigned 
@@ -1159,52 +1188,54 @@ This section defines the AVPs necessary to carry the authentication information in the Diameter protocol. The functionality defined here provides a RADIUS-like AAA service [RFC2865] over a more reliable and secure transport, as defined in the base protocol [I-D.ietf-dime-rfc3588bis]. The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted. - +---------------------+ - | AVP Flag rules | - |----+-----+----+-----|----+ - | | |SHLD| MUST| | - Attribute Name Section Defined |MUST| MAY | NOT| NOT|Encr| - -----------------------------------------|----+-----+----+-----|----| - User-Password 4.3.1 | M | P | | V | Y | - Password-Retry 4.3.2 | M | P | | V | Y | - Prompt 4.3.3 | M | P | | V | Y | - CHAP-Auth 4.3.4 | M | P | | V | Y | - CHAP-Algorithm 4.3.5 | M | P | | V | Y | - CHAP-Ident 4.3.6 | M | P | | V | Y | - CHAP-Response 4.3.7 | M | P | | V | Y | - CHAP-Challenge 4.3.8 | M | P | | V | Y | - ARAP-Password 4.3.9 | M | P | | V | Y | - ARAP-Challenge-Response 4.3.10 | M | P | | V | Y | - ARAP-Security 4.3.11 | M | P | | V | Y | - ARAP-Security-Data 4.3.12 | M | P | | V | Y | - -----------------------------------------|----+-----+----+-----|----| + +----------+ + | AVP Flag | + | rules | + |----+-----| + |MUST| MUST| + Attribute Name Section Defined | | NOT| + -----------------------------------------|----+-----| + User-Password 4.3.1 | M | V | + Password-Retry 4.3.2 | M | V | + Prompt 4.3.3 | M | V | + CHAP-Auth 4.3.4 | M | V | + CHAP-Algorithm 4.3.5 | M | V | + CHAP-Ident 4.3.6 | M | V | + CHAP-Response 4.3.7 | M | V | + CHAP-Challenge 4.3.8 | M | V | + ARAP-Password 4.3.9 | M | V | + ARAP-Challenge-Response 4.3.10 | M | V | + ARAP-Security 4.3.11 | M | V | + ARAP-Security-Data 4.3.12 | M | V | + -----------------------------------------|----+-----| 4.3.1. 
User-Password AVP The User-Password AVP (AVP Code 2) is of type OctetString and contains the password of the user to be authenticated, or the user's input in a multi-round authentication exchange. The User-Password AVP contains a user password or one-time password and therefore represents sensitive information. As required in [I-D.ietf-dime-rfc3588bis], Diameter messages are encrypted by using - IPsec or TLS. Unless this AVP is used for one-time passwords, the - User-Password AVP SHOULD NOT be used in untrusted proxy environments - without encrypting it by using end-to-end security techniques. + IPsec [RFC4301] or TLS [RFC5246]. Unless this AVP is used for one- + time passwords, the User-Password AVP SHOULD NOT be used in untrusted + proxy environments without encrypting it by using end-to-end security + techniques. The clear-text password (prior to encryption) MUST NOT be longer than 128 bytes in length. 4.3.2. Password-Retry AVP The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be included in the AA-Answer if the Result-Code indicates an authentication failure. The value of this AVP indicates how many authentication attempts a user is permitted before being 
@@ -1309,62 +1339,63 @@ 4.4. NAS Authorization AVPs This section contains the authorization AVPs supported in the NAS Application. The Service-Type AVP SHOULD be present in all messages and, based on its value, additional AVPs defined in this section and Section 4.5 MAY be present. The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted. - +---------------------+ - | AVP Flag rules | - |----+-----+----+-----|----+ - | | |SHLD| MUST| | - Attribute Name Section Defined |MUST| MAY | NOT| NOT|Encr| - -----------------------------------------|----+-----+----+-----|----| - Service-Type 4.4.1 | M | P | | V | Y | - Callback-Number 4.4.2 | M | P | | V | Y | - Callback-Id 4.4.3 | M | P | | V | Y | - Idle-Timeout 4.4.4 | M | P | | V | Y | - Port-Limit 4.4.5 | M | P | | V | Y | - NAS-Filter-Rule 4.4.6 | M | P | | V | Y | - Filter-Id 4.4.7 | M | P | | V | Y | - Configuration-Token 4.4.8 | M | | | P,V | | - QoS-Filter-Rule 4.4.9 | | | | | | - Framed-Protocol 4.4.10.1 | M | P | | V | Y | - Framed-Routing 4.4.10.2 | M | P | | V | Y | - Framed-MTU 4.4.10.3 | M | P | | V | Y | - Framed-Compression 4.4.10.4 | M | P | | V | Y | - Framed-IP-Address 4.4.10.5.1 | M | P | | V | Y | - Framed-IP-Netmask 4.4.10.5.2 | M | P | | V | Y | - Framed-Route 4.4.10.5.3 | M | P | | V | Y | - Framed-Pool 4.4.10.5.4 | M | P | | V | Y | - Framed-Interface-Id 4.4.10.5.5 | M | P | | V | Y | - Framed-IPv6-Prefix 4.4.10.5.6 | M | P | | V | Y | - Framed-IPv6-Route 4.4.10.5.7 | M | P | | V | Y | - Framed-IPv6-Pool 4.4.10.5.8 | M | P | | V | Y | - Framed-IPX-Network 4.4.10.6.1 | M | P | | V | Y | - Framed-Appletalk-Link 4.4.10.7.1 | M | P | | V | Y | - Framed-Appletalk-Network 4.4.10.7.2 | M | P | | V | Y | - Framed-Appletalk-Zone 4.4.10.7.3 | M | P | | V | Y | - ARAP-Features 4.4.10.8.1 | M | P | | V | Y | - ARAP-Zone-Access 4.4.10.8.2 | M | P | | V | Y | - Login-IP-Host 4.4.11.1 | M | P | | V | Y | - Login-IPv6-Host 4.4.11.2 | M | P | | V | 
Y | - Login-Service 4.4.11.3 | M | P | | V | Y | - Login-TCP-Port 4.4.11.4.1 | M | P | | V | Y | - Login-LAT-Service 4.4.11.5.1 | M | P | | V | Y | - Login-LAT-Node 4.4.11.5.2 | M | P | | V | Y | - Login-LAT-Group 4.4.11.5.3 | M | P | | V | Y | - Login-LAT-Port 4.4.11.5.4 | M | P | | V | Y | - -----------------------------------------|----+-----+----+-----|----| + +----------+ + | AVP Flag | + | rules | + |----+-----| + |MUST| MUST| + Attribute Name Section Defined | | NOT| + -----------------------------------------|----+-----| + Service-Type 4.4.1 | M | V | + Callback-Number 4.4.2 | M | V | + Callback-Id 4.4.3 | M | V | + Idle-Timeout 4.4.4 | M | V | + Port-Limit 4.4.5 | M | V | + NAS-Filter-Rule 4.4.6 | M | V | + Filter-Id 4.4.7 | M | V | + Configuration-Token 4.4.8 | M | P,V | + QoS-Filter-Rule 4.4.9 | | | + Framed-Protocol 4.4.10.1 | M | V | + Framed-Routing 4.4.10.2 | M | V | + Framed-MTU 4.4.10.3 | M | V | + Framed-Compression 4.4.10.4 | M | V | + Framed-IP-Address 4.4.10.5.1 | M | V | + Framed-IP-Netmask 4.4.10.5.2 | M | V | + Framed-Route 4.4.10.5.3 | M | V | + Framed-Pool 4.4.10.5.4 | M | V | + Framed-Interface-Id 4.4.10.5.5 | M | V | + Framed-IPv6-Prefix 4.4.10.5.6 | M | V | + Framed-IPv6-Route 4.4.10.5.7 | M | V | + Framed-IPv6-Pool 4.4.10.5.8 | M | V | + Framed-IPX-Network 4.4.10.6.1 | M | V | + Framed-Appletalk-Link 4.4.10.7.1 | M | V | + Framed-Appletalk-Network 4.4.10.7.2 | M | V | + Framed-Appletalk-Zone 4.4.10.7.3 | M | V | + ARAP-Features 4.4.10.8.1 | M | V | + ARAP-Zone-Access 4.4.10.8.2 | M | V | + Login-IP-Host 4.4.11.1 | M | V | + Login-IPv6-Host 4.4.11.2 | M | V | + Login-Service 4.4.11.3 | M | V | + Login-TCP-Port 4.4.11.4.1 | M | V | + Login-LAT-Service 4.4.11.5.1 | M | V | + Login-LAT-Node 4.4.11.5.2 | M | V | + Login-LAT-Group 4.4.11.5.3 | M | V | + Login-LAT-Port 4.4.11.5.4 | M | V | + -----------------------------------------|----+-----| 4.4.1. 
Service-Type AVP The Service-Type AVP (AVP Code 6) is of type Enumerated and contains the type of service the user has requested or the type of service to be provided. One such AVP MAY be present in an authentication and/or authorization request or response. A NAS is not required to implement all of these service types. It MUST treat unknown or unsupported Service-Types received in a response as a failure and end the session with a DIAMETER_INVALID_AVP_VALUE Result-Code. @@ -1632,27 +1663,27 @@ contains the ASCII routing information to be configured for the user on the NAS. Zero or more of these AVPs MAY be present in an authorization response. The string MUST contain an IPv6 address prefix followed by a slash and a decimal length specifier stating how many high order bits of the prefix should be used. This is followed by a space, a gateway address in hexadecimal notation, a space, and one or more metrics separated by spaces; for example, - "2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1" + "2001:db8::/32 2001:db8:106:a00:20ff:fe99:a998 1" Whenever the gateway address is the IPv6 unspecified address, the IP address of the user SHOULD be used as the gateway address, such as in: - "2000:0:0:106::/64 :: 1" + "2001:db8::/32 :: 1" 4.4.10.5.8. Framed-IPv6-Pool AVP The Framed-IPv6-Pool AVP (AVP Code 100) is of type OctetString and contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user. If the access device does not support multiple prefix pools, it MUST ignore this AVP. Although specified as type OctetString for compatibility with RADIUS [RFC3162], the encoding of the Data field SHOULD also conform to the 
@@ -1810,26 +1841,25 @@ The Login-LAT-Service AVP (AVP Code 34) is of type OctetString and contains the system with which the user is to be connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific service is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in the response if the Login-Service AVP states that LAT is desired. Administrators use this service attribute when dealing with clustered - systems, such as a VAX or Alpha cluster. In these environments, - several different time-sharing hosts share the same resources (disks, - printers, etc.), and administrators often configure each host to - offer access (service) to each of the shared resources. In this - case, each host in the cluster advertises its services through LAT - broadcasts. + systems. In these environments, several different time-sharing hosts + share the same resources (disks, printers, etc.), and administrators + often configure each host to offer access (service) to each of the + shared resources. In this case, each host in the cluster advertises + its services through LAT broadcasts. Sophisticated users often know which service providers (machines) are faster and tend to use a node name when initiating a LAT connection. Some administrators want particular users to use certain machines as a primitive form of load balancing (although LAT knows how to do load balancing itself). The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper- and lowercase 
@@ -1899,38 +1929,39 @@ elsewhere in the network. This is typically transparent to the service user, and the tunnel characteristics may be described by the remote AAA server, based on the user's authorization information. Several tunnel characteristics may be returned, and the NAS implementation may choose one. See [RFC2868] and [RFC2867] for further information. The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted. - +---------------------+ - | AVP Flag rules | - |----+-----+----+-----|----+ - | | |SHLD| MUST| | - Attribute Name Section Defined |MUST| MAY | NOT| NOT|Encr| - -----------------------------------------|----+-----+----+-----|----| - Tunneling 4.5.1 | M | P | | V | N | - Tunnel-Type 4.5.2 | M | P | | V | Y | - Tunnel-Medium-Type 4.5.3 | M | P | | V | Y | - Tunnel-Client-Endpoint 4.5.4 | M | P | | V | Y | - Tunnel-Server-Endpoint 4.5.5 | M | P | | V | Y | - Tunnel-Password 4.5.6 | M | P | | V | Y | - Tunnel-Private-Group-Id 4.5.7 | M | P | | V | Y | - Tunnel-Assignment-Id 4.5.8 | M | P | | V | Y | - Tunnel-Preference 4.5.9 | M | P | | V | Y | - Tunnel-Client-Auth-Id 4.5.10 | M | P | | V | Y | - Tunnel-Server-Auth-Id 4.5.11 | M | P | | V | Y | - -----------------------------------------|----+-----+----+-----|----| + +----------+ + | AVP Flag | + | rules | + |----+-----| + |MUST| MUST| + Attribute Name Section Defined | | NOT | + -----------------------------------------|----+-----| + Tunneling 4.5.1 | M | V | + Tunnel-Type 4.5.2 | M | V | + Tunnel-Medium-Type 4.5.3 | M | V | + Tunnel-Client-Endpoint 4.5.4 | M | V | + Tunnel-Server-Endpoint 4.5.5 | M | V | + Tunnel-Password 4.5.6 | M | V | + Tunnel-Private-Group-Id 4.5.7 | M | V | + Tunnel-Assignment-Id 4.5.8 | M | V | + Tunnel-Preference 4.5.9 | M | V | + Tunnel-Client-Auth-Id 4.5.10 | M | V | + Tunnel-Server-Auth-Id 4.5.11 | M | V | + -----------------------------------------|----+-----| 4.5.1. 
Tunneling AVP The Tunneling AVP (AVP Code 401) is of type Grouped and contains the following AVPs, used to describe a compulsory tunnel service ([RFC2868], [RFC2867]). Its data field has the following ABNF grammar: Tunneling ::= < AVP Header: 401 > { Tunnel-Type } @@ -1960,21 +1991,21 @@ unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave as though a response were received with the Result-Code indicating a failure. The supported values are listed in [RADIUSTypes]. 4.5.3. Tunnel-Medium-Type AVP The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and contains the transport medium to use when creating a tunnel for - protocols (such as L2TP [RFC2661]) that can operate over multiple + protocols (such as L2TP [RFC3931]) that can operate over multiple transports. It MAY be used in an authorization request as a hint to the server that a specific medium is desired, but the server is not required to honor the hint in the corresponding response. The supported values are listed in [RADIUSTypes]. 4.5.4. Tunnel-Client-Endpoint AVP The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String and contains the address of the initiator end of the tunnel. It MAY 
@@ -2057,21 +2088,21 @@ to associate a tunneled session with a particular group of users. For example, it MAY be used to facilitate routing of unregistered IP addresses through a particular interface. This AVP SHOULD be included in the ACR messages that pertain to the tunneled session. 4.5.8. Tunnel-Assignment-Id AVP The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and is used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned. Some tunneling protocols, such as - PPTP [RFC2637] and L2TP [RFC2661], allow for sessions between the + PPTP [RFC2637] and L2TP [RFC3931], allow for sessions between the same two tunnel endpoints to be multiplexed over the same tunnel and also for a given session to use its own dedicated tunnel. This attribute provides a mechanism for Diameter to inform the tunnel initiator (e.g., PAC, LAC) whether to assign the session to a multiplexed tunnel or to a separate tunnel. Furthermore, it allows for sessions sharing multiplexed tunnels to be assigned to different multiplexed tunnels. A particular tunneling implementation may assign differing characteristics to particular tunnels. For example, different 
@@ -2135,22 +2166,22 @@ For example, suppose that AVPs describing two tunnels are returned by the server, one with a Tunnel-Type of PPTP and the other with a Tunnel-Type of L2TP. If the tunnel initiator supports only one of the Tunnel-Types returned, it will initiate a tunnel of that type. If, however, it supports both tunnel protocols, it SHOULD use the value of the Tunnel-Preference AVP to decide which tunnel should be started. The tunnel with the lowest numerical value in the Value field of this AVP SHOULD be given the highest preference. The values assigned to two or more instances of the Tunnel-Preference AVP within a given authorization response MAY be identical. In this case, the - tunnel initiator SHOULD use locally configured metrics to decidewhich - set of AVPs to use. + tunnel initiator SHOULD use locally configured metrics to decide + which set of AVPs to use. 4.5.10. Tunnel-Client-Auth-Id AVP The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in the authorization response if an authentication name other than the 
@@ -2188,38 +2219,39 @@ additional Authentications or Authorizations occur in later transactions, the first exchange should generate a START_RECORD, and the later an INTERIM_RECORD. For a given session, there MUST only be one set of matching START and STOP records, with any number of INTERIM_RECORDS in between, or one EVENT_RECORD indicating the reason a session wasn't started. The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted. - +---------------------+ - | AVP Flag rules | - |----+-----+----+-----|----+ - Section | | |SHLD| MUST| | - Attribute Name Defined |MUST| MAY | NOT| NOT|Encr| - -----------------------------------------|----+-----+----+-----|----| - Accounting-Input-Octets 4.6.1 | M | P | | V | Y | - Accounting-Output-Octets 4.6.2 | M | P | | V | Y | - Accounting-Input-Packets 4.6.3 | M | P | | V | Y | - Accounting-Output-Packets 4.6.4 | M | P | | V | Y | - Acct-Session-Time 4.6.5 | M | P | | V | Y | - Acct-Authentic 4.6.6 | M | P | | V | Y | - Accounting-Auth-Method 4.6.7 | M | P | | V | Y | - Acct-Delay-Time 4.6.8 | M | P | | V | Y | - Acct-Link-Count 4.6.9 | M | P | | V | Y | - Acct-Tunnel-Connection 4.6.10 | M | P | | V | Y | - Acct-Tunnel-Packets-Lost 4.6.11 | M | P | | V | Y | - -----------------------------------------|----+-----+----+-----|----| + +----------+ + | AVP Flag | + | rules | + |----+-----| + Section |MUST| MUST| + Attribute Name Defined | | NOT| + -----------------------------------------|----+-----| + Accounting-Input-Octets 4.6.1 | M | V | + Accounting-Output-Octets 4.6.2 | M | V | + Accounting-Input-Packets 4.6.3 | M | V | + Accounting-Output-Packets 4.6.4 | M | V | + Acct-Session-Time 4.6.5 | M | V | + Acct-Authentic 4.6.6 | M | V | + Accounting-Auth-Method 4.6.7 | M | V | + Acct-Delay-Time 4.6.8 | M | V | + Acct-Link-Count 4.6.9 | M | V | + Acct-Tunnel-Connection 4.6.10 | M | V | + Acct-Tunnel-Packets-Lost 4.6.11 | M | V | + 
-----------------------------------------|----+-----| 4.6.1. Accounting-Input-Octets AVP The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64 and contains the number of octets received from the user. For NAS usage, this AVP indicates how many octets have been received from the port in the course of this session. It can only be present in ACR messages with an Accounting-Record-Type [I-D.ietf-dime-rfc3588bis] of INTERIM_RECORD or STOP_RECORD. @@ -2351,21 +2383,21 @@ 5. AVP Occurrence Tables The following tables present the AVPs used by NAS applications in NAS messages and specify in which Diameter messages they may or may not be present. Messages and AVPs defined in the base Diameter protocol [I-D.ietf-dime-rfc3588bis] are not described in this document. Note that AVPs that can only be present within a Grouped AVP are not represented in this table. - The table uses the following symbols: + The tables use the following symbols: 0 The AVP MUST NOT be present in the message. 0+ Zero or more instances of the AVP MAY be present in the message. 0-1 Zero or one instance of the AVP MAY be present in the message. 1 Exactly one instance of the AVP MUST be present in the message. 5.1. AA-Request/Answer AVP Table 
@@ -2643,67 +2675,21 @@ Result-Code | 0 | 1 | Session-Id | 1 | 1 | Service-Type | 0-1 | 0-1 | Termination-Cause | 0-1 | 0-1 | User-Name | 0-1 | 0-1 | Vendor-Specific-Application-Id | 0-1 | 0-1 | ---------------------------------------|-----+-----+ 6. IANA Considerations - This section provides guidance to the Internet Assigned Numbers - Authority (IANA) regarding registration of values related to the - Diameter protocol, in accordance with BCP 26 [RFC5226]. - - This document defines values in the namespaces that have been created - and defined in the Diameter Base [I-D.ietf-dime-rfc3588bis]. The - IANA Considerations section of that document details the assignment - criteria. Values assigned in this document, or by future IANA - action, must be coordinated within this shared namespace. - -6.1. Command Codes - - This specification assigns the value 265 from the Command Code - namespace defined in [I-D.ietf-dime-rfc3588bis]. See Sections 3.1 - and 3.2 for the assignment of the namespace in this specification. - -6.2. AVP Codes - - This specification assigns the values 363 - 366 and 400 - 408 from - the AVP Code namespace defined in [I-D.ietf-dime-rfc3588bis]. See - Section 4 for the assignment of the namespace in this specification. - Note that the values 363 - 366 are jointly, but consistently, - assigned in [RFC4004]. This document also creates one new namespace - to be managed by IANA, as described in Section 6.5 - - This specification also specifies the use of AVPs in the 0 - 255 - range, which are listed in [RADIUSTypes] These values are assigned - according to the policy stated in Section 6 of [RFC2865], as amended - by [RFC3575]. - -6.3. Application Identifier - - This specification uses the value one (1) in the Application - Identifier namespace as assigned in [I-D.ietf-dime-rfc3588bis]. See - Section 1.3 above for more information. - -6.4. 
CHAP-Algorithm AVP Values - - As defined in Section 4.3.4, the CHAP-Algorithm AVP (AVP Code 403) - uses the values of the "PPP AUTHENTICATION ALGORITHMS" namespace - defined in [RFC1994]. - -6.5. Accounting-Auth-Method AVP Values - - As defined in Section 4.6.7 the Accounting-Auth-Method AVP (AVP Code - 406) defines the values 1 - 5. All remaining values are available - for assignment via the IETF Review policy [RFC5226]. + This document does not request any action by IANA. 7. Security Considerations This document describes the extension of Diameter for the NAS application. The security considerations of the Diameter protocol itself have been discussed in [I-D.ietf-dime-rfc3588bis]. Use of this application of Diameter MUST take into consideration the security issues and requirements of the Base protocol. This document does not contain a security protocol but does discuss @@ -2757,25 +2743,20 @@ [RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", RFC 3162, August 2001. [RFC3516] Nerenberg, L., "IMAP4 Binary Content Extension", RFC 3516, April 2003. [RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and Accounting (AAA) Transport Profile", RFC 3539, June 2003. - [RFC5226] Narten, T. and H. Alvestrand, "Guidelines - for Writing an IANA Considerations - Section in RFCs", BCP 26, RFC 5226, - May 2008. - 8.2. Informative References [ARAP] Apple Computer, "Apple Remote Access Protocol (ARAP) Version 2.0 External Reference Specification", R0612LL/B , September 1994. [AppleTalk] Sidhu, G., Andrews, R., and A. Oppenheimer, "Inside AppleTalk", Second Edition Apple Computer, 1990. 
@@ -2817,25 +2798,20 @@ [RFC2597] Heinanen, J., Baker, F., Weiss, W., and J. Wroclawski, "Assured Forwarding PHB Group", RFC 2597, June 1999. [RFC2637] Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little, W., and G. Zorn, "Point-to-Point Tunneling Protocol", RFC 2637, July 1999. - [RFC2661] Townsley, W., Valencia, A., Rubens, A., - Pall, G., Zorn, G., and B. Palter, "Layer - Two Tunneling Protocol "L2TP"", RFC 2661, - August 1999. - [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. [RFC2867] Zorn, G., Aboba, B., and D. Mitton, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000. [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M., and I. Goyret, 
@@ -2866,40 +2842,43 @@ [RFC3169] Beadles, M. and D. Mitton, "Criteria for Evaluating Network Access Server Protocols", RFC 3169, September 2001. [RFC3246] Davie, B., Charny, A., Bennet, J., Benson, K., Le Boudec, J., Courtney, W., Davari, S., Firoiu, V., and D. Stiliadis, "An Expedited Forwarding PHB (Per-Hop Behavior)", RFC 3246, March 2002. - [RFC3575] Aboba, B., "IANA Considerations for - RADIUS (Remote Authentication Dial In - User Service)", RFC 3575, July 2003. - [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", RFC 3580, September 2003. - [RFC4004] Calhoun, P., Johansson, T., Perkins, C., - Hiller, T., and P. McCann, "Diameter - Mobile IPv4 Application", RFC 4004, - August 2005. + [RFC3931] Lau, J., Townsley, M., and I. Goyret, + "Layer Two Tunneling Protocol - Version 3 + (L2TPv3)", RFC 3931, March 2005. [RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible Authentication Protocol (EAP) Application", RFC 4072, August 2005. + [RFC4301] Kent, S. and K. Seo, "Security + Architecture for the Internet Protocol", + RFC 4301, December 2005. + + [RFC5246] Dierks, T. and E. Rescorla, "The + Transport Layer Security (TLS) Protocol + Version 1.2", RFC 5246, August 2008. + Appendix A. Acknowledgements A.1. RFC 4005 The authors would like to thank Carl Rigney, Allan C. Rubens, William Allen Simpson, and Steve Willens for their work on the original RADIUS protocol, from which many of the concepts in this specification were derived. Thanks, also, to Carl Rigney for [RFC2866] and [RFC2869]; Ward Willats for [RFC2869]; Glen Zorn, Bernard Aboba, and Dave Mitton for [RFC2867] and [RFC3162]; and Dory
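Review bot: in the rebuilt authorization-AVP flag table (Section 4.4) the QoS-Filter-Rule row (`QoS-Filter-Rule 4.4.9 | | |`) is the only row with empty MUST and MUST NOT cells, and Configuration-Token is the only row that still carries a P (`Configuration-Token 4.4.8 | M | P,V |`) now that the MAY/P column has been dropped from every table. Either give QoS-Filter-Rule the same `| M | V |` flags as its neighbours or say in 4.4.9 why it differs, and either remove the stray P or apply the same MUST NOT P rule to every AVP; as it stands a reader will infer that every other AVP in the table may set the P bit.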
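Review bot: both the tunnel-AVP table (4.5) and the accounting-AVP table (4.6) lose their Encr column, but the unchanged context sentence directly above each of them still reads `The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted.` Drop the `and specifies whether the AVP MAY be encrypted` clause in both places. The same change silently demotes `Tunnel-Password 4.5.6 | M | V |`, whose old row was marked Encr=Y: with no column left to flag it, 4.5.6 or Section 7 should state plainly that the confidentiality of this AVP now rests entirely on the hop-by-hop transport protection required by the base protocol.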
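Review bot: the new Framed-IPv6-Route example `"2001:db8::/32 2001:db8:106:a00:20ff:fe99:a998 1"` changes more than the address block: the prefix length went from /64 to /32, so the gateway now lies inside the very prefix being routed, which is not what the route string is meant to illustrate. Keeping the original shape inside the 2001:db8::/32 documentation block, e.g. `"2001:db8:0:106::/64 2001:db8::106:a00:20ff:fe99:a998 1"` and `"2001:db8:0:106::/64 :: 1"` for the unspecified-gateway case, moves to documentation addresses without altering the example's meaning.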
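Review bot: in 4.5.3 and 4.5.8 the L2TP citation is swapped from [RFC2661] to [RFC3931], but the new reference entry shows RFC 3931 is L2TPv3, a separate protocol version that does not obsolete RFC 2661, and the 4.5.8 text (`sessions between the same two tunnel endpoints to be multiplexed over the same tunnel`, `PAC, LAC`) describes L2TPv2 behaviour and terminology. Unless the intent is to exclude L2TPv2, cite both or keep [RFC2661] (whose entry is removed from 8.2 in this same change); if only v3 is intended, 4.5.8 should say so.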
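Review bot: replacing Section 6 wholesale with `This document does not request any action by IANA.` is too strong for a document that obsoletes RFC 4005. The removed text records that Command Code 265, AVP Codes 363-366 and 400-408, Application Id 1 and the Accounting-Auth-Method value space (values 1-5 assigned, the remainder by IETF Review) are registered against RFC 4005; once this draft is published those registry entries will point at an obsoleted RFC, and the registration policy for the remaining Accounting-Auth-Method values disappears from the specification. Keep a short Section 6 that asks IANA to update the references for those existing registrations to this document and that restates the Accounting-Auth-Method assignment policy, which also means keeping [RFC5226], dropped from 8.1 in the same change, as a normative reference.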
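Review bot: [RFC4301] and [RFC5246] are added to the informative references in 8.2, but no hunk in this diff adds a citation of either in the body, so verify they are actually cited (presumably in Section 7) or they will be flagged as unused. If Section 7 now relies on IPsec or TLS for the confidentiality of AVPs that used to be marked encryptable, those references belong in 8.1 (normative) rather than 8.2.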