draft-ietf-dime-rfc4005bis-07.txt | draft-ietf-dime-rfc4005bis-08.txt | |||
---|---|---|---|---|
Network Working Group G. Zorn, Ed. | Network Working Group G. Zorn, Ed. | |||
Internet-Draft Network Zen | Internet-Draft Network Zen | |||
Obsoletes: 4005 (if approved) February 4, 2012 | Obsoletes: 4005 (if approved) April 23, 2012 | |||
Intended status: Standards Track | Intended status: Standards Track | |||
Expires: August 7, 2012 | Expires: October 25, 2012 | |||
Diameter Network Access Server Application | Diameter Network Access Server Application | |||
draft-ietf-dime-rfc4005bis-07 | draft-ietf-dime-rfc4005bis-08 | |||
Abstract | Abstract | |||
This document describes the Diameter protocol application used for | This document describes the Diameter protocol application used for | |||
Authentication, Authorization, and Accounting (AAA) services in the | Authentication, Authorization, and Accounting (AAA) services in the | |||
Network Access Server (NAS) environment; it obsoletes RFC 4005. When | Network Access Server (NAS) environment; it obsoletes RFC 4005. When | |||
combined with the Diameter Base protocol, Transport Profile, and | combined with the Diameter Base protocol, Transport Profile, and | |||
Extensible Authentication Protocol specifications, this application | Extensible Authentication Protocol specifications, this application | |||
specification satisfies typical network access services requirements. | specification satisfies typical network access services requirements. | |||
skipping to change at page 1, line 36 | skipping to change at page 1, line 36 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on August 7, 2012. | This Internet-Draft will expire on October 25, 2012. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 3, line 23 | skipping to change at page 3, line 23 | |||
4.4.5. Port-Limit AVP . . . . . . . . . . . . . . . . . . . . 34 | 4.4.5. Port-Limit AVP . . . . . . . . . . . . . . . . . . . . 34 | |||
4.4.6. NAS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 34 | 4.4.6. NAS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 34 | |||
4.4.7. Filter-Id AVP . . . . . . . . . . . . . . . . . . . . 34 | 4.4.7. Filter-Id AVP . . . . . . . . . . . . . . . . . . . . 34 | |||
4.4.8. Configuration-Token AVP . . . . . . . . . . . . . . . 35 | 4.4.8. Configuration-Token AVP . . . . . . . . . . . . . . . 35 | |||
4.4.9. QoS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 35 | 4.4.9. QoS-Filter-Rule AVP . . . . . . . . . . . . . . . . . 35 | |||
4.4.10. Framed Access Authorization AVPs . . . . . . . . . . . 36 | 4.4.10. Framed Access Authorization AVPs . . . . . . . . . . . 36 | |||
4.4.10.1. Framed-Protocol AVP . . . . . . . . . . . . . . . 36 | 4.4.10.1. Framed-Protocol AVP . . . . . . . . . . . . . . . 36 | |||
4.4.10.2. Framed-Routing AVP . . . . . . . . . . . . . . . 36 | 4.4.10.2. Framed-Routing AVP . . . . . . . . . . . . . . . 36 | |||
4.4.10.3. Framed-MTU AVP . . . . . . . . . . . . . . . . . 36 | 4.4.10.3. Framed-MTU AVP . . . . . . . . . . . . . . . . . 36 | |||
4.4.10.4. Framed-Compression AVP . . . . . . . . . . . . . 36 | 4.4.10.4. Framed-Compression AVP . . . . . . . . . . . . . 36 | |||
4.4.10.5. IP Access Authorization AVPs . . . . . . . . . . 36 | 4.4.10.5. IP Access Authorization AVPs . . . . . . . . . . 37 | |||
4.4.10.5.1. Framed-IP-Address AVP . . . . . . . . . . . . 37 | 4.4.10.5.1. Framed-IP-Address AVP . . . . . . . . . . . . 37 | |||
4.4.10.5.2. Framed-IP-Netmask AVP . . . . . . . . . . . . 37 | 4.4.10.5.2. Framed-IP-Netmask AVP . . . . . . . . . . . . 37 | |||
4.4.10.5.3. Framed-Route AVP . . . . . . . . . . . . . . 37 | 4.4.10.5.3. Framed-Route AVP . . . . . . . . . . . . . . 37 | |||
4.4.10.5.4. Framed-Pool AVP . . . . . . . . . . . . . . . 38 | 4.4.10.5.4. Framed-Pool AVP . . . . . . . . . . . . . . . 38 | |||
4.4.10.5.5. Framed-Interface-Id AVP . . . . . . . . . . . 38 | 4.4.10.5.5. Framed-Interface-Id AVP . . . . . . . . . . . 38 | |||
4.4.10.5.6. Framed-IPv6-Prefix AVP . . . . . . . . . . . 38 | 4.4.10.5.6. Framed-IPv6-Prefix AVP . . . . . . . . . . . 38 | |||
4.4.10.5.7. Framed-IPv6-Route AVP . . . . . . . . . . . . 38 | 4.4.10.5.7. Framed-IPv6-Route AVP . . . . . . . . . . . . 38 | |||
4.4.10.5.8. Framed-IPv6-Pool AVP . . . . . . . . . . . . 39 | 4.4.10.5.8. Framed-IPv6-Pool AVP . . . . . . . . . . . . 39 | |||
4.4.10.6. IPX Access AVPs . . . . . . . . . . . . . . . . . 39 | 4.4.10.6. IPX Access AVPs . . . . . . . . . . . . . . . . . 39 | |||
4.4.10.6.1. Framed-IPX-Network AVP . . . . . . . . . . . 39 | 4.4.10.6.1. Framed-IPX-Network AVP . . . . . . . . . . . 39 | |||
4.4.10.7. AppleTalk Network Access AVPs . . . . . . . . . . 39 | 4.4.10.7. AppleTalk Network Access AVPs . . . . . . . . . . 39 | |||
4.4.10.7.1. Framed-AppleTalk-Link AVP . . . . . . . . . . 39 | 4.4.10.7.1. Framed-AppleTalk-Link AVP . . . . . . . . . . 39 | |||
4.4.10.7.2. Framed-AppleTalk-Network AVP . . . . . . . . 40 | 4.4.10.7.2. Framed-AppleTalk-Network AVP . . . . . . . . 40 | |||
4.4.10.7.3. Framed-AppleTalk-Zone AVP . . . . . . . . . . 40 | 4.4.10.7.3. Framed-AppleTalk-Zone AVP . . . . . . . . . . 40 | |||
4.4.10.8. AppleTalk Remote Access AVPs . . . . . . . . . . 40 | 4.4.10.8. AppleTalk Remote Access AVPs . . . . . . . . . . 40 | |||
4.4.10.8.1. ARAP-Features AVP . . . . . . . . . . . . . . 40 | 4.4.10.8.1. ARAP-Features AVP . . . . . . . . . . . . . . 40 | |||
4.4.10.8.2. ARAP-Zone-Access AVP . . . . . . . . . . . . 40 | 4.4.10.8.2. ARAP-Zone-Access AVP . . . . . . . . . . . . 41 | |||
4.4.11. Non-Framed Access Authorization AVPs . . . . . . . . . 41 | 4.4.11. Non-Framed Access Authorization AVPs . . . . . . . . . 41 | |||
4.4.11.1. Login-IP-Host AVP . . . . . . . . . . . . . . . . 41 | 4.4.11.1. Login-IP-Host AVP . . . . . . . . . . . . . . . . 41 | |||
4.4.11.2. Login-IPv6-Host AVP . . . . . . . . . . . . . . . 41 | 4.4.11.2. Login-IPv6-Host AVP . . . . . . . . . . . . . . . 41 | |||
4.4.11.3. Login-Service AVP . . . . . . . . . . . . . . . . 41 | 4.4.11.3. Login-Service AVP . . . . . . . . . . . . . . . . 42 | |||
4.4.11.4. TCP Services . . . . . . . . . . . . . . . . . . 42 | 4.4.11.4. TCP Services . . . . . . . . . . . . . . . . . . 42 | |||
4.4.11.4.1. Login-TCP-Port AVP . . . . . . . . . . . . . 42 | 4.4.11.4.1. Login-TCP-Port AVP . . . . . . . . . . . . . 42 | |||
4.4.11.5. LAT Services . . . . . . . . . . . . . . . . . . 42 | 4.4.11.5. LAT Services . . . . . . . . . . . . . . . . . . 42 | |||
4.4.11.5.1. Login-LAT-Service AVP . . . . . . . . . . . . 42 | 4.4.11.5.1. Login-LAT-Service AVP . . . . . . . . . . . . 42 | |||
4.4.11.5.2. Login-LAT-Node AVP . . . . . . . . . . . . . 43 | 4.4.11.5.2. Login-LAT-Node AVP . . . . . . . . . . . . . 43 | |||
4.4.11.5.3. Login-LAT-Group AVP . . . . . . . . . . . . . 43 | 4.4.11.5.3. Login-LAT-Group AVP . . . . . . . . . . . . . 43 | |||
4.4.11.5.4. Login-LAT-Port AVP . . . . . . . . . . . . . 43 | 4.4.11.5.4. Login-LAT-Port AVP . . . . . . . . . . . . . 44 | |||
4.5. NAS Tunneling AVPs . . . . . . . . . . . . . . . . . . . . 44 | 4.5. NAS Tunneling AVPs . . . . . . . . . . . . . . . . . . . . 44 | |||
4.5.1. Tunneling AVP . . . . . . . . . . . . . . . . . . . . 44 | 4.5.1. Tunneling AVP . . . . . . . . . . . . . . . . . . . . 45 | |||
4.5.2. Tunnel-Type AVP . . . . . . . . . . . . . . . . . . . 45 | 4.5.2. Tunnel-Type AVP . . . . . . . . . . . . . . . . . . . 45 | |||
4.5.3. Tunnel-Medium-Type AVP . . . . . . . . . . . . . . . . 45 | 4.5.3. Tunnel-Medium-Type AVP . . . . . . . . . . . . . . . . 46 | |||
4.5.4. Tunnel-Client-Endpoint AVP . . . . . . . . . . . . . . 45 | 4.5.4. Tunnel-Client-Endpoint AVP . . . . . . . . . . . . . . 46 | |||
4.5.5. Tunnel-Server-Endpoint AVP . . . . . . . . . . . . . . 46 | 4.5.5. Tunnel-Server-Endpoint AVP . . . . . . . . . . . . . . 47 | |||
4.5.6. Tunnel-Password AVP . . . . . . . . . . . . . . . . . 47 | 4.5.6. Tunnel-Password AVP . . . . . . . . . . . . . . . . . 47 | |||
4.5.7. Tunnel-Private-Group-Id AVP . . . . . . . . . . . . . 47 | 4.5.7. Tunnel-Private-Group-Id AVP . . . . . . . . . . . . . 47 | |||
4.5.8. Tunnel-Assignment-Id AVP . . . . . . . . . . . . . . . 47 | 4.5.8. Tunnel-Assignment-Id AVP . . . . . . . . . . . . . . . 48 | |||
4.5.9. Tunnel-Preference AVP . . . . . . . . . . . . . . . . 49 | 4.5.9. Tunnel-Preference AVP . . . . . . . . . . . . . . . . 49 | |||
4.5.10. Tunnel-Client-Auth-Id AVP . . . . . . . . . . . . . . 49 | 4.5.10. Tunnel-Client-Auth-Id AVP . . . . . . . . . . . . . . 50 | |||
4.5.11. Tunnel-Server-Auth-Id AVP . . . . . . . . . . . . . . 49 | 4.5.11. Tunnel-Server-Auth-Id AVP . . . . . . . . . . . . . . 50 | |||
4.6. NAS Accounting AVPs . . . . . . . . . . . . . . . . . . . 50 | 4.6. NAS Accounting AVPs . . . . . . . . . . . . . . . . . . . 50 | |||
4.6.1. Accounting-Input-Octets AVP . . . . . . . . . . . . . 51 | 4.6.1. Accounting-Input-Octets AVP . . . . . . . . . . . . . 51 | |||
4.6.2. Accounting-Output-Octets AVP . . . . . . . . . . . . . 51 | 4.6.2. Accounting-Output-Octets AVP . . . . . . . . . . . . . 51 | |||
4.6.3. Accounting-Input-Packets AVP . . . . . . . . . . . . . 51 | 4.6.3. Accounting-Input-Packets AVP . . . . . . . . . . . . . 51 | |||
4.6.4. Accounting-Output-Packets AVP . . . . . . . . . . . . 51 | 4.6.4. Accounting-Output-Packets AVP . . . . . . . . . . . . 52 | |||
4.6.5. Acct-Session-Time AVP . . . . . . . . . . . . . . . . 51 | 4.6.5. Acct-Session-Time AVP . . . . . . . . . . . . . . . . 52 | |||
4.6.6. Acct-Authentic AVP . . . . . . . . . . . . . . . . . . 52 | 4.6.6. Acct-Authentic AVP . . . . . . . . . . . . . . . . . . 52 | |||
4.6.7. Accounting-Auth-Method AVP . . . . . . . . . . . . . . 52 | 4.6.7. Accounting-Auth-Method AVP . . . . . . . . . . . . . . 52 | |||
4.6.8. Acct-Delay-Time AVP . . . . . . . . . . . . . . . . . 52 | 4.6.8. Acct-Delay-Time AVP . . . . . . . . . . . . . . . . . 52 | |||
4.6.9. Acct-Link-Count AVP . . . . . . . . . . . . . . . . . 52 | 4.6.9. Acct-Link-Count AVP . . . . . . . . . . . . . . . . . 53 | |||
4.6.10. Acct-Tunnel-Connection AVP . . . . . . . . . . . . . . 53 | 4.6.10. Acct-Tunnel-Connection AVP . . . . . . . . . . . . . . 53 | |||
4.6.11. Acct-Tunnel-Packets-Lost AVP . . . . . . . . . . . . . 53 | 4.6.11. Acct-Tunnel-Packets-Lost AVP . . . . . . . . . . . . . 54 | |||
5. AVP Occurrence Tables . . . . . . . . . . . . . . . . . . . . 53 | 5. AVP Occurrence Tables . . . . . . . . . . . . . . . . . . . . 54 | |||
5.1. AA-Request/Answer AVP Table . . . . . . . . . . . . . . . 54 | 5.1. AA-Request/Answer AVP Table . . . . . . . . . . . . . . . 54 | |||
5.2. Accounting AVP Tables . . . . . . . . . . . . . . . . . . 56 | 5.2. Accounting AVP Tables . . . . . . . . . . . . . . . . . . 57 | |||
5.2.1. Framed Access Accounting AVP Table . . . . . . . . . . 57 | 5.2.1. Framed Access Accounting AVP Table . . . . . . . . . . 58 | |||
5.2.2. Non-Framed Access Accounting AVP Table . . . . . . . . 59 | 5.2.2. Non-Framed Access Accounting AVP Table . . . . . . . . 60 | |||
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 61 | |||
7. Security Considerations . . . . . . . . . . . . . . . . . . . 60 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 61 | |||
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 61 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 62 | |||
8.1. Normative References . . . . . . . . . . . . . . . . . . . 61 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 62 | |||
8.2. Informative References . . . . . . . . . . . . . . . . . . 62 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 63 | |||
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 64 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 65 | |||
A.1. RFC 4005 . . . . . . . . . . . . . . . . . . . . . . . . . 64 | A.1. RFC 4005 . . . . . . . . . . . . . . . . . . . . . . . . . 65 | |||
A.2. RFC 4005bis . . . . . . . . . . . . . . . . . . . . . . . 65 | A.2. RFC 4005bis . . . . . . . . . . . . . . . . . . . . . . . 66 | |||
1. Introduction | 1. Introduction | |||
This document describes the Diameter protocol application used for | This document describes the Diameter protocol application used for | |||
AAA in the Network Access Server (NAS) environment. When combined | AAA in the Network Access Server (NAS) environment. When combined | |||
with the Diameter Base protocol [I-D.ietf-dime-rfc3588bis], Transport | with the Diameter Base protocol [I-D.ietf-dime-rfc3588bis], Transport | |||
Profile [RFC3539], and EAP [RFC4072] specifications, this | Profile [RFC3539], and EAP [RFC4072] specifications, this | |||
specification satisfies the NAS-related requirements defined in | specification satisfies the NAS-related requirements defined in | |||
[RFC2989] and [RFC3169]. | Aboba, et al. [RFC2989] and Beadles & Mitton [RFC3169]. | |||
First, this document describes the operation of a Diameter NAS | First, this document describes the operation of a Diameter NAS | |||
application. Then it defines the Diameter message Command-Codes. | application. Then it defines the Diameter message Command-Codes. | |||
The following sections list the AVPs used in these messages, grouped | The following sections list the AVPs used in these messages, grouped | |||
by common usage. These are session identification, authentication, | by common usage. These are session identification, authentication, | |||
authorization, tunneling, and accounting. The authorization AVPs are | authorization, tunneling, and accounting. The authorization AVPs are | |||
further broken down by service type. | further broken down by service type. | |||
1.1. Terminology | 1.1. Terminology | |||
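Review bot: The -08 change at the end of the Introduction adds author-name prefixes to two citations ("Aboba, et al. [RFC2989] and Beadles & Mitton [RFC3169]") while the citations a sentence earlier in the same paragraph ("[I-D.ietf-dime-rfc3588bis]", "[RFC3539]", "[RFC4072]") keep the bare bracket form; apply one style throughout the paragraph, or limit the author-name form to first mentions and say so in the document's conventions.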
skipping to change at page 26, line 31 | skipping to change at page 26, line 31 | |||
4.2.5. Called-Station-Id AVP | 4.2.5. Called-Station-Id AVP | |||
The Called-Station-Id AVP (AVP Code 30) is of type UTF8String and | The Called-Station-Id AVP (AVP Code 30) is of type UTF8String and | |||
allows the NAS to send the ASCII string describing the Layer 2 | allows the NAS to send the ASCII string describing the Layer 2 | |||
address the user contacted in the request. For dialup access, this | address the user contacted in the request. For dialup access, this | |||
can be a phone number obtained by using the Dialed Number | can be a phone number obtained by using the Dialed Number | |||
Identification Service (DNIS) or a similar technology. Note that | Identification Service (DNIS) or a similar technology. Note that | |||
this may be different from the phone number the call comes in on. | this may be different from the phone number the call comes in on. | |||
For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC | For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC | |||
address formatted as described in [RFC3580]. | address formatted as described in Congdon, et al. [RFC3580]. | |||
If the Called-Station-Id AVP is present in an AAR message, Auth- | If the Called-Station-Id AVP is present in an AAR message, Auth- | |||
Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is | Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is | |||
absent, the Diameter Server MAY perform authorization based on this | absent, the Diameter Server MAY perform authorization based on this | |||
AVP. This can be used by a NAS to request whether a call should be | AVP. This can be used by a NAS to request whether a call should be | |||
answered based on the DNIS result. | answered based on the DNIS result. | |||
The codification of this field's allowed usage range is outside the | The codification of this field's allowed usage range is outside the | |||
scope of this specification. | scope of this specification. | |||
4.2.6. Calling-Station-Id AVP | 4.2.6. Calling-Station-Id AVP | |||
The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and | The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and | |||
allows the NAS to send the ASCII string describing the Layer 2 | allows the NAS to send the ASCII string describing the Layer 2 | |||
address from which the user connected in the request. For dialup | address from which the user connected in the request. For dialup | |||
access, this is the phone number the call came from, using Automatic | access, this is the phone number the call came from, using Automatic | |||
Number Identification (ANI) or a similar technology. For use with | Number Identification (ANI) or a similar technology. For use with | |||
IEEE 802 access, the Calling-Station-Id AVP MAY contain a MAC | IEEE 802 access, the Calling-Station-Id AVP MAY contain a MAC | |||
address, formated as described in [RFC3580]. | address, formated as described in RFC 3580. | |||
If the Calling-Station-Id AVP is present in an AAR message, the Auth- | If the Calling-Station-Id AVP is present in an AAR message, the Auth- | |||
Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is | Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is | |||
absent, the Diameter Server MAY perform authorization based on the | absent, the Diameter Server MAY perform authorization based on the | |||
value of this AVP. This can be used by a NAS to request whether a | value of this AVP. This can be used by a NAS to request whether a | |||
call should be answered based on the Layer 2 address (ANI, MAC | call should be answered based on the Layer 2 address (ANI, MAC | |||
Address, etc.) | Address, etc.) | |||
The codification of this field's allowed usage range is outside the | The codification of this field's allowed usage range is outside the | |||
scope of this specification. | scope of this specification. | |||
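Review bot: In the Calling-Station-Id paragraph, -08 changes "formated as described in [RFC3580]" to "formated as described in RFC 3580", which drops the citation anchor so this mention no longer resolves to the reference entry, while the parallel sentence in Called-Station-Id keeps "Congdon, et al. [RFC3580]"; keep the bracketed anchor on both mentions. The typo "formated" (for "formatted") survives in both revisions and should be fixed in the same edit.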
skipping to change at page 29, line 12 | skipping to change at page 29, line 12 | |||
ARAP-Security-Data 4.3.12 | M | V | | ARAP-Security-Data 4.3.12 | M | V | | |||
-----------------------------------------|----+-----| | -----------------------------------------|----+-----| | |||
4.3.1. User-Password AVP | 4.3.1. User-Password AVP | |||
The User-Password AVP (AVP Code 2) is of type OctetString and | The User-Password AVP (AVP Code 2) is of type OctetString and | |||
contains the password of the user to be authenticated, or the user's | contains the password of the user to be authenticated, or the user's | |||
input in a multi-round authentication exchange. | input in a multi-round authentication exchange. | |||
The User-Password AVP contains a user password or one-time password | The User-Password AVP contains a user password or one-time password | |||
and therefore represents sensitive information. As required in | and therefore represents sensitive information. As required by | |||
[I-D.ietf-dime-rfc3588bis], Diameter messages are encrypted by using | Fajardo, et al. [I-D.ietf-dime-rfc3588bis], Diameter messages are | |||
IPsec [RFC4301] or TLS [RFC5246]. Unless this AVP is used for one- | encrypted by using IPsec [RFC4301] or TLS [RFC5246]. Unless this AVP | |||
time passwords, the User-Password AVP SHOULD NOT be used in untrusted | is used for one-time passwords, the User-Password AVP SHOULD NOT be | |||
proxy environments without encrypting it by using end-to-end security | used in untrusted proxy environments without encrypting it by using | |||
techniques. | end-to-end security techniques. | |||
The clear-text password (prior to encryption) MUST NOT be longer than | The clear-text password (prior to encryption) MUST NOT be longer than | |||
128 bytes in length. | 128 bytes in length. | |||
4.3.2. Password-Retry AVP | 4.3.2. Password-Retry AVP | |||
The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be | The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be | |||
included in the AA-Answer if the Result-Code indicates an | included in the AA-Answer if the Result-Code indicates an | |||
authentication failure. The value of this AVP indicates how many | authentication failure. The value of this AVP indicates how many | |||
authentication attempts a user is permitted before being | authentication attempts a user is permitted before being | |||
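Review bot: The rewrapped User-Password paragraph keeps the normative "SHOULD NOT be used in untrusted proxy environments without encrypting it by using end-to-end security techniques" but still cites nothing for those techniques, even though the preceding sentence implies that the IPsec [RFC4301] / TLS [RFC5246] protection it does cite is not sufficient against untrusted proxies; either reference the end-to-end mechanism the requirement relies on or state explicitly that none is defined by this specification, so implementers know what satisfies the SHOULD NOT.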
skipping to change at page 30, line 46 | skipping to change at page 30, line 46 | |||
The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and | The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and | |||
contains the CHAP Challenge sent by the NAS to the CHAP peer | contains the CHAP Challenge sent by the NAS to the CHAP peer | |||
[RFC1994]. | [RFC1994]. | |||
4.3.9. ARAP-Password AVP | 4.3.9. ARAP-Password AVP | |||
The ARAP-Password AVP (AVP Code 70) is of type OctetString and is | The ARAP-Password AVP (AVP Code 70) is of type OctetString and is | |||
only present when the Framed-Protocol AVP (Section 4.4.10.1) is | only present when the Framed-Protocol AVP (Section 4.4.10.1) is | |||
included in the message and is set to ARAP. This AVP MUST NOT be | included in the message and is set to ARAP. This AVP MUST NOT be | |||
present if either the User-Password or the CHAP-Auth AVP is present. | present if either the User-Password or the CHAP-Auth AVP is present. | |||
See [RFC2869] for more information on the contents of this AVP. | See Rigney, et al. [RFC2869] for more information on the contents of | |||
this AVP. | ||||
4.3.10. ARAP-Challenge-Response AVP | 4.3.10. ARAP-Challenge-Response AVP | |||
The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString | The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString | |||
and is only present when the Framed-Protocol AVP (Section 4.4.10.1) | and is only present when the Framed-Protocol AVP (Section 4.4.10.1) | |||
is included in the message and is set to ARAP. This AVP contains an | is included in the message and is set to ARAP. This AVP contains an | |||
8 octet response to the dial-in client's challenge. The Diameter | 8 octet response to the dial-in client's challenge. The Diameter | |||
server calculates this value by taking the dial-in client's challenge | server calculates this value by taking the dial-in client's challenge | |||
from the high-order 8 octets of the ARAP-Password AVP and performing | from the high-order 8 octets of the ARAP-Password AVP and performing | |||
DES encryption on this value with the authenticating user's password | DES encryption on this value with the authenticating user's password | |||
as the key. If the user's password is fewer than 8 octets in length, | as the key. If the user's password is fewer than 8 octets in length, | |||
the password is padded at the end with NULL octets to a length of 8 | the password is padded at the end with NULL octets to a length of 8 | |||
before it is used as a key. | before it is used as a key. | |||
4.3.11. ARAP-Security AVP | 4.3.11. ARAP-Security AVP | |||
The ARAP-Security AVP (AVP Code 73) is of type Unsigned32 and MAY be | The ARAP-Security AVP (AVP Code 73) is of type Unsigned32 and MAY be | |||
present in the AA-Answer message if the Framed-Protocol AVP | present in the AA-Answer message if the Framed-Protocol AVP | |||
(Section 4.4.10.1) is set to the value of ARAP, and the Result-Code | (Section 4.4.10.1) is set to the value of ARAP, and the Result-Code | |||
AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to | AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to | |||
DIAMETER_MULTI_ROUND_AUTH. See [RFC2869] for more information on the | DIAMETER_MULTI_ROUND_AUTH. See RFC 2869 for more information on the | |||
contents of this AVP. | contents of this AVP. | |||
4.3.12. ARAP-Security-Data AVP | 4.3.12. ARAP-Security-Data AVP | |||
The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString and | The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString and | |||
MAY be present in the AA-Request or AA-Answer message if the Framed- | MAY be present in the AA-Request or AA-Answer message if the Framed- | |||
Protocol AVP (Section 4.4.10.1) is set to the value of ARAP and the | Protocol AVP (Section 4.4.10.1) is set to the value of ARAP and the | |||
Result-Code AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to | Result-Code AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to | |||
DIAMETER_MULTI_ROUND_AUTH. This AVP contains the security module | DIAMETER_MULTI_ROUND_AUTH. This AVP contains the security module | |||
challenge or response associated with the ARAP Security Module | challenge or response associated with the ARAP Security Module | |||
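Review bot: Section 4.3.10, unchanged in -08, specifies the ARAP-Challenge-Response as DES encryption of the client's 8-octet challenge keyed directly by the user's password, NULL-padded to 8 octets, but gives no pointer to the Security Considerations (Section 7 in the table of contents) for the strength of this construction; a one-line cross-reference there would help implementers weigh the ARAP option against the other authentication AVPs in Section 4.3. The same section also mixes "Rigney, et al. [RFC2869]" (ARAP-Password) with the bare "RFC 2869" introduced in ARAP-Security, so the citation style should be unified here as well.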
skipping to change at page 35, line 29 | skipping to change at page 35, line 29 | |||
The format of the Data field of this AVP is site specific. | The format of the Data field of this AVP is site specific. | |||
4.4.9. QoS-Filter-Rule AVP | 4.4.9. QoS-Filter-Rule AVP | |||
The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule | The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule | |||
(Section 4.1.1) and provides QoS filter rules that need to be | (Section 4.1.1) and provides QoS filter rules that need to be | |||
configured on the NAS for the user. One or more such AVPs MAY be | configured on the NAS for the user. One or more such AVPs MAY be | |||
present in an authorization response. | present in an authorization response. | |||
The use of this AVP is NOT RECOMMENDED; the AVPs defined by Korhonen, | The use of this AVP is NOT RECOMMENDED; the AVPs defined by Korhonen, | |||
et al. [RFC5777] SHOULD be used instead. | et al. [RFC5777] SHOULD be used instead. | |||
DSCP <color> If action is set to tag (Section 4.1.1) this option | DSCP <color> If action is set to tag (Section 4.1.1) this option | |||
MUST be included in the rule. | MUST be included in the rule. | |||
Color values are defined in [RFC2474]. Exact matching of DSCP | Color values are defined in Nichols, et al. [RFC2474]. Exact | |||
values is required (no masks or ranges). | matching of DSCP values is required (no masks or ranges). | |||
metering <rate> <color_under> <color_over> The metering option | metering <rate> <color_under> <color_over> The metering option | |||
provides Assured Forwarding, as defined in [RFC2597]. and MUST | provides Assured Forwarding, as defined in Heinanen, et al. | |||
be present if the action is set to meter (Section 4.1.1) The | [RFC2597]. and MUST be present if the action is set to meter | |||
rate option is the throughput, in bits per second, used by the | (Section 4.1.1) The rate option is the throughput, in bits per | |||
access device to mark packets. Traffic over the rate is marked | second, used by the access device to mark packets. Traffic | |||
with the color_over codepoint, and traffic under the rate is | over the rate is marked with the color_over codepoint, and | |||
marked with the color_under codepoint. The color_under and | traffic under the rate is marked with the color_under | |||
color_over options contain the drop preferences and MUST | codepoint. The color_under and color_over options contain the | |||
conform to the recommended codepoint keywords described in | drop preferences and MUST conform to the recommended codepoint | |||
[RFC2597] (e.g., AF13). | keywords described in RFC 2597 (e.g., AF13). | |||
The metering option also supports the strict limit on traffic | The metering option also supports the strict limit on traffic | |||
required by Expedited Forwarding, as defined in [RFC3246]. The | required by Expedited Forwarding, as defined in Davie, et | |||
color_over option may contain the keyword "drop" to prevent | al. [RFC3246]. The color_over option may contain the keyword | |||
forwarding of traffic that exceeds the rate parameter. | "drop" to prevent forwarding of traffic that exceeds the rate | |||
parameter. | ||||
4.4.10. Framed Access Authorization AVPs | 4.4.10. Framed Access Authorization AVPs | |||
This section lists the authorization AVPs necessary to support framed | This section lists the authorization AVPs necessary to support framed | |||
access, such as PPP and SLIP. AVPs defined in this section MAY be | access, such as PPP and SLIP. AVPs defined in this section MAY be | |||
present in a message if the Service-Type AVP was set to "Framed" or | present in a message if the Service-Type AVP was set to "Framed" or | |||
"Callback Framed". | "Callback Framed". | |||
4.4.10.1. Framed-Protocol AVP | 4.4.10.1. Framed-Protocol AVP | |||
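Review bot: Two punctuation defects in the metering option text are carried unchanged into -08: "as defined in Heinanen, et al. [RFC2597]. and MUST be present" has a stray full stop before "and", and "set to meter (Section 4.1.1) The rate option" is missing the full stop after the section reference; suggest "as defined in Heinanen, et al. [RFC2597], and MUST be present if the action is set to meter (Section 4.1.1). The rate option is the throughput, ...".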
skipping to change at page 40, line 37 | skipping to change at page 40, line 43 | |||
The codification of this field's allowed range is outside the scope | The codification of this field's allowed range is outside the scope | |||
of this specification. | of this specification. | |||
4.4.10.8. AppleTalk Remote Access AVPs | 4.4.10.8. AppleTalk Remote Access AVPs | |||
The AVPs defined in this section are used when the user requests, or | The AVPs defined in this section are used when the user requests, or | |||
is being granted, access to the AppleTalk network via the AppleTalk | is being granted, access to the AppleTalk network via the AppleTalk | |||
Remote Access Protocol [ARAP]. They are only present if the Framed- | Remote Access Protocol [ARAP]. They are only present if the Framed- | |||
Protocol AVP (Section 4.4.10.1) is set to ARAP. Section 2.2 of RFC | Protocol AVP (Section 4.4.10.1) is set to ARAP. Section 2.2 of RFC | |||
2869 [RFC2869] describes the operational use of these attributes. | 2869 describes the operational use of these attributes. | |||
4.4.10.8.1. ARAP-Features AVP | 4.4.10.8.1. ARAP-Features AVP | |||
The ARAP-Features AVP (AVP Code 71) is of type OctetString and MAY be | The ARAP-Features AVP (AVP Code 71) is of type OctetString and MAY be | |||
present in the AA-Accept message if the Framed-Protocol AVP is set to | present in the AA-Accept message if the Framed-Protocol AVP is set to | |||
the value of ARAP. See [RFC2869] for more information about the | the value of ARAP. See RFC 2869 for more information about the | |||
format of this AVP. | format of this AVP. | |||
4.4.10.8.2. ARAP-Zone-Access AVP | 4.4.10.8.2. ARAP-Zone-Access AVP | |||
The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated and MAY | The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated and MAY | |||
be present in the AA-Accept message if the Framed-Protocol AVP is set | be present in the AA-Accept message if the Framed-Protocol AVP is set | |||
to the value of ARAP. | to the value of ARAP. | |||
The supported values are listed in [RADIUSTypes] and defined in | The supported values are listed in [RADIUSTypes] and defined in RFC | |||
[RFC2869]. | 2869. | |||
4.4.11. Non-Framed Access Authorization AVPs | 4.4.11. Non-Framed Access Authorization AVPs | |||
This section contains the authorization AVPs that are needed to | This section contains the authorization AVPs that are needed to | |||
support terminal server functionality. AVPs defined in this section | support terminal server functionality. AVPs defined in this section | |||
MAY be present in a message if the Service-Type AVP was set to | MAY be present in a message if the Service-Type AVP was set to | |||
"Login" or "Callback Login". | "Login" or "Callback Login". | |||
4.4.11.1. Login-IP-Host AVP | 4.4.11.1. Login-IP-Host AVP | |||
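Review bot: replacing the [RFC2869] citation anchors with bare "RFC 2869" in 4.4.10.8, 4.4.10.8.1 and 4.4.10.8.2 leaves three places where the reader is sent to RFC 2869 for the attribute semantics, the ARAP-Features format and the ARAP-Zone-Access value definitions without a link to a reference entry. This needs to match what the references section does with RFC 2869: if the entry is retained it becomes uncited from this text, and if it is being dropped, the format and value definitions of two AVPs would rest on an unlisted document. Suggest keeping "[RFC2869]" at these three points, or stating in the change log why the reference is being downgraded to an informal mention.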
skipping to change at page 41, line 49 | skipping to change at page 42, line 10 | |||
0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0. The value | 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0. The value | |||
0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD | 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD | |||
allow the user to select an address. The value 0 indicates that the | allow the user to select an address. The value 0 indicates that the | |||
NAS SHOULD select a host to connect the user to. | NAS SHOULD select a host to connect the user to. | |||
4.4.11.3. Login-Service AVP | 4.4.11.3. Login-Service AVP | |||
The Login-Service AVP (AVP Code 15) is of type Enumerated and | The Login-Service AVP (AVP Code 15) is of type Enumerated and | |||
contains the service that should be used to connect the user to the | contains the service that should be used to connect the user to the | |||
login host. This AVP SHOULD only be present in authorization | login host. This AVP SHOULD only be present in authorization | |||
responses. The supported values are listed in [RFC2869]. | responses. The supported values are listed in RFC 2869. | |||
4.4.11.4. TCP Services | 4.4.11.4. TCP Services | |||
The AVP described in the following section MAY be present if the | The AVP described in the following section MAY be present if the | |||
Login-Service AVP is set to Telnet, Rlogin, TCP Clear, or TCP Clear | Login-Service AVP is set to Telnet, Rlogin, TCP Clear, or TCP Clear | |||
Quiet. | Quiet. | |||
4.4.11.4.1. Login-TCP-Port AVP | 4.4.11.4.1. Login-TCP-Port AVP | |||
The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and | The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and | |||
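Review bot: the same citation change in 4.4.11.3 ("The supported values are listed in RFC 2869.") now names the document that defines the Login-Service enumeration without a reference anchor, and the enumerated names that 4.4.11.4 relies on (Telnet, Rlogin, TCP Clear, TCP Clear Quiet) are defined only there. Treat this occurrence the same way as the three in 4.4.10.8, preferably by keeping "[RFC2869]".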
skipping to change at page 44, line 21 | skipping to change at page 44, line 30 | |||
All LAT string comparisons are case insensitive. | All LAT string comparisons are case insensitive. | |||
4.5. NAS Tunneling AVPs | 4.5. NAS Tunneling AVPs | |||
Some NASes support compulsory tunnel services in which the incoming | Some NASes support compulsory tunnel services in which the incoming | |||
connection data is conveyed by an encapsulation method to a gateway | connection data is conveyed by an encapsulation method to a gateway | |||
elsewhere in the network. This is typically transparent to the | elsewhere in the network. This is typically transparent to the | |||
service user, and the tunnel characteristics may be described by the | service user, and the tunnel characteristics may be described by the | |||
remote AAA server, based on the user's authorization information. | remote AAA server, based on the user's authorization information. | |||
Several tunnel characteristics may be returned, and the NAS | Several tunnel characteristics may be returned, and the NAS | |||
implementation may choose one. See [RFC2868] and [RFC2867] for | implementation may choose one. See Zorn, et al. [RFC2868] and Zorn, | |||
further information. | Aboba & Mitton [RFC2867] for further information. | |||
The following table gives the possible flag values for the session | The following table gives the possible flag values for the session | |||
level AVPs and specifies whether the AVP MAY be encrypted. | level AVPs and specifies whether the AVP MAY be encrypted. | |||
+----------+ | +----------+ | |||
| AVP Flag | | | AVP Flag | | |||
| rules | | | rules | | |||
|----+-----| | |----+-----| | |||
|MUST| MUST| | |MUST| MUST| | |||
Attribute Name Section Defined | | NOT | | Attribute Name Section Defined | | NOT | | |||
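Review bot: the new citation form in 4.5, "See Zorn, et al. [RFC2868] and Zorn, Aboba & Mitton [RFC2867] for further information.", mixes two author styles in one sentence (one reference abbreviated with "et al.", the other listing all authors) and departs from the rest of the section, which cites by bare anchor (e.g., [ARAP] and [RADIUSTypes] in 4.4.10.8). Suggest reverting to the -07 wording, "See [RFC2868] and [RFC2867] for further information.", or at least using one author form for both.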
skipping to change at page 61, line 24 | skipping to change at page 62, line 24 | |||
8.1. Normative References | 8.1. Normative References | |||
[ANITypes] NANPA Number Resource Info, "ANI | [ANITypes] NANPA Number Resource Info, "ANI | |||
Assignments", <http://www.nanpa.com/ | Assignments", <http://www.nanpa.com/ | |||
number_resource_info/ | number_resource_info/ | |||
ani_ii_assignments.html>. | ani_ii_assignments.html>. | |||
[I-D.ietf-dime-rfc3588bis] Fajardo, V., Arkko, J., Loughney, J., and | [I-D.ietf-dime-rfc3588bis] Fajardo, V., Arkko, J., Loughney, J., and | |||
G. Zorn, "Diameter Base Protocol", | G. Zorn, "Diameter Base Protocol", | |||
draft-ietf-dime-rfc3588bis-29 (work in | draft-ietf-dime-rfc3588bis-32 (work in | |||
progress), August 2011. | progress), April 2012. | |||
[RADIUSTypes] IANA, "RADIUS Types", <http:// | [RADIUSTypes] IANA, "RADIUS Types", <http:// | |||
www.iana.org/assignments/radius-types>. | www.iana.org/assignments/radius-types>. | |||
[RFC1994] Simpson, W., "PPP Challenge Handshake | [RFC1994] Simpson, W., "PPP Challenge Handshake | |||
Authentication Protocol (CHAP)", | Authentication Protocol (CHAP)", | |||
RFC 1994, August 1996. | RFC 1994, August 1996. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs | [RFC2119] Bradner, S., "Key words for use in RFCs | |||
to Indicate Requirement Levels", BCP 14, | to Indicate Requirement Levels", BCP 14, | |||
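Review bot: the normative reference to the Diameter base protocol moves from draft-ietf-dime-rfc3588bis-29 (August 2011) to -32 (April 2012) with no accompanying body changes visible in this excerpt; since this is a normative dependency on a work in progress, confirm that nothing in the text relies on behaviour that changed between -29 and -32, and note that the entry will need a final update (to the RFC number) before publication.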
End of changes. 32 change blocks. | ||||
66 lines changed or deleted | 68 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |