draft-ietf-dime-rfc4005bis-13.txt vs. draft-ietf-dime-rfc4005bis-14.txt

Network Working Group                                         G. Zorn, Ed.
Internet-Draft                                                 Network Zen
Obsoletes: 4005 (if approved)       May 13, 2013 (-13) / November 28, 2013 (-14)
Intended status: Standards Track
Expires: November 14, 2013 (-13) / June 1, 2014 (-14)

                 Diameter Network Access Server Application
          draft-ietf-dime-rfc4005bis-13 / draft-ietf-dime-rfc4005bis-14
Abstract

   This document describes the Diameter protocol application used for
   Authentication, Authorization, and Accounting (AAA) services in the
   Network Access Server (NAS) environment; it obsoletes RFC 4005.  When
   combined with the Diameter Base protocol, Transport Profile, and
   Extensible Authentication Protocol specifications, this application
   specification satisfies typical network access services requirements.
skipping to change at page 1, line 36
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."
   This Internet-Draft will expire on November 14, 2013 (-13) / June 1, 2014 (-14).
Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents (as in -14; -13 has no Section 6, Unicode Considerations,
and numbers IANA Considerations, Security Considerations and References
as Sections 6, 7 and 8)

   1.  Introduction
     1.1.  Changes from RFC 4005
     1.2.  Terminology
     1.3.  Requirements Language
     1.4.  Advertising Application Support
     1.5.  Application Identification
     1.6.  Accounting Model
   2.  NAS Calls, Ports, and Sessions
     2.1.  Diameter Session Establishment
     2.2.  Diameter Session Reauthentication or Reauthorization
     2.3.  Diameter Session Termination
   3.  Diameter NAS Application Messages
     3.1.  AA-Request (AAR) Command
     3.2.  AA-Answer (AAA) Command
     3.3.  Re-Auth-Request (RAR) Command
     3.4.  Re-Auth-Answer (RAA) Command
     3.5.  Session-Termination-Request (STR) Command
     3.6.  Session-Termination-Answer (STA) Command
     3.7.  Abort-Session-Request (ASR) Command
     3.8.  Abort-Session-Answer (ASA) Command
     3.9.  Accounting-Request (ACR) Command
     3.10. Accounting-Answer (ACA) Command
   4.  Diameter NAS Application AVPs
     4.1.  Derived AVP Data Formats
       4.1.1.  QoSFilterRule
     4.2.  NAS Session AVPs
       4.2.1.  Call and Session Information
       4.2.2.  NAS-Port AVP
       4.2.3.  NAS-Port-Id AVP
       4.2.4.  NAS-Port-Type AVP
       4.2.5.  Called-Station-Id AVP
       4.2.6.  Calling-Station-Id AVP
       4.2.7.  Connect-Info AVP
       4.2.8.  Originating-Line-Info AVP
       4.2.9.  Reply-Message AVP
     4.3.  NAS Authentication AVPs
       4.3.1.  User-Password AVP
       4.3.2.  Password-Retry AVP
       4.3.3.  Prompt AVP
       4.3.4.  CHAP-Auth AVP
       4.3.5.  CHAP-Algorithm AVP
       4.3.6.  CHAP-Ident AVP
       4.3.7.  CHAP-Response AVP
       4.3.8.  CHAP-Challenge AVP
       4.3.9.  ARAP-Password AVP
       4.3.10. ARAP-Challenge-Response AVP
       4.3.11. ARAP-Security AVP
       4.3.12. ARAP-Security-Data AVP
     4.4.  NAS Authorization AVPs
       4.4.1.  Service-Type AVP
       4.4.2.  Callback-Number AVP
       4.4.3.  Callback-Id AVP
       4.4.4.  Idle-Timeout AVP
       4.4.5.  Port-Limit AVP
       4.4.6.  NAS-Filter-Rule AVP
       4.4.7.  Filter-Id AVP
       4.4.8.  Configuration-Token AVP
       4.4.9.  QoS-Filter-Rule AVP
       4.4.10. Framed Access Authorization AVPs
         4.4.10.1.  Framed-Protocol AVP
         4.4.10.2.  Framed-Routing AVP
         4.4.10.3.  Framed-MTU AVP
         4.4.10.4.  Framed-Compression AVP
         4.4.10.5.  IP Access Authorization AVPs
           4.4.10.5.1.  Framed-IP-Address AVP
           4.4.10.5.2.  Framed-IP-Netmask AVP
           4.4.10.5.3.  Framed-Route AVP
           4.4.10.5.4.  Framed-Pool AVP
           4.4.10.5.5.  Framed-Interface-Id AVP
           4.4.10.5.6.  Framed-IPv6-Prefix AVP
           4.4.10.5.7.  Framed-IPv6-Route AVP
           4.4.10.5.8.  Framed-IPv6-Pool AVP
         4.4.10.6.  IPX Access AVPs
           4.4.10.6.1.  Framed-IPX-Network AVP
         4.4.10.7.  AppleTalk Network Access AVPs
           4.4.10.7.1.  Framed-AppleTalk-Link AVP
           4.4.10.7.2.  Framed-AppleTalk-Network AVP
           4.4.10.7.3.  Framed-AppleTalk-Zone AVP
         4.4.10.8.  AppleTalk Remote Access AVPs
           4.4.10.8.1.  ARAP-Features AVP
           4.4.10.8.2.  ARAP-Zone-Access AVP
       4.4.11. Non-Framed Access Authorization AVPs
         4.4.11.1.  Login-IP-Host AVP
         4.4.11.2.  Login-IPv6-Host AVP
         4.4.11.3.  Login-Service AVP
         4.4.11.4.  TCP Services
           4.4.11.4.1.  Login-TCP-Port AVP
         4.4.11.5.  LAT Services
           4.4.11.5.1.  Login-LAT-Service AVP
           4.4.11.5.2.  Login-LAT-Node AVP
           4.4.11.5.3.  Login-LAT-Group AVP
           4.4.11.5.4.  Login-LAT-Port AVP
     4.5.  NAS Tunneling AVPs
       4.5.1.  Tunneling AVP
       4.5.2.  Tunnel-Type AVP
       4.5.3.  Tunnel-Medium-Type AVP
       4.5.4.  Tunnel-Client-Endpoint AVP
       4.5.5.  Tunnel-Server-Endpoint AVP
       4.5.6.  Tunnel-Password AVP
       4.5.7.  Tunnel-Private-Group-Id AVP
       4.5.8.  Tunnel-Assignment-Id AVP
       4.5.9.  Tunnel-Preference AVP
       4.5.10. Tunnel-Client-Auth-Id AVP
       4.5.11. Tunnel-Server-Auth-Id AVP
     4.6.  NAS Accounting AVPs
       4.6.1.  Accounting-Input-Octets AVP
       4.6.2.  Accounting-Output-Octets AVP
       4.6.3.  Accounting-Input-Packets AVP
       4.6.4.  Accounting-Output-Packets AVP
       4.6.5.  Acct-Session-Time AVP
       4.6.6.  Acct-Authentic AVP
       4.6.7.  Accounting-Auth-Method AVP
       4.6.8.  Acct-Delay-Time AVP
       4.6.9.  Acct-Link-Count AVP
       4.6.10. Acct-Tunnel-Connection AVP
       4.6.11. Acct-Tunnel-Packets-Lost AVP
   5.  AVP Occurrence Tables
     5.1.  AA-Request/Answer AVP Table
     5.2.  Accounting AVP Tables
       5.2.1.  Framed Access Accounting AVP Table
       5.2.2.  Non-Framed Access Accounting AVP Table
   6.  Unicode Considerations
   7.  IANA Considerations
   8.  Security Considerations
     8.1.  Authentication Considerations
     8.2.  AVP Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Acknowledgements
     A.1.  This Document
     A.2.  RFC 4005
1.  Introduction

   This document describes the Diameter protocol application used for
   AAA in the Network Access Server (NAS) environment.  When combined
   with the Diameter Base protocol [RFC6733], Transport Profile
   [RFC3539], and EAP [RFC4072] specifications, this specification
   satisfies the NAS-related requirements defined in Aboba, et
   al. [RFC2989] and Beadles & Mitton [RFC3169].
skipping to change at page 9, line 11 (-13) / page 9, line 16 (-14)

   message [RFC6733].  An Accounting-Record-Type of START_RECORD is sent
   for a new session.  If a session fails to start, the EVENT_RECORD
   message is sent with the reason for the failure described.

   Note that the return of an unsupportable Accounting-Realtime-Required
   value [RFC6733] would result in a failure to establish the session.
2.2.  Diameter Session Reauthentication or Reauthorization

   The Diameter Base protocol allows users to be periodically
   reauthenticated and/or reauthorized.  In such instances, the Session-
   Id AVP in the AAR message MUST be the same as the one present in the
   original authentication/authorization message.

   A Diameter server informs the NAS of the maximum time allowed before
   reauthentication or reauthorization via the Authorization-Lifetime
   AVP [RFC6733].  A NAS MAY reauthenticate and/or reauthorize before
   the end, but a NAS MUST reauthenticate and/or reauthorize at the end
   of the period provided by the Authorization-Lifetime AVP.  The
   failure of a reauthentication exchange will terminate the service.

   Furthermore, it is possible for Diameter servers to issue an
   unsolicited reauthentication and/or reauthorization request (e.g.,
skipping to change at page 10, line 30 (-13) / page 10, line 34 (-14)

   More information on Diameter Session Termination can be found in
   Sections 8.4 and 8.5 of [RFC6733].

3.  Diameter NAS Application Messages

   This section defines the Diameter message Command-Code [RFC6733]
   values that MUST be supported by all Diameter implementations
   conforming to this specification.  The Command Codes are as follows:
   +-----------------------------+---------+------+--------------+
   | Command Name                | Abbrev. | Code | Reference    |
   +-----------------------------+---------+------+--------------+
   | AA-Request                  | AAR     | 265  | Section 3.1  |
   | AA-Answer                   | AAA     | 265  | Section 3.2  |
   | Re-Auth-Request             | RAR     | 258  | Section 3.3  |
   | Re-Auth-Answer              | RAA     | 258  | Section 3.4  |
   | Session-Termination-Request | STR     | 275  | Section 3.5  |
   | Session-Termination-Answer  | STA     | 275  | Section 3.6  |
   | Abort-Session-Request       | ASR     | 274  | Section 3.7  |
   | Abort-Session-Answer        | ASA     | 274  | Section 3.8  |
   | Accounting-Request          | ACR     | 271  | Section 3.9  |
   | Accounting-Answer           | ACA     | 271  | Section 3.10 |
   +-----------------------------+---------+------+--------------+
   Note that the message formats in the following sub-sections use the
   standard Diameter Command Code Format ([RFC6733], Section 3.2).

3.1.  AA-Request (AAR) Command

   The AA-Request (AAR), which is indicated by setting the Command-Code
   field to 265 and the 'R' bit in the Command Flags field, is used to
   request authentication and/or authorization for a given NAS user.
   The type of request is identified through the Auth-Request-Type AVP
   [RFC6733].  The recommended value for most situations is
   AUTHORIZE_AUTHENTICATE.

   If Authentication is requested, the User-Name attribute SHOULD be
   present, as well as any additional authentication AVPs that would
   carry the password information.  A request for authorization SHOULD
   only include the information from which the authorization will be
   performed, such as the User-Name, Called-Station-Id, or Calling-
   Station-Id AVPs.  All requests SHOULD contain AVPs uniquely
skipping to change at page 12, line 36 (-13) / page 12, line 41 (-14)

                            * [ Login-IPv6-Host ]
                              [ Login-LAT-Group ]
                              [ Login-LAT-Node ]
                              [ Login-LAT-Port ]
                              [ Login-LAT-Service ]
                            * [ Tunneling ]
                            * [ Proxy-Info ]
                            * [ Route-Record ]
                            * [ AVP ]

                                 Figure 1
3.2.  AA-Answer (AAA) Command

   The AA-Answer (AAA) message is indicated by setting the Command-Code
   field to 265 and clearing the 'R' bit in the Command Flags field.  It
   is sent in response to the AA-Request (AAR) message.  If
   authorization was requested, a successful response will include the
   authorization AVPs appropriate for the service being provided, as
   defined in Section 4.4.

   For authentication exchanges requiring more than a single round trip,
skipping to change at page 14, line 34 (-13) / page 14, line 42 (-14)

                              [ Login-TCP-Port ]
                            * [ NAS-Filter-Rule ]
                            * [ QoS-Filter-Rule ]
                            * [ Tunneling ]
                            * [ Redirect-Host ]
                              [ Redirect-Host-Usage ]
                              [ Redirect-Max-Cache-Time ]
                            * [ Proxy-Info ]
                            * [ AVP ]

                                 Figure 2
3.3.  Re-Auth-Request (RAR) Command

   A Diameter server can initiate re-authentication and/or re-
   authorization for a particular session by issuing a Re-Auth-Request
   (RAR) message [RFC6733].

   For example, for pre-paid services, the Diameter server that
   originally authorized a session may need some confirmation that the
   user is still using the services.
skipping to change at page 15, line 40 (-13) / page 15, line 45 (-14)

                              [ Originating-Line-Info ]
                              [ Acct-Session-Id ]
                              [ Acct-Multi-Session-Id ]
                              [ State ]
                            * [ Class ]
                              [ Reply-Message ]
                            * [ Proxy-Info ]
                            * [ Route-Record ]
                            * [ AVP ]

                                 Figure 3
3.4.  Re-Auth-Answer (RAA) Command

   The Re-Auth-Answer (RAA) message [RFC6733] is sent in response to the
   RAR.  The Result-Code AVP MUST be present and indicates the
   disposition of the request.

   A successful RAA transaction MUST be followed by an AAR message.

   Message Format
skipping to change at page 16, line 34 (-13) / page 16, line 36 (-14)

                              [ Authorization-Lifetime ]
                              [ Auth-Grace-Period ]
                              [ Re-Auth-Request-Type ]
                              [ State ]
                            * [ Class ]
                            * [ Reply-Message ]
                              [ Prompt ]
                            * [ Proxy-Info ]
                            * [ AVP ]

                                 Figure 4
3.5.  Session-Termination-Request (STR) Command

   The Session-Termination-Request (STR) message [RFC6733] is sent by
   the NAS to inform the Diameter Server that an authenticated and/or
   authorized session is being terminated.

   Message Format

      <ST-Request> ::= < Diameter Header: 275, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Application-Id }
                       { Termination-Cause }
                       [ User-Name ]
                       [ Destination-Host ]
                     * [ Class ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

                                 Figure 5
3.6. Session-Termination-Answer (STA) Command

The Session-Termination-Answer (STA) message [RFC6733] is sent by the
Diameter Server to acknowledge the notification that the session has
been terminated. The Result-Code AVP MUST be present and MAY contain
an indication that an error occurred while the STR was being
serviced.

Upon sending the STA, the Diameter Server MUST release all resources
for the session indicated by the Session-Id AVP. Any intermediate

[...]

                    [ Error-Reporting-Host ]
                  * [ Failed-AVP ]
                    [ Origin-AAA-Protocol ]
                    [ Origin-State-Id ]
                  * [ Redirect-Host ]
                    [ Redirect-Host-Usage ]
                    [ Redirect-Max-Cache-Time ]
                  * [ Proxy-Info ]
                  * [ AVP ]

                                Figure 6

3.7. Abort-Session-Request (ASR) Command
The Abort-Session-Request (ASR) message [RFC6733] can be sent by any
Diameter server to the NAS providing session service to request that
the session identified by the Session-Id be stopped.

Message Format

   <AS-Request> ::= < Diameter Header: 274, REQ, PXY >
                    < Session-Id >
                    { Origin-Host }
                    { Origin-Realm }

[...]

                    [ Originating-Line-Info ]
                    [ Acct-Session-Id ]
                    [ Acct-Multi-Session-Id ]
                    [ State ]
                  * [ Class ]
                  * [ Reply-Message ]
                  * [ Proxy-Info ]
                  * [ Route-Record ]
                  * [ AVP ]

                                Figure 7
3.8. Abort-Session-Answer (ASA) Command

The ASA message [RFC6733] is sent in response to the ASR. The
Result-Code AVP MUST be present and indicates the disposition of the
request.

If the session identified by Session-Id in the ASR was successfully
terminated, Result-Code is set to DIAMETER_SUCCESS. If the session
is not currently active, the Result-Code AVP is set to
DIAMETER_UNKNOWN_SESSION_ID. If the access device does not stop the

[...]

                    [ State ]
                    [ Error-Message ]
                    [ Error-Reporting-Host ]
                  * [ Failed-AVP ]
                  * [ Redirect-Host ]
                    [ Redirect-Host-Usage ]
                    [ Redirect-Max-Cache-Time ]
                  * [ Proxy-Info ]
                  * [ AVP ]

                                Figure 8
3.9. Accounting-Request (ACR) Command

The ACR message [RFC6733] is sent by the NAS to report its session
information to a target server downstream.

The Acct-Application-Id AVP MUST be present.

The AVPs listed in the Base protocol specification [RFC6733] MUST be
assumed to be present, as appropriate. NAS service-specific
accounting AVPs SHOULD be present as described in Section 4.6 and the

[...]

                    [ Login-LAT-Node ]
                    [ Login-LAT-Port ]
                    [ Login-LAT-Service ]
                    [ Login-Service ]
                    [ Login-TCP-Port ]
                  * [ Tunneling ]
                  * [ Proxy-Info ]
                  * [ Route-Record ]
                  * [ AVP ]

                                Figure 9

3.10. Accounting-Answer (ACA) Command

The ACA message [RFC6733] is used to acknowledge an Accounting-
Request command. The Accounting-Answer command contains the same
Session-Id as the Request.

Only the target Diameter Server or home Diameter Server SHOULD
respond with the Accounting-Answer command.

The Acct-Application-Id AVP MUST be present.

[...]

                    [ NAS-Port-Id ]
                    [ NAS-Port-Type ]
                    [ Service-Type ]
                    [ Termination-Cause ]
                    [ Accounting-Realtime-Required ]
                    [ Acct-Interim-Interval ]
                  * [ Class ]
                  * [ Proxy-Info ]
                  * [ AVP ]

                                Figure 10
4. Diameter NAS Application AVPs

The following sections define a new derived AVP data format, a set of
application-specific AVPs and describe the use of AVPs defined in
other documents by the Diameter NAS Application.

4.1. Derived AVP Data Formats

4.1.1. QoSFilterRule

[...]

Rules for the appropriate direction are evaluated in order; the first
matched rule terminates the evaluation. Each packet is evaluated
once. If no rule matches, the packet is treated as best effort. An
access device unable to interpret or apply a QoS rule SHOULD NOT
terminate the session.

QoSFilterRule filters MUST follow the following format:

   action dir proto from src to dst [options]

where

   action
      tag    Mark packet with a specific DSCP [RFC2474]
      meter  Meter traffic

   dir          The format is as described under IPFilterRule
                [RFC6733]

   proto        The format is as described under IPFilterRule
                [RFC6733]

   src and dst  The format is as described under IPFilterRule
                [RFC6733]

[...]
   Session-Id
   Auth-Application-Id
   Origin-Host
   Origin-Realm
   Auth-Request-Type
   Termination-Cause

The following table gives the possible flag values for the session
level AVPs.

                                                  +-----------+
                                                  | AVP Flag  |
                                                  |   Rules   |
                                                  |-----+-----+
                                                  |MUST | MUST|
   Attribute Name              Section Defined    |     |  NOT|
   -----------------------------------------------|-----+-----|
   NAS-Port                    4.2.2              | M   |  V  |
   NAS-Port-Id                 4.2.3              | M   |  V  |
   NAS-Port-Type               4.2.4              | M   |  V  |
   Called-Station-Id           4.2.5              | M   |  V  |
   Calling-Station-Id          4.2.6              | M   |  V  |
   Connect-Info                4.2.7              | M   |  V  |
   Originating-Line-Info       4.2.8              | M   |  V  |
   Reply-Message               4.2.9              | M   |  V  |
   -----------------------------------------------|-----+-----|

4.2.2. NAS-Port AVP

The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the
physical or virtual port number of the NAS which is authenticating
the user. Note that "port" is meant in its sense as a service
connection on the NAS, not as an IP protocol identifier, and hence
the format and contents of the string that identifies the port are
specific to the NAS implementation.
[...]

                    { CHAP-Ident }
                    [ CHAP-Response ]
                  * [ AVP ]

4.3.5. CHAP-Algorithm AVP

The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and
contains the algorithm identifier used in the computation of the CHAP
response [RFC1994]. The following values are currently supported:

   CHAP with MD5    5

      The CHAP response is computed by using the procedure described
      in [RFC1994]. This algorithm requires that the CHAP-Response
      AVP (Section 4.3.7) MUST be present in the CHAP-Auth AVP
      (Section 4.3.4).

4.3.6. CHAP-Ident AVP

The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains
the 1 octet CHAP Identifier used in the computation of the CHAP
response [RFC1994].
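The following is an added example, not text or code from this draft: it shows how a NAS builds the CHAP-Auth grouped AVP for CHAP with MD5 (algorithm value 5) and how a Diameter server checks it. The grouped AVP is modelled as a plain dictionary keyed by AVP name; the challenge octets are assumed to be carried in a separate CHAP-Challenge AVP whose definition lies outside this excerpt, and the secret and challenge values are constructed sample data.

```python
"""CHAP-with-MD5 (CHAP-Algorithm 5) response computation and verification.

Added illustration, not draft text.  The CHAP-Auth grouped AVP is modelled
as a dict; the challenge is assumed to arrive in a separate CHAP-Challenge
AVP (not part of this excerpt).
"""
import hashlib
import hmac
import os

CHAP_WITH_MD5 = 5          # CHAP-Algorithm value (Section 4.3.5)
MD5_DIGEST_LEN = 16


def chap_md5_response(ident: bytes, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    if len(ident) != 1:
        raise ValueError("CHAP-Ident must be exactly one octet (Section 4.3.6)")
    return hashlib.md5(ident + secret + challenge).digest()


def build_chap_auth(ident: bytes, secret: bytes, challenge: bytes) -> dict:
    """NAS side: assemble the CHAP-Auth grouped AVP carried in the AA-Request."""
    return {
        "CHAP-Algorithm": CHAP_WITH_MD5,
        "CHAP-Ident": ident,
        "CHAP-Response": chap_md5_response(ident, secret, challenge),
    }


def verify_chap_auth(chap_auth: dict, challenge: bytes, secret: bytes) -> bool:
    """Server side: validate a received CHAP-Auth AVP against the challenge the
    server issued and the user's stored secret.  Malformed input yields False
    instead of an exception so a bad AVP cannot crash the request handler."""
    if chap_auth.get("CHAP-Algorithm") != CHAP_WITH_MD5:
        return False                    # only algorithm 5 is handled here
    ident = chap_auth.get("CHAP-Ident")
    response = chap_auth.get("CHAP-Response")
    if ident is None or response is None:
        return False                    # CHAP-Response MUST be present for MD5
    if len(ident) != 1 or len(response) != MD5_DIGEST_LEN:
        return False
    expected = chap_md5_response(ident, secret, challenge)
    # Constant-time comparison: an early-exit byte compare would leak how
    # many leading octets of a forged response were correct.
    return hmac.compare_digest(expected, response)


def new_challenge(length: int = 16) -> bytes:
    """Challenges must be unpredictable and never reused; a replayed CHAP-Auth
    only verifies against the exact challenge it was computed over."""
    return os.urandom(length)


if __name__ == "__main__":
    secret = b"per-user-secret"        # constructed sample data
    challenge = new_challenge()
    avp = build_chap_auth(b"\x01", secret, challenge)
    print("fresh response verifies:", verify_chap_auth(avp, challenge, secret))
    print("same AVP replayed against a new challenge:",
          verify_chap_auth(avp, new_challenge(), secret))
```

The server must keep the challenge it issued bound to the session and discard it after one use; the second print line in the usage block shows that a captured CHAP-Auth AVP is useless against any other challenge, which is the property that makes the hash-of-secret scheme safe to proxy through intermediate Diameter agents.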
4.3.7. CHAP-Response AVP

[...]

supported, but not compatible with the current mode of access, the
NAS MUST fail to start the session. The NAS MUST also generate the
appropriate error message(s).

The complete list of defined values that the Service-Type AVP can
take can be found in Rigney, et al. [RFC2865] and the relevant IANA
registry [RADIUSAttrVals], but the following values require further
qualification here:

   Login (1)

      The user should be connected to a host. The message MAY
      include additional AVPs as defined in Section 4.4.11.4 or
      Section 4.4.11.5.

   Framed (2)

      A Framed Protocol, such as PPP or SLIP, should be started
      for the User. The message MAY include additional AVPs
      defined in Section 4.4.10, or Section 4.5 for tunneling
      services.

   Callback Login (3)

      The user should be disconnected and called back, then
      connected to a host. The message MAY include additional
      AVPs defined in this Section.

   Callback Framed (4)

      The user should be disconnected and called back, and then a
      Framed Protocol, such as PPP or SLIP, should be started for
      the user. The message MAY include additional AVPs defined
      in Section 4.4.10, or Section 4.5 for tunneling services.

4.4.2. Callback-Number AVP

The Callback-Number AVP (AVP Code 19) is of type UTF8String and
contains a dialing string to be used for callback, the format of
which is deployment-specific. The Callback-Number AVP MAY be used in
an authentication and/or authorization request as a hint to the
server that a callback service is desired, but the server is not
required to honor the hint in the corresponding response.

[...]
The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule
(Section 4.1.1) and provides QoS filter rules that need to be
configured on the NAS for the user. One or more such AVPs MAY be
present in an authorization response.

The use of this AVP is NOT RECOMMENDED; the AVPs defined by Korhonen,
et al. [RFC5777] SHOULD be used instead.

The following options are defined for the QoSFilterRule filters:

   DSCP <color>

      If action is set to tag (Section 4.1.1) this option MUST be
      included in the rule.

      Color values are defined in Nichols, et al. [RFC2474]. Exact
      matching of DSCP values is required (no masks or ranges).

   metering <rate> <color_under> <color_over>

      The metering option provides Assured Forwarding, as defined in
      Heinanen, et al. [RFC2597], and MUST be present if the action
      is set to meter (Section 4.1.1). The rate option is the
      throughput, in bits per second, used by the access device to
      mark packets. Traffic over the rate is marked with the
      color_over codepoint, and traffic under the rate is marked with
      the color_under codepoint. The color_under and color_over
      options contain the drop preferences and MUST conform to the
      recommended codepoint keywords described in RFC 2597 (e.g.,
      AF13).

      The metering option also supports the strict limit on traffic
      required by Expedited Forwarding, as defined in Davie, et
      al. [RFC3246]. The color_over option may contain the keyword
      "drop" to prevent forwarding of traffic that exceeds the rate
      parameter.
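As an added example covering both the QoSFilterRule format of Section 4.1.1 and the DSCP and metering options above (this is illustration code, not part of the draft or of any NAS implementation), the following Python parses rule strings and applies them to a packet with first-match semantics. It assumes the codepoint keyword set CS0-CS7, AF11-AF43, EF plus "BE" for best effort, and implements only the IPFilterRule address forms "any" and address-with-optional-prefix; port lists and the "assigned" keyword are left out. The sample rules and packets are constructed.

```python
"""QoSFilterRule parser and first-match evaluator.

Added illustration, not draft text.  Address syntax is the subset of the
IPFilterRule form needed here ("any" or address[/prefix]); port lists and
the "assigned" keyword are not implemented.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Codepoint keywords: CS0-CS7 [RFC2474], AF11-AF43 [RFC2597], EF [RFC3246].
# "BE" (best effort) is an assumption of this example, not draft text.
DSCP_KEYWORDS = ({f"AF{c}{d}" for c in range(1, 5) for d in range(1, 4)}
                 | {f"CS{i}" for i in range(8)} | {"EF", "BE"})


@dataclass
class QoSRule:
    action: str                        # "tag" or "meter"
    direction: str                     # "in" or "out"
    proto: str                         # "ip", "tcp", "udp" or a protocol number
    src: Optional[object]              # ip_network, or None for "any"
    dst: Optional[object]
    dscp: Optional[str] = None         # tag: exact codepoint keyword
    rate: Optional[int] = None         # meter: bits per second
    color_under: Optional[str] = None  # meter: keyword for traffic at/under rate
    color_over: Optional[str] = None   # meter: keyword, or "drop", over rate


def _parse_addr(tok: str):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def _check_color(tok: str, allow_drop: bool = False) -> str:
    if allow_drop and tok == "drop":
        return tok
    if tok not in DSCP_KEYWORDS:       # exact keywords only: no masks or ranges
        raise ValueError(f"invalid DSCP keyword {tok!r}")
    return tok


def parse_qos_filter_rule(text: str) -> QoSRule:
    """Parse 'action dir proto from src to dst [options]' (Section 4.1.1)."""
    tok = text.split()
    if len(tok) < 7 or tok[3] != "from" or tok[5] != "to":
        raise ValueError("expected: action dir proto from src to dst [options]")
    action, direction, proto = tok[0], tok[1], tok[2]
    if action not in ("tag", "meter"):
        raise ValueError(f"unknown action {action!r}")
    if direction not in ("in", "out"):
        raise ValueError(f"unknown direction {direction!r}")
    rule = QoSRule(action, direction, proto, _parse_addr(tok[4]), _parse_addr(tok[6]))
    opts, i = tok[7:], 0
    while i < len(opts):
        if opts[i] == "DSCP" and i + 1 < len(opts):
            rule.dscp = _check_color(opts[i + 1])
            i += 2
        elif opts[i] == "metering" and i + 3 < len(opts):
            rule.rate = int(opts[i + 1])
            rule.color_under = _check_color(opts[i + 2])
            rule.color_over = _check_color(opts[i + 3], allow_drop=True)
            i += 4
        else:
            raise ValueError(f"unknown or incomplete option at {opts[i]!r}")
    # Section 4.4.9 cross-checks: tag requires DSCP, meter requires metering.
    if action == "tag" and rule.dscp is None:
        raise ValueError("tag rule without DSCP option")
    if action == "meter" and rule.rate is None:
        raise ValueError("meter rule without metering option")
    return rule


def _matches(rule: QoSRule, direction: str, proto: str, src: str, dst: str) -> bool:
    if rule.direction != direction or (rule.proto != "ip" and rule.proto != proto):
        return False
    if rule.src is not None and ipaddress.ip_address(src) not in rule.src:
        return False
    return rule.dst is None or ipaddress.ip_address(dst) in rule.dst


def classify(rules, direction, proto, src, dst, measured_bps) -> str:
    """Evaluate one packet: first matching rule for its direction wins, the
    packet is evaluated once, and no match means best effort.  Returns the
    codepoint keyword to mark with, "drop", or "best-effort"."""
    for rule in rules:
        if not _matches(rule, direction, proto, src, dst):
            continue
        if rule.action == "tag":
            return rule.dscp
        # Traffic at or under the rate gets color_under, over it color_over.
        return rule.color_under if measured_bps <= rule.rate else rule.color_over
    return "best-effort"
```

A NAS that receives a rule it cannot parse should log and skip it rather than tear the session down, matching the SHOULD NOT in Section 4.1.1; the parser above raises ValueError on the rule, not on the session, so the caller can make that choice.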
4.4.10. Framed Access Authorization AVPs

This section lists the authorization AVPs necessary to support framed

[...]

with Accounting-Record-Type = STOP_RECORD and with the same
Acct-Multi-Session-Id and unique Session-Ids equals the largest value
of Acct-Link-Count seen in those Accounting-Requests, all STOP_RECORD
Accounting-Requests for that multilink service have been received.

The following example, showing eight Accounting-Requests, illustrates
how the Acct-Link-Count AVP is used. In the table below, only the
relevant AVPs are shown, although additional AVPs containing
accounting information will be present in the Accounting-Requests.

   Acct-Multi-                  Accounting-     Acct-
   Session-Id     Session-Id    Record-Type     Link-Count
   --------------------------------------------------------
   "...10"        "...10"       START_RECORD    1
   "...10"        "...11"       START_RECORD    2
   "...10"        "...11"       STOP_RECORD     2
   "...10"        "...12"       START_RECORD    3
   "...10"        "...13"       START_RECORD    4
   "...10"        "...12"       STOP_RECORD     4
   "...10"        "...13"       STOP_RECORD     4
   "...10"        "...10"       STOP_RECORD     4
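The completion rule stated above, worked through in code (an added example, not part of the draft): a tracker that ingests Accounting-Requests in arrival order and reports the moment every link of a multilink bundle has sent its STOP_RECORD. Records are modelled as dictionaries holding only the four AVPs from the table; the eight rows of the table are embedded as constructed input.

```python
"""Detecting the end of a multilink session from Acct-Link-Count.

Added illustration, not draft text.  Each ACR is a dict carrying only the
four AVPs shown in the table above.
"""
from collections import defaultdict

STOP_RECORD = "STOP_RECORD"
FIELDS = ("Acct-Multi-Session-Id", "Session-Id",
          "Accounting-Record-Type", "Acct-Link-Count")

# The eight Accounting-Requests from the table above (constructed input).
EXAMPLE_RECORDS = [
    ("...10", "...10", "START_RECORD", 1),
    ("...10", "...11", "START_RECORD", 2),
    ("...10", "...11", STOP_RECORD,    2),
    ("...10", "...12", "START_RECORD", 3),
    ("...10", "...13", "START_RECORD", 4),
    ("...10", "...12", STOP_RECORD,    4),
    ("...10", "...13", STOP_RECORD,    4),
    ("...10", "...10", STOP_RECORD,    4),
]


def as_acr(row):
    return dict(zip(FIELDS, row))


class MultilinkTracker:
    """Per Acct-Multi-Session-Id, remember which distinct Session-Ids have
    sent a STOP_RECORD and the largest Acct-Link-Count seen in those STOPs."""

    def __init__(self):
        self._stopped = defaultdict(set)
        self._max_links = defaultdict(int)

    def ingest(self, acr):
        """Feed one ACR; return True once every link of the bundle has stopped."""
        msid = acr["Acct-Multi-Session-Id"]
        if acr["Accounting-Record-Type"] == STOP_RECORD:
            # A set, not a counter: a retransmitted STOP for the same link
            # (same Session-Id) must not be counted twice.
            self._stopped[msid].add(acr["Session-Id"])
            self._max_links[msid] = max(self._max_links[msid],
                                        acr["Acct-Link-Count"])
        return self.is_complete(msid)

    def is_complete(self, msid):
        expected = self._max_links[msid]
        return expected > 0 and len(self._stopped[msid]) == expected


def run_example(rows=EXAMPLE_RECORDS):
    """Return, for each record in order, whether the bundle was complete after it."""
    tracker = MultilinkTracker()
    return [tracker.ingest(as_acr(r)) for r in rows]


if __name__ == "__main__":
    for row, done in zip(EXAMPLE_RECORDS, run_example()):
        print(row, "<- bundle complete" if done else "")
```

Only the eighth record closes the bundle; the STOP for "...11" with a link count of 2 does not, because later STOPs raise the count to 4. Two caveats a billing system needs on top of this: the counts are asserted by the NAS, so the server should also bound how long a bundle may stay open (a lost STOP would otherwise leave it open for ever), and the set-based de-duplication assumes the NAS never reuses a Session-Id within the same Acct-Multi-Session-Id.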
4.6.10. Acct-Tunnel-Connection AVP

The Acct-Tunnel-Connection AVP (AVP Code 68) is of type OctetString
and contains the identifier assigned to the tunnel session. This
AVP, along with the Tunnel-Client-Endpoint (Section 4.5.4) and
Tunnel-Server-Endpoint (Section 4.5.5) AVPs, may be used to provide a
means to uniquely identify a tunnel session for auditing purposes.

The format of the identifier in this AVP depends upon the value of

[...]

   Calling-Station-Id                 | 0-1 | 0   |
   Class                              | 0+  | 0+  |
   Connection-Info                    | 0+  | 0   |
   Destination-Host                   | 0-1 | 0   |
   Destination-Realm                  | 1   | 0   |
   Event-Timestamp                    | 0-1 | 0-1 |
   Error-Message                      | 0   | 0-1 |
   Error-Reporting-Host               | 0   | 0-1 |
   Failed-AVP                         | 0   | 0+  |
   Framed-AppleTalk-Link              | 0-1 | 0   |
   Framed-AppleTalk-Network           | 0-1 | 0   |
   Framed-AppleTalk-Zone              | 0-1 | 0   |
   Framed-Compression                 | 0-1 | 0   |
   Framed-IP-Address                  | 0-1 | 0   |
   Framed-IP-Netmask                  | 0-1 | 0   |
   Framed-IPv6-Prefix                 | 0+  | 0   |
   Framed-IPv6-Pool                   | 0-1 | 0   |
   Framed-IPX-Network                 | 0-1 | 0   |
   Framed-MTU                         | 0-1 | 0   |
   Framed-Pool                        | 0-1 | 0   |
   Framed-Protocol                    | 0-1 | 0   |
   Framed-Route                       | 0-1 | 0   |
   Framed-Routing                     | 0-1 | 0   |
   NAS-Filter-Rule                    | 0+  | 0   |
   NAS-Identifier                     | 0-1 | 0-1 |
   NAS-IP-Address                     | 0-1 | 0-1 |
   NAS-IPv6-Address                   | 0-1 | 0-1 |
   NAS-Port                           | 0-1 | 0-1 |
   NAS-Port-Id                        | 0-1 | 0-1 |
   NAS-Port-Type                      | 0-1 | 0-1 |
   Origin-AAA-Protocol                | 0-1 | 0-1 |
   Origin-Host                        | 1   | 1   |
   Origin-Realm                       | 1   | 1   |
   Origin-State-Id                    | 0-1 | 0-1 |
   Originating-Line-Info              | 0-1 | 0   |
   Proxy-Info                         | 0+  | 0+  |
   QoS-Filter-Rule                    | 0+  | 0   |
   Route-Record                       | 0+  | 0   |
   Result-Code                        | 0   | 1   |
   Service-Type                       | 0-1 | 0-1 |
   Session-Id                         | 1   | 1   |
   Termination-Cause                  | 0-1 | 0-1 |
   Tunnel-Assignment-Id               | 0-1 | 0   |
   Tunnel-Client-Endpoint             | 0-1 | 0   |
   Tunnel-Medium-Type                 | 0-1 | 0   |
   Tunnel-Private-Group-Id            | 0-1 | 0   |
   Tunnel-Server-Endpoint             | 0-1 | 0   |
   Tunnel-Type                        | 0-1 | 0   |
   User-Name                          | 0-1 | 0-1 |
   -----------------------------------|-----+-----+
5.2.2. Non-Framed Access Accounting AVP Table

The table in this section is used when the Service-Type AVP
(Section 4.4.1) specifies Non-Framed Access.

                                      +-----------+
                                      |  Command  |
                                      |-----+-----+
   Attribute Name                     | ACR | ACA |
   -----------------------------------|-----+-----+
   Accounting-Auth-Method             | 0-1 | 0   |
   Accounting-Input-Octets            | 1   | 0   |
   Accounting-Output-Octets           | 1   | 0   |
   Accounting-Record-Type             | 1   | 1   |
   Accounting-Record-Number           | 0-1 | 0-1 |
   Accounting-Realtime-Required       | 0-1 | 0-1 |
   Accounting-Sub-Session-Id          | 0-1 | 0-1 |
   Acct-Application-Id                | 0-1 | 0-1 |
   Acct-Session-Id                    | 1   | 0-1 |
   Acct-Multi-Session-Id              | 0-1 | 0-1 |
   Acct-Authentic                     | 1   | 0   |
   Acct-Delay-Time                    | 0-1 | 0   |
   Acct-Interim-Interval              | 0-1 | 0-1 |
   Acct-Link-Count                    | 0-1 | 0   |
   Acct-Session-Time                  | 1   | 0   |
   Authorization-Lifetime             | 0-1 | 0   |
   Callback-Id                        | 0-1 | 0   |
   Callback-Number                    | 0-1 | 0   |
   Called-Station-Id                  | 0-1 | 0   |
   Calling-Station-Id                 | 0-1 | 0   |
   Class                              | 0+  | 0+  |
   Connection-Info                    | 0+  | 0   |
   Destination-Host                   | 0-1 | 0   |
   Destination-Realm                  | 1   | 0   |
   Event-Timestamp                    | 0-1 | 0-1 |
   Error-Message                      | 0   | 0-1 |
   Error-Reporting-Host               | 0   | 0-1 |
   Failed-AVP                         | 0   | 0+  |
   Login-IP-Host                      | 0+  | 0   |
   Login-IPv6-Host                    | 0+  | 0   |
   Login-LAT-Service                  | 0-1 | 0   |
   Login-LAT-Node                     | 0-1 | 0   |
   Login-LAT-Group                    | 0-1 | 0   |
   Login-LAT-Port                     | 0-1 | 0   |
   Login-Service                      | 0-1 | 0   |
   Login-TCP-Port                     | 0-1 | 0   |
   NAS-Identifier                     | 0-1 | 0-1 |
   NAS-IP-Address                     | 0-1 | 0-1 |
   NAS-IPv6-Address                   | 0-1 | 0-1 |
   NAS-Port                           | 0-1 | 0-1 |
   NAS-Port-Id                        | 0-1 | 0-1 |
   NAS-Port-Type                      | 0-1 | 0-1 |
   Origin-AAA-Protocol                | 0-1 | 0-1 |
   Origin-Host                        | 1   | 1   |
   Origin-Realm                       | 1   | 1   |
   Origin-State-Id                    | 0-1 | 0-1 |
   Originating-Line-Info              | 0-1 | 0   |
   Proxy-Info                         | 0+  | 0+  |
   QoS-Filter-Rule                    | 0+  | 0   |
   Route-Record                       | 0+  | 0   |
   Result-Code                        | 0   | 1   |
   Session-Id                         | 1   | 1   |
   Service-Type                       | 0-1 | 0-1 |
   Termination-Cause                  | 0-1 | 0-1 |
   User-Name                          | 0-1 | 0-1 |
   -----------------------------------|-----+-----+
6. Unicode Considerations
A number of the AVPs in this RFC use the UTF8String type specified in
the Diameter Base protocol [RFC6733]. Implementation differences in
Unicode input processing may result in the same Unicode input
characters generating different UTF-8 strings that fail to match when
compared for equality. This may result in interoperability problems
between a network access server and a Diameter server when a UTF-8
string entered locally is compared with one received via Diameter.
Many of the uses of UTF8String in this RFC are limited to the 7-bit
ASCII-compatible subset of UTF-8 where this class of Unicode string
comparison problems does not arise.
Careful preparation of Unicode strings can increase the likelihood
that string comparison will work in ways that make sense for typical
users throughout the world; [RFC3454] is an example of a framework for
such Unicode string preparation. The Diameter application specified
in this RFC has been deployed with use of Unicode in accordance with
[RFC4005], which does not require any Unicode string preparation. As
a result, additional requirements for Unicode string preparation in
this RFC would not be backwards compatible with existing usage.
The Diameter server and the network access servers that it serves can
be assumed to be under common administrative control, and all of the
UTF-8 strings involved are part of the configuration of these
servers. Therefore administrative interfaces for implementations of
this RFC:
a. SHOULD accept direct UTF-8 input of all configuration strings for
AVPs that allow Unicode characters beyond the 7-bit ASCII-
compatible subset of Unicode (in addition to any provisions for
accepting Unicode characters for processing into UTF-8), and
b. SHOULD make all such configuration strings available as UTF-8
strings
This functionality enables an administrator who encounters Unicode
string comparison problems to copy one instance of a problematic UTF-8
string from one server to the other, after which the two (now
identical) copies should compare as expected.
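The failure mode this section describes, as an added example that is not part of the draft: two UTF8String values that render identically but were produced by different Unicode input processing, and therefore do not compare equal as raw octets. The sample strings are constructed; the normalization check is offered as a diagnostic for the administrator, not as a comparison rule, since the section above explains why mandating string preparation would not be backward compatible.

```python
"""Why two UTF8String values that look the same can fail an equality check.

Added illustration, not draft text; sample strings are constructed.
"""
import unicodedata


def utf8_equal(a: bytes, b: bytes) -> bool:
    """Comparison as deployed under RFC 4005: raw UTF-8 octets, no preparation."""
    return a == b


def ascii_only(s: bytes) -> bool:
    """True for the 7-bit subset, where the normalization problem cannot arise."""
    return all(c < 0x80 for c in s)


def differs_only_by_normalization(a: bytes, b: bytes) -> bool:
    """Diagnostic: the octets differ, yet both decode to the same NFC text.
    Useful for an administrator chasing a mismatch; it is deliberately not
    used as the comparison itself."""
    if a == b:
        return False
    try:
        ta, tb = a.decode("utf-8"), b.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return unicodedata.normalize("NFC", ta) == unicodedata.normalize("NFC", tb)


def example():
    # The same user-visible name entered on two systems whose input
    # processing differs: precomposed U+00E9 versus 'e' + combining U+0301.
    nas_copy = "Jos\u00e9".encode("utf-8")        # b'Jos\xc3\xa9'
    server_copy = "Jose\u0301".encode("utf-8")    # b'Jose\xcc\x81'
    # The remedy in Section 6: copy the exact octets from one server to the other.
    copied_to_server = bytes(nas_copy)
    return {
        "raw_equal": utf8_equal(nas_copy, server_copy),
        "ascii_only": ascii_only(nas_copy),
        "only_normalization_differs": differs_only_by_normalization(nas_copy, server_copy),
        "equal_after_octet_copy": utf8_equal(nas_copy, copied_to_server),
    }
```

When an administrative interface exposes the raw UTF-8 (requirement (b) above), the octet-copy path in example() is exactly what the administrator performs; without it, the only clue is that the two strings look identical on screen.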
7. IANA Considerations

Several of the namespaces used in this document are managed by the
Internet Assigned Numbers Authority [IANA], including the AVP Codes
[AVP-Codes], AVP Specific Values [AVP-Vals], Application IDs
[App-Ids], Command Codes [Command-Codes] and RADIUS Attribute Values
[RADIUSAttrVals].

For the current values allocated, and the policies governing
allocation in those namespaces, please see the above-referenced
registries.

IANA Note: Please change all the references in the registries listed
above that are currently pointing to RFC 4005 to point to this
document instead; please change the reference for the value '1' in
the "Application IDs" sub-registry of the "Authentication,
Authorization, and Accounting (AAA) Parameters" registry to point to
this document, as well.

RFC Editor: Please remove both this note and the IANA note above
before publication.
8. Security Considerations

This document describes the extension of Diameter for the NAS
application. Security considerations regarding the Diameter protocol
itself are discussed in [RFC6733]. Use of this application of
Diameter MUST take into consideration the security issues and
requirements of the Base protocol.

8.1. Authentication Considerations

This document does not contain a security protocol but does discuss
how PPP authentication protocols can be carried within the Diameter
protocol. The PPP authentication protocols described are PAP and
CHAP.

The use of PAP SHOULD be discouraged, as it exposes users' passwords
to possibly non-trusted entities. However, PAP is also frequently
used with One-Time Passwords, which do not expose a security
risk.

skipping to change at page 62, line 11

Depending on the value of the Auth-Request-Type AVP, the Diameter
protocol allows authorization-only requests that contain no
authentication information from the client. This capability goes
beyond the Call Check capabilities provided by RADIUS (Section 5.6 of
[RFC2865]) in that no access decision is requested. Consequently, a
new session cannot be started in response to an answer to an
authorization-only request without introducing a significant security
vulnerability.

8.2. AVP Considerations

Diameter AVPs often contain security-sensitive data; for example,
user passwords and location data, network addresses and cryptographic
keys. With the exception of the Configuration-Token (Section 4.4.8),
QoS-Filter-Rule (Section 4.4.9) and Tunneling (Section 4.5.1) AVPs,
all of the AVPs defined in this document are considered to be
security-sensitive.

Diameter messages containing any AVPs considered to be
security-sensitive MUST only be sent protected via mutually authenticated TLS

skipping to change at page 62, line 33

intermediate nodes unless there is end-to-end security between the
originator and recipient or the originator has locally trusted
configuration that indicates that end-to-end security is not needed.
For example, end-to-end security may not be required in the case
where an intermediary node is known to be operated as part of the
same administrative domain as the endpoints so that an ability to
successfully compromise the intermediary would imply a high
probability of being able to compromise the endpoints as well. Note
that no end-to-end security mechanism is specified in this document.
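The following is an added example, not code from the draft or from any Diameter implementation, covering both the authorization-only rule of Section 8.1 and the sensitive-AVP transmission rule of Section 8.2. It contains a minimal AVP encoder and a length-checking decoder (AVP header layout and the Auth-Request-Type, Session-Id, User-Name, User-Password, Configuration-Token, Tunneling, CHAP-Auth and QoS-Filter-Rule codes are those of RFC 6733 and this application), and two policy checks. The NASREQ_AVP_CODES table is a constructed subset of this document's AVP codes, the hop descriptor passed to may_send() is a constructed stand-in for what a real stack knows about its peer connection, and build_aar() produces a constructed AA-Request payload without the Diameter header.

```python
"""
Added example (not from the draft): a minimal Diameter AVP codec plus the
two checks from Sections 8.1 and 8.2.  Tables and transport descriptors
are constructed for illustration.
"""
import struct

# Auth-Request-Type values (RFC 6733, Section 8.7)
AUTHENTICATE_ONLY, AUTHORIZE_ONLY, AUTHORIZE_AUTHENTICATE = 1, 2, 3

AVP_USER_NAME, AVP_USER_PASSWORD = 1, 2
AVP_CONFIGURATION_TOKEN = 78
AVP_SESSION_ID, AVP_AUTH_REQUEST_TYPE = 263, 274
AVP_TUNNELING, AVP_CHAP_AUTH, AVP_QOS_FILTER_RULE = 401, 402, 407

# Section 8.2: every AVP defined in this document is security-sensitive
# except these three.  NASREQ_AVP_CODES is a constructed subset.
NASREQ_AVP_CODES = {1, 2, 5, 8, 30, 31, 32, 78, 400, 401, 402, 407}
NOT_SENSITIVE = {AVP_CONFIGURATION_TOKEN, AVP_QOS_FILTER_RULE, AVP_TUNNELING}

FLAG_V, FLAG_M = 0x80, 0x40   # Vendor-specific and Mandatory bits


def encode_avp(code, data, flags=FLAG_M, vendor_id=None):
    """AVP = code(32) flags(8) length(24) [vendor-id(32)] data, padded to
    a 32-bit boundary.  The length field excludes the padding."""
    hdr_len = 12 if vendor_id is not None else 8
    if vendor_id is not None:
        flags |= FLAG_V
    out = struct.pack("!I", code) + bytes([flags]) + (hdr_len + len(data)).to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-len(data) % 4)


def decode_avps(buf):
    """Return [(code, vendor_id, data)].  Lengths shorter than the header or
    running past the buffer are rejected rather than read blindly."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code = struct.unpack_from("!I", buf, off)[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr_len = 12 if flags & FLAG_V else 8
        if length < hdr_len or off + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if flags & FLAG_V else None
        avps.append((code, vendor, buf[off + hdr_len:off + length]))
        off += length + (-length % 4)
    return avps


def sensitive_codes(avps):
    """Codes present that Section 8.2 classifies as security-sensitive."""
    return {c for c, v, _ in avps
            if v is None and c in NASREQ_AVP_CODES and c not in NOT_SENSITIVE}


def may_send(avps, hop):
    """Section 8.2 transmit rule.  hop is a constructed dict with the keys
    mutual_tls, via_intermediary, end_to_end_security, trusted_by_config."""
    if not sensitive_codes(avps):
        return True
    if not hop.get("mutual_tls"):
        return False
    if hop.get("via_intermediary") and not (
            hop.get("end_to_end_security") or hop.get("trusted_by_config")):
        return False
    return True


def may_start_session(avps):
    """Section 8.1: an answer to an authorization-only request never creates
    a session.  With no Auth-Request-Type there is nothing to authorize."""
    for code, vendor, data in avps:
        if code == AVP_AUTH_REQUEST_TYPE and vendor is None and len(data) == 4:
            return struct.unpack("!I", data)[0] != AUTHORIZE_ONLY
    return False


def build_aar(session_id, user, auth_type, password=None):
    """Constructed AA-Request AVP payload (Diameter header omitted)."""
    avps = (encode_avp(AVP_SESSION_ID, session_id.encode())
            + encode_avp(AVP_AUTH_REQUEST_TYPE, struct.pack("!I", auth_type))
            + encode_avp(AVP_USER_NAME, user.encode("utf-8")))
    if password is not None:
        avps += encode_avp(AVP_USER_PASSWORD, password.encode("utf-8"))
    return avps


if __name__ == "__main__":
    req = decode_avps(build_aar("nas1.example.net;1;2", "alice", AUTHORIZE_AUTHENTICATE, "s3cret"))
    print(sorted(sensitive_codes(req)), may_send(req, {"mutual_tls": False}), may_start_session(req))
```

The decoder's length checks are not decoration: an AVP whose length field exceeds the remaining buffer is the standard way to provoke an over-read in a Diameter stack, and a relay that forwards such a message unprotected compounds the problem. may_send() deliberately refuses on a missing key rather than defaulting to "secure".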
9. References

9.1. Normative References

[ANITypes] NANPA Number Resource Info, "ANI Assignments", <http://www.nanpa.com/number_resource_info/ani_ii_assignments.html>.

[RFC1994] Simpson, W., "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", RFC 3162, August 2001.

[RFC3516] Nerenberg, L., "IMAP4 Binary Content Extension", RFC 3516, April 2003.

[RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and Accounting (AAA) Transport Profile", RFC 3539, June 2003.

[RFC5777] Korhonen, J., Tschofenig, H., Arumaithurai, M., Jones, M., and A. Lior, "Traffic Classification and Quality of Service (QoS) Attributes for Diameter", RFC 5777, February 2010.

[RFC6733] Fajardo, V., Arkko, J., Loughney, J., and G. Zorn, "Diameter Base Protocol", RFC 6733, October 2012.

9.2. Informative References

[ARAP] Apple Computer, "Apple Remote Access Protocol (ARAP) Version 2.0 External Reference Specification", R0612LL/B, September 1994.

[AVP-Codes] IANA, "IANA AAA AVP Codes Registry", <http://www.iana.org/assignments/aaa-parameters/aaa-parameters.xml#aaa-parameters-1>.

[AVP-Vals] IANA, "IANA AAA AVP Specific Values", <http://www.iana.org/assignments/aaa-parameters/aaa-parameters.xml#aaa-parameters-2>.

[App-Ids] IANA, "IANA AAA Application IDs Registry", <http://www.iana.org/assignments/aaa-parameters/aaa-parameters.xml#aaa-parameters-1>.

[AppleTalk] Sidhu, G., Andrews, R., and A. Oppenheimer, "Inside AppleTalk", Second Edition, Apple Computer, 1990.

[BASE] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.

[Command-Codes] IANA, "IANA AAA Command Codes Registry", <http://www.iana.org/assignments/aaa-parameters/aaa-parameters.xml#command-code-rules>.

[IANA] IANA, "Internet Assigned Numbers Authority", <http://www.iana.org/>.

[IPX] Novell, Inc., "NetWare System Technical Interface Overview", #883-000780-001, June 1989.

[ISO.8859-1.1987] International Organization for Standardization, "Information technology - 8-bit single byte coded graphic - character sets - Part 1: Latin alphabet No. 1, JTC1/SC2", ISO Standard 8859-1, 1987.

[LAT] Digital Equipment Corp., "Local Area Transport (LAT) Specification V5.0", AA-NL26A-TE, June 1989.

[RADIUSAttrVals] IANA, "IANA Radius Attribute Values Registry", <http://www.iana.org/assignments/radius-types/radius-types.xml#radius-types-3>.

[RFC1334] Lloyd, B. and W. Simpson, "PPP Authentication Protocols", RFC 1334, October 1992.

[RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.

[RFC1990] Sklower, K., Lloyd, B., McGregor, G., Carr, D., and T. Coradetti, "The PPP Multilink Protocol (MP)", RFC 1990, August 1996.

[RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, December 1998.

[RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes", RFC 2548, March 1999.

[RFC2597] Heinanen, J., Baker, F., Weiss, W., and J. Wroclawski, "Assured Forwarding PHB Group", RFC 2597, June 1999.

[RFC2637] Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little, W., and G. Zorn, "Point-to-Point Tunneling Protocol", RFC 2637, July 1999.

[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[RFC2867] Zorn, G., Aboba, B., and D. Mitton, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000.

[RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M., and I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June 2000.

[RFC2869] Rigney, C., Willats, W., and P. Calhoun, "RADIUS Extensions", RFC 2869, June 2000.

[RFC2881] Mitton, D. and M. Beadles, "Network Access Server Requirements Next Generation (NASREQNG) NAS Model", RFC 2881, July 2000.

[RFC2989] Aboba, B., Calhoun, P., Glass, S., Hiller, T., McCann, P., Shiino, H., Walsh, P., Zorn, G., Dommety, G., Perkins, C., Patil, B., Mitton, D., Manning, S., Beadles, M., Chen, X., Sivalingham, S., Hameed, A., Munson, M., Jacobs, S., Lim, B., Hirschman, B., Hsu, R., Koo, H., Lipford, M., Campbell, E., Xu, Y., Baba, S., and E. Jaques, "Criteria for Evaluating AAA Protocols for Network Access", RFC 2989, November 2000.

[RFC3169] Beadles, M. and D. Mitton, "Criteria for Evaluating Network Access Server Protocols", RFC 3169, September 2001.

[RFC3246] Davie, B., Charny, A., Bennet, J., Benson, K., Le Boudec, J., Courtney, W., Davari, S., Firoiu, V., and D. Stiliadis, "An Expedited Forwarding PHB (Per-Hop Behavior)", RFC 3246, March 2002.

[RFC3454] Hoffman, P. and M. Blanchet, "Preparation of Internationalized Strings ("stringprep")", RFC 3454, December 2002.

[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", RFC 3580, September 2003.

[RFC3931] Lau, J., Townsley, M., and I. Goyret, "Layer Two Tunneling Protocol - Version 3 (L2TPv3)", RFC 3931, March 2005.

[RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible Authentication Protocol (EAP) Application", RFC 4072, August 2005.

[RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.
Appendix A. Acknowledgements

A.1. This Document

The vast majority of the text in this document was taken directly
from RFC 4005; the editor owes a debt of gratitude to the authors
thereof (especially Dave Mitton, who somehow managed to make nroff
paginate the AVP Occurrence Tables correctly!).

Thanks (in no particular order) to Jai-Jin Lim, Liu Hans, Sebastien
Decugis, Jouni Korhonen, Mark Jones, Hannes Tschofenig, Dave Crocker,
David Black, Barry Leiba, Peter Saint-Andre, Stefan Winter and Lionel
Morand for their useful reviews and helpful comments.

A.2. RFC 4005

The authors would like to thank Carl Rigney, Allan C. Rubens, William
Allen Simpson, and Steve Willens for their work on the original
RADIUS protocol, from which many of the concepts in this
specification were derived. Thanks, also, to Carl Rigney for
[RFC2866] and [RFC2869]; Ward Willats for [RFC2869]; Glen Zorn,
Bernard Aboba, and Dave Mitton for [RFC2867] and [RFC3162]; and Dory
Leifer, John Shriver, Matt Holdrege, Allan Rubens, Glen Zorn and
 End of changes. 83 change blocks. 
456 lines changed or deleted 531 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/