The RADIUS-Diameter Gateway (RADIA) Application

The Diameter Network Access Server (NASREQ) Application specifies methods to deal with various interactions between the RADIUS and Diameter protocols. In particular, the translation of RADIUS messages and attributes to and from Diameter commands and Attribute-Value Pairs (AVPs) is described at some length. However, there is a fundamental and insurmountable problem with attempting to translate Diameter protocol elements into RADIUS protocol elements: a single Diameter AVP may be much larger than an entire RADIUS message. Various workarounds have been proposed to ameliorate this proble, including limiting the size of Diameter elements that might require translation into RADIUS and returning an error upon receipt of an untranslatable AVP. The former approach uneccessarily limits the utility of, for example, the NASREQ application in pure Diameter deployments while the latter can result in the denial of service to otherwise legitimate users. This document describes a simple method to solve the problems of interaction between RADIUS and Diameter by taking advantage of the fact thata RADIUS message can fit into a single Diameter AVP.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

The following sections define the syntax, semantics and usage of the RADIA application.

Servers and proxies supporting the RADIUS-Diameter Gateway application MUST advertise support by including the value <AID> in the Auth-Application-Id of the Capabilities-Exchange-Request (CER), Accounting-Request (ACR), Accounting-Answer (ACA), RADIA-Request (RDR), and RADIA-Answer (RDA) messages.

Session usage in the RADIA application is identical to that in NASREQ.

The RADIA application defines two new commands: Gateway-Request (RDR) and Gateway-Answer (RDA). The following sections describe these commands.

The peer sends the RADIA-Request (RDR) command, indicated by the Command-Code field set to <CC1> and the Command Flags' 'R' bit set, in order to transmit a RADIUS message (encapsulated in the Radius-Message AVP) toward its final destination. The Radius-Message AVP will generally encapsulate a RADIUS request message (e.g., Access-Request). Message format:

<RDR> ::= < Diameter Header: CC1, REQ, PXY > { Origin-Host } { Origin-Realm } { Destination-Realm } { Auth-Application-Id } { Radius-Message} [ Destination-Host ] * [ Proxy-Info ] * [ Route-Record ] * [ AVP ]

The peer sends the RADIA-Answer (RDA) command, indicated by the Command-Code field set to <CC2> and the Command Flags' 'R' bit set, in order to transmit a RADIUS message (encapsulated in the Radius-Message AVP) toward its final destination. The Radius-Message AVP will generally encapsulate a RADIUS reply message (e.g., Access-Accept). Message format:

<RDA> ::= < Diameter Header: CC2, REQ, PXY > { Origin-Host } { Origin-Realm } { Destination-Realm } { Auth-Application-Id } { Radius-Message} [ Destination-Host ] * [ Proxy-Info ] * [ Route-Record ] * [ AVP ]

This section describes the single AVP specific to the RADIUS-Diameter Gateway application.

The Radius-Message AVP (AVP code <AVP>) is of type OctetString. The 'M' bit MUST be set and the 'V' bit MUST NOT be set. The AVP contains a complete RADIUS message.

The protocol defined in this specification has no effect upon the security of either Diameter or RADIUS.

Upon publication of this memo as an RFC, IANA is requested to assign values as described in the following sections.

An application identifier for Diameter RADIUS-Diameter Gateway (<AID>, ) must be assigned according to the policy specified in Section 11.3 of RFC 3588.

Command codes must be assigned for the RADIA-Request (RDR) (<CC1>, ) and RADIA-Answer (RDA) (<CC2>, ) commands according to the policy specified in RFC 3588, Section 11.2.1.

A code must be assigned for the following AVP using the policy specified in RFC 3588, Section 11.1.1: Radius-Message (<AVP>, ).