idnits 2.17.1 draft-aboba-radius-ipv6-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents -- however, there's a paragraph with a matching beginning. Boilerplate error? == The page length should not exceed 58 lines per page, but there was 8 longer pages, the longest (page 2) being 60 lines == It seems as if not all pages are separated by form feeds - found 0 form feeds but 9 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Abstract section. ** The document seems to lack an Introduction section. ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack an Authors' Addresses Section. ** There are 18 instances of lines with control characters in the document. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 72: '...tion of the user, and SHOULD be unique...' RFC 2119 keyword, line 75: '... IP-Address MAY be present in an Acc...' RFC 2119 keyword, line 76: '...t then NAS-Identifier MUST be present....' RFC 2119 keyword, line 111: '...for the user. It MAY be used in Access...' RFC 2119 keyword, line 112: '... MAY be used in an Access-Request pa...' (12 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 422 has weird spacing: '...>, and expir...' -- The exact meaning of the all-uppercase expression 'MAY NOT' is not defined in RFC 2119. If it is intended as a requirements expression, it should be rewritten using one of the combinations defined in RFC 2119; otherwise it should not be all-uppercase. == The expression 'MAY NOT', while looking like RFC 2119 requirements text, is not defined in RFC 2119, and should not be used. Consider using 'MUST NOT' instead (if that is what you mean). Found 'MAY NOT' in this paragraph: However, where RADIUS is run over IPSEC ESP with a non-null transform, the secret shared between the NAS and the RADIUS server MAY NOT be configured. In this case, a shared secret of zero length MUST be assumed. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? '11' on line 318 looks like a reference -- Missing reference section? '1' on line 288 looks like a reference -- Missing reference section? '2' on line 291 looks like a reference -- Missing reference section? '3' on line 328 looks like a reference -- Missing reference section? '4' on line 339 looks like a reference -- Missing reference section? '5' on line 300 looks like a reference -- Missing reference section? '6' on line 340 looks like a reference -- Missing reference section? '7' on line 338 looks like a reference -- Missing reference section? '8' on line 309 looks like a reference -- Missing reference section? '9' on line 330 looks like a reference -- Missing reference section? '10' on line 315 looks like a reference Summary: 10 errors (**), 0 flaws (~~), 5 warnings (==), 14 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group Bernard Aboba 3 INTERNET-DRAFT Microsoft 4 Category: Standards Track Glen Zorn 5 Cisco Systems 6 26 August 2000 Dave Mitton 7 Nortel Networks 9 RADIUS and IPv6 11 This document is an Internet-Draft and is in full conformance with all 12 provisions of Section 10 of RFC2026. 14 Internet-Drafts are working documents of the Internet Engineering Task 15 Force (IETF), its areas, and its working groups. Note that other groups 16 may also distribute working documents as Internet- Drafts. 18 Internet-Drafts are draft documents valid for a maximum of six months 19 and may be updated, replaced, or obsoleted by other documents at any 20 time. It is inappropriate to use Internet-Drafts as reference material 21 or to cite them other than as "work in progress." 23 The list of current Internet-Drafts can be accessed at 24 http://www.ietf.org/ietf/1id-abstracts.txt 26 The list of Internet-Draft Shadow Directories can be accessed at 27 http://www.ietf.org/shadow.html. 29 11.. Copyright Notice 31 Copyright (C) The Internet Society (2000). All Rights Reserved. 33 22.. Abstract 35 This document specifies the operation of RADIUS when run over IPv6 as 36 well as the RADIUS attributes used to support IPv6 network access. A 37 companion document, draft-itojun-ipv6-dialup-radius-0x.txt, describes 38 scenarios in which these attributes may be used. 40 33.. Introduction 42 This document specifies the operation of RADIUS when run over IPv6 as 43 well as the RADIUS attributes used to support IPv6 network access. A 44 companion document, draft-itojun-ipv6-dialup-radius-0x.txt [11], 45 describes scenarios in which these attributes may be used. 47 Note that the RADIUS server does not know a priori whether the NAS will 48 be using IPv4, IPv6, or both. Therefore it is presumed that the IPv6 49 attributes described in this document may be sent along with 50 IPv4-related attributes within the same RADIUS message and that the NAS 51 will decide which attributes to use. 53 The NAS can provide IPv6 access natively, or alternatively, via a tunnel 54 (6BONE). The choice of method for providing IPv6 access has no effect on 55 RADIUS usage per se, although if it is desired that an IPv6 within IPv4 56 tunnel be opened to a particular location, then tunnel attributes should 57 be utilized, as described in [7]-[8]. 59 33..11.. Requirements language 61 In this document, the key words "MAY", "MUST, "MUST NOT", "optional", 62 "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as 63 described in [1]. 65 44.. Attributes 67 44..11.. NAS-IPv6-Address 69 Description 71 This Attribute indicates the identifying IPv6 Address of the NAS 72 which is requesting authentication of the user, and SHOULD be unique 73 to the NAS within the scope of the RADIUS server. NAS-IPv6-Address 74 is only used in Access-Request packets. NAS-IPv6-Address and/or NAS- 75 IP-Address MAY be present in an Access-Request packet; however, if 76 neither attribute is present then NAS-Identifier MUST be present. 78 A summary of the NAS-IPv6-Address Attribute format is shown below. The 79 fields are transmitted from left to right. 81 0 1 2 3 82 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 83 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 84 | Type | Length | Address 85 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 86 Address 87 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 88 Address 89 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 90 Address 91 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 92 Address | 93 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 95 Type 96 TBD for NAS-IPv6-Address 98 Length 100 18 102 Address 104 The Address field is 16 octets. 106 44..22.. Framed-Interface-Id 108 Description 110 This Attribute indicates the IPv6 interface identifier to be 111 configured for the user. It MAY be used in Access-Accept packets. It 112 MAY be used in an Access-Request packet as a hint by the NAS to the 113 server that it would prefer that address, but the server is not 114 required to honor the hint. 116 A summary of the Framed-Interface-Id Attribute format is shown below. 117 The fields are transmitted from left to right. 119 0 1 2 3 120 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 121 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 122 | Type | Length | Address 123 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 124 Address 125 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 126 Address | 127 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 129 Type 131 TBD for Framed-Interface-Id 133 Length 135 10 137 Address 139 The Address field is 8 octets. 141 44..33.. Framed-IPv6-Prefix 143 Description 145 This Attribute indicates the IPv6 prefix to be configured for the 146 user. It MAY be used in Access-Accept packets. It MAY be used in an 147 Access-Request packet as a hint by the NAS to the server that it 148 would prefer that address, but the server is not required to honor 149 the hint. 151 A summary of the Framed-IPv6-Prefix Attribute format is shown below. 152 The fields are transmitted from left to right. 154 0 1 2 3 155 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 156 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 157 | Type | Length | Reserved | Prefix | 158 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 159 Address 160 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 161 Address 162 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 163 Address 164 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 165 Address | 166 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 168 Type 170 TBD for Framed-IPv6-Prefix 172 Length 174 At least 2 and no larger than 20. 176 Reserved 178 This field is reserved and MUST be set to zero. 180 Prefix 182 The length of the prefix, in bits. At least 0 and no larger than 128. 184 Address 186 The Address field is up to 16 octets in length. Bits outside of the 187 prefix length, if included, must be zero. 189 44..44.. Login-IPv6-Host 191 Description 193 This Attribute indicates the system with which to connect the user, 194 when the Login-Service Attribute is included. It MAY be used in 195 Access-Accept packets. It MAY be used in an Access-Request packet as 196 a hint to the server that the NAS would prefer to use that host, but 197 the server is not required to honor the hint. 199 A summary of the Login-IPv6-Host Attribute format is shown below. The 200 fields are transmitted from left to right. 202 0 1 2 3 203 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 204 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 205 | Type | Length | Address 206 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 207 Address 208 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 209 Address 210 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 211 Address 212 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 213 Address | 214 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 216 Type 218 TBD for Login-IPv6-Host 220 Length 222 18. 224 Address 226 The Address field is 16 octets in length. The value 227 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD 228 allow the user to select an address. The value 0 indicates that the 229 NAS SHOULD select a host to connect the user to. Other values 230 indicate the address the NAS SHOULD connect the user to. 232 44..55.. Framed-IPv6-Route 234 Description 236 This Attribute provides routing information to be configured for the 237 user on the NAS. It is used in the Access-Accept packet and can 238 appear multiple times. 240 A summary of the Framed-IPv6-Route Attribute format is shown below. The 241 fields are transmitted from left to right. 243 0 1 2 244 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 245 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- 246 | Type | Length | Text ... 247 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- 249 Type 251 TBD for Framed-IPv6-Route 253 Length 255 >=3 257 Text 259 The Text field is one or more octets, and its contents are 260 implementation dependent. It is intended to be human readable and 261 MUST NOT affect operation of the protocol. It is recommended that 262 the message contain UTF-8 encoded 10646 [2] characters. 264 For IPv6 routes, it SHOULD contain a destination prefix optionally 265 followed by a slash and a decimal length specifier stating how many 266 high order bits of the prefix to use. That is followed by a space, a 267 gateway address, a space, and one or more metrics separated by 268 spaces. 270 Whenever the gateway address is specified as zero the IP address of 271 the user SHOULD be used as the gateway address. 273 55.. Table of Attributes 275 The following table provides a guide to which attributes may be found in 276 which kinds of packets, and in what quantity. 278 Request Accept Reject Challenge # Attribute 279 0-1 0 0 0 TBD NAS-IPv6-Address 280 0-1 0-1 0 0 TBD Framed-Interface-Id 281 0-1 0-1 0 0 TBD Framed-IPv6-Prefix 282 0+ 0+ 0 0 TBD Login-IPv6-Host 283 0 0+ 0 0 TBD Framed-IPv6-Route 284 Request Accept Reject Challenge # Attribute 286 66.. References 288 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 289 Levels", RFC 2119, March, 1997. 291 [2] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO 292 10646", RFC 2044, October 1996. 294 [3] Aboba, B., and Vollbrecht, J., "Proxy Chaining and Policy 295 Implementation in Roaming", RFC 2607, June 1999. 297 [4] Rigney, C., Rubens, A., Simpson, W., Willens, S., "Remote 298 Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. 300 [5] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. 302 [6] Rigney, C., Willats, W., Calhoun, P., "RADIUS Extensions", RFC 303 2869, June 2000. 305 [7] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M., 306 Goyret, I., "RADIUS Attributes for Tunnel Protocol Support", RFC 307 2868, June 2000. 309 [8] Zorn, G., Mitton, D., Aboba, B., "RADIUS Accounting Modifications 310 for Tunnel Protocol Support", RFC 2867, June 2000. 312 [9] Kent S., Atkinson, R., "Security Architecture for the Internet 313 Protocol", RFC 2401, November 1998. 315 [10] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA 316 Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. 318 [11] Hagino, J., Yamamoto, K., "A RADIUS attribute for IPv6 dialup PPP 319 with static address assignment", draft-itojun-ipv6-dialup- 320 radius-00.txt, July 2000. 322 77.. Security Considerations 324 This draft describes the use of RADIUS for the purposes of 325 authentication, authorization and accounting in IPv6-enabled networks. 326 In such networks, the RADIUS protocol may run either over IPv4 or over 327 IPv6. Known security vulnerabilities of the RADIUS protocol are 328 described in [6] and [3]. 330 Since IPSEC [9] is mandatory to implement for IPv6, it is expected that 331 running RADIUS implementations supporting IPv6 will typically run over 332 IPSEC. Where RADIUS is run over IPSEC and where certificates are used 333 for authentication, it may be desirable to avoid management of RADIUS 334 shared secrets, so as to leverage the improved scalability of public key 335 infrastructure. 337 Within RADIUS, a shared secret is used for hiding of attributes such as 338 User-Password [4] and Tunnel-Password [7]. In addition, the shared 339 secret is used in computation of the Response Authenticator [4], as well 340 as the Message-Authenticator attribute [6]. Therefore, in RADIUS a 341 shared secret is used to provide confidentiality as well as integrity 342 protection and authentication. As a result, only use of IPSEC ESP with a 343 non-null transform can provide security services sufficient to 344 substitute for RADIUS application-layer security. Therefore, where IPSEC 345 AH or ESP null is used, it will typically still be necessary to 346 configure a RADIUS shared secret. 348 However, where RADIUS is run over IPSEC ESP with a non-null transform, 349 the secret shared between the NAS and the RADIUS server MAY NOT be 350 configured. In this case, a shared secret of zero length MUST be 351 assumed. 353 88.. IANA Considerations 355 This draft requires the assignment of five new RADIUS attribute numbers 356 for the following attributes: 358 NAS-IPv6-Address 359 Framed-Interface-Id 360 Framed-IPv6-Prefix 361 Login-IPv6-Host 362 Framed-IPv6-Route 364 99.. Acknowledgments 366 The authors would like to acknowledge Jun-ichiro itojun Hagino of IIJ 367 Research Laboratory, Darran Potter of Cisco and Carl Rigney of Lucent 368 for contributions to this document. 370 1100.. Authors' Addresses 372 Bernard Aboba 373 Microsoft Corporation 374 One Microsoft Way 375 Redmond, WA 98052 377 EMail: bernarda@microsoft.com 378 Phone: +1 425 936 6605 379 Fax: +1 425 936 7329 380 Glen Zorn 381 Cisco Systems, Inc. 382 500 108th Avenue N.E., Suite 500 383 Bellevue, WA 98004 385 Phone: +1 425 468 0955 386 Email: gwz@cisco.com 388 Dave Mitton 389 Nortel Networks 390 880 Technology Park Drive 391 Billerica, MA 01821 393 Phone: +1 978 288 4570 394 Fax: +1 978 288 3030 395 EMail: dmitton@nortelnetworks.com 397 1111.. Full Copyright Statement 399 Copyright (C) The Internet Society (2000). All Rights Reserved. 400 This document and translations of it may be copied and furnished to 401 others, and derivative works that comment on or otherwise explain it or 402 assist in its implementation may be prepared, copied, published and 403 distributed, in whole or in part, without restriction of any kind, 404 provided that the above copyright notice and this paragraph are included 405 on all such copies and derivative works. However, this document itself 406 may not be modified in any way, such as by removing the copyright notice 407 or references to the Internet Society or other Internet organizations, 408 except as needed for the purpose of developing Internet standards in 409 which case the procedures for copyrights defined in the Internet 410 Standards process must be followed, or as required to translate it into 411 languages other than English. The limited permissions granted above are 412 perpetual and will not be revoked by the Internet Society or its 413 successors or assigns. This document and the information contained 414 herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE 415 INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR 416 IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 417 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 418 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." 420 1122.. Expiration Date 422 This memo is filed as , and expires 423 May 1, 2001.