idnits 2.17.1 draft-aboba-radius-ipv6-05.txt: ** The Abstract section seems to be numbered Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents -- however, there's a paragraph with a matching beginning. Boilerplate error? == The page length should not exceed 58 lines per page, but there was 9 longer pages, the longest (page 2) being 60 lines == It seems as if not all pages are separated by form feeds - found 0 form feeds but 10 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There are 5 instances of too long lines in the document, the longest one being 6 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 432 has weird spacing: '...>, and expir...' == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The exact meaning of the all-uppercase expression 'MAY NOT' is not defined in RFC 2119. If it is intended as a requirements expression, it should be rewritten using one of the combinations defined in RFC 2119; otherwise it should not be all-uppercase. == The expression 'MAY NOT', while looking like RFC 2119 requirements text, is not defined in RFC 2119, and should not be used. Consider using 'MUST NOT' instead (if that is what you mean). Found 'MAY NOT' in this paragraph: However, where RADIUS is run over IPSEC ESP with a non-null transform, the secret shared between the NAS and the RADIUS server MAY NOT be configured. In this case, a shared secret of zero length MUST be assumed. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: '5' is defined on line 306, but no explicit reference was found in the text == Unused Reference: '10' is defined on line 321, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2044 (ref. '2') (Obsoleted by RFC 2279) ** Downref: Normative reference to an Informational RFC: RFC 2607 (ref. '3') ** Downref: Normative reference to an Informational RFC: RFC 2866 (ref. '5') ** Downref: Normative reference to an Informational RFC: RFC 2867 (ref. '6') ** Downref: Normative reference to an Informational RFC: RFC 2868 (ref. '7') ** Downref: Normative reference to an Informational RFC: RFC 2869 (ref. '8') ** Obsolete normative reference: RFC 2401 (ref. '9') (Obsoleted by RFC 4301) ** Obsolete normative reference: RFC 2434 (ref. '10') (Obsoleted by RFC 5226) -- Possible downref: Normative reference to a draft: ref. '11' ** Obsolete normative reference: RFC 2472 (ref. '12') (Obsoleted by RFC 5072, RFC 5172) Summary: 15 errors (**), 0 flaws (~~), 8 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group Bernard Aboba 3 INTERNET-DRAFT Microsoft 4 Category: Standards Track Glen Zorn 5 Cisco Systems 6 9 January 2001 Dave Mitton 7 Nortel Networks 9 RADIUS and IPv6 11 This document is an Internet-Draft and is in full conformance with all 12 provisions of Section 10 of RFC2026. 14 Internet-Drafts are working documents of the Internet Engineering Task 15 Force (IETF), its areas, and its working groups. Note that other groups 16 may also distribute working documents as Internet- Drafts. 18 Internet-Drafts are draft documents valid for a maximum of six months 19 and may be updated, replaced, or obsoleted by other documents at any 20 time. It is inappropriate to use Internet-Drafts as reference material 21 or to cite them other than as "work in progress." 23 The list of current Internet-Drafts can be accessed at 24 http://www.ietf.org/ietf/1id-abstracts.txt 26 The list of Internet-Draft Shadow Directories can be accessed at 27 http://www.ietf.org/shadow.html. 29 1. Copyright Notice 31 Copyright (C) The Internet Society (2001). All Rights Reserved. 33 2. Abstract 35 This document specifies the operation of RADIUS when run over IPv6 as 36 well as the RADIUS attributes used to support IPv6 network access. 38 3. Introduction 40 This document specifies the operation of RADIUS [4]-[8] over IPv6 [12] 41 as well as the RADIUS attributes used to support IPv6 network access. 42 Scenarios involving the use of these attributes are described in [11]. 44 Note that a NAS sending a RADIUS Access-Request may not know a-priori 45 whether the host will be using IPv4, IPv6, or both. For example, within 46 PPP, NCP occurs after LCP, so that address assignment will not occur 47 until after RADIUS authentication and authorization has completed. 49 Therefore it is presumed that the IPv6 attributes described in this 50 document MAY be sent along with IPv4-related attributes within the same 51 RADIUS message and that the NAS will decide which attributes to use. The 52 NAS SHOULD only allocate addresses that the client can actually use, 53 however. For example, there is no need for the NAS to reserve use of an 54 IPv4 address for a host that only supports IPv6; similarly, an IPv4-only 55 host does not require allocation of an IPv6 address. 57 The NAS can provide IPv6 access natively, or alternatively, via a tunnel 58 (6BONE). The choice of method for providing IPv6 access has no effect on 59 RADIUS usage per se, although if it is desired that an IPv6 within IPv4 60 tunnel be opened to a particular location, then tunnel attributes should 61 be utilized, as described in [6],[7]. 63 3.1. Requirements language 65 In this document, the key words "MAY", "MUST, "MUST NOT", "optional", 66 "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as 67 described in [1]. 69 4. Attributes 71 4.1. NAS-IPv6-Address 73 Description 75 This Attribute indicates the identifying IPv6 Address of the NAS 76 which is requesting authentication of the user, and SHOULD be unique 77 to the NAS within the scope of the RADIUS server. NAS-IPv6-Address 78 is only used in Access-Request packets. NAS-IPv6-Address and/or NAS- 79 IP-Address MAY be present in an Access-Request packet; however, if 80 neither attribute is present then NAS-Identifier MUST be present. 82 A summary of the NAS-IPv6-Address Attribute format is shown below. The 83 fields are transmitted from left to right. 85 0 1 2 3 86 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 87 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 88 | Type | Length | Address 89 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 90 Address 91 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 92 Address 93 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 94 Address 95 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 96 Address | 97 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 99 Type 101 TBD for NAS-IPv6-Address 103 Length 105 18 107 Address 109 The Address field is 16 octets. 111 4.2. Framed-Interface-Id 113 Description 115 This Attribute indicates the IPv6 interface identifier to be 116 configured for the user. It MAY be used in Access-Accept packets. It 117 MAY be used in an Access-Request packet as a hint by the NAS to the 118 server that it would prefer that address, but the server is not 119 required to honor the hint. 121 A summary of the Framed-Interface-Id Attribute format is shown below. 122 The fields are transmitted from left to right. 124 0 1 2 3 125 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 126 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 127 | Type | Length | Address 128 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 129 Address 130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 131 Address | 132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 134 Type 136 TBD for Framed-Interface-Id 138 Length 140 10 142 Address 144 The Address field is 8 octets. 146 4.3. Framed-IPv6-Prefix 148 Description 150 This Attribute indicates the IPv6 prefix to be configured for the 151 user. It MAY be used in Access-Accept packets. It MAY be used in an 152 Access-Request packet as a hint by the NAS to the server that it 153 would prefer that address, but the server is not required to honor 154 the hint. 156 A summary of the Framed-IPv6-Prefix Attribute format is shown below. 157 The fields are transmitted from left to right. 159 0 1 2 3 160 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 161 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 162 | Type | Length | Reserved | Prefix | 163 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 164 Address 165 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 166 Address 167 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 168 Address 169 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 170 Address | 171 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 173 Type 175 TBD for Framed-IPv6-Prefix 177 Length 179 At least 2 and no larger than 20. 181 Reserved 183 This field is reserved and MUST be set to zero. 185 Prefix 187 The length of the prefix, in bits. At least 0 and no larger than 128. 189 Address 191 The Address field is up to 16 octets in length. Bits outside of the 192 prefix length, if included, must be zero. 194 4.4. Login-IPv6-Host 196 Description 198 This Attribute indicates the system with which to connect the user, 199 when the Login-Service Attribute is included. It MAY be used in 200 Access-Accept packets. It MAY be used in an Access-Request packet as 201 a hint to the server that the NAS would prefer to use that host, but 202 the server is not required to honor the hint. 204 A summary of the Login-IPv6-Host Attribute format is shown below. The 205 fields are transmitted from left to right. 207 0 1 2 3 208 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 209 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 210 | Type | Length | Address 211 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 212 Address 213 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 214 Address 215 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 216 Address 217 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 218 Address | 219 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 221 Type 223 TBD for Login-IPv6-Host 225 Length 227 18. 229 Address 231 The Address field is 16 octets in length. The value 232 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD 233 allow the user to select an address. The value 0 indicates that the 234 NAS SHOULD select a host to connect the user to. Other values 235 indicate the address the NAS SHOULD connect the user to. 237 4.5. Framed-IPv6-Route 239 Description 241 This Attribute provides routing information to be configured for the 242 user on the NAS. It is used in the Access-Accept packet and can 243 appear multiple times. 245 A summary of the Framed-IPv6-Route Attribute format is shown below. The 246 fields are transmitted from left to right. 248 0 1 2 249 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 250 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- 251 | Type | Length | Text ... 252 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- 254 Type 256 TBD for Framed-IPv6-Route 258 Length 260 >=3 262 Text 264 The Text field is one or more octets, and its contents are 265 implementation dependent. It is intended to be human readable and 266 MUST NOT affect operation of the protocol. It is recommended that 267 the message contain UTF-8 encoded 10646 [2] characters. 269 For IPv6 routes, it SHOULD contain a destination prefix optionally 270 followed by a slash and a decimal length specifier stating how many 271 high order bits of the prefix to use. That is followed by a space, a 272 gateway address, a space, and one or more metrics separated by 273 spaces. 275 Whenever the gateway address is specified as zero the IP address of 276 the user SHOULD be used as the gateway address. 278 5. Table of Attributes 280 The following table provides a guide to which attributes may be found in 281 which kinds of packets, and in what quantity. 283 Request Accept Reject Challenge Accounting # Attribute 284 Request 285 0-1 0 0 0 0-1 TBD NAS-IPv6-Address 286 0-1 0-1 0 0 0-1 TBD Framed-Interface-Id 287 0-1 0-1 0 0 0-1 TBD Framed-IPv6-Prefix 288 0+ 0+ 0 0 0+ TBD Login-IPv6-Host 289 0 0+ 0 0 0+ TBD Framed-IPv6-Route 290 Request Accept Reject Challenge # Attribute 292 6. References 294 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 295 Levels", RFC 2119, March, 1997. 297 [2] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO 298 10646", RFC 2044, October 1996. 300 [3] Aboba, B., and Vollbrecht, J., "Proxy Chaining and Policy 301 Implementation in Roaming", RFC 2607, June 1999. 303 [4] Rigney, C., Rubens, A., Simpson, W., Willens, S., "Remote 304 Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. 306 [5] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. 308 [6] Zorn, G., Mitton, D., Aboba, B., "RADIUS Accounting Modifications 309 for Tunnel Protocol Support", RFC 2867, June 2000. 311 [7] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M., 312 Goyret, I., "RADIUS Attributes for Tunnel Protocol Support", RFC 313 2868, June 2000. 315 [8] Rigney, C., Willats, W., Calhoun, P., "RADIUS Extensions", RFC 316 2869, June 2000. 318 [9] Kent S., Atkinson, R., "Security Architecture for the Internet 319 Protocol", RFC 2401, November 1998. 321 [10] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA 322 Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. 324 [11] Hagino, J., Yamamoto, K., "A RADIUS attribute for IPv6 dialup PPP 325 with static address assignment", draft-itojun-ipv6-dialup- 326 radius-00.txt, July 2000. 328 [12] Haskin, D., and Allen, E., "IP Version 6 over PPP", RFC 2472, 329 December 1998. 331 7. Security Considerations 333 This draft describes the use of RADIUS for the purposes of 334 authentication, authorization and accounting in IPv6-enabled networks. 335 In such networks, the RADIUS protocol may run either over IPv4 or over 336 IPv6. Known security vulnerabilities of the RADIUS protocol are 337 described in [6] and [3]. 339 Since IPSEC [9] is mandatory to implement for IPv6, it is expected that 340 running RADIUS implementations supporting IPv6 will typically run over 341 IPSEC. Where RADIUS is run over IPSEC and where certificates are used 342 for authentication, it may be desirable to avoid management of RADIUS 343 shared secrets, so as to leverage the improved scalability of public key 344 infrastructure. 346 Within RADIUS, a shared secret is used for hiding of attributes such as 347 User-Password [4] and Tunnel-Password [7]. In addition, the shared 348 secret is used in computation of the Response Authenticator [4], as well 349 as the Message-Authenticator attribute [8]. Therefore, in RADIUS a 350 shared secret is used to provide confidentiality as well as integrity 351 protection and authentication. As a result, only use of IPSEC ESP with a 352 non-null transform can provide security services sufficient to 353 substitute for RADIUS application-layer security. Therefore, where IPSEC 354 AH or ESP null is used, it will typically still be necessary to 355 configure a RADIUS shared secret. 357 However, where RADIUS is run over IPSEC ESP with a non-null transform, 358 the secret shared between the NAS and the RADIUS server MAY NOT be 359 configured. In this case, a shared secret of zero length MUST be 360 assumed. 362 8. IANA Considerations 364 This draft requires the assignment of five new RADIUS attribute numbers 365 for the following attributes: 367 NAS-IPv6-Address 368 Framed-Interface-Id 369 Framed-IPv6-Prefix 370 Login-IPv6-Host 371 Framed-IPv6-Route 373 9. Acknowledgments 375 The authors would like to acknowledge Jun-ichiro itojun Hagino of IIJ 376 Research Laboratory, Darran Potter of Cisco and Carl Rigney of Lucent 377 for contributions to this document. 379 10. Authors' Addresses 381 Bernard Aboba 382 Microsoft Corporation 383 One Microsoft Way 384 Redmond, WA 98052 386 EMail: bernarda@microsoft.com 387 Phone: +1 425 936 6605 388 Fax: +1 425 936 7329 390 Glen Zorn 391 Cisco Systems, Inc. 392 500 108th Avenue N.E., Suite 500 393 Bellevue, WA 98004 395 Phone: +1 425 468 0955 396 Email: gwz@cisco.com 398 Dave Mitton 399 Nortel Networks 400 880 Technology Park Drive 401 Billerica, MA 01821 403 Phone: +1 978 288 4570 404 Fax: +1 978 288 3030 405 EMail: dmitton@nortelnetworks.com 407 11. Full Copyright Statement 409 Copyright (C) The Internet Society (2001). All Rights Reserved. 410 This document and translations of it may be copied and furnished to 411 others, and derivative works that comment on or otherwise explain it or 412 assist in its implementation may be prepared, copied, published and 413 distributed, in whole or in part, without restriction of any kind, 414 provided that the above copyright notice and this paragraph are included 415 on all such copies and derivative works. However, this document itself 416 may not be modified in any way, such as by removing the copyright notice 417 or references to the Internet Society or other Internet organizations, 418 except as needed for the purpose of developing Internet standards in 419 which case the procedures for copyrights defined in the Internet 420 Standards process must be followed, or as required to translate it into 421 languages other than English. The limited permissions granted above are 422 perpetual and will not be revoked by the Internet Society or its 423 successors or assigns. This document and the information contained 424 herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE 425 INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR 426 IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 427 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 428 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." 430 12. Expiration Date 432 This memo is filed as , and expires 433 September 1, 2001.