idnits 2.17.1 

draft-calhoun-diameter-authent-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents. 

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  == The page length should not exceed 58 lines per page, but there was 53
     longer pages, the longest (page 2) being 60 lines

  == It seems as if not all pages are separated by form feeds - found 0 form
     feeds but 54 pages


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** There are 21 instances of too long lines in the document, the longest
     one being 1 character in excess of 72.

  ** The abstract seems to contain references ([4], [1]), which it shouldn't.
      Please replace those with straight textual mentions of the documents in
     question.

  == There are 2 instances of lines with private range IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x,
     198.51.100.x or 203.0.113.x.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 2416 has weird spacing: '... copied  and  ...'

  == Line 2417 has weird spacing: '...s,  and  deriv...'

  == Line 2418 has weird spacing: '...blished  and...'

  == Line 2419 has weird spacing: '...ed,  in  whole...'

  == Line 2420 has weird spacing: '...hat the  above...'

  == (5 more instances...)

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. 

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check
     skipped.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: '25' is mentioned on line 1893, but not defined

  == Unused Reference: '11' is defined on line 2344, but no explicit
     reference was found in the text

  == Unused Reference: '13' is defined on line 2350, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2138 (ref. '1') (Obsoleted by RFC 2865)

  == Outdated reference: A later version (-18) exists of
     draft-calhoun-diameter-08

  -- Possible downref: Normative reference to a draft: ref. '2' 

  ** Obsolete normative reference: RFC 2486 (ref. '3') (Obsoleted by RFC 4282)

  ** Downref: Normative reference to an Informational RFC: RFC 2477 (ref. '4')

  -- Possible downref: Normative reference to a draft: ref. '5' 

  -- Possible downref: Non-RFC (?) normative reference: ref. '8'

  ** Obsolete normative reference: RFC 1717 (ref. '9') (Obsoleted by RFC 1990)

  == Outdated reference: A later version (-08) exists of
     draft-calhoun-diameter-res-mgmt-02

  -- Possible downref: Normative reference to a draft: ref. '10' 

  == Outdated reference: A later version (-09) exists of
     draft-calhoun-diameter-framework-02

  -- Possible downref: Normative reference to a draft: ref. '11' 

  == Outdated reference: A later version (-04) exists of
     draft-calhoun-diameter-proxy-02

  -- Possible downref: Normative reference to a draft: ref. '13' 

  ** Downref: Normative reference to an Informational RFC: RFC 2637 (ref.
     '14')

  ** Downref: Normative reference to an Historic RFC: RFC 2341 (ref. '15')

  ** Obsolete normative reference: RFC 2373 (ref. '17') (Obsoleted by RFC
     3513)

  ** Obsolete normative reference: RFC 2401 (ref. '18') (Obsoleted by RFC
     4301)

  ** Obsolete normative reference: RFC 1827 (ref. '21') (Obsoleted by RFC
     2406)

  ** Downref: Normative reference to an Informational RFC: RFC 1701 (ref.
     '22')

  ** Downref: Normative reference to an Informational RFC: RFC 1853 (ref.
     '23')

  ** Obsolete normative reference: RFC 1700 (ref. '24') (Obsoleted by RFC
     3232)


     Summary: 21 errors (**), 0 flaws (~~), 18 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	INTERNET DRAFT                                            Pat R. Calhoun
2	Category: Standards Track                          Sun Microsystems, Inc.
3	Title: draft-calhoun-diameter-authent-08.txt              William Bulley
4	Date: October 1999                                    Merit Network, Inc.

6	                                DIAMETER
7	                      Dial-Up (ROAMOPS) Extensions

9	Status of this Memo

11	   This document is an individual contribution for consideration by the
12	   AAA Working Group of the Internet Engineering Task Force.  Comments
13	   should be submitted to the diameter@ipass.com mailing list.

15	   Distribution of this memo is unlimited.

17	   This document is an Internet-Draft and is in full conformance with
18	   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
19	   documents of the Internet Engineering Task Force (IETF), its areas,
20	   and its working groups.  Note that other groups may also distribute
21	   working documents as Internet-Drafts.

23	   Internet-Drafts are draft documents valid for a maximum of six months
24	   and may be updated, replaced, or obsoleted by other documents at any
25	   time.  It is inappropriate to use Internet-Drafts as reference
26	   material or to cite them other than as "work in progress."

28	   The list of current Internet-Drafts can be accessed at:

30	      http://www.ietf.org/ietf/1id-abstracts.txt

32	   The list of Internet-Draft Shadow Directories can be accessed at:

34	      http://www.ietf.org/shadow.html.

36	Abstract

38	   This document describes the DIAMETER Dial-up User Authentication
39	   Extension that is used for ROAMOPS [4] purposes. This specification
40	   was carefully designed to ease the burden of servers that must act as
41	   RADIUS/DIAMETER gateways, by re-using the same address space that
42	   RADIUS has defined [1]. Further, by re-using the same address space,
43	   it allows a single server to read the same dictiionary for both
44	   DIAMETER and RADIUS. This backward compatibility will hopefully
45	   facilitate deployment of DIAMETER.

47	Table of Contents

49	      1.0  Introduction
50	            1.1  Copyright Statement
51	            1.2  Requirements language
52	            1.3  Changes in version -06
53	            1.4  Changes in version -07
54	      2.0  Command Codes
55	            2.1  AA-Request (AAR)
56	            2.2  AA-Answer (AAA)
57	            2.3  AA-Challenge-Ind (ACI)
58	      3.0  DIAMETER AVPs
59	            3.1  User-Name
60	            3.2  User-Password
61	            3.3  CHAP-Password
62	            3.4  NAS-Port
63	            3.5  Service-Type
64	            3.6  Framed-Protocol
65	            3.7  Framed-IP-Address
66	            3.8  Framed-IP-Netmask
67	            3.9  Framed-Routing
68	            3.10 Filter-Id
69	            3.11 Framed-MTU
70	            3.12 Framed-Compression
71	            3.13 Login-IP-Host
72	            3.14 Login-Service
73	            3.15 Login-TCP-Port
74	            3.16 Reply-Message
75	            3.17 Callback-Number
76	            3.18 Callback-Id
77	            3.19 Framed-Route
78	            3.20 Framed-IPX-Network
79	            3.21 Idle-Timeout
80	            3.22 Called-Station-Id
81	            3.23 Calling-Station-Id
82	            3.24 Login-LAT-Service
83	            3.25 Login-LAT-Node
84	            3.26 Login-LAT-Group
85	            3.27 Framed-AppleTalk-Link
86	            3.28 Framed-AppleTalk-Network
87	            3.29 Framed-AppleTalk-Zone
88	            3.30 CHAP-Challenge
89	            3.31 NAS-Port-Type
90	            3.32 Port-Limit
91	            3.33 Login-LAT-Port
92	            3.34 Tunnel-Type
93	            3.35 Tunnel-Medium-Type
94	            3.36 Tunnel-Client-Endpoint
95	            3.37 Tunnel-Server-Endpoint
96	            3.38 Tunnel-Password
97	            3.39 Tunnel-Private-Group-ID
98	            3.40 Tunnel-Assignment-ID
99	            3.41 Tunnel-Preference
100	            3.42 Tunnel-Client-Auth-ID
101	            3.43 Tunnel-Server-Auth-ID
102	            3.44 Filter-Rule
103	            3.46 Table of AVPs
104	      4.0  Protocol Definition
105	            4.1  Feature Advertisement/Discovery
106	            4.2  Authorization Procedure
107	            4.3  Integration with Resource-Management
108	      5.0  References
109	      6.0  Acknowledgements
110	      7.0  Authors' Addresses
111	      8.0  Full Copyright Statement

113	1.0  Introduction

115	   This document describes the DIAMETER Dial-up User Authentication
116	   Extension that is used for ROAMOPS [4] purposes. This specification
117	   was carefully designed to ease the burden of servers that must act as
118	   RADIUS/DIAMETER gateways, by re-using the same address space that
119	   RADIUS has defined [1]. Further, by re-using the same address space,
120	   it allows a single server to read the same dictiionary for both
121	   DIAMETER and RADIUS. This backward compatibility will hopefully
122	   facilitate deployment of DIAMETER.

124	   The Extension number for this draft is one (1). This value is used in
125	   the Extension-Id AVP as defined in [2].

127	1.1  Copyright Statement

129	   Copyright   (C) The Internet Society 1999.  All Rights Reserved.

131	1.2  Requirements language

133	   In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
134	   "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
135	   described in [12].

137	1.3  Changes in version -06
138	   The following changes have been made to version 06:

140	      - Changes to AVP Header Flags

142	      - Change to the document title

144	      - Changed the Command-Specific AVP Flags in all command codes
145	      defined.

147	      - Added a reference to RFC 1994 (CHAP)

149	1.4  Changes in version -07

151	   The following changes have been made to version 07:

153	      - Changed the Filter-Rule AVP from 280 to 300

155	      - Changed the Framed-Password-Policy AVP from 280 to 301

157	1.5  Changes in version -08

159	   The following changes have been mde to version 08:

161	      - Removed the Framed-Password-Policy AVP since it is no longer
162	      needed with the removal of the DDR/DDA commands.

164	      - Fixed up the text in most of all AVPs where the statement
165	      introducing the AVP format was present prior to the header.

167	      - Added the various AVPs necessary to support Tunneling.

169	2.0  Command Codes

171	   This document defines the following DIAMETER Commands. All DIAMETER
172	   implementations supporting this extension MUST support all of the
173	   following commands:

175	      Command Name          Command Code
176	      -----------------------------------
177	      AA-Request                263
178	      AA-Answer                 264
179	      AA-Challenge-Ind          265

181	2.1  AA-Request (AAR)
182	   Description

184	      The AA-Request message is used in order to request authentication
185	      and authorization for a given user.

187	      If Authentication is requested the User-Name attribute MUST be
188	      present. If only Authorization is required it is possible to
189	      authorize based on DNIS and ANI instead. However, it is not
190	      possible to authenticate using a User-Name AVP and later
191	      requesting authorization based on DNIS using the same Session-Id
192	      (although the inverse is legal).

194	      Note that the flag field MAY be used in this command in order to
195	      indicate that either Authentication-Only or Authorization-Only is
196	      required for the request. If the Authentication-Only bit is set
197	      the response MUST NOT include any authorization information. Both
198	      the Authenticate and Authorize bits MUST NOT be set at the same
199	      time. To ensure that a user is both authenticated and authorized,
200	      neither flag is set.

202	      The AA-Request message MUST include a unique Session-Id AVP. If
203	      The AA-Request is a result of a successful AA-Challenge-Ind the
204	      Session-Id MUST be identical to the one provided in the initial
205	      AA-Request.

207	   Message Format

209	      Section 3.46 contains a complete list of all valid AVPs for this
210	      message.

212	      <AA-Request> ::= <DIAMETER Header>
213	                       <AA-Request Command AVP>
214	                       <Session-Id AVP>
215	                       <Host-IP-Address AVP>
216	                       [<Host-Name AVP>]
217	                       [<Proxy-State AVP>]
218	                       [<Class AVP>]
219	                       [<State AVP>]
220	                       {<User-Name AVP> ||
221	                        <Called-Station-Id AVP }
222	                       <Miscellaneous AVPs>
223	                       <Timestamp AVP>
224	                       <Nonce AVP>
225	                       {<Integrity-Check-Vector AVP> ||
226	                        <Digital-Signature AVP }

228	   The length of the DIAMETER Command AVP must be 12 when the Command
229	   Code is set to 263 (AA-Request).

231	   The following Command-specific bits may be set in the AA-Request's
232	   Command Flag field of the AVP Header:

234	      The 'C' (Authentication-only) bit may be set to indicate that only
235	      authentication of the user is required, and that no authorization
236	      should be performed. Additionally, no authorization information is
237	      expected in the AA-Response command.

239	      The 'Z' (Authorization-Only) bit may be set to indicate that only
240	      authorization of the user is requested and that no authentication
241	      is required. When this bit is set, no user authentication AVPs
242	      (i.e.  User-Password, etc.) will be present in the request.

244	2.2  AA-Answer (AAA)

246	   Description

248	      The AA-Answer message is used in order to indicate that
249	      Authentication and/or authorization was successful. If
250	      authorization was requested a list of AVPs with the authorization
251	      information MUST be attached to the message (see section 3.36).

253	      The AA-Answer message MUST include the Session-Id AVP that was
254	      present in the AA-Request. The AA-Answer MUST also include the
255	      Host-Name AVP and the Result-Code AVP to indicate the status of
256	      the session. The following error codes are defined for this
257	      message:

259	         DIAMETER_ERROR_UNKNOWN_DOMAIN       1
260	            This error code is used to indicate to the initiator of the
261	            request that the requested domain is unknown and cannot be
262	            resolved.

264	         DIAMETER_ERROR_USER_UNKNOWN         2
265	            This error code is used to indicate to the initiator that
266	            the username request is not valid.

268	         DIAMETER_ERROR_BAD_PASSWORD         3
269	            This error code indicates that the password provided is
270	            invalid.

272	         DIAMETER_ERROR_CANNOT_AUTHORIZE     4
273	            This error code is used to indicate that the user cannot be
274	            authorized due to the fact that the user has expended the
275	            servers local resources.  This could be a result that the
276	            server believes that the user already has an active session,
277	            or that the user has already spent the number of credits in
278	            his/her account, etc.

280	      Note that the flag field MUST be set to the same value that was
281	      found in the AA-Request message.

283	   Message Format

285	      Section 3.46 contains a complete list of all valid AVPs for this
286	      message.

288	      <AA-Answer> ::= <DIAMETER Header>
289	                       <AA-Answer Command AVP>
290	                       <Session-Id AVP>
291	                       <Result-Code AVP>
292	                       [<Error-Code AVP>]
293	                       <Host-IP-Address AVP>
294	                       [<Host-Name AVP>]
295	                       [<Session-Timeout AVP>]
296	                       [<Proxy-State AVP>]
297	                       [<Class AVP>]
298	                       [<State AVP>]
299	                       <Miscellaneous AVPs>
300	                       <Timestamp AVP>
301	                       <Nonce AVP>
302	                       {<Integrity-Check-Vector AVP> ||
303	                        <Digital-Signature AVP }

305	   The length of the DIAMETER Command AVP must be 12 when the Command
306	   Code is set to 264 (AA-Answer).

308	   The following Command-specific bits may be set in the AA-Request's
309	   Command Flag field of the AVP Header:

311	      The 'C' (Authentication-only) bit may be set to indicate that only
312	      authentication of the user is required, and that no authorization
313	      should be performed. Additionally, no authorization information is
314	      expected in the AA-Response command.

316	      The 'Z' (Authorization-Only) bit may be set to indicate that only
317	      authorization of the user is requested and that no authentication
318	      is required. When this bit is set, no user authentication AVPs
319	      (i.e.  User-Password, etc.) will be present in the request.

321	2.3  AA-Challenge-Ind (AACI)

323	   Description
324	      If the DIAMETER server desires to send the user a challenge
325	      requiring a response, then the DIAMETER server MUST respond to the
326	      AA-Request by transmitting a message with the Code field set to
327	      265 (AA-Challenge-Ind).

329	      The message MAY have one or more Reply-Message AVP, and MAY have a
330	      single State AVP, or none.  No other AVPs are permitted in an AA-
331	      Challenge-Ind other than the Integrity-Check-Vector or Digital-
332	      Signature AVP as defined in [2].

334	      On receipt of an AA-Challenge-Ind, the Identifier field is matched
335	      with a pending AA-Request. Invalid messages are silently
336	      discarded.

338	      The receipt of a valid AA-Challenge-Ind indicates that a new AA-
339	      Request SHOULD be sent. The NAS MAY display the text message, if
340	      any, to the user, and then prompt the user for a response.  It
341	      then sends its original Acess-Request with a new request ID, with
342	      the User-Password AVP replaced by the user's response (encrypted),
343	      and including the State AVP from the AA-Challenge-Ind, if any.
344	      Only zero or one instances of the State Attribute can be present
345	      in an AA-Request.

347	      A NAS which supports PAP MAY forward the Reply-Message to the
348	      dialin client and accept a PAP response which it can use as though
349	      the user had entered the response.  If the NAS cannot do so, it
350	      should treat the AA-Challenge-Ind as though it had received an
351	      AA-Answer with a Result-Code AVP set to a value other than
352	      DIAMETER_SUCCESS instead.

354	      It is preferable to use EAP [5] instead of the AA-Challenge-Ind,
355	      yet it has been maintained for backward compatibility.

357	      The AA-Challenge-Ind message MUST include the Session-Id AVP that
358	      was present in the AA-Request and MUST include the same flag value
359	      that was found in the AA-Request.

361	      Section 3.46 contains a complete list of all valid AVPs for this
362	      message.

364	      AA-Challenge-Ind ::= <DIAMETER Header>
365	                           <AA-Challenge-Ind Command AVP>
366	                           <Session-Id AVP>
367	                           <Result-Code AVP>
368	                           [<Error-Code AVP>]
369	                           <Host-IP-Address AVP>
370	                           [<Host-Name AVP>]
371	                           [<Proxy-State AVP>]
372	                           [<Class AVP>]
373	                           [<State AVP>]
374	                           <Reply-Message AVPs>
375	                           <Timestamp AVP>
376	                           <Nonce AVP>
377	                           {<Integrity-Check-Vector AVP> ||
378	                            <Digital-Signature AVP }

380	   The length of the DIAMETER Command AVP must be 12 when the Command
381	   Code is set to  265 (AA-Challenge-Ind).

383	   The following Command-specific bits may be set in the AA-Request's
384	   Command Flag field of the AVP Header:

386	      The 'C' (Authentication-only) bit may be set to indicate that only
387	      authentication of the user is required, and that no authorization
388	      should be performed. Additionally, no authorization information is
389	      expected in the AA-Response command.

391	      The 'Z' (Authorization-Only) bit may be set to indicate that only
392	      authorization of the user is requested and that no authentication
393	      is required. When this bit is set, no user authentication AVPs
394	      (i.e.  User-Password, etc.) will be present in the request.

396	3.0  DIAMETER AVPs

398	   This section will define the mandatory AVPs which MUST be supported
399	   by all DIAMETER implementations supporting this extension. The
400	   following AVPs are defined in this document:

402	      Attribute Name       Attribute Code    Definition in Section
403	      ------------------------------------------------------------
404	      User-Name                   1                   3.1
405	      User-Password               2                   3.2
406	      CHAP-Password               3                   3.3
407	      NAS-Port                    5                   3.4
408	      Service-Type                6                   3.5
409	      Framed-Protocol             7                   3.6
410	      Framed-IP-Address           8                   3.7
411	      Framed-IP-Netmask           9                   3.8
412	      Framed-Routing             10                   3.9
413	      Filter-Id                  11                   3.10
414	      Framed-MTU                 12                   3.11
415	      Framed-Compression         13                   3.12
416	      Login-IP-Host              14                   3.13
417	      Login-Service              15                   3.14
418	      Login-TCP-Port             16                   3.15
419	      Reply-Message              18                   3.16
420	      Callback-Number            19                   3.17
421	      Callback-Id                20                   3.18
422	      Framed-Route               22                   3.19
423	      Framed-IPX-Network         23                   3.20
424	      Idle-Timeout               28                   3.21
425	      Called-Station-Id          30                   3.22
426	      Calling-Station-Id         31                   3.23
427	      Login-LAT-Service          34                   3.24
428	      Login-LAT-Node             35                   3.25
429	      Login-LAT-Group            36                   3.26
430	      Framed-AppleTalk-Link      37                   3.27
431	      Framed-AppleTalk-Network   38                   3.28
432	      Framed-AppleTalk-Zone      39                   3.29
433	      CHAP-Challenge             60                   3.30
434	      NAS-Port-Type              61                   3.31
435	      Port-Limit                 62                   3.32
436	      Login-LAT-Port             63                   3.33
437	      Tunnel-Type                64                   3.34
438	      Tunnel-Medium-Type         65                   3.35
439	      Tunnel-Client-Endpoint     66                   3.36
440	      Tunnel-Server-Endpoint     67                   3.37
441	      Tunnel-Password            69                   3.38
442	      Tunnel-Private-Group-ID    81                   3.39
443	      Tunnel-Assignment-ID       82                   3.40
444	      Tunnel-Preference          83                   3.41
445	      Tunnel-Client-Auth-ID      90                   3.42
446	      Tunnel-Server-Auth-ID      91                   3.43
447	      Filter-Rule               300                   3.44

449	3.1  User-Name

451	   Description

453	      This AVP indicates the name of the user to be authenticated.  It
454	      is normally used in AA-Request messages, but MAY be present in the
455	      AA-Answer message.

457	   AVP Format
458	      0                   1                   2                   3
459	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
460	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
461	                         AVP Header (AVP Code = 1)
462	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
463	      |   String ...
464	      +-+-+-+-+-+-+-+-+

466	      AVP Flags

468	         The 'M' bit MUST be set. The 'H' MAY be set, but the 'E' bit
469	         MUST NOT be set since proxy servers would have no knowledge of
470	         the user's domain. The 'V', 'T' and the 'P' bits MUST NOT be
471	         set.

473	      String

475	         The String field is one or more octets. All DIAMETER systems
476	         SHOULD support User-Name lengths of at least 63 octets. The
477	         format of the User-Name SHOULD follow the format defined in
478	         [3].

480	3.2  User-Password

482	   Description

484	      This AVP indicates the password of the user to be authenticated,
485	      or the user's input following an AA-Challenge.  It is only used in
486	      AA-Request messages.

488	      This AVP MUST be encrypted using one of the methods described in
489	      [2]. The use of this AVP with shared secret encryption is strongly
490	      discouraged by the author due to the security implications in a
491	      proxy environment, yet the support of this attribute has been
492	      retained for RADIUS backward compability.

494	   AVP Format

496	      0                   1                   2                   3
497	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
498	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
499	                         AVP Header (AVP Code = 2)
500	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
501	      |    Data ...
502	      +-+-+-+-+-+-+-+-+

504	      AVP Length
505	         The length of this attribute MUST be at least 24 and MUST be no
506	         larger than 136.

508	      AVP Flags

510	         The 'M' bit MUST be set. Either the 'H' or the 'E' bit MUST be
511	         set depending upon the security model used. The 'V', 'T' and
512	         the 'P' bits MUST NOT be set.

514	         The AVP Flags field MUST have bit one (Mandatory Support) set.
515	         One of the AVP Encryption bits MUST be set.

517	      Data

519	         The Data field is between 16 and 128 octets long, inclusive.

521	3.3  CHAP-Password

523	   Description

525	      This AVP indicates the response value provided by a PPP
526	      Challenge-Handshake Authentication Protocol (CHAP) user in
527	      response to the challenge. It is only used in AA-Request messages.

529	      If the CHAP-Password AVP is found in a message, the CHAP-Challenge
530	      AVP (60) MUST be present as well.

532	   AVP Format

534	      0                   1                   2                   3
535	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
536	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
537	                         AVP Header (AVP Code = 3)
538	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
539	      |  CHAP Ident   |    Data ...
540	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

542	      AVP Length

544	         The length of this attribute MUST be 25.

546	      AVP Flags

548	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
549	         upon the security model used. The 'V', 'T' and the 'P' bits
550	         MUST NOT be set.

552	      CHAP Ident

554	         This field is one octet, and contains the CHAP Identifier from
555	         the user's CHAP Response.

557	      Data

559	         The Data field is 16 octets, and contains the CHAP Response
560	         from the user. The actual computation of the CHAP challenge can
561	         be found in [6].

563	3.4  NAS-Port

565	   Description

567	      This AVP indicates the physical port number of the NAS which is
568	      authenticating the user. It is normally only used in AA-Request
569	      messages (see section 2.2 for more info). Note that this is using
570	      "port" in its sense of a physical connection on the NAS, not in
571	      the sense of a TCP or UDP port number. Either NAS-Port or NAS-
572	      Port-Type (61) or both SHOULD be present in an AA-Request message,
573	      if the NAS differentiates among its ports.

575	   AVP Format

577	      0                   1                   2                   3
578	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
579	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
580	                         AVP Header (AVP Code = 5)
581	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
582	      |                           Integer32                           |
583	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

585	      AVP Flags

587	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
588	         upon the security model used. The 'V', 'T' and the 'P' bits
589	         MUST NOT be set.

591	      Integer32

593	         The Integer32 field is four octets.

595	3.5  Service-Type

597	   Description
598	      This AVP indicates the type of service the user has requested, or
599	      the type of service to be provided. It MAY be used in both AA-
600	      Request and AA-Answer messages. A NAS is not required to implement
601	      all of these service types, and MUST treat unknown or unsupported
602	      Service-Types as though an AA-Answer with a Result-Code other than
603	      DIAMETER-SUCCESS had been received instead.

605	   AVP Format

607	      0                   1                   2                   3
608	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
609	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
610	                         AVP Header (AVP Code = 6)
611	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
612	      |                           Integer32                           |
613	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

615	      AVP Flags

617	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
618	         upon the security model used. The 'V', 'T' and the 'P' bits
619	         MUST NOT be set.

621	      Integer32

623	         The Integer32 field is four octets.

625	            1      Login
626	            2      Framed
627	            3      Callback Login
628	            4      Callback Framed
629	            5      Outbound
630	            6      Administrative
631	            7      NAS Prompt
632	            8      Authenticate Only
633	            9      Callback NAS Prompt

635	            The service types are defined as follows when used in an
636	            AA-Answer. When used in an AA-Request, they should be
637	            considered to be a hint to the DIAMETER server that the NAS
638	            has reason to believe the user would prefer the kind of
639	            service indicated, but the server is not required to honor
640	            the hint.

642	            Login               The user should be connected to a host.

644	            Framed              A Framed Protocol should be started for
645	                                the User, such as PPP or SLIP.

647	            Callback Login      The user should be disconnected and
648	                                calledback, then connected to a host.

650	            Callback Framed     The user should be disconnected and
651	                                called back, then a Framed Protocol
652	                                should be started for the User, such as
653	                                PPP or SLIP.

655	            Outbound            The user should be granted access to
656	                                outgoing devices.

658	            Administrative      The user should be granted access to the
659	                                administrative interface to the NAS from
660	                                which privileged commands can be
661	                                executed.

663	            NAS Prompt          The user should be provided a command
664	                                prompt on the NAS from which non-
665	                                privileged commands can be executed.

667	            Authenticate Only   Only Authentication is requested, and no
668	                                authorization information needs to be
669	                                returned in the AA-Answer (typically
670	                                used by proxy servers rather than the
671	                                NAS itself).This SHOULD NOT be used in
672	                                DIAMETER, yet it is maintained for
673	                                backward compatibility.

675	            Callback NAS Prompt The user should be disconnected and
676	                                called back, then provided a command
677	                                prompt on the NAS from which non-
678	                                privileged commands can be executed.

680	3.6  Framed-Protocol

682	   Description

684	      This AVP indicates the framing to be used for framed access.  It
685	      MAY be used in both AA-Request and AA-Answer messages.

687	   AVP Format
688	      0                   1                   2                   3
689	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
690	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
691	                         AVP Header (AVP Code = 7)
692	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
693	      |                           Integer32                           |
694	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

696	      AVP Flags

698	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
699	         upon the security model used. The 'V', 'T' and the 'P' bits
700	         MUST NOT be set.

702	      Integer32

704	         The Integer32 field is four octets.

706	            1      PPP
707	            2      SLIP
708	            3      AppleTalk Remote Access Protocol (ARAP)
709	            4      Gandalf proprietary SingleLink/MultiLink protocol
710	            5      Xylogics proprietary IPX/SLIP

712	3.7  Framed-IP-Address

714	   Description

716	      This AVP indicates the address to be configured for the user. It
717	      MAY be used in AA-Request messages as a hint by the NAS to the
718	      server that it would prefer that address, but the server is not
719	      required to honor the hint.

721	   AVP Format

723	      0                   1                   2                   3
724	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
725	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
726	                         AVP Header (AVP Code = 8)
727	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
728	      |                            Address                            |
729	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

731	      AVP Flags

733	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
734	         upon the security model used. The 'V', 'T' and the 'P' bits
735	         MUST NOT be set.

737	      Address

739	         The Address field is four octets. The value 0xFFFFFFFF
740	         indicates that the NAS should allow the user to select an
741	         address (e.g.  Negotiated). The value 0xFFFFFFFE indicates that
742	         the NAS should select an address for the user (e.g. Assigned
743	         from a pool of addresses kept by the NAS). Other valid values
744	         indicate that the NAS should use that value as the user's IP
745	         address.

747	3.8  Framed-IP-Netmask

749	   Description

751	      This AVP indicates the IP netmask to be configured for the user
752	      when the user is a router to a network. It MUST be used in AA-
753	      Answer messages if the Framed-IP-Address AVP was returned with a
754	      value other than 0xFFFFFFFF. It MAY be used in an AA-Request
755	      message as a hint by the NAS to the server that it would prefer
756	      that netmask, but the server is not required to honor the hint.

758	   AVP Format

760	      0                   1                   2                   3
761	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
762	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
763	                         AVP Header (AVP Code = 9)
764	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
765	      |                            Address                            |
766	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

768	      AVP Flags

770	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
771	         upon the security model used. The 'V', 'T' and the 'P' bits
772	         MUST NOT be set.

774	      Address

776	         The Address field is four octets specifying the IP netmask of
777	         the user.

779	3.9  Framed-Routing
780	   Description

782	      This AVP indicates the routing method for the user, when the user
783	      is a router to a network. It is only used in AA-Answer messages.

785	   AVP Format

787	      0                   1                   2                   3
788	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
789	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
790	                         AVP Header (AVP Code = 10)
791	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
792	      |                            Integer32                          |
793	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

795	      AVP Flags

797	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
798	         upon the security model used. The 'V', 'T' and the 'P' bits
799	         MUST NOT be set.

801	      Integer32

803	         The Integer32 field is four octets.

805	            0      None
806	            1      Send routing packets
807	            2      Listen for routing packets
808	            3      Send and Listen

810	3.10  Filter-Id

812	   Description

814	      This AVP indicates the name of the filter list for this user. Zero
815	      or more Filter-Id attributes MAY be sent in an AA-Answer message.

817	      Identifying a filter list by name allows the filter to be used on
818	      different NASes without regard to filter-list implementation
819	      details. However, this AVP is not roaming friendly since filter
820	      naming differs from one service provider to another.

822	      It is strongly encouraged to support the Filter-Rule AVP instead.

824	   AVP Format
825	      0                   1                   2                   3
826	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
827	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
828	                         AVP Header (AVP Code = 11)
829	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
830	      |   String ...
831	      +-+-+-+-+-+-+-+-+

833	      AVP Flags

835	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
836	         upon the security model used. The 'V', 'T' and the 'P' bits
837	         MUST NOT be set.

839	      String

841	         The String field is one or more octets, and its contents are
842	         implementation dependent. It is intended to be human readable
843	         and MUST NOT affect operation of the protocol. It is
844	         recommended that the message contain displayable ASCII
845	         characters from the range 32 through 126 decimal.

847	3.11  Framed-MTU

849	   Description

851	      This AVP indicates the Maximum Transmission Unit to be configured
852	      for the user, when it is not negotiated by some other means (such
853	      as PPP). It is only used in AA-Answer messages.

855	   AVP Format

857	      0                   1                   2                   3
858	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
859	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
860	                         AVP Header (AVP Code = 12)
861	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
862	      |                           Integer32                           |
863	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

865	      AVP Flags

867	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
868	         upon the security model used. The 'V', 'T' and the 'P' bits
869	         MUST NOT be set.

871	      Integer32
872	         The Integer32 field is four octets. Despite the size of the
873	         field, values range from 64 to 65535.

875	3.12  Framed-Compression

877	   Description

879	      This AVP indicates a compression protocol to be used for the link.
880	      It MAY be used in AA-Answer messages. It MAY be used in an AA-
881	      Request message as a hint to the server that the NAS would prefer
882	      to use that compression, but the server is not required to honor
883	      the hint.

885	      More than one compression protocol AVP MAY be sent. It is the
886	      responsibility of the NAS to apply the proper compression protocol
887	      to appropriate link traffic.

889	   AVP Format

891	      0                   1                   2                   3
892	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
893	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
894	                         AVP Header (AVP Code = 13)
895	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
896	      |                           Integer32                           |
897	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

899	      AVP Flags

901	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
902	         upon the security model used. The 'V', 'T' and the 'P' bits
903	         MUST NOT be set.

905	      Integer32

907	         The Integer32 field is four octets.

909	            0      None
910	            1      VJ TCP/IP header compression [7]
911	            2      IPX header compression

913	3.13  Login-IP-Host

915	   Description

917	      This AVP indicates the system with which to connect the user, when
918	      the Login-Service AVP is included. It MAY be used in AA-Answer
919	      messages. It MAY be used in an AA-Request message as a hint to the
920	      server that the NAS would prefer to use that host, but the server
921	      is not required to honor the hint.

923	   AVP Format

925	      0                   1                   2                   3
926	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
927	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
928	                         AVP Header (AVP Code = 14)
929	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
930	      |                            Address                            |
931	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

933	      AVP Flags

935	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
936	         upon the security model used. The 'V', 'T' and the 'P' bits
937	         MUST NOT be set.

939	      Address

941	         The Address field is four octets. The value 0xFFFFFFFF
942	         indicates that the NAS SHOULD allow the user to select an
943	         address. The value zero indicates that the NAS SHOULD select a
944	         host to connect the user to. Other values indicate the address
945	         the NAS SHOULD connect the user to.

947	3.14  Login-Service

949	   Description

951	      This AVP indicates the service which should be used to connect the
952	      user to the login host. It is only used in AA-Answer messages.

954	   AVP Format

956	      0                   1                   2                   3
957	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
958	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
959	                         AVP Header (AVP Code = 15)
960	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
961	      |                           Integer32                           |
962	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

964	      AVP Flags
965	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
966	         upon the security model used. The 'V', 'T' and the 'P' bits
967	         MUST NOT be set.

969	      Integer32

971	         The Integer32 field is four octets.

973	            0      Telnet
974	            1      Rlogin
975	            2      TCP Clear
976	            3      PortMaster (proprietary)
977	            4      LAT

979	3.15  Login-TCP-Port

981	   Description

983	      This AVP indicates the TCP port with which the user is to be
984	      connected, when the Login-Service AVP is also present. It is only
985	      used in AA-Answer messages.

987	   AVP Format

989	      0                   1                   2                   3
990	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
991	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
992	                         AVP Header (AVP Code = 16)
993	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
994	      |                           Integer32                           |
995	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

997	      AVP Flags

999	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1000	         upon the security model used. The 'V', 'T' and the 'P' bits
1001	         MUST NOT be set.

1003	      Integer32

1005	         The Integer32 field is four octets. Despite the size of the
1006	         field, values range from zero to 65535.

1008	3.16  Reply-Message

1010	   Description
1011	      This AVP indicates text which MAY be displayed to the user.

1013	      When used in an AA-Answer message with a successful Result-Code
1014	      AVP it indicates the success message. When found in the same
1015	      message with a Result-Code other than DIAMETER-SUCCESS it contains
1016	      the failure message.

1018	      It MAY indicate a dialog message to prompt the user before another
1019	      AA-Request attempt.

1021	      When used in an AA-Challenge, it MAY indicate a dialog message to
1022	      prompt the user for a response.

1024	      Multiple Reply-Message's MAY be included and if any are displayed,
1025	      they MUST be displayed in the same order as they appear in the
1026	      message.

1028	   AVP Format

1030	      0                   1                   2                   3
1031	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1032	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1033	                         AVP Header (AVP Code = 18)
1034	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1035	      |   String ...
1036	      +-+-+-+-+-+-+-+-+

1038	      AVP Flags

1040	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1041	         upon the security model used. The 'V', 'T' and the 'P' bits
1042	         MUST NOT be set.

1044	      String

1046	         The String field is one or more octets, and its contents are
1047	         implementation dependent. It is intended to be human readable,
1048	         and MUST NOT affect operation of the protocol. It is
1049	         recommended that the message contain displayable ASCII
1050	         characters from the range 10, 13, and 32 through 126 decimal.
1051	         Mechanisms for extension to other character sets are beyond the
1052	         scope of this specification.

1054	3.17  Callback-Number

1056	   Description
1057	      This AVP indicates a dialing string to be used for callback.  It
1058	      MAY be used in AA-Answer messages. It MAY be used in an AA-Request
1059	      message as a hint to the server that a Callback service is
1060	      desired, but the server is not required to honor the hint.

1062	   AVP Format

1064	      0                   1                   2                   3
1065	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1066	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1067	                         AVP Header (AVP Code = 19)
1068	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1069	      |   String ...
1070	      +-+-+-+-+-+-+-+-+

1072	      AVP Flags

1074	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1075	         upon the security model used. The 'V', 'T' and the 'P' bits
1076	         MUST NOT be set.

1078	      String

1080	         The String field is one or more octets. The actual format of
1081	         the information is site or application specific, and a robust
1082	         implementation SHOULD support the field as undistinguished
1083	         octets.

1085	         The codification of the range of allowed usage of this field is
1086	         outside the scope of this specification.

1088	3.18  Callback-Id

1090	   Description

1092	      This AVP indicates the name of a place to be called, to be
1093	      interpreted by the NAS. It MAY be used in AA-Answer messages.

1095	      This AVP is not roaming friendly since it assumes that the
1096	      Callback-Id is configured on the NAS. It is therefore preferable
1097	      to use the Callback-Number AVP instead.

1099	   AVP Format
1100	      0                   1                   2                   3
1101	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1102	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1103	                         AVP Header (AVP Code = 20)
1104	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1105	      |   String ...
1106	      +-+-+-+-+-+-+-+-+

1108	      AVP Flags

1110	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1111	         upon the security model used. The 'V', 'T' and the 'P' bits
1112	         MUST NOT be set.

1114	      String

1116	         The String field is one or more octets. The actual format of
1117	         the information is site or application specific, and a robust
1118	         implementation SHOULD support the field as undistinguished
1119	         octets.  The codification of the range of allowed usage of this
1120	         field is outside the scope of this specification.

1122	3.19  Framed-IP-Route

1124	   Description

1126	      This AVP provides routing information to be configured for the
1127	      user on the NAS. It is used in the AA-Answer message and can
1128	      appear multiple times.

1130	   AVP Format

1132	      0                   1                   2                   3
1133	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1134	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1135	                         AVP Header (AVP Code = 22)
1136	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1137	      |   String ...
1138	      +-+-+-+-+-+-+-+-+

1140	      AVP Flags

1142	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1143	         upon the security model used. The 'V', 'T' and the 'P' bits
1144	         MUST NOT be set.

1146	      String
1147	         It MUST contain a destination prefix in dotted quad form
1148	         optionally followed by a slash and a decimal length specifier
1149	         stating how many high order bits of the prefix should be used.
1150	         That is followed by a space, a gateway address in dotted quad
1151	         form, a space, and one or more metrics separated by spaces. For
1152	         example, "192.168.1.0/24 192.168.1.1 1".

1154	         The length specifier may be omitted in which case it should
1155	         default to 8 bits for class A prefixes, 16 bits for class B
1156	         prefixes, and 24 bits for class C prefixes. For example,
1157	         "192.168.1.0 192.168.1.1 1".

1159	         Whenever the gateway address is specified as "0.0.0.0" the IP
1160	         address of the user SHOULD be used as the gateway address.

1162	3.20  Framed-IPX-Network

1164	   Description

1166	      This AVP indicates the IPX Network number to be configured for the
1167	      user. It is used in AA-Answer messages.

1169	   AVP Format

1171	      0                   1                   2                   3
1172	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1173	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1174	                         AVP Header (AVP Code = 23)
1175	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1176	      |                           Integer32                           |
1177	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1179	      AVP Flags

1181	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1182	         upon the security model used. The 'V', 'T' and the 'P' bits
1183	         MUST NOT be set.

1185	      Integer32

1187	         The Integer32 field is four octets. The value 0xFFFFFFFF
1188	         indicates that the NAS should allow the user to select an
1189	         address (e.g.  Negotiated). The value 0xFFFFFFFE indicates that
1190	         the NAS should select an address for the user (e.g. assigned
1191	         from a pool of one or more IPX networks kept by the NAS). Other
1192	         values should be used as the IPX network for the link to the
1193	         user.

1195	3.21  Idle-Timeout

1197	   Description

1199	      This AVP sets the maximum number of consecutive seconds of idle
1200	      connection allowed to the user before termination of the session
1201	      or prompt. This AVP is available to be sent by the server to the
1202	      client in an AA-Answer or AA-Challenge.

1204	   AVP Format

1206	      0                   1                   2                   3
1207	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1208	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1209	                         AVP Header (AVP Code = 28)
1210	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1211	      |                           Integer32                           |
1212	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1214	      AVP Flags

1216	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1217	         upon the security model used. The 'V', 'T' and the 'P' bits
1218	         MUST NOT be set.

1220	      Integer32

1222	         The Integer32 field is 4 octets, containing a 32-bit unsigned
1223	         integer with the maximum number of consecutive seconds of idle
1224	         time this user should be permitted before being disconnected by
1225	         the NAS.

1227	3.22  Called-Station-Id

1229	   Description

1231	      This AVP allows the NAS to send in the AA-Request message the
1232	      phone number that the user called, using Dialed Number
1233	      Identification (DNIS) or similar technology. Note that this may be
1234	      different from the phone number the call comes in on. It is only
1235	      used in AA-Request messages.

1237	      If the Authorization-Only flag is set in the message and the
1238	      User-Name AVP is absent, the DIAMETER Server MUST perform
1239	      authorization based on this field. This can be used by a NAS to
1240	      request whether a call should be answered based on the DNIS.

1242	   AVP Format

1244	      0                   1                   2                   3
1245	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1246	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1247	                         AVP Header (AVP Code = 30)
1248	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1249	      |   String ...
1250	      +-+-+-+-+-+-+-+-+

1252	      AVP Flags

1254	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1255	         upon the security model used. The 'V', 'T' and the 'P' bits
1256	         MUST NOT be set.

1258	      String

1260	         The String field is one or more octets, containing the phone
1261	         number that the user's call came in on.

1263	         The actual format of the information is site or application
1264	         specific. Printable ASCII is recommended, but a robust
1265	         implementation SHOULD support the field as undistinguished
1266	         octets.

1268	         The codification of the range of allowed usage of this field is
1269	         outside the scope of this specification.

1271	3.23  Calling-Station-Id

1273	   Description

1275	      This AVP allows the NAS to send in the AA-Request message the
1276	      phone number that the call came from, using Automatic Number
1277	      Identification (ANI) or similar technology. It is only used in
1278	      AA-Request messages.

1280	      If the Authorization-Only flag is set in the message and the
1281	      User-Name AVP is absent, the DIAMETER Server must perform
1282	      authorization based on this field. This can be used by a NAS to
1283	      request whether a call should be answered based on the ANI.

1285	   AVP Format
1286	      0                   1                   2                   3
1287	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1288	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1289	                         AVP Header (AVP Code = 31)
1290	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1291	      |   String ...
1292	      +-+-+-+-+-+-+-+-+

1294	      AVP Flags

1296	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1297	         upon the security model used. The 'V', 'T' and the 'P' bits
1298	         MUST NOT be set.

1300	      String

1302	         The String field is one or more octets, containing the phone
1303	         number that the user placed the call from.

1305	         The actual format of the information is site or application
1306	         specific. Printable ASCII is recommended, but a robust
1307	         implementation SHOULD support the field as undistinguished
1308	         octets.

1310	         The codification of the range of allowed usage of this field is
1311	         outside the scope of this specification.

1313	3.24  Login-LAT-Service

1315	   Description

1317	      This AVP indicates the system with which the user is to be
1318	      connected by LAT. It MAY be used in AA-Answer messages, but only
1319	      when LAT is specified as the Login-Service. It MAY be used in an
1320	      AA-Request message as a hint to the server, but the server is not
1321	      required to honor the hint.

1323	      Administrators use the service attribute when dealing with
1324	      clustered systems, such as a VAX or Alpha cluster. In such an
1325	      environment several different time sharing hosts share the same
1326	      resources (disks, printers, etc.), and administrators often
1327	      configure each to offer access (service) to each of the shared
1328	      resources. In this case, each host in the cluster advertises its
1329	      services through LAT broadcasts.

1331	      Sophisticated users often know which service providers (machines)
1332	      are faster and tend to use a node name when initiating a LAT
1333	      connection. Alternately, some administrators want particular users
1334	      to use certain machines as a primitive form of load balancing
1335	      (although LAT knows how to do load balancing itself).

1337	   AVP Format

1339	      0                   1                   2                   3
1340	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1341	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1342	                         AVP Header (AVP Code = 34)
1343	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1344	      |   String ...
1345	      +-+-+-+-+-+-+-+-+

1347	      AVP Flags

1349	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1350	         upon the security model used. The 'V', 'T' and the 'P' bits
1351	         MUST NOT be set.

1353	      String

1355	         The String field is one or more octets, and contains the
1356	         identity of the LAT service to use. The LAT Architecture allows
1357	         this string to contain $ (dollar), - (hyphen), . (period), _
1358	         (underscore), numerics, upper and lower case alphabetics, and
1359	         the ISO Latin-1 character set extension [8]. All LAT string
1360	         comparisons are case insensitive.

1362	3.25  Login-LAT-Node

1364	   Description

1366	      This AVP indicates the Node with which the user is to be
1367	      automatically connected by LAT. It MAY be used in AA-Answer
1368	      messages, but only when LAT is specified as the Login-Service. It
1369	      MAY be used in an AA-Request message as a hint to the server, but
1370	      the server is not required to honor the hint.

1372	   AVP Format
1373	      0                   1                   2                   3
1374	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1375	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1376	                         AVP Header (AVP Code = 35)
1377	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1378	      |   String ...
1379	      +-+-+-+-+-+-+-+-+

1381	      AVP Flags

1383	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1384	         upon the security model used. The 'V', 'T' and the 'P' bits
1385	         MUST NOT be set.

1387	      String

1389	         The String field is one or more octets, and contains the
1390	         identity of the LAT Node to connect the user to. The LAT
1391	         Architecture allows this string to contain $ (dollar), -
1392	         (hyphen), . (period), _ (underscore), numerics, upper and lower
1393	         case alphabetics, and the ISO Latin-1 character set extension.
1394	         All LAT string comparisons are case insensitive.

1396	3.26  Login-LAT-Group

1398	   Description

1400	      This AVP contains a string identifying the LAT group codes which
1401	      this user is authorized to use. It MAY be used in AA-Answer
1402	      messages, but only when LAT is specified as the Login-Service. It
1403	      MAY be used in an AA-Request message as a hint to the server, but
1404	      the server is not required to honor the hint.

1406	      LAT supports 256 different group codes, which LAT uses as a form
1407	      of access rights. LAT encodes the group codes as a 256 bit bitmap.

1409	      Administrators can assign one or more of the group code bits at
1410	      the LAT service provider; it will only accept LAT connections that
1411	      have these group codes set in the bit map. The administrators
1412	      assign a bitmap of authorized group codes to each user; LAT gets
1413	      these from the operating system, and uses these in its requests to
1414	      the service providers.

1416	   AVP Format
1417	      0                   1                   2                   3
1418	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1419	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1420	                         AVP Header (AVP Code = 36)
1421	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1422	      |    Data ...
1423	      +-+-+-+-+-+-+-+-+

1425	      AVP Length

1427	         The length of this attribute MUST be 40.

1429	      AVP Flags

1431	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1432	         upon the security model used. The 'V', 'T' and the 'P' bits
1433	         MUST NOT be set.

1435	      Data

1437	         The Data field is a 32 octet bit map, most significant octet
1438	         first. A robust implementation SHOULD support the field as
1439	         undistinguished octets.

1441	         The codification of the range of allowed usage of this field is
1442	         outside the scope of this specification.

1444	3.27  Framed-AppleTalk-Link

1446	   Description

1448	      This AVP indicates the AppleTalk network number which should be
1449	      used for the serial link to the user, which is another AppleTalk
1450	      router. It is only used in AA-Answer messages. It is never used
1451	      when the user is not another router.

1453	   AVP Format

1455	      0                   1                   2                   3
1456	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1457	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1458	                         AVP Header (AVP Code = 37)
1459	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1460	      |                           Integer32                           |
1461	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1463	      AVP Flags
1464	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1465	         upon the security model used. The 'V', 'T' and the 'P' bits
1466	         MUST NOT be set.

1468	      Integer32

1470	         The Integer32 field is four octets. Despite the size of the
1471	         field, values range from zero to 65535. The special value of
1472	         zero indicates that this is an unnumbered serial link. A value
1473	         of one to 65535 means that the serial line between the NAS and
1474	         the user should be assigned that value as an AppleTalk network
1475	         number.

1477	3.28  Framed-AppleTalk-Network

1479	   Description

1481	      This AVP indicates the AppleTalk Network number which the NAS
1482	      should probe to allocate an AppleTalk node for the user. It is
1483	      only used in AA-Answer messages. It is never used when the user is
1484	      another router. Multiple instances of this AVP indicate that the
1485	      NAS may probe using any of the network numbers specified.

1487	   AVP Format

1489	      0                   1                   2                   3
1490	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1491	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1492	                         AVP Header (AVP Code = 38)
1493	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1494	      |                           Integer32                           |
1495	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1497	      AVP Flags

1499	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1500	         upon the security model used. The 'V', 'T' and the 'P' bits
1501	         MUST NOT be set.

1503	      Integer32

1505	         The Integer32 field is four octets. Despite the size of the
1506	         field, values range from zero to 65535. The special value zero
1507	         indicates that the NAS should assign a network for the user,
1508	         using its default cable range. A value between one and 65535
1509	         (inclusive) indicates the AppleTalk Network the NAS should
1510	         probe to find an address for the user.

1512	3.29  Framed-AppleTalk-Zone

1514	   Description

1516	      This AVP indicates the AppleTalk Default Zone to be used for this
1517	      user. It is only used in AA-Answer messages. Multiple instances of
1518	      this attribute in the same message are not allowed.

1520	   AVP Format

1522	      0                   1                   2                   3
1523	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1524	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1525	                         AVP Header (AVP Code = 39)
1526	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1527	      |    Data ...
1528	      +-+-+-+-+-+-+-+-+

1530	      AVP Flags

1532	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1533	         upon the security model used. The 'V', 'T' and the 'P' bits
1534	         MUST NOT be set.

1536	      String

1538	         The name of the Default AppleTalk Zone to be used for this
1539	         user.  A robust implementation SHOULD support the field as
1540	         undistinguished octets.

1542	         The codification of the range of allowed usage of this field is
1543	         outside the scope of this specification.

1545	3.30  CHAP-Challenge

1547	   Description

1549	      This AVP contains the CHAP Challenge sent by the NAS to a PPP
1550	      Challenge-Handshake Authentication Protocol (CHAP) user. It is
1551	      only used in AA-Request messages.

1553	   AVP Format
1554	      0                   1                   2                   3
1555	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1556	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1557	                         AVP Header (AVP Code = 60)
1558	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1559	      |    Data ...
1560	      +-+-+-+-+-+-+-+-+

1562	      AVP Length

1564	         The length of this attribute MUST be at least 24.

1566	      AVP Flags

1568	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1569	         upon the security model used. The 'V', 'T' and the 'P' bits
1570	         MUST NOT be set.

1572	      Data

1574	         The Data field contains the CHAP Challenge.

1576	3.31  NAS-Port-Type

1578	   Description

1580	      This AVP indicates the type of the physical port of the NAS which
1581	      is authenticating the user. It can be used instead of or in
1582	      addition to the NAS-Port (5) attribute. It is only used in AA-
1583	      Request messages. Either NAS-Port (5) or NAS-Port-Type or both
1584	      SHOULD be present in an AA-Request message, if the NAS
1585	      differentiates among its ports.

1587	   AVP Format

1589	      0                   1                   2                   3
1590	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1591	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1592	                         AVP Header (AVP Code = 61)
1593	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1594	      |                           Integer32                           |
1595	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1597	      AVP Flags

1599	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1600	         upon the security model used. The 'V', 'T' and the 'P' bits
1601	         MUST NOT be set.

1603	      Integer32

1605	         The Integer32 field is four octets. "Virtual" refers to a
1606	         connection to the NAS via some transport protocol, instead of
1607	         through a physical port. For example, if a user telnetted into
1608	         a NAS to authenticate himself as an Outbound-User, the AA-
1609	         Request might include NAS-Port-Type = Virtual as a hint to the
1610	         DIAMETER server that the user was not on a physical port.

1612	            0       Async
1613	            1       Sync
1614	            2       ISDN Sync
1615	            3       ISDN Async V.120
1616	            4       ISDN Async V.110
1617	            5       Virtual

1619	3.32  Port-Limit

1621	   Description

1623	      This AVP sets the maximum number of ports to be provided to the
1624	      user by the NAS. This AVP MAY be sent by the server to the client
1625	      in an AA-Answer message. It is intended for use in conjunction
1626	      with Multilink PPP [9] or similar uses. It MAY also be sent by the
1627	      NAS to the server as a hint that that many ports are desired for
1628	      use, but the server is not required to honor the hint.

1630	   AVP Format

1632	      0                   1                   2                   3
1633	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1634	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1635	                         AVP Header (AVP Code = 62)
1636	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1637	      |                           Integer32                           |
1638	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1640	      Type

1642	      AVP Flags

1644	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1645	         upon the security model used. The 'V', 'T' and the 'P' bits
1646	         MUST NOT be set.

1648	      Integer32

1650	         The Integer32 field is four octets, containing a 32-bit
1651	         unsigned integer with the maximum number of ports this user
1652	         should be allowed to connect to on the NAS.

1654	3.33  Login-LAT-Port

1656	   Description

1658	      This AVP indicates the Port with which the user is to be connected
1659	      by LAT. It MAY be used in AA-Answer messages, but only when LAT is
1660	      specified as the Login-Service. It MAY be used in an AA-Request
1661	      message as a hint to the server, but the server is not required to
1662	      honor the hint.

1664	   AVP Format

1666	      0                   1                   2                   3
1667	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1668	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1669	                         AVP Header (AVP Code = 63)
1670	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1671	      |   String ...
1672	      +-+-+-+-+-+-+-+-+

1674	      AVP Flags

1676	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1677	         upon the security model used. The 'V', 'T' and the 'P' bits
1678	         MUST NOT be set.

1680	      String

1682	         The String field is one or more octets, and contains the
1683	         identity of the LAT port to use. The LAT Architecture allows
1684	         this string to contain $ (dollar), - (hyphen), . (period), _
1685	         (underscore), numerics, upper and lower case alphabetics, and
1686	         the ISO Latin-1 character set extension. All LAT string
1687	         comparisons are case insensitive.

1689	3.34  Tunnel-Type

1691	   Description

1693	   This AVP indicates the tunneling protocol(s) to be used (in the case
1694	   of a tunnel initiator) or the the tunneling protocol in use (in the
1695	   case of a tunnel terminator).  It MAY be included in both AA-Request
1696	   and AA-Answer.  The Tunnel-Type SHOULD also be present in the
1697	   corresponding ADIF Record within the Accounting-Request. If the
1698	   Tunnel-Type AVP is present in an AA-Request message sent from a
1699	   tunnel initiator, it SHOULD be taken as a hint to the DIAMETER server
1700	   as to the tunnelling protocols supported by the tunnel end-point; the
1701	   DIAMETER server MAY ignore the hint, however. A tunnel initiator is
1702	   not required to implement any of these tunnel types; if a tunnel
1703	   initiator receives an AA-Answer message which contains only unknown
1704	   or unsupported Tunnel-Types, the tunnel initiator MUST behave as
1705	   though an AA-Answer with a failure Result-Code had been received
1706	   instead.

1708	   If the Tunnel-Type AVP is present in an AA-Request message sent from
1709	   a tunnel terminator, it SHOULD be taken to signify the tunnelling
1710	   protocol in use.  In this case, if the DIAMETER server determines
1711	   that the use of the communicated protocol is not authorized, it MAY
1712	   return an AA-Answer with a failure Result-Code message.  If a tunnel
1713	   terminator receives an AA-Answer message which contains one or more
1714	   Tunnel-Type AVPs, none of which represent the tunneling protocol in
1715	   use, the tunnel terminator SHOULD behave as though an AA-Answer with
1716	   a failure Result-Code had been received instead.

1718	   AVP Format

1720	      0                   1                   2                   3
1721	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1722	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1723	                         AVP Header (AVP Code = 64)
1724	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1725	      |                           Integer32                           |
1726	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1728	      AVP Flags

1730	         The 'M' and 'T' bits MUST be set. The 'H' and 'E' MAY be set
1731	         depending upon the security model used. The 'V', and 'P' bits
1732	         MUST NOT be set.

1734	      Integer32

1736	         The Value field is three octets and contains one of the
1737	         following values, indicating the type of tunnel to be started.

1739	            1      Point-to-Point Tunneling Protocol (PPTP) [14] 2
1740	            Layer Two Forwarding (L2F) [15] 3      Layer Two Tunneling
1741	            Protocol (L2TP) [16] 4      Ascend Tunnel Management
1742	            Protocol (ATMP) [17] 5      Virtual Tunneling Protocol (VTP)
1743	            6      IP Authentication Header in the Tunnel-mode (AH) [18]
1744	            7      IP-in-IP Encapsulation (IP-IP) [19] 8      Minimal
1745	            IP-in-IP Encapsulation (MIN-IP-IP) [20] 9      IP
1746	            Encapsulating Security Payload in the Tunnel-mode (ESP) [21]
1747	            10     Generic Route Encapsulation (GRE) [22] 11     Bay
1748	            Dial Virtual Services (DVS) 12     IP-in-IP Tunneling [23]

1750	3.35  Tunnel-Medium-Type

1752	   Description

1754	      The Tunnel-Medium-Type AVP indicates which transport medium to use
1755	      when creating a tunnel for those protocols (such as L2TP) that can
1756	      operate over multiple transports.  It MAY be included in both AA-
1757	      Request and AA-Answer messages; if it is present in an AA-Request
1758	      message, it SHOULD be taken as a hint to the DIAMETER server as to
1759	      the tunnel media supported by the tunnel end- point.  The DIAMETER
1760	      server MAY ignore the hint, however.

1762	   AVP Format

1764	      0                   1                   2                   3
1765	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1766	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1767	                         AVP Header (AVP Code = 65)
1768	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1769	      |                           Integer32                           |
1770	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1772	      AVP Flags

1774	         The 'M' and 'T' bits MUST be set. The 'H' and 'E' MAY be set
1775	         depending upon the security model used. The 'V', and 'P' bits
1776	         MUST NOT be set.

1778	      Integer32

1780	         The Value field is three octets and contains one of the values
1781	         listed under "Address Family Numbers" in [24].  For the sake of
1782	         convenience, a relevant excerpt of this list is reproduced
1783	         below.

1785	            1      IPv4 (IP version 4) 2      IPv6 (IP version 6) 3
1786	            NSAP 4      HDLC (8-bit multidrop) 5      BBN 1822 6
1787	            802 (includes all 802 media plus Ethernet "canonical
1788	            format") 7      E.163 (POTS) 8      E.164 (SMDS, Frame
1789	            Relay, ATM) 9      F.69 (Telex) 10     X.121 (X.25, Frame
1790	            Relay) 11     IPX 12     Appletalk 13     Decnet IV 14
1791	            Banyan Vines 15     E.164 with NSAP format subaddress

1793	3.36  Tunnel-Client-Endpoint

1795	   Description

1797	      This AVP contains the address of the initiator end of the tunnel.
1798	      It MAY be included in both AA-Request and AA-Answer messages to
1799	      indicate the address from which a new tunnel is to be initiated.
1800	      If the Tunnel-Client-Endpoint AVP is included in an AA-Request
1801	      message, the DIAMETER server should take the value as a hint; the
1802	      server is not obligated to honor the hint, however.  This AVP
1803	      SHOULD be included in the ADIF Record of the corresponding
1804	      Accounting-Request messages, in which case it indicates the
1805	      address from which the tunnel was initiated.  This AVP, along with
1806	      the Tunnel-Server-Endpoint and Acct-Tunnel-Connection-ID AVP, may
1807	      be used to provide a globally unique means to identify a tunnel
1808	      for accounting and auditing purposes.

1810	   AVP Format

1812	      0                   1                   2                   3
1813	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1814	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1815	                         AVP Header (AVP Code = 66)
1816	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1817	      |   String ...
1818	      +-+-+-+-+-+-+-+-+

1820	      AVP Flags

1822	         The 'M' and 'T' bits MUST be set. The 'H' and 'E' MAY be set
1823	         depending upon the security model used. The 'V' and 'P' bits
1824	         MUST NOT be set.

1826	      String

1828	         The format of the address represented by the String field
1829	         depends upon the value of the Tunnel-Medium-Type attribute.

1831	         If Tunnel-Medium-Type is IPv4 (1), then this string is either
1832	         the fully qualified domain name (FQDN) of the tunnel client
1833	         machine, or it is a "dotted-decimal" IP address.  Conformant
1834	         implementations MUST support the dotted-decimal format and
1835	         SHOULD support the FQDN format for IP addresses.

1837	         If Tunnel-Medium-Type is IPv6 (2), then this string is either
1838	         the FQDN of the tunnel client machine, or it is a text
1839	         representation of the address in either the preferred or
1840	         alternate form [25].  Conformant implementations MUST support
1841	         the preferred form and SHOULD support both the alternate text
1842	         form and the FQDN format for IPv6 addresses.

1844	         If Tunnel-Medium-Type is neither IPv4 nor IPv6, this string is
1845	         a tag referring to configuration data local to the DIAMETER
1846	         client that describes the interface and medium-specific address
1847	         to use.

1849	3.37  Tunnel-Server-Endpoint

1851	   Description

1853	      This AVP indicates the address of the server end of the tunnel.
1854	      The Tunnel-Server-Endpoint AVP MAY be included (as a hint to the
1855	      DIAMETER server) in the AA-Request message and MUST be included in
1856	      the successful AA-Response message if the initiation of a tunnel
1857	      is desired.  It SHOULD be included in the corresponding ADIF-
1858	      Record in the subsequent Accounting-Request messages.  This AVP,
1859	      along with the Tunnel-Client-Endpoint and Session-Id AVP [2], may
1860	      be used to provide a globally unique means to identify a tunnel
1861	      for accounting and auditing purposes.

1863	   AVP Format

1865	      0                   1                   2                   3
1866	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1867	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1868	                         AVP Header (AVP Code = 67)
1869	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1870	      |   String ...
1871	      +-+-+-+-+-+-+-+-+

1873	      AVP Flags

1875	         The 'M' and 'T' bits MUST be set. The 'H' and 'E' MAY be set
1876	         depending upon the security model used. The 'V' and 'P' bits
1877	         MUST NOT be set.

1879	      String

1881	         The format of the address represented by the String field
1882	         depends upon the value of the Tunnel-Medium-Type attribute.

1884	         If Tunnel-Medium-Type is IPv4 (1), then this string is either
1885	         the fully qualified domain name (FQDN) of the tunnel client
1886	         machine, or it is a "dotted-decimal" IP address.  Conformant
1887	         implementations MUST support the dotted-decimal format and
1888	         SHOULD support the FQDN format for IP addresses.

1890	         If Tunnel-Medium-Type is IPv6 (2), then this string is either
1891	         the FQDN of the tunnel client machine, or it is a text
1892	         representation of the address in either the preferred or
1893	         alternate form [25].  Conformant implementations MUST support
1894	         the preferred form and SHOULD support both the alternate text
1895	         form and the FQDN format for IPv6 addresses.

1897	         If Tunnel-Medium-Type is not IPv4 or IPv6, this string is a tag
1898	         referring to configuration data local to the DIAMETER client
1899	         that describes the interface and medium-specific address to
1900	         use.

1902	3.38  Tunnel-Password

1904	   Description

1906	      This AVP may contain a password to be used to authenticate to a
1907	      remote server.  It may only be included in an AA-Answer message.

1909	   AVP Format

1911	      0                   1                   2                   3
1912	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1913	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1914	                         AVP Header (AVP Code = 69)
1915	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1916	      |          String ...
1917	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1919	      AVP Flags

1921	         The 'M' and 'T' bits MUST be set. Either the 'H' and 'E' MUST
1922	         be set depending upon the security model used. The 'V' and 'P'
1923	         bits MUST NOT be set.

1925	      String

1927	         The String field contains the encrypted version of the Tunnel
1928	         Password.

1930	3.39  Tunnel-Private-Group-ID

1932	   Description

1934	      This AVP indicates the group ID for a particular tunneled session.
1935	      The Tunnel-Private-Group-ID AVP MAY be included in the AA-Request
1936	      message if the tunnel initiator can pre- determine the group
1937	      resulting from a particular connection and SHOULD be included in
1938	      the AA-Answer message if this tunnel session is to be treated as
1939	      belonging to a particular private group.  Private groups may be
1940	      used to associate a tunneled session with a particular group of
1941	      users.  For example, it may be used to facilitate routing of
1942	      unregistered IP addresses through a particular interface.  This
1943	      value SHOULD be included the corresponding ADIF-Record in the
1944	      Accounting-Request which pertain to a tunneled session.

1946	   AVP Format

1948	      0                   1                   2                   3
1949	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1950	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1951	                         AVP Header (AVP Code = 81)
1952	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1953	      |   String ...
1954	      +-+-+-+-+-+-+-+-+

1956	      AVP Flags

1958	         The 'M' and 'T' bits MUST be set. The 'H' and 'E' MAY be set
1959	         depending upon the security model used. The 'V' and 'P' bits
1960	         MUST NOT be set.

1962	      String

1964	         This field must be present.  The group is represented by the
1965	         String field.  There is no restriction on the format of group
1966	         IDs.

1968	3.40  Tunnel-Assignment-ID

1970	   Description

1972	      This AVP is used to indicate to the tunnel initiator the
1973	      particular tunnel to which a session is to be assigned.  Some
1974	      tunneling protocols, such as PPTP and L2TP, allow for sessions
1975	      between the same two tunnel endpoints to be multiplexed over the
1976	      same tunnel and also for a given session to utilize its own
1977	      dedicated tunnel.  This attribute provides a mechanism for
1978	      DIAMETER to be used to inform the tunnel initiator (e.g. PAC, LAC)
1979	      whether to assign the session to a multiplexed tunnel or to a
1980	      separate tunnel.  Furthermore, it allows for sessions sharing
1981	      multiplexed tunnels to be assigned to different multiplexed
1982	      tunnels.

1984	      A particular tunneling implementation may assign differing
1985	      characteristics to particular tunnels.  For example, different
1986	      tunnels may be assigned different QOS parameters.  Such tunnels
1987	      may be used to carry either individual or multiple sessions.  The
1988	      Tunnel-Assignment-ID attribute thus allows the DIAMETER server to
1989	      indicate that a particular session is to be assigned to a tunnel
1990	      that provides an appropriate level of service.  It is expected
1991	      that any QOS-related DIAMETER tunneling attributes defined in the
1992	      future that accompany this attribute will be associated by the
1993	      tunnel initiator with the ID given by this attribute.  In the
1994	      meantime, any semantic given to a particular ID string is a matter
1995	      left to local configuration in the tunnel initiator.

1997	      The Tunnel-Assignment-ID AVP is of significance only to DIAMETER
1998	      and the tunnel initiator.  The ID it specifies is intended to be
1999	      of only local use to DIAMETER and the tunnel initiator.  The ID
2000	      assigned by the tunnel initiator is not conveyed to the tunnel
2001	      peer.

2003	      This attribute MAY be included in the AA-Answer.  The tunnel
2004	      initiator receiving this attribute MAY choose to ignore it and
2005	      assign the session to an arbitrary multiplexed or non-multiplexed
2006	      tunnel between the desired endpoints.  This attribute SHOULD also
2007	      be included in the corresponding ADIF-Record in the Accounting-
2008	      Request messages which pertain to a tunneled session.

2010	      If a tunnel initiator supports the Tunnel-Assignment-ID AVP, then
2011	      it should assign a session to a tunnel in the following manner:

2013	         If this AVP is present and a tunnel exists between the
2014	         specified endpoints with the specified ID, then the session
2015	         should be assigned to that tunnel.

2017	         If this AVP is present and no tunnel exists between the
2018	         specified endpoints with the specified ID, then a new tunnel
2019	         should be established for the session and the specified ID
2020	         should be associated with the new tunnel.

2022	         If this AVP is not present, then the session is assigned to an
2023	         unnamed tunnel.  If an unnamed tunnel does not yet exist
2024	         between the specified endpoints then it is established and used
2025	         for this and subsequent sessions established without the
2026	         Tunnel-Assignment-ID attribute.  A tunnel initiator MUST NOT
2027	         assign a session for which a Tunnel-Assignment-ID AVP was not
2028	         specified to a named tunnel (i.e. one that was initiated by a
2029	         session specifying this AVP).

2031	         Note that the same ID may be used to name different tunnels if
2032	         such tunnels are between different endpoints.

2034	   AVP Format

2036	      0                   1                   2                   3
2037	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2038	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2039	                         AVP Header (AVP Code = 82)
2040	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2041	      |   String ...
2042	      +-+-+-+-+-+-+-+-+

2044	      AVP Flags

2046	         The 'M' and 'T' bits MUST be set. The 'H' and 'E' MAY be set
2047	         depending upon the security model used. The 'V' and 'P' bits
2048	         MUST NOT be set.

2050	      String

2052	         This field must be present.  The tunnel ID is represented by
2053	         the String field.  There is no restriction on the format of the
2054	         ID.

2056	3.41  Tunnel-Preference

2058	   Description

2060	      If more than one set of tunneling attributes is returned by the
2061	      DIAMETER server to the tunnel initiator, this AVP SHOULD be
2062	      included in each set to indicate the relative preference assigned
2063	      to each tunnel.  For example, suppose that AVPs describing two
2064	      tunnels are returned by the server, one with a Tunnel-Type of PPTP
2065	      and the other with a Tunnel-Type of L2TP.  If the tunnel initiator
2066	      supports only one of the Tunnel-Types returned, it will initiate a
2067	      tunnel of that type.  If, however, it supports both tunnel
2068	      protocols, it SHOULD use the value of the Tunnel-Preference AVP to
2069	      decide which tunnel should be started.  The tunnel having the
2070	      numerically lowest value in the Value field of this AVP SHOULD be
2071	      given the highest preference.  The values assigned to two or more
2072	      instances of the Tunnel-Preference AVP within a given AA-Answer
2073	      message MAY be identical.  In this case, the tunnel initiator
2074	      SHOULD use locally configured metrics to decide which set of AVPs
2075	      to use.  This AVP MAY be included (as a hint to the server) in
2076	      AA-Request messages, but the DIAMETER server is not required to
2077	      honor this hint.

2079	   AVP Format

2081	      0                   1                   2                   3
2082	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2083	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2084	                         AVP Header (AVP Code = 83)
2085	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2086	      |                           Integer32                           |
2087	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2089	      AVP Flags

2091	         The 'M' and 'T' bits MUST be set. The 'H' and 'E' MAY be set
2092	         depending upon the security model used. The 'V', and 'P' bits
2093	         MUST NOT be set.

2095	      Integer32

2097	         The Value field is three octets in length and indicates the
2098	         preference to be given to the tunnel to which it refers; higher
2099	         preference is given to lower values, with 0x000000 being most
2100	         preferred and 0xFFFFFF least preferred.

2102	3.42  Tunnel-Client-Auth-ID

2104	   Description

2106	      This AVP specifies the name used by the tunnel initiator during
2107	      the authentication phase of tunnel establishment.  The Tunnel-
2108	      Client-Auth-ID AVP MAY be included (as a hint to the DIAMETER
2109	      server) in the AA-Request message, and MUST be included in the
2110	      AA-Request message if an authentication name other than the
2111	      default is desired.  This AVP SHOULD be included in the
2112	      corresponding ADIF-Record of the Accounting-Request messages which
2113	      pertain to a tunneled session.

2115	   AVP Format
2116	      0                   1                   2                   3
2117	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2118	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2119	                         AVP Header (AVP Code = 90)
2120	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2121	      |   String ...
2122	      +-+-+-+-+-+-+-+-+

2124	      AVP Flags

2126	         The 'M' and 'T' bits MUST be set. The 'H' and 'E' MAY be set
2127	         depending upon the security model used. The 'V' and 'P' bits
2128	         MUST NOT be set.

2130	      String

2132	         This field must be present.  The String field contains the
2133	         authentication name of the tunnel initiator.  The
2134	         authentication name SHOULD be represented in the UTF-8 charset.

2136	3.43  Tunnel-Server-Auth-ID

2138	   Description

2140	      This AVP specifies the name used by the tunnel terminator during
2141	      the authentication phase of tunnel establishment.  The Tunnel-
2142	      Client-Auth-ID AVP MAY be included (as a hint to the DIAMETER
2143	      server) in the AA-Request message, and MUST be included in the
2144	      AA-Request message if an authentication name other than the
2145	      default is desired.  This AVP SHOULD be included in the
2146	      corresponding ADIF-Record of the Accounting-Request messages which
2147	      pertain to a tunneled session.

2149	   AVP Format

2151	      0                   1                   2                   3
2152	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2153	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2154	                         AVP Header (AVP Code = 91)
2155	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2156	      |   String ...
2157	      +-+-+-+-+-+-+-+-+

2159	      AVP Flags

2161	         The 'M' and 'T' bits MUST be set. The 'H' and 'E' MAY be set
2162	         depending upon the security model used. The 'V' and 'P' bits
2163	         MUST NOT be set.

2165	      String

2167	         This field must be present.  The String field contains the
2168	         authentication name of the tunnel terminator.  The
2169	         authentication name SHOULD be represented in the UTF-8 charset.

2171	3.44  Filter-Rule

2173	   Description

2175	      This AVP provides filter rules that need to be configured on the
2176	      NAS for the user. It is used in the AA-Answer message and can
2177	      appear multiple times.

2179	   AVP Format

2181	      0                   1                   2                   3
2182	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2183	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2184	                         AVP Header (AVP Code = 300)
2185	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2186	      |   String ...
2187	      +-+-+-+-+-+-+-+-+

2189	      AVP Flags

2191	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2192	         upon the security model used. The 'V', 'T' and the 'P' bits
2193	         MUST NOT be set.

2195	      String

2197	         The String field MUST contain a filter rule in the following
2198	         format:  "permit (offset=value AND offset=value) OR
2199	         offset=value" or "deny (offset=value AND offset=value) OR
2200	         offset=value". The keyword "permit" means that the filter will
2201	         allow any traffic that matches the rule, while deny will not
2202	         allow the traffic to be routed. The filter rules can also use
2203	         the keywords "AND" and "OR", for which no additional
2204	         explanation is necessary. The braces "(" and ")" can be used to
2205	         setup grouping of expressions.

2207	3.45  Table of AVPs
2208	   The following table provides a guide to which attributes may be found
2209	   in which kinds of messages, and in what quantity.

2211	              Success  Failed  AA-Chal  #   AVP
2212	      AA-Req  AA-Answ  AA-Answ  Req
2213	       0-1      0-1       0      0      1   User-Name
2214	       0-1      0         0      0      2   User-Password [*1]
2215	       0-1      0         0      0      3   CHAP-Password [*1]
2216	       0-1      0         0      0      5   NAS-Port
2217	       0-1      0-1       0      0      6   Service-Type
2218	       0-1      0-1       0      0      7   Framed-Protocol
2219	       0-1      0-1       0      0      8   Framed-IP-Address
2220	       0-1      0-1       0      0      9   Framed-IP-Netmask
2221	       0        0-1       0      0     10   Framed-Routing
2222	       0        0+        0      0     11   Filter-Id
2223	       0        0-1       0      0     12   Framed-MTU
2224	       0+       0+        0      0     13   Framed-Compression
2225	       0+       0+        0      0     14   Login-IP-Host
2226	       0        0-1       0      0     15   Login-Service
2227	       0        0-1       0      0     16   Login-TCP-Port
2228	       0        0+        0+     0+    18   Reply-Message
2229	       0-1      0-1       0      0     19   Callback-Number
2230	       0        0-1       0      0     20   Callback-Id
2231	       0        0+        0      0     22   Framed-Route
2232	       0        0-1       0      0     23   Framed-IPX-Network
2233	       0        0-1       0      0-1   28   Idle-Timeout
2234	       0-1      0         0      0     30   Called-Station-Id
2235	       0-1      0         0      0     31   Calling-Station-Id
2236	       0-1      0-1       0      0     34   Login-LAT-Service
2237	       0-1      0-1       0      0     35   Login-LAT-Node
2238	       0-1      0-1       0      0     36   Login-LAT-Group
2239	       0        0-1       0      0     37   Framed-AppleTalk-Link
2240	       0        0+        0      0     38   Framed-AppleTalk-Net.
2241	       0        0-1       0      0     39   Framed-AppleTalk-Zone
2242	       0-1      0         0      0     60   CHAP-Challenge
2243	       0-1      0         0      0     61   NAS-Port-Type
2244	       0-1      0-1       0      0     62   Port-Limit
2245	       0-1      0-1       0      0     63   Login-LAT-Port
2246	       0+       0+        0      0     64   Tunnel-Type
2247	       0+       0+        0      0     65   Tunnel-Medium-Type
2248	       0+       0+        0      0     66   Tunnel-Client-Endpoint
2249	       0+       0+        0      0     67   Tunnel-Server-Endpoint
2250	       0+       0+        0      0     69   Tunnel-Password
2251	       0+       0+        0      0     81   Tunnel-Private-Group-ID
2252	       0+       0+        0      0     82   Tunnel-Assignment-ID
2253	       0+       0+        0      0     83   Tunnel-Preference
2254	       0+       0+        0      0     90   Tunnel-Client-Auth-ID
2255	       0+       0+        0      0     91   Tunnel-Server-Auth-ID
2256	       0        0+        0      0    280   Filter-Rule
2257	              Success  Failed  AA-Chal  #   AVP
2258	      AA-Req  AA-Answ  AA-Answ  Req

2260	      [*1] An AA-Request MUST NOT contain both a User-Password and a
2261	      CHAP-Password AVP.

2263	      The following table defines the meaning of the above table
2264	      entries.

2266	          0     This attribute MUST NOT be present in message.
2267	          0+    Zero or more instances of this attribute MAY be present
2268	                in message.
2269	          0-1   Zero or one instance of this attribute MAY be present
2270	                in message.
2271	          1     Exactly one instance of this attribute MUST be present
2272	         in
2273	                message.

2275	4.0  Protocol Definition

2277	   This section will outline how the DIAMETER Authentication Extension
2278	   can be used.

2280	4.1  Feature Advertisement/Discovery

2282	   As defined in [2], the Reboot-Ind and Device-Feature-Query messages
2283	   can be used to inform a peer about locally supported DIAMETER
2284	   Extensions. In order to advertise support of this extension, the
2285	   Extension-Id AVP must be transmitted with a value of one (1).

2287	4.2  Authorization Procedure

2289	   This specification allows two different types of Authorization
2290	   procedures.  The first method is identical to the way RADIUS works
2291	   today and requires the AA-Request to contain the UserName as well as
2292	   either the Password or the CHAP-Password AVPs.

2294	   The second method is used by NASes that send AA-Request whenever they
2295	   receive an incoming call and want to get authorization from the
2296	   DIAMETER Server to answer the call. In this case the AA-Request
2297	   contains the NAS-IP-Address, the Calling-Station-Id and the Called-
2298	   Station-Id AVPs.

2300	   In this case the DIAMETER Server can lookup the combination of the
2301	   Calling-Station-Id and the Called-Station-Id in order to ensure that
2302	   the pair are authorized as per the local policy.

2304	4.3  Integration with Resource-Management

2306	   Document [10] specifies the Resource-Token AVP that is used to carry
2307	   information required for a DIAMETER server to rebuild its state
2308	   information in the event of a crash or some other event that would
2309	   cause the server to loose its state information.

2311	   When creating the Resource-Token AVP, the following AVPs MUST be
2312	   present, in addition to the AVPs listed in [10]; the UserName AVP,
2313	   the NAS-IP- Address, the NAS-Port. Any additional AVP MAY be included
2314	   if the AVP is a resource that is being managed (i.e. Framed-IP-
2315	   Address in the case where the DIAMETER Server is allocating IP
2316	   Addresses out of a centrally managed address pool).

2318	5.0  References

2320	    [1] Rigney, et alia, "RADIUS", RFC-2138, Livingston, April 1997
2321	    [2] Calhoun, Rubens, "DIAMETER Base Protocol",
2322	        draft-calhoun-diameter-08.txt, Work in Progress,
2323	        August 1999.
2324	    [3] Aboba, Beadles "The Network Access Identifier." RFC 2486.
2325	        January 1999.
2326	    [4] Aboba, Zorn, "Criteria for Evaluating Roaming Protocols",
2327	        RFC 2477, January 1999.
2328	    [5] Calhoun, Rubens, Aboba, "DIAMETER Extensible Authentication
2329	        Protocol Extensions", draft-calhoun-diameter-eap-03.txt,
2330	        Work in Progress, August 1999.
2331	    [6] W. Simpson, "PPP Challenge Handshake Authentication
2332	        Protocol (CHAP)", RFC 1994, August 1996.
2333	    [7] Jacobson, "Compressing TCP/IP headers for low-speed serial
2334	        links", RFC 1144, February 1990.
2335	    [8] ISO 8859. International Standard -- Information Processing --
2336	        8-bit Single-Byte Coded Graphic Character Sets -- Part 1: Latin
2337	        Alphabet No. 1, ISO 8859-1:1987.
2338	        <URL:http://www.iso.ch/cate/d16338.html>
2339	    [9] Sklower, Lloyd, McGregor, Carr, "The PPP Multilink Protocol
2340	        (MP)", RFC 1717, November 1994.
2341	    [10] Calhoun, Greene, "DIAMETER Resource Management Extension",
2342	         draft-calhoun-diameter-res-mgmt-02.txt, Work in Progress,
2343	         February 1999.
2344	    [11] Calhoun, Zorn, Pan, "DIAMETER Framework",
2345	         draft-calhoun-diameter-framework-02.txt, Work in Progress,
2346	         December 1998.

2348	    [12] S. Bradner, "Key words for use in RFCs to Indicate
2349	         Requirement Levels", BCP 14, RFC 2119, March 1997.
2350	    [13] P. Calhoun, W. Bulley, "DIAMETER Proxy Server Extensions",
2351	         draft-calhoun-diameter-proxy-02.txt, Work in Progress,
2352	         August 1999.
2353	    [14] Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little, W.,
2354	         Zorn, G., "Point-to-Point Tunneling Protocol (PPTP)",
2355	         RFC 2637, July 1999
2356	    [15] Valencia, A., Littlewood, M., Kolar, T., "Cisco Layer Two
2357	         Forwarding (Protocol) 'L2F'", RFC 2341, May 1998
2358	    [16] Townsley, W. M., Valencia, A., Rubens, A., Pall, G. S.,
2359	         Zorn, G., Palter, B., "Layer Two Tunnelling Protocol
2360	         (L2TP)", RFC 2661, August 1999
2361	    [17] Hamzeh, K., "Ascend Tunnel Management Protocol - ATMP",
2362	         RFC 2107, February 1997
2363	    [18] Kent, S., Atkinson, R., "Security Architecture for the
2364	         Internet Protocol", RFC 2401, November 1998
2365	    [19] Perkins, C., "IP Encapsulation within IP", RFC 2003,
2366	         October 1996
2367	    [20] Perkins, C., "Minimal Encapsulation within IP", RFC 2004,
2368	         October 1996
2369	    [21] Atkinson, R., "IP Encapsulating Security Payload (ESP)",
2370	         RFC 1827, August 1995
2371	    [22] Hanks, S., Li, T., Farinacci, D., Traina, P., "Generic
2372	         Routing Encapsulation (GRE)", RFC 1701, October 1994
2373	    [23] Simpson, W., "IP in IP Tunneling", RFC 1853, October 1995
2374	    [24] Reynolds, J., Postel, J., "Assigned Numbers", STD 2,
2375	         RFC 1700, October 1994
2376	    [17] Hinden, R., Deering, S., "IP Version 6 Addressing
2377	         Architecture", RFC 2373, July 1998

2379	6.0  Acknowledgements

2381	   The Author wishes to thank Carl Rigney since much of the text in the
2382	   document was shamefully copied from [1] as well as the following
2383	   people for their help in the development of this protocol:

2385	   Nancy Greene, Ryan Moats

2387	7.0  Authors' Addresses

2389	   Questions about this memo can be directed to:

2391	      Pat R. Calhoun
2392	      Network and Security Research Center, Sun Labs
2393	      Sun Microsystems, Inc.
2394	      15 Network Circle
2395	      Menlo Park, California, 94025
2396	      USA

2398	       Phone:  1-650-786-7733
2399	         Fax:  1-650-786-6445
2400	      E-mail:  pcalhoun@eng.sun.com

2402	      William Bulley
2403	      Merit Network, Inc.
2404	      4251 Plymouth Road, Suite C
2405	      Ann Arbor, Michigan, 48105-2785
2406	      USA

2408	       Phone:  1-734-764-9993
2409	         Fax:  1-734-647-3185
2410	      E-mail:  web@merit.edu

2412	8.0  Full Copyright Statement

2414	   Copyright (C) The Internet Society (1999).  All Rights Reserved.

2416	   This document and translations of it may be copied  and  furnished  to
2417	   others,  and  derivative works that comment on or otherwise explain it
2418	   or assist in its implmentation may be prepared, copied, published  and
2419	   distributed,  in  whole  or  in part, without restriction of any kind,
2420	   provided that the  above  copyright  notice  and  this  paragraph  are
2421	   included on all such copies and derivative works.  However, this docu-
2422	   ment itself may not be modified in any way, such as  by  removing  the
2423	   copyright notice or references to the Internet Society or other Inter-
2424	   net organizations, except as needed  for  the  purpose  of  developing
2425	   Internet standards in which case the procedures for copyrights defined
2426	   in the Internet Standards process must be followed, or as required  to
2427	   translate it into languages other than   English.  The limited permis-
2428	   sions granted above are perpetual and  will  not  be  revoked  by  the
2429	   Internet  Society or its successors or assigns.  This document and the
2430	   information contained herein is provided on an "AS IS" basis  and  THE
2431	   INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL
2432	   WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY  WAR-
2433	   RANTY  THAT  THE  USE  OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY
2434	   RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS  FOR  A
2435	   PARTICULAR PURPOSE."