idnits 2.17.1 draft-dekok-radext-tcp-transport-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 15. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 583. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 594. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 601. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 607. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (3 July 2008) is 5748 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-09) exists of draft-ietf-radext-status-server-00 Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. DeKok 3 INTERNET-DRAFT FreeRADIUS 4 Category: Proposed Standard 5 6 Expires: January 03, 2009 7 3 July 2008 9 RADIUS Over TCP 10 draft-dekok-radext-tcp-transport-00 12 By submitting this Internet-Draft, each author represents that any 13 applicable patent or other IPR claims of which he or she is aware 14 have been or will be disclosed, and any of which he or she becomes 15 aware will be disclosed, in accordance with Section 6 of BCP 79. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on January 03, 2009. 35 Copyright Notice 37 Copyright (C) The IETF Trust (2008). 39 Abstract 41 The Remote Authentication Dial In User Server (RADIUS) Protocol has 42 traditionally used the User Datagram Protocol (UDP) as it's 43 underlying transport layer. This document defines RADIUS over the 44 Transport Control Protocol (TCP). 46 Table of Contents 48 1. Introduction ............................................. 3 49 1.1. Benefits of Reliable Transport ...................... 3 50 1.2. Drawbacks of Reliable Transport ..................... 4 51 1.3. Terminology ......................................... 4 52 1.4. Requirements Language ............................... 5 53 2. Changes to RADIUS ........................................ 5 54 2.1. Packet Format ....................................... 5 55 2.2. TCP Ports ........................................... 5 56 2.3. Management Information Base (MIB) ................... 6 57 2.4. Interaction with RadSec ............................. 6 58 2.4.1. Applicability .................................. 6 59 2.5. RADIUS Proxies ...................................... 7 60 2.6. TCP Specific Issues ................................. 7 61 2.6.1. Duplicates and Retransmissions ................. 8 62 2.6.2. Shared Secrets ................................. 9 63 2.6.3. Malformed Packets and Unknown Clients .......... 9 64 2.6.4. Limits of the ID Field ......................... 10 65 2.6.5. EAP Sessions ................................... 10 66 2.6.6. TCP Applications are not UDP Applications ...... 11 67 3. Diameter Considerations .................................. 11 68 4. IANA Considerations ...................................... 11 69 5. Security Considerations .................................. 11 70 6. References ............................................... 12 71 6.1. Normative References ................................ 12 72 6.2. Informative References .............................. 12 73 Full Copyright Statement ..................................... 14 74 1. Introduction 76 The RADIUS Protocol has been defined in [RFC2865] as using the User 77 Datagram Protocol (UDP) for the underlying transport layer. While 78 there are a number of benefits to using UDP as outlined in [RFC2865] 79 Section 2.4, there are also some limitations: 81 * Unreliable transport. As a result, systems using RADIUS have to 82 implement application-layer timers and re-transmissions, as 83 described in [RFC5080] Section 2.2.1. 85 * Packet fragmentation. [RFC2865] Section 3 permits RADIUS 86 packets to up to 4096 octets in length. These packets are larger 87 than the default Internet MTU (576), resulting in fragmentation of 88 the packets at the IP layer. Transport of fragmented UDP packets 89 appearsto be a poorly tested code path on network devices. Some 90 devices appear to be incapable of transporting fragmented UDP 91 packets, making it difficult to deploy RADIUS in a network where 92 those devices are deployed. 94 * Connectionless transport. Neither clients no servers can 95 reliably detect when the other is down. This information has be 96 deduced from the absence of a reply to a request. 98 As RADIUS is widely deployed, and has been widely deployed for well 99 over a decade, these issues are relatively minor. However, new 100 systems may be interested in choosing a different set of trade-offs 101 than those outlined in [RFC2865] Section 2.4. For those systems, we 102 define RADIUS over TCP. 104 1.1. Benefits of Reliable Transport 106 There are a number of benefits to using a reliable transport. For 107 example, when RADIUs is used to carry EAP conversions [RFC3579], the 108 EAP exchanges may involve 10 round trips at the RADIUS application 109 layer. If we assume a 0.1% probability of packet loss in each 110 direction, then approximately 2% (1 - 0.999^20) of the authentication 111 attempts will have a lost packet. If we assume a 0.01% packet loss, 112 then 0.2% of authentication attempts will result in a lost packet. 114 These lost packets require the supplicant and/or the NAS to re- 115 transmit packets at the application layer. The difficulty with this 116 approach is that retransmission implementations have historically 117 been poor. Some implementations retransmit packets, others do not. 118 Some implementations are incapable of detecting EAP retransmissions, 119 and will instead treat the retransmitted packet as an error. 121 These retransmissions have a high likelihood of causing the entire 122 authentication session to fail. For systems with millions to tens of 123 millions of users, such a high authentication failure rate (0.2% to 124 2%) may be unacceptable. 126 Using TCP as an underlying reliable transport means that the RADIUS 127 implementations can remove all of the application-layer 128 retransmissions, and instead rely on the Operating System (OS) 129 kernel's well-tested TCP transport. 131 1.2. Drawbacks of Reliable Transport 133 No protocol is perfect for all uses. RADIUS over TCP has some 134 drawbacks, as noted in [RFC2865] Section 2.4. [RFC3539] Section 2 135 discusses further issues with using TCP as a transport for 136 Authentication, Authorization, and/or Accounting (AAA) protocols such 137 as RADIUS. 139 The impact of these issues is dicussed in more detail, below. 141 1.3. Terminology 143 This document uses the following terms: 145 Network Access Server (NAS) 146 A device that provides an access service for a user to a network. 148 RADIUS server 149 A RADIUS authentication, authorization, and/or accounting (AAA) 150 server is an entity that provides one or more AAA services to a 151 NAS. 153 RADIUS proxy 154 A RADIUS proxy acts as a RADIUS server to the NAS, and a RADIUS 155 client to the RADIUS server. 157 RADIUS request packet 158 A packet originated by a RADIUS client to a RADIUS server. e.g. 159 Access-Request, Accounting-Request, CoA-Request, or Disconnect- 160 Request. 162 RADIUS response packet 163 A packet sent by a RADIUS server to a RADIUS client, in response to 164 a RADIUS request packet. e.g. Access-Accept, Access-Reject, 165 Access-Challenge, Accounting-Response, CoA-ACK, etc. 167 1.4. Requirements Language 169 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 170 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 171 document are to be interpreted as described in [RFC2119]. 173 2. Changes to RADIUS 175 Adding TCP as a RADIUS transport has a number of impacts on the 176 protocol, on applications using the protocol, and on networks that 177 deploy the protocol. This section outlines those impacts, and 178 defines behaviors. 180 2.1. Packet Format 182 The RADIUS packet format is unchanged from [RFC2865], [RFC2866], and 183 [RFC5176]. Specifically, all of the following portions of RADIUS 184 MUST be unchanged when using RADIUS over TCP: 186 * Packet format 187 * Permitted codes 188 * Request Authenticator calculation 189 * Response Authenticator calculation 190 * Minimum packet length 191 * Maximum packet length 192 * Attribute format 193 * Vendor-Specific Attribute (VSA) format 194 * Permitted data types 195 * Calculations of dynamic attributes such as CHAP-Challenge, 196 or Message-Authenticator. 198 The changes to RADIUS implementations required to implement this 199 specification are largely limited to the code that sends and receives 200 packets on the network. 202 2.2. TCP Ports 204 IANA has already assigned TCP ports for RADIUS transport, as outlined 205 below: 207 * radius 1812/udp 208 * radius-acct 1813/tcp 209 * radius-dynauth 3799/tcp 211 These ports are unused by existing RADIUS applications. 212 Implementations SHOULD use the assigned values as the default ports 213 for RADIUS over TCP. 215 The early deployment of RADIUS was done using UDP port number 1645, 216 which conflicts with the "datametrics" service. Implementations 217 using RADIUS over TCP MUST NOT use TCP ports 1645 or 1646 as the 218 default ports for this specification. 220 2.3. Management Information Base (MIB) 222 The MIB definitions in [RFC4668], [RFC4669], [RFC4670], [RFC4671], 223 [RFC4672], and [RFC4673] each contain only one reference to UDP. 224 These references are in the DESCRIPTION field of the MIB definition, 225 and are in the form of "The UDP port" or "the UDP destination port". 227 Implementations of RADIUS over TCP MAY re-use these MIBs to perform 228 statistics counting for RADIUS over TCP connections. However, 229 implementors are warned that there is no way for these MIBs to 230 distinguish between packets sent over UDP or over TCP transport. 231 Similarly, there is no requirement in RADIUS that the RADIUS services 232 offered over UDP on a particular IP address and port are identical to 233 the RADIUS services offered over TCP on a particular IP address and 234 the same (numerical) port. 236 2.4. Interaction with RadSec 238 IANA has already assigned TCP ports for RadSec transport, as outlined 239 below: 241 * radsec 2083/tcp 243 This value SHOULD be used as the default port for RADIUS over TLS 244 (i.e. RadSec). The "radius" port (1812/tcp) SHOULD NOT be used for 245 RadSec. 247 2.4.1. Applicability 249 As noted in [RFC3539] Section 2.1, for systems originating low 250 numbers of RADIUS request packets, inter-packet spacing is often 251 larger than the RTT. In those situations, RADIUS over TCP SHOULD NOT 252 be used. 254 In general, RADIUS clients generating small amounts of RADIUS traffic 255 SHOULD NOT use TCP. This suggestion will usually apply to most 256 NASes, and to most clients that originate CoA-Request and Disconnect- 257 Request packets. 259 RADIUS over TCP is most applicable to RADIUS proxies that exchange a 260 large volume of packets with RADIUS clients and servers (10's to 261 1000's of packets per second). In those situations, RADIUS over TCP 262 is a good fit, and may result in increased network stability and 263 performance. 265 2.5. RADIUS Proxies 267 As RADIUS is a "hop by hop" protocol, a RADIUS proxy effectively 268 shields the client from any information about downstream servers. 269 While the client may be able to deduce the operational state of the 270 local server (i.e. proxy), it cannot make any determination about the 271 operational state of the downstream servers. 273 If a request is proxied through intermediate proxies, it is not 274 possible to detect which of the later hops is responsible for the 275 absence of a reply. An intermediate proxy also cannot signal that 276 the outage lies in a later hop because RADIUS does not have the 277 ability to carry such signalling information. This issue is further 278 exacerbated by some proxy implementations that do not reply to a 279 client if they do not recieve a reply to a proxied request. 281 When UDP was used as a transport protocol, the absence of a reply can 282 cause a client to deduce (incorrectly) that the proxy is unavailable. 283 The client could then fail over to another server, or conclude that 284 no "live" servers are available. This situation is made even worse 285 when requests are sent through a proxy to multiple destinations. 286 Failures in one destination may result in service outages for other 287 destinations, if the client erroneously believes that the proxy is 288 unresponsive. 290 For RADIUS over TCP, the continued existence of the TCP connection 291 SHOULD be used to deduce that the service on the other end of the 292 connection is still responsive. Further, the application layer 293 watchdog defined in [RFC3539] Section 3.4 enables clients to 294 determine that the server is "live", even though it may not have 295 responded recently to other, non-watchdog requests. 297 RADIUS clients using RADIUS over TCP MUST NOT decide that a 298 connection is down until the application layer watchdog algorithm has 299 marked it DOWN ([RFC3539] Appendix A). RADIUS clients using RADIUS 300 over TCP MUST NOT decide that a RADIUS server is unresponsive until 301 all TCP connections to it have been marked DOWN. 303 2.6. TCP Specific Issues 305 The guidelines defined in [RFC3539] for implementing an AAA protocol 306 operating over a reliable transport MUST be followed by implementors 307 of this specification. 309 The Application Layer Watchdog defined in [RFC3539] Section 3.4 MUST 310 be used. The Status-Server packet [STATUS] MUST be used as the 311 application layer watchdog message. Implementations MUST reserve one 312 RADIUS ID per connection for the application layer watchdog message. 313 This restriction is described further below. 315 Implementations MUST NOT confuse UDP and TCP transport. That is, 316 RADIUS clients and servers MUST be treated as unique based on a key 317 of (IP address, port, transport protocol). Implementations MUST be 318 configurable to have different shared secrets for UDP and TCP to the 319 same destination IP address and numerical port. 321 This requirement does not forbid the traditional practice of using 322 primary and secondary servers in a fail-over relationship. Instead, 323 it requires that two services sharing an IP address and numerical 324 port, but differing in transport protocol, MUST be treated as 325 independent services for the purpose of fail-over, load-balancing, 326 etc. 328 Whenever the underlying operating system permits the use of TCP 329 keepalive socket options, their use is RECOMMENDED. 331 2.6.1. Duplicates and Retransmissions 333 As TCP is a reliable transport, implementors of this specification 334 MUST NOT retransmit RADIUS packets over the same TCP connection. 335 Similarly, if there is no response to a RADIUS packet over one TCP 336 connection, implementations MUST NOT retransmit that packet over a 337 different TCP connection to the same destination IP address and port. 339 However, if the TCP connection is broken or closed, the above 340 requirement can be relaxed somewhat. RADIUS request packets that 341 have not yet received a response MAY be transmitted by a RADIUS 342 client over a new TCP connection. As this procedure involves using a 343 new source port, the ID of the packet MAY change. If the ID changes, 344 any security attributes such as Message-Authenticator MUST be 345 recalculated. 347 If a TCP connection is broken or closed, any cached RADIUS response 348 packets ([RFC5080] Section 2.2.2) associated with that connection 349 MUST be discarded. A RADIUS server SHOULD stop processing any "live" 350 requests associated with that TCP connection. No response to these 351 requests cannot be sent over the TCP connection, so any further 352 processing is pointless. A RADIUS proxy that has a client close it's 353 TCP connection SHOULD silently discard any responses it recieves to a 354 proxied requests that is associated with the original client request. 356 Despite the above requirement, RADIUS servers SHOULD still perform 357 duplicate detection on received packets, as described in [RFC5080] 358 Section 2.2.2. This effort can prevent duplicate processing of 359 packets from non-conformant clients. 361 As noted above, RADIUS packets SHOULD NOT be re-transmitted to the 362 same destination IP and numerical port, but over a different 363 transport layer. There is no guarantee in RADIUS that the two ports 364 are in any way related. This requirement does not forbid the 365 practice of putting multiple servers into a fail-over or load-balance 366 pool. 368 Much of the discussion in this section can be summarized by the 369 following requirement. RADIUS requests MAY be re-transmitted 370 verbatim only if the following 5-tuple (Client IP address, Client 371 port, Transport Protocol, Server IP address, Server port) remains the 372 same. If any field of that 5-typle changes, the packet MUST NOT be 373 considered to be a re-transmission. Instead, the packet MUST be 374 considered to be a new request, and be treated accordingly. (e.g. 375 header calculations, packet signatures, associated timers and 376 counters, etc.) 378 The above requirement is necessary, but not sufficient in all cases. 379 Other specifications give additional situations where the packet is 380 to be considered as a new request. Those recommendations MUST be 381 followed. 383 2.6.2. Shared Secrets 385 The use of shared secrets in calculating the Response Authenticator, 386 and other attributes such as User-Password or Message-Authenticator 387 [RFC3579] MUST be unchanged from previous specifications. 389 Clients and servers MUST be able to store and manage shared secrets 390 based on the key described above, of (IP address, port, transport). 392 2.6.3. Malformed Packets and Unknown Clients 394 The original specifications say that an implement should "silently 395 discard" a packet in a number of circumstances. This action has no 396 further consequences for UDP transport, as the "next" packet is 397 completely independent of the previous one. 399 When TCP is used as a transport, decoding the "next" packet on a 400 connection depends on the proper decoding of the previous packet. As 401 a result, the behavior with respect to discarded packets has to 402 change. 404 Implementations of this specification SHOULD treat the "silently 405 discard" texts referenced above as "silently discard and close the 406 connection." Specifically, the TCP connection MUST be closed if any 407 of the following circumstances are seen: 409 * Packet from an unknown client (using the key as defined above) 410 * Packet with an invalid code field 411 * Packet that is less than the minimim RADIUS packet length 412 * Packet that is more than the minimim RADIUS packet length 413 * A packet that is otherwise malformed, e.g. Attribute Length of 414 0 or 1 415 * Packet where the Request Authenticator fails validation 416 (if applicable) 417 * Packet where the Response Authenticator fails validation 418 * Packet where the Message-Authenticator fails validation 419 * Response packets that do not match any outstanding request 421 These requirements minimize the possibilty for a misbehaving client 422 or server to wreak havoc on the network. 424 2.6.4. Limits of the ID Field 426 The RADIUS ID field is one octet in size. As a result, any one TCP 427 connection can have only 256 "in flight" RADIUS packets at a time. 428 If more than 256 simultaneous "in flight" packets are required, 429 additional TCP connections will need to be opened. This limitation 430 is also noted in [RFC3539] Section 2.4. 432 An additional limit is the requirement to send a Status-Server packet 433 over the same TCP connection as is used for normal requests. As 434 noted in [STATUS], the response to a Status-Server packet is either 435 an Access-Accept, or an Accounting-Response. If all IDs were 436 allocated to normal requests, then there would be no free Id to use 437 for the Status-Server packet, and it could not be sent over the 438 connection. 440 Implementations SHOULD reserve ID zero on each TCP connection for 441 Status-Server packets. This value was picked arbitrarily, as there 442 is no reason to choose any one value over another for this use. 444 It is tempting to extend RADIUS to permit more than 256 outstanding 445 packets on one connection. However, doing so will likely require 446 fundamental changes to the RADIUS protocol, and as such, are outside 447 of the scope of this specification. 449 2.6.5. EAP Sessions 451 When RADIUS clients send EAP requests using RADIUS over TCP, they 452 SHOULD choose the same TCP connection for all packets related to one 453 EAP conversation. A simple method that may often work is hashing the 454 contents of the Calling-Station-Id attribute, which normally contains 455 the MAC accress. The output of that hash can be used to select a 456 particular TCP connection. 458 It may be difficult to implement this suggestion in practice, as busy 459 servers may allocate all RADIUS IDs in one TCP connection in the time 460 between two subsequent EAP packets. It is difficult to suggest 461 simple and reasonable methods to address this issue. 463 2.6.6. TCP Applications are not UDP Applications 465 Implementors should be aware that programming a robust TCP 466 application can be a very different process than programming a robust 467 UDP application. We RECOMMEND that implementors of this 468 specification familiarize themselves with TCP application programming 469 concepts. We RECOMMEND also that existing TCP applications be 470 examined with an eye to robustness, performance, scalability, etc. 472 Clients and servers SHOULD implement configurable connection limits. 473 Allowing an unlimited number of connections may result in resource 474 exhaustion. 476 Further discussion of implementation issues is outside of the scope 477 of this document. 479 3. Diameter Considerations 481 This document defines TCP as a transport layer for RADIUS. It 482 defines no new RADIUS attributes or codes. The only interaction with 483 Diameter is in a RADIUS to Diameter, or in a Diameter to RADIUS 484 gateway. The RADIUS side of such a gateway MAY implement RADIUS over 485 TCP, but this change has no effect on Diameter. 487 4. IANA Considerations 489 This document requires no action by IANA. 491 5. Security Considerations 493 As the RADIUS packet format, signing, and client verification are 494 unchanged from prior specifications, all of the security issues 495 outlined in previous specifications for RADIUS over UDP are also 496 applicable here. 498 As noted above, clients and servers SHOULD support configurable 499 connection limits. Allowing an unlimited number of connections may 500 result in resource exhaustion. 502 There are no (at this time) other known security issues for RADIUS 503 over TCP transport. 505 6. References 507 6.1. Normative References 509 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 510 Requirement Levels", BCP 14, RFC 2119, March 1997. 512 [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote 513 Authentication Dial In User Service (RADIUS)", RFC 2865, June 514 2000. 516 [RFC3539] Aboba, B. et al., "Authentication, Authorization and 517 Accounting (AAA) Transport Profile", RFC 3539, June 2003. 519 6.2. Informative References 521 [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. 523 [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial 524 In User Service) Support For Extensible Authentication 525 Protocol (EAP)", RFC 3579, September 2003. 527 [RFC4668] Nelson, D, "RADIUS Authentication Client MIB for IPv6", RFC 528 4668, August 2006. 530 [RFC4669] Nelson, D, "RADIUS Authentication Server MIB for IPv6", RFC 531 4669, August 2006. 533 [RFC4670] Nelson, D, "RADIUS Accounting Client MIB for IPv6", RFC 4670, 534 August 2006. 536 [RFC4671] Nelson, D, "RADIUS Accounting Server MIB for IPv6", RFC 4671, 537 August 2006. 539 [RFC4672] Nelson, D, "RADIUS Dynamic Authorization Client MIB", RFC 540 4672, August 2006. 542 [RFC4673] Nelson, D, "RADIUS Dynamic Authorization Server MIB", RFC 543 4673, August 2006. 545 [RFC5080] Nelson, D. and DeKok, A, "Common Remote Authentication Dial In 546 User Service (RADIUS) Implementation Issues and Suggested 547 Fixes", RFC 5080, December 2007. 549 [RFC5176] Chiba, M. et al., "Dynamic Authorization Extensions to Remote 550 Authentication Dial In User Service (RADIUS)", RFC 5176, 551 January 2008. 553 [STATUS] DeKok, A., "Use of Status-Server Packets in the Remote 554 Authentication Dial In User Service (RADIUS) Protocol", draft- 555 ietf-radext-status-server-00.txt, June 2008. 557 Acknowledgments 559 None at this time. 561 Authors' Addresses 563 Alan DeKok 564 The FreeRADIUS Server Project 565 http://freeradius.org/ 567 Email: aland@freeradius.org 569 Full Copyright Statement 571 Copyright (C) The IETF Trust (2008). 573 This document is subject to the rights, licenses and restrictions 574 contained in BCP 78, and except as set forth therein, the authors 575 retain all their rights. 577 This document and the information contained herein are provided on an 578 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 579 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 580 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 581 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 582 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 583 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 585 Intellectual Property 587 The IETF takes no position regarding the validity or scope of any 588 Intellectual Property Rights or other rights that might be claimed to 589 pertain to the implementation or use of the technology described in 590 this document or the extent to which any license under such rights 591 might or might not be available; nor does it represent that it has 592 made any independent effort to identify any such rights. Information 593 on the procedures with respect to rights in RFC documents can be 594 found in BCP 78 and BCP 79. 596 Copies of IPR disclosures made to the IETF Secretariat and any 597 assurances of licenses to be made available, or the result of an 598 attempt made to obtain a general license or permission for the use of 599 such proprietary rights by implementers or users of this 600 specification can be obtained from the IETF on-line IPR repository at 601 http://www.ietf.org/ipr. 603 The IETF invites any interested party to bring to its attention any 604 copyrights, patents or patent applications, or other proprietary 605 rights that may cover technology that may be required to implement 606 this standard. Please address the information to the IETF at ietf- 607 ipr@ietf.org. 609 Acknowledgment 611 Funding for the RFC Editor function is provided by the IETF 612 Administrative Support Activity (IASA). 614 Open issues 616 Open issues relating to this document are tracked on the following 617 web site: 619 http://www.drizzle.com/~aboba/RADEXT/