idnits 2.17.1 draft-dekok-radext-tcp-transport-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 15. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 639. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 650. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 657. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 663. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (2 November 2008) is 5651 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-09) exists of draft-ietf-radext-status-server-01 Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. DeKok 3 INTERNET-DRAFT FreeRADIUS 4 Category: Proposed Standard 5 6 Expires: May 02, 2009 7 2 November 2008 9 RADIUS Over TCP 10 draft-dekok-radext-tcp-transport-01 12 By submitting this Internet-Draft, each author represents that any 13 applicable patent or other IPR claims of which he or she is aware 14 have been or will be disclosed, and any of which he or she becomes 15 aware will be disclosed, in accordance with Section 6 of BCP 79. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on May 2, 2009. 35 Copyright Notice 37 Copyright (C) The IETF Trust (2008). 39 Abstract 41 The Remote Authentication Dial In User Server (RADIUS) Protocol has 42 traditionally used the User Datagram Protocol (UDP) as it's 43 underlying transport layer. This document defines RADIUS over the 44 Transmission Control Protocol (TCP). 46 Table of Contents 48 1. Introduction ............................................. 3 49 1.1. Benefits of Reliable Transport ...................... 3 50 1.2. Drawbacks of Reliable Transport ..................... 4 51 1.3. Terminology ......................................... 4 52 1.4. Requirements Language ............................... 5 53 2. Changes to RADIUS ........................................ 5 54 2.1. Packet Format ....................................... 5 55 2.2. Assigned Ports for RADIUS Over TCP .................. 6 56 2.3. Management Information Base (MIB) ................... 6 57 2.4. Interaction with RadSec ............................. 7 58 2.4.1. Applicability .................................. 7 59 2.5. RADIUS Proxies ...................................... 7 60 2.6. TCP Specific Issues ................................. 8 61 2.6.1. Duplicates and Retransmissions ................. 9 62 2.6.2. Shared Secrets ................................. 10 63 2.6.3. Malformed Packets and Unknown Clients .......... 10 64 2.6.4. Limitations of the ID Field .................... 11 65 2.6.5. EAP Sessions ................................... 11 66 2.6.6. TCP Applications are not UDP Applications ...... 12 67 3. Diameter Considerations .................................. 12 68 4. IANA Considerations ...................................... 12 69 5. Security Considerations .................................. 12 70 6. References ............................................... 13 71 6.1. Normative References ................................ 13 72 6.2. Informative References .............................. 13 73 Full Copyright Statement ..................................... 15 74 1. Introduction 76 The RADIUS Protocol has been defined in [RFC2865] as using the User 77 Datagram Protocol (UDP) for the underlying transport layer. While 78 there are a number of benefits to using UDP as outlined in [RFC2865] 79 Section 2.4, there are also some limitations: 81 * Unreliable transport. As a result, systems using RADIUS have to 82 implement application-layer timers and re-transmissions, as 83 described in [RFC5080] Section 2.2.1. 85 * Packet fragmentation. [RFC2865] Section 3 permits RADIUS 86 packets to up to 4096 octets in length. These packets are larger 87 than the default Internet MTU (576), resulting in fragmentation of 88 the packets at the IP layer. Transport of fragmented UDP packets 89 appears to be a poorly tested code path on network devices. Some 90 devices appear to be incapable of transporting fragmented UDP 91 packets, making it difficult to deploy RADIUS in a network where 92 those devices are deployed. 94 * Connectionless transport. Neither clients nor servers can 95 reliably detect when the other is down. This information has to 96 be deduced instead from the absence of a reply to a request. 98 As RADIUS is widely deployed, and has been widely deployed for well 99 over a decade, these issues are relatively minor. However, new 100 systems may be interested in choosing a different set of trade-offs 101 than those outlined in [RFC2865] Section 2.4. For those systems, we 102 define RADIUS over TCP. 104 1.1. Benefits of Reliable Transport 106 There are a number of benefits to using a reliable transport. For 107 example, when RADIUS is used to carry EAP conversions [RFC3579], the 108 EAP exchanges may involve 10 round trips at the RADIUS application 109 layer. If we assume a 0.1% probability of packet loss in each 110 direction, then approximately 2% (1 - 0.999^20) of the authentication 111 attempts will have a lost packet. If we assume a 0.01% packet loss, 112 then 0.2% of authentication attempts will result in a lost packet. 114 These lost packets require the supplicant and/or the NAS to re- 115 transmit packets at the application layer. The difficulty with this 116 approach is that retransmission implementations have historically 117 been poor. Some implementations retransmit packets, others do not, 118 and others send new packets rather then performing retransmission. 119 Some implementations are incapable of detecting EAP retransmissions, 120 and will instead treat the retransmitted packet as an error. 122 These retransmissions have a high likelihood of causing the entire 123 authentication session to fail. For systems with millions to tens of 124 millions of users, such a high authentication failure rate (0.2% to 125 2%) may be unacceptable. 127 In addition, transport of fragmented UDP packets appears to be a 128 poorly tested code path on network devices. Some devices appear to 129 be incapable of transporting fragmented UDP packets, meaning that the 130 packet loss rate for fragmented packets approaches 100 percent. The 131 net effect can be to prevent the deployment of authentication methods 132 such as EAP-TLS that require large RADIUS packets. 134 Using a reliable transport method such as TCP means that RADIUS 135 implementations can remove all application-layer retransmissions, and 136 instead rely on the Operating System (OS) kernel's well-tested TCP 137 transport to ensure reliable delivery. In addition, most TCP 138 implementations discover Path MTU better than RADIUS application 139 implementations, resulting in significantly fewer fragmented packets. 140 Modern TCP implementations also implement anti-spoofing provisions, 141 which is more difficult to do in UDP applications. 143 Transporting RADIUS over TCP means that the RADIUS applications can 144 leverage these additional protections offered by TCP. 146 1.2. Drawbacks of Reliable Transport 148 No protocol is perfect for all uses. RADIUS over TCP has some 149 drawbacks, as noted in [RFC2865] Section 2.4. [RFC3539] Section 2 150 discusses further issues with using TCP as a transport for 151 Authentication, Authorization, and/or Accounting (AAA) protocols such 152 as RADIUS. 154 The impact of these issues is dicussed in more detail below. 156 1.3. Terminology 158 This document uses the following terms: 160 RADIUS client 161 A device that provides an access service for a user to a network. 162 Also referred to as a Network Access Server, or NAS. 164 RADIUS server 165 A RADIUS authentication, authorization, and/or accounting (AAA) 166 server is an entity that provides one or more AAA services to a 167 NAS. 169 RADIUS proxy 170 A RADIUS proxy acts as a RADIUS server to the NAS, and a RADIUS 171 client to the RADIUS server. 173 RADIUS request packet 174 A packet originated by a RADIUS client to a RADIUS server. e.g. 175 Access-Request, Accounting-Request, CoA-Request, or Disconnect- 176 Request. 178 RADIUS response packet 179 A packet sent by a RADIUS server to a RADIUS client, in response to 180 a RADIUS request packet. e.g. Access-Accept, Access-Reject, 181 Access-Challenge, Accounting-Response, CoA-ACK, etc. 183 1.4. Requirements Language 185 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 186 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 187 document are to be interpreted as described in [RFC2119]. 189 2. Changes to RADIUS 191 Adding TCP as a RADIUS transport has a number of impacts on the 192 protocol, on applications using the protocol, and on networks that 193 deploy the protocol. In short, RADIUS over TCP is little more than 194 sending RADIUS formatted messages over a TCP connection. 196 As always, there are additional details that need to be discussed. 197 This section outlines the various impacts of using RADIUS over TCP, 198 and the discusses the proposal in more detail. 200 2.1. Packet Format 202 The RADIUS packet format is unchanged from [RFC2865], [RFC2866], and 203 [RFC5176]. Specifically, all of the following portions of RADIUS 204 MUST be unchanged when using RADIUS over TCP: 206 * Packet format 207 * Permitted codes 208 * Request Authenticator calculation 209 * Response Authenticator calculation 210 * Minimum packet length 211 * Maximum packet length 212 * Attribute format 213 * Vendor-Specific Attribute (VSA) format 214 * Permitted data types 215 * Calculations of dynamic attributes such as CHAP-Challenge, 216 or Message-Authenticator. 218 * Calculation of "encrypted" attributes such as Tunnel-Password. 220 The changes to RADIUS implementations required to implement this 221 specification are largely limited to the portions that send and 222 receive packets on the network. 224 2.2. Assigned Ports for RADIUS Over TCP 226 IANA has already assigned TCP ports for RADIUS transport, as outlined 227 below: 229 * radius 1812/tcp 230 * radius-acct 1813/tcp 231 * radius-dynauth 3799/tcp 233 These ports are unused by existing RADIUS applications. 234 Implementations SHOULD use the assigned values as the default ports 235 for RADIUS over TCP. 237 The early deployment of RADIUS was done using UDP port number 1645, 238 which conflicts with the "datametrics" service. Implementations 239 using RADIUS over TCP MUST NOT use TCP ports 1645 or 1646 as the 240 default ports for this specification. 242 2.3. Management Information Base (MIB) 244 The MIB definitions in [RFC4668], [RFC4669], [RFC4670], [RFC4671], 245 [RFC4672], and [RFC4673] each contain only one reference to UDP. 246 These references are in the DESCRIPTION field of the MIB definition, 247 and are in the form of "The UDP port" or "the UDP destination port". 249 Implementations of RADIUS over TCP SHOULD re-use these MIBs to 250 perform statistics counting for RADIUS over TCP connections. 251 However, implementors are warned that there is no way for these MIBs 252 to distinguish between packets sent over UDP or over TCP transport. 253 Similarly, there is no requirement in RADIUS that the RADIUS services 254 offered over UDP on a particular IP address and port are identical to 255 the RADIUS services offered over TCP on a particular IP address and 256 the same (numerical) port. 258 Implementations of RADIUS over TCP SHOULD include the protocol (UDP) 259 or (TCP) in the radiusAuthServIdent, radiusAuthClientID, 260 radiusAuthClientIdentifier, radiusAccServIdent, radiusAccClientID, or 261 radiusAccClientIdentifier fields of the MIB. This information can 262 help the administrator distinguish capabilities of systems in the 263 network. 265 2.4. Interaction with RadSec 267 IANA has already assigned TCP ports for RadSec (i.e. RADIUS over TLS 268 over TCP), as outlined below: 270 * radsec 2083/tcp 272 This value SHOULD be used as the default port for RADIUS over TLS 273 (i.e. RadSec). The "radius" port (1812/tcp) SHOULD NOT be used for 274 RadSec. 276 2.4.1. Applicability 278 As noted in [RFC3539] Section 2.1, for systems originating low 279 numbers of RADIUS request packets, inter-packet spacing is often 280 larger than the packet RTT. In those situations, RADIUS over TCP 281 SHOULD NOT be used. 283 In general, RADIUS clients generating small amounts of RADIUS traffic 284 SHOULD NOT use TCP. This suggestion will usually apply to most 285 NASes, and to most clients that originate CoA-Request and Disconnect- 286 Request packets. 288 RADIUS over TCP is most applicable to RADIUS proxies that exchange a 289 large volume of packets with RADIUS clients and servers (10's to 290 1000's of packets per second). In those situations, RADIUS over TCP 291 is a good fit, and may result in increased network stability and 292 performance. 294 2.5. RADIUS Proxies 296 As RADIUS is a "hop by hop" protocol, a RADIUS proxy effectively 297 shields the client from any information about downstream servers. 298 While the client may be able to deduce the operational state of the 299 local server (i.e. proxy), it cannot make any determination about the 300 operational state of the downstream servers. 302 If a request is proxied through intermediate proxies, it is not 303 possible to detect which of the later hops is responsible for the 304 absence of a reply. An intermediate proxy also cannot signal that 305 the outage lies in a later hop because RADIUS does not have the 306 ability to carry such signalling information. This issue is further 307 exacerbated by some proxy implementations that do not reply to a 308 client if they do not receive a reply to a proxied request. 310 When UDP was used as a transport protocol, the absence of a reply can 311 cause a client to deduce (incorrectly) that the proxy is unavailable. 312 The client could then fail over to another server, or conclude that 313 no "live" servers are available (OKAY state in [RFC3539] Appendix A). 314 This situation is made even worse when requests are sent through a 315 proxy to multiple destinations. Failures in one destination may 316 result in service outages for other destinations, if the client 317 erroneously believes that the proxy is unresponsive. 319 For RADIUS over TCP, the continued existence of the TCP connection 320 SHOULD be used to deduce that the service on the other end of the 321 connection is still responsive. Further, the application layer 322 watchdog defined in [RFC3539] Section 3.4 enables clients to 323 determine that the server is "live", even though it may not have 324 responded recently to other, non-watchdog requests. 326 RADIUS clients using RADIUS over TCP MUST NOT decide that a 327 connection is down until the application layer watchdog algorithm has 328 marked it DOWN ([RFC3539] Appendix A). RADIUS clients using RADIUS 329 over TCP MUST NOT decide that a RADIUS server is unresponsive until 330 all TCP connections to it have been marked DOWN. 332 2.6. TCP Specific Issues 334 The guidelines defined in [RFC3539] for implementing an AAA protocol 335 operating over a reliable transport MUST be followed by implementors 336 of this specification. 338 The Application Layer Watchdog defined in [RFC3539] Section 3.4 MUST 339 be used. The Status-Server packet [STATUS] MUST be used as the 340 application layer watchdog message. Implementations MUST reserve one 341 RADIUS ID per connection for the application layer watchdog message. 342 This restriction is described further below. 344 Implementations MUST NOT confuse UDP and TCP transport. That is, 345 RADIUS clients and servers MUST be treated as unique based on a key 346 of the three-tuple (IP address, port, transport protocol). 347 Implementations MUST be configurable to have different shared secrets 348 for UDP and TCP to the same destination IP address and numerical 349 port. 351 This requirement does not forbid the traditional practice of using 352 primary and secondary servers in a fail-over relationship. Instead, 353 it requires that two services sharing an IP address and numerical 354 port, but differing in transport protocol, MUST be treated as 355 independent services for the purpose of fail-over, load-balancing, 356 etc. 358 Whenever the underlying operating system permits the use of TCP 359 keepalive socket options, their use is RECOMMENDED. 361 2.6.1. Duplicates and Retransmissions 363 As TCP is a reliable transport, implementors of this specification 364 MUST NOT retransmit RADIUS request packets over the same TCP 365 connection. Similarly, if there is no response to a RADIUS packet 366 over one TCP connection, implementations MUST NOT retransmit that 367 packet over a different TCP connection to the same destination IP 368 address and port, while the first connection is in the OKAY state 369 ([RFC3539] Appendix A). 371 However, if the TCP connection is broken or closed, retransmissions 372 over new connections are permissible. RADIUS request packets that 373 have not yet received a response MAY be transmitted by a RADIUS 374 client over a new TCP connection. As this procedure involves using a 375 new source port, the ID of the packet MAY change. If the ID changes, 376 any security attributes such as Message-Authenticator MUST be 377 recalculated. 379 If a TCP connection is broken or closed, any cached RADIUS response 380 packets ([RFC5080] Section 2.2.2) associated with that connection 381 MUST be discarded. A RADIUS server SHOULD stop processing of any 382 requests associated with that TCP connection. No response to these 383 requests can be sent over the TCP connection, so any further 384 processing is pointless. This requirement applies not only to RADIUS 385 servers, but also to proxies. When a client's connection to a proxy 386 server is closed, there may be responses from a home server that were 387 supposed to be sent by the proxy back over that connection to the 388 client. Since the client connection is closed, those responses from 389 the home server to the proxy server SHOULD be silently discarded by 390 the proxy. 392 Despite the above discussion, RADIUS servers SHOULD still perform 393 duplicate detection on received packets, as described in [RFC5080] 394 Section 2.2.2. This detection can prevent duplicate processing of 395 packets from non-conformant clients. 397 As noted previously, RADIUS packets SHOULD NOT be re-transmitted to 398 the same destination IP and numerical port, but over a different 399 transport layer. There is no guarantee in RADIUS that the two ports 400 are in any way related. This requirement does not forbid the 401 practice of putting multiple servers into a fail-over or load-balance 402 pool. 404 Much of the discussion in this section can be summarized by the 405 following requirement. RADIUS requests MAY be re-transmitted 406 verbatim only if the following 5-tuple (Client IP address, Client 407 port, Transport Protocol, Server IP address, Server port) remains the 408 same. If any field of that 5-tuple changes, the packet MUST NOT be 409 considered to be a re-transmission. Instead, the packet MUST be 410 considered to be a new request, and be treated accordingly. (e.g. 411 header calculations, packet signatures, associated timers and 412 counters, etc.) 414 The above requirement is necessary, but not sufficient in all cases. 415 Other specifications give additional situations where the packet is 416 to be considered as a new request. Those recommendations MUST also 417 be followed. 419 2.6.2. Shared Secrets 421 The use of shared secrets in calculating the Response Authenticator, 422 and other attributes such as User-Password or Message-Authenticator 423 [RFC3579] MUST be unchanged from previous specifications. 425 Clients and servers MUST be able to store and manage shared secrets 426 based on the key described above, of (IP address, port, transport 427 protocol). 429 2.6.3. Malformed Packets and Unknown Clients 431 The RADIUS specifications ([RFC2865], etc.) say that an implemention 432 should "silently discard" a packet in a number of circumstances. 433 This action has no further consequences for UDP transport, as the 434 "next" packet is completely independent of the previous one. 436 When TCP is used as a transport, decoding the "next" packet on a 437 connection depends on the proper decoding of the previous packet. As 438 a result, the behavior with respect to discarded packets has to 439 change. 441 Implementations of this specification SHOULD treat the "silently 442 discard" texts referenced above as "silently discard and close the 443 connection." That is, the TCP connection MUST be closed if any of 444 the following circumstances are seen: 446 * Packet from an unknown client 447 * Packet where the RADIUS "length" field is less than the minimim 448 RADIUS packet length 449 * Packet where the RADIUS "length" field is more than the maximum 450 RADIUS packet length 451 * Packet that has an Attribute "length" field has value of zero 452 or one (0 or 1). 453 * Packet where the attributes do not exactly fill the packet 454 * Packet where the Request Authenticator fails validation 455 (where applicable). 456 * Packet where the Response Authenticator fails validation 457 (where applicable). 458 * Packet where the Message-Authenticator attribute fails 459 validation (where applicable). 461 TCP connections MAY be closed if any of the following circumstances 462 are seen. Alternatively, the TCP connection MAY remain open if any 463 of the following circumstances are seen, but the invalid packet MUST 464 BE silently discarded. 466 * Packet with an invalid code field 467 * Response packets that do not match any outstanding request 469 These requirements minimize the possibility for a misbehaving client 470 or server to wreak havoc on the network. 472 2.6.4. Limitations of the ID Field 474 The RADIUS ID field is one octet in size. As a result, a single TCP 475 connection can only send 256 RADIUS request packets at a time. If 476 those packets are not responded to, no more packets can be sent over 477 that connection. If more packets need to be sent by a client to a 478 server, more TCP connections are needed.. This limitation is also 479 noted in [RFC3539] Section 2.4. 481 An additional limit is the requirement to send a Status-Server packet 482 over the same TCP connection as is used for normal requests. As 483 noted in [STATUS], the response to a Status-Server packet is either 484 an Access-Accept, an Accounting-Response, or a CoA-ACK. If all IDs 485 were allocated to normal requests, then there would be no free Id to 486 use for the Status-Server packet, and it could not be sent over the 487 connection. 489 Implementations SHOULD reserve ID zero on each TCP connection for 490 Status-Server packets. This value was picked arbitrarily, as there 491 is no reason to choose any one value over another for this use. 493 Implementors may be tempted to extend RADIUS to permit more than 256 494 outstanding packets on one connection. However, doing so will likely 495 require fundamental changes to the RADIUS protocol, and as such, is 496 outside of the scope of this specification. 498 2.6.5. EAP Sessions 500 When RADIUS clients send EAP requests using RADIUS over TCP, they 501 SHOULD choose the same TCP connection for all packets related to one 502 EAP conversation. A simple method that may work in many situations 503 is to hash the contents of the Calling-Station-Id attribute, which 504 normally contains the MAC address. The output of that hash can be 505 used to select a particular TCP connection. 507 If this practice is used, then the client SHOULD also reserve one 508 RADIUS Id per TCP connection for a particular EAP session. 510 The retransmission requires of Section 2.6.1, above, MUST be applied 511 to RADIUS encapsulated EAP packets. That is, EAP retransmissions 512 MUST NOT result in retransmissions of RADIUS packets over a 513 particular TCP connection. EAP retransmissions MAY result in 514 retransmission of RADIUS packets over a different TCP connection, but 515 only when the previous TCP connection is marked DOWN as per the 516 algorithm in [RFC3539] Appendix A. 518 2.6.6. TCP Applications are not UDP Applications 520 Implementors should be aware that programming a robust TCP 521 application can be very different from programming a robust UDP 522 application. We RECOMMEND that implementors of this specification 523 familiarize themselves with TCP application programming concepts. We 524 RECOMMEND also that existing TCP applications be examined with an eye 525 to robustness, performance, scalability, etc. 527 Clients and servers SHOULD implement configurable connection limits. 528 Clients and servers SHOULD implement configurable rate limiting on 529 new connections. Allowing an unbounded number or rate of TCP 530 connections may result in resource exhaustion. 532 Further discussion of implementation issues is outside of the scope 533 of this document. 535 3. Diameter Considerations 537 This document defines TCP as a transport layer for RADIUS. It 538 defines no new RADIUS attributes or codes. The only interaction with 539 Diameter is in a RADIUS to Diameter, or in a Diameter to RADIUS 540 gateway. The RADIUS side of such a gateway MAY implement RADIUS over 541 TCP, but this change has no effect on Diameter. 543 4. IANA Considerations 545 This document requires no action by IANA. 547 5. Security Considerations 549 As the RADIUS packet format, signing, and client verification are 550 unchanged from prior specifications, all of the security issues 551 outlined in previous specifications for RADIUS over UDP are also 552 applicable here. 554 As noted above, clients and servers SHOULD support configurable 555 connection limits. Allowing an unlimited number of connections may 556 result in resource exhaustion. 558 There are no (at this time) other known security issues for RADIUS 559 over TCP transport. 561 6. References 563 6.1. Normative References 565 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 566 Requirement Levels", BCP 14, RFC 2119, March 1997. 568 [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote 569 Authentication Dial In User Service (RADIUS)", RFC 2865, June 570 2000. 572 [RFC3539] Aboba, B. et al., "Authentication, Authorization and 573 Accounting (AAA) Transport Profile", RFC 3539, June 2003. 575 6.2. Informative References 577 [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. 579 [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial 580 In User Service) Support For Extensible Authentication 581 Protocol (EAP)", RFC 3579, September 2003. 583 [RFC4668] Nelson, D, "RADIUS Authentication Client MIB for IPv6", RFC 584 4668, August 2006. 586 [RFC4669] Nelson, D, "RADIUS Authentication Server MIB for IPv6", RFC 587 4669, August 2006. 589 [RFC4670] Nelson, D, "RADIUS Accounting Client MIB for IPv6", RFC 4670, 590 August 2006. 592 [RFC4671] Nelson, D, "RADIUS Accounting Server MIB for IPv6", RFC 4671, 593 August 2006. 595 [RFC4672] Nelson, D, "RADIUS Dynamic Authorization Client MIB", RFC 596 4672, August 2006. 598 [RFC4673] Nelson, D, "RADIUS Dynamic Authorization Server MIB", RFC 599 4673, August 2006. 601 [RFC5080] Nelson, D. and DeKok, A, "Common Remote Authentication Dial In 602 User Service (RADIUS) Implementation Issues and Suggested 603 Fixes", RFC 5080, December 2007. 605 [RFC5176] Chiba, M. et al., "Dynamic Authorization Extensions to Remote 606 Authentication Dial In User Service (RADIUS)", RFC 5176, 607 January 2008. 609 [STATUS] DeKok, A., "Use of Status-Server Packets in the Remote 610 Authentication Dial In User Service (RADIUS) Protocol", draft- 611 ietf-radext-status-server-01.txt, June 2008. 613 Acknowledgments 615 None at this time. 617 Authors' Addresses 619 Alan DeKok 620 The FreeRADIUS Server Project 621 http://freeradius.org/ 623 Email: aland@freeradius.org 625 Full Copyright Statement 627 Copyright (C) The IETF Trust (2008). 629 This document is subject to the rights, licenses and restrictions 630 contained in BCP 78, and except as set forth therein, the authors 631 retain all their rights. 633 This document and the information contained herein are provided on an 634 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 635 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 636 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 637 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 638 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 639 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 641 Intellectual Property 643 The IETF takes no position regarding the validity or scope of any 644 Intellectual Property Rights or other rights that might be claimed to 645 pertain to the implementation or use of the technology described in 646 this document or the extent to which any license under such rights 647 might or might not be available; nor does it represent that it has 648 made any independent effort to identify any such rights. Information 649 on the procedures with respect to rights in RFC documents can be 650 found in BCP 78 and BCP 79. 652 Copies of IPR disclosures made to the IETF Secretariat and any 653 assurances of licenses to be made available, or the result of an 654 attempt made to obtain a general license or permission for the use of 655 such proprietary rights by implementers or users of this 656 specification can be obtained from the IETF on-line IPR repository at 657 http://www.ietf.org/ipr. 659 The IETF invites any interested party to bring to its attention any 660 copyrights, patents or patent applications, or other proprietary 661 rights that may cover technology that may be required to implement 662 this standard. Please address the information to the IETF at ietf- 663 ipr@ietf.org. 665 Acknowledgment 667 Funding for the RFC Editor function is provided by the IETF 668 Administrative Support Activity (IASA). 670 Open issues 672 Open issues relating to this document are tracked on the following 673 web site: 675 http://www.drizzle.com/~aboba/RADEXT/