AAA Working Group                                          Pat R. Calhoun
Internet-Draft                                       Black Storm Networks
Category: Standards Track                                       Glen Zorn
                                                      Cisco Systems, Inc.
                                                             David Spence
                                                 Interlink Networks, Inc.
                                                             David Mitton
                                                           Circular Logic
                                                            February 2003

               Diameter Network Access Server Application
                   draft-ietf-aaa-diameter-nasreq-11.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.  The list of Internet-Draft
   Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

   This document is a product of the Authentication, Authorization and
   Accounting (AAA) Working Group of the Internet Engineering Task Force
   (IETF).  Comments are welcome and should be submitted to the mailing
   list aaa-wg@merit.edu.

   Copyright (C) The Internet Society 2003.  All Rights Reserved.

Abstract

   This document describes Diameter applications that are used for
   Authentication, Authorization and Accounting (AAA) in the Network
   Access Server (NAS) environment.  This application, combined with the
   Diameter base protocol, Transport Profile, EAP and CMS Security
   specifications, satisfies typical network access services
   requirements.

   Initial deployments of the Diameter protocol are expected to include
   legacy systems.  Therefore, this application was carefully designed to
   ease the burden of protocol conversion between RADIUS and Diameter.
   This is achieved by including the RADIUS attribute space, and
   eliminating the need to perform many attribute translations.

Table of Contents

   1.  Introduction
       1.1.  Requirements Language
       1.2.  Advertising Application Support
   2.  NAS Calls, Ports, and Sessions
       2.1.  Diameter Session Establishment
       2.2.  Diameter Session Re-Authentication or Re-Authorization
       2.3.  Diameter Session Termination
   3.  NAS Messages
       3.1.  AA-Request (AAR) Command
       3.2.  AA-Answer (AAA) Command
   4.  NAS Session AVPs
       4.1.  Call and Session Information
       4.2.  NAS-Port AVP
       4.3.  NAS-Port-Id AVP
       4.4.  NAS-Port-Type AVP
       4.5.  Called-Station-Id AVP
       4.6.  Calling-Station-Id AVP
       4.7.  Connect-Info AVP
       4.8.  Originating-Line-Info AVP
       4.9.  Reply-Message AVP
       4.10. Termination-Action AVP
   5.  NAS Authentication AVPs
       5.1.  User-Password AVP
       5.2.  Password-Retry AVP
       5.3.  Prompt AVP
       5.4.  CHAP-Auth AVP
       5.5.  CHAP-Algorithm AVP
       5.6.  CHAP-Ident AVP
       5.7.  CHAP-Response AVP
       5.8.  CHAP-Challenge AVP
       5.9.  ARAP-Password AVP
       5.10. ARAP-Challenge-Response AVP
       5.11. ARAP-Security AVP
       5.12. ARAP-Security-Data AVP
   6.  NAS Authorization AVPs
       6.1.  Service-Type AVP
       6.2.  Callback-Number AVP
       6.3.  Callback-Id AVP
       6.4.  Idle-Timeout AVP
       6.5.  Port-Limit AVP
       6.6.  NAS-Filter-Rule AVP
       6.7.  Filter-Id AVP
       6.8.  Configuration-Token AVP
       6.9.  Framed Access Authorization AVPs
             6.9.1.  Framed-Protocol AVP
             6.9.2.  Framed-Routing AVP
             6.9.3.  Framed-MTU AVP
             6.9.4.  Framed-Compression AVP
       6.10. IP Access
             6.10.1. Framed-IP-Address AVP
             6.10.2. Framed-IP-Netmask AVP
             6.10.3. Framed-Route AVP
             6.10.4. Framed-Pool AVP
             6.10.5. Framed-Interface-Id AVP
             6.10.6. Framed-IPv6-Prefix AVP
             6.10.7. Framed-IPv6-Route AVP
             6.10.8. Framed-IPv6-Pool AVP
       6.11. IPX Access
             6.11.1. Framed-IPX-Network AVP
       6.12. Appletalk Access
             6.12.1. Framed-AppleTalk-Link AVP
             6.12.2. Framed-AppleTalk-Network AVP
             6.12.3. Framed-AppleTalk-Zone AVP
       6.13. ARAP Access
             6.13.1. ARAP-Features AVP
             6.13.2. ARAP-Zone-Access AVP
       6.14. Non-Framed Access Authorization AVPs
             6.14.1. Login-IP-Host AVP
             6.14.2. Login-IPv6-Host AVP
             6.14.3. Login-Service AVP
       6.15. TCP Services
             6.15.1. Login-TCP-Port AVP
             6.15.2. LAT Services
             6.15.3. Login-LAT-Service AVP
             6.15.4. Login-LAT-Node AVP
             6.15.5. Login-LAT-Group AVP
             6.15.6. Login-LAT-Port AVP
   7.  Tunneling Group AVPs
       7.1.  Tunnel-Type AVP
       7.2.  Tunnel-Medium-Type AVP
       7.3.  Tunnel-Client-Endpoint AVP
       7.4.  Tunnel-Server-Endpoint AVP
       7.5.  Tunnel-Password AVP
       7.6.  Tunnel-Private-Group-Id AVP
       7.7.  Tunnel-Assignment-Id AVP
       7.8.  Tunnel-Preference AVP
       7.9.  Tunnel-Client-Auth-Id AVP
       7.10. Tunnel-Server-Auth-Id AVP
   8.  NAS Accounting
       8.1.  Accounting-Input-Octets AVP
       8.2.  Accounting-Output-Octets AVP
       8.3.  Accounting-Input-Packets AVP
       8.4.  Accounting-Output-Packets AVP
       8.5.  Acct-Session-Time AVP
       8.6.  Acct-Authentic AVP
       8.7.  Acct-Delay-Time
       8.8.  Acct-Link-Count
       8.9.  Acct-Tunnel-Connection AVP
       8.10. Acct-Tunnel-Packets-Lost AVP
   9.  RADIUS/Diameter Protocol Interactions
       9.1.  RADIUS Request Forwarded as Diameter Request
             9.1.1.  Diameter Request Forwarded as RADIUS Request
       9.2.  AVPs Used Only for Compatibility
             9.2.1.  NAS-Identifier AVP
             9.2.2.  NAS-IP-Address AVP
             9.2.3.  NAS-IPv6-Address AVP
             9.2.4.  State AVP
             9.2.5.  Termination-Cause AVP Code Values
       9.3.  Prohibited RADIUS Attributes
       9.4.  Translatable Diameter AVPs
       9.5.  RADIUS Vendor Specific Attributes
             9.5.1.  Forwarding a Diameter Vendor AVP as a RADIUS VSA
             9.5.2.  Forwarding a RADIUS VSA to a Diameter Vendor AVP
   10. AVP Occurrence Tables
       10.1. AA-Request/Answer AVP Table
       10.2. Accounting AVP Tables
             10.2.1. Accounting Framed Access AVP Table
             10.2.2. Accounting Non-Framed Access AVP Table
   11. IANA Considerations
       11.1. Command Codes
       11.2. AVP Codes
       11.3. Application Identifier
       11.4. CHAP-Algorithm AVP Values
   12. Security Considerations
   13. References
       13.1. Normative References
       13.2. Informative References
   14. Acknowledgements
   15. Authors' Addresses
   Intellectual Property Considerations
   Full Copyright Statement

1. Introduction

   This document describes Diameter applications that are used for AAA
   in the Network Access Server (NAS) environment.  The Diameter NAS
   application, when combined with the Diameter base protocol [Base],
   Transport Profile [DiamTrans], EAP [DiamEAP], and CMS Security
   [DiamCMS] specifications, satisfies NAS-related requirements defined
   in RFC2989 [AAACriteria] and RFC3169 [NASCriteria].

   Initial deployments of the Diameter protocol are expected to include
   legacy systems.  Therefore, this application was carefully designed to
   ease the burden of protocol conversion between RADIUS and Diameter.
   This is achieved by including the RADIUS attribute space, and
   eliminating the need to perform many attribute translations.

   This document first describes the operation of a Diameter NAS
   application.  Then it defines the Diameter message Command-Codes.
   The following sections enumerate the AVPs used in these messages,
   grouped by common usage.  These are Session Identification,
   Authentication, Authorization, and Accounting.  The Authorization
   AVPs are further broken down by service type.  Interaction and
   backwards compatibility issues with RADIUS are discussed in later
   sections.

1.1. Requirements Language

   In this document, the key words "MAY", "MUST", "MUST NOT",
   "OPTIONAL", "RECOMMENDED", "SHOULD", and "SHOULD NOT" are to be
   interpreted as described in [Keywords].

1.2. Advertising Application Support

   Diameter nodes conforming to this specification MAY advertise support
   by including the value of one (1) in the Auth-Application-Id or the
   Acct-Application-Id AVP of the Capabilities-Exchange-Request and
   Capabilities-Exchange-Answer commands [Base].

2. NAS Calls, Ports, and Sessions

   The arrival of a new call or service connection at a port of a
   Network Access Server (NAS) starts a Diameter NAS message exchange.
   Information about the call, the identity of the user, and his
   authentication information are packaged into a Diameter AA-Request
   (AAR) message and sent to a server.

   The server processes the information and responds with a Diameter
   AA-Answer (AAA) message which contains authorization information for
   the NAS, or a failure code (Result-Code AVP).  If the value of
   Result-Code is DIAMETER_MULTI_ROUND_AUTH, an additional authentication
   exchange is indicated, and several AAR and AAA messages may be
   exchanged until the transaction completes.

   Unlike the RADIUS protocol [RADIUS], the Diameter protocol does not
   require authentication information to be contained in a request from
   the client.  Therefore, it is possible to send a request for
   authorization only.  The type of service depends upon the
   Auth-Request-Type AVP.  This difference MAY cause operational issues
   in environments that need RADIUS interoperability, and it MAY be
   necessary that protocol conversion gateways add authentication
   information when transmitting to a RADIUS server.

2.1. Diameter Session Establishment

   When the authentication or authorization exchange completes
   successfully, the NAS application SHOULD start a session context, and
   MAY send an Accounting START_RECORD message [Base].  The failure to
   start a session SHOULD cause an Accounting EVENT_RECORD message.

2.2. Diameter Session Re-Authentication or Re-Authorization

   The Diameter protocol allows for users to be periodically
   re-authenticated and/or re-authorized.  In such instances, the
   Session-Id AVP in the AAR message MUST be the same as the one present
   in the original authentication/authorization message.  A Diameter
   server informs the NAS of the maximum time allowed before
   re-authentication or re-authorization via the Authorization-Lifetime
   AVP [Base].
   Note, however, that the Authorization-Lifetime AVP SHOULD NOT be used
   if the AAR message contained a NAS-IP-Address, NAS-IPv6-Address, or
   NAS-Identifier AVP, since this would mean that the NAS is using
   RADIUS, which does not support server-initiated re-authentication or
   re-authorization.

   A NAS MUST re-authenticate and/or re-authorize after the period
   provided by the server.  Furthermore, it is possible for Diameter
   servers to issue an unsolicited re-authentication and/or
   re-authorization by issuing a Re-Auth-Request message to the NAS.
   Upon receipt of such a message, the NAS is instructed to issue a
   request to re-authenticate and/or re-authorize the client.

2.3. Diameter Session Termination

   When a NAS receives an indication that a user's session is being
   disconnected (e.g. LCP Terminate is received), the NAS MUST issue a
   Session-Termination-Request (STR) [Base] to its Diameter Server.
   This will ensure that any resources maintained on the servers are
   freed appropriately.

   Further, a NAS that receives an Abort-Session-Request (ASR) [Base]
   MUST issue an STR if the session requested is active, and disconnect
   the PPP (or tunneling) session.

   Termination of the session context MUST cause the sending of an
   Accounting STOP_RECORD message [Base], if accounting is active.

   More information on Diameter Session Termination is in [Base] section
   8.4.

3. NAS Messages

   This section defines new Diameter message Command-Code [Base] values
   that MUST be supported by all Diameter implementations that conform
   to this specification.  The Command Codes are:

      Command-Name          Abbrev.    Code     Reference
      --------------------------------------------------------
      AA-Request            AAR        265      3.1
      AA-Answer             AAA        265      3.2

3.1. AA-Request (AAR) Command

   The AA-Request message (AAR), indicated by the Command-Code field set
   to 265 and the 'R' bit set in the Command Flags field, is used in
   order to request authentication and/or authorization for a given NAS
   user.  The type of request is identified through the Auth-Request-Type
   AVP, and the default mode is both authentication and authorization.

   If Authentication is requested, the User-Name attribute SHOULD be
   present, as well as any additional authentication AVPs that would
   carry the password information.  A request for authorization only
   SHOULD include the information from which the authorization will be
   performed, such as the User-Name, Called-Station-Id, or
   Calling-Station-Id AVPs.  All requests SHOULD contain AVPs uniquely
   identifying the source of the call, such as Origin-Host and NAS-Port.
   Certain networks MAY use different AVPs for authorization purposes.
   A request for authorization will include some AVPs defined in
   section 6.

   It is possible for a single session to be authorized first, then
   followed by an authentication request.

   This AA-Request message MAY be the result of a multi-round
   authentication exchange, which occurs when the AA-Answer message is
   received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH.
   A subsequent AAR message SHOULD be sent, with the User-Password AVP
   that includes the user's response to the prompt, and MUST include any
   State AVPs that were present in the AAA message.
   Message Format

      <AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                       < Session-Id >
                       { Auth-Application-Id }
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Request-Type }
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ Origin-State-Id ]
                       [ Destination-Host ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port-Type ]
                       [ Port-Limit ]
                       [ User-Name ]
                       [ User-Password ]
                       [ Service-Type ]
                       [ Idle-Timeout ]
                       [ State ]
                       [ Authorization-Lifetime ]
                       [ Auth-Grace-Period ]
                       [ Auth-Session-State ]
                       [ Session-Timeout ]
                       [ Callback-Number ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                     * [ Class ]
                       [ Originating-Line-Info ]
                       [ Connect-Info ]
                       [ CHAP-Auth ]
                       [ CHAP-Challenge ]
                     * [ Framed-Compression ]
                       [ Framed-Interface-Id ]
                       [ Framed-IP-Address ]
                     * [ Framed-IPv6-Prefix ]
                       [ Framed-IP-Netmask ]
                       [ Framed-MTU ]
                       [ Framed-Protocol ]
                       [ ARAP-Password ]
                       [ ARAP-Security ]
                     * [ ARAP-Security-Data ]
                     * [ Login-IP-Host ]
                     * [ Login-IPv6-Host ]
                       [ Login-LAT-Group ]
                       [ Login-LAT-Node ]
                       [ Login-LAT-Port ]
                       [ Login-LAT-Service ]
                     * [ Tunneling ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.2. AA-Answer (AAA) Command

   The AA-Answer (AAA) message, indicated by the Command-Code field set
   to 265 and the 'R' bit cleared in the Command Flags field, is sent in
   response to the AA-Request message.  If authorization was requested,
   a successful response will include the authorization AVPs appropriate
   for the service being provided, as defined in section 6.

   For authentication exchanges that require more than a single round
   trip, the server MUST set the Result-Code AVP to
   DIAMETER_MULTI_ROUND_AUTH.  An AAA message with this result code MAY
   include one or more Reply-Message AVPs and MAY include zero or one
   State AVP.
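   The AAR/AAA exchange described above, as an added example that is not
   part of this draft: a small Python codec (assuming the 20-octet header
   layout, AVP header layout and base-protocol AVP codes of [Base], with
   constructed identities, port numbers and State values) builds an
   AA-Request, reports any missing or duplicate { } AVP and any NAS-Port
   carrying the V flag that section 4.1 forbids, and walks one
   DIAMETER_MULTI_ROUND_AUTH round, echoing the server's State AVP in the
   follow-up AAR.

```python
import struct

# AA-Request/Answer, NAS-Port, User-Name, User-Password and State come from
# this draft; the other codes and values are from the Diameter base protocol.
CMD_AA = 265
AVP_USER_NAME, AVP_USER_PASSWORD, AVP_NAS_PORT, AVP_STATE = 1, 2, 5, 24
AVP_AUTH_APP_ID, AVP_SESSION_ID, AVP_ORIGIN_HOST = 258, 263, 264
AVP_RESULT_CODE, AVP_AUTH_REQ_TYPE, AVP_DEST_REALM, AVP_ORIGIN_REALM = 268, 274, 283, 296
NASREQ_APP_ID = 1                  # Auth-Application-Id value, section 1.2
AUTHORIZE_AUTHENTICATE = 3         # Auth-Request-Type default (both) [Base]
DIAMETER_MULTI_ROUND_AUTH = 1001   # Result-Code asking for another round [Base]
FLAG_R, FLAG_P = 0x80, 0x40        # Command Flags: Request, Proxiable
AVP_M, AVP_V = 0x40, 0x80          # AVP Flags: Mandatory, Vendor-specific
# AVPs the AAR message format lists as { }: required, exactly once.
AAR_REQUIRED = (AVP_SESSION_ID, AVP_AUTH_APP_ID, AVP_ORIGIN_HOST,
                AVP_ORIGIN_REALM, AVP_DEST_REALM, AVP_AUTH_REQ_TYPE)

def encode_avp(code, data, flags=AVP_M):
    """AVP header is code(4) flags(1) length(3); data is padded to 4 octets."""
    if isinstance(data, int):
        data = struct.pack("!I", data)
    elif isinstance(data, str):
        data = data.encode()
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\0" * (-len(data) % 4))

def decode_avps(payload):
    """Return [(code, flags, data), ...]; reject truncated or short AVPs."""
    avps, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", payload, pos)
        length = int.from_bytes(payload[pos + 5:pos + 8], "big")
        hdr = 12 if flags & AVP_V else 8       # V flag adds a Vendor-Id field
        if length < hdr or pos + length > len(payload):
            raise ValueError("bad AVP length %d" % length)
        avps.append((code, flags, bytes(payload[pos + hdr:pos + length])))
        pos += length + (-length % 4)
    return avps

def encode_message(cmd, cmd_flags, app_id, avps, hbh=1, e2e=1):
    """20-octet header: version, length(3), flags, code(3), app-id, hbh, e2e."""
    body = b"".join(avps)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([cmd_flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + body)

def decode_message(buf):
    """Return (command code, command flags, application id, avps)."""
    if len(buf) < 20 or buf[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    if int.from_bytes(buf[1:4], "big") != len(buf):
        raise ValueError("Message Length does not match the buffer")
    cmd = int.from_bytes(buf[5:8], "big")
    return cmd, buf[4], struct.unpack_from("!I", buf, 8)[0], decode_avps(buf[20:])

def build_aar(session_id, origin_host, origin_realm, dest_realm, user, nas_port,
              state=None, password=None):
    avps = [encode_avp(c, v) for c, v in (
        (AVP_SESSION_ID, session_id), (AVP_AUTH_APP_ID, NASREQ_APP_ID),
        (AVP_ORIGIN_HOST, origin_host), (AVP_ORIGIN_REALM, origin_realm),
        (AVP_DEST_REALM, dest_realm), (AVP_AUTH_REQ_TYPE, AUTHORIZE_AUTHENTICATE),
        (AVP_NAS_PORT, nas_port), (AVP_USER_NAME, user))]
    if password is not None:          # the user's response in a later round
        avps.append(encode_avp(AVP_USER_PASSWORD, password))
    if state is not None:             # section 3.1: MUST echo the AAA's State
        avps.append(encode_avp(AVP_STATE, state))
    return encode_message(CMD_AA, FLAG_R | FLAG_P, NASREQ_APP_ID, avps)

def check_aar(buf):
    """Return the violations found; an empty list means the AAR passes."""
    cmd, cmd_flags, app_id, avps = decode_message(buf)
    problems, counts = [], {}
    if cmd != CMD_AA or not cmd_flags & FLAG_R:
        problems.append("not an AA-Request (Command-Code 265 with the R bit set)")
    if app_id != NASREQ_APP_ID:
        problems.append("header Application-ID is not 1 (NASREQ)")
    for code, flags, _ in avps:
        counts[code] = counts.get(code, 0) + 1
        if code in AAR_REQUIRED and not flags & AVP_M:
            problems.append("required AVP %d lacks the M flag" % code)
        if code == AVP_NAS_PORT and flags & AVP_V:   # section 4.1: V MUST NOT be set
            problems.append("NAS-Port carries the V flag")
    for code in AAR_REQUIRED:
        if counts.get(code, 0) != 1:
            problems.append("AVP %d must appear exactly once" % code)
    return problems

def next_aar_after_aaa(aaa_buf, request_args, password):
    """One multi-round step: on DIAMETER_MULTI_ROUND_AUTH build the follow-up
    AAR carrying the user's response and the server's State; else None."""
    cmd, cmd_flags, _, avps = decode_message(aaa_buf)
    if cmd != CMD_AA or cmd_flags & FLAG_R:
        raise ValueError("not an AA-Answer")
    fields = {code: data for code, _, data in avps}
    if struct.unpack("!I", fields[AVP_RESULT_CODE])[0] != DIAMETER_MULTI_ROUND_AUTH:
        return None                   # exchange is over, with success or failure
    return build_aar(*request_args, state=fields.get(AVP_STATE), password=password)
```

   The checks stop at what the message format and the section 4.1 flag
   table state; the AVP occurrence rules of section 10 are not encoded.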
   If the Reply-Message AVP was present, the access device SHOULD
   display the text message to the user, and MUST prompt the user for a
   response.  If the access device is unable to prompt the user for a
   new response, which could be achieved via PAP, it MUST treat this
   answer as an error, and deny access.

   Message Format

      <AA-Answer> ::= < Diameter Header: 265, PXY >
                      < Session-Id >
                      { Auth-Application-Id }
                      { Auth-Request-Type }
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Service-Type ]
                    * [ Class ]
                    * [ Configuration-Token ]
                      [ Acct-Interim-Interval ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                      [ Idle-Timeout ]
                      [ Authorization-Lifetime ]
                      [ Auth-Grace-Period ]
                      [ Auth-Session-State ]
                      [ Re-Auth-Request-Type ]
                      [ Session-Timeout ]
                      [ State ]
                    * [ Reply-Message ]
                      [ Termination-Action ]
                      [ Origin-State-Id ]
                    * [ Filter-Id ]
                      [ Password-Retry ]
                      [ Port-Limit ]
                      [ Prompt ]
                      [ ARAP-Challenge-Response ]
                      [ ARAP-Features ]
                      [ ARAP-Security ]
                    * [ ARAP-Security-Data ]
                      [ ARAP-Zone-Access ]
                      [ Callback-Id ]
                      [ Callback-Number ]
                      [ Framed-Appletalk-Link ]
                    * [ Framed-Appletalk-Network ]
                      [ Framed-Appletalk-Zone ]
                    * [ Framed-Compression ]
                      [ Framed-Interface-Id ]
                      [ Framed-IP-Address ]
                    * [ Framed-IPv6-Prefix ]
                      [ Framed-IPv6-Pool ]
                    * [ Framed-IPv6-Route ]
                      [ Framed-IP-Netmask ]
                    * [ Framed-Route ]
                      [ Framed-Pool ]
                      [ Framed-IPX-Network ]
                      [ Framed-MTU ]
                      [ Framed-Protocol ]
                      [ Framed-Routing ]
                    * [ Login-IP-Host ]
                    * [ Login-IPv6-Host ]
                      [ Login-LAT-Group ]
                      [ Login-LAT-Node ]
                      [ Login-LAT-Port ]
                      [ Login-LAT-Service ]
                      [ Login-Service ]
                      [ Login-TCP-Port ]
                    * [ NAS-Filter-Rule ]
                    * [ Tunneling ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

4. NAS Session AVPs

   Diameter reserves the AVP Codes 0-255 for RADIUS functions that are
   implemented in Diameter.

   AVPs new to Diameter have code values 256 and greater.  A Diameter
   message that includes one of these AVPs MAY cause interoperability
   issues should the request traverse an AAA node that only supports the
   RADIUS protocol.  However, the Diameter protocol should not be
   hampered from future developments due to the existing installed base.

   There are some RADIUS attributes that are not allowed or supported
   directly in Diameter.  See section 9 below for more information.

4.1. Call and Session Information

   This section contains the NAS unique AVPs that are needed to identify
   call and session context information, and allows the server to set
   constraints on a session.

   These AVPs are used in addition to the Base AVPs of:
      Session-Id
      Auth-Application-Id
      Origin-Host
      Origin-Realm
      Auth-Request-Type

   Common session status AVPs are listed here too.

   The following table describes the Session level AVPs, their AVP Code
   values, types, possible flag values and whether the AVP MAY be
   encrypted.
                                                +---------------------+
                                                |    AVP Flag rules   |
                                                |----+-----+----+-----|----+
                     AVP  Section               |    |     |SHLD| MUST|    |
   Attribute Name    Code Defined  Value Type   |MUST| MAY | NOT| NOT|Encr|
   ---------------------------------------------|----+-----+----+-----|----|
   NAS-Port           5    4.2     Unsigned32   | M  |  P  |    |  V  | Y  |
   NAS-Port-Id        87   4.3     UTF8String   | M  |  P  |    |  V  | Y  |
   NAS-Port-Type      61   4.4     Enumerated   | M  |  P  |    |  V  | Y  |
   Called-Station-Id  30   4.5     UTF8String   | M  |  P  |    |  V  | Y  |
   Calling-Station-Id 31   4.6     UTF8String   | M  |  P  |    |  V  | Y  |
   Connect-Info       77   4.7     UTF8String   | M  |  P  |    |  V  | Y  |
   Originating-Line-  94   4.8     OctetString  |    | M,P |    |  V  | Y  |
     Info                                       |    |     |    |     |    |
   Reply-Message      18   4.9     UTF8String   | M  |  P  |    |  V  | Y  |
   Termination-Action 29   4.10    Enumerated   | M  |  P  |    |  V  | Y  |
   ---------------------------------------------|----+-----+----+-----|----|

4.2. NAS-Port AVP

   The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the
   physical or virtual port number of the NAS which is authenticating
   the user.  Note that this is using "port" in its sense of a service
   connection on the NAS, not in the sense of an IP protocol identifier.

   Either NAS-Port or NAS-Port-Id (AVP Code 87) SHOULD be present in
   AA-Request commands if the NAS differentiates among its ports.

4.3. NAS-Port-Id AVP

   The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists
   of ASCII text that identifies the port of the NAS which is
   authenticating the user.  Note that this is using "port" in its sense
   of a service connection on the NAS, not in the sense of an IP
   protocol identifier.

   Either NAS-Port or NAS-Port-Id SHOULD be present in AA-Request
   commands if the NAS differentiates among its ports.  NAS-Port-Id is
   intended for use by NASes which cannot conveniently number their
   ports.

4.4. NAS-Port-Type AVP

   The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and
   contains the type of the port on which the NAS is authenticating the
   user.  This AVP SHOULD be present if the NAS uses the same NAS-Port
   number ranges for different service types concurrently.

   The supported values are defined in [RADIUSTypes].  The following list
   is informational:

      0   Async
      1   Sync
      2   ISDN Sync
      3   ISDN Async V.120
      4   ISDN Async V.110
      5   Virtual
      6   PIAFS
      7   HDLC Clear Channel
      8   X.25
      9   X.75
      10  G.3 Fax
      11  SDSL - Symmetric DSL
      12  ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase
          Modulation
      13  ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone
      14  IDSL - ISDN Digital Subscriber Line
      15  Ethernet
      16  xDSL - Digital Subscriber Line of unknown type
      17  Cable
      18  Wireless - Other
      19  Wireless - IEEE 802.11

4.5. Called-Station-Id AVP

   The Called-Station-Id AVP (AVP Code 30) is of type UTF8String, and
   allows the NAS to send in the request the ASCII string of the phone
   number that the user called, using Dialed Number Identification
   (DNIS) or a similar technology.  Note that this may be different from
   the phone number the call comes in on.  It SHOULD only be present in
   authentication and/or authorization requests.

   If the Auth-Request-Type AVP is set to authorization-only and the
   User-Name AVP is absent, the Diameter Server MAY perform
   authorization based on this field.  This can be used by a NAS to
   request whether a call should be answered based on the DNIS.

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

4.6. Calling-Station-Id AVP

   The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String, and
   allows the NAS to send in the request the ASCII string of the phone
   number that the call came from, using Automatic Number
   Identification (ANI) or a similar technology.
It SHOULD only be 614 present in authentication and/or authorization requests. 616 If the Auth-Request-Type AVP is set to authorization-only and the 617 User-Name AVP is absent, the Diameter Server MAY perform 618 authorization based on this field. This can be used by a NAS to 619 request whether a call should be answered based on the ANI. 621 The codification of the range of allowed usage of this field is 622 outside the scope of this specification. 624 4.7. Connect-Info AVP 626 The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent 627 in the AA-Request message, and indicates the nature of the user's 628 connection. The connection speed SHOULD be included at the beginning 629 of the first Connect-Info AVP in the message. If the transmit and 630 receive connection speeds differ, they may both be included in the 631 first AVP with the transmit speed first (the speed the NAS modem 632 transmits at), a slash (/), the receive speed, then optionally other 633 information. 635 For example, "28800 V42BIS/LAPM" or "52000/31200 V90". 637 4.8. Originating-Line-Info AVP 639 The Originating-Line-Info AVP (AVP Code 94) is of type OctetString and 640 is sent by the NAS system to convey information about the origin of 641 the call from an SS7 system. 643 The originating line information (OLI) information element indicates 644 the nature and/or characteristics of the line from which a call 645 originated (e.g. payphone, hotel, cellular). Telephone companies are 646 starting to offer OLI to their customers as an option over Primary 647 Rate Interface (PRI). Internet Service Providers (ISPs) can use OLI 648 in addition to Called-Station-Id and Calling-Station-Id attributes to 649 differentiate customer calls and define different services. 651 The Value field contains two octets (00-99). ANSI T1.113 and BELLCORE 652 394 can be used for additional information about those values and 653 their use. For more information on current assignment values see 654 [ANITypes].
656 Value Description 657 ------------------------------------------------------------ 658 00 Plain Old Telephone Service (POTS) 659 01 Multiparty line (more than 2) 660 02 ANI Failure 661 03 ANI Observed 662 04 ONI Observed 663 05 ANI Failure Observed 664 06 Station Level Rating 665 07 Special Operator Handling Required 666 08 InterLATA Restricted 667 10 Test Call 668 20 Automatic Identified Outward Dialing (AIOD) 669 23 Coin or Non-Coin 670 24 Toll Free Service (Non-Pay origination) 671 25 Toll Free Service (Pay origination) 672 27 Toll Free Service (Coin Control origination) 673 29 Prison/Inmate Service 674 30-32 Intercept 675 30 Intercept (blank) 676 31 Intercept (trouble) 677 32 Intercept (regular) 678 34 Telco Operator Handled Call 679 40-49 Unrestricted Use 680 52 Outward Wide Area Telecommunications Service (OUTWATS) 681 60 Telecommunications Relay Service (TRS)(Unrestricted) 682 61 Cellular/Wireless PCS (Type 1) 683 62 Cellular/Wireless PCS (Type 2) 684 63 Cellular/Wireless PCS (Roaming) 685 66 TRS (Hotel) 686 67 TRS (Restricted) 687 70 Pay Station, No coin control 688 93 Access for private virtual network service 690 4.9. Reply-Message AVP 692 The Reply-Message AVP (AVP Code 18) is of type UTF8String, and 693 contains text which MAY be displayed to the user. When used in an 694 AA-Answer message with a successful Result-Code AVP it indicates a 695 success message. When found in the same message with a Result-Code 696 other than Diameter-SUCCESS it contains a failure message. 698 The Reply-Message AVP MAY indicate a dialog message to prompt the 699 user before another AA-Request attempt. When used in an AA-Answer, it 700 MAY indicate a dialog message to prompt the user for a response. 702 Multiple Reply-Message AVPs MAY be included and if any are displayed, 703 they MUST be displayed in the same order as they appear in the 704 message. 706 4.10. Termination-Action AVP
708 The Termination-Action AVP (AVP Code 29) is of type Enumerated and indicates what 709 action the NAS should take when the specified service is completed. 710 This AVP SHOULD only be present in authorization responses. The 711 following values are supported as listed in [RADIUSTypes]: 713 DEFAULT 0 714 Upon termination of the authorized service the NAS MUST 715 terminate the current session. 717 AA-REQUEST 1 718 Upon termination of the authorized service the NAS MAY send a 719 new AA-Request (AAR) command. When the authorized service 720 terminates, the NAS SHOULD NOT terminate the session or 721 generate a Session-Termination-Request (STR) command. Instead, 722 it SHOULD generate a new AAR command which contains the same 723 value of the Session-Id AVP it sent in the previous AAR 724 command. It SHOULD also include the State AVP from the 725 previous AA-Answer (AAA) command if it contained one. 727 An exception to this rule applies, however, if the authorized 728 service terminates due to the expiry of the Session-Timeout 729 AVP. In this case, the NAS MUST terminate the expired session 730 and MAY generate a new AAR command with a new Session-Id. 732 Note: The Termination-Action AVP is typically used for the login 733 service (Service-Type = 1 or "Login") or by 802.1X supplicants 734 [RAD802.1X] (e.g., NAS-Port-Type = 19 or "Wireless - IEEE 802.11"). 736 When used for the login service, the service typically terminates 737 when the login host clears the connection. The NAS may prompt the 738 user for a new connection and issue a new AA-Request. 740 When used by 802.1X supplicants, the service typically terminates due 741 to the expiry of the Session-Timeout AVP. The access device may then 742 reauthenticate the user with a new AA-Request. The RECOMMENDED way 743 to do this in Diameter is to use the Authorization-Lifetime AVP 744 rather than the Termination-Action AVP.
However, the Termination- 745 Action AVP MAY be used when copied from a RADIUS Access-Accept to a 746 Diameter AA-Answer by a Translation Agent. 748 5. NAS Authentication AVPs 750 This section defines the AVPs that are necessary to carry the 751 authentication information in the Diameter protocol. The 752 functionality defined here provides a RADIUS-like AAA service, over a 753 more reliable and secure transport, as defined in the base protocol 754 [Base]. 756 The following table describes the AVPs, their AVP Code values, types, 757 possible flag values and whether the AVP MAY be encrypted. 759 +---------------------+ 760 | AVP Flag rules | 761 |----+-----+----+-----|----+ 762 AVP Section | | |SHLD| MUST| | 763 Attribute Name Code Defined Value Type |MUST| MAY | NOT| NOT|Encr| 764 -----------------------------------------|----+-----+----+-----|----| 765 User-Password 2 5.1 OctetString| M | P | | V | Y | 766 Password-Retry 75 5.2 Unsigned32 | M | P | | V | Y | 767 Prompt 76 5.3 Enumerated | M | P | | V | Y | 768 CHAP-Auth 402 5.4 Grouped | M | P | | V | Y | 769 CHAP-Algorithm 403 5.5 Enumerated | M | P | | V | Y | 770 CHAP-Ident 404 5.6 OctetString| M | P | | V | Y | 771 CHAP-Response 405 5.7 OctetString| M | P | | V | Y | 772 CHAP-Challenge 60 5.8 OctetString| M | P | | V | Y | 773 ARAP-Password 70 5.9 OctetString| M | P | | V | Y | 774 ARAP-Challenge- 84 5.10 OctetString| M | P | | V | Y | 775 Response | | | | | | 776 ARAP-Security 73 5.11 Unsigned32 | M | P | | V | Y | 777 ARAP-Security- 74 5.12 OctetString| M | P | | V | Y | 778 Data | | | | | | 779 -----------------------------------------|----+-----+----+-----|----| 781 5.1. User-Password AVP 783 The User-Password AVP (AVP Code 2) is of type OctetString and 784 contains the password of the user to be authenticated, or the user's 785 input in a multi-round authentication exchange. 787 The User-Password AVP contains a user password or one-time password 788 and therefore represents sensitive information. 
As required in 789 [Base], Diameter messages are protected using IPsec or TLS. Unless 790 this AVP is used for one-time passwords, the User-Password AVP 791 SHOULD NOT be used in untrusted proxy environments without encrypting 792 it using end-to-end security techniques, such as CMS Security 793 [DiamCMS]. 795 The clear-text password (prior to encryption) MUST NOT be longer than 796 128 octets. 798 5.2. Password-Retry AVP 800 The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be 801 included in the AA-Answer if the Result-Code indicates an 802 authentication failure. The value of this AVP indicates how many 803 authentication attempts a user may be permitted before being 804 disconnected. This AVP is primarily intended for use when the Framed- 805 Protocol AVP (see Section 6.9.1) is set to ARAP. 807 5.3. Prompt AVP 809 The Prompt AVP (AVP Code 76) is of type Enumerated, and MAY be 810 present in the AA-Answer message. When present, it is used by the NAS 811 to determine whether the user's response, when entered, should be 812 echoed. 814 The supported values are listed in [RADIUSTypes]. The following list 815 is informational: 817 0 No Echo 818 1 Echo 820 5.4. CHAP-Auth AVP 822 The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the 823 information necessary to authenticate a user using the PPP Challenge- 824 Handshake Authentication Protocol (CHAP) [PPPCHAP]. If the CHAP-Auth 825 AVP is found in a message, the CHAP-Challenge AVP MUST be present as 826 well. The optional AVPs containing the CHAP response depend upon the 827 value of the CHAP-Algorithm AVP. The grouped AVP has the following 828 ABNF grammar: 830 CHAP-Auth ::= < AVP Header: 402 > 831 { CHAP-Algorithm } 832 { CHAP-Ident } 833 [ CHAP-Response ] 834 * [ AVP ] 836 5.5. CHAP-Algorithm AVP 838 The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and 839 contains the algorithm identifier used in the computation of the CHAP 840 response [PPPCHAP].
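As an added worked example (not text or code from this draft), the following Python ties together the CHAP-Auth grouped AVP of Section 5.4 with the CHAP-Algorithm, CHAP-Ident, CHAP-Response and CHAP-Challenge AVPs of Sections 5.5 to 5.8 for the one algorithm value defined here, CHAP with MD5 (5). The NAS side wraps the three inner AVPs in CHAP-Auth; the server side recomputes MD5(Identifier || secret || Challenge) [PPPCHAP] from its stored secret and the separate CHAP-Challenge AVP and compares in constant time. The AVP wire layout (4-octet code, 1-octet flags, 3-octet length, data padded to 4 octets) is the base protocol's [Base]; the Vendor-Id field is omitted because none of these AVPs sets the V bit. The challenge, identifier and secret are constructed for the example.

```python
import hashlib
import hmac
import struct

# AVP codes and the algorithm value from Sections 5.4 to 5.8
CHAP_AUTH = 402
CHAP_ALGORITHM = 403
CHAP_IDENT = 404
CHAP_RESPONSE = 405
CHAP_CHALLENGE = 60
CHAP_WITH_MD5 = 5

FLAG_V = 0x80   # Vendor-specific bit: never set for these AVPs
FLAG_M = 0x40   # Mandatory bit, as the flag-rules table in Section 5 requires


def encode_avp(code, data, flags=FLAG_M):
    """One base-protocol AVP without Vendor-Id: 4-octet code, 1-octet flags,
    3-octet length (header + data, padding excluded), data padded to 4."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def decode_avps(buf):
    """Return [(code, flags, data), ...] for a run of AVPs, refusing any
    length that does not fit the buffer (a truncated or inflated AVP)."""
    avps, off = [], 0
    while off < len(buf):
        if off + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        if flags & FLAG_V:
            raise ValueError("vendor-specific AVP not expected here")
        if length < 8 or off + length > len(buf):
            raise ValueError("bad AVP length")
        avps.append((code, flags, bytes(buf[off + 8:off + length])))
        off += length + (-length) % 4      # skip the padding too
    return avps


def chap_md5_response(ident, secret, challenge):
    """CHAP with MD5 [PPPCHAP]: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_chap_auth(ident, secret, challenge):
    """NAS side: the CHAP-Auth grouped AVP following the ABNF of Section 5.4."""
    inner = (encode_avp(CHAP_ALGORITHM, struct.pack("!I", CHAP_WITH_MD5))
             + encode_avp(CHAP_IDENT, bytes([ident]))
             + encode_avp(CHAP_RESPONSE, chap_md5_response(ident, secret, challenge)))
    return encode_avp(CHAP_AUTH, inner)


def verify_chap_auth(chap_auth_avp, chap_challenge_avp, secret):
    """Server side: check structure first, then recompute and compare the
    response using the CHAP-Challenge AVP that MUST accompany CHAP-Auth."""
    try:
        outer = decode_avps(chap_auth_avp)
        chal = decode_avps(chap_challenge_avp)
    except ValueError:
        return False
    if len(outer) != 1 or outer[0][0] != CHAP_AUTH:
        return False
    if len(chal) != 1 or chal[0][0] != CHAP_CHALLENGE:
        return False
    try:
        fields = {code: data for code, _, data in decode_avps(outer[0][2])}
    except ValueError:
        return False
    if CHAP_ALGORITHM not in fields or CHAP_IDENT not in fields:
        return False                       # both are mandatory in the group
    alg = fields[CHAP_ALGORITHM]
    if len(alg) != 4 or struct.unpack("!I", alg)[0] != CHAP_WITH_MD5:
        return False                       # only CHAP with MD5 (5) is defined
    response = fields.get(CHAP_RESPONSE)
    if response is None or len(response) != 16 or len(fields[CHAP_IDENT]) != 1:
        return False                       # MD5 requires a 16-octet CHAP-Response
    expected = chap_md5_response(fields[CHAP_IDENT][0], secret, chal[0][2])
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values, not taken from the draft
    challenge = bytes(range(16))
    secret = b"correct horse"
    auth = build_chap_auth(7, secret, challenge)
    print(verify_chap_auth(auth, encode_avp(CHAP_CHALLENGE, challenge), secret))
```

Everything that can be checked structurally (one CHAP-Auth, one CHAP-Challenge, algorithm value, identifier and response lengths) is checked before any hashing, so a malformed group fails closed rather than raising in the middle of a comparison.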
The following values are currently supported: 842 CHAP with MD5 5 843 The CHAP response is computed using the procedure described in 844 [PPPCHAP]. This algorithm requires that the CHAP-Response AVP 845 be present in the CHAP-Auth AVP. 847 5.6. CHAP-Ident AVP 849 The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains 850 the one octet CHAP Identifier used in the computation of the CHAP 851 response [PPPCHAP]. 853 5.7. CHAP-Response AVP 855 The CHAP-Response AVP (AVP Code 405) is of type OctetString and 856 contains the 16 octet authentication data provided by the user in 857 response to the CHAP challenge [PPPCHAP]. 859 5.8. CHAP-Challenge AVP 861 The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and 862 contains the CHAP Challenge sent by the NAS to the CHAP peer 863 [PPPCHAP]. 865 5.9. ARAP-Password AVP 867 The ARAP-Password AVP (AVP Code 70) is of type OctetString and is 868 only present when the Framed-Protocol AVP (see Section 6.9.1) is 869 included in the message and is set to ARAP. This AVP MUST NOT be 870 present if either the User-Password or the CHAP-Auth AVP is present. 871 See [RADIUSExt] for more information on the contents of this AVP. 873 5.10. ARAP-Challenge-Response AVP 875 The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString 876 and is only present when the Framed-Protocol AVP (see Section 6.9.1) 877 is included in the message and is set to ARAP. This AVP contains an 8 878 octet response to the dial-in client's challenge. The server 879 calculates this value by taking the dial-in client's challenge from 880 the high order 8 octets of the ARAP-Password AVP and performing DES 881 encryption on this value with the authenticating user's password as 882 the key. If the user's password is less than 8 octets in length, the 883 password is padded at the end with NULL octets to a length of 8 884 before using it as a key. 886 5.11. ARAP-Security AVP
888 The ARAP-Security AVP (AVP Code 73) is of type Unsigned32, and MAY be 889 present in the AA-Answer message if the Framed-Protocol AVP (see 890 Section 6.9.1) is set to the value of ARAP, and the Result-Code AVP 891 is set to DIAMETER_MULTI_ROUND_AUTH. See [RADIUSExt] for more 892 information on the format of this AVP. 894 5.12. ARAP-Security-Data AVP 896 The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString, and MAY 897 be present in the AA-Request or AA-Answer message if the Framed- 898 Protocol AVP is set to the value of ARAP, and the Result-Code AVP is 899 set to DIAMETER_MULTI_ROUND_AUTH. This AVP contains the security 900 module challenge or response associated with the ARAP Security Module 901 specified in ARAP-Security. 903 6. NAS Authorization AVPs 905 This section contains the authorization AVPs that are supported in 906 the NAS Application. The Service-Type AVP SHOULD be present in all 907 messages, and based on its value, additional AVPs defined in this 908 section and section 7 MAY be present. 910 Due to space constraints, the short form IPFiltrRule is used to 911 represent IPFilterRule.
912 +---------------------+ 913 | AVP Flag rules | 914 |----+-----+----+-----|----+ 915 AVP Section | | |SHLD| MUST| | 916 Attribute Name Code Defined Value Type |MUST| MAY | NOT| NOT|Encr| 917 -----------------------------------------|----+-----+----+-----|----| 918 Service-Type 6 6.1 Enumerated | M | P | | V | Y | 919 Callback-Number 19 6.2 UTF8String | M | P | | V | Y | 920 Callback-Id 20 6.3 UTF8String | M | P | | V | Y | 921 Idle-Timeout 28 6.4 Unsigned32 | M | P | | V | Y | 922 Port-Limit 62 6.5 Unsigned32 | M | P | | V | Y | 923 NAS-Filter-Rule 400 6.6 IPFiltrRule| M | P | | V | Y | 924 Filter-Id 11 6.7 UTF8String | M | P | | V | Y | 925 Configuration- 78 6.8 OctetString| M | | | P,V | | 926 Token | | | | | | 927 Framed-Protocol 7 6.9.1 Enumerated | M | P | | V | Y | 928 Framed-Routing 10 6.9.2 Enumerated | M | P | | V | Y | 929 Framed-MTU 12 6.9.3 Unsigned32 | M | P | | V | Y | 930 Framed- 13 6.9.4 Enumerated | M | P | | V | Y | 931 Compression | | | | | | 932 Framed-IP-Address 8 6.10.1 OctetString| M | P | | V | Y | 933 Framed-IP-Netmask 9 6.10.2 OctetString| M | P | | V | Y | 934 Framed-Route 22 6.10.3 UTF8String | M | P | | V | Y | 935 Framed-Pool 88 6.10.4 OctetString| M | P | | V | Y | 936 Framed- 96 6.10.5 Unsigned64 | M | P | | V | Y | 937 Interface-Id | | | | | | 938 Framed-IPv6- 97 6.10.6 OctetString| M | P | | V | Y | 939 Prefix | | | | | | 940 Framed-IPv6- 99 6.10.7 UTF8String | M | P | | V | Y | 941 Route | | | | | | 942 Framed-IPv6-Pool 100 6.10.8 OctetString| M | P | | V | Y | 943 Framed-IPX- 23 6.11.1 UTF8String | M | P | | V | Y | 944 Network | | | | | | 945 Framed-Appletalk- 37 6.12.1 Unsigned32 | M | P | | V | Y | 946 Link | | | | | | 947 Framed-Appletalk- 38 6.12.2 Unsigned32 | M | P | | V | Y | 948 Network | | | | | | 949 Framed-Appletalk- 39 6.12.3 OctetString| M | P | | V | Y | 950 Zone | | | | | | 951 ARAP-Features 71 6.13.1 OctetString| M | P | | V | Y | 952 ARAP-Zone-Access 72 6.13.2 Enumerated | M | P | | V | Y | 953 Login-IP-Host 
14 6.14.1 OctetString| M | P | | V | Y | 954 Login-IPv6-Host 98 6.14.2 OctetString| M | P | | V | Y | 955 Login-Service 15 6.14.3 Enumerated | M | P | | V | Y | 956 Login-TCP-Port 16 6.15.1 Unsigned32 | M | P | | V | Y | 957 Login-LAT-Service 34 6.16.1 OctetString| M | P | | V | Y | 958 Login-LAT-Node 35 6.16.2 OctetString| M | P | | V | Y | 959 Login-LAT-Group 36 6.16.3 OctetString| M | P | | V | Y | 960 Login-LAT-Port 63 6.16.4 OctetString| M | P | | V | Y | 961 -----------------------------------------|----+-----+----+-----|----| 963 6.1. Service-Type AVP 965 The Service-Type AVP (AVP Code 6) is of type Enumerated and contains 966 the type of service the user has requested, or the type of service to 967 be provided. One such AVP MAY be present in an authentication and/or 968 authorization request or response. A NAS is not required to implement 969 all of these service types, and MUST treat unknown or unsupported 970 Service-Types as though a response with a Result-Code other than 971 Diameter-SUCCESS had been received instead. 973 When used in a request, the Service-Type AVP SHOULD be considered to 974 be a hint to the server that the NAS has reason to believe the user 975 would prefer the kind of service indicated, but the server is not 976 required to honor the hint. 979 The complete list of defined values can be found in [RADIUS] and 980 [RADIUSTypes]. The following list is informational: 982 1 Login 983 2 Framed 984 3 Callback Login 985 4 Callback Framed 986 5 Outbound 987 6 Administrative 988 7 NAS Prompt 989 8 Authenticate Only 990 9 Callback NAS Prompt 991 10 Call Check 992 11 Callback Administrative 993 12 Voice 994 13 Fax 995 14 Modem Relay 997 The following values are further qualified: 999 Login 1 1000 The user should be connected to a host. The message MAY include 1001 additional AVPs defined in sections 6.15 or 6.16.
1003 Framed 2 1004 A Framed Protocol should be started for the User, such as PPP 1005 or SLIP. The message MAY include additional AVPs defined in 1006 sections 6.9, or 7 for tunneling services. 1008 Callback Login 3 1009 The user should be disconnected and called back, then connected 1010 to a host. The message MAY include additional AVPs defined in 1011 this section. 1013 Callback Framed 4 1014 The user should be disconnected and called back, then a Framed 1015 Protocol should be started for the User, such as PPP or SLIP. 1016 The message MAY include additional AVPs defined in sections 1017 6.9, or 7 for tunneling services. 1019 6.2. Callback-Number AVP 1021 The Callback-Number AVP (AVP Code 19) is of type UTF8String, and 1022 contains a dialing string to be used for callback. It MAY be used in 1023 an authentication and/or authorization request as a hint to the 1024 server that a Callback service is desired, but the server is not 1025 required to honor the hint in the corresponding response. 1027 The codification of the range of allowed usage of this field is 1028 outside the scope of this specification. 1030 6.3. Callback-Id AVP 1032 The Callback-Id AVP (AVP Code 20) is of type UTF8String, and contains 1033 the name of a place to be called, to be interpreted by the NAS. This 1034 AVP MAY be present in an authentication and/or authorization 1035 response. 1037 This AVP is not roaming-friendly since it assumes that the Callback- 1038 Id is configured on the NAS. It is therefore preferable to use the 1039 Callback-Number AVP instead. 1041 6.4. Idle-Timeout AVP 1043 The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the 1044 maximum number of consecutive seconds of idle connection allowed to 1045 the user before termination of the session or prompt. 
It MAY be used 1046 in an authentication and/or authorization request (or challenge) as a 1047 hint to the server that an idle timeout is desired, but the server is 1048 not required to honor the hint in the corresponding response. 1050 6.5. Port-Limit AVP 1052 The Port-Limit AVP (AVP Code 62) is of type Unsigned32 and sets the 1053 maximum number of ports to be provided to the user by the NAS. It 1054 MAY be used in an authentication and/or authorization request as a 1055 hint to the server that multilink PPP [PPPMP] service is desired, but 1056 the server is not required to honor the hint in the corresponding 1057 response. 1059 6.6. NAS-Filter-Rule AVP 1061 The NAS-Filter-Rule AVP (AVP Code 400) is of type IPFilterRule, and 1062 provides filter rules that need to be configured on the NAS for the 1063 user. One or more such AVPs MAY be present in an authorization 1064 response. 1066 6.7. Filter-Id AVP 1068 The Filter-Id AVP (AVP Code 11) is of type UTF8String, and contains 1069 the name of the filter list for this user. Zero or more Filter-Id 1070 AVPs MAY be sent in an authorization answer. 1072 Identifying a filter list by name allows the filter to be used on 1073 different NASes without regard to filter-list implementation details. 1074 However, this AVP is not roaming friendly since filter naming differs 1075 from one service provider to another. 1077 In non-RADIUS environments, it is RECOMMENDED that the NAS-Filter- 1078 Rule AVP be used instead. 1080 6.8. Configuration-Token AVP 1082 The Configuration-Token AVP (AVP Code 78) is of type OctetString and 1083 is sent by a Diameter Server to a Diameter Proxy Agent or Translation 1084 Agent in an AA-Answer command to indicate a type of user profile to 1085 be used. It should not be sent to a Diameter Client (NAS). 1087 The format of the Data field of this AVP is site specific. 1089 6.9. 
Framed Access Authorization AVPs 1091 This section contains the authorization AVPs that are necessary to 1092 support framed access, such as PPP, SLIP, etc. AVPs defined in this 1093 section MAY be present in a message if the Service-Type AVP was set 1094 to "Framed" or "Callback Framed". 1096 6.9.1. Framed-Protocol AVP 1098 The Framed-Protocol AVP (AVP Code 7) is of type Enumerated and 1099 contains the framing to be used for framed access. This AVP MAY be 1100 present in both requests and responses. The supported values are 1101 listed in [RADIUSTypes]. The following list is informational: 1103 1 PPP 1104 2 SLIP 1105 3 AppleTalk Remote Access Protocol (ARAP) 1106 4 Gandalf proprietary SingleLink/MultiLink protocol 1107 5 Xylogics proprietary IPX/SLIP 1108 6 X.75 Synchronous 1110 6.9.2. Framed-Routing AVP 1112 The Framed-Routing AVP (AVP Code 10) is of type Enumerated and 1113 contains the routing method for the user, when the user is a router 1114 to a network. This AVP SHOULD only be present in authorization 1115 responses. The supported values are listed in [RADIUSTypes]. The 1116 following list is informational: 1118 0 None 1119 1 Send routing packets 1120 2 Listen for routing packets 1121 3 Send and Listen 1123 6.9.3. Framed-MTU AVP 1125 The Framed-MTU AVP (AVP Code 12) is of type Unsigned32 and contains 1126 the Maximum Transmission Unit to be configured for the user, when it 1127 is not negotiated by some other means (such as PPP). This AVP SHOULD 1128 only be present in authorization responses. The MTU value MUST be in 1129 the range of 64 and 65535. 1131 6.9.4. Framed-Compression AVP 1133 The Framed-Compression AVP (AVP Code 13) is of type Enumerated and 1134 contains the compression protocol to be used for the link. It MAY be 1135 used in an authorization request as a hint to the server that a 1136 specific compression type is desired, but the server is not required 1137 to honor the hint in the corresponding response. 
1139 More than one compression protocol AVP MAY be sent. It is the 1140 responsibility of the NAS to apply the proper compression protocol to 1141 appropriate link traffic. 1143 The supported values are listed in [RADIUSTypes]. The following list 1144 is informational: 1146 0 None 1147 1 VJ TCP/IP header compression 1148 2 IPX header compression 1149 3 Stac-LZS compression 1151 6.10. IP Access 1153 The AVPs defined in this section are used when the user requests, or 1154 is being granted, access to IP. They are only present if the Framed- 1155 Protocol AVP (see Section 6.9.1) is set to PPP, SLIP, Gandalf 1156 proprietary SingleLink/MultiLink protocol, or X.75 Synchronous. 1158 6.10.1. Framed-IP-Address AVP 1160 The Framed-IP-Address AVP (AVP Code 8) [RADIUS] is of type 1161 OctetString and contains an IPv4 address, of the type specified in 1162 the attribute value, to be configured for the user. It MAY be used in 1163 an authorization request as a hint to the server that a specific 1164 address is desired, but the server is not required to honor the hint 1165 in the corresponding response. 1167 Two IPv4 addresses have special significance; 0xFFFFFFFF and 1168 0xFFFFFFFE. The value 0xFFFFFFFF indicates that the NAS should allow 1169 the user to select an address (e.g. Negotiated). The value 0xFFFFFFFE 1170 indicates that the NAS should select an address for the user (e.g. 1171 Assigned from a pool of addresses kept by the NAS). 1173 6.10.2. Framed-IP-Netmask AVP 1175 The Framed-IP-Netmask AVP (AVP Code 9) is of type OctetString and 1176 contains the four octets of the IPv4 netmask to be configured for the 1177 user when the user is a router to a network. It MAY be used in an 1178 authorization request as a hint to the server that a specific netmask 1179 is desired, but the server is not required to honor the hint in the 1180 corresponding response. This AVP MUST be present in a response if the 1181 request included this AVP with a value of 0xFFFFFFFF. 1183 6.10.3. Framed-Route AVP
1185 The Framed-Route AVP (AVP Code 22) is of type UTF8String, and 1186 contains the ASCII routing information to be configured for the user 1187 on the NAS. Zero or more such AVPs MAY be present in an authorization 1188 response. 1190 The string MUST contain a destination prefix in dotted quad form 1191 optionally followed by a slash and a decimal length specifier stating 1192 how many high order bits of the prefix should be used. That is 1193 followed by a space, a gateway address in dotted quad form, a space, 1194 and one or more metrics separated by spaces. For example, 1195 "192.0.2.0/24 192.0.2.1 1". 1197 The length specifier may be omitted in which case it should default 1198 to 8 bits for class A prefixes, 16 bits for class B prefixes, and 24 1199 bits for class C prefixes. For example, "192.0.2.0 192.0.2.1 1". 1201 Whenever the gateway address is specified as "0.0.0.0" the IP address 1202 of the user SHOULD be used as the gateway address. 1204 6.10.4. Framed-Pool AVP 1206 The Framed-Pool AVP (AVP Code 88) is of type OctetString and contains 1207 the name of an assigned address pool that SHOULD be used to assign an 1208 address for the user. If a NAS does not support multiple address 1209 pools, the NAS SHOULD ignore this AVP. Address pools are usually 1210 used for IP addresses, but can be used for other protocols if the NAS 1211 supports pools for those protocols. 1213 Although specified as type OctetString for compatibility with RADIUS 1214 [RADIUSExt], the encoding of the Data field SHOULD also conform to 1215 the rules for the UTF8String Data Format. 1217 6.10.5. Framed-Interface-Id AVP 1219 The Framed-Interface-Id AVP (AVP Code 96) is of type Unsigned64 and 1220 contains the IPv6 interface identifier to be configured for the user.
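The following is an added example, not part of this draft, that parses the Framed-Route strings of Section 6.10.3 and the Framed-IPv6-Route strings of Section 6.10.7 into a network, a gateway and a metric list, applying the two special rules those sections state: the classful default length when an IPv4 "/length" is omitted, and substitution of the user's own address when the gateway is "0.0.0.0" or the IPv6 unspecified address. The sample strings are constructed here with documentation prefixes, and the user address passed in is an assumption of the example.

```python
import ipaddress

# Constructed sample strings in the Framed-Route / Framed-IPv6-Route
# format (documentation prefixes; not taken from the draft)
SAMPLE_ROUTES_V4 = [
    "192.0.2.0/24 192.0.2.1 1",
    "192.0.2.0 192.0.2.1 1",       # no /length: classful default applies
    "10.0.0.0 0.0.0.0 1 2",        # gateway 0.0.0.0: use the user's address
]
SAMPLE_ROUTES_V6 = [
    "2001:db8:0:106::/64 2001:db8::106:a00:20ff:fe99:a998 1",
    "2001:db8:0:106::/64 :: 1",    # unspecified gateway: use the user's address
]


def classful_prefix_length(addr):
    """Default length when Framed-Route omits /length: 8, 16 or 24 bits
    for a class A, B or C prefix (first octet 0-127, 128-191, 192-223)."""
    first = int(addr) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("no classful default for %s" % addr)


def parse_framed_route(text, user_address, family):
    """Parse one Framed-Route (family=4) or Framed-IPv6-Route (family=6)
    string into (network, gateway, [metrics]). Every deviation from the
    grammar raises ValueError, so a malformed answer installs nothing."""
    parts = text.split(" ")
    if len(parts) < 3 or "" in parts:
        raise ValueError("expected: prefix gateway metric [metric ...]")
    prefix, gateway, metrics = parts[0], parts[1], parts[2:]
    user = ipaddress.ip_address(user_address)
    if user.version != family:
        raise ValueError("user address is not IPv%d" % family)

    if "/" in prefix:
        addr_text, length_text = prefix.split("/", 1)
        addr = ipaddress.ip_address(addr_text)
        if not length_text.isdigit():
            raise ValueError("bad prefix length %r" % length_text)
        plen = int(length_text)
    elif family == 4:
        addr = ipaddress.ip_address(prefix)
        plen = classful_prefix_length(addr)
    else:
        raise ValueError("Framed-IPv6-Route requires an explicit /length")
    if addr.version != family:
        raise ValueError("prefix is not IPv%d" % family)
    net_cls = ipaddress.IPv4Network if family == 4 else ipaddress.IPv6Network
    network = net_cls((str(addr), plen), strict=True)   # host bits set -> error

    gw = ipaddress.ip_address(gateway)
    if gw.version != family:
        raise ValueError("gateway is not IPv%d" % family)
    if gw.is_unspecified:
        gw = user                 # "0.0.0.0" or "::": the user is the next hop

    if not all(m.isdigit() for m in metrics):
        raise ValueError("metrics must be decimal integers")
    return network, gw, [int(m) for m in metrics]


def routes_for_user(strings, user_address, family):
    """Parse all route AVPs of one answer; one bad string rejects the set."""
    return [parse_framed_route(s, user_address, family) for s in strings]


if __name__ == "__main__":
    for net, gw, metrics in routes_for_user(SAMPLE_ROUTES_V4, "192.0.2.77", 4):
        print(net, "via", gw, "metrics", metrics)
    for net, gw, metrics in routes_for_user(SAMPLE_ROUTES_V6, "2001:db8::1", 6):
        print(net, "via", gw, "metrics", metrics)
```

A NAS installing routes from an authorization answer should treat the string as untrusted input: a missing metric, host bits set in the prefix, a mixed address family, an IPv6 prefix without a length or a non-numeric metric raises rather than silently producing a route.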
1221 The Framed-Interface-Id AVP MAY be used in authorization requests as a hint to the server that 1222 a specific interface id is desired, but the server is not required to 1223 honor the hint in the corresponding response. 1225 6.10.6. Framed-IPv6-Prefix AVP 1227 The Framed-IPv6-Prefix AVP (AVP Code 97) is of type OctetString and 1228 contains the IPv6 prefix to be configured for the user. One or more 1229 AVPs MAY be used in authorization requests as a hint to the server 1230 that specific IPv6 prefixes are desired, but the server is not 1231 required to honor the hint in the corresponding response. 1233 6.10.7. Framed-IPv6-Route AVP 1235 The Framed-IPv6-Route AVP (AVP Code 99) is of type UTF8String, and 1236 contains the ASCII routing information to be configured for the user 1237 on the NAS. Zero or more such AVPs MAY be present in an authorization 1238 response. 1240 The string MUST contain an IPv6 address prefix followed by a slash 1241 and a decimal length specifier stating how many high order bits of 1242 the prefix should be used. That is followed by a space, a gateway 1243 address in hexadecimal notation, a space, and one or more metrics 1244 separated by spaces. For example: 1245 "2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1". 1247 Whenever the gateway address is the IPv6 unspecified address the IP 1248 address of the user SHOULD be used as the gateway address, such as: 1250 "2000:0:0:106::/64 :: 1". 1252 6.10.8. Framed-IPv6-Pool AVP 1254 The Framed-IPv6-Pool AVP (AVP Code 100) is of type OctetString, and 1255 contains the name of an assigned pool that SHOULD be used to assign 1256 an IPv6 prefix for the user. If the access device does not support 1257 multiple prefix pools, it MUST ignore this AVP. 1259 Although specified as type OctetString for compatibility with RADIUS 1260 [RADIUSIPv6], the encoding of the Data field SHOULD also conform to 1261 the rules for the UTF8String Data Format. 1263 6.11. IPX Access
1265 The AVPs defined in this section are used when the user requests, or 1266 is being granted, access to IPX. They are only present if the Framed- 1267 Protocol AVP (see Section 6.9.1) is set to PPP, Xylogics proprietary 1268 IPX/SLIP, Gandalf proprietary SingleLink/MultiLink protocol, or X.75 1269 Synchronous. 1271 6.11.1. Framed-IPX-Network AVP 1273 The Framed-IPX-Network AVP (AVP Code 23) is of type UTF8String, and 1274 contains the IPX Network number to be configured for the user. It MAY 1275 be used in an authorization request as a hint to the server that a 1276 specific address is desired, but the server is not required to honor 1277 the hint in the corresponding response. 1279 Two addresses have special significance; 0xFFFFFFFF and 0xFFFFFFFE. 1280 The value 0xFFFFFFFF indicates that the NAS should allow the user to 1281 select an address (e.g. Negotiated). The value 0xFFFFFFFE indicates 1282 that the NAS should select an address for the user (e.g. assigned 1283 from a pool of one or more IPX networks kept by the NAS). 1285 6.12. Appletalk Access 1287 The AVPs defined in this section are used when the user requests, or 1288 is being granted, access to Appletalk. They are only present if the 1289 Framed-Protocol AVP (see Section 6.9.1) is set to PPP, Gandalf 1290 proprietary SingleLink/MultiLink protocol, or X.75 Synchronous. 1292 6.12.1. Framed-AppleTalk-Link AVP 1294 The Framed-AppleTalk-Link AVP (AVP Code 37) is of type Unsigned32 and 1295 contains the AppleTalk network number which should be used for the 1296 serial link to the user, which is another AppleTalk router. This AVP 1297 MUST only be present in an authorization response and is never used 1298 when the user is not another router. 1300 Despite the size of the field, values range from zero to 65535. The 1301 special value of zero indicates that this is an unnumbered serial 1302 link.
A value of one to 65535 means that the serial line between the 1303 NAS and the user should be assigned that value as an AppleTalk 1304 network number. 1306 6.12.2. Framed-AppleTalk-Network AVP 1308 The Framed-AppleTalk-Network AVP (AVP Code 38) is of type Unsigned32 1309 and contains the AppleTalk Network number which the NAS should probe 1310 to allocate an AppleTalk node for the user. This AVP MUST only be 1311 present in an authorization response and is never used when the user 1312 is not another router. Multiple instances of this AVP indicate that 1313 the NAS may probe using any of the network numbers specified. 1315 Despite the size of the field, values range from zero to 65535. The 1316 special value zero indicates that the NAS should assign a network for 1317 the user, using its default cable range. A value between one and 1318 65535 (inclusive) indicates the AppleTalk Network the NAS should 1319 probe to find an address for the user. 1321 6.12.3. Framed-AppleTalk-Zone AVP 1323 The Framed-AppleTalk-Zone AVP (AVP Code 39) is of type OctetString 1324 and contains the AppleTalk Default Zone to be used for this user. 1325 This AVP MUST only be present in an authorization response. Multiple 1326 instances of this AVP in the same message are not allowed. 1328 The codification of the range of allowed usage of this field is 1329 outside the scope of this specification. 1331 6.13. ARAP Access 1333 The AVPs defined in this section are used when the user requests, or 1334 is being granted, access to ARAP. They are only present if the 1335 Framed-Protocol AVP (see Section 6.9.1) is set to AppleTalk Remote 1336 Access Protocol (ARAP). 1338 6.13.1. ARAP-Features AVP 1340 The ARAP-Features AVP (AVP Code 71) is of type OctetString, and MAY 1341 be present in the AA-Answer message if the Framed-Protocol AVP is set 1342 to the value of ARAP. See [RADIUSExt] for more information on the 1343 format of this AVP. 1345 6.13.2. ARAP-Zone-Access AVP
1347 The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated, and MAY 1348 be present in the AA-Answer message if the Framed-Protocol AVP is set 1349 to the value of ARAP. 1351 The supported values are listed in [RADIUSTypes], and are defined in 1352 [RADIUSExt]. 1354 6.14. Non-Framed Access Authorization AVPs 1356 This section contains the authorization AVPs that are needed to 1357 support terminal server functionality. AVPs defined in this section 1358 MAY be present in a message if the Service-Type AVP was set to 1359 "Login" or "Callback Login". 1361 6.14.1. Login-IP-Host AVP 1363 The Login-IP-Host AVP (AVP Code 14) [RADIUS] is of type OctetString 1364 and contains the IPv4 address of a host with which to connect the 1365 user when the Login-Service AVP is included. It MAY be used in an 1366 AA-Request command as a hint to the Diameter Server that a specific 1367 host is desired, but the Diameter Server is not required to honor the 1368 hint in the AA-Answer. 1370 Two addresses have special significance: All ones and 0. The value 1371 of all ones indicates that the NAS SHOULD allow the user to select an 1372 address. The value 0 indicates that the NAS SHOULD select a host to 1373 connect the user to. 1375 6.14.2. Login-IPv6-Host AVP 1377 The Login-IPv6-Host AVP (AVP Code 98) [RADIUSIPv6] is of type 1378 OctetString and contains the IPv6 address of a host with which to 1379 connect the user when the Login-Service AVP is included. It MAY be 1380 used in an AA-Request command as a hint to the Diameter Server that a 1381 specific host is desired, but the Diameter Server is not required to 1382 honor the hint in the AA-Answer. 1384 Two addresses have special significance: 1385 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0. The value 1386 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD 1387 allow the user to select an address. The value 0 indicates that the 1388 NAS SHOULD select a host to connect the user to. 1390 6.14.3.
Login-Service AVP 1392 The Login-Service AVP (AVP Code 15) is of type Enumerated and 1393 contains the service which should be used to connect the user to the 1394 login host. This AVP SHOULD only be present in authorization 1395 responses. 1397 The supported values are listed in [RADIUSTypes]. The following list 1398 is informational: 1400 0 Telnet 1401 1 Rlogin 1402 2 TCP Clear 1403 3 PortMaster (proprietary) 1404 4 LAT 1405 5 X25-PAD 1406 6 X25-T3POS 1407 8 TCP Clear Quiet (suppresses any NAS-generated connect 1408 string) 1410 6.15. TCP Services 1412 The AVPs described in this section MAY be present if the Login- 1413 Service AVP is set to Telnet, Rlogin, TCP Clear or TCP Clear Quiet. 1415 6.15.1. Login-TCP-Port AVP 1417 The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and 1418 contains the TCP port with which the user is to be connected, when 1419 the Login-Service AVP is also present. This AVP SHOULD only be 1420 present in authorization responses. The value MUST NOT be greater 1421 than 65535. 1423 6.15.2. LAT Services 1425 The AVP described in this section MAY be present if the Login-Service 1426 AVP is set to LAT. 1428 6.15.3. Login-LAT-Service AVP 1430 The Login-LAT-Service AVP (AVP Code 34) is of type OctetString and 1431 contains the system with which the user is to be connected by LAT. It 1432 MAY be used in an authorization request as a hint to the server that 1433 a specific service is desired, but the server is not required to 1434 honor the hint in the corresponding response. This AVP MUST only be 1435 present in the response if the Login-Service AVP states that LAT is 1436 desired. 1438 Administrators use the service attribute when dealing with clustered 1439 systems, such as a VAX or Alpha cluster. In such an environment 1440 several different time sharing hosts share the same resources (disks, 1441 printers, etc.), and administrators often configure each to offer 1442 access (service) to each of the shared resources. 
In this case, each host in the cluster advertises its services through LAT broadcasts.

Sophisticated users often know which service providers (machines) are faster and tend to use a node name when initiating a LAT connection. Alternately, some administrators want particular users to use certain machines as a primitive form of load balancing (although LAT knows how to do load balancing itself).

The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension [ISOLatin]. All LAT string comparisons are case insensitive.

6.15.4. Login-LAT-Node AVP

The Login-LAT-Node AVP (AVP Code 35) is of type OctetString and contains the Node with which the user is to be automatically connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific LAT node is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Service-Type AVP is set to LAT.

The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension [ISOLatin]. All LAT string comparisons are case insensitive.

6.15.5. Login-LAT-Group AVP

The Login-LAT-Group AVP (AVP Code 36) is of type OctetString and contains a string identifying the LAT group codes which this user is authorized to use. It MAY be used in an authorization request as a hint to the server that a specific group is desired, but the server is not required to honor the hint in the corresponding response.
This AVP MUST only be present in a response if the Service-Type AVP is set to LAT.

LAT supports 256 different group codes, which LAT uses as a form of access rights. LAT encodes the group codes as a 256 bit bitmap.

Administrators can assign one or more of the group code bits at the LAT service provider; it will only accept LAT connections that have these group codes set in the bit map. The administrators assign a bitmap of authorized group codes to each user; LAT gets these from the operating system, and uses these in its requests to the service providers.

The codification of the range of allowed usage of this field is outside the scope of this specification.

6.15.6. Login-LAT-Port AVP

The Login-LAT-Port AVP (AVP Code 63) is of type OctetString and contains the Port with which the user is to be connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific port is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Service-Type AVP is set to LAT.

The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension [ISOLatin]. All LAT string comparisons are case insensitive.

7. Tunneling Group AVPs

The Tunneling AVP (AVP Code 401) is of type Grouped and contains the following AVPs used to describe a compulsory tunnel service [RADTunnels], [RADTunlAcct].
Its Data field has the following ABNF grammar:

   Tunneling ::= < AVP Header: 401 >
                 { Tunnel-Type }
                 { Tunnel-Medium-Type }
                 { Tunnel-Client-Endpoint }
                 { Tunnel-Server-Endpoint }
                 [ Tunnel-Preference ]
                 [ Tunnel-Client-Auth-Id ]
                 [ Tunnel-Server-Auth-Id ]
                 [ Tunnel-Assignment-Id ]
                 [ Tunnel-Password ]
                 [ Tunnel-Private-Group-Id ]

                                                    +---------------------+
                                                    |    AVP Flag rules   |
                                                    |----+-----+----+-----|----+
                             AVP  Section           |    |     |SHLD| MUST|    |
   Attribute Name            Code Defined Value Type|MUST| MAY | NOT| NOT |Encr|
   -------------------------------------------------|----+-----+----+-----|----|
   Tunneling                  401  7.0   Grouped    | M  |  P  |    |  V  | N  |
   Tunnel-Type                 64  7.1   Enumerated | M  |  P  |    |  V  | Y  |
   Tunnel-Medium-Type          65  7.2   Enumerated | M  |  P  |    |  V  | Y  |
   Tunnel-Client-Endpoint      66  7.3   UTF8String | M  |  P  |    |  V  | Y  |
   Tunnel-Server-Endpoint      67  7.4   UTF8String | M  |  P  |    |  V  | Y  |
   Tunnel-Password             69  7.5   OctetString| M  |  P  |    |  V  | Y  |
   Tunnel-Private-Group-Id     81  7.6   UTF8String | M  |  P  |    |  V  | Y  |
   Tunnel-Assignment-Id        82  7.7   OctetString| M  |  P  |    |  V  | Y  |
   Tunnel-Preference           83  7.8   Unsigned32 | M  |  P  |    |  V  | Y  |
   Tunnel-Client-Auth-Id       90  7.9   Unsigned32 | M  |  P  |    |  V  | Y  |
   Tunnel-Server-Auth-Id       91  7.10  OctetString| M  |  P  |    |  V  | Y  |
   -------------------------------------------------|----+-----+----+-----|----|

7.1. Tunnel-Type AVP

The Tunnel-Type AVP (AVP Code 64) is of type Enumerated and contains the tunneling protocol(s) to be used (in the case of a tunnel initiator) or the tunneling protocol in use (in the case of a tunnel terminator). It MAY be used in an authorization request as a hint to the server that a specific tunnel type is desired, but the server is not required to honor the hint in the corresponding response.

The Tunnel-Type AVP SHOULD also be included in Accounting-Request messages.

A tunnel initiator is not required to implement any of these tunnel types; if a tunnel initiator receives a response that contains only unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave as though a response was received with the Result-Code indicating a failure.

The supported values are listed in [RADIUSTypes]. The following list is informational:

    1  Point-to-Point Tunneling Protocol (PPTP)
    2  Layer Two Forwarding (L2F)
    3  Layer Two Tunneling Protocol (L2TP)
    4  Ascend Tunnel Management Protocol (ATMP)
    5  Virtual Tunneling Protocol (VTP)
    6  IP Authentication Header in the Tunnel-mode (AH)
    7  IP-in-IP Encapsulation (IP-IP)
    8  Minimal IP-in-IP Encapsulation (MIN-IP-IP)
    9  IP Encapsulating Security Payload in the Tunnel-mode (ESP)
   10  Generic Route Encapsulation (GRE)
   11  Bay Dial Virtual Services (DVS)
   12  IP-in-IP Tunneling
   13  Virtual LANs (VLAN)

7.2. Tunnel-Medium-Type AVP

The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and contains the transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports. It MAY be used in an authorization request as a hint to the server that a specific medium is desired, but the server is not required to honor the hint in the corresponding response.

The supported values are listed in [RADIUSTypes].
The following list is informational:

    1  IPv4 (IP version 4)
    2  IPv6 (IP version 6)
    3  NSAP
    4  HDLC (8-bit multidrop)
    5  BBN 1822
    6  802 (includes all 802 media plus Ethernet "canonical format")
    7  E.163 (POTS)
    8  E.164 (SMDS, Frame Relay, ATM)
    9  F.69 (Telex)
   10  X.121 (X.25, Frame Relay)
   11  IPX
   12  Appletalk
   13  Decnet IV
   14  Banyan Vines
   15  E.164 with NSAP format subaddress

7.3. Tunnel-Client-Endpoint AVP

The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String, and contains the address of the initiator end of the tunnel. It MAY be used in an authorization request as a hint to the server that a specific endpoint is desired, but the server is not required to honor the hint in the corresponding response.

This AVP SHOULD be included in the corresponding Accounting-Request messages, in which case it indicates the address from which the tunnel was initiated. This AVP, along with the Tunnel-Server-Endpoint and Session-Id AVP [Base], MAY be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.

If Tunnel-Medium-Type is IPv4 (1), then this string is either the fully qualified domain name (FQDN) of the tunnel client machine, or it is a "dotted-decimal" IP address. Conformant implementations MUST support the dotted-decimal format and SHOULD support the FQDN format for IP addresses.

If Tunnel-Medium-Type is IPv6 (2), then this string is either the FQDN of the tunnel client machine, or it is a text representation of the address in either the preferred or alternate form [IPv6Addr]. Conformant implementations MUST support the preferred form and SHOULD support both the alternate text form and the FQDN format for IPv6 addresses.

If Tunnel-Medium-Type is neither IPv4 nor IPv6, this string is a tag referring to configuration data local to the Diameter client that describes the interface and medium-specific address to use.

7.4. Tunnel-Server-Endpoint AVP

The Tunnel-Server-Endpoint AVP (AVP Code 67) is of type UTF8String, and contains the address of the server end of the tunnel. It MAY be used in an authorization request as a hint to the server that a specific endpoint is desired, but the server is not required to honor the hint in the corresponding response.

This AVP SHOULD be included in the corresponding Accounting-Request messages, in which case it indicates the address from which the tunnel was initiated. This AVP, along with the Tunnel-Client-Endpoint and Session-Id AVP [Base], MAY be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.

If Tunnel-Medium-Type is IPv4 (1), then this string is either the fully qualified domain name (FQDN) of the tunnel client machine, or it is a "dotted-decimal" IP address. Conformant implementations MUST support the dotted-decimal format and SHOULD support the FQDN format for IP addresses.

If Tunnel-Medium-Type is IPv6 (2), then this string is either the FQDN of the tunnel client machine, or it is a text representation of the address in either the preferred or alternate form [IPv6Addr]. Conformant implementations MUST support the preferred form and SHOULD support both the alternate text form and the FQDN format for IPv6 addresses.

If Tunnel-Medium-Type is not IPv4 or IPv6, this string is a tag referring to configuration data local to the Diameter client that describes the interface and medium-specific address to use.

7.5. Tunnel-Password AVP

The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may contain a password to be used to authenticate to a remote server. The Tunnel-Password AVP contains sensitive information. This value is not protected in the same manner as RADIUS [RADTunnels].

As required in [Base], Diameter messages are encrypted using IPsec or TLS. The Tunnel-Password AVP SHOULD NOT be used in untrusted proxy environments without encrypting it using end-to-end security techniques, such as CMS Security [DiamCMS].

7.6. Tunnel-Private-Group-Id AVP

The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type UTF8String, and contains the group Id for a particular tunneled session. The Tunnel-Private-Group-Id AVP MAY be included in an authorization request if the tunnel initiator can pre-determine the group resulting from a particular connection and SHOULD be included in the authorization response if this tunnel session is to be treated as belonging to a particular private group. Private groups may be used to associate a tunneled session with a particular group of users. For example, it MAY be used to facilitate routing of unregistered IP addresses through a particular interface. This AVP SHOULD be included in the Accounting-Request messages which pertain to the tunneled session.

7.7. Tunnel-Assignment-Id AVP

The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and is used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned. Some tunneling protocols, such as [PPTP] and [L2TP], allow for sessions between the same two tunnel endpoints to be multiplexed over the same tunnel and also for a given session to utilize its own dedicated tunnel. This attribute provides a mechanism for Diameter to be used to inform the tunnel initiator (e.g. PAC, LAC) whether to assign the session to a multiplexed tunnel or to a separate tunnel. Furthermore, it allows for sessions sharing multiplexed tunnels to be assigned to different multiplexed tunnels.

A particular tunneling implementation may assign differing characteristics to particular tunnels. For example, different tunnels may be assigned different QOS parameters. Such tunnels may be used to carry either individual or multiple sessions. The Tunnel-Assignment-Id attribute thus allows the Diameter server to indicate that a particular session is to be assigned to a tunnel that provides an appropriate level of service. It is expected that any QOS-related Diameter tunneling attributes defined in the future that accompany this attribute will be associated by the tunnel initiator with the Id given by this attribute. In the meantime, any semantic given to a particular Id string is a matter left to local configuration in the tunnel initiator.

The Tunnel-Assignment-Id AVP is of significance only to Diameter and the tunnel initiator. The Id it specifies is intended to be of only local use to Diameter and the tunnel initiator. The Id assigned by the tunnel initiator is not conveyed to the tunnel peer.

This attribute MAY be included in authorization responses. The tunnel initiator receiving this attribute MAY choose to ignore it and assign the session to an arbitrary multiplexed or non-multiplexed tunnel between the desired endpoints. This AVP SHOULD also be included in the Accounting-Request messages which pertain to the tunneled session.

If a tunnel initiator supports the Tunnel-Assignment-Id AVP, then it should assign a session to a tunnel in the following manner:

- If this AVP is present and a tunnel exists between the specified endpoints with the specified Id, then the session should be assigned to that tunnel.

- If this AVP is present and no tunnel exists between the specified endpoints with the specified Id, then a new tunnel should be established for the session and the specified Id should be associated with the new tunnel.

- If this AVP is not present, then the session is assigned to an unnamed tunnel. If an unnamed tunnel does not yet exist between the specified endpoints then it is established and used for this and subsequent sessions established without the Tunnel-Assignment-Id attribute. A tunnel initiator MUST NOT assign a session for which a Tunnel-Assignment-Id AVP was not specified to a named tunnel (i.e. one that was initiated by a session specifying this AVP).

Note that the same Id may be used to name different tunnels if such tunnels are between different endpoints.

7.8. Tunnel-Preference AVP

The Tunnel-Preference AVP (AVP Code 83) is of type Unsigned32 and is used to identify the relative preference assigned to each tunnel when more than one set of tunneling AVPs is returned within separate Grouped-AVP AVPs. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response.

For example, suppose that AVPs describing two tunnels are returned by the server, one with a Tunnel-Type of PPTP and the other with a Tunnel-Type of L2TP. If the tunnel initiator supports only one of the Tunnel-Types returned, it will initiate a tunnel of that type. If, however, it supports both tunnel protocols, it SHOULD use the value of the Tunnel-Preference AVP to decide which tunnel should be started. The tunnel having the numerically lowest value in the Value field of this AVP SHOULD be given the highest preference.
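As an added illustration (not code from the draft or any Diameter implementation), the following Python sketch shows how a tunnel initiator can apply the Section 7.7 assignment rules together with the Tunnel-Preference selection just described: unsupported Tunnel-Types are dropped (and an answer with only unsupported types is treated as a failure, per Section 7.1), the lowest Tunnel-Preference wins, equal preferences fall back to a locally configured metric, and a session without Tunnel-Assignment-Id can only ever land on the unnamed tunnel. The endpoint names, the `local_rank` metric and the session identifiers are assumptions made for the example.

```python
"""Tunnel selection and assignment on a tunnel initiator (e.g. an L2TP LAC).

Added illustration, not code from the draft. It applies the rules of
Section 7.7 (Tunnel-Assignment-Id) and Section 7.8 (Tunnel-Preference).
The local tie-break metric and the endpoint strings are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Tunnel-Type values from the informational list in Section 7.1.
PPTP, L2F, L2TP = 1, 2, 3


@dataclass(frozen=True)
class TunnelingGroup:
    """One Tunneling grouped AVP (AVP Code 401) decoded from an answer."""
    tunnel_type: int
    client_endpoint: str                    # Tunnel-Client-Endpoint
    server_endpoint: str                    # Tunnel-Server-Endpoint
    preference: int = 0                     # Tunnel-Preference; lower wins
    assignment_id: Optional[bytes] = None   # Tunnel-Assignment-Id, if present


@dataclass
class Tunnel:
    client_endpoint: str
    server_endpoint: str
    tunnel_type: int
    assignment_id: Optional[bytes]          # None marks the unnamed tunnel
    sessions: list = field(default_factory=list)


class TunnelInitiator:
    def __init__(self, supported_types, local_rank=None):
        self.supported_types = set(supported_types)
        # Locally configured metric (assumed): lower rank is preferred.
        # Consulted only when two groups carry the same Tunnel-Preference.
        self.local_rank = dict(local_rank or {})
        self.tunnels = []

    def choose(self, groups):
        """Section 7.8: pick the Tunneling group to act on.

        Returns None when every group carries an unknown or unsupported
        Tunnel-Type; Section 7.1 says that case MUST be treated as a failure.
        """
        usable = [g for g in groups if g.tunnel_type in self.supported_types]
        if not usable:
            return None
        return min(usable, key=lambda g: (g.preference,
                                          self.local_rank.get(g.tunnel_type, 0)))

    def _find(self, group, assignment_id):
        """Existing tunnel between the group's endpoints carrying this Id."""
        for t in self.tunnels:
            if (t.client_endpoint == group.client_endpoint
                    and t.server_endpoint == group.server_endpoint
                    and t.assignment_id == assignment_id):
                return t
        return None

    def assign(self, session_id, group):
        """Section 7.7: place the session on a tunnel and return that tunnel.

        A named Id matches only tunnels between the same endpoints, so the
        same Id may name different tunnels between different endpoints. A
        session without Tunnel-Assignment-Id (assignment_id None) matches
        only the unnamed tunnel, never a named one.
        """
        tunnel = self._find(group, group.assignment_id)
        if tunnel is None:
            tunnel = Tunnel(group.client_endpoint, group.server_endpoint,
                            group.tunnel_type, group.assignment_id)
            self.tunnels.append(tunnel)
        tunnel.sessions.append(session_id)
        return tunnel
```

The match in `_find` is deliberately keyed on endpoints plus Id only, which is exactly what the three bullets above require; a deployment that also wants tunnel characteristics (Tunnel-Type, QOS) to be part of the identity would extend the key, since the draft leaves the meaning of an Id string to local configuration.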
The values assigned to two or more instances of the Tunnel-Preference AVP within a given authorization response MAY be identical. In this case, the tunnel initiator SHOULD use locally configured metrics to decide which set of AVPs to use.

7.9. Tunnel-Client-Auth-Id AVP

The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type Unsigned32 and specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in the authorization response if an authentication name other than the default is desired. This AVP SHOULD be included in the Accounting-Request messages which pertain to the tunneled session.

7.10. Tunnel-Server-Auth-Id AVP

The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type OctetString and specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in the authorization response if an authentication name other than the default is desired. This AVP SHOULD be included in the Accounting-Request messages which pertain to the tunneled session.

8. NAS Accounting

Applications implementing this specification use Diameter Accounting as defined in the Base [Base] with the addition of the AVPs in the following section.

Accounting Request messages (ACR) SHOULD be sent after any Authentication or Authorization transaction and at the end of a Session. The Accounting-Record-Type value indicates the type of event.
All other AVPs identify the session and provide additional information relevant to the event.

If Authentication and Authorization are contained in one message (typical case), then one START_RECORD should be sent. If Authentication and Authorization occur in separate transactions, the first message should generate a START_RECORD, and the later, an INTERIM_RECORD. For a given session, there should only be one set of matching START and STOP records, with any number of INTERIM_RECORDs in between, or one EVENT_RECORD.

The following table describes the AVPs, their AVP Code values, types, possible flag values and whether the AVP MAY be encrypted.

                                                    +---------------------+
                                                    |    AVP Flag rules   |
                                                    |----+-----+----+-----|----+
                             AVP  Section           |    |     |SHLD| MUST|    |
   Attribute Name            Code Defined Value Type|MUST| MAY | NOT| NOT |Encr|
   -------------------------------------------------|----+-----+----+-----|----|
   Accounting-Input-Octets    363  8.1   Unsigned64 | M  |  P  |    |  V  | Y  |
   Accounting-Output-Octets   364  8.2   Unsigned64 | M  |  P  |    |  V  | Y  |
   Accounting-Input-Packets   365  8.3   Unsigned64 | M  |  P  |    |  V  | Y  |
   Accounting-Output-Packets  366  8.4   Unsigned64 | M  |  P  |    |  V  | Y  |
   Acct-Session-Time           46  8.5   Unsigned32 | M  |  P  |    |  V  | Y  |
   Acct-Authentic              45  8.6   Enumerated | M  |  P  |    |  V  | Y  |
   Acct-Delay-Time             41  8.7   Unsigned32 | M  |  P  |    |  V  | Y  |
   Acct-Link-Count             51  8.8   Unsigned32 | M  |  P  |    |  V  | Y  |
   Acct-Tunnel-Connection      68  8.9   OctetString| M  |  P  |    |  V  | Y  |
   Acct-Tunnel-Packets-Lost    86  8.10  Unsigned32 | M  |  P  |    |  V  | Y  |
   -------------------------------------------------|----+-----+----+-----|----|

8.1. Accounting-Input-Octets AVP

The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64, and contains the number of octets received from the user.

For NAS usage, this AVP indicates how many octets have been received from the port in the course of this session and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.2. Accounting-Output-Octets AVP

The Accounting-Output-Octets AVP (AVP Code 364) is of type Unsigned64, and contains the number of octets sent to the user.

For NAS usage, this AVP indicates how many octets have been sent to the port in the course of this session and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.3. Accounting-Input-Packets AVP

The Accounting-Input-Packets AVP (AVP Code 365) is of type Unsigned64, and contains the number of packets received from the user.

For NAS usage, this AVP indicates how many packets have been received from the port over the course of a session being provided to a Framed User and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.4. Accounting-Output-Packets AVP

The Accounting-Output-Packets AVP (AVP Code 366) is of type Unsigned64, and contains the number of IP packets sent to the user.

For NAS usage, this AVP indicates how many packets have been sent to the port over the course of a session being provided to a Framed User and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.5. Acct-Session-Time AVP

The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32, and indicates the length of the current session in seconds. It can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.6. Acct-Authentic AVP

The Acct-Authentic AVP (AVP Code 45) is of type Enumerated, and specifies how the user was authenticated.
The supported values are listed in [RADIUSTypes]. The following list is informational:

   1  RADIUS
   2  Local
   3  Remote
   4  Diameter

8.7. Acct-Delay-Time AVP

The Acct-Delay-Time AVP (AVP Code 41) is of type Unsigned32 and indicates the number of seconds during which the Diameter client has been trying to send the Accounting-Request (ACR) which contains it. The accounting server may subtract this value from the time the ACR arrives at the server to calculate the approximate time of the event that caused the ACR to be generated.

This AVP is not used for retransmissions at the transport level (TCP or SCTP). Rather, it may be used when an ACR command cannot be transmitted because there is no appropriate peer to transmit it to, or was rejected because it could not be delivered to its destination. In these cases, the command MAY be buffered and transmitted some time later when an appropriate peer connection is available or after sufficient time has passed that the destination host may be reachable and operational. If the ACR is resent in this way the Acct-Delay-Time AVP SHOULD be included. The value of this AVP indicates the number of seconds that elapsed between the time of the first attempt at transmission and the current attempt at transmission.

8.8. Acct-Link-Count AVP

The Acct-Link-Count AVP (AVP Code 51) is of type Unsigned32 and indicates the total number of links that have been active (current or closed) in a given multilink session, at the time the accounting record is generated. This AVP MAY be included in Accounting-Requests for any session which may be part of a multilink service.

The Acct-Link-Count AVP may be used to make it easier for an accounting server to know when it has all the records for a given multilink service.
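As an added illustration (not code from the draft), the following Python sketch implements the bookkeeping an accounting server needs for this: per Acct-Multi-Session-Id it counts STOP_RECORD requests by distinct Session-Id and compares that count with the largest Acct-Link-Count seen in those STOP_RECORDs. Its sample input is a constructed re-typing of the eight-request sequence this section tabulates; Accounting-Record-Type values are spelled as names rather than Base protocol numbers, and the abbreviated "...10"-style identifiers follow the draft's table.

```python
"""Acct-Link-Count bookkeeping for an accounting server (Section 8.8).

Added illustration, not code from the draft. Rule applied: once the number
of STOP_RECORD ACRs seen for one Acct-Multi-Session-Id, counted by distinct
Session-Id, equals the largest Acct-Link-Count carried by those STOP_RECORDs,
every STOP_RECORD for that multilink service has arrived. The sample ACRs
are a constructed re-typing of the eight-request table in Section 8.8.
"""
from collections import defaultdict


class MultilinkTracker:
    def __init__(self):
        self._stop_sessions = defaultdict(set)   # multi-session-id -> {Session-Id}
        self._max_link_count = defaultdict(int)  # multi-session-id -> max Acct-Link-Count

    def observe(self, acr):
        """Feed one ACR (dict of the relevant AVPs).

        Returns True on the ACR that completes the multilink service and
        False otherwise. START and INTERIM records never complete anything.
        """
        if acr["Accounting-Record-Type"] != "STOP_RECORD":
            return False
        msid = acr["Acct-Multi-Session-Id"]
        # A retransmitted STOP_RECORD carries the same Session-Id; the set
        # keeps it from being counted as an extra link.
        self._stop_sessions[msid].add(acr["Session-Id"])
        # Acct-Link-Count is optional (MAY); an ACR without it contributes 0,
        # so a service whose STOPs never carry the AVP is never declared done.
        self._max_link_count[msid] = max(self._max_link_count[msid],
                                         acr.get("Acct-Link-Count", 0))
        return len(self._stop_sessions[msid]) == self._max_link_count[msid]

    def stops_seen(self, msid):
        """Number of distinct links for which a STOP_RECORD has arrived."""
        return len(self._stop_sessions[msid])


def record(msid, sid, rtype, links):
    """Build the subset of ACR AVPs this check needs (constructed data)."""
    return {"Acct-Multi-Session-Id": msid, "Session-Id": sid,
            "Accounting-Record-Type": rtype, "Acct-Link-Count": links}


# Constructed sample: the eight ACRs of the table in Section 8.8, in order.
SAMPLE_ACRS = [
    record("...10", "...10", "START_RECORD", 1),
    record("...10", "...11", "START_RECORD", 2),
    record("...10", "...11", "STOP_RECORD", 2),
    record("...10", "...12", "START_RECORD", 3),
    record("...10", "...13", "START_RECORD", 4),
    record("...10", "...12", "STOP_RECORD", 4),
    record("...10", "...13", "STOP_RECORD", 4),
    record("...10", "...10", "STOP_RECORD", 4),
]


def completion_flags(acrs):
    """Run one tracker over a sequence of ACRs; one completion flag per ACR."""
    tracker = MultilinkTracker()
    return [tracker.observe(a) for a in acrs]


if __name__ == "__main__":
    for acr, done in zip(SAMPLE_ACRS, completion_flags(SAMPLE_ACRS)):
        print(acr["Session-Id"], acr["Accounting-Record-Type"],
              acr["Acct-Link-Count"], "complete" if done else "")
```

Note that the third request in the sequence (STOP_RECORD for "...11" with Acct-Link-Count 2) does not complete the service even though only one link has stopped and the count is 2: completion requires the number of distinct stopped links to reach the largest count, which happens only on the final STOP_RECORD.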
When the number of Accounting-Requests received with Accounting-Record-Type = STOP_RECORD and the same Acct-Multi-Session-Id and unique Session-Ids equals the largest value of Acct-Link-Count seen in those Accounting-Requests, all STOP_RECORD Accounting-Requests for that multilink service have been received.

The following example showing eight Accounting-Requests illustrates how the Acct-Link-Count AVP is used. In the table below, only the relevant AVPs are shown, although additional AVPs containing accounting information will also be present in the Accounting-Requests.

   Acct-Multi-    Session-Id    Accounting-     Acct-
   Session-Id                   Record-Type     Link-Count
   --------------------------------------------------------
   "...10"        "...10"       START_RECORD    1
   "...10"        "...11"       START_RECORD    2
   "...10"        "...11"       STOP_RECORD     2
   "...10"        "...12"       START_RECORD    3
   "...10"        "...13"       START_RECORD    4
   "...10"        "...12"       STOP_RECORD     4
   "...10"        "...13"       STOP_RECORD     4
   "...10"        "...10"       STOP_RECORD     4

8.9. Acct-Tunnel-Connection AVP

The Acct-Tunnel-Connection AVP (AVP Code 68) is of type OctetString, and contains the identifier assigned to the tunnel session. This AVP, along with the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint AVPs, may be used to provide a means to uniquely identify a tunnel session for auditing purposes.

The format of the identifier in this AVP depends upon the value of the Tunnel-Type AVP. For example, to fully identify an L2TP tunnel connection, the L2TP Tunnel Id and Call Id might be encoded in this field. The exact encoding of this field is implementation dependent.

8.10. Acct-Tunnel-Packets-Lost AVP

The Acct-Tunnel-Packets-Lost AVP (AVP Code 86) is of type Unsigned32 and contains the number of packets lost on a given link.

9. RADIUS/Diameter Protocol Interactions

This section describes some basic guidelines that may be used by servers that act as AAA Translation Agents. A complete description of all the differences between RADIUS and Diameter is beyond the scope of this section and document. Note that this document does not restrict implementations from creating additional methods, as long as the translation function doesn't violate the RADIUS or the Diameter protocols.

                                                    +---------------------+
                                                    |    AVP Flag rules   |
                                                    |----+-----+----+-----|----+
                             AVP  Section           |    |     |SHLD| MUST|    |
   Attribute Name            Code Defined Value Type|MUST| MAY | NOT| NOT |Encr|
   -------------------------------------------------|----+-----+----+-----|----|
   NAS-Identifier              32  9.2.1 UTF8String | M  |  P  |    |  V  | Y  |
   NAS-IP-Address               4  9.2.2 OctetString| M  |  P  |    |  V  | Y  |
   NAS-IPv6-Address            95  9.2.3 OctetString| M  |  P  |    |  V  | Y  |
   State                       24  9.2.4 OctetString| M  |  P  |    |  V  | Y  |
   Termination-Cause          295  9.2.5 Enumerated | M  |  P  |    |  V  | Y  |
   -------------------------------------------------|----+-----+----+-----|----|

There are primarily two different situations that must be handled: one where a RADIUS request is received that must be forwarded as a Diameter request, and the inverse. RADIUS does not support a peer-to-peer architecture, and server initiated operations are generally not supported. See [RADDynAuth] for an alternative.

Some RADIUS attributes are encrypted. RADIUS security and encryption techniques are applied on a hop-by-hop basis. A Diameter agent will have to decrypt RADIUS attribute data entering the Diameter system and, if that information is forwarded, MUST secure it using Diameter specific techniques.

Note that this section uses the two terms AVP and attribute in a concise manner.
The former is used to signify a Diameter AVP, while the latter is used to signify a RADIUS attribute.

9.1. RADIUS Request Forwarded as Diameter Request

This section describes the actions that should be followed when a Translation Agent receives a RADIUS message that is to be translated to a Diameter message.

It is important to note that RADIUS servers are assumed to be stateless, and this section maintains that assumption. It is also quite possible that the RADIUS messages that comprise the session (i.e. authentication and accounting messages) will be handled by different Translation Agents in the proxy network. Therefore, a RADIUS/Diameter Translation Agent SHOULD NOT assume that it can track session state information.

When a Translation Agent receives a RADIUS message, the following steps should be taken:

- If a Message-Authenticator attribute is present, it MUST be checked and discarded. The gateway system SHOULD generate and include a Message-Authenticator in return responses to this system.
- The transport address of the sender MUST be checked against the NAS identifying attributes. See the description of NAS-Identifier and NAS-IP-Address below.
- The Diameter Origin-Host and Origin-Realm AVPs MUST be created and added using the information from the NAS-Identifier attribute, and/or the FQDN corresponding to the NAS-IP-Address attribute. The AAA protocol specified in the identity would be set to "RADIUS".
- The Proxy-Info group SHOULD be added with the local server's identity being specified in the Proxy-Host AVP. This should ensure that the response is returned to this system.
- The Destination-Realm AVP is created from the information found in the RADIUS User-Name attribute.
   -  The Translation Agent must maintain transaction state
      information relevant to the RADIUS request, such as the
      Identifier field in the RADIUS header, any existing RADIUS
      Proxy-State attribute, as well as the source IP address and port
      number of the UDP packet.  These may be maintained locally in a
      state table, or may be saved in a Proxy-Info AVP group.
   -  If the RADIUS request contained a State attribute, and the
      prefix of the data is "Diameter/", the data following the prefix
      contains the Diameter Session-Id.  If no such attribute is
      present, and the RADIUS command is an Access-Request, a new
      Session-Id is created.  The Session-Id is included in the
      Session-Id AVP.
   -  If the RADIUS User-Password attribute is present, the password
      must be decrypted using the link's RADIUS shared secret, and
      forwarded using Diameter security.
   -  If the RADIUS CHAP-Password attribute is present, the Ident and
      Data portions of the attribute are used to create the CHAP-Auth
      grouped AVP.
   -  If the RADIUS message contains an address attribute (e.g.
      Framed-IP-Address, Login-IP-Host, Login-IPv6-Host,
      NAS-IP-Address, NAS-IPv6-Address), it MUST be converted to the
      appropriate Diameter AVP and Address type.
   -  If the RADIUS message contains Tunnel information [RADTunnels],
      the attributes or tagged groups should each be converted to a
      Diameter Tunneling Grouped AVP set.  If the tunnel information
      contains a Tunnel-Password attribute, the RADIUS encryption must
      be resolved, and the password forwarded using Diameter security
      methods.
   -  If the RADIUS message received is an Accounting-Request, the
      Acct-Status-Type attribute value must be converted to an
      Accounting-Record-Type AVP value.
      If the Acct-Status-Type attribute value is STOP, the local server
      MUST issue a Session-Termination-Request message once the
      Diameter Accounting-Answer message has been received.
   -  If the Accounting message contains an Acct-Termination-Cause
      attribute, it should be translated to the equivalent
      Termination-Cause AVP value (see below).
   -  If the RADIUS message contains the Accounting-Input-Octets,
      Accounting-Input-Packets, Accounting-Output-Octets or
      Accounting-Output-Packets attributes, these must be converted to
      the Diameter equivalents.  Further, if the Acct-Input-Gigawords
      or Acct-Output-Gigawords attributes are present, these must be
      used to properly compute the Diameter accounting AVPs.

   The corresponding Diameter response is always guaranteed to be
   received by the same Translation Agent that translated the original
   request, due to the contents of the Origin-Host AVP in the Diameter
   request.  The following steps are applied to the response message
   during the Diameter to RADIUS translation:

   -  If the Diameter Command-Code is set to AA-Answer and the
      Result-Code AVP is set to DIAMETER_MULTI_ROUND_AUTH, the gateway
      must send a RADIUS Access-Challenge with the Diameter Session-Id
      and the Origin-Host AVPs encapsulated in the RADIUS State
      attribute, with the prefix "Diameter/".  This is necessary in
      order to ensure that the Translation Agent that will receive the
      subsequent RADIUS Access-Request will have access to the Session
      Identifier, and be able to set the Destination-Host to the
      correct value.  If the Multi-Round-Time-Out AVP is present, the
      value of the AVP MUST be inserted in the RADIUS Session-Timeout
      attribute.
   -  If the Command-Code is set to AA-Answer, the Diameter Session-Id
      AVP is saved in a new RADIUS Class attribute, whose format
      consists of the string "Diameter/" followed by the Diameter
      Session Identifier.  This will ensure that the subsequent
      Accounting messages, which could be received by any Translation
      Agent, will have access to the original Diameter Session
      Identifier.
   -  If a Proxy-State attribute was present in the RADIUS request,
      the same attribute is added in the response.  This information
      may be found in the Proxy-Info AVP group, or in a local state
      table.
   -  If state information regarding the RADIUS request was saved in a
      Proxy-Info AVP or local state table, the RADIUS Identifier and
      UDP IP address and port number are extracted and used in issuing
      the RADIUS reply.

9.1.1.  Diameter Request Forwarded as RADIUS Request

   When a server receives a Diameter request that is to be forwarded to
   a RADIUS entity, the following steps are an example of the steps
   that may be followed:

   -  The Origin-Host AVP's value is inserted in the NAS-Identifier
      attribute.
   -  The following information MUST be present in the corresponding
      Diameter response, and therefore MUST be saved either in a local
      state table, or it MAY be encoded in a RADIUS Proxy-State
      attribute:
      1.  Origin-Host AVP
      2.  Session-Id AVP
      3.  Proxy-Info AVP
      4.  Route-Record AVPs (in the proper order)
      5.  Any other AVP that MUST be present in the response, and
          has no corresponding RADIUS attribute.
   -  If the CHAP-Auth AVP is present, the grouped AVPs are used to
      create the RADIUS CHAP-Password attribute data.
   -  If the User-Password AVP is present, the data should be
      encrypted using RADIUS rules.  Likewise for any other encrypted
      attribute values.
   -  AVPs that are of the type Address must be translated to the
      corresponding RADIUS attribute.
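   As an added example (editor's code, not part of the draft) of three
   conversions that the translation steps in 9.1 and 9.1.1 rely on:
   carrying the Diameter Session-Id and Origin-Host in a RADIUS State or
   Class attribute under the "Diameter/" prefix, combining and splitting
   the 32-bit Acct-*-Octets and Acct-*-Gigawords counters against the
   64-bit Diameter Accounting-*-Octets AVPs, and the Acct-Terminate-Cause
   to Termination-Cause mapping of 9.2.5.  The space separator inside the
   State value, the function names and the Session-Id generation scheme
   are assumptions of the example.

```python
"""Added example, not from the draft: helpers for the RADIUS/Diameter
translation steps of sections 9.1, 9.1.1 and 9.2.5.

Only the "Diameter/" prefix and the +10 termination-cause offset come from
the draft; the separator, names and Session-Id layout are assumptions."""
import itertools
import time
from typing import Optional, Tuple

STATE_PREFIX = b"Diameter/"
_BOOT_TIME = int(time.time())        # "high" part of generated Session-Ids
_LOW = itertools.count(1)            # "low" part: per-process counter


def encode_state(session_id: str, origin_host: Optional[str] = None) -> bytes:
    """Value for the RADIUS State (Access-Challenge) or Class (AA-Answer)
    attribute.  Origin-Host is only carried in State, so Class omits it.
    The single space separator is an assumption of this example; neither a
    Session-Id nor a DiameterIdentity may contain one."""
    body = session_id if origin_host is None else f"{session_id} {origin_host}"
    return STATE_PREFIX + body.encode("utf-8")


def decode_state(value: bytes) -> Optional[Tuple[str, Optional[str]]]:
    """(session_id, origin_host) from a Translation Agent's State/Class
    value, or None when the value lacks the prefix (opaque RADIUS state
    that was not written by a Translation Agent)."""
    if not value.startswith(STATE_PREFIX):
        return None
    body = value[len(STATE_PREFIX):].decode("utf-8", errors="replace")
    session_id, _, origin_host = body.partition(" ")
    return session_id, (origin_host or None)


def session_id_for_request(radius_code: str, state: Optional[bytes],
                           agent_host: str) -> Optional[str]:
    """9.1: reuse the Session-Id carried in a "Diameter/" State attribute;
    otherwise mint one for an Access-Request.  Other commands without a
    usable State yield None (for accounting the Class attribute is the
    usual carrier)."""
    decoded = decode_state(state) if state else None
    if decoded:
        return decoded[0]
    if radius_code == "Access-Request":
        # <DiameterIdentity>;<high 32 bits>;<low 32 bits> as in the Base
        # protocol; boot time plus a counter is this example's choice.
        return f"{agent_host};{_BOOT_TIME};{next(_LOW)}"
    return None


def octets_to_diameter(octets: int, gigawords: int = 0) -> int:
    """Acct-*-Octets holds the low 32 bits of the count and
    Acct-*-Gigawords the number of 2^32 wraps; the Diameter
    Accounting-*-Octets AVP carries the full 64-bit value."""
    if not (0 <= octets < 1 << 32 and 0 <= gigawords < 1 << 32):
        raise ValueError("RADIUS counters are 32-bit integers")
    return (gigawords << 32) | octets


def octets_to_radius(total: int) -> Tuple[int, Optional[int]]:
    """Split a 64-bit Diameter count into (Acct-*-Octets, Acct-*-Gigawords).
    Gigawords is None when the value fits in 32 bits, meaning the
    Gigawords attribute is simply omitted from the RADIUS packet."""
    if not 0 <= total < 1 << 64:
        raise ValueError("Diameter accounting counters are Unsigned64")
    gigawords, octets = divmod(total, 1 << 32)
    return octets, (gigawords or None)


# 9.2.5: RADIUS Acct-Terminate-Cause 1..22 map to Termination-Cause 11..32.
TERMINATION_CAUSES = [
    "User Request", "Lost Carrier", "Lost Service", "Idle Timeout",
    "Session Timeout", "Admin Reset", "Admin Reboot", "Port Error",
    "NAS Error", "NAS Request", "NAS Reboot", "Port Unneeded",
    "Port Preempted", "Port Suspended", "Service Unavailable", "Callback",
    "User Error", "Host Request", "Supplicant Restart",
    "Reauthentication Failure", "Port Reinit", "Port Disabled",
]


def termination_cause_to_diameter(radius_value: int) -> int:
    if not 1 <= radius_value <= len(TERMINATION_CAUSES):
        raise ValueError(f"no Termination-Cause mapping for {radius_value}")
    return radius_value + 10


def termination_cause_to_radius(diameter_value: int) -> int:
    if not 11 <= diameter_value <= 10 + len(TERMINATION_CAUSES):
        raise ValueError(f"no Acct-Terminate-Cause mapping for {diameter_value}")
    return diameter_value - 10
```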
   -  If the Accounting-Input-Octets, Accounting-Input-Packets,
      Accounting-Output-Octets or Accounting-Output-Packets AVPs are
      present, these must be translated to the corresponding RADIUS
      attributes.  Further, if the value of a Diameter AVP does not fit
      within a 32-bit RADIUS attribute, the RADIUS Acct-Input-Gigawords
      and Acct-Output-Gigawords attributes must be used.
   -  If the RADIUS link supports the Message-Authenticator attribute
      [RADIUSExt], it SHOULD be generated and added to the request.

   When the corresponding response is received by the Translation Agent,
   which is guaranteed in the RADIUS protocol, the following steps may
   be followed:

   -  If the RADIUS code is set to Access-Challenge, a Diameter
      AA-Answer message is created with the Result-Code set to
      DIAMETER_MULTI_ROUND_AUTH.  If the Session-Timeout attribute is
      present in the RADIUS message, its value is inserted in the
      Multi-Round-Time-Out AVP.
   -  If a Proxy-State attribute is present, extract the encoded
      information; otherwise retrieve the original Proxy-Info AVP
      group information from the local state table.
   -  The request's Origin-Host information is added to the
      Destination-Host AVP.
   -  The Acct-Session-Id information is added to the Session-Id AVP.
   -  The Route-Record AVPs MUST be added to the Diameter message, in
      the same order they were present in the request.
   -  If a Proxy-Info AVP was present in the request, the same AVP
      MUST be added to the response.
   -  If the RADIUS State attributes are present, these attributes
      must be present in the Diameter response.
   -  Any other AVPs that were saved, and MUST be present in the
      response, are added to the message.

9.2.  AVPs Used Only for Compatibility
   The AVPs defined in this section SHOULD only be used for backwards
   compatibility when a Diameter/RADIUS translation function is
   invoked, and are not typically originated by Diameter systems during
   normal operations.

9.2.1.  NAS-Identifier AVP

   The NAS-Identifier AVP (AVP Code 32) [RADIUS] is of type UTF8String
   and contains the identity of the NAS providing service to the user.
   This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent.
   When this AVP is present, the Origin-Host AVP identifies the
   RADIUS/Diameter Translation Agent rather than the NAS providing
   service to the user.

   In RADIUS it would be possible for a rogue NAS to forge the
   NAS-Identifier attribute.  Diameter/RADIUS translation agents SHOULD
   attempt to check a received NAS-Identifier attribute against the
   source address of the RADIUS packet, by doing an A/AAAA RR query.  If
   the NAS-Identifier attribute contains an FQDN, then such a query
   would resolve to an IP address matching the source address.  However,
   the NAS-Identifier attribute is not required to contain an FQDN, so
   such a query could fail.  In this case, an error should be logged,
   but no other action taken, other than doing a reverse lookup on the
   source address and inserting the resulting FQDN into the Route-Record
   AVP.

   Diameter agents and servers SHOULD check whether a NAS-Identifier AVP
   corresponds to an entry in the Record-Route AVP.  If no match is
   found, then an error is logged, but no other action is taken.

9.2.2.  NAS-IP-Address AVP

   The NAS-IP-Address AVP (AVP Code 4) [RADIUS] is of type OctetString,
   and contains the IP Address of the NAS providing service to the user.
   This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent.
   When this AVP is present, the Origin-Host AVP identifies the
   RADIUS/Diameter Translation Agent rather than the NAS providing
   service to the user.

   In RADIUS it would be possible for a rogue NAS to forge the
   NAS-IP-Address attribute value.  Diameter/RADIUS translation agents
   MUST check a received NAS-IP-Address or NAS-IPv6-Address attribute
   against the source address of the RADIUS packet.  If they do not
   match, and the Diameter/RADIUS translation agent does not know
   whether the packet was sent by a RADIUS proxy or NAS (e.g. no
   Proxy-State attribute), then by default it is assumed that the source
   address corresponds to a RADIUS proxy, and that the NAS Address is
   behind that proxy, potentially with some additional RADIUS proxies in
   between.  The Diameter/RADIUS translation agent MUST insert entries
   in the Route-Record AVP corresponding to the apparent route.  This
   implies doing a reverse lookup on the source address and the
   NAS-IP-Address or NAS-IPv6-Address attributes in order to determine
   the corresponding FQDNs.

   If the source address and the NAS-IP-Address or NAS-IPv6-Address do
   not match, and the Diameter/RADIUS translation agent knows that it is
   talking directly to the NAS (e.g. no RADIUS proxies between it and
   the NAS), then the error should be logged, and the packet MUST be
   discarded.

   Diameter agents and servers MUST check whether the NAS-IP-Address AVP
   corresponds to an entry in the Record-Route AVP.  This is done by
   doing a reverse lookup (PTR RR) for the NAS-IP-Address to retrieve
   the corresponding FQDN, and checking for a match with the
   Record-Route AVP.  If no match is found, then an error is logged, but
   no other action is taken.

9.2.3.  NAS-IPv6-Address AVP

   The NAS-IPv6-Address AVP (AVP Code 95) [RADIUSIPv6] is of type
   OctetString, and contains the IPv6 Address of the NAS providing
   service to the user.
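   The source-address check of 9.2.2, which 9.2.3 repeats for
   NAS-IPv6-Address, as an added example (editor's code, not from the
   draft) covering both address families: a match, a mismatch when the
   agent knows it talks directly to the NAS (log and discard), and a
   mismatch with unknown topology (assume a proxy and record the apparent
   route).  The reverse-DNS table, host names and the fallback to the
   address literal when no PTR exists are constructed assumptions.

```python
"""Added example, not from the draft: the NAS-IP-Address / NAS-IPv6-Address
source-address check of sections 9.2.2 and 9.2.3, and the Route-Record
cross-check that downstream Diameter agents and servers perform.

Reverse DNS is injected as a callable so the example runs offline; the
sample PTR table and all host names are constructed for this example."""
import ipaddress
import logging
from typing import Callable, List, Optional, Tuple

log = logging.getLogger("radius-diameter-gw")
PtrLookup = Callable[[str], Optional[str]]   # address text -> FQDN or None

# Constructed reverse-DNS data (documentation prefixes only).
_SAMPLE_PTR = {
    "192.0.2.10": "nas1.example.net",
    "192.0.2.200": "proxy.example.net",
    "2001:db8::10": "nas6.example.net",
}


def sample_ptr(address: str) -> Optional[str]:
    return _SAMPLE_PTR.get(address)


def packed(address: str) -> bytes:
    """Wire form of an address as it appears in NAS-IP-Address (4 octets)
    or NAS-IPv6-Address (16 octets)."""
    return ipaddress.ip_address(address).packed


def _fqdn(addr, ptr: PtrLookup) -> str:
    # The draft requires a reverse lookup to obtain the Route-Record entry;
    # falling back to the address literal when no PTR exists is an
    # assumption of this example (the draft only says to log the error).
    name = ptr(str(addr))
    if name is None:
        log.error("no PTR record for %s", addr)
        return str(addr)
    return name


def check_nas_address(source_ip: str, nas_attr: bytes, known_direct_to_nas: bool,
                      ptr: PtrLookup) -> Tuple[str, List[str]]:
    """Apply the 9.2.2/9.2.3 rule to one NAS-IP-Address or NAS-IPv6-Address
    attribute.  Returns ("forward", route_records) with the Route-Record
    entries to insert (NAS first, then the sending proxy, i.e. the apparent
    route), or ("discard", []) when the packet MUST be dropped."""
    src = ipaddress.ip_address(source_ip)
    try:
        nas = ipaddress.ip_address(nas_attr)      # accepts 4 or 16 packed octets
    except ValueError:
        log.error("malformed NAS address attribute %r from %s", nas_attr, src)
        return "discard", []                      # assumption: treat as forged
    if nas == src:
        return "forward", [_fqdn(src, ptr)]
    if known_direct_to_nas:
        # No proxy can explain the mismatch: log and drop (forged or misconfigured).
        log.error("NAS address %s does not match source %s; discarding", nas, src)
        return "discard", []
    # Unknown topology (e.g. no Proxy-State): assume the sender is a RADIUS
    # proxy and the NAS sits behind it; record both hops.
    return "forward", [_fqdn(nas, ptr), _fqdn(src, ptr)]


def nas_address_in_route_record(nas_attr: bytes, route_records: List[str],
                                ptr: PtrLookup) -> bool:
    """Downstream check: the PTR name of the NAS address must appear among
    the Route-Record AVPs.  A mismatch is logged only; nothing else is done."""
    name = ptr(str(ipaddress.ip_address(nas_attr)))
    if name is None or name not in route_records:
        log.error("NAS address %r not found in Route-Record %s", nas_attr, route_records)
        return False
    return True
```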
   This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent.
   When this AVP is present, the Origin-Host AVP identifies the
   RADIUS/Diameter Translation Agent rather than the NAS providing
   service to the user.

   In RADIUS it would be possible for a rogue NAS to forge the
   NAS-IPv6-Address attribute.  Diameter/RADIUS translation agents MUST
   check a received NAS-IPv6-Address attribute against the source
   address of the RADIUS packet.  If they do not match, and the
   Diameter/RADIUS translation agent does not know whether the packet
   was sent by a RADIUS proxy or NAS (e.g. no Proxy-State attribute),
   then by default it is assumed that the source address corresponds to
   a RADIUS proxy, and that the NAS-IPv6-Address is behind that proxy,
   potentially with some additional RADIUS proxies in between.  The
   Diameter/RADIUS translation agent MUST insert entries in the
   Route-Record AVP corresponding to the apparent route.  This implies
   doing a reverse lookup on the source address and NAS-IP-Address
   attributes in order to determine the corresponding FQDNs.

   If the source address and the NAS-IPv6-Address do not match, and the
   Diameter/RADIUS translation agent knows that it is talking directly
   to the NAS (e.g. no RADIUS proxies between it and the NAS), then the
   error should be logged, and the packet MUST be discarded.

   Diameter agents and servers MUST check whether the NAS-IPv6-Address
   AVP corresponds to an entry in the Record-Route AVP.  This is done by
   doing a reverse lookup (PTR RR) for the NAS-IPv6-Address to retrieve
   the corresponding FQDN, and checking for a match with the
   Record-Route AVP.  If no match is found, then an error is logged, but
   no other action is taken.

9.2.4.  State AVP

   The State AVP (AVP Code 24) [RADIUS] is of type OctetString and has
   two uses in the Diameter NAS application.
   The State AVP MAY be sent by a Diameter Server to a NAS in an
   AA-Response command that contains a Result-Code of
   DIAMETER_MULTI_ROUND_AUTH.  If so, the NAS MUST return it unmodified
   in the subsequent AA-Request command.

   The State AVP MAY also be sent by a Diameter Server to a NAS in an
   AA-Response command that also includes a Termination-Action AVP with
   the value of AA-REQUEST.  If the NAS performs the Termination-Action
   by sending a new AA-Request command upon termination of the current
   service, it MUST return the State AVP unmodified in the new request
   command.

   In either usage the NAS MUST NOT interpret the AVP locally.  Usage of
   the State AVP is implementation dependent.

9.2.5.  Termination-Cause AVP Code Values

   This section defines a mapping between Termination-Cause AVP code
   values and RADIUS Acct-Terminate-Cause attribute code values from RFC
   2866 [RADIUSAcct] and [RADIUSTypes], thereby allowing a
   RADIUS/Diameter Translation Agent to convert between the attribute
   and AVP values.  This section thus extends the definitions in the
   "Termination-Cause AVP" section of the Base Diameter specification.

   The table in this section defines the mapping between
   Termination-Cause AVP and RADIUS Acct-Terminate-Cause causes.
                                 +-----------------------+
                                 |         Value         |
                                 +-----------+-----------+
   Cause Value Name              |  RADIUS   | Diameter  |
   ------------------------------|-----------+-----------+
   User Request                  |     1     |    11     |
   Lost Carrier                  |     2     |    12     |
   Lost Service                  |     3     |    13     |
   Idle Timeout                  |     4     |    14     |
   Session Timeout               |     5     |    15     |
   Admin Reset                   |     6     |    16     |
   Admin Reboot                  |     7     |    17     |
   Port Error                    |     8     |    18     |
   NAS Error                     |     9     |    19     |
   NAS Request                   |    10     |    20     |
   NAS Reboot                    |    11     |    21     |
   Port Unneeded                 |    12     |    22     |
   Port Preempted                |    13     |    23     |
   Port Suspended                |    14     |    24     |
   Service Unavailable           |    15     |    25     |
   Callback                      |    16     |    26     |
   User Error                    |    17     |    27     |
   Host Request                  |    18     |    28     |
   Supplicant Restart            |    19     |    29     | [RAD802.1X]
   Reauthentication Failure      |    20     |    30     | [RAD802.1X]
   Port Reinit                   |    21     |    31     | [RAD802.1X]
   Port Disabled                 |    22     |    32     | [RAD802.1X]
   ------------------------------|-----------+-----------+

   From RFC 2866, the termination causes are as follows:

   User Request          User requested termination of service, for
                         example with LCP Terminate or by logging out.

   Lost Carrier          DCD was dropped on the port.

   Lost Service          Service can no longer be provided; for
                         example, user's connection to a host was
                         interrupted.

   Idle Timeout          Idle timer expired.

   Session Timeout       Maximum session length timer expired.

   Admin Reset           Administrator reset the port or session.

   Admin Reboot          Administrator is ending service on the NAS,
                         for example prior to rebooting the NAS.

   Port Error            NAS detected an error on the port which
                         required ending the session.

   NAS Error             NAS detected some error (other than on the
                         port) which required ending the session.

   NAS Request           NAS ended session for a non-error reason not
                         otherwise listed here.

   NAS Reboot            The NAS ended the session in order to reboot
                         non-administratively ("crash").
   Port Unneeded         NAS ended session because resource usage fell
                         below low-water mark (for example, if a
                         bandwidth-on-demand algorithm decided that
                         the port was no longer needed).

   Port Preempted        NAS ended session in order to allocate the
                         port to a higher priority use.

   Port Suspended        NAS ended session to suspend a virtual
                         session.

   Service Unavailable   NAS was unable to provide requested service.

   Callback              NAS is terminating current session in order
                         to perform callback for a new session.

   User Error            Input from user is in error, causing
                         termination of session.

   Host Request          Login Host terminated session normally.

9.3.  Prohibited RADIUS Attributes

   The following RADIUS attributes MUST NOT be transferred to a Diameter
   message.  Many of these are discussed in section 9.1.

   Attribute  Description            Defined    Nearest Diameter AVP
   -----------------------------------------------------------------
    3         CHAP-Password          RFC 2865   CHAP-Auth Group
   26         Vendor-Specific        RFC 2865   Vendor Specific AVP
   40         Acct-Status-Type       RFC 2866   Accounting-Record-Type
   42         Acct-Input-Octets      RFC 2866   Accounting-Input-Octets
   43         Acct-Output-Octets     RFC 2866   Accounting-Output-Octets
   47         Acct-Input-Packets     RFC 2866   Accounting-Input-Packets
   48         Acct-Output-Packets    RFC 2866   Accounting-Output-Packets
   49         Acct-Terminate-Cause   RFC 2866   Termination-Cause
   52         Acct-Input-Gigawords   RFC 2869   Accounting-Input-Octets
   53         Acct-Output-Gigawords  RFC 2869   Accounting-Output-Octets
   80         Message-Authenticator  RFC 2869   none - check and discard

9.4.  Translatable Diameter AVPs

   In general, Diameter AVPs that are not RADIUS compatible have code
   values greater than 255.  The table in the section above shows the
   AVPs that can be converted into RADIUS attributes.

   Another problem may occur with Diameter AVP values that may be more
   than 253 octets in length (e.g. Reply-Message).
   Some RADIUS attributes allow concatenation of multiple instances to
   overcome this limitation.  If this is not possible, an attribute
   error should be returned.

9.5.  RADIUS Vendor Specific Attributes

   RADIUS supports the inclusion of Vendor Specific Attributes (VSAs)
   through the use of attribute 26.  The recommended format [RADIUS] of
   the attribute data field includes a 4 octet vendor code followed by a
   one octet vendor type field and a one octet length field.  The last
   two fields MAY be repeated.

9.5.1.  Forwarding a Diameter Vendor AVP as a RADIUS VSA

   The RADIUS VSA attribute should consist of the following fields:

      RADIUS Type = 26, Vendor Specific Attribute
      RADIUS Length = total length of attribute (header + data)
      RADIUS Vendor code = Diameter Vendor code
      RADIUS Vendor type code = low order byte of Diameter AVP code
      RADIUS Vendor data length = length of Diameter data
                                  (not including padding)

   If the Diameter AVP code is greater than 255, then the RADIUS
   speaking code may use a Vendor specific field coding, if it knows one
   for that vendor.  Otherwise, the AVP will be ignored, unless it is
   flagged as Mandatory, in which case a "DIAMETER_AVP_UNSUPPORTED"
   error will be returned, and the message will not be sent.

9.5.2.  Forwarding a RADIUS VSA to a Diameter Vendor AVP

   The Diameter AVP will consist of the following fields:

      Diameter Flags: V=1, M=0, P=0
      Diameter Vendor code = RADIUS VSA Vendor code
      Diameter AVP code = RADIUS VSA Vendor type code
      Diameter AVP length = length of AVP (header + data + padding)
      Diameter Data = RADIUS VSA vendor data

   If the RADIUS receiving code knows of vendor specific field
   interpretations for the specific vendor, it may employ them to parse
   an extended AVP code or data length.  Otherwise the recommended
   standard fields will be used.
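   The two field layouts of 9.5.1 and 9.5.2 as an added example (editor's
   code, not from the draft), going in both directions and expanding a
   VSA that repeats the vendor type/length pair into one Diameter AVP per
   sub-field.  Vendor id 9, the sample data and the function names are
   constructed; the example knows no vendor-specific field coding, so an
   AVP code above 255 is dropped unless it is flagged Mandatory.

```python
"""Added example, not from the draft: encoding RADIUS Vendor-Specific
attributes (type 26) from Diameter vendor AVPs and back, per 9.5.1/9.5.2,
including the expansion of several vendor sub-fields in one VSA into
several Diameter AVPs.  Names and the sample vendor data are this
example's own; vendor id 9 is used as an arbitrary constructed value."""
import struct
from typing import List, Tuple

VSA_TYPE = 26
FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20
RADIUS_MAX_ATTR_LEN = 255          # one-octet Length field, see 9.4


class AvpUnsupported(Exception):
    """Stands in for the DIAMETER_AVP_UNSUPPORTED error of 9.5.1."""


def encode_diameter_avp(code: int, vendor_id: int, data: bytes,
                        flags: int = FLAG_V) -> bytes:
    """Diameter AVP with Vendor-ID: Code(4) Flags(1) Length(3) Vendor-ID(4)
    Data, padded to a 4-octet boundary; Length excludes the padding."""
    length = 12 + len(data)
    header = struct.pack("!IB", code, flags | FLAG_V) + length.to_bytes(3, "big")
    return header + struct.pack("!I", vendor_id) + data + b"\0" * (-len(data) % 4)


def decode_diameter_avp(avp: bytes) -> Tuple[int, int, int, bytes]:
    """Inverse of encode_diameter_avp: (code, flags, vendor_id, data)."""
    if len(avp) < 12:
        raise ValueError("short AVP header")
    code, flags = struct.unpack("!IB", avp[:5])
    length = int.from_bytes(avp[5:8], "big")
    if not (flags & FLAG_V) or length > len(avp) or length < 12:
        raise ValueError("AVP without Vendor-ID or inconsistent length")
    vendor_id = struct.unpack("!I", avp[8:12])[0]
    return code, flags, vendor_id, avp[12:length]


def vendor_avps_to_vsas(avps: List[Tuple[int, int, int, bytes]]) -> List[bytes]:
    """9.5.1: one RADIUS VSA per Diameter vendor AVP given as
    (code, flags, vendor_id, data).  Codes above 255 do not fit the
    one-octet vendor type; this example knows no vendor specific coding,
    so they are dropped unless flagged Mandatory."""
    out = []
    for code, flags, vendor_id, data in avps:
        if code > 255:
            if flags & FLAG_M:
                raise AvpUnsupported(code)
            continue
        # Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) data
        if 8 + len(data) > RADIUS_MAX_ATTR_LEN:
            raise ValueError(f"vendor AVP {code} data too long for a RADIUS attribute")
        # RFC 2865 Vendor-Length counts the vendor type and length octets as
        # well as the data, so it is the draft's "vendor data length" plus 2.
        sub = struct.pack("!BB", code, 2 + len(data)) + data
        body = struct.pack("!I", vendor_id) + sub
        out.append(struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body)
    return out


def vsa_to_vendor_avps(attr: bytes) -> List[bytes]:
    """9.5.2: expand one RADIUS VSA into Diameter AVPs with V=1, M=0, P=0;
    every repeated (type, length, data) sub-field becomes its own AVP."""
    if len(attr) < 8 or attr[0] != VSA_TYPE or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    avps, pos = [], 6
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated vendor sub-field header")
        vtype, vlen = attr[pos], attr[pos + 1]
        # vlen >= 2 guarantees the loop advances; RFC 2865 requires >= 3.
        if vlen < 2 or pos + vlen > len(attr):
            raise ValueError("bad vendor sub-field length")
        avps.append(encode_diameter_avp(vtype, vendor_id, attr[pos + 2:pos + vlen]))
        pos += vlen
    return avps
```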
   Nested multiple vendor data fields MUST be expanded into multiple
   Diameter AVPs.

10.  AVP Occurrence Tables

   The following tables present the AVPs defined in this document, and
   specify in which Diameter messages they MAY, or MAY NOT, be present.
   Note that AVPs that can only be present within a Grouped AVP are not
   represented in this table.

   The table uses the following symbols:

      0     The AVP MUST NOT be present in the message.
      0+    Zero or more instances of the AVP MAY be present in the
            message.
      0-1   Zero or one instance of the AVP MAY be present in the
            message.
      1     One instance of the AVP MUST be present in the message.

10.1.  AA-Request/Answer AVP Table

   The table in this section is limited to the Command Codes defined in
   this specification.

                                 +-----------+
                                 |  Command  |
                                 |-----+-----+
   Attribute Name                | AAR | AAA |
   ------------------------------|-----+-----+
   Acct-Interim-Interval         |  0  | 0-1 |
   ARAP-Challenge-Response       |  0  | 0-1 |
   ARAP-Features                 |  0  | 0-1 |
   ARAP-Password                 | 0-1 |  0  |
   ARAP-Security                 | 0-1 | 0-1 |
   ARAP-Security-Data            | 0+  | 0+  |
   ARAP-Zone-Access              |  0  | 0-1 |
   Auth-Application-Id           |  1  |  1  |
   Auth-Grace-Period             | 0-1 | 0-1 |
   Auth-Request-Type             |  1  |  1  |
   Auth-Session-State            | 0-1 | 0-1 |
   Authorization-Lifetime        | 0-1 | 0-1 |
   Callback-Id                   |  0  | 0-1 |
   Callback-Number               | 0-1 | 0-1 |
   Called-Station-Id             | 0-1 |  0  |
   Calling-Station-Id            | 0-1 |  0  |
   CHAP-Auth                     | 0-1 |  0  |
   CHAP-Challenge                | 0-1 |  0  |
   Class                         | 0+  | 0+  |
   Configuration-Token           |  0  | 0+  |
   Connect-Info                  | 0-1 |  0  |
   Destination-Host              | 0-1 |  0  |
   Destination-Realm             |  1  |  0  |
   Error-Message                 |  0  | 0-1 |
   Error-Reporting-Host          |  0  | 0-1 |
   Failed-AVP                    | 0+  | 0+  |
   Filter-Id                     |  0  | 0+  |
   Framed-Appletalk-Link         |  0  | 0-1 |
   Framed-Appletalk-Network      |  0  | 0+  |
   Framed-Appletalk-Zone         |  0  | 0-1 |
   Framed-Compression            | 0+  | 0+  |
   Framed-Interface-Id           | 0-1 | 0-1 |
   Framed-IP-Address             | 0-1 | 0-1 |
   Framed-IP-Netmask             | 0-1 | 0-1 |
   Framed-IPv6-Prefix            | 0+  | 0+  |
   Framed-IPv6-Pool              |  0  | 0-1 |
   Framed-IPv6-Route             |  0  | 0+  |
   Framed-IPX-Network            |  0  | 0-1 |
   Framed-MTU                    | 0-1 | 0-1 |
   Framed-Pool                   |  0  | 0-1 |
   Framed-Protocol               | 0-1 | 0-1 |
   Framed-Route                  |  0  | 0+  |
   Framed-Routing                |  0  | 0-1 |
   Idle-Timeout                  | 0-1 | 0-1 |
   Login-IP-Host                 | 0+  | 0+  |
   Login-IPv6-Host               | 0+  | 0+  |
   Login-LAT-Group               | 0-1 | 0-1 |
   Login-LAT-Node                | 0-1 | 0-1 |
   Login-LAT-Port                | 0-1 | 0-1 |
   Login-LAT-Service             | 0-1 | 0-1 |
   Login-Service                 |  0  | 0-1 |
   Login-TCP-Port                |  0  | 0-1 |
   Multi-Round-Time-Out          |  0  | 0-1 |
   NAS-Filter-Rule               |  0  | 0+  |
   NAS-Identifier                | 0-1 |  0  |
   NAS-IP-Address                | 0-1 |  0  |
   NAS-IPv6-Address              | 0-1 |  0  |
   NAS-Port                      | 0-1 |  0  |
   NAS-Port-Id                   | 0-1 |  0  |
   NAS-Port-Type                 | 0-1 |  0  |
   Originating-Line-Info         | 0-1 |  0  |
   Origin-Host                   |  1  |  1  |
   Origin-Realm                  |  1  |  1  |
   Origin-State-Id               | 0-1 | 0-1 |
   Password-Retry                |  0  | 0-1 |
   Port-Limit                    | 0-1 | 0-1 |
   Prompt                        |  0  | 0-1 |
   Proxy-Info                    | 0+  | 0+  |
   Re-Auth-Request-Type          |  0  | 0-1 |
   Redirect-Host                 |  0  | 0+  |
   Redirect-Host-Usage           |  0  | 0-1 |
   Redirect-Max-Cache-Time       |  0  | 0-1 |
   Reply-Message                 |  0  | 0+  |
   Result-Code                   |  0  |  1  |
   Route-Record                  | 0+  |  0  |
   Service-Type                  | 0-1 | 0-1 |
   Session-Id                    |  1  |  1  |
   Session-Timeout               | 0-1 | 0-1 |
   State                         | 0-1 | 0-1 |
   Termination-Action            |  0  | 0-1 |
   Termination-Cause             |  0  | 0-1 |
   Tunneling                     | 0+  | 0+  |
   User-Name                     | 0-1 | 0-1 |
   User-Password                 | 0-1 |  0  |
   ------------------------------|-----+-----+

10.2.  Accounting AVP Tables
   The tables in this section are used to represent which AVPs defined
   in this document are to be present in the Accounting messages,
   defined in [Base] and [RADIUSAcct].

10.2.1.  Accounting Framed Access AVP Table

   The table in this section is used when the Service-Type specifies
   Framed Access.

                                          +-----------+
                                          |  Command  |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-Application-Id              | 0-1 | 0-1 |
   Accounting-Input-Octets                |  1  |  0  |
   Accounting-Input-Packets               |  1  |  0  |
   Accounting-Output-Octets               |  1  |  0  |
   Accounting-Output-Packets              |  1  |  0  |
   Accounting-Record-Type                 |  1  |  1  |
   Accounting-Record-Number               | 0-1 | 0-1 |
   Accounting-Realtime-Required           | 0-1 |  0  |
   Accounting-Sub-Session-Id              | 0-1 | 0-1 |
   Acct-Application-Id                    | 0-1 | 0-1 |
   Acct-Session-Id                        | 0-1 | 0-1 |
   Acct-Multi-Session-Id                  | 0-1 | 0-1 |
   Acct-Authentic                         |  1  |  0  |
   Acct-Delay-Time                        | 0-1 |  0  |
   Acct-Interim-Interval                  | 0-1 |  0  |
   Acct-Link-Count                        | 0-1 |  0  |
   Acct-Session-Time                      |  1  |  0  |
   Acct-Tunnel-Connection                 | 0-1 |  0  |
   Acct-Tunnel-Packets-Lost               | 0-1 |  0  |
   Event-Timestamp                        | 0-1 | 0-1 |
   Error-Reporting-Host                   |  0  | 0-1 |
   Framed-AppleTalk-Link                  | 0-1 |  0  |
   Framed-AppleTalk-Network               | 0-1 |  0  |
   Framed-AppleTalk-Zone                  | 0-1 |  0  |
   Framed-Compression                     | 0-1 |  0  |
   Framed-IP-Address                      | 0-1 |  0  |
   Framed-IP-Netmask                      | 0-1 |  0  |
   Framed-IPv6-Pool                       | 0-1 |  0  |
   Framed-IPX-Network                     | 0-1 |  0  |
   Framed-MTU                             | 0-1 |  0  |
   Framed-Pool                            | 0-1 |  0  |
   Framed-Protocol                        | 0-1 |  0  |
   Framed-Route                           | 0-1 |  0  |
   Framed-Routing                         | 0-1 |  0  |
   NAS-Filter-Rule                        | 0-1 |  0  |
   NAS-Identifier                         | 0-1 | 0-1 |
   NAS-IP-Address                         | 0-1 | 0-1 |
   NAS-IPv6-Address                       | 0-1 | 0-1 |
   NAS-Port                               | 0-1 | 0-1 |
   NAS-Port-Id                            | 0-1 | 0-1 |
   NAS-Port-Type                          | 0-1 | 0-1 |
   Origin-Host                            |  1  |  1  |
   Origin-Realm                           |  1  |  1  |
   Origin-State-Id                        | 0-1 | 0-1 |
   Proxy-Info                             | 0+  | 0+  |
   Route-Record                           | 0+  | 0+  |
   Service-Type                           | 0-1 | 0-1 |
   Termination-Cause                      | 0-1 | 0-1 |
   Tunnel-Assignment-Id                   | 0-1 |  0  |
   Tunnel-Client-Endpoint                 | 0-1 |  0  |
   Tunnel-Medium-Type                     | 0-1 |  0  |
   Tunnel-Private-Group-Id                | 0-1 |  0  |
   Tunnel-Server-Endpoint                 | 0-1 |  0  |
   Tunnel-Type                            | 0-1 |  0  |
   User-Name                              | 0-1 | 0-1 |
   Vendor-Specific-Application-Id         | 0-1 | 0-1 |
   ---------------------------------------|-----+-----+

10.2.2.  Accounting Non-Framed Access AVP Table

   The table in this section is used when the Service-Type specifies
   Non-Framed Access.

                                          +-----------+
                                          |  Command  |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-Application-Id              | 0-1 | 0-1 |
   Accounting-Input-Octets                |  1  |  0  |
   Accounting-Output-Octets               |  1  |  0  |
   Accounting-Record-Type                 |  1  |  1  |
   Accounting-Record-Number               | 0-1 | 0-1 |
   Accounting-Realtime-Required           | 0-1 |  0  |
   Accounting-Sub-Session-Id              | 0-1 | 0-1 |
   Acct-Application-Id                    | 0-1 | 0-1 |
   Acct-Session-Id                        | 0-1 | 0-1 |
   Acct-Multi-Session-Id                  | 0-1 | 0-1 |
   Acct-Authentic                         |  1  |  0  |
   Acct-Delay-Time                        | 0-1 |  0  |
   Acct-Interim-Interval                  | 0-1 |  0  |
   Acct-Link-Count                        | 0-1 |  0  |
   Acct-Session-Time                      |  1  |  0  |
   Event-Timestamp                        | 0-1 | 0-1 |
   Error-Reporting-Host                   |  0  | 0-1 |
   Login-IP-Host                          | 0+  |  0  |
   Login-IPv6-Host                        | 0+  |  0  |
   Login-LAT-Service                      | 0-1 |  0  |
   Login-LAT-Node                         | 0-1 |  0  |
   Login-LAT-Group                        | 0-1 |  0  |
   Login-LAT-Port                         | 0-1 |  0  |
   Login-Service                          | 0-1 |  0  |
   Login-TCP-Port                         | 0-1 |  0  |
   NAS-Identifier                         | 0-1 | 0-1 |
   NAS-IP-Address                         | 0-1 | 0-1 |
   NAS-IPv6-Address                       | 0-1 | 0-1 |
   NAS-Port                               | 0-1 | 0-1 |
   NAS-Port-Id                            | 0-1 | 0-1 |
   NAS-Port-Type                          | 0-1 | 0-1 |
   Origin-Host                            |  1  |  1  |
   Origin-Realm                           |  1  |  1  |
   Origin-State-Id                        | 0-1 | 0-1 |
   Proxy-Info                             | 0+  | 0+  |
   Route-Record                           | 0+  | 0+  |
   Service-Type                           | 0-1 | 0-1 |
   Termination-Cause                      | 0-1 | 0-1 |
   User-Name                              | 0-1 | 0-1 |
   Vendor-Specific-Application-Id         | 0-1 | 0-1 |
   ---------------------------------------|-----+-----+

11.  IANA Considerations

   This section provides guidance to the Internet Assigned Numbers
   Authority (IANA) regarding registration of values related to the
   Diameter protocol, in accordance with BCP 26 [IANAConsid].

   This document defines values in the namespaces that have been created
   and defined in the Diameter Base [Base].  The IANA Considerations
   section of that document details the assignment criteria.  Values
   assigned in this document, or by future IANA action, must be
   coordinated within this shared namespace.

11.1.  Command Codes

   This specification assigns the values 265 and 268 from the Command
   Code namespace defined in [Base].  See sections 3.1 and 3.2 for the
   assignment of the namespace in this specification.

11.2.  AVP Codes

   This specification assigns the values 363-366 and 400-405 from the
   AVP Code namespace defined in [Base].  See sections 4 and 5 for the
   assignment of the namespace in this specification.  Note that the
   values 363-366 are jointly, but consistently, assigned in [DiamMIP].

   This specification also specifies the use of AVPs in the 0-255 range,
   which are defined in [RADIUSTypes].  These values are assigned by the
   policy in RFC 2865 Section 6 [RADIUS].

11.3.  Application Identifier

   This specification uses the value one (1) in the Application
   Identifier namespace as assigned in [Base].
   See section 1.2 above for more information.

11.4.  CHAP-Algorithm AVP Values

   As defined in Section 5.5, the CHAP-Algorithm AVP (AVP Code 403) uses
   the values of the "PPP AUTHENTICATION ALGORITHMS" namespace defined
   in [PPPCHAP].

12.  Security Considerations

   The security considerations of the Diameter protocol itself have
   been discussed in [Base].

   This document does not contain a security protocol, but does discuss
   how PPP authentication protocols can be carried within the Diameter
   protocol.  The PPP authentication protocols that are described are
   PAP and CHAP.

   The use of PAP SHOULD be discouraged, since it exposes users'
   passwords to possibly non-trusted entities.  However, PAP is also
   frequently used with One-Time Passwords (OTP), which do not pose a
   security risk.

   This document also describes how CHAP can be carried within the
   Diameter protocol, which is required for RADIUS backward
   compatibility.  The CHAP protocol, as used in a RADIUS environment,
   facilitates authentication replay attacks.

13.  References

13.1.  Normative References

   [Base]         P. Calhoun, et al., "Diameter Base Protocol",
                  draft-ietf-aaa-diameter-17.txt, IETF work in progress,
                  December 2002.

   [AAATrans]     B. Aboba, J. Wood, "Authentication, Authorization and
                  Accounting (AAA) Transport Profile",
                  draft-ietf-aaa-transport-08, IETF work in progress,
                  April 2002.

   [RADIUS]       C. Rigney, A. Rubens, W. Simpson, S. Willens, "Remote
                  Authentication Dial In User Service (RADIUS)", RFC
                  2865, June 2000.

   [RADIUSTypes]  IANA, "RADIUS Types", URL:

   [RADIUSIPv6]   B. Aboba, G. Zorn, D. Mitton, "RADIUS and IPv6", RFC
                  3162, August 2001.

   [IPv6Addr]     R. Hinden, S. Deering, "IP Version 6 Addressing
                  Architecture", RFC 2373, July 1998.

   [PPPCHAP]      W. Simpson, "PPP Challenge Handshake Authentication
                  Protocol (CHAP)", RFC 1994, August 1996.
   [IANAConsid]   Narten, Alvestrand, "Guidelines for Writing an IANA
                  Considerations Section in RFCs", BCP 26, RFC 2434,
                  October 1998.

   [IANA]         IANA Assigned Numbers Database, URL:

   [Keywords]     S. Bradner, "Key words for use in RFCs to Indicate
                  Requirement Levels", BCP 14, RFC 2119, March 1997.

   [ISOLatin]     ISO 8859. International Standard -- Information
                  Processing -- 8-bit Single-Byte Coded Graphic
                  Character Sets -- Part 1: Latin Alphabet No. 1,
                  ISO 8859-1:1987. URL:

   [ANITypes]     NANPA Number Resource Info, ANI Assignments, URL:

13.2. Informative References

   [NAI]          B. Aboba, M. Beadles, "The Network Access Identifier",
                  RFC 2486, January 1999.

   [RADIUSAcct]   C. Rigney, "RADIUS Accounting", RFC 2866, June 2000.

   [RADIUSExt]    C. Rigney, W. Willats, P. Calhoun, "RADIUS
                  Extensions", RFC 2869, June 2000.

   [RADTunnels]   G. Zorn, D. Leifer, A. Rubens, J. Shriver,
                  M. Holdrege, I. Goyret, "RADIUS Attributes for Tunnel
                  Protocol Support", RFC 2868, June 2000.

   [RADTunlAcct]  G. Zorn, B. Aboba, D. Mitton, "RADIUS Accounting
                  Modifications for Tunnel Protocol Support", RFC 2867,
                  June 2000.

   [RADDynAuth]   M. Chiba, M. Dommety, M. Eklund, D. Mitton, B. Aboba,
                  draft-chiba-radius-dynamic-authorization-06.txt, Work
                  in Progress, January 2003.

   [ExtRADPract]  D. Mitton, "Network Access Servers Requirements:
                  Extended RADIUS Practices", RFC 2882, July 2000.

   [NASModel]     D. Mitton, M. Beadles, "Network Access Server
                  Requirements Next Generation (NASREQNG) NAS Model",
                  RFC 2881, July 2000.

   [NASCriteria]  M. Beadles, D. Mitton, "Criteria for Evaluating
                  Network Access Server Protocols", RFC 3169,
                  September 2001.

   [AAACriteria]  Aboba, et al., "Criteria for Evaluating AAA Protocols
                  for Network Access", RFC 2989, November 2000.

   [DiamEAP]      G. Zorn, "Diameter EAP Application",
                  draft-ietf-aaa-eap-01.txt, IETF work in progress,
                  August 2002.
   [DiamCMS]      P. Calhoun, W. Bulley, S. Farrell, "Diameter CMS
                  Security Application",
                  draft-ietf-aaa-diameter-cms-sec-04.txt, IETF work in
                  progress, March 2002.

   [DiamMIP]      P. Calhoun, C. Perkins, T. Johansson, "Diameter Mobile
                  IP Application", draft-ietf-aaa-diameter-mobileip-13.txt,
                  IETF work in progress, October 2002.

   [RAD802.1X]    P. Congdon, et al., "IEEE 802.1X RADIUS Usage
                  Guidelines", draft-congdon-8021x-RADIUS-20.txt, IETF
                  work in progress, June 2002.

   [802.1X]       IEEE Standard for Local and metropolitan networks -
                  Port-Based Network Access Control, IEEE Std
                  802.1X-2001, June 2001.

   [CDMA2000]     3GPP2, "P.S0001-B", Wireless IP Network Standard,
                  October 2002.
                  http://www.3gpp2.com/Public_html/specs/P.S0001-B_v1.0.pdf

   [TCPCompress]  Jacobson, "Compressing TCP/IP headers for low-speed
                  serial links", RFC 1144, February 1990.

   [PPPMP]        Sklower, Lloyd, McGregor, Carr, "The PPP Multilink
                  Protocol (MP)", RFC 1717, November 1994.

   [PPTP]         K. Hamzeh, G. Pall, W. Verthein, J. Taarud, W. Little,
                  G. Zorn, "Point-to-Point Tunneling Protocol (PPTP)",
                  RFC 2637, July 1999.

   [L2F]          A. Valencia, M. Littlewood, T. Kolar, "Cisco Layer Two
                  Forwarding (Protocol) 'L2F'", RFC 2341, May 1998.

   [L2TP]         W. M. Townsley, A. Valencia, A. Rubens, G. S. Pall,
                  G. Zorn, B. Palter, "Layer Two Tunneling Protocol
                  (L2TP)", RFC 2661, August 1999.

   [ATMP]         K. Hamzeh, "Ascend Tunnel Management Protocol - ATMP",
                  RFC 2107, February 1997.

   [MSMPPE]       G. Pall, G. Zorn, "Microsoft Point-To-Point Encryption
                  (MPPE) Protocol", RFC 3078, March 2001.

   [UTF-8]        F. Yergeau, "UTF-8, a transformation format of
                  ISO 10646", RFC 2279, January 1998.

   [STD51]        W. Simpson, Editor, "The Point-to-Point Protocol
                  (PPP)", STD 51, RFC 1661, July 1994.

14. Acknowledgements

   The authors would like to thank Carl Rigney, Allan C. Rubens, William
   Allen Simpson, and Steve Willens for their work on the original
   RADIUS [RADIUS], from which many of the concepts in this
   specification were derived. Thanks, also, to: Carl Rigney for
   [RADIUSAcct] and [RADIUSExt]; Ward Willats for [RADIUSExt]; Glen
   Zorn, Bernard Aboba and Dave Mitton for [RADTunlAcct] and [RADIPV6];
   Dory Leifer, John Shriver, Matt Holdrege and Ignacio Goyret for their
   work on [RADTunnels]. This document stole text and concepts from both
   [RADTunnels] and [RADIUSExt]. Thanks go to Carl Williams for
   providing IPv6 specific text.

   The authors would also like to acknowledge the following people for
   their contributions in the development of the Diameter protocol:
   Bernard Aboba, Jari Arkko, William Bulley, Kuntal Chowdhury, Daniel
   C. Fox, Lol Grant, Nancy Greene, Jeff Hagg, Peter Heitman, Paul
   Krumviede, Fergal Ladley, Ryan Moats, Victor Muslin, Kenneth Peirce,
   Sumit Vakil, John R. Vollbrecht and Jeff Weisberg.

   Finally, Pat Calhoun would like to thank Sun Microsystems since most
   of the effort put into this document was done while he was in their
   employ.

15. Authors' Addresses

   Questions about this memo can be directed to:

   Pat R. Calhoun
   Black Storm Networks
   250 Cambridge Avenue, Suite 200
   Palo Alto, California, 94306
   USA

   Phone:  1 650-617-2932
   Fax:    1 650-786-6445
   E-mail: pcalhoun@diameter.org

   Glen Zorn
   Cisco Systems, Inc.
   500 108th Avenue N.E., Suite 500
   Bellevue, WA 98004
   USA

   Phone:  1 425-471-4861
   E-mail: gwz@cisco.com

   David Spence
   Interlink Networks, Inc.
   775 Technology Drive, Suite 200
   Ann Arbor, MI 48108
   USA

   Phone:  1 734-821-1203
   Fax:    1 734-821-1235
   E-mail: dspence@interlinknetworks.com

   David Mitton
   Circular Logic Unlimited
   733 Turnpike St #154
   North Andover, MA 01845

   E-mail: david@mitton.com

Intellectual Property Considerations

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances
   of licenses to be made available, or the result of an attempt made
   to obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification
   can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.
   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English. The limited permissions granted above are perpetual and will
   not be revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
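As an added illustration of the Section 12 concerns (editorial example, not part of the draft or any implementation it cites): a server-side check of a received CHAP tuple that accepts only the MD5 algorithm value (5 in the "PPP AUTHENTICATION ALGORITHMS" namespace that the CHAP-Algorithm AVP of Section 11.4 uses), verifies the response as RFC 1994 [PPPCHAP] defines it, and refuses a (user, challenge) pair it has already seen within a time window, because in the RADIUS-style exchange the NAS rather than the server chooses the challenge. The ChapVerifier class, its secrets dictionary and the sample values are constructed for this example.

```python
import hashlib
import hmac
import time

# Value of CHAP with MD5 in the "PPP AUTHENTICATION ALGORITHMS" namespace
# (RFC 1994), the namespace the CHAP-Algorithm AVP (code 403) draws from.
CHAP_ALGORITHM_MD5 = 5


def chap_md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapVerifier:
    """Hypothetical server-side check of a CHAP tuple received over Diameter.

    The NAS, not the server, chooses the challenge, so the server cannot
    guarantee freshness; remembering (user, challenge) pairs for a window
    at least detects a tuple replayed within that window.
    """

    def __init__(self, secrets: dict, window_s: float = 300.0):
        self._secrets = secrets   # user -> cleartext secret (CHAP requires it)
        self._window_s = window_s
        self._seen = {}           # (user, challenge) -> time first seen

    def _expire(self, now: float) -> None:
        for key, ts in list(self._seen.items()):
            if now - ts > self._window_s:
                del self._seen[key]

    def verify(self, user, algorithm, ident, challenge, response, now=None):
        """Return (accepted, reason); reason names the first failed check."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        if algorithm != CHAP_ALGORITHM_MD5:
            return False, "unsupported CHAP-Algorithm"
        secret = self._secrets.get(user)
        if secret is None or not challenge:
            return False, "unknown user or empty challenge"
        key = (user, bytes(challenge))
        if key in self._seen:
            return False, "replayed challenge"
        self._seen[key] = now     # record every attempt, not only successes
        expected = chap_md5_response(ident, secret, challenge)
        if not hmac.compare_digest(expected, response):
            return False, "bad response"
        return True, "ok"
```

The window only bounds how long a captured tuple stays detectable; it does not make a NAS-chosen challenge fresh, which is why the draft's caution about CHAP in a RADIUS-compatible deployment still applies.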