Network Working Group                                          D. Nelson
Internet-Draft                                     Elbrys Networks, Inc.
Intended status: Standards Track                                G. Weber
Expires: January 11, 2009                         Individual Contributor
                                                           July 10, 2008


   Remote Authentication Dial-In User Service (RADIUS) Authorization for
                  Network Access Server (NAS) Management
            draft-ietf-radext-management-authorization-04.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 11, 2009.

Abstract

   This document specifies Remote Authentication Dial-In User Service
   (RADIUS) attributes for authorizing management access to a Network
   Access Server (NAS).  Both local and remote management are supported,
   with granular access rights and management privileges.  Specific
   provisions are made for remote management via framed management
   protocols, and for management access over a secure transport
   protocol.

Table of Contents

   1.  Terminology
   2.  Introduction
   3.  Overview
   4.  New Values for Existing RADIUS Attributes
       4.1.  Service-Type
   5.  New RADIUS Attributes
       5.1.  Framed-Management-Protocol
       5.2.  Management-Transport-Protection
       5.3.  Management-Policy-Id
       5.4.  Management-Privilege-Level
   6.  Examples of attribute groupings
   7.  Diameter Translation Considerations
   8.  Table of Attributes
   9.  IANA Considerations
   10. Security Considerations
       10.1.  General Considerations
       10.2.  RADIUS Proxy Operation Considerations
   11. Acknowledgments
   12. References
       12.1.  Normative References
       12.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   This document uses terminology from RFC 2865 [RFC2865], RFC 2866
   [RFC2866] and RFC 5176 [RFC5176].

2.  Introduction

   RFC 2865 [RFC2865] defines the NAS-Prompt (7) and Administrative (6)
   values of the Service-Type (6) Attribute.  Both of these values
   provide access to the interactive, text-based Command Line Interface
   (CLI) of the NAS, and were originally developed to control access to
   the physical console port of the NAS, most often a serial port.

   Remote access to the CLI of the NAS has been available in NAS
   implementations for many years, using protocols such as Telnet,
   Rlogin and the remote terminal service of the Secure SHell (SSH).  In
   order to distinguish local, physical, console access from remote
   access, the NAS-Port-Type (61) Attribute is generally included in
   Access-Request and Access-Accept messages, along with the
   Service-Type (6) Attribute, to indicate the form of access.
   A NAS-Port-Type (61) Attribute with a value of Async (0) is used to
   signify a local serial port connection, while a value of Virtual (5)
   is used to signify a remote connection, via a remote terminal
   protocol.  This usage provides no selectivity among the various
   available remote terminal protocols (e.g. Telnet, Rlogin, SSH, etc.).

   Today, it is common for network devices to support more than the two
   privilege levels for management access provided by the Service-Type
   (6) Attribute with values of NAS-Prompt (7) (non-privileged) and
   Administrative (6) (privileged).  Also, other management mechanisms
   may be used, such as Web-based management, Simple Network Management
   Protocol (SNMP) and NETCONF.  To provide support for these additional
   features, this specification defines attributes for Framed Management
   protocols, management protocol security, and management access
   privilege levels.

   Remote management via the command line is carried over protocols such
   as Telnet, Rlogin and the remote terminal service of SSH.  Since
   these protocols are primarily for the delivery of terminal or
   pseudo-TTY services, the term "Framed Management" is used to describe
   management protocols supporting techniques other than the command
   line.  Typically these mechanisms format management information in a
   binary or textual encoding such as HTML, XML or ASN.1/BER.  Examples
   include Web-based management (HTML over HTTP or HTTPS), NETCONF (XML
   over SSH/BEEP/SOAP) and SNMP (SMI over ASN.1/BER).  Command line
   interface, menu interface or other text-based (e.g. ASCII or UTF-8)
   terminal emulation services are not considered to be Framed
   Management protocols.

3.  Overview

   To support the authorization and provisioning of Framed Management
   access to managed entities, this document introduces a new value for
   the Service-Type (6) Attribute [RFC2865], and one new attribute.  The
   new value for the Service-Type (6) Attribute is Framed-Management
   (TBA-1), used for remote device management via a Framed Management
   protocol.  The new attribute is Framed-Management-Protocol (TBA-2),
   the value of which specifies a particular protocol for use in the
   remote management session.

   Two new attributes are introduced in this document in support of
   granular management access rights or command privilege levels.  The
   Management-Policy-Id (TBA-4) Attribute provides a text string
   specifying a policy name of local scope, that is assumed to have been
   pre-provisioned on the NAS.  This use of an attribute to specify use
   of a pre-provisioned policy is similar to the Filter-Id (11)
   Attribute defined in [RFC2865] Section 5.11.

   The local application of the Management-Policy-Id (TBA-4) Attribute
   within the managed entity may take the form of (a) one of an
   enumeration of command privilege levels, (b) a mapping into an SNMP
   Access Control Model, such as the View Based Access Control Model
   (VACM) [RFC3415], or (c) some other set of management access policy
   rules that is mutually understood by the managed entity and the
   remote management application.  Examples are given in Section 6.

   The Management-Privilege-Level (TBA-5) Attribute contains an
   integer-valued management privilege level indication.  This attribute
   serves to modify or augment the management permissions provided by
   the NAS-Prompt (7) value of the Service-Type (6) Attribute, and thus
   applies to CLI management.

   To enable management security requirements to be specified, the
   Management-Transport-Protection (TBA-3) Attribute is introduced.  The
   value of this attribute indicates the minimum level of secure
   transport protocol protection required for the provisioning of
   NAS-Prompt (7), Administrative (6) or Framed-Management (TBA-1)
   service.

4.  New Values for Existing RADIUS Attributes

4.1.  Service-Type

   The Service-Type (6) Attribute is defined in Section 5.6 of RFC 2865
   [RFC2865].  This document defines a new value of the Service-Type
   Attribute, as follows:

      (TBA-1) Framed-Management

   The semantics of the Framed-Management service are as follows:

      Framed-Management   A framed management protocol session should
                          be started on the NAS.

5.  New RADIUS Attributes

   This document defines four new RADIUS attributes related to
   management authorization.

5.1.  Framed-Management-Protocol

   The Framed-Management-Protocol (TBA-2) Attribute indicates the
   application-layer management protocol to be used for Framed
   Management access.  It MAY be used in both Access-Request and
   Access-Accept packets.  This attribute is used in conjunction with a
   Service-Type (6) Attribute with the value of Framed-Management
   (TBA-1).

   It is RECOMMENDED that the NAS include an appropriately valued
   Framed-Management-Protocol (TBA-2) Attribute in an Access-Request
   packet, indicating the type of management access being requested.  It
   is further RECOMMENDED that the NAS include a Service-Type (6)
   Attribute with the value Framed-Management (TBA-1) in the same
   Access-Request packet.  The RADIUS server MAY use these attributes as
   a hint in making its authorization decision.

   The RADIUS server MAY include a Framed-Management-Protocol (TBA-2)
   Attribute in an Access-Accept packet that also includes a
   Service-Type (6) Attribute with a value of Framed-Management (TBA-1),
   when the RADIUS Server chooses to enforce a management access policy
   for the authenticated user that dictates one form of management
   access in preference to others.

   When a NAS receives a Framed-Management-Protocol (TBA-2) Attribute in
   an Access-Accept packet, it MUST deliver that specified form of
   management access or disconnect the session.
   If the NAS does not support the provisioned management
   application-layer protocol, or the management access protocol
   requested by the user does not match that of the
   Framed-Management-Protocol (TBA-2) Attribute in the Access-Accept
   packet, the NAS MUST treat the Access-Accept packet as if it had been
   an Access-Reject.

   A summary of the Framed-Management-Protocol (TBA-2) Attribute format
   is shown below.  The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      (TBA-2) for Framed-Management-Protocol.

   Length

      6

   Value

      The Value field is a four octet enumerated value.

         1  SNMP
         2  Web-based
         3  NETCONF
         4  FTP
         5  TFTP
         6  SFTP
         7  RCP
         8  SCP

      All other values are reserved for IANA allocation subject to the
      provisions of Section 9.

   The acronyms used in the above table expand as follows:

   o  SNMP: Simple Network Management Protocol.  [RFC3411], [RFC3412],
      [RFC3413], [RFC3414], [RFC3415], [RFC3416], [RFC3417], [RFC3418]

   o  Web-based: Use of an embedded web server in the NAS for management
      via a generic web browser client.  The interface presented to the
      administrator may be graphical, tabular or textual.  The protocol
      is HTML over HTTP.  The protocol may optionally be HTML over
      HTTPS, i.e. using HTTP over TLS.  [HTML] [RFC2616]

   o  NETCONF: Management via the NETCONF protocol using XML over
      supported transports (e.g. SSH, BEEP, SOAP).  As secure transport
      profiles are defined for NETCONF, the list of transport options
      may expand.  [RFC4741], [RFC4742], [RFC4743], [RFC4744]

   o  FTP: File Transfer Protocol, used to transfer configuration files
      to and from the NAS.  [RFC0959]

   o  TFTP: Trivial File Transfer Protocol, used to transfer
      configuration files to and from the NAS.  [RFC1350]

   o  SFTP: SSH File Transfer Protocol, used to securely transfer
      configuration files to and from the NAS.  SFTP uses the services
      of SSH.  [SFTP] See also Section 3.7, "SSH and File Transfers" of
      [SSH].  Additional information on the "sftp" program may typically
      be found in the online documentation ("man" pages) of Unix
      systems.

   o  RCP: Remote CoPy file copy utility (Unix-based), used to transfer
      configuration files to and from the NAS.  See Section 3.7, "SSH
      and File Transfers" of [SSH].  Additional information on the "rcp"
      program may typically be found in the online documentation ("man"
      pages) of Unix systems.

   o  SCP: Secure CoPy file copy utility (Unix-based), used to transfer
      configuration files to and from the NAS.  The "scp" program is a
      simple wrapper around SSH.  It's basically a patched BSD Unix
      "rcp" which uses ssh to do the data transfer (instead of using
      "rcmd").  See Section 3.7, "SSH and File Transfers" of [SSH].
      Additional information on the "scp" program may typically be found
      in the online documentation ("man" pages) of Unix systems.

5.2.  Management-Transport-Protection

   The Management-Transport-Protection (TBA-3) Attribute specifies the
   minimum level of protection that is required for a protected
   transport used with the framed or non-framed management access
   session.  The protected transport used by the NAS MAY provide a
   greater level of protection, but MUST NOT provide a lower level of
   protection.

   When a secure form of non-framed management access is specified, it
   means that the remote terminal session is encapsulated in some form
   of protected transport, or tunnel.  It may also mean that an explicit
   secure mode of operation is required, when the framed management
   protocol contains an intrinsic secure mode of operation.  The
   Management-Transport-Protection (TBA-3) Attribute does not apply to
   CLI access via a local serial port, or other non-remote connection.

   When a secure form of Framed Management access is specified, it means
   that the application-layer management protocol is encapsulated in
   some form of protected transport, or tunnel.  It may also mean that
   an explicit secure mode of operation is required, when the Framed
   Management protocol contains an intrinsic secure mode of operation.

   A value of "No Protection (1)" indicates that a secure transport
   protocol is not required, and that the NAS SHOULD accept a connection
   over any transport associated with the application-layer management
   protocol.  The definitions of management application to transport
   bindings are defined in the relevant documents that specify those
   management application protocols.  The same "No Protection" semantics
   are conveyed by omitting this attribute from an Access-Accept packet.

   Specific protected transport protocols, cipher suites, key agreement
   methods, or authentication methods are not specified by this
   attribute.  Such provisioning is beyond the scope of this document.

   It is RECOMMENDED that the NAS include an appropriately valued
   Management-Transport-Protection (TBA-3) Attribute in an
   Access-Request packet, indicating the level of transport protection
   for the management access being requested, when that information is
   available to the RADIUS client.  The RADIUS server MAY use this
   attribute as a hint in making its authorization decision.

   The RADIUS server MAY include a Management-Transport-Protection
   (TBA-3) Attribute in an Access-Accept packet that also includes a
   Service-Type (6) Attribute with a value of Framed-Management (TBA-1),
   when the RADIUS Server chooses to enforce a management access
   security policy for the authenticated user that dictates a minimum
   level of transport security.
   When a NAS receives a Management-Transport-Protection (TBA-3)
   Attribute in an Access-Accept packet, it MUST deliver the management
   access over a transport with equal or better protection
   characteristics or disconnect the session.  If the NAS does not
   support protected management transport protocols, or the level of
   protection available does not match that of the
   Management-Transport-Protection (TBA-3) Attribute in the
   Access-Accept packet, the NAS MUST treat the response packet as if it
   had been an Access-Reject.

   A summary of the Management-Transport-Protection (TBA-3) Attribute
   format is shown below.  The fields are transmitted from left to
   right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      (TBA-3) for Management-Transport-Protection.

   Length

      6

   Value

      The Value field is a four octet enumerated value.

         1  No-Protection
         2  Integrity-Protection
         3  Integrity-Confidentiality-Protection

      All other values are reserved for IANA allocation subject to the
      provisions of Section 9.

   The names used in the above table are elaborated as follows:

   o  No-Protection: No transport protection is required.  Accept
      connections via any supported transport.

   o  Integrity-Protection: The management transport MUST provide
      Integrity Protection, i.e. protection from unauthorized
      modification, using a cryptographic checksum.

   o  Integrity-Confidentiality-Protection: The management transport
      MUST provide both Integrity Protection and Confidentiality
      Protection, i.e. protection from unauthorized modification, using
      a cryptographic checksum, and protection from unauthorized
      disclosure, using encryption.

   The configuration or negotiation of acceptable algorithms, modes and
   credentials for the cryptographic protection mechanisms used in
   implementing protected management transports is outside the scope of
   this document.  Many such mechanisms have standardized methods of
   configuration and key management.

5.3.  Management-Policy-Id

   The Management-Policy-Id (TBA-4) Attribute indicates the name of the
   management access policy for this user.  Zero or one
   Management-Policy-Id (TBA-4) Attributes MAY be sent in an
   Access-Accept packet.  Identifying a policy by name allows the policy
   to be used on different NASes without regard to implementation
   details.

   Multiple forms of management access rules may be expressed by the
   underlying named policy, the definition of which is beyond the scope
   of this document.  The management access policy MAY be applied
   contextually, based on the nature of the management access method.
   For example, some named policies may only be valid for application to
   NAS-Prompt (7) services and some other policies may only be valid for
   SNMP.

   The management access policy named in this attribute, received in an
   Access-Accept packet, MUST be applied to the session authorized by
   the Access-Accept.  If the NAS supports this attribute, but the
   policy name is unknown, or if the RADIUS client is able to determine
   that the policy rules are incorrectly formatted, the NAS MUST treat
   the Access-Accept packet as if it had been an Access-Reject.

   No precedence relationship is defined for multiple occurrences of the
   Management-Policy-Id (TBA-4) Attribute.  NAS behavior in such cases
   is undefined.  Therefore, two or more occurrences of this attribute
   SHOULD NOT be included in an Access-Accept or CoA-Request.
   The content of the Management-Policy-Id (TBA-4) Attribute is expected
   to be the name of a management access policy of local significance to
   the NAS, within a namespace of significance to the NAS.  In this
   regard, the behavior is similar to that for the Filter-Id (11)
   Attribute.  The policy names and rules are committed to the local
   configuration data-store of the NAS, and are provisioned by means
   beyond the scope of this document, such as via SNMP, NETCONF or CLI.

   The namespace used in the Management-Policy-Id (TBA-4) Attribute is
   simple and monolithic.  There is no explicit or implicit structure or
   hierarchy.  For example, in the text string "example.com", the "."
   (period or dot) is just another character.  It is expected that text
   string matching will be performed without parsing the text string
   into any sub-fields.

   Overloading or subdividing this simple name with multi-part
   specifiers (e.g. Access=remote, Level=7) is likely to lead to poor
   multi-vendor interoperability and SHOULD NOT be utilized.  If a
   simple, unstructured policy name is not sufficient, it is RECOMMENDED
   that a Vendor Specific (26) Attribute be used instead, rather than
   overloading the semantics of Management-Policy-Id.

   A summary of the Management-Policy-Id (TBA-4) Attribute format is
   shown below.  The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
   |     Type      |    Length     |  Text ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

   Type

      (TBA-4) for Management-Policy-Id.

   Length

      >= 3

   Text

      The Text field is one or more octets, and its contents are
      implementation dependent.  It is intended to be human readable and
      MUST NOT affect operation of the protocol.  It is recommended that
      the message contain UTF-8 encoded 10646 [RFC3629] characters.

5.4.  Management-Privilege-Level

   The Management-Privilege-Level (TBA-5) Attribute indicates the
   integer-valued privilege level to be assigned for management access
   for the authenticated user.  Many NASes provide the notion of
   differentiated management privilege levels denoted by an integer
   value.  The specific access rights conferred by each value are
   implementation dependent.  It MAY be used in both Access-Request and
   Access-Accept packets.

   The management access level indicated in this attribute, received in
   an Access-Accept packet, MUST be applied to the session authorized by
   the Access-Accept.  If the NAS supports this attribute, but the
   privilege level is unknown, the NAS MUST treat the Access-Accept
   packet as if it had been an Access-Reject.

   A summary of the Management-Privilege-Level (TBA-5) Attribute format
   is shown below.  The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      (TBA-5) for Management-Privilege-Level.

   Length

      6

   Value

      The Value field is a four octet Integer, denoting a management
      privilege level.

   It is RECOMMENDED to limit use of the Management-Privilege-Level
   (TBA-5) Attribute to sessions where the Service-Type (6) Attribute
   has a value of NAS-Prompt (7) (not Administrative).  Typically, NASes
   treat NAS-Prompt as the minimal privilege CLI service and
   Administrative as full privilege.  Using the
   Management-Privilege-Level (TBA-5) Attribute with a Service-Type (6)
   Attribute having a value of NAS-Prompt (7) will have the effect of
   increasing the minimum privilege level.  Conversely, it is NOT
   RECOMMENDED to use this attribute with a Service-Type (6) Attribute
   with a value of Administrative (6), which may require decreasing the
   maximum privilege level.

   It is NOT RECOMMENDED to use the Management-Privilege-Level (TBA-5)
   Attribute in combination with a Management-Policy-Id (TBA-4)
   Attribute or for management access methods other than interactive
   CLI.  The behavior resulting from such an overlay of management
   access control provisioning is not defined by this document, and in
   the absence of further specification is likely to lead to unexpected
   behaviors, especially in multi-vendor environments.

6.  Examples of attribute groupings

   1.  Unprotected CLI access, via the local console, to the
       "super-user" access level:

       *  Service-Type (6) = Administrative (6)
       *  NAS-Port-Type (61) = Async (0)
       *  Management-Transport-Protection (TBA-3) = No-Protection (1)

   2.  Unprotected CLI access, via a remote console, to the "super-user"
       access level:

       *  Service-Type (6) = Administrative (6)
       *  NAS-Port-Type (61) = Virtual (5)
       *  Management-Transport-Protection (TBA-3) = No-Protection (1)

   3.  CLI access, via a fully-protected secure remote terminal service
       to the non-privileged user access level:

       *  Service-Type (6) = NAS-Prompt (7)
       *  NAS-Port-Type (61) = Virtual (5)
       *  Management-Transport-Protection (TBA-3) =
          Integrity-Confidentiality-Protection (3)

   4.  CLI access, via a fully-protected secure remote terminal service,
       to a custom management access level, defined by a policy:

       *  Service-Type (6) = NAS-Prompt (7)
       *  NAS-Port-Type (61) = Virtual (5)
       *  Management-Transport-Protection (TBA-3) =
          Integrity-Confidentiality-Protection (3)
       *  Management-Policy-Id (TBA-4) = "Network Administrator"

   5.  CLI access, via a fully-protected secure remote terminal service,
       with a management privilege level of 15:

       *  Service-Type (6) = NAS-Prompt (7)
       *  NAS-Port-Type (61) = Virtual (5)
       *  Management-Transport-Protection (TBA-3) =
          Integrity-Confidentiality-Protection (3)
       *  Management-Privilege-Level (TBA-5) = 15

   6.  SNMP access, using an Access Control Model specifier, such as a
       custom VACM View, defined by a policy:

       *  Service-Type (6) = Framed-Management (TBA-1)
       *  NAS-Port-Type (61) = Virtual (5)
       *  Framed-Management-Protocol (TBA-2) = SNMP (1)
       *  Management-Policy-Id (TBA-4) = "SNMP Network Administrator
          View"

       There is currently no standardized way of implementing this
       management policy mapping within SNMP.  Such mechanisms are the
       topic of current research.

   7.  SNMP fully-protected access:

       *  Service-Type (6) = Framed-Management (TBA-1)
       *  NAS-Port-Type (61) = Virtual (5)
       *  Framed-Management-Protocol (TBA-2) = SNMP (1)
       *  Management-Transport-Protection (TBA-3) =
          Integrity-Confidentiality-Protection (3)

   8.  Web (HTTP/HTML) access:

       *  Service-Type (6) = Framed-Management (TBA-1)
       *  NAS-Port-Type (61) = Virtual (5)
       *  Framed-Management-Protocol (TBA-2) = Web-based (2)

   9.  Secure web access, using a custom management access level,
       defined by a policy:

       *  Service-Type (6) = Framed-Management (TBA-1)
       *  NAS-Port-Type (61) = Virtual (5)
       *  Framed-Management-Protocol (TBA-2) = Web-based (2)
       *  Management-Transport-Protection (TBA-3) =
          Integrity-Confidentiality-Protection (3)
       *  Management-Policy-Id (TBA-4) = "Read-only web access"

7.  Diameter Translation Considerations

   When used in Diameter, the attributes defined in this specification
   can be used as Diameter AVPs from the Code space 1-255 (RADIUS
   attribute compatibility space).  No additional Diameter Code values
   are therefore allocated.
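   Before the Diameter mapping, the attribute groupings of Section 6 and
   the NAS-side rules of Sections 5.1 to 5.4, as an added Python
   illustration (not code from the draft or from any RADIUS
   implementation): it encodes grouping 9 as attribute TLVs and applies
   the treat-as-Access-Reject checks a NAS must make.  The attribute type
   codes are placeholders for TBA-2 to TBA-5, and the `nas` capability
   dict is an assumed shape, not something the draft defines.

```python
# Added illustration; not code from the draft or any RADIUS implementation.
import struct

# PLACEHOLDER type codes standing in for the draft's TBA-2..TBA-5; the
# draft leaves these to IANA, so the numbers below are made up.
FRAMED_MANAGEMENT_PROTOCOL = 241       # TBA-2 (placeholder)
MANAGEMENT_TRANSPORT_PROTECTION = 242  # TBA-3 (placeholder)
MANAGEMENT_POLICY_ID = 243             # TBA-4 (placeholder)
MANAGEMENT_PRIVILEGE_LEVEL = 244       # TBA-5 (placeholder)

# Management-Transport-Protection enumeration from Section 5.2.
NO_PROTECTION, INTEGRITY, INTEGRITY_CONFIDENTIALITY = 1, 2, 3


def encode_enum(attr_type, value):
    """Type (1 octet) | Length (1 octet) = 6 | Value (4 octets, big-endian)."""
    return struct.pack("!BBI", attr_type, 6, value)


def encode_text(attr_type, text):
    """Type | Length >= 3 | UTF-8 Text of one or more octets."""
    data = text.encode("utf-8")
    if not 1 <= len(data) <= 253:          # Length is one octet, max 255
        raise ValueError("Text must be 1..253 octets")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def decode_attrs(payload):
    """Walk the TLV list into [(type, value_bytes), ...].

    A Length below 3 or past the end of the buffer is a malformed packet
    and raises ValueError rather than being silently skipped."""
    attrs, i = [], 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 3 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def _u32(value):
    """Decode a four-octet enumerated/integer Value field."""
    if len(value) != 4:
        raise ValueError("four-octet Value expected")
    return struct.unpack("!I", value)[0]


def nas_apply_accept(attrs, nas, requested_protocol=None):
    """Decide whether the NAS can honour an Access-Accept.

    Returns (True, "ok") or (False, reason).  `nas` is an assumed
    capability description (not defined by the draft) with keys
    supported_protocols, transport_level, policies and levels."""
    required = NO_PROTECTION   # attribute omitted == No-Protection (5.2)
    policy_ids = []
    for attr_type, value in attrs:
        if attr_type == FRAMED_MANAGEMENT_PROTOCOL:            # 5.1
            proto = _u32(value)
            if proto not in nas["supported_protocols"]:
                return False, "unsupported framed management protocol"
            if requested_protocol is not None and proto != requested_protocol:
                return False, "provisioned protocol differs from requested"
        elif attr_type == MANAGEMENT_TRANSPORT_PROTECTION:     # 5.2
            required = _u32(value)
            if required not in (NO_PROTECTION, INTEGRITY,
                                INTEGRITY_CONFIDENTIALITY):
                return False, "unknown protection level"
        elif attr_type == MANAGEMENT_POLICY_ID:                # 5.3
            policy_ids.append(value.decode("utf-8"))
        elif attr_type == MANAGEMENT_PRIVILEGE_LEVEL:          # 5.4
            if _u32(value) not in nas["levels"]:
                return False, "unknown privilege level"
    # Equal-or-better: the NAS may exceed the minimum, never fall below it.
    if nas["transport_level"] < required:
        return False, "transport protection below required minimum"
    # Two or more occurrences leave NAS behaviour undefined; this example
    # chooses to reject rather than guess a precedence.
    if len(policy_ids) > 1:
        return False, "multiple Management-Policy-Id attributes"
    # Flat namespace: compare the whole string, never parse sub-fields.
    if policy_ids and policy_ids[0] not in nas["policies"]:
        return False, "unknown policy name"
    return True, "ok"


def grouping_9():
    """Section 6 grouping 9 as attribute octets (constructed sample).

    Service-Type (6) and NAS-Port-Type (61) are standard attributes and
    are left out here; only the attributes this draft defines appear."""
    return (encode_enum(FRAMED_MANAGEMENT_PROTOCOL, 2)            # Web-based
            + encode_enum(MANAGEMENT_TRANSPORT_PROTECTION,
                          INTEGRITY_CONFIDENTIALITY)
            + encode_text(MANAGEMENT_POLICY_ID, "Read-only web access"))


if __name__ == "__main__":
    nas = {"supported_protocols": {1, 2}, "transport_level": 3,
           "policies": {"Read-only web access"}, "levels": set(range(16))}
    print(nas_apply_accept(decode_attrs(grouping_9()), nas, 2))
```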
The data types and flag rules for the 625 attributes are as follows: 627 +---------------------+ 628 | AVP Flag rules | 629 |----+-----+----+-----|----+ 630 | | |SHLD| MUST| | 631 Attribute Name Value Type |MUST| MAY | NOT| NOT|Encr| 632 ---------------------------------|----+-----+----+-----|----| 633 Service-Type (new value) | | | | | | 634 Enumerated | M | P | | V | Y | 635 Framed-Management-Protocol | | | | | | 636 Enumerated | M | P | | V | Y | 637 Management-Transport-Protection | | | | | | 638 Enumerated | M | P | | V | Y | 639 Management-Policy-Id | | | | | | 640 UTF8String | M | P | | V | Y | 641 Management-Privilege-Level | | | | | | 642 Integer | M | P | | V | Y | 643 ---------------------------------|----+-----+----+-----|----| 645 The attributes in this specification have no special translation 646 requirements for Diameter to RADIUS or RADIUS to Diameter gateways; 647 they are copied as is, except for changes relating to headers, 648 alignment, and padding. See also [RFC3588] Section 4.1 and [RFC4005] 649 Section 9. 651 What this specification says about the applicability of the 652 attributes for RADIUS Access-Request packets applies in Diameter to 653 AA-Request [RFC4005]. 655 What is said about Access-Accept applies in Diameter to AA-Answer 656 messages that indicate success. 658 8. Table of Attributes 660 The following table provides a guide to which attributes may be found 661 in which kinds of packets, and in what quantity. 
   Access Messages

   Request Accept Reject Challenge  #      Attribute
   ---------------------------------------------------------------------
   0-1     0-1    0      0          TBA-2  Framed-Management-Protocol
   0-1     0-1    0      0          TBA-3  Management-Transport-Protection
   0       0-1    0      0          TBA-4  Management-Policy-Id
   0       0-1    0      0          TBA-5  Management-Privilege-Level

   Accounting Messages

   Request Response  #      Attribute
   ---------------------------------------------------------------------
   0-1     0         TBA-2  Framed-Management-Protocol
   0-1     0         TBA-3  Management-Transport-Protection
   0-1     0         TBA-4  Management-Policy-Id
   0-1     0         TBA-5  Management-Privilege-Level

   Change-of-Authorization Messages

   Request ACK  NAK  #      Attribute
   ---------------------------------------------------------------------
   0-1     0    0    TBA-2  Framed-Management-Protocol (Note 1)
   0-1     0    0    TBA-3  Management-Transport-Protection (Note 1)
   0-1     0    0    TBA-4  Management-Policy-Id (Note 2)
   0-1     0    0    TBA-5  Management-Privilege-Level (Note 2)

   Disconnect Messages

   Request ACK  NAK  #      Attribute
   ---------------------------------------------------------------------
   0-1     0    0    TBA-2  Framed-Management-Protocol (Note 1)
   0-1     0    0    TBA-3  Management-Transport-Protection (Note 1)
   0       0    0    TBA-4  Management-Policy-Id
   0       0    0    TBA-5  Management-Privilege-Level

   (Note 1) Where NAS or session identification attributes are included
   in Disconnect-Request or CoA-Request packets, they are used for
   identification purposes only.  These attributes MUST NOT be used for
   purposes other than identification (e.g., within CoA-Request packets
   to request authorization changes).

   (Note 2) When included within a CoA-Request, these attributes
   represent an authorization change request.  When one of these
   attributes is omitted from a CoA-Request, the NAS assumes that the
   attribute value is to remain unchanged.  Attributes included in a
   CoA-Request replace all existing values of the same attribute(s).
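
   The occurrence rules in the table above, together with the example
   attribute sets listed before Section 7 (items 5 to 9), can be checked
   mechanically.  What follows is an added example in Python, not code
   from the draft or from any RADIUS implementation: it encodes the
   Table of Attributes and its legend as data, checks a candidate
   attribute list against them, and separates the identification
   attributes of a CoA-Request (Note 1) from the authorization changes
   it carries (Note 2).  Because the draft leaves the new attribute
   numbers as TBA-n placeholders, the example uses those placeholder
   strings as attribute identifiers; existing attributes carry their
   assigned numbers.

```python
from collections import Counter

# Attribute identifiers.  Existing RADIUS attributes carry their assigned
# numbers; the new attributes keep the draft's TBA-n placeholders because
# the draft assigns no numbers yet (assumption made for this example only).
SERVICE_TYPE = 6
NAS_PORT_TYPE = 61
FRAMED_MGMT_PROTOCOL = "TBA-2"
MGMT_TRANSPORT_PROTECTION = "TBA-3"
MGMT_POLICY_ID = "TBA-4"
MGMT_PRIVILEGE_LEVEL = "TBA-5"
NEW_ATTRIBUTES = (FRAMED_MGMT_PROTOCOL, MGMT_TRANSPORT_PROTECTION,
                  MGMT_POLICY_ID, MGMT_PRIVILEGE_LEVEL)

# Enumerated values used by the draft's examples.
NAS_PROMPT, FRAMED_MANAGEMENT = 7, "TBA-1"   # Service-Type
VIRTUAL = 5                                  # NAS-Port-Type
SNMP, WEB_BASED = 1, 2                       # Framed-Management-Protocol
INTEGRITY_CONFIDENTIALITY_PROTECTION = 3     # Management-Transport-Protection


def _row(tba2, tba3, tba4, tba5):
    """One row of the Table of Attributes: occurrence code per attribute."""
    return dict(zip(NEW_ATTRIBUTES, (tba2, tba3, tba4, tba5)))


ABSENT = _row("0", "0", "0", "0")

# Table of Attributes, keyed by message type.
RULES = {
    "Access-Request":      _row("0-1", "0-1", "0", "0"),
    "Access-Accept":       _row("0-1", "0-1", "0-1", "0-1"),
    "Access-Reject":       ABSENT,
    "Access-Challenge":    ABSENT,
    "Accounting-Request":  _row("0-1", "0-1", "0-1", "0-1"),
    "Accounting-Response": ABSENT,
    "CoA-Request":         _row("0-1", "0-1", "0-1", "0-1"),
    "CoA-ACK":             ABSENT,
    "CoA-NAK":             ABSENT,
    "Disconnect-Request":  _row("0-1", "0-1", "0", "0"),
    "Disconnect-ACK":      ABSENT,
    "Disconnect-NAK":      ABSENT,
}

# Legend: occurrence code -> (minimum, maximum); None means no upper bound.
LEGEND = {"0": (0, 0), "0+": (0, None), "0-1": (0, 1), "1": (1, 1)}


def check(message, attrs):
    """Return the rule violations for an attribute list in a given message.

    attrs is a list of (attribute, value) pairs in wire order.  Only the
    attributes defined by the draft are checked; anything else is ignored.
    """
    counts = Counter(attr for attr, _ in attrs)
    violations = []
    for attr, code in RULES[message].items():
        lo, hi = LEGEND[code]
        n = counts[attr]
        if n < lo:
            violations.append(f"{attr}: required in {message} but absent")
        elif hi is not None and n > hi:
            violations.append(f"{attr}: {n} instances in {message}, at most {hi} allowed")
    return violations


def split_coa_request(attrs):
    """Apply Notes 1 and 2 to a CoA-Request: return (identification, changes).

    Framed-Management-Protocol and Management-Transport-Protection only
    identify the session (Note 1); Management-Policy-Id and
    Management-Privilege-Level are the requested changes, each replacing
    the existing value (Note 2).
    """
    identification, changes = {}, {}
    for attr, value in attrs:
        if attr in (FRAMED_MGMT_PROTOCOL, MGMT_TRANSPORT_PROTECTION):
            identification[attr] = value
        elif attr in (MGMT_POLICY_ID, MGMT_PRIVILEGE_LEVEL):
            changes[attr] = value
    return identification, changes


# The draft's example attribute sets 5 to 9, as Access-Accept contents.
EXAMPLES = {
    5: [(SERVICE_TYPE, NAS_PROMPT), (NAS_PORT_TYPE, VIRTUAL),
        (MGMT_TRANSPORT_PROTECTION, INTEGRITY_CONFIDENTIALITY_PROTECTION),
        (MGMT_PRIVILEGE_LEVEL, 15)],
    6: [(SERVICE_TYPE, FRAMED_MANAGEMENT), (NAS_PORT_TYPE, VIRTUAL),
        (FRAMED_MGMT_PROTOCOL, SNMP),
        (MGMT_POLICY_ID, "SNMP Network Administrator View")],
    7: [(SERVICE_TYPE, FRAMED_MANAGEMENT), (NAS_PORT_TYPE, VIRTUAL),
        (FRAMED_MGMT_PROTOCOL, SNMP),
        (MGMT_TRANSPORT_PROTECTION, INTEGRITY_CONFIDENTIALITY_PROTECTION)],
    8: [(SERVICE_TYPE, FRAMED_MANAGEMENT), (NAS_PORT_TYPE, VIRTUAL),
        (FRAMED_MGMT_PROTOCOL, WEB_BASED)],
    9: [(SERVICE_TYPE, FRAMED_MANAGEMENT), (NAS_PORT_TYPE, VIRTUAL),
        (FRAMED_MGMT_PROTOCOL, WEB_BASED),
        (MGMT_TRANSPORT_PROTECTION, INTEGRITY_CONFIDENTIALITY_PROTECTION),
        (MGMT_POLICY_ID, "Read-only web access")],
}


def examples_conform():
    """True when every example attribute set is valid in an Access-Accept."""
    return all(check("Access-Accept", a) == [] for a in EXAMPLES.values())
```

   Running check("Access-Request", EXAMPLES[9]) reports the
   Management-Policy-Id as not permitted, which is the practical point of
   the table: policy and privilege attributes travel only from server to
   NAS, never in a request, and a NAS that accepts them in a request
   would be letting the client assert its own authorization.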

   The following table defines the meaning of the above table entries.

   0     This attribute MUST NOT be present in a packet.
   0+    Zero or more instances of this attribute MAY be present in
         a packet.
   0-1   Zero or one instance of this attribute MAY be present in
         a packet.
   1     Exactly one instance of this attribute MUST be present in
         a packet.

9.  IANA Considerations

   Note to RFC Editor: Remove the following paragraphs upon publication
   of this document as an RFC.

   This document contains placeholders ("TBA-n") for assigned numbers
   within the RADIUS Attributes Types registry
   (http://www.iana.org/assignments/radius-types), to be assigned by
   IANA at the time this document is published as an RFC.

   o  New enumerated value for the existing Service-Type Attribute:

      *  Framed-Management (TBA-1)

   o  New RADIUS Attribute Types:

      *  Framed-Management-Protocol (TBA-2)
      *  Management-Transport-Protection (TBA-3)
      *  Management-Policy-Id (TBA-4)
      *  Management-Privilege-Level (TBA-5)

   The enumerated values of the newly assigned RADIUS Attribute Types as
   defined in this document are to be assigned at the same time as the
   new Attribute Types.

   For the Framed-Management-Protocol Attribute:

      1  SNMP
      2  Web-based
      3  NETCONF
      4  FTP
      5  TFTP
      6  SFTP
      7  RCP
      8  SCP

   For the Management-Transport-Protection Attribute:

      1  No-Protection
      2  Integrity-Protection
      3  Integrity-Confidentiality-Protection

   Note to RFC Editor: Retain the following paragraph upon publication
   of this document as an RFC.

   Assignments of additional enumerated values for the RADIUS attributes
   defined in this document are to be processed as described in
   [RFC3575], subject to the additional requirement of a published
   specification.

10.  Security Considerations

10.1.  General Considerations

   This specification describes the use of RADIUS and Diameter for
   purposes of authentication, authorization and accounting for
   management access to devices within networks.  RADIUS threats and
   security issues for this application are described in [RFC3579] and
   [RFC3580]; security issues encountered in roaming are described in
   [RFC2607].  For Diameter, the security issues relating to this
   application are described in [RFC4005] and [RFC4072].

   This document specifies new attributes that can be included in
   existing RADIUS packets, which may be protected as described in
   [RFC3579] and [RFC5176].  In Diameter, the attributes are protected
   as specified in [RFC3588].  See those documents for a more detailed
   description.

   The security mechanisms supported in RADIUS and Diameter are focused
   on preventing an attacker from spoofing packets or modifying packets
   in transit.  They do not prevent an authorized RADIUS/Diameter server
   or proxy from inserting attributes with malicious intent.

   A legacy NAS may not recognize the attributes in this document that
   supplement the provisioning of CLI management access.  If the value
   of the Service-Type Attribute is NAS-Prompt or Administrative, the
   legacy NAS may silently discard such attributes, while permitting the
   user to access the CLI management interface(s) of the NAS.  This can
   lead to users being granted management access to the NAS that was
   not intended, or greater access rights than were intended.  RADIUS
   servers SHOULD attempt to ascertain whether or not the NAS supports
   these attributes before sending them in an Access-Accept provisioning
   CLI access.

   It is possible that certain NAS implementations may not be able to
   determine the protection properties of the underlying transport
   protocol as specified by the Management-Transport-Protection
   Attribute.  This may be a limitation of the standard application
   programming interface of the underlying transport implementation or
   of the integration of the transport into the NAS implementation.  In
   either event, NASes conforming to this specification which cannot
   determine the protection state of the remote management connection
   MUST treat an Access-Accept message containing a
   Management-Transport-Protection Attribute with a value other than
   No-Protection (1) as if it were an Access-Reject message, unless
   specifically overridden by local policy configuration.

10.2.  RADIUS Proxy Operation Considerations

   The device management access authorization attributes presented in
   this document present certain considerations when used in RADIUS
   proxy environments.  These considerations are not different from
   those that exist in RFC 2865 [RFC2865] with respect to the
   Service-Type Attribute values of Administrative and NAS-Prompt.

   Most RADIUS proxy environments are also multi-party environments.  In
   multi-party proxy environments it is important to distinguish which
   entities have the authority to provision management access to the
   edge devices, i.e., NASes, and which entities only have authority to
   provision network access services of various sorts.

   It may be important that operators of the NAS are able to ensure that
   access to the CLI, or other management interfaces of the NAS, is only
   provisioned to their own employees or contractors.  One way for the
   NAS to enforce this requirement is to use only local, non-proxy
   RADIUS servers for management access requests.  Proxy RADIUS servers
   could be used for non-management access requests, based on local
   policy.  This "bifurcation" of RADIUS authentication and
   authorization is a simple case of separate administrative realms.
   The NAS may be designed so as to maintain separate lists of RADIUS
   servers for management AAA use and for non-management AAA use.

   An alternate method of enforcing this requirement would be for the
   first-hop RADIUS proxy server, operated by the owner of the NAS, to
   filter out any RADIUS attributes that provision management access
   rights that originate from "up-stream" proxy servers not operated by
   the NAS owner.  Access-Accept messages that provision such locally
   un-authorized management access MAY be treated as if they were an
   Access-Reject by the first-hop proxy server.

   These issues are not of concern when all the RADIUS servers, local
   and proxy, used by the NAS are under the sole administrative control
   of the NAS owner.

11.  Acknowledgments

   Many thanks to all reviewers, including Bernard Aboba, Alan DeKok,
   David Harrington, Mauricio Sanchez, Juergen Schoenwaelder, Barney
   Wolff and Glen Zorn.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

12.2.  Informative References

   [HTML]     Raggett, D., Le Hors, A., and I. Jacobs, "The HTML 4.01
              Specification, W3C", December 1999.

   [RFC0959]  Postel, J. and J. Reynolds, "File Transfer Protocol",
              STD 9, RFC 959, October 1985.

   [RFC1350]  Sollins, K., "The TFTP Protocol (Revision 2)", STD 33,
              RFC 1350, July 1992.

   [RFC2607]  Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
              Implementation in Roaming", RFC 2607, June 1999.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412,
              December 2002.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62,
              RFC 3413, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415,
              December 2002.

   [RFC3416]  Presuhn, R., "Version 2 of the Protocol Operations for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3416, December 2002.

   [RFC3417]  Presuhn, R., "Transport Mappings for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3417,
              December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.

   [RFC3575]  Aboba, B., "IANA Considerations for RADIUS (Remote
              Authentication Dial In User Service)", RFC 3575,
              July 2003.

   [RFC3579]  Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
              Dial In User Service) Support For Extensible
              Authentication Protocol (EAP)", RFC 3579, September 2003.

   [RFC3580]  Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
              "IEEE 802.1X Remote Authentication Dial In User Service
              (RADIUS) Usage Guidelines", RFC 3580, September 2003.

   [RFC3588]  Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
              Arkko, "Diameter Base Protocol", RFC 3588, September 2003.

   [RFC4005]  Calhoun, P., Zorn, G., Spence, D., and D. Mitton,
              "Diameter Network Access Server Application", RFC 4005,
              August 2005.

   [RFC4072]  Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
              Authentication Protocol (EAP) Application", RFC 4072,
              August 2005.

   [RFC4741]  Enns, R., "NETCONF Configuration Protocol", RFC 4741,
              December 2006.

   [RFC4742]  Wasserman, M. and T. Goddard, "Using the NETCONF
              Configuration Protocol over Secure SHell (SSH)", RFC 4742,
              December 2006.

   [RFC4743]  Goddard, T., "Using NETCONF over the Simple Object Access
              Protocol (SOAP)", RFC 4743, December 2006.

   [RFC4744]  Lear, E. and K. Crozier, "Using the NETCONF Protocol over
              the Blocks Extensible Exchange Protocol (BEEP)", RFC 4744,
              December 2006.

   [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 5176,
              January 2008.

   [SFTP]     Galbraith, J. and O. Saarenmaa, "SSH File Transfer
              Protocol", July 2006.

   [SSH]      Barrett, D., Silverman, R., and R. Byrnes, "SSH, the
              Secure Shell: The Definitive Guide, Second Edition,
              O'Reilly and Associates", May 2005.

Authors' Addresses

   David B. Nelson
   Elbrys Networks, Inc.
   75 Rochester Avenue, Unit 3
   Portsmouth, NH 03801
   USA

   Email: d.b.nelson@comcast.net

   Greg Weber
   Individual Contributor
   Knoxville, TN 37932
   USA

   Email: gdweber@gmail.com

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.
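
   The two enforcement points described in the Security Considerations
   above, Section 10.1 (a NAS that cannot learn the protection state of
   its management transport treats an Access-Accept that requires
   protection as an Access-Reject, unless local policy overrides) and
   Section 10.2 (a first-hop proxy run by the NAS owner filters
   management-provisioning attributes that arrive from "up-stream"
   proxies it does not control), as an added Python example appended
   here; it is not part of the draft and not code from any RADIUS
   implementation.  The new attributes are identified by the draft's
   TBA-n placeholders, the realm names are constructed, and reading
   Management-Transport-Protection as a minimum required level with its
   values ordered 1 < 2 < 3 is an assumption of the example.

```python
# Attribute identifiers: existing RADIUS attributes by number, the new ones
# by the draft's TBA-n placeholders (assumption for this example only).
SERVICE_TYPE = 6
FRAMED_MGMT_PROTOCOL = "TBA-2"
MGMT_TRANSPORT_PROTECTION = "TBA-3"
MGMT_POLICY_ID = "TBA-4"
MGMT_PRIVILEGE_LEVEL = "TBA-5"
MANAGEMENT_ATTRIBUTES = {FRAMED_MGMT_PROTOCOL, MGMT_TRANSPORT_PROTECTION,
                         MGMT_POLICY_ID, MGMT_PRIVILEGE_LEVEL}

# Service-Type values that provision management rather than network access.
ADMINISTRATIVE, NAS_PROMPT, FRAMED_MANAGEMENT = 6, 7, "TBA-1"
FRAMED = 2                       # ordinary network access, for contrast
MANAGEMENT_SERVICE_TYPES = {ADMINISTRATIVE, NAS_PROMPT, FRAMED_MANAGEMENT}

# Management-Transport-Protection values, weakest to strongest (the
# ordering is this example's assumption).
NO_PROTECTION = 1
INTEGRITY_PROTECTION = 2
INTEGRITY_CONFIDENTIALITY_PROTECTION = 3
UNKNOWN = None                   # NAS cannot learn the transport's state


def nas_accepts(accept_attrs, observed_protection, local_policy_override=False):
    """NAS-side decision for an Access-Accept provisioning management access.

    observed_protection is the protection the NAS knows its transport
    provides, or UNKNOWN when the transport API cannot report it.
    Returns (accepted, reason).
    """
    required = None
    for attr, value in accept_attrs:
        if attr == MGMT_TRANSPORT_PROTECTION:
            required = value
    if required is None or required == NO_PROTECTION:
        return True, "no transport protection required"
    if observed_protection is UNKNOWN:
        if local_policy_override:
            return True, "protection state unknown; accepted by local policy"
        # Section 10.1: without an override, treat as an Access-Reject.
        return False, "protection state unknown; treated as Access-Reject"
    if observed_protection >= required:
        return True, "transport meets the required protection level"
    return False, "transport protection below the required level"


def is_management_provisioning(attr, value):
    """True for an attribute/value pair that provisions management access."""
    return attr in MANAGEMENT_ATTRIBUTES or (
        attr == SERVICE_TYPE and value in MANAGEMENT_SERVICE_TYPES)


def first_hop_filter(accept_attrs, origin_realm, owner_realms,
                     reject_unauthorized=True):
    """First-hop proxy operated by the NAS owner (Section 10.2).

    Management-provisioning attributes are honoured only when the
    Access-Accept originates from a realm under the NAS owner's control.
    Otherwise the proxy either turns the answer into a reject
    (reject_unauthorized=True) or strips the offending attributes.
    Returns (forward_as_accept, attributes_to_forward).
    """
    if origin_realm in owner_realms:
        return True, list(accept_attrs)
    offending = [(a, v) for a, v in accept_attrs
                 if is_management_provisioning(a, v)]
    if not offending:
        return True, list(accept_attrs)
    if reject_unauthorized:
        return False, []
    return True, [(a, v) for a, v in accept_attrs if (a, v) not in offending]
```

   The proxy filter keys on the Service-Type values Administrative and
   NAS-Prompt as well as on the new attributes, because Section 10.2
   notes that the same concern already exists for those two values in
   RFC 2865; stripping only the new attributes would still let an
   up-stream realm provision a CLI session.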