idnits 2.17.1 draft-ietf-radext-tcp-transport-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list. == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (1 March 2009) is 5535 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-09) exists of draft-ietf-radext-status-server-03 == Outdated reference: A later version (-12) exists of draft-ietf-radext-radsec-03 Summary: 1 error (**), 0 flaws (~~), 5 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. DeKok 3 INTERNET-DRAFT FreeRADIUS 4 Category: Proposed Standard 5 6 Expires: September 1, 2009 7 1 March 2009 9 RADIUS Over TCP 10 draft-ietf-radext-tcp-transport-03 12 This Internet-Draft is submitted to IETF in full conformance with the 13 provisions of BCP 78 and BCP 79. This document may contain material 14 from IETF Documents or IETF Contributions published or made publicly 15 available before November 10, 2008. The person(s) controlling the 16 copyright in some of this material may not have granted the IETF 17 Trust the right to allow modifications of such material outside the 18 IETF Standards Process. Without obtaining an adequate license from 19 the person(s) controlling the copyright in such materials, this 20 document may not be modified outside the IETF Standards Process, and 21 derivative works of it may not be created outside the IETF Standards 22 Process, except to format it for publication as an RFC or to 23 translate it into languages other than English. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF), its areas, and its working groups. Note that 27 other groups may also distribute working documents as Internet- 28 Drafts. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 The list of current Internet-Drafts can be accessed at 36 http://www.ietf.org/ietf/1id-abstracts.txt. 38 The list of Internet-Draft Shadow Directories can be accessed at 39 http://www.ietf.org/shadow.html. 41 This Internet-Draft will expire on September 1, 2009. 43 Copyright Notice 45 Copyright (c) 2009 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents in effect on the date of 50 publication of this document (http://trustee.ietf.org/license-info). 51 Please review these documents carefully, as they describe your rights 52 and restrictions with respect to this document. 54 Abstract 56 The Remote Authentication Dial In User Server (RADIUS) Protocol has 57 traditionally used the User Datagram Protocol (UDP) as it's 58 underlying transport layer. This document defines RADIUS over the 59 Transmission Control Protocol (TCP). 61 Table of Contents 63 1. Introduction ............................................. 4 64 1.1. Applicability of Reliable Transport ................. 4 65 1.2. Terminology ......................................... 6 66 1.3. Requirements Language ............................... 6 67 2. Changes to RADIUS ........................................ 6 68 2.1. Packet Format ....................................... 7 69 2.2. Assigned Ports for RADIUS Over TCP .................. 7 70 2.3. Management Information Base (MIB) ................... 7 71 2.4. Interaction with RadSec ............................. 8 72 2.5. RADIUS Proxies ...................................... 8 73 2.6. TCP Specific Issues ................................. 10 74 2.6.1. Duplicates and Retransmissions ................. 10 75 2.6.2. Shared Secrets ................................. 11 76 2.6.3. Malformed Packets and Unknown Clients .......... 12 77 2.6.4. Limitations of the ID Field .................... 12 78 2.6.5. EAP Sessions ................................... 13 79 2.6.6. TCP Applications are not UDP Applications ...... 13 80 3. Diameter Considerations .................................. 14 81 4. IANA Considerations ...................................... 14 82 5. Security Considerations .................................. 14 83 6. References ............................................... 14 84 6.1. Normative References ................................ 14 85 6.2. Informative References .............................. 15 87 1. Introduction 89 The RADIUS Protocol has been defined in [RFC2865] as using the User 90 Datagram Protocol (UDP) for the underlying transport layer. While 91 there are a number of benefits to using UDP as outlined in [RFC2865] 92 Section 2.4, there are also some limitations: 94 * Unreliable transport. As a result, systems using RADIUS have to 95 implement application-layer timers and re-transmissions, as 96 described in [RFC5080] Section 2.2.1. 98 * Packet fragmentation. [RFC2865] Section 3 permits RADIUS 99 packets up to 4096 octets in length. These packets are larger 100 than the default Internet MTU (576), resulting in fragmentation of 101 the packets at the IP layer. Transport of fragmented UDP packets 102 appears to be a poorly tested code path on network devices. Some 103 devices appear to be incapable of transporting fragmented UDP 104 packets, making it difficult to deploy RADIUS in a network where 105 those devices are deployed. 107 * Connectionless transport. Neither clients nor servers can 108 reliably detect when the other is down. This information has to 109 be deduced instead from the absence of a reply to a request. 111 As RADIUS is widely deployed, and has been widely deployed for well 112 over a decade, these issues are relatively minor. However, new 113 systems may be interested in choosing a different set of trade-offs 114 than those outlined in [RFC2865] Section 2.4. For those systems, we 115 define RADIUS over TCP. 117 1.1. Applicability of Reliable Transport 119 The intent of this document is to address transport issues related to 120 RadSec [RADSEC]. The use of "bare" TCP transport is NOT RECOMMENDED, 121 as there has been little implementational or operational experience 122 with it. Additionally, [RFC2865] Section 2.4 contains a list of 123 reasons why UDP was originally chosen as the transport protocol for 124 RADIUS. UDP SHOULD be used as transport protocol in all cases where 125 the rationale given in [RFC2865] Section 2.4 applies. 127 There are a number of benefits to using a reliable transport. For 128 example, when RADIUS is used to carry EAP conversions [RFC3579], the 129 EAP exchanges may involve 5 round trips at the RADIUS application 130 layer. We may assume a probability P of packet loss in each 131 direction (with P having a value of 1% or less). Any one 132 authentication attempt will then have at least one lost packet, with 133 a probability of approximately (10 * P). 135 These lost packets require the supplicant and/or the NAS to re- 136 transmit packets at the application layer. The difficulty with this 137 approach is that retransmission implementations have historically 138 been poor. Some implementations retransmit packets, others do not, 139 and others send new packets rather then performing retransmission. 140 Some implementations are incapable of detecting EAP retransmissions, 141 and will instead treat the retransmitted packet as an error. 143 These retransmissions have a high likelihood of causing the entire 144 authentication session to fail. For a system with a million logins a 145 day, and having a packet loss probability of P=0.01%, we expect that 146 0.1% of connections will experience a lost packet. That is, 1,000 147 user sessions each day will experience authentication failure. 149 In addition, transport of fragmented UDP packets is a poorly tested 150 code path on network devices. Some devices appear to be incapable of 151 transporting fragmented UDP packets, meaning that the packet loss 152 rate for fragmented packets approaches 100 percent. The net effect 153 can be to prevent the deployment of authentication methods such as 154 EAP-TLS that require large RADIUS packets. 156 Using a reliable transport method such as TCP means that RADIUS 157 implementations can remove all application-layer retransmissions, and 158 instead rely on the Operating System (OS) kernel's well-tested TCP 159 transport to ensure reliable delivery. In addition, most TCP 160 implementations discover Path MTU better than RADIUS application 161 implementations, resulting in significantly fewer fragmented packets. 162 Modern TCP implementations also implement anti-spoofing provisions, 163 which is more difficult to do in UDP applications. 165 Transporting RADIUS over TCP means that the RADIUS applications can 166 leverage these additional protections offered by TCP. 168 However, there are also some drawbacks to using TCP. RADIUS over TCP 169 has some drawbacks, as noted in [RFC2865] Section 2.4. [RFC3539] 170 Section 2 discusses further issues with using TCP as a transport for 171 Authentication, Authorization, and/or Accounting (AAA) protocols such 172 as RADIUS. 174 Specifically, as noted in [RFC3539] Section 2.1, for systems 175 originating low numbers of RADIUS request packets, inter-packet 176 spacing is often larger than the packet RTT. In those situations, 177 RADIUS over TCP SHOULD NOT be used. 179 In general, RADIUS clients generating small amounts of RADIUS traffic 180 SHOULD NOT use TCP. This suggestion will usually apply to most 181 NASes, and to most clients that originate CoA-Request and Disconnect- 182 Request packets. 184 RADIUS over TCP is most applicable to RADIUS proxies that exchange a 185 large volume of packets with RADIUS clients and servers (10's to 186 1000's of packets per second). In those situations, RADIUS over TCP 187 may be a good fit, and may result in increased network stability and 188 performance. 190 1.2. Terminology 192 This document uses the following terms: 194 RADIUS client 195 A device that provides an access service for a user to a network. 196 Also referred to as a Network Access Server, or NAS. 198 RADIUS server 199 A RADIUS authentication, authorization, and/or accounting (AAA) 200 server is an entity that provides one or more AAA services to a 201 NAS. 203 RADIUS proxy 204 A RADIUS proxy acts as a RADIUS server to the NAS, and a RADIUS 205 client to the RADIUS server. 207 RADIUS request packet 208 A packet originated by a RADIUS client to a RADIUS server. e.g. 209 Access-Request, Accounting-Request, CoA-Request, or Disconnect- 210 Request. 212 RADIUS response packet 213 A packet sent by a RADIUS server to a RADIUS client, in response to 214 a RADIUS request packet. e.g. Access-Accept, Access-Reject, 215 Access-Challenge, Accounting-Response, CoA-ACK, etc. 217 1.3. Requirements Language 219 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 220 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 221 document are to be interpreted as described in [RFC2119]. 223 2. Changes to RADIUS 225 Adding TCP as a RADIUS transport has a number of impacts on the 226 protocol, on applications using the protocol, and on networks that 227 deploy the protocol. In short, RADIUS over TCP is little more than 228 sending RADIUS formatted messages over a TCP connection. 230 As always, there are additional details that need to be discussed. 231 This section outlines the various impacts of using RADIUS over TCP, 232 and the discusses the proposal in more detail. 234 2.1. Packet Format 236 The RADIUS packet format is unchanged from [RFC2865], [RFC2866], and 237 [RFC5176]. Specifically, all of the following portions of RADIUS 238 MUST be unchanged when using RADIUS over TCP: 240 * Packet format 241 * Permitted codes 242 * Request Authenticator calculation 243 * Response Authenticator calculation 244 * Minimum packet length 245 * Maximum packet length 246 * Attribute format 247 * Vendor-Specific Attribute (VSA) format 248 * Permitted data types 249 * Calculations of dynamic attributes such as CHAP-Challenge, 250 or Message-Authenticator. 251 * Calculation of "encrypted" attributes such as Tunnel-Password. 253 The changes to RADIUS implementations required to implement this 254 specification are largely limited to the portions that send and 255 receive packets on the network. 257 2.2. Assigned Ports for RADIUS Over TCP 259 IANA has already assigned TCP ports for RADIUS transport, as outlined 260 below: 262 * radius 1812/tcp 263 * radius-acct 1813/tcp 264 * radius-dynauth 3799/tcp 266 These ports are unused by existing RADIUS applications. 267 Implementations SHOULD use the assigned values as the default ports 268 for RADIUS over TCP. 270 The early deployment of RADIUS was done using UDP port number 1645, 271 which conflicts with the "datametrics" service. Implementations 272 using RADIUS over TCP MUST NOT use TCP ports 1645 or 1646 as the 273 default ports for this specification. 275 2.3. Management Information Base (MIB) 277 The MIB Module definitions in [RFC4668], [RFC4669], [RFC4670], 278 [RFC4671], [RFC4672], and [RFC4673] each contain only one reference 279 to UDP. These references are in the DESCRIPTION field of the MIB 280 Module definition, and are in the form of "The UDP port" or "the UDP 281 destination port". 283 Implementations of RADIUS over TCP SHOULD re-use these MIB Modules to 284 perform statistics counting for RADIUS over TCP connections. 285 However, implementors are warned that there is no way for these MIB 286 Modules to distinguish between packets sent over UDP or over TCP 287 transport. Similarly, there is no requirement in RADIUS that the 288 RADIUS services offered over UDP on a particular IP address and port 289 are identical to the RADIUS services offered over TCP on a particular 290 IP address and the same (numerical) port. 292 Implementations of RADIUS over TCP SHOULD include the protocol (UDP) 293 or (TCP) in the radiusAuthServIdent, radiusAuthClientID, 294 radiusAuthClientIdentifier, radiusAccServIdent, radiusAccClientID, or 295 radiusAccClientIdentifier fields of the MIB Module. This information 296 can help the administrator distinguish capabilities of systems in the 297 network. 299 2.4. Interaction with RadSec 301 IANA has already assigned TCP ports for RadSec (i.e. RADIUS over TLS 302 over TCP), as outlined below: 304 * radsec 2083/tcp 306 This value SHOULD be used as the default port for RADIUS over TLS 307 (i.e. RadSec). The "radius" port (1812/tcp) SHOULD NOT be used for 308 RadSec. 310 2.5. RADIUS Proxies 312 As RADIUS is a "hop by hop" protocol, a RADIUS proxy effectively 313 shields the client from any information about downstream servers. 314 While the client may be able to deduce the operational state of the 315 local server (i.e. proxy), it cannot make any determination about the 316 operational state of the downstream servers. 318 If a request is proxied through intermediate proxies, it is not 319 possible to detect which of the later hops is responsible for the 320 absence of a reply. An intermediate proxy also cannot signal that 321 the outage lies in a later hop because RADIUS does not have the 322 ability to carry such signalling information. This issue is further 323 exacerbated by some proxy implementations that do not reply to a 324 client if they do not receive a reply to a proxied request. 326 When UDP was used as a transport protocol, the absence of a reply can 327 cause a client to deduce (incorrectly) that the proxy is unavailable. 329 The client could then fail over to another server, or conclude that 330 no "live" servers are available (OKAY state in [RFC3539] Appendix A). 331 This situation is made even worse when requests are sent through a 332 proxy to multiple destinations. Failures in one destination may 333 result in service outages for other destinations, if the client 334 erroneously believes that the proxy is unresponsive. 336 For RADIUS over TCP, the continued existence of the TCP connection 337 SHOULD be used to deduce that the service on the other end of the 338 connection is still responsive. Further, the application layer 339 watchdog defined in [RFC3539] Section 3.4 enables clients to 340 determine that the server is "live", even though it may not have 341 responded recently to other, non-watchdog requests. 343 RADIUS clients using RADIUS over TCP MUST NOT decide that a 344 connection is down until the application layer watchdog algorithm has 345 marked it DOWN ([RFC3539] Appendix A). RADIUS clients using RADIUS 346 over TCP MUST NOT decide that a RADIUS server is unresponsive until 347 all TCP connections to it have been marked DOWN. 349 Additional issues with RADIUS proxies involve transport protocol 350 changes where the proxy receives packets on one transport protocol, 351 and forwards them on a different transport protocol. There are 352 several situations in which the law of "conservation of packets" 353 could be violated on an end-to-end basis (e.g. where more packets 354 could enter the system than could leave it on a short-term basis): 356 * Where TCP is used between proxies, it is possible that the 357 bandwidth consumed by incoming UDP packets destined to a given 358 upstream server could exceed the sending rate of a single TCP 359 connection to that server, based on the window size/RTT estimate. 361 * It is possible for the incoming rate of TCP packets destined to 362 a given realm to exceed the UDP throughput achievable using the 363 transport guidelines established in [RFC5080]. This could happen, 364 for example, where the TCP window between proxies has opened, but 365 packet loss is being experienced on the UDP leg, so that the 366 effective congestion window on the UDP side is 1. 368 Intrinsically, proxy systems operate with multiple control loops 369 instead of one end-to-end loop, and so are less stable. This is true 370 even for TCP-TCP proxies. As discussed in [RFC3539], the only way to 371 achieve stability equivalent to a single TCP connection is to mimic 372 the end-to-end behavior of a single TCP connection. This typically 373 is not achievable with an application-layer RADIUS implementation, 374 regardless of transport. 376 2.6. TCP Specific Issues 378 The guidelines defined in [RFC3539] for implementing an AAA protocol 379 operating over a reliable transport MUST be followed by implementors 380 of this specification. 382 The Application Layer Watchdog defined in [RFC3539] Section 3.4 MUST 383 be used. The Status-Server packet [STATUS] MUST be used as the 384 application layer watchdog message. Implementations MUST reserve one 385 RADIUS ID per connection for the application layer watchdog message. 386 This restriction is described further below. 388 Implementations MUST NOT confuse UDP and TCP transport. That is, 389 RADIUS clients and servers MUST be treated as unique based on a key 390 of the three-tuple (IP address, port, transport protocol). 391 Implementations MUST be configurable to have different shared secrets 392 for UDP and TCP to the same destination IP address and numerical 393 port. 395 This requirement does not forbid the traditional practice of using 396 primary and secondary servers in a fail-over relationship. Instead, 397 it requires that two services sharing an IP address and numerical 398 port, but differing in transport protocol, MUST be treated as 399 independent services for the purpose of fail-over, load-balancing, 400 etc. 402 Whenever the underlying operating system permits the use of TCP 403 keepalive socket options, their use is RECOMMENDED. 405 2.6.1. Duplicates and Retransmissions 407 As TCP is a reliable transport, implementors of this specification 408 MUST NOT retransmit RADIUS request packets over the same TCP 409 connection. Similarly, if there is no response to a RADIUS packet 410 over one TCP connection, implementations MUST NOT retransmit that 411 packet over a different TCP connection to the same destination IP 412 address and port, while the first connection is in the OKAY state 413 ([RFC3539] Appendix A). 415 However, if the TCP connection is broken or closed, retransmissions 416 over new connections are permissible. RADIUS request packets that 417 have not yet received a response MAY be transmitted by a RADIUS 418 client over a new TCP connection. As this procedure involves using a 419 new source port, the ID of the packet MAY change. If the ID changes, 420 any security attributes such as Message-Authenticator MUST be 421 recalculated. 423 If a TCP connection is broken or closed, any cached RADIUS response 424 packets ([RFC5080] Section 2.2.2) associated with that connection 425 MUST be discarded. A RADIUS server SHOULD stop processing of any 426 requests associated with that TCP connection. No response to these 427 requests can be sent over the TCP connection, so any further 428 processing is pointless. This requirement applies not only to RADIUS 429 servers, but also to proxies. When a client's connection to a proxy 430 server is closed, there may be responses from a home server that were 431 supposed to be sent by the proxy back over that connection to the 432 client. Since the client connection is closed, those responses from 433 the home server to the proxy server SHOULD be silently discarded by 434 the proxy. 436 Despite the above discussion, RADIUS servers SHOULD still perform 437 duplicate detection on received packets, as described in [RFC5080] 438 Section 2.2.2. This detection can prevent duplicate processing of 439 packets from non-conformant clients. 441 As noted previously, RADIUS packets SHOULD NOT be re-transmitted to 442 the same destination IP and numerical port, but over a different 443 transport layer. There is no guarantee in RADIUS that the two ports 444 are in any way related. This requirement does not forbid the 445 practice of putting multiple servers into a fail-over or load-balance 446 pool. 448 Much of the discussion in this section can be summarized by the 449 following requirement. RADIUS requests MAY be re-transmitted 450 verbatim only if the following 5-tuple (Client IP address, Client 451 port, Transport Protocol, Server IP address, Server port) remains the 452 same. If any field of that 5-tuple changes, the packet MUST NOT be 453 considered to be a re-transmission. Instead, the packet MUST be 454 considered to be a new request, and be treated accordingly. This 455 involves updating header calculations, packet signatures, associated 456 timers and counters, etc. 458 The above requirement is necessary, but not sufficient in all cases. 459 Other specifications give additional situations where the packet is 460 to be considered as a new request. Those recommendations MUST also 461 be followed. 463 2.6.2. Shared Secrets 465 The use of shared secrets in calculating the Response Authenticator, 466 and other attributes such as User-Password or Message-Authenticator 467 [RFC3579] MUST be unchanged from previous specifications. 469 Clients and servers MUST be able to store and manage shared secrets 470 based on the key described above, of (IP address, port, transport 471 protocol). 473 2.6.3. Malformed Packets and Unknown Clients 475 The RADIUS specifications ([RFC2865], etc.) say that an 476 implementation should "silently discard" a packet in a number of 477 circumstances. This action has no further consequences for UDP 478 transport, as the "next" packet is completely independent of the 479 previous one. 481 When TCP is used as a transport, decoding the "next" packet on a 482 connection depends on the proper decoding of the previous packet. As 483 a result, the behavior with respect to discarded packets has to 484 change. 486 Implementations of this specification SHOULD treat the "silently 487 discard" texts referenced above as "silently discard and close the 488 connection." That is, the TCP connection MUST be closed if any of 489 the following circumstances are seen: 491 * Packet from an unknown client 492 * Packet where the RADIUS "length" field is less than the minimum 493 RADIUS packet length 494 * Packet where the RADIUS "length" field is more than the maximum 495 RADIUS packet length 496 * Packet that has an Attribute "length" field has value of zero 497 or one (0 or 1). 498 * Packet where the attributes do not exactly fill the packet 499 * Packet where the Request Authenticator fails validation 500 (where applicable). 501 * Packet where the Response Authenticator fails validation 502 (where applicable). 503 * Packet where the Message-Authenticator attribute fails 504 validation (where applicable). 506 TCP connections MAY be closed if any of the following circumstances 507 are seen. Alternatively, the TCP connection MAY remain open if any 508 of the following circumstances are seen, but the invalid packet MUST 509 BE silently discarded. 511 * Packet with an invalid code field 512 * Response packets that do not match any outstanding request 514 These requirements minimize the possibility for a misbehaving client 515 or server to wreak havoc on the network. 517 2.6.4. Limitations of the ID Field 519 The RADIUS ID field is one octet in size. As a result, any one TCP 520 connection can have only 256 "in flight" RADIUS packets at a time. 522 If more than 256 simultaneous "in flight" packets are required, 523 additional TCP connections will need to be opened. This limitation 524 is also noted in [RFC3539] Section 2.4. 526 An additional limit is the requirement to send a Status-Server packet 527 over the same TCP connection as is used for normal requests. As 528 noted in [STATUS], the response to a Status-Server packet is either 529 an Access-Accept or an Accounting-Response. If all IDs were 530 allocated to normal requests, then there would be no free Id to use 531 for the Status-Server packet, and it could not be sent over the 532 connection. 534 Implementations SHOULD reserve ID zero on each TCP connection for 535 Status-Server packets. This value was picked arbitrarily, as there 536 is no reason to choose any one value over another for this use. 538 Implementors may be tempted to extend RADIUS to permit more than 256 539 outstanding packets on one connection. However, doing so will likely 540 require fundamental changes to the RADIUS protocol, and as such, is 541 outside of the scope of this specification. 543 2.6.5. EAP Sessions 545 When RADIUS clients send EAP requests using RADIUS over TCP, they 546 SHOULD choose the same TCP connection for all packets related to one 547 EAP conversation. A simple method that may work in many situations 548 is to hash the contents of the Calling-Station-Id attribute, which 549 normally contains the MAC address. The output of that hash can be 550 used to select a particular TCP connection. 552 If this practice is used, then the client SHOULD also reserve one 553 RADIUS Id per TCP connection for a particular EAP session. 555 The retransmission requirements of Section 2.6.1, above, MUST be 556 applied to RADIUS encapsulated EAP packets. That is, EAP 557 retransmissions MUST NOT result in retransmissions of RADIUS packets 558 over a particular TCP connection. EAP retransmissions MAY result in 559 retransmission of RADIUS packets over a different TCP connection, but 560 only when the previous TCP connection is marked DOWN as per the 561 algorithm in [RFC3539] Appendix A. 563 2.6.6. TCP Applications are not UDP Applications 565 Implementors should be aware that programming a robust TCP 566 application can be very different from programming a robust UDP 567 application. We RECOMMEND that implementors of this specification 568 familiarize themselves with TCP application programming concepts. We 569 RECOMMEND also that existing TCP applications be examined with an eye 570 to robustness, performance, scalability, etc. 572 Clients and servers SHOULD implement configurable connection limits. 573 Clients and servers SHOULD implement configurable rate limiting on 574 new connections. Allowing an unbounded number or rate of TCP 575 connections may result in resource exhaustion. 577 Further discussion of implementation issues is outside of the scope 578 of this document. 580 3. Diameter Considerations 582 This document defines TCP as a transport layer for RADIUS. It 583 defines no new RADIUS attributes or codes. The only interaction with 584 Diameter is in a RADIUS to Diameter, or in a Diameter to RADIUS 585 gateway. The RADIUS side of such a gateway MAY implement RADIUS over 586 TCP, but this change has no effect on Diameter. 588 4. IANA Considerations 590 This document requires no action by IANA. 592 5. Security Considerations 594 As the RADIUS packet format, signing, and client verification are 595 unchanged from prior specifications, all of the security issues 596 outlined in previous specifications for RADIUS over UDP are also 597 applicable here. 599 As noted above, clients and servers SHOULD support configurable 600 connection limits. Allowing an unlimited number of connections may 601 result in resource exhaustion. 603 There are no (at this time) other known security issues for RADIUS 604 over TCP transport. 606 6. References 608 6.1. Normative References 610 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 611 Requirement Levels", BCP 14, RFC 2119, March 1997. 613 [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote 614 Authentication Dial In User Service (RADIUS)", RFC 2865, June 615 2000. 617 [RFC3539] Aboba, B. et al., "Authentication, Authorization and 618 Accounting (AAA) Transport Profile", RFC 3539, June 2003. 620 6.2. Informative References 622 [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. 624 [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial 625 In User Service) Support For Extensible Authentication 626 Protocol (EAP)", RFC 3579, September 2003. 628 [RFC4668] Nelson, D, "RADIUS Authentication Client MIB for IPv6", RFC 629 4668, August 2006. 631 [RFC4669] Nelson, D, "RADIUS Authentication Server MIB for IPv6", RFC 632 4669, August 2006. 634 [RFC4670] Nelson, D, "RADIUS Accounting Client MIB for IPv6", RFC 4670, 635 August 2006. 637 [RFC4671] Nelson, D, "RADIUS Accounting Server MIB for IPv6", RFC 4671, 638 August 2006. 640 [RFC4672] Nelson, D, "RADIUS Dynamic Authorization Client MIB", RFC 641 4672, August 2006. 643 [RFC4673] Nelson, D, "RADIUS Dynamic Authorization Server MIB", RFC 644 4673, August 2006. 646 [RFC5080] Nelson, D. and DeKok, A, "Common Remote Authentication Dial In 647 User Service (RADIUS) Implementation Issues and Suggested 648 Fixes", RFC 5080, December 2007. 650 [RFC5176] Chiba, M. et al., "Dynamic Authorization Extensions to Remote 651 Authentication Dial In User Service (RADIUS)", RFC 5176, 652 January 2008. 654 [STATUS] DeKok, A., "Use of Status-Server Packets in the Remote 655 Authentication Dial In User Service (RADIUS) Protocol", draft- 656 ietf-radext-status-server-03.txt, March 2009 (work in 657 progress). 659 [RADSEC] Winter, S. et. al., "TLS encryption for RADIUS over TCP 660 (RadSec)", draft-ietf-radext-radsec-03.txt, Februrary 2009 661 (work in progress). 663 Acknowledgments 664 None at this time. 666 Authors' Addresses 668 Alan DeKok 669 The FreeRADIUS Server Project 670 http://freeradius.org/ 672 Email: aland@freeradius.org 674 Open issues 676 Open issues relating to this document are tracked on the following 677 web site: 679 http://www.drizzle.com/~aboba/RADEXT/