idnits 2.17.1 draft-ietf-radext-tcp-transport-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RTLS]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list. -- The document date (27 April 2010) is 5111 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- == Outdated reference: A later version (-09) exists of draft-ietf-radext-status-server-07 == Outdated reference: A later version (-12) exists of draft-ietf-radext-radsec-06 Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. DeKok 3 INTERNET-DRAFT FreeRADIUS 4 Category: Experimental 5 6 Expires: November 27, 2010 7 27 April 2010 9 RADIUS Over TCP 10 draft-ietf-radext-tcp-transport-06 12 Status of this Memo 14 This Internet-Draft is submitted to IETF in full conformance with the 15 provisions of BCP 78 and BCP 79. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on November 27, 2010 35 Copyright Notice 37 Copyright (c) 2010 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info/) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Abstract 52 The Remote Authentication Dial In User Server (RADIUS) Protocol has 53 traditionally used the User Datagram Protocol (UDP) as its underlying 54 transport layer. This document defines RADIUS over the Transmission 55 Control Protocol (TCP), in order to address handling issues related 56 to RADIUS over Transport Layer Security [RTLS]. It is not intended 57 to define TCP as a transport protocol for RADIUS in the absence of 58 TLS. 60 Table of Contents 62 1. Introduction ............................................. 4 63 1.1. Applicability of Reliable Transport ................. 5 64 1.2. Terminology ......................................... 6 65 1.3. Requirements Language ............................... 7 66 2. Changes to RADIUS ........................................ 7 67 2.1. Packet Format ....................................... 7 68 2.2. Assigned Ports for RADIUS Over TCP .................. 8 69 2.3. Management Information Base (MIB) ................... 8 70 2.4. Detecting Live Servers .............................. 9 71 2.5. Congestion Control Issues ........................... 9 72 2.6. TCP Specific Issues ................................. 10 73 2.6.1. Duplicates and Retransmissions ................. 11 74 2.6.2. Head of Line Blocking .......................... 12 75 2.6.3. Shared Secrets ................................. 12 76 2.6.4. Malformed Packets and Unknown Clients .......... 12 77 2.6.5. Limitations of the ID Field .................... 13 78 2.6.6. EAP Sessions ................................... 14 79 2.6.7. TCP Applications are not UDP Applications ...... 14 80 3. Diameter Considerations .................................. 15 81 4. IANA Considerations ...................................... 15 82 5. Security Considerations .................................. 15 83 6. References ............................................... 15 84 6.1. Normative References ................................ 15 85 6.2. Informative References .............................. 15 87 1. Introduction 89 The RADIUS Protocol has been defined in [RFC2865] as using the User 90 Datagram Protocol (UDP) for the underlying transport layer. While 91 there are a number of benefits to using UDP as outlined in [RFC2865] 92 Section 2.4, there are also some limitations: 94 * Unreliable transport. As a result, systems using RADIUS have to 95 implement application-layer timers and re-transmissions, as 96 described in [RFC5080] Section 2.2.1. 98 * Packet fragmentation. [RFC2865] Section 3 permits RADIUS 99 packets up to 4096 octets in length. These packets are larger 100 than the common Internet MTU (576), resulting in fragmentation of 101 the packets at the IP layer when they are proxied over the 102 Internet. Transport of fragmented UDP packets appears to be a 103 poorly tested code path on network devices. Some devices appear 104 to be incapable of transporting fragmented UDP packets, making it 105 difficult to deploy RADIUS in a network where those devices are 106 deployed. 108 * Connectionless transport. Neither clients nor servers receive 109 positive statements that a "connection" is down. This information 110 has to be deduced instead from the absence of a reply to a 111 request. 113 As RADIUS is widely deployed, and has been widely deployed for well 114 over a decade, these issues have been minor in some use-cases, and 115 problematic in others. For use-cases such as inter-server proxying, 116 [RTLS] suggests an alternative transport and security model -- RADIUS 117 over TLS. That document describes the transport implications of 118 running RADIUS over TLS. 120 Since "bare" TCP does not provide for confidentiality or enable 121 negotiation of credible ciphersuites, its use is not appropriate for 122 inter-server communications where strong security is required. As a 123 result the use of "bare" TCP transport (i.e., without additional 124 confidentiality and security) is NOT RECOMMENDED, as there has been 125 little or no operational experience with it. 127 "Bare" TCP transport MAY, however, be used when another method such 128 as IPSec [RFC4301] is used to provide additional confidentiality and 129 security. Should experience show that such deployments are useful, 130 this specification could be moved to standards track. 132 1.1. Applicability of Reliable Transport 134 The intent of this document is to address transport issues related to 135 RADIUS over TLS [RTLS] in inter-server communications scenarios, such 136 as inter-domain communication between proxies. These situations 137 benefit from the confidentiality and ciphersuite negotiation that can 138 be provided by TLS. Since TLS is already widely available within the 139 operating systems used by proxies, implementation barriers are low. 141 In scenarios where RADIUS proxies exchange a large volume of packets 142 (10+ packets per second), it is likely that there will be sufficient 143 traffic to enable the congestion window to be widened beyond the 144 minimum value on a long-term basis, enabling ACK piggy-backing. 145 Through use of an application-layer watchdog as described in 146 [RFC3539], it is possible to address the objections to reliable 147 transport described in [RFC2865] Section 2.4 without substantial 148 watchdog traffic, since regular traffic is expected in both 149 directions. 151 In addition, use of RADIUS over TLS has been found to improve 152 operational performance when used with multi-round trip 153 authentication mechanisms such as RADIUS over EAP [RFC3579]. In such 154 exchanges, it is typical for EAP fragmentation to increase the number 155 of round-trips required. For example, where EAP-TLS authentication 156 [RFC5216] is attempted and both the EAP peer and server utilize 157 certificate chains of 8KB, as many as 15 round-trips can be required 158 if RADIUS packets are restricted to the common Ethernet MTU (1500 159 octets) for EAP over LAN (EAPoL) use-cases. Fragmentation of RADIUS 160 over UDP packets is generally inadvisable due to lack of 161 fragmentation support within intermediate devices such as filtering 162 routers, firewalls and NATs. However, since RADIUS over UDP 163 implementations typically do not support MTU discovery, fragmentation 164 can occur even when the maximum RADIUS over UDP packet size is 165 restricted to 1500 octets. 167 These problems disappear if a 4096 application-layer payload can be 168 used alongside RADIUS over TLS. Since most TCP implementations 169 support MTU discovery, the TCP MSS is automatically adjusted to 170 account for the MTU, and the larger congestion window supported by 171 TCP may allow multiple TCP segments to be sent within a single 172 window. 174 Where the MTU for EAP packets is large, RADIUS/EAP traffic required 175 for an EAP-TLS authentication with 8KB certificate chains may be 176 reduced to 7 round-trips or less, resulting in substantially reduced 177 authentication times. 179 In addition, experience indicates that EAP sessions transported over 180 RTLS are less likely to abort unsuccessfully. Historically, RADIUS 181 over UDP implementations have exhibited poor retransmission behavior. 182 Some implementations retransmit packets, others do not, and others 183 send new packets rather then performing retransmission. Some 184 implementations are incapable of detecting EAP retransmissions, and 185 will instead treat the retransmitted packet as an error. As a 186 result, within RADIUS over UDP implementations, retransmissions have 187 a high likeilhood of causing an EAP authentication session to fail. 188 For a system with a million logins a day running EAP-TLS mutual 189 authentication with 15 round-trips, and having a packet loss 190 probability of P=0.01%, we expect that 0.3% of connections will 191 experience at least one lost packet. That is, 3,000 user sessions 192 each day will experience authentication failure. This is an 193 unacceptable failure rate for a mass-market network service. 195 Using a reliable transport method such as TCP means that RADIUS 196 implementations can remove all application-layer retransmissions, and 197 instead rely on the Operating System (OS) kernel's well-tested TCP 198 transport to ensure Path MTU discovery and reliable delivery. Modern 199 TCP implementations also implement anti-spoofing provisions, which is 200 more difficult to do in a UDP application. 202 In contrast, use of TCP as a transport between a NAS and a RADIUS 203 server is usually a poor fit. As noted in [RFC3539] Section 2.1, for 204 systems originating low numbers of RADIUS request packets, inter- 205 packet spacing is often larger than the packet RTT, meaning that, the 206 congestion window will typically stay below the minimum value on a 207 long-term basis. The result is an increase in packets due to ACKs as 208 compared to UDP, without a corresponding set of benefits. In 209 addition, the lack of substantial traffic implies the need for 210 additional watchdog traffic to confirm reachability. 212 As a result, the objections to reliable transport indicated in 213 [RFC2865] Section 2.4 continue to apply to NAS-RADIUS server 214 communications and UDP SHOULD continue to be used as the transport 215 protocol in this scenario. In addition, it is recommended that 216 implementations of "RADIUS Dynamic AUthorization Extensions" 217 [RFC5176] SHOULD continue to utilize UDP transport, since the volume 218 of dynamic authorization traffic is usually expected to be small. 220 1.2. Terminology 222 This document uses the following terms: 224 RADIUS client 225 A device that provides an access service for a user to a network. 226 Also referred to as a Network Access Server, or NAS. 228 RADIUS server 229 A device that provides one or more of authentication, 230 authorization, and/or accounting (AAA) services to a NAS. 232 RADIUS proxy 233 A RADIUS proxy acts as a RADIUS server to the NAS, and a RADIUS 234 client to the RADIUS server. 236 RADIUS request packet 237 A packet originated by a RADIUS client to a RADIUS server. e.g. 238 Access-Request, Accounting-Request, CoA-Request, or Disconnect- 239 Request. 241 RADIUS response packet 242 A packet sent by a RADIUS server to a RADIUS client, in response to 243 a RADIUS request packet. e.g. Access-Accept, Access-Reject, 244 Access-Challenge, Accounting-Response, CoA-ACK, etc. 246 1.3. Requirements Language 248 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 249 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 250 document are to be interpreted as described in [RFC2119]. 252 2. Changes to RADIUS 254 RADIUS over TCP involves sending RADIUS application messages over a 255 TCP connection. In the sections that follow, we discuss the 256 implications for the RADIUS packet format (Section 2.1), port usage 257 (Section 2.2), RADIUS MIBs (Section 2.3) and RADIUS proxies (Section 258 2.5). TCP-specific issues are discussed in Section 2.6. 260 2.1. Packet Format 262 The RADIUS packet format is unchanged from [RFC2865], [RFC2866], and 263 [RFC5176]. Specifically, all of the following portions of RADIUS 264 MUST be unchanged when using RADIUS over TCP: 266 * Packet format 267 * Permitted codes 268 * Request Authenticator calculation 269 * Response Authenticator calculation 270 * Minimum packet length 271 * Maximum packet length 272 * Attribute format 273 * Vendor-Specific Attribute (VSA) format 274 * Permitted data types 275 * Calculations of dynamic attributes such as CHAP-Challenge, 276 or Message-Authenticator. 277 * Calculation of "encrypted" attributes such as Tunnel-Password. 279 The use of TLS transport does not change the calculation of security- 280 related fields (such as the Response-Authenticator) in RADIUS 281 [RFC2865] or RADIUS Dynamic Authorization [RFC5176]. Calculation of 282 attributes such as User-Password [RFC2865] or Message-Authenticator 283 [RFC3579] also does not change. 285 Clients and servers MUST be able to store and manage shared secrets 286 based on the key described above, of (IP address, port, transport 287 protocol). 289 The changes to RADIUS implementations required to implement this 290 specification are largely limited to the portions that send and 291 receive packets on the network. 293 2.2. Assigned Ports for RADIUS Over TCP 295 IANA has already assigned TCP ports for RADIUS and RTLS transport, as 296 outlined below: 298 * radius 1812/tcp 299 * radius-acct 1813/tcp 300 * radius-dynauth 3799/tcp 301 * radsec 2083/tcp 303 Since these ports are unused by existing RADIUS implementations, the 304 assigned values MUST be used as the default ports for RADIUS over 305 TCP. 307 The early deployment of RADIUS was done using UDP port number 1645, 308 which conflicts with the "datametrics" service. Implementations 309 using RADIUS over TCP MUST NOT use TCP ports 1645 or 1646 as the 310 default ports for this specification. 312 The "radsec" port (2083/tcp) SHOULD be used as the default port for 313 RTLS. The "radius" port (1812/tcp) SHOULD NOT be used for RTLS. 315 2.3. Management Information Base (MIB) 317 The MIB Module definitions in [RFC4668], [RFC4669], [RFC4670], 318 [RFC4671], [RFC4672], and [RFC4673] are intended to be used for 319 RADIUS over UDP. As such, they do not support RADIUS over TCP, and 320 will need to be updated in the future. Implementations of RADIUS 321 over TCP SHOULD NOT re-use these MIB Modules to perform statistics 322 counting for RADIUS over TCP connections.w 324 2.4. Detecting Live Servers 326 As RADIUS is a "hop by hop" protocol, a RADIUS proxy effectively 327 shields the client from any information about downstream servers. 328 While the client may be able to deduce the operational state of the 329 local server (i.e. proxy), it cannot make any determination about the 330 operational state of the downstream servers. 332 Within RADIUS as defined in [RFC2865], proxies typically only forward 333 traffic between the NAS and RADIUS server, and do not generate their 334 own responses. As a result, when a NAS does not receive a response 335 to a request, this could be the result of packet loss between the NAS 336 and proxy, a problem on the proxy, loss between the RADIUS proxy and 337 server, or a problem with the server. 339 When UDP was used as a transport protocol, the absence of a reply can 340 cause a client to deduce (incorrectly) that the proxy is unavailable. 341 The client could then fail over to another server, or conclude that 342 no "live" servers are available (OKAY state in [RFC3539] Appendix A). 343 This situation is made even worse when requests are sent through a 344 proxy to multiple destinations. Failures in one destination may 345 result in service outages for other destinations, if the client 346 erroneously believes that the proxy is unresponsive. 348 For RADIUS over TLS, it is RECOMMENDED that implementations utilize 349 the existence of a TCP connection along with the application layer 350 watchdog defined in [RFC3539] Section 3.4 to determine that the 351 server is "live". 353 RADIUS clients using RADIUS over TCP MUST mark a connection DOWN if 354 the network stack indicates that the connection is no longer active. 355 If the network stack indicates that connection is still active, 356 Clients MUST NOT decide that it is down until the application layer 357 watchdog algorithm has marked it DOWN ([RFC3539] Appendix A). RADIUS 358 clients using RADIUS over TCP MUST NOT decide that a RADIUS server is 359 unresponsive until all TCP connections to it have been marked DOWN. 361 The above requirements do not forbid the practice of a client pro- 362 actively closing connections, or marking a server as DOWN due to an 363 administrative decision. 365 2.5. Congestion Control Issues 367 Additional issues with RADIUS proxies involve transport protocol 368 changes where the proxy receives packets on one transport protocol, 369 and forwards them on a different transport protocol. There are 370 several situations in which the law of "conservation of packets" 371 could be violated on an end-to-end basis (e.g. where more packets 372 could enter the system than could leave it on a short-term basis): 374 * Where TCP is used between proxies, it is possible that the 375 bandwidth consumed by incoming UDP packets destined to a given 376 upstream server could exceed the sending rate of a single TCP 377 connection to that server, based on the window size/RTT estimate. 379 * It is possible for the incoming rate of TCP packets destined to 380 a given realm to exceed the UDP throughput achievable using the 381 transport guidelines established in [RFC5080]. This could happen, 382 for example, where the TCP window between proxies has opened, but 383 packet loss is being experienced on the UDP leg, so that the 384 effective congestion window on the UDP side is 1. 386 Intrinsically, proxy systems operate with multiple control loops 387 instead of one end-to-end loop, and so are less stable. This is true 388 even for TCP-TCP proxies. As discussed in [RFC3539], the only way to 389 achieve stability equivalent to a single TCP connection is to mimic 390 the end-to-end behavior of a single TCP connection. This typically 391 is not achievable with an application-layer RADIUS implementation, 392 regardless of transport. 394 2.6. TCP Specific Issues 396 The guidelines defined in [RFC3539] for implementing a AAA protocol 397 over reliable transport are applicable to RADIUS over TLS. 399 The Application Layer Watchdog defined in [RFC3539] Section 3.4 MUST 400 be used. The Status-Server packet [STATUS] MUST be used as the 401 application layer watchdog message. Implementations MUST reserve one 402 RADIUS ID per connection for the application layer watchdog message. 403 This restriction is described further below in Section 2.6.4. 405 RADIUS over TLS Implementations MUST support receiving RADIUS packets 406 over both UDP and TLS transports originating from the same endpoint. 407 RADIUS packets received over UDP MUST be replied to over UDP; RADIUS 408 packets received over TLS MUST be replied to over TLS. That is, 409 RADIUS clients and servers MUST be treated as unique based on a key 410 of the three-tuple (IP address, port, transport protocol). 411 Implementations MUST permit different shared secrets to be used for 412 UDP and TCP connections to the same destination IP address and 413 numerical port. 415 This requirement does not forbid the traditional practice of using 416 primary and secondary servers in a fail-over relationship. Instead, 417 it requires that two services sharing an IP address and numerical 418 port, but differing in transport protocol, MUST be treated as 419 independent services for the purpose of fail-over, load-balancing, 420 etc. 422 Whenever the underlying network stack permits the use of TCP 423 keepalive socket options, their use is RECOMMENDED. 425 2.6.1. Duplicates and Retransmissions 427 As TCP is a reliable transport, implementations MUST NOT retransmit 428 RADIUS request packets over a given TCP connection. Similarly, if 429 there is no response to a RADIUS packet over one TCP connection, 430 implementations MUST NOT retransmit that packet over a different TCP 431 connection to the same destination IP address and port, while the 432 first connection is in the OKAY state ([RFC3539] Appendix A). 434 However, if the TCP connection is broken or closed, retransmissions 435 over new connections are permissible. RADIUS request packets that 436 have not yet received a response MAY be transmitted by a RADIUS 437 client over a new TCP connection. As this procedure involves using a 438 new source port, the ID of the packet MAY change. If the ID changes, 439 any security attributes such as Message-Authenticator MUST be 440 recalculated. 442 If a TCP connection is broken or closed, any cached RADIUS response 443 packets ([RFC5080] Section 2.2.2) associated with that connection 444 MUST be discarded. A RADIUS server SHOULD stop processing of any 445 requests associated with that TCP connection. No response to these 446 requests can be sent over the TCP connection, so any further 447 processing is pointless. This requirement applies not only to RADIUS 448 servers, but also to proxies. When a client's connection to a proxy 449 server is closed, there may be responses from a home server that were 450 supposed to be sent by the proxy back over that connection to the 451 client. Since the client connection is closed, those responses from 452 the home server to the proxy server SHOULD be silently discarded by 453 the proxy. 455 Despite the above discussion, RADIUS servers SHOULD still perform 456 duplicate detection on received packets, as described in [RFC5080] 457 Section 2.2.2. This detection can prevent duplicate processing of 458 packets from non-conformant clients. 460 As noted previously, RADIUS packets SHOULD NOT be re-transmitted to 461 the same destination IP and numerical port, but over a different 462 transport layer. There is no guarantee in RADIUS that the two ports 463 are in any way related. This requirement does not, however, forbid 464 the practice of putting multiple servers into a fail-over or load- 465 balancing pool. In that situation, RADIUS request MAY be 466 retransmitted to another server that known to be part of the same 467 pool. 469 2.6.2. Head of Line Blocking 471 When using UDP as a transport for RADIUS, there is no ordering of 472 packets. If a packet sent by a client is lost, that loss has no 473 effect on subsequent packets sent by that client. 475 Unlike UDP, TLS is subject to issues related to Head of Line (HoL) 476 blocking. This occurs when when a TLS segment is lost and a 477 subsequent TLS segment arrives out of order. While the RADIUS server 478 can process RADIUS packets out of order, the semantics of TLS makes 479 this impossible. This limitation can lower the maximum packet 480 processing rate of RADIUS over TLS. 482 2.6.3. Shared Secrets 484 The use of TLS transport does not change the calculation of security- 485 related fields (such as the Response-Authenticator) in RADIUS 486 [RFC2865] or RADIUS Dynamic Authorization [RFC5176]. Calculation of 487 attributes such as User-Password [RFC2865] or Message-Authenticator 488 [RFC3579] also does not change. 490 Clients and servers MUST be able to store and manage shared secrets 491 based on the key described above, of (IP address, port, transport 492 protocol). 494 2.6.4. Malformed Packets and Unknown Clients 496 The RADIUS specifications ([RFC2865], etc.) say that an 497 implementation should "silently discard" a packet in a number of 498 circumstances. This action has no further consequences for UDP 499 transport, as the "next" packet is completely independent of the 500 previous one. 502 When TCP is used as a transport, decoding the "next" packet on a 503 connection depends on the proper decoding of the previous packet. As 504 a result, the behavior with respect to discarded packets has to 505 change. 507 Implementations of this specification SHOULD treat the "silently 508 discard" texts referenced above as "silently discard and close the 509 connection." That is, the TCP connection MUST be closed if any of 510 the following circumstances are seen: 512 * Connection from an unknown client 513 * Packet where the RADIUS "length" field is less than the minimum 514 RADIUS packet length 515 * Packet where the RADIUS "length" field is more than the maximum 516 RADIUS packet length 518 * Packet that has an Attribute "length" field has value of zero 519 or one (0 or 1). 520 * Packet where the attributes do not exactly fill the packet 521 * Packet where the Request Authenticator fails validation 522 (where validation is required). 523 * Packet where the Response Authenticator fails validation 524 (where validation is required). 525 * Packet where the Message-Authenticator attribute fails 526 validation (when it occurs in a packet). 528 After applying the above rules, there are still situations where the 529 previous specifications allow a packet to be "silently discarded". 530 In these situations, the TCP connections MAY remain open, or MAY be 531 closed, as an implementation choice. However, the invalid packet 532 MUST be silently discarded. 534 * Packet with an invalid code field 535 * Response packets that do not match any outstanding request 537 These requirements minimize the possibility for a misbehaving client 538 or server to wreak havoc on the network. 540 2.6.5. Limitations of the ID Field 542 The RADIUS ID field is one octet in size. As a result, any one TCP 543 connection can have only 256 "in flight" RADIUS packets at a time. 544 If more than 256 simultaneous "in flight" packets are required, 545 additional TCP connections will need to be opened. This limitation 546 is also noted in [RFC3539] Section 2.4. 548 An additional limit is the requirement to send a Status-Server packet 549 over the same TCP connection as is used for normal requests. As 550 noted in [STATUS], the response to a Status-Server packet is either 551 an Access-Accept or an Accounting-Response. If all IDs were 552 allocated to normal requests, then there would be no free Id to use 553 for the Status-Server packet, and it could not be sent over the 554 connection. 556 Implementations SHOULD reserve ID zero on each TCP connection for 557 Status-Server packets. This value was picked arbitrarily, as there 558 is no reason to choose any one value over another for this use. 560 Implementors may be tempted to extend RADIUS to permit more than 256 561 outstanding packets on one connection. However, doing so will likely 562 require fundamental changes to the RADIUS protocol, and as such, is 563 outside of the scope of this specification. 565 2.6.6. EAP Sessions 567 When RADIUS clients send EAP requests using RADIUS over TCP, they 568 SHOULD choose the same TCP connection for all packets related to one 569 EAP session. This practice ensures that EAP packets are transmitted 570 in order, and that problems with any one TCP connection do affect the 571 minimum number of EAP sessions. 573 A simple method that may work in many situations is to hash the 574 contents of the Calling-Station-Id attribute, which normally contains 575 the MAC address. The output of that hash can be used to select a 576 particular TCP connection. 578 However, EAP packets for one EAP session can still be transported 579 from client to server over multiple paths. Therefore, when a server 580 receives a RADIUS request containing an EAP request, it MUST be 581 processed without considering the transport protocol. For TCP 582 transport, it MUST be processed without considering the source port. 583 The algorithm suggested in [RFC5080] Section 2.1.1 SHOULD be used to 584 track EAP sessions, as it is independent of source port and transport 585 protocol. 587 The retransmission requirements of Section 2.6.1, above, MUST be 588 applied to RADIUS encapsulated EAP packets. That is, EAP 589 retransmissions MUST NOT result in retransmissions of RADIUS packets 590 over a particular TCP connection. EAP retransmissions MAY result in 591 retransmission of RADIUS packets over a different TCP connection, but 592 only when the previous TCP connection is marked DOWN. 594 2.6.7. TCP Applications are not UDP Applications 596 Implementors should be aware that programming a robust TCP 597 application can be very different from programming a robust UDP 598 application. It is RECOMMENDED that implementors of this 599 specification familiarize themselves with TCP application programming 600 concepts. 602 Clients and servers SHOULD implement configurable connection limits. 603 Clients and servers SHOULD implement configurable rate limiting on 604 new connections. Allowing an unbounded number or rate of TCP 605 connections may result in resource exhaustion. 607 Further discussion of implementation issues is outside of the scope 608 of this document. 610 3. Diameter Considerations 612 This document defines TCP as a transport layer for RADIUS. It 613 defines no new RADIUS attributes or codes. The only interaction with 614 Diameter is in a RADIUS to Diameter, or in a Diameter to RADIUS 615 gateway. The RADIUS side of such a gateway MAY implement RADIUS over 616 TCP, but this change has no effect on Diameter. 618 4. IANA Considerations 620 This document requires no action by IANA. 622 5. Security Considerations 624 As the RADIUS packet format, signing, and client verification are 625 unchanged from prior specifications, all of the security issues 626 outlined in previous specifications for RADIUS over UDP are also 627 applicable here. 629 As noted above, clients and servers SHOULD support configurable 630 connection limits. Allowing an unlimited number of connections may 631 result in resource exhaustion. 633 There are no (at this time) other known security issues for RADIUS 634 over TCP transport. 636 6. References 638 6.1. Normative References 640 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 641 Requirement Levels", BCP 14, RFC 2119, March 1997. 643 [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote 644 Authentication Dial In User Service (RADIUS)", RFC 2865, June 645 2000. 647 [RFC3539] Aboba, B. et al., "Authentication, Authorization and 648 Accounting (AAA) Transport Profile", RFC 3539, June 2003. 650 6.2. Informative References 652 [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. 654 [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial 655 In User Service) Support For Extensible Authentication 656 Protocol (EAP)", RFC 3579, September 2003. 658 [RFC4301] Kent, S. and R. Atkinson, "Security Architecture for the 659 Internet Protocol", RFC 4301, December, 2005. 661 [RFC4668] Nelson, D, "RADIUS Authentication Client MIB for IPv6", RFC 662 4668, August 2006. 664 [RFC4669] Nelson, D, "RADIUS Authentication Server MIB for IPv6", RFC 665 4669, August 2006. 667 [RFC4670] Nelson, D, "RADIUS Accounting Client MIB for IPv6", RFC 4670, 668 August 2006. 670 [RFC4671] Nelson, D, "RADIUS Accounting Server MIB for IPv6", RFC 4671, 671 August 2006. 673 [RFC4672] Nelson, D, "RADIUS Dynamic Authorization Client MIB", RFC 674 4672, August 2006. 676 [RFC4673] Nelson, D, "RADIUS Dynamic Authorization Server MIB", RFC 677 4673, August 2006. 679 [RFC5080] Nelson, D. and DeKok, A, "Common Remote Authentication Dial In 680 User Service (RADIUS) Implementation Issues and Suggested 681 Fixes", RFC 5080, December 2007. 683 [RFC5176] Chiba, M. et al., "Dynamic Authorization Extensions to Remote 684 Authentication Dial In User Service (RADIUS)", RFC 5176, 685 January 2008. 687 [RFC5216] Simon, D., etc al., "The EAP-TLS Authentication Protocol", RFC 688 5216, March 2008. 690 [STATUS] DeKok, A., "Use of Status-Server Packets in the Remote 691 Authentication Dial In User Service (RADIUS) Protocol", draft- 692 ietf-radext-status-server-07.txt, April 2010 (work in 693 progress). 695 [RTLS] Winter, S. et. al., "TLS encryption for RADIUS over TCP 696 (RadSec)", draft-ietf-radext-radsec-06.txt, March 2010 (work 697 in progress). 699 Acknowledgments 701 None at this time. 703 Authors' Addresses 705 Alan DeKok 706 The FreeRADIUS Server Project 707 http://freeradius.org/ 709 Email: aland@freeradius.org 711 Open issues 713 Open issues relating to this document are tracked on the following 714 web site: 716 http://www.drizzle.com/~aboba/RADEXT/