idnits 2.17.1 draft-ietf-radext-tcp-transport-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (1 July 2010) is 5047 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) == Outdated reference: A later version (-09) exists of draft-ietf-radext-status-server-08 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. DeKok 3 INTERNET-DRAFT FreeRADIUS 4 Category: Experimental 5 6 Expires: February 20, 2011 7 1 July 2010 9 RADIUS Over TCP 10 draft-ietf-radext-tcp-transport-08 12 Abstract 14 The Remote Authentication Dial In User Server (RADIUS) Protocol has 15 until now required the User Datagram Protocol (UDP) as the underlying 16 transport layer. This document defines RADIUS over the Transmission 17 Control Protocol (RADIUS/TCP), in order to address handling issues 18 related to RADIUS over Transport Layer Security (RADIUS/TLS). It 19 permits TCP to be used as a transport protocol for RADIUS only when a 20 transport layer such as TLS or IPsec provides confidentialy and 21 security. 23 Status of this Memo 25 This Internet-Draft is submitted to IETF in full conformance with 26 the provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF), its areas, and its working groups. Note that 30 other groups may also distribute working documents as Internet- 31 Drafts. 33 Internet-Drafts are draft documents valid for a maximum of six 34 months and may be updated, replaced, or obsoleted by other 35 documents at any time. It is inappropriate to use Internet-Drafts 36 as reference material or to cite them other than as "work in 37 progress." 39 The list of current Internet-Drafts can be accessed at 40 http://www.ietf.org/ietf/1id-abstracts.txt. 42 The list of Internet-Draft Shadow Directories can be accessed at 43 http://www.ietf.org/shadow.html. 45 This Internet-Draft will expire on February 1, 2011 47 Copyright Notice 48 Copyright (c) 2010 IETF Trust and the persons identified as the 49 document authors. All rights reserved. 51 This document is subject to BCP 78 and the IETF Trust's Legal 52 Provisions Relating to IETF Documents 53 (http://trustee.ietf.org/license-info/) in effect on the date of 54 publication of this document. Please review these documents 55 carefully, as they describe your rights and restrictions with 56 respect to this document. Code Components extracted from this 57 document must include Simplified BSD License text as described in 58 Section 4.e of the Trust Legal Provisions and are provided without 59 warranty as described in the Simplified BSD License. 61 Table of Contents 63 1. Introduction ............................................. 4 64 1.1. Applicability of Reliable Transport ................. 5 65 1.2. Terminology ......................................... 6 66 1.3. Requirements Language ............................... 7 67 2. Changes to RADIUS ........................................ 7 68 2.1. Packet Format ....................................... 8 69 2.2. Assigned Ports for RADIUS/TCP ....................... 8 70 2.3. Management Information Base (MIB) ................... 9 71 2.4. Detecting Live Servers .............................. 9 72 2.5. Congestion Control Issues ........................... 10 73 2.6. TCP Specific Issues ................................. 10 74 2.6.1. Duplicates and Retransmissions ................. 11 75 2.6.2. Head of Line Blocking .......................... 12 76 2.6.3. Shared Secrets ................................. 12 77 2.6.4. Malformed Packets and Unknown Clients .......... 12 78 2.6.5. Limitations of the ID Field .................... 13 79 2.6.6. EAP Sessions ................................... 14 80 2.6.7. TCP Applications are not UDP Applications ...... 15 81 3. Diameter Considerations .................................. 15 82 4. IANA Considerations ...................................... 15 83 5. Security Considerations .................................. 15 84 6. References ............................................... 16 85 6.1. Normative References ................................ 16 86 6.2. Informative References .............................. 16 88 1. Introduction 90 The RADIUS Protocol is defined in [RFC2865] as using the User 91 Datagram Protocol (UDP) for the underlying transport layer. While 92 there are a number of benefits to using UDP as outlined in [RFC2865] 93 Section 2.4, there are also some limitations: 95 * Unreliable transport. As a result, systems using RADIUS have to 96 implement application-layer timers and re-transmissions, as 97 described in [RFC5080] Section 2.2.1. 99 * Packet fragmentation. [RFC2865] Section 3 permits RADIUS 100 packets up to 4096 octets in length. These packets are larger 101 than the common Internet MTU (576), resulting in fragmentation of 102 the packets at the IP layer when they are proxied over the 103 Internet. Transport of fragmented UDP packets appears to be a 104 poorly tested code path on network devices. Some devices appear 105 to be incapable of transporting fragmented UDP packets, making it 106 difficult to deploy RADIUS in a network where those devices are 107 deployed. 109 * Connectionless transport. Neither clients nor servers receive 110 positive statements that a "connection" is down. This information 111 has to be deduced instead from the absence of a reply to a 112 request. 114 * Lack of congestion control. Clients can send arbitrary amounts 115 of traffic with little or no feedback. This lack of feedback can 116 result in congestive collapse of the network. 118 RADIUS has been widely deployed for well over a decade, and continues 119 to be widely deployed. Experience shows that these issues have been 120 minor in some use-cases, and problematic in others. For use-cases 121 such as inter-server proxying, an alternative transport and security 122 model -- RADIUS/TLS or RADIUS/TLS, as defined in [RADIUS/TLS]. That 123 document describes the transport implications of running RADIUS/TLS. 125 The choice of TCP as a transport protocol is largely driven by the 126 desire to improve the security of RADIUS by using RADIUS/TLS. For 127 practical reasons, the transport protocol (TCP) is defined separately 128 from the security mechanism (TLS). 130 Since "bare" TCP does not provide for confidentiality or enable 131 negotiation of credible ciphersuites, its use is not appropriate for 132 inter-server communications where strong security is required. As a 133 result "bare" TCP transport MUST NOT be used without TLS, IPsec, or 134 other secure upper layer. 136 "Bare" TCP transport MAY, however, be used when another method such 137 as IPSec [RFC4301] is used to provide additional confidentiality and 138 security. Should experience show that such deployments are useful, 139 this specification could be moved to standards track. 141 1.1. Applicability of Reliable Transport 143 The intent of this document is to address transport issues related to 144 RADIUS/TLS [RADIUS/TLS] in inter-server communications scenarios, 145 such as inter-domain communication between proxies. These situations 146 benefit from the confidentiality and ciphersuite negotiation that can 147 be provided by TLS. Since TLS is already widely available within the 148 operating systems used by proxies, implementation barriers are low. 150 In scenarios where RADIUS proxies exchange a large volume of packets, 151 it is likely that there will be sufficient traffic to enable the 152 congestion window to be widened beyond the minimum value on a long- 153 term basis, enabling ACK piggy-backing. Through use of an 154 application-layer watchdog as described in [RFC3539], it is possible 155 to address the objections to reliable transport described in 156 [RFC2865] Section 2.4 without substantial watchdog traffic, since 157 regular traffic is expected in both directions. 159 In addition, use of RADIUS/TLS has been found to improve operational 160 performance when used with multi-round trip authentication mechanisms 161 such as EAP over RADIUS [RFC3579]. In such exchanges, it is typical 162 for EAP fragmentation to increase the number of round-trips required. 163 For example, where EAP-TLS authentication [RFC5216] is attempted and 164 both the EAP peer and server utilize certificate chains of 8KB, as 165 many as 15 round-trips can be required if RADIUS packets are 166 restricted to the common Ethernet MTU (1500 octets) for EAP over LAN 167 (EAPoL) use-cases. Fragmentation of RADIUS/UDP packets is generally 168 inadvisable due to lack of fragmentation support within intermediate 169 devices such as filtering routers, firewalls and NATs. However, 170 since RADIUS/UDP implementations typically do not support MTU 171 discovery, fragmentation can occur even when the maximum RADIUS/UDP 172 packet size is restricted to 1500 octets. 174 These problems disappear if a 4096 application-layer payload can be 175 used alongside RADIUS/TLS. Since most TCP implementations support 176 MTU discovery, the TCP MSS is automatically adjusted to account for 177 the MTU, and the larger congestion window supported by TCP may allow 178 multiple TCP segments to be sent within a single window. Even those 179 few TCP stacks which do not perform path MTU discovery can already 180 support arbitrary payloads. 182 Where the MTU for EAP packets is large, RADIUS/EAP traffic required 183 for an EAP-TLS authentication with 8KB certificate chains may be 184 reduced to 7 round-trips or less, resulting in substantially reduced 185 authentication times. 187 In addition, experience indicates that EAP sessions transported over 188 RADIUS/TLS are less likely to abort unsuccessfully. Historically, 189 RADIUS over UDP implementations have exhibited poor retransmission 190 behavior. Some implementations retransmit packets, others do not, 191 and others send new packets rather then performing retransmission. 192 Some implementations are incapable of detecting EAP retransmissions, 193 and will instead treat the retransmitted packet as an error. As a 194 result, within RADIUS/UDP implementations, retransmissions have a 195 high likeilhood of causing an EAP authentication session to fail. 196 For a system with a million logins a day running EAP-TLS mutual 197 authentication with 15 round-trips, and having a packet loss 198 probability of P=0.01%, we expect that 0.3% of connections will 199 experience at least one lost packet. That is, 3,000 user sessions 200 each day will experience authentication failure. This is an 201 unacceptable failure rate for a mass-market network service. 203 Using a reliable transport method such as TCP means that RADIUS 204 implementations can remove all application-layer retransmissions, and 205 instead rely on the Operating System (OS) kernel's well-tested TCP 206 transport to ensure Path MTU discovery and reliable delivery. Modern 207 TCP implementations also implement anti-spoofing provisions, which is 208 more difficult to do in a UDP application. 210 In contrast, use of TCP as a transport between a NAS and a RADIUS 211 server is usually a poor fit. As noted in [RFC3539] Section 2.1, for 212 systems originating low numbers of RADIUS request packets, inter- 213 packet spacing is often larger than the packet RTT, meaning that, the 214 congestion window will typically stay below the minimum value on a 215 long-term basis. The result is an increase in packets due to ACKs as 216 compared to UDP, without a corresponding set of benefits. In 217 addition, the lack of substantial traffic implies the need for 218 additional watchdog traffic to confirm reachability. 220 As a result, the objections to reliable transport indicated in 221 [RFC2865] Section 2.4 continue to apply to NAS-RADIUS server 222 communications and UDP SHOULD continue to be used as the transport 223 protocol in this scenario. In addition, it is recommended that 224 implementations of "RADIUS Dynamic AUthorization Extensions" 225 [RFC5176] SHOULD continue to utilize UDP transport, since the volume 226 of dynamic authorization traffic is usually expected to be small. 228 1.2. Terminology 230 This document uses the following terms: 232 RADIUS client 233 A device that provides an access service for a user to a network. 234 Also referred to as a Network Access Server, or NAS. 236 RADIUS server 237 A device that provides one or more of authentication, 238 authorization, and/or accounting (AAA) services to a NAS. 240 RADIUS proxy 241 A RADIUS proxy acts as a RADIUS server to the NAS, and a RADIUS 242 client to the RADIUS server. 244 RADIUS request packet 245 A packet originated by a RADIUS client to a RADIUS server. e.g. 246 Access-Request, Accounting-Request, CoA-Request, or Disconnect- 247 Request. 249 RADIUS response packet 250 A packet sent by a RADIUS server to a RADIUS client, in response to 251 a RADIUS request packet. e.g. Access-Accept, Access-Reject, 252 Access-Challenge, Accounting-Response, CoA-ACK, etc. 254 RADIUS/UDP 255 RADIUS over UDP, as defined in [RFC2865]. 257 RADIUS/TCP 258 RADIUS over TCP, as defined in this document. 260 RADIUS/UDP 261 RADIUS over TLS,, as defined in [RADIUS/TLS]. 263 1.3. Requirements Language 265 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 266 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 267 document are to be interpreted as described in [RFC2119]. 269 2. Changes to RADIUS 271 RADIUS/TCP involves sending RADIUS application messages over a TCP 272 connection. In the sections that follow, we discuss the implications 273 for the RADIUS packet format (Section 2.1), port usage (Section 2.2), 274 RADIUS MIBs (Section 2.3) and RADIUS proxies (Section 2.5). TCP- 275 specific issues are discussed in Section 2.6. 277 2.1. Packet Format 279 The RADIUS packet format is unchanged from [RFC2865], [RFC2866], and 280 [RFC5176]. Specifically, all of the following portions of RADIUS 281 MUST be unchanged when using RADIUS/TCP: 283 * Packet format 284 * Permitted codes 285 * Request Authenticator calculation 286 * Response Authenticator calculation 287 * Minimum packet length 288 * Maximum packet length 289 * Attribute format 290 * Vendor-Specific Attribute (VSA) format 291 * Permitted data types 292 * Calculations of dynamic attributes such as CHAP-Challenge, 293 or Message-Authenticator. 294 * Calculation of "encrypted" attributes such as Tunnel-Password. 296 The use of TLS transport does not change the calculation of security- 297 related fields (such as the Response-Authenticator) in RADIUS 298 [RFC2865] or RADIUS Dynamic Authorization [RFC5176]. Calculation of 299 attributes such as User-Password [RFC2865] or Message-Authenticator 300 [RFC3579] also does not change. 302 Clients and servers MUST be able to store and manage shared secrets 303 based on the key described above, of (IP address, port, transport 304 protocol). 306 The changes to RADIUS implementations required to implement this 307 specification are largely limited to the portions that send and 308 receive packets on the network. 310 2.2. Assigned Ports for RADIUS/TCP 312 IANA has already assigned TCP ports for RADIUS and RADIUS/TLS 313 transport, as outlined below: 315 * radius 1812/tcp 316 * radius-acct 1813/tcp 317 * radius-dynauth 3799/tcp 318 * radsec 2083/tcp 320 Since these ports are unused by existing RADIUS implementations, the 321 assigned values MUST be used as the default ports for RADIUS over 322 TCP. 324 The early deployment of RADIUS was done using UDP port number 1645, 325 which conflicts with the "datametrics" service. Implementations 326 using RADIUS/TCP MUST NOT use TCP ports 1645 or 1646 as the default 327 ports for this specification. 329 The "radsec" port (2083/tcp) SHOULD be used as the default port for 330 RADIUS/TLS. The "radius" port (1812/tcp) SHOULD NOT be used for 331 RADIUS/TLS. 333 2.3. Management Information Base (MIB) 335 The MIB Module definitions in [RFC4668], [RFC4669], [RFC4670], 336 [RFC4671], [RFC4672], and [RFC4673] are intended to be used for 337 RADIUS over UDP. As such, they do not support RADIUS/TCP, and will 338 need to be updated in the future. Implementations of RADIUS/TCP 339 SHOULD NOT re-use these MIB Modules to perform statistics counting 340 for RADIUS/TCP connections. 342 2.4. Detecting Live Servers 344 As RADIUS is a "hop by hop" protocol, a RADIUS proxy shields the 345 client from any information about downstream servers. While the 346 client may be able to deduce the operational state of the local 347 server (i.e. proxy), it cannot make any determination about the 348 operational state of the downstream servers. 350 Within RADIUS as defined in [RFC2865], proxies typically only forward 351 traffic between the NAS and RADIUS server, and do not generate their 352 own responses. As a result, when a NAS does not receive a response 353 to a request, this could be the result of packet loss between the NAS 354 and proxy, a problem on the proxy, loss between the RADIUS proxy and 355 server, or a problem with the server. 357 When UDP is used as a transport protocol, the absence of a reply can 358 cause a client to deduce (incorrectly) that the proxy is unavailable. 359 The client could then fail over to another server, or conclude that 360 no "live" servers are available (OKAY state in [RFC3539] Appendix A). 361 This situation is made even worse when requests are sent through a 362 proxy to multiple destinations. Failures in one destination may 363 result in service outages for other destinations, if the client 364 erroneously believes that the proxy is unresponsive. 366 For RADIUS/TLS, it is RECOMMENDED that implementations utilize the 367 existence of a TCP connection along with the application layer 368 watchdog defined in [RFC3539] Section 3.4 to determine that the 369 server is "live". 371 RADIUS clients using RADIUS/TCP MUST mark a connection DOWN if the 372 network stack indicates that the connection is no longer active. If 373 the network stack indicates that connection is still active, Clients 374 MUST NOT decide that it is down until the application layer watchdog 375 algorithm has marked it DOWN ([RFC3539] Appendix A). RADIUS clients 376 using RADIUS/TCP MUST NOT decide that a RADIUS server is unresponsive 377 until all TCP connections to it have been marked DOWN. 379 The above requirements do not forbid the practice of a client pro- 380 actively closing connections, or marking a server as DOWN due to an 381 administrative decision. 383 2.5. Congestion Control Issues 385 Additional issues with RADIUS proxies involve transport protocol 386 changes where the proxy receives packets on one transport protocol, 387 and forwards them on a different transport protocol. There are 388 several situations in which the law of "conservation of packets" 389 could be violated on an end-to-end basis (e.g. where more packets 390 could enter the system than could leave it on a short-term basis): 392 * Where TCP is used between proxies, it is possible that the 393 bandwidth consumed by incoming UDP packets destined to a given 394 upstream server could exceed the sending rate of a single TCP 395 connection to that server, based on the window size/RTT estimate. 397 * It is possible for the incoming rate of TCP packets destined to 398 a given realm to exceed the UDP throughput achievable using the 399 transport guidelines established in [RFC5080]. This could happen, 400 for example, where the TCP window between proxies has opened, but 401 packet loss is being experienced on the UDP leg, so that the 402 effective congestion window on the UDP side is 1. 404 Intrinsically, proxy systems operate with multiple control loops 405 instead of one end-to-end loop, and so are less stable. This is true 406 even for TCP-TCP proxies. As discussed in [RFC3539], the only way to 407 achieve stability equivalent to a single TCP connection is to mimic 408 the end-to-end behavior of a single TCP connection. This typically 409 is not achievable with an application-layer RADIUS implementation, 410 regardless of transport. 412 2.6. TCP Specific Issues 414 The guidelines defined in [RFC3539] for implementing a AAA protocol 415 over reliable transport are applicable to RADIUS/TLS. 417 The Application Layer Watchdog defined in [RFC3539] Section 3.4 MUST 418 be used. The Status-Server packet [STATUS] MUST be used as the 419 application layer watchdog message. Implementations MUST reserve one 420 RADIUS ID per connection for the application layer watchdog message. 422 This restriction is described further below in Section 2.6.4. 424 RADIUS/TLS Implementations MUST support receiving RADIUS packets over 425 both UDP and TLS transports originating from the same endpoint. 426 RADIUS packets received over UDP MUST be replied to over UDP; RADIUS 427 packets received over TLS MUST be replied to over TLS. That is, 428 RADIUS clients and servers MUST be treated as unique based on a key 429 of the three-tuple (IP address, port, transport protocol). 430 Implementations MUST permit different shared secrets to be used for 431 UDP and TCP connections to the same destination IP address and 432 numerical port. 434 This requirement does not forbid the traditional practice of using 435 primary and secondary servers in a fail-over relationship. Instead, 436 it requires that two services sharing an IP address and numerical 437 port, but differing in transport protocol, MUST be treated as 438 independent services for the purpose of fail-over, load-balancing, 439 etc. 441 Whenever the underlying network stack permits the use of TCP 442 keepalive socket options, their use is RECOMMENDED. 444 2.6.1. Duplicates and Retransmissions 446 As TCP is a reliable transport, implementations MUST NOT retransmit 447 RADIUS request packets over a given TCP connection. Similarly, if 448 there is no response to a RADIUS packet over one TCP connection, 449 implementations MUST NOT retransmit that packet over a different TCP 450 connection to the same destination IP address and port, while the 451 first connection is in the OKAY state ([RFC3539] Appendix A). 453 However, if the TCP connection is broken or closed, retransmissions 454 over new connections are permissible. RADIUS request packets that 455 have not yet received a response MAY be transmitted by a RADIUS 456 client over a new TCP connection. As this procedure involves using a 457 new source port, the ID of the packet MAY change. If the ID changes, 458 any security attributes such as Message-Authenticator MUST be 459 recalculated. 461 If a TCP connection is broken or closed, any cached RADIUS response 462 packets ([RFC5080] Section 2.2.2) associated with that connection 463 MUST be discarded. A RADIUS server SHOULD stop processing of any 464 requests associated with that TCP connection. No response to these 465 requests can be sent over the TCP connection, so any further 466 processing is pointless. This requirement applies not only to RADIUS 467 servers, but also to proxies. When a client's connection to a proxy 468 server is closed, there may be responses from a home server that were 469 supposed to be sent by the proxy back over that connection to the 470 client. Since the client connection is closed, those responses from 471 the home server to the proxy server SHOULD be silently discarded by 472 the proxy. 474 Despite the above discussion, RADIUS servers SHOULD still perform 475 duplicate detection on received packets, as described in [RFC5080] 476 Section 2.2.2. This detection can prevent duplicate processing of 477 packets from non-conformant clients. 479 RADIUS packets SHOULD NOT be re-transmitted to the same destination 480 IP and numerical port, but over a different transport protocol. 481 There is no guarantee in RADIUS that the two ports are in any way 482 related. This requirement does not, however, forbid the practice of 483 putting multiple servers into a fail-over or load-balancing pool. In 484 that situation, RADIUS request MAY be retransmitted to another server 485 that is known to be part of the same pool. 487 2.6.2. Head of Line Blocking 489 When using UDP as a transport for RADIUS, there is no ordering of 490 packets. If a packet sent by a client is lost, that loss has no 491 effect on subsequent packets sent by that client. 493 Unlike UDP, TCP is subject to issues related to Head of Line (HoL) 494 blocking. This occurs when when a TCP segment is lost and a 495 subsequent TCP segment arrives out of order. While the RADIUS server 496 can process RADIUS packets out of order, the semantics of TCP makes 497 this impossible. This limitation can lower the maximum packet 498 processing rate of RADIUS/TCP. 500 2.6.3. Shared Secrets 502 The use of TLS transport does not change the calculation of security- 503 related fields (such as the Response-Authenticator) in RADIUS 504 [RFC2865] or RADIUS Dynamic Authorization [RFC5176]. Calculation of 505 attributes such as User-Password [RFC2865] or Message-Authenticator 506 [RFC3579] also does not change. 508 Clients and servers MUST be able to store and manage shared secrets 509 based on the key described above, of (IP address, port, transport 510 protocol). 512 2.6.4. Malformed Packets and Unknown Clients 514 The RADIUS specifications ([RFC2865], etc.) say that an 515 implementation should "silently discard" a packet in a number of 516 circumstances. This action has no further consequences for UDP 517 transport, as the "next" packet is completely independent of the 518 previous one. 520 When TCP is used as a transport, decoding the "next" packet on a 521 connection depends on the proper decoding of the previous packet. As 522 a result, the behavior with respect to discarded packets has to 523 change. 525 Implementations of this specification SHOULD treat the "silently 526 discard" texts referenced above as "silently discard and close the 527 connection." That is, the TCP connection MUST be closed if any of 528 the following circumstances are seen: 530 * Connection from an unknown client 531 * Packet where the RADIUS "length" field is less than the minimum 532 RADIUS packet length 533 * Packet where the RADIUS "length" field is more than the maximum 534 RADIUS packet length 535 * Packet that has an Attribute "length" field has value of zero 536 or one (0 or 1). 537 * Packet where the attributes do not exactly fill the packet 538 * Packet where the Request Authenticator fails validation 539 (where validation is required). 540 * Packet where the Response Authenticator fails validation 541 (where validation is required). 542 * Packet where the Message-Authenticator attribute fails 543 validation (when it occurs in a packet). 545 After applying the above rules, there are still two situations where 546 the previous specifications allow a packet to be "silently discarded" 547 on reception: 549 * Packets with an invalid code field 550 * Response packets that do not match any outstanding request 552 In these situations, the TCP connections MAY remain open, or MAY be 553 closed, as an implementation choice. However, the invalid packet 554 MUST be silently discarded. 556 These requirements reduce the possibility for a misbehaving client or 557 server to wreak havoc on the network. 559 2.6.5. Limitations of the ID Field 561 The RADIUS ID field is one octet in size. As a result, any one TCP 562 connection can have only 256 "in flight" RADIUS packets at a time. 563 If more than 256 simultaneous "in flight" packets are required, 564 additional TCP connections will need to be opened. This limitation 565 is also noted in [RFC3539] Section 2.4. 567 An additional limit is the requirement to send a Status-Server packet 568 over the same TCP connection as is used for normal requests. As 569 noted in [STATUS], the response to a Status-Server packet is either 570 an Access-Accept or an Accounting-Response. If all IDs were 571 allocated to normal requests, then there would be no free ID to use 572 for the Status-Server packet, and it could not be sent over the 573 connection. 575 Implementations SHOULD reserve ID zero (0) on each TCP connection for 576 Status-Server packets. This value was picked arbitrarily, as there 577 is no reason to choose any one value over another for this use. 579 Implementors may be tempted to extend RADIUS to permit more than 256 580 outstanding packets on one connection. However, doing so is a 581 violation of a fundamental part of the protocol and MUST NOT be done. 582 Making that extension here is outside of the scope of this 583 specification. 585 2.6.6. EAP Sessions 587 When RADIUS clients send EAP requests using RADIUS/TCP, they SHOULD 588 choose the same TCP connection for all packets related to one EAP 589 session. This practice ensures that EAP packets are transmitted in 590 order, and that problems with any one TCP connection do affect the 591 minimum number of EAP sessions. 593 A simple method that may work in many situations is to hash the 594 contents of the Calling-Station-Id attribute, which normally contains 595 the MAC address. The output of that hash can be used to select a 596 particular TCP connection. 598 However, EAP packets for one EAP session can still be transported 599 from client to server over multiple paths. Therefore, when a server 600 receives a RADIUS request containing an EAP request, it MUST be 601 processed without considering the transport protocol. For TCP 602 transport, it MUST be processed without considering the source port. 603 The algorithm suggested in [RFC5080] Section 2.1.1 SHOULD be used to 604 track EAP sessions, as it is independent of source port and transport 605 protocol. 607 The retransmission requirements of Section 2.6.1, above, MUST be 608 applied to RADIUS encapsulated EAP packets. That is, EAP 609 retransmissions MUST NOT result in retransmissions of RADIUS packets 610 over a particular TCP connection. EAP retransmissions MAY result in 611 retransmission of RADIUS packets over a different TCP connection, but 612 only when the previous TCP connection is marked DOWN. 614 2.6.7. TCP Applications are not UDP Applications 616 Implementors should be aware that programming a robust TCP 617 application can be very different from programming a robust UDP 618 application. It is RECOMMENDED that implementors of this 619 specification familiarize themselves with TCP application programming 620 concepts. 622 Clients and servers SHOULD implement configurable connection limits. 623 Clients and servers SHOULD implement configurable rate limiting on 624 new connections. Allowing an unbounded number or rate of TCP 625 connections may result in resource exhaustion. 627 Further discussion of implementation issues is outside of the scope 628 of this document. 630 3. Diameter Considerations 632 This document defines TCP as a transport layer for RADIUS. It 633 defines no new RADIUS attributes or codes. The only interaction with 634 Diameter is in a RADIUS to Diameter, or in a Diameter to RADIUS 635 gateway. The RADIUS side of such a gateway MAY implement RADIUS/TCP, 636 but this change has no effect on Diameter. 638 4. IANA Considerations 640 This document requires no action by IANA. 642 5. Security Considerations 644 As the RADIUS packet format, signing, and client verification are 645 unchanged from prior specifications, all of the security issues 646 outlined in previous specifications for RADIUS/UDP are also 647 applicable here. 649 As noted above, clients and servers SHOULD support configurable 650 connection limits. Allowing an unlimited number of connections may 651 result in resource exhaustion. 653 Implementors should consult [RADIUS/TLS] for issues related the 654 security of RADIUS/TLS, and [RFC5246] for issues related to the 655 security of the TLS protocol. 657 Since "bare" TCP does not provide for confidentiality or enable 658 negotiation of credible ciphersuites, its use is not appropriate for 659 inter-server communications where strong security is required. As a 660 result "bare" TCP transport MUST NOT be used without TLS, IPsec, or 661 other secure upper layer. 663 There are no (at this time) other known security issues for RADIUS 664 over TCP transport. 666 6. References 668 6.1. Normative References 670 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 671 Requirement Levels", BCP 14, RFC 2119, March 1997. 673 [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote 674 Authentication Dial In User Service (RADIUS)", RFC 2865, June 675 2000. 677 [RFC3539] Aboba, B. et al., "Authentication, Authorization and 678 Accounting (AAA) Transport Profile", RFC 3539, June 2003. 680 [RADIUS/TLS] 681 Winter, S. et. al., "TLS encryption for RADIUS over TCP 682 (RadSec)", draft-ietf-radext-radsec-06.txt, March 2010 (work 683 in progress). 685 6.2. Informative References 687 [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. 689 [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial 690 In User Service) Support For Extensible Authentication 691 Protocol (EAP)", RFC 3579, September 2003. 693 [RFC4301] Kent, S. and R. Atkinson, "Security Architecture for the 694 Internet Protocol", RFC 4301, December, 2005. 696 [RFC4668] Nelson, D, "RADIUS Authentication Client MIB for IPv6", RFC 697 4668, August 2006. 699 [RFC4669] Nelson, D, "RADIUS Authentication Server MIB for IPv6", RFC 700 4669, August 2006. 702 [RFC4670] Nelson, D, "RADIUS Accounting Client MIB for IPv6", RFC 4670, 703 August 2006. 705 [RFC4671] Nelson, D, "RADIUS Accounting Server MIB for IPv6", RFC 4671, 706 August 2006. 708 [RFC4672] Nelson, D, "RADIUS Dynamic Authorization Client MIB", RFC 709 4672, August 2006. 711 [RFC4673] Nelson, D, "RADIUS Dynamic Authorization Server MIB", RFC 712 4673, August 2006. 714 [RFC5080] Nelson, D. and DeKok, A, "Common Remote Authentication Dial In 715 User Service (RADIUS) Implementation Issues and Suggested 716 Fixes", RFC 5080, December 2007. 718 [RFC5176] Chiba, M. et al., "Dynamic Authorization Extensions to Remote 719 Authentication Dial In User Service (RADIUS)", RFC 5176, 720 January 2008. 722 [RFC5216] Simon, D., etc al., "The EAP-TLS Authentication Protocol", RFC 723 5216, March 2008. 725 [RFC5246] Dierks, T., Rescorla, E., "The Transport Layer Security (TLS) 726 Protocol Version 1.2", RFC 5246, August 2008. 728 [STATUS] DeKok, A., "Use of Status-Server Packets in the Remote 729 Authentication Dial In User Service (RADIUS) Protocol", draft- 730 ietf-radext-status-server-08.txt, May 2010 (work in progress). 732 Acknowledgments 734 None at this time. 736 Authors' Addresses 738 Alan DeKok 739 The FreeRADIUS Server Project 740 http://freeradius.org/ 742 Email: aland@freeradius.org 744 Open issues 746 Open issues relating to this document are tracked on the following 747 web site: 749 http://www.drizzle.com/~aboba/RADEXT/