1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
|
<pre>Internet Engineering Task Force (IETF) A. DeKok, Ed.
Request for Comments: 6158 FreeRADIUS
BCP: 158 G. Weber
Category: Best Current Practice Individual Contributor
ISSN: 2070-1721 March 2011
<span class="h1">RADIUS Design Guidelines</span>
Abstract
This document provides guidelines for the design of attributes used
by the Remote Authentication Dial In User Service (RADIUS) protocol.
It is expected that these guidelines will prove useful to authors and
reviewers of future RADIUS attribute specifications, within the IETF
as well as other Standards Development Organizations (SDOs).
Status of This Memo
This memo documents an Internet Best Current Practice.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
BCPs is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc6158">http://www.rfc-editor.org/info/rfc6158</a>.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">DeKok & Weber Best Current Practice [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-1.1">1.1</a>. Terminology ................................................<a href="#page-4">4</a>
<a href="#section-1.2">1.2</a>. Requirements Language ......................................<a href="#page-4">4</a>
<a href="#section-1.3">1.3</a>. Applicability ..............................................<a href="#page-5">5</a>
<a href="#section-1.3.1">1.3.1</a>. Reviews .............................................<a href="#page-5">5</a>
<a href="#section-2">2</a>. Guidelines ......................................................<a href="#page-6">6</a>
<a href="#section-2.1">2.1</a>. Data Types .................................................<a href="#page-8">8</a>
<a href="#section-2.2">2.2</a>. Vendor Space ...............................................<a href="#page-9">9</a>
<a href="#section-2.3">2.3</a>. Service Definitions and RADIUS .............................<a href="#page-9">9</a>
<a href="#section-2.4">2.4</a>. Translation of Vendor Specifications ......................<a href="#page-10">10</a>
<a href="#section-3">3</a>. Rationale ......................................................<a href="#page-11">11</a>
<a href="#section-3.1">3.1</a>. RADIUS Operational Model ..................................<a href="#page-11">11</a>
<a href="#section-3.2">3.2</a>. Data Model Issues .........................................<a href="#page-14">14</a>
<a href="#section-3.2.1">3.2.1</a>. Issues with Definitions of Types ...................<a href="#page-15">15</a>
<a href="#section-3.2.2">3.2.2</a>. Tagging Mechanism ..................................<a href="#page-16">16</a>
<a href="#section-3.2.3">3.2.3</a>. Complex Data Types .................................<a href="#page-16">16</a>
<a href="#section-3.2.4">3.2.4</a>. Complex Data Type Exceptions .......................<a href="#page-18">18</a>
<a href="#section-3.3">3.3</a>. Vendor Space ..............................................<a href="#page-19">19</a>
<a href="#section-3.3.1">3.3.1</a>. Interoperability Considerations ....................<a href="#page-20">20</a>
<a href="#section-3.3.2">3.3.2</a>. Vendor Allocations .................................<a href="#page-20">20</a>
<a href="#section-3.3.3">3.3.3</a>. SDO Allocations ....................................<a href="#page-20">20</a>
<a href="#section-3.4">3.4</a>. Polymorphic Attributes ....................................<a href="#page-21">21</a>
<a href="#section-4">4</a>. IANA Considerations ............................................<a href="#page-22">22</a>
<a href="#section-5">5</a>. Security Considerations ........................................<a href="#page-22">22</a>
<a href="#section-5.1">5.1</a>. New Data Types and Complex Attributes .....................<a href="#page-23">23</a>
<a href="#section-6">6</a>. References .....................................................<a href="#page-24">24</a>
<a href="#section-6.1">6.1</a>. Normative References ......................................<a href="#page-24">24</a>
<a href="#section-6.2">6.2</a>. Informative References ....................................<a href="#page-24">24</a>
<a href="#appendix-A">Appendix A</a>. Design Guidelines Checklist ..........................<a href="#page-27">27</a>
<a href="#appendix-A.1">A.1</a>. Types Matching the RADIUS Data Model ......................<a href="#page-27">27</a>
<a href="#appendix-A.1.1">A.1.1</a>. Transport of Basic Data Types ........................<a href="#page-27">27</a>
<a href="#appendix-A.1.2">A.1.2</a>. Transport of Authentication and Security Data ........<a href="#page-27">27</a>
<a href="#appendix-A.1.3">A.1.3</a>. Opaque Data Types ....................................<a href="#page-27">27</a>
<a href="#appendix-A.1.4">A.1.4</a>. Pre-existing Data Types ..............................<a href="#page-28">28</a>
<span class="grey">DeKok & Weber Best Current Practice [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
<a href="#appendix-A.2">A.2</a>. Improper Data Types .......................................<a href="#page-28">28</a>
<a href="#appendix-A.2.1">A.2.1</a>. Simple Data Types ....................................<a href="#page-28">28</a>
<a href="#appendix-A.2.2">A.2.2</a>. More Complex Data Types ..............................<a href="#page-29">29</a>
<a href="#appendix-A.3">A.3</a>. Vendor-Specific Formats ...................................<a href="#page-29">29</a>
<a href="#appendix-A.4">A.4</a>. Changes to the RADIUS Operational Model ...................<a href="#page-30">30</a>
<a href="#appendix-A.5">A.5</a>. Allocation of Attributes ..................................<a href="#page-31">31</a>
<a href="#appendix-B">Appendix B</a>. Complex Attributes ...................................<a href="#page-32">32</a>
<a href="#appendix-B.1">B.1</a>. CHAP-Password .............................................<a href="#page-32">32</a>
<a href="#appendix-B.2">B.2</a>. CHAP-Challenge ............................................<a href="#page-32">32</a>
<a href="#appendix-B.3">B.3</a>. Tunnel-Password ...........................................<a href="#page-33">33</a>
<a href="#appendix-B.4">B.4</a>. ARAP-Password .............................................<a href="#page-33">33</a>
<a href="#appendix-B.5">B.5</a>. ARAP-Features .............................................<a href="#page-34">34</a>
<a href="#appendix-B.6">B.6</a>. Connect-Info ..............................................<a href="#page-34">34</a>
<a href="#appendix-B.7">B.7</a>. Framed-IPv6-Prefix ........................................<a href="#page-35">35</a>
<a href="#appendix-B.8">B.8</a>. Egress-VLANID .............................................<a href="#page-36">36</a>
<a href="#appendix-B.9">B.9</a>. Egress-VLAN-Name ..........................................<a href="#page-37">37</a>
<a href="#appendix-B.10">B.10</a>. Digest-* .................................................<a href="#page-37">37</a>
Acknowledgments ...................................................<a href="#page-37">37</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
This document provides guidelines for the design of Remote
Authentication Dial In User Service (RADIUS) attributes within the
IETF as well as within other Standards Development Organizations
(SDOs). By articulating RADIUS design guidelines, it is hoped that
this document will encourage the development and publication of high-
quality RADIUS attribute specifications.
However, the advice in this document will not be helpful unless it is
put to use. As with "Guidelines for Authors and Reviewers of MIB
Documents" [<a href="./rfc4181" title=""Guidelines for Authors and Reviewers of MIB Documents"">RFC4181</a>], it is expected that authors will check their
document against the guidelines in this document prior to publication
or requesting review (such as an "Expert Review" described in
[<a href="./rfc3575" title=""IANA Considerations for RADIUS (Remote Authentication Dial In User Service)"">RFC3575</a>]). Similarly, it is expected that this document will be
used by reviewers (such as WG participants or the Authentication,
Authorization, and Accounting (AAA) Doctors [<a href="#ref-DOCTORS">DOCTORS</a>]), resulting in
an improvement in the consistency of reviews.
In order to meet these objectives, this document needs to cover not
only the science of attribute design but also the art. Therefore, in
addition to covering the most frequently encountered issues, this
document explains some of the considerations motivating the
guidelines. These considerations include complexity trade-offs that
make it difficult to provide "hard and fast" rules for attribute
design. This document explains those trade-offs through reviews of
current attribute usage.
<span class="grey">DeKok & Weber Best Current Practice [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
The rest of the document is organized as follows. <a href="#section-1">Section 1</a>
discusses the applicability of the guidelines and defines a
recommended review process for RADIUS specifications. <a href="#section-2">Section 2</a>
defines the design guidelines in terms of what is "RECOMMENDED" and
"NOT RECOMMENDED". <a href="#section-3">Section 3</a> gives a longer explanation of the
rationale behind the guidelines given in the previous section.
<a href="#appendix-A">Appendix A</a> repeats the guidelines in a "checklist" format. <a href="#appendix-B">Appendix</a>
<a href="#appendix-B">B</a> discusses previously defined attributes that do not follow the
guidelines.
Authors of new RADIUS specifications can be compliant with the design
guidelines by working through the checklists given in <a href="#appendix-A">Appendix A</a>.
Reviewers of RADIUS specifications are expected to be familiar with
the entire document.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Terminology</span>
This document uses the following terms:
Network Access Server (NAS)
A device that provides an access service for a user to a network.
RADIUS server
A RADIUS authentication, authorization, and accounting (AAA)
server is an entity that provides one or more AAA services to a
NAS.
Standard space
Codes in the RADIUS Attribute Type Space that are allocated by
IANA and that follow the format defined in <a href="./rfc2865#section-5">Section 5 of RFC 2865</a>
[<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>].
Vendor space
The contents of the Vendor-Specific Attribute (VSA), as defined in
<a href="./rfc2865#section-5.26">[RFC2865], Section 5.26</a>. These attributes provide a unique
attribute type space in the "String" field for each vendor
(identified by the Vendor-Type field), which they can self-
allocate.
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. Requirements Language</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="grey">DeKok & Weber Best Current Practice [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
<span class="h3"><a class="selflink" id="section-1.3" href="#section-1.3">1.3</a>. Applicability</span>
The advice in this document applies to RADIUS attributes used to
encode service-provisioning, authentication, or accounting data based
on the attribute encodings and data formats defined in <a href="./rfc2865">RFC 2865</a>
[<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>], <a href="./rfc2866">RFC 2866</a> [<a href="./rfc2866" title=""RADIUS Accounting"">RFC2866</a>], and subsequent RADIUS RFCs.
Since this document represents a Best Current Practice, it does not
update or deprecate existing standards. As a result, uses of the
terms "MUST" and "MUST NOT" are limited to requirements already
present in existing documents.
It is RECOMMENDED that these guidelines be followed for all new
RADIUS specifications, whether they originate from a vendor, an SDO,
or the IETF. Doing so will ensure the widest possible applicability
and interoperability of the specifications, while requiring minimal
changes to existing systems. In particular, it is expected that
RADIUS specifications requesting allocation within the standard space
will follow these guidelines and will explain why this is not
possible if they cannot.
However, there are situations in which vendors or SDOs can choose not
to follow these guidelines without major consequences. As noted in
<a href="./rfc2865#section-5.26">Section 5.26 of [RFC2865]</a>, Vendor-Specific Attributes (VSAs) are
"available to allow vendors to support their own extended Attributes
not suitable for general usage". Where vendors or SDOs develop
specifications "not suitable for general usage", limited
interoperability and inability to use existing implementations may be
acceptable, and, in these situations, vendors and SDOs MAY choose not
to conform to these guidelines.
Note that the RADEXT WG is currently (as of 2011) involved in
developing updates to RADIUS. Those updates will provide their own
usage guidelines that may modify some of the guidelines defined here,
such as defining new data types, practices, etc.
RADIUS protocol changes, or specification of attributes (such as
Service-Type), that can, in effect, provide new RADIUS commands
require greater expertise and deeper review, as do changes to the
RADIUS operational model. As a result, such changes are outside the
scope of this document and MUST NOT be undertaken outside the IETF.
<span class="h4"><a class="selflink" id="section-1.3.1" href="#section-1.3.1">1.3.1</a>. Reviews</span>
For specifications utilizing attributes within the standard space,
conformance with the design guidelines in this document is expected
unless a good case can be made for an exception. Reviewers SHOULD
use the design guidelines as a review checklist.
<span class="grey">DeKok & Weber Best Current Practice [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
While not required, IETF review may also be beneficial for
specifications utilizing the vendor space. Experience has shown that
attributes not originally designed for general usage can subsequently
garner wide-spread deployment. An example is the Vendor-Specific
Attributes defined in [<a href="./rfc2548" title=""Microsoft Vendor-specific RADIUS Attributes"">RFC2548</a>], which have been widely implemented
within IEEE 802.11 Access Points.
In order to assist in the development of specifications conforming to
these guidelines, authors can request review by sending an email to
the AAA Doctors [<a href="#ref-DOCTORS">DOCTORS</a>] or equivalent mailing list. The IETF
Operations & Management Area Directors will then arrange for the
review to be completed and posted to the AAA Doctors mailing list
[<a href="#ref-DOCTORS">DOCTORS</a>], RADEXT WG mailing list, or other IETF mailing lists.
Since reviews are handled by volunteers, responses are provided on a
best-effort basis, with no service-level guarantees. Authors are
encouraged to seek review as early as possible, so as to avoid
potential delays.
As reviewers require access to the specification, vendors and SDOs
are encouraged to make it publicly available. Where the RADIUS
specification is embedded within a larger document that cannot be
made public, the RADIUS attribute and value definitions can be made
available on a public web site or can be published as an
Informational RFC, as with [<a href="./rfc4679" title=""DSL Forum Vendor-Specific RADIUS Attributes"">RFC4679</a>].
The review process requires neither allocation of attributes within
the standard space nor publication of an RFC. Requiring SDOs or
vendors to rehost VSAs into the standard space solely for the purpose
of obtaining review would put pressure on the standard space and may
be harmful to interoperability since it would create two ways to
provision the same service. Rehosting may also require changes to
the RADIUS data model, which will affect implementations that do not
intend to support the SDO or vendor specifications.
Similarly, vendors are encouraged to make their specifications
publicly available, for maximum interoperability. However, it is not
necessary for a vendor to request publication of a VSA specification
as an RFC.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Guidelines</span>
The RADIUS protocol as defined in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] and [<a href="./rfc2866" title=""RADIUS Accounting"">RFC2866</a>] uses
elements known as attributes in order to represent authentication,
authorization, and accounting data.
<span class="grey">DeKok & Weber Best Current Practice [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
Unlike Simple Network Management Protocol (SNMP), first defined in
[<a href="./rfc1157" title=""Simple Network Management Protocol (SNMP)"">RFC1157</a>] and [<a href="./rfc1155" title=""Structure and identification of management information for TCP/IP- based internets"">RFC1155</a>], RADIUS does not define a formal data
definition language. The data type of RADIUS attributes is not
transported on the wire. Rather, the data type of a RADIUS attribute
is fixed when an attribute is defined. Based on the RADIUS attribute
type code, RADIUS clients and servers can determine the data type
based on pre-configured entries within a data dictionary.
To explain the implications of this early RADIUS design decision, we
distinguish two kinds of data types, namely "basic" and "complex".
Basic data types use one of the existing RADIUS data types as defined
in <a href="#section-2.1">Section 2.1</a>, encapsulated in a [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] RADIUS attribute or in a
[<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] RADIUS VSA. All other data formats are "complex types".
RADIUS attributes can be classified into one of three broad
categories:
* Attributes that are of interest to a single vendor, e.g., for a
product or product line. Minimal cross-vendor interoperability
is needed.
Vendor-Specific Attributes (VSAs) are appropriate for use in
this situation. Code-point allocation is managed by the vendor
with the vendor space defined by their Private Enterprise Number
(PEN), as given in the Vendor-Id field.
* Attributes that are of interest to an industry segment, where an
SDO defines the attributes for that industry. Multi-vendor
interoperability within an industry segment is expected.
Vendor-Specific Attributes (VSAs) MUST be used. Code-point
allocation is managed by the SDO with the vendor space defined
by the SDO's PEN rather than the PEN of an individual vendor.
* Attributes that are of broad interest to the Internet community.
Multi-vendor interoperability is expected.
Attributes within the standard space are appropriate for this
purpose and are allocated via IANA as described in [<a href="./rfc3575" title=""IANA Considerations for RADIUS (Remote Authentication Dial In User Service)"">RFC3575</a>].
Since the standard space represents a finite resource, and is
the only attribute space available for use by IETF working
groups, vendors, and SDOs are encouraged to utilize the vendor
space rather than request allocation of attributes from the
standard space. Usage of attribute type codes reserved for
standard attributes is considered antisocial behavior and is
strongly discouraged.
<span class="grey">DeKok & Weber Best Current Practice [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Data Types</span>
RADIUS defines a limited set of data types, defined as "basic data
types". The following data qualifies as "basic data types":
* 32-bit unsigned integer in network byte order.
* Enumerated data types, represented as a 32-bit unsigned integer
with a list of name to value mappings (e.g., Service-Type).
* IPv4 address in network byte order.
* Time as a 32-bit unsigned value in network byte order and in
seconds since 00:00:00 UTC, January 1, 1970.
* IPv6 address in network byte order.
* Interface-Id (8-octet string in network byte order).
* IPv6 prefix.
* String (i.e., binary data), totaling 253 octets or less in
length. This includes the opaque encapsulation of data
structures defined outside of RADIUS. See also <a href="#appendix-A.1.3">Appendix A.1.3</a>
for additional discussion.
* UTF-8 text [<a href="./rfc3629" title=""UTF-8, a transformation format of ISO 10646"">RFC3629</a>], totaling 253 octets or less in length.
Note that the length limitations for VSAs of type String and Text are
less than 253 octets, due to the additional overhead of the Vendor-
Specific encoding.
The following data also qualifies as "basic data types":
* Attributes grouped into a logical container using the [<a href="./rfc2868" title=""RADIUS Attributes for Tunnel Protocol Support"">RFC2868</a>]
tagging mechanism. This approach is NOT RECOMMENDED (see
<a href="#section-3.2.2">Section 3.2.2</a>) but is permissible where the alternatives are
worse.
* Attributes requiring the transport of more than 253 octets of
Text or String data. This includes the opaque encapsulation of
data structures defined outside of RADIUS, e.g., EAP-Message.
All other data formats (including nested attributes) are defined to
be "complex data types" and are NOT RECOMMENDED for normal use.
Complex data types MAY be used in situations where they reduce
complexity in non-RADIUS systems or where using the basic data types
would be awkward (such as where grouping would be required in order
<span class="grey">DeKok & Weber Best Current Practice [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
to link related attributes). Since there are no "hard and fast"
rules for where complexity is best located, each situation has to be
decided on a case-by-case basis. Examples of this trade-off are
discussed in <a href="#appendix-B">Appendix B</a>. Where a complex data type is selected, an
explanation SHOULD be offered as to why this was necessary.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Vendor Space</span>
The Vendor space is defined to be the contents of the Vendor-Specific
Attribute (<a href="./rfc2865#section-5.26">[RFC2865], Section 5.26</a>) where the Vendor-Id defines the
space for a particular vendor, and the contents of the "String" field
define a unique attribute type space for that vendor. As discussed
there, it is intended for vendors and SDOs to support their own
attributes not suitable for general use.
While the encoding of attributes within the vendor space is under the
control of vendors and SDOs, following the guidelines described here
is advantageous since it enables maximum interoperability with
minimal changes to existing systems.
For example, RADIUS server support for new attributes using "basic
data types" can typically be accomplished by editing a RADIUS
dictionary, whereas "complex data types" typically require RADIUS
server code changes, which can add complexity and delays in
implementation.
Vendor RADIUS Attribute specifications SHOULD self-allocate
attributes from the vendor space rather than request an allocation
from within the standard space.
VSA encodings that do not follow the <a href="./rfc2865#section-5.26">[RFC2865], Section 5.26</a> encoding
scheme are NOT RECOMMENDED. Although [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] does not mandate it,
implementations commonly assume that the Vendor Id can be used as a
key to determine the on-the-wire encoding of a VSA. Vendors
therefore SHOULD NOT use multiple encodings for VSAs that are
associated with a particular Vendor Id. A vendor wishing to use
multiple VSA encodings SHOULD request one Vendor Id for each VSA
encoding that they will use.
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Service Definitions and RADIUS</span>
RADIUS specifications define how an existing service or protocol can
be provisioned using RADIUS, usually via the Service-Type Attribute.
Therefore, it is expected that a RADIUS attribute specification will
reference documents defining the protocol or service to be
provisioned. Within the IETF, a RADIUS attribute specification
<span class="grey">DeKok & Weber Best Current Practice [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
SHOULD NOT be used to define the protocol or service being
provisioned. New services using RADIUS for provisioning SHOULD be
defined elsewhere and referenced in the RADIUS specification.
New attributes, or new values of existing attributes, SHOULD NOT be
used to define new RADIUS commands. RADIUS attributes are intended
to:
* authenticate users
* authorize users (i.e., service provisioning or changes to
provisioning)
* account for user activity (i.e., logging of session activity)
Requirements for allocation of new commands (i.e., the Code field in
the packet header) and new attributes within the standard space are
described in <a href="./rfc3575#section-2.1">[RFC3575], Section 2.1</a>.
<span class="h3"><a class="selflink" id="section-2.4" href="#section-2.4">2.4</a>. Translation of Vendor Specifications</span>
<a href="./rfc2865#section-5.26">[RFC2865], Section 5.26</a> defines Vendor-Specific Attributes as
follows:
This Attribute is available to allow vendors to support their own
extended Attributes not suitable for general usage. It MUST NOT
affect the operation of the RADIUS protocol.
Servers not equipped to interpret the vendor-specific information
sent by a client MUST ignore it (although it may be reported).
Clients which do not receive desired vendor-specific information
SHOULD make an attempt to operate without it, although they may do
so (and report they are doing so) in a degraded mode.
The limitation on changes to the RADIUS protocol effectively
prohibits VSAs from changing fundamental aspects of RADIUS operation,
such as modifying RADIUS packet sequences or adding new commands.
However, the requirement for clients and servers to be able to
operate in the absence of VSAs has proven to be less of a constraint
since it is still possible for a RADIUS client and server to mutually
indicate support for VSAs, after which behavior expectations can be
reset.
Therefore, <a href="./rfc2865">RFC 2865</a> provides considerable latitude for development of
new attributes within the vendor space, while prohibiting development
of protocol variants. This flexibility implies that RADIUS
attributes can often be developed within the vendor space without
loss (and possibly even with gain) in functionality.
<span class="grey">DeKok & Weber Best Current Practice [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
As a result, translation of RADIUS attributes developed within the
vendor space into the standard space may provide only modest
benefits, while accelerating the exhaustion of the standard space.
We do not expect that all RADIUS attribute specifications requiring
interoperability will be developed within the IETF, and allocated
from the standard space. A more scalable approach is to recognize
the flexibility of the vendor space, while working toward
improvements in the quality and availability of RADIUS attribute
specifications, regardless of where they are developed.
It is therefore NOT RECOMMENDED that specifications intended solely
for use by a vendor or SDO be translated into the standard space.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Rationale</span>
This section outlines the rationale behind the above recommendations.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. RADIUS Operational Model</span>
The RADIUS operational model includes several assumptions:
* The RADIUS protocol is stateless.
* Provisioning of services is not possible within an Access-Reject
or Disconnect-Request.
* There is a distinction between authorization checks and user
authentication.
* The protocol provides for authentication and integrity
protection of packets.
* The RADIUS protocol is a Request/Response protocol.
* The protocol defines packet length restrictions.
While RADIUS server implementations may keep state, the RADIUS
protocol is stateless, although information may be passed from one
protocol transaction to another via the State Attribute. As a
result, documents that require stateful protocol behavior without use
of the State Attribute are inherently incompatible with RADIUS as
defined in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] and MUST be redesigned. See [<a href="./rfc5080" title=""Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes"">RFC5080</a>], <a href="#section-2.1.1">Section</a>
<a href="#section-2.1.1">2.1.1</a> for additional discussion surrounding the use of the State
Attribute.
As noted in <a href="./rfc5080#section-2.6">[RFC5080], Section 2.6</a>, the intent of an Access-Reject is
to deny access to the requested service. As a result, RADIUS does
not allow the provisioning of services within an Access-Reject or
<span class="grey">DeKok & Weber Best Current Practice [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
Disconnect-Request. Documents that include provisioning of services
within an Access-Reject or Disconnect-Request are inherently
incompatible with RADIUS and need to be redesigned.
<a href="./rfc5176#section-3">[RFC5176], Section 3</a> notes the following:
A Disconnect-Request MUST contain only NAS and session
identification attributes. If other attributes are included in a
Disconnect-Request, implementations MUST send a Disconnect-NAK; an
Error-Cause Attribute with value "Unsupported Attribute" MAY be
included.
As a result, documents that include provisioning of services within a
Disconnect-Request are inherently incompatible with RADIUS and need
to be redesigned.
As noted in <a href="./rfc5080#section-2.1.1">[RFC5080], Section 2.1.1</a>, a RADIUS Access-Request may not
contain user authentication attributes or a State Attribute linking
the Access-Request to an earlier user authentication. Such an
Access-Request, known as an authorization check, provides no
assurance that it corresponds to a live user. RADIUS specifications
defining attributes containing confidential information (such as
Tunnel-Password) should be careful to prohibit such attributes from
being returned in response to an authorization check. Also,
<a href="./rfc5080#section-2.1.1">[RFC5080], Section 2.1.1</a> notes that authentication mechanisms need to
tie a sequence of Access-Request/Access-Challenge packets together
into one authentication session. The State Attribute is RECOMMENDED
for this purpose.
While [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] did not require authentication and integrity
protection of RADIUS Access-Request packets, subsequent
authentication mechanism specifications, such as RADIUS/EAP [<a href="./rfc3579" title=""RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)"">RFC3579</a>]
and Digest Authentication [<a href="./rfc5090" title="which improperly uses two attributes from the standard space without having been assigned them by IANA. This self-allocation is forbidden">RFC5090</a>], have mandated authentication and
integrity protection for certain RADIUS packets. [<a href="./rfc5080" title=""Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes"">RFC5080</a>], <a href="#section-2.1.1">Section</a>
<a href="#section-2.1.1">2.1.1</a> makes this behavior RECOMMENDED for all Access-Request packets,
including Access-Request packets performing authorization checks. It
is expected that specifications for new RADIUS authentication
mechanisms will continue this practice.
The RADIUS protocol as defined in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] is a request-response
protocol spoken between RADIUS clients and servers. A single RADIUS
request packet ([<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>], [<a href="./rfc2866" title=""RADIUS Accounting"">RFC2866</a>], or [<a href="./rfc5176" title=""Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)"">RFC5176</a>]) will solicit in
response at most a single response packet, sent to the IP address and
port of the RADIUS client that originated the request. Changes to
this model are likely to require major revisions to existing
implementations, and this practice is NOT RECOMMENDED.
<span class="grey">DeKok & Weber Best Current Practice [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
The Length field in the RADIUS packet header is defined in <a href="./rfc2865#section-3">[RFC2865]
Section 3</a>. It is noted there that the maximum length of a RADIUS
packet is 4096 octets. As a result, attribute designers SHOULD NOT
assume that a RADIUS implementation can successfully process RADIUS
packets larger than 4096 octets.
Even when packets are less than 4096 octets, they may be larger than
the Path Maximum Transmission Unit (PMTU). Any packet larger than
the PMTU will be fragmented, making communications more brittle as
firewalls and filtering devices often discard fragments. Transport
of fragmented UDP packets appears to be a poorly tested code path on
network devices. Some devices appear to be incapable of transporting
fragmented UDP packets, making it difficult to deploy RADIUS in a
network where those devices are deployed. We RECOMMEND that RADIUS
messages be kept as small possible.
If a situation is envisaged where it may be necessary to carry
authentication, authorization, or accounting data in a packet larger
than 4096 octets, then one of the following approaches is
RECOMMENDED:
1. Utilization of a sequence of packets.
For RADIUS authentication, a sequence of Access-
Request/Access-Challenge packets would be used. For this to
be feasible, attribute designers need to enable inclusion of
attributes that can consume considerable space within Access-
Challenge packets. To maintain compatibility with existing
NASes, either the use of Access-Challenge packets needs to be
permissible (as with RADIUS/EAP, defined in [<a href="./rfc3579" title=""RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)"">RFC3579</a>]) or
support for receipt of an Access-Challenge needs to be
indicated by the NAS (as in RADIUS Location [<a href="./rfc5580" title=""Carrying Location Objects in RADIUS and Diameter"">RFC5580</a>]). Also,
the specification needs to clearly describe how attribute
splitting is to be signaled and how attributes included within
the sequence are to be interpreted, without requiring stateful
operation. Unfortunately, previous specifications have not
always exhibited the required foresight. For example, even
though very large filter rules are conceivable, the NAS-
Filter-Rule Attribute defined in [<a href="./rfc4849" title=""RADIUS Filter Rule Attribute"">RFC4849</a>] is not permitted in
an Access-Challenge packet, nor is a mechanism specified to
allow a set of NAS-Filter-Rule Attributes to be split across
an Access-Request/Access-Challenge sequence.
In the case of RADIUS accounting, transporting large amounts
of data would require a sequence of Accounting-Request
packets. This is a non-trivial change to RADIUS, since RADIUS
accounting clients would need to be modified to split the
<span class="grey">DeKok & Weber Best Current Practice [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
attribute stream across multiple Accounting-Requests, and
billing servers would need to be modified to reassemble and
interpret the attribute stream.
2. Utilization of names rather than values.
Where an attribute relates to a policy that could conceivably
be pre-provisioned on the NAS, then the name of the pre-
provisioned policy can be transmitted in an attribute rather
than the policy itself, which could be quite large. An
example of this is the Filter-Id Attribute defined in
<a href="./rfc2865#section-5.11">[RFC2865], Section 5.11</a>, which enables a set of pre-
provisioned filter rules to be referenced by name.
3. Utilization of Packetization Layer Path MTU Discovery
techniques, as specified in [<a href="./rfc4821" title=""Packetization Layer Path MTU Discovery"">RFC4821</a>].
As a last resort, where the above techniques cannot be made to
work, it may be possible to apply the techniques described in
[<a href="./rfc4821" title=""Packetization Layer Path MTU Discovery"">RFC4821</a>] to discover the maximum supported RADIUS packet size
on the path between a RADIUS client and a home server. While
such an approach can avoid the complexity of utilization of a
sequence of packets, dynamic discovery is likely to be time
consuming and cannot be guaranteed to work with existing
RADIUS implementations. As a result, this technique is not
generally applicable.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Data Model Issues</span>
While <a href="./rfc2865#section-5">[RFC2865], Section 5</a> defines basic data types, later
specifications did not follow this practice. This problem has led
implementations to define their own names for data types, resulting
in non-standard names for those types.
In addition, the number of vendors and SDOs creating new attributes
within the vendor space has grown, and this has led to some
divergence in approaches to RADIUS attribute design. For example,
vendors and SDOs have evolved the data model to support functions
such as new data types along with attribute grouping and attribute
fragmentation, with different groups taking different approaches.
These approaches are often incompatible, leading to additional
complexity in RADIUS implementations.
In order to avoid repeating old mistakes, this section describes the
history of the RADIUS data model and attempts to codify existing
practices.
<span class="grey">DeKok & Weber Best Current Practice [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
<span class="h4"><a class="selflink" id="section-3.2.1" href="#section-3.2.1">3.2.1</a>. Issues with Definitions of Types</span>
<a href="./rfc2865#section-5">[RFC2865], Section 5</a> explicitly defines five data types: text,
string, address, integer, and time. Both the names and
interpretations of the types are given.
Subsequent RADIUS specifications defined attributes by using type
names not defined in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>], without defining the new names as
done in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>]. They did not consistently indicate the format of
the value field using the same conventions as [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>]. As a
result, the data type is ambiguous in some cases and may not be
consistent among different implementations.
It is out of the scope of this document to resolve all potential
ambiguities within existing RADIUS specifications. However, in order
to prevent future ambiguities, it is RECOMMENDED that future RADIUS
attribute specifications explicitly define newly created data types
at the beginning of the document and indicate clearly the data type
to be used for each attribute.
For example, [<a href="./rfc3162" title=""RADIUS and IPv6"">RFC3162</a>] utilizes, but does not explicitly define, a
type that encapsulates an IPv6 address (Sections <a href="#section-2.1">2.1</a> and <a href="#section-2.4">2.4</a>) and
another type that encapsulates an IPv6 prefix (<a href="#section-2.3">Section 2.3</a>). The
IPv6 address attributes confusingly are referenced as type "Address"
in the document. This is a similar name as the "address" type
defined in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>], which was defined to refer solely to IPv4
addresses.
While the Framed-Interface-Id Attribute defined in [<a href="./rfc3162" title=""RADIUS and IPv6"">RFC3162</a>], <a href="#section-2.2">Section</a>
<a href="#section-2.2">2.2</a> included a value field of 8 octets, the data type was not
explicitly indicated; therefore, there is controversy over whether
the format of the data was intended to be an 8-octet String or
whether a special Interface-Id type was intended.
Given that attributes encapsulating an IPv6 address and an IPv6
prefix are already in use, it is RECOMMENDED that RADIUS server
implementations include support for these as basic types, in addition
to the types defined in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>]. Where the intent is to represent
a specific IPv6 address, an "IPv6 address" type SHOULD be used.
Although it is possible to use an "IPv6 Prefix" type with a prefix
length of 128 to represent an IPv6 address, this usage is NOT
RECOMMENDED. Implementations supporting the Framed-Interface-Id
Attribute may select a data type of their choosing (most likely an
8-octet String or a special "Interface Id" data type).
<span class="grey">DeKok & Weber Best Current Practice [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
It is worth noting that since RADIUS only supports unsigned integers
of 32 bits, attributes using signed integer data types or unsigned
integer types of other sizes will require code changes and SHOULD be
avoided.
For [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] RADIUS VSAs, the length limitation of the String and
Text types is 247 octets instead of 253 octets, due to the additional
overhead of the Vendor-Specific Attribute.
<span class="h4"><a class="selflink" id="section-3.2.2" href="#section-3.2.2">3.2.2</a>. Tagging Mechanism</span>
[<a id="ref-RFC2868">RFC2868</a>] defines an attribute grouping mechanism based on the use of
a one-octet tag value. Tunnel attributes that refer to the same
tunnel are grouped together by virtue of using the same tag value.
This tagging mechanism has some drawbacks. There are a limited
number of unique tags (31). The tags are not well suited for use
with arbitrary binary data values because it is not always possible
to tell if the first byte after the Length is the tag or the first
byte of the untagged value (assuming the tag is optional).
Other limitations of the tagging mechanism are that when integer
values are tagged, the value portion is reduced to three bytes,
meaning only 24-bit numbers can be represented. The tagging
mechanism does not offer an ability to create nested groups of
attributes. Some RADIUS implementations treat tagged attributes as
having the additional data types tagged-string and tagged-integer.
These types increase the complexity of implementing and managing
RADIUS systems.
For these reasons, the tagging scheme described in <a href="./rfc2868">RFC 2868</a> is NOT
RECOMMENDED for use as a generic grouping mechanism.
<span class="h4"><a class="selflink" id="section-3.2.3" href="#section-3.2.3">3.2.3</a>. Complex Data Types</span>
As described in this section, the creation of complex types can lead
to interoperability and deployment issues, so they need to be
introduced with care. For example, the RADIUS attribute encoding is
summarized in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>]:
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
<span class="grey">DeKok & Weber Best Current Practice [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
However, some standard attributes pack multiple sub-fields into the
"Value" field, resulting in the creation a non-standard, i.e.,
complex, type. Separating these sub-fields into different
attributes, each with its own type and length, would have the
following benefits:
* When manual data entry is required, it is easier for an
administrator to enter the data as well-known types rather than
as complex structures.
* It enables additional error checking by leveraging the parsing
and validation routines for well-known types.
* It simplifies implementations by eliminating special-case,
attribute-specific parsing.
One of the fundamental goals of the RADIUS protocol design was to
allow RADIUS servers to be configured to support new attributes,
without requiring server code changes. RADIUS server implementations
typically provide support for basic data types and define attributes
in a data dictionary. This architecture enables a new attribute to
be supported by the addition of a dictionary entry, without requiring
other RADIUS server code changes.
Code changes can also be required in policy management systems and in
the RADIUS server's receive path. These changes are due to
limitations in RADIUS server policy languages, which commonly provide
for limited operations (such as comparisons or arithmetic operations)
on the existing data types. Many existing RADIUS policy languages
typically are not capable of parsing sub-elements or providing more
sophisticated matching functionality.
On the RADIUS client, code changes are typically required in order to
implement a new attribute. The RADIUS client typically has to
compose the attribute dynamically when sending. When receiving, a
RADIUS client needs to be able to parse the attribute and carry out
the requested service. As a result, a detailed understanding of the
new attribute is required on clients, and data dictionaries are less
useful on clients than on servers.
Given these limitations, the introduction of new types can require
code changes on the RADIUS server, which would be unnecessary if
basic data types had been used instead. In addition, if "ad hoc"
types are used, attribute-specific parsing is required, which means
more complex software to develop and maintain. More complexity can
lead to more error-prone implementations, interoperability problems,
<span class="grey">DeKok & Weber Best Current Practice [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
and even security vulnerabilities. These issues can increase costs
to network administrators as well as reduce reliability and introduce
deployment barriers.
<span class="h4"><a class="selflink" id="section-3.2.4" href="#section-3.2.4">3.2.4</a>. Complex Data Type Exceptions</span>
As described in <a href="#section-2.1">Section 2.1</a>, the introduction of complex data types
is discouraged where viable alternatives are available. A potential
exception is attributes that inherently require code changes on both
the client and server. For example, as described in <a href="#appendix-B">Appendix B</a>,
complex attributes have been used in situations involving
authentication and security attributes, which need to be dynamically
computed and verified. Supporting this functionality requires code
changes on both the RADIUS client and server, regardless of the
attribute format. As a result, in most cases, the use of complex
attributes to represent these methods is acceptable and does not
create additional interoperability or deployment issues.
Another exception to the recommendation against complex types is for
types that can be treated as opaque data by the RADIUS server. For
example, the EAP-Message Attribute, defined in [<a href="./rfc3579" title=""RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)"">RFC3579</a>], <a href="#section-3.1">Section</a>
<a href="#section-3.1">3.1</a>, contains a complex data type that is an Extensible
Authentication Protocol (EAP) packet. Since these complex types do
not need to be parsed by the RADIUS server, the issues arising from
server limitations do not arise. Similarly, since attributes of
these complex types can be configured on the server using a data type
of String, dictionary limitations are also not encountered. <a href="#appendix-A.1">Appendix</a>
<a href="#appendix-A.1">A.1</a> includes a series of checklists that may be used to analyze a
design for RECOMMENDED and NOT RECOMMENDED behavior in relation to
complex types.
If the RADIUS Server simply passes the contents of an attribute to
some non-RADIUS portion of the network, then the data is opaque to
RADIUS and SHOULD be defined to be of type String. A concrete way of
judging this requirement is whether or not the attribute definition
in the RADIUS document contains delineated fields for sub-parts of
the data. If those fields need to be delineated in RADIUS, then the
data is not opaque to RADIUS, and it SHOULD be separated into
individual RADIUS attributes.
An examination of existing RADIUS RFCs discloses a number of complex
attributes that have already been defined. <a href="#appendix-B">Appendix B</a> includes a
listing of complex attributes used within [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>], [<a href="./rfc2868" title=""RADIUS Attributes for Tunnel Protocol Support"">RFC2868</a>],
[<a href="./rfc2869" title=""RADIUS Extensions"">RFC2869</a>], [<a href="./rfc3162" title=""RADIUS and IPv6"">RFC3162</a>], [<a href="./rfc4818" title=""RADIUS Delegated-IPv6-Prefix Attribute"">RFC4818</a>], and [<a href="./rfc4675" title=""RADIUS Attributes for Virtual LAN and Priority Support"">RFC4675</a>]. The discussion of
these attributes includes reasons why a complex type is acceptable or
suggestions for how the attribute could have been defined to follow
the RADIUS data model.
<span class="grey">DeKok & Weber Best Current Practice [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
In other cases, the data in the complex type are described textually
in a specification. This is possible because the data types are not
sent within the attributes but are a matter for endpoint
interpretation. An implementation can define additional data types
and use these data types today by matching them to the attribute's
textual definition.
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. Vendor Space</span>
The usage model for RADIUS VSAs is described in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>], <a href="#section-6.2">Section</a>
<a href="#section-6.2">6.2</a>:
Note that RADIUS defines a mechanism for Vendor-Specific
extensions (Attribute 26) and the use of that should be encouraged
instead of allocation of global attribute types, for functions
specific only to one vendor's implementation of RADIUS, where no
interoperability is deemed useful.
Nevertheless, many new attributes have been defined in the vendor
space in situations where interoperability is not only useful but is
required. For example, SDOs outside the IETF (such as the IEEE 802
and the 3rd Generation Partnership Project (3GPP)) have been assigned
Vendor-Ids, enabling them to define their own VSA encoding and assign
Vendor types within their own vendor space, as defined by their
unique Vendor-Id.
The use of VSAs by SDOs outside the IETF has gained in popularity for
several reasons:
Efficiency
As with SNMP, which defines an "Enterprise" Object Identifier
(OID) space suitable for use by vendors as well as other SDOs, the
definition of Vendor-Specific Attributes has become a common
occurrence as part of standards activity outside the IETF. For
reasons of efficiency, it is easiest if the RADIUS attributes
required to manage a standard are developed within the same SDO
that develops the standard itself. As noted in "Transferring MIB
Work from IETF Bridge MIB WG to IEEE 802.1 WG" [<a href="./rfc4663" title=""Transferring MIB Work from IETF Bridge MIB WG to IEEE 802.1 WG"">RFC4663</a>], today
few vendors are willing to simultaneously fund individuals to
participate within an SDO to complete a standard as well as to
participate in the IETF in order to complete the associated RADIUS
attributes specification.
Attribute scarcity
The standard space is limited to 255 unique attributes. Of these,
only about half remain available for allocation. In the vendor
space, the number of attributes available is a function of the
encoding of the attribute (the size of the Vendor type field).
<span class="grey">DeKok & Weber Best Current Practice [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
<span class="h4"><a class="selflink" id="section-3.3.1" href="#section-3.3.1">3.3.1</a>. Interoperability Considerations</span>
Vendors and SDOs are reminded that the standard space and the
enumerated value space for enumerated attributes are reserved for
allocation through work published via the IETF, as noted in
<a href="./rfc3575#section-2.1">[RFC3575], Section 2.1</a>. In the past, some vendors and SDOs have
assigned vendor-specific meaning to "unused" values from the standard
space. This process results in interoperability issues and is
counterproductive. Similarly, the vendor-specific enumeration
practice discussed in <a href="./rfc2882#section-2.2.1">[RFC2882], Section 2.2.1</a> is NOT RECOMMENDED.
If it is not possible to follow the IETF process, vendors and SDOs
SHOULD self-allocate an attribute, which MUST be in their own vendor
space as defined by their unique Vendor-Id, as discussed in Sections
3.3.2 and 3.3.3.
The design and specification of VSAs for multi-vendor usage SHOULD be
undertaken with the same level of care as standard RADIUS attributes.
Specifically, the provisions of this document that apply to standard
RADIUS attributes also apply to VSAs for multi-vendor usage.
<span class="h4"><a class="selflink" id="section-3.3.2" href="#section-3.3.2">3.3.2</a>. Vendor Allocations</span>
As noted in <a href="./rfc3575#section-2.1">[RFC3575], Section 2.1</a>, vendors are encouraged to utilize
VSAs to define functions "specific only to one vendor's
implementation of RADIUS, where no interoperability is deemed useful.
For functions specific only to one vendor's implementation of RADIUS,
the use of that should be encouraged instead of the allocation of
global attribute types".
The recommendation for vendors to allocate attributes from a vendor
space rather than via the IETF process is a recognition that vendors
desire to assert change control over their own RADIUS specifications.
This change control can be obtained by requesting a PEN from the
Internet Assigned Number Authority (IANA) for use as a Vendor-Id
within a Vendor-Specific Attribute. The vendor can then allocate
attributes within the vendor space defined by that Vendor-Id at their
sole discretion. Similarly, the use of data types (complex or
otherwise) within that vendor space is solely under the discretion of
the vendor.
<span class="h4"><a class="selflink" id="section-3.3.3" href="#section-3.3.3">3.3.3</a>. SDO Allocations</span>
Given the expanded utilization of RADIUS, it has become apparent that
requiring SDOs to accomplish all their RADIUS work within the IETF is
inherently inefficient and unscalable. It is therefore RECOMMENDED
<span class="grey">DeKok & Weber Best Current Practice [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
that SDO RADIUS Attribute specifications allocate attributes from the
vendor space rather than request an allocation from the RADIUS
standard space for attributes matching any of the following criteria:
* Attributes relying on data types not defined within RADIUS
* Attributes intended primarily for use within an SDO
* Attributes intended primarily for use within a group of SDOs
Any new RADIUS attributes or values intended for interoperable use
across a broad spectrum of the Internet community SHOULD follow the
allocation process defined in [<a href="./rfc3575" title=""IANA Considerations for RADIUS (Remote Authentication Dial In User Service)"">RFC3575</a>].
The recommendation for SDOs to allocate attributes from a vendor
space rather than via the IETF process is a recognition that SDOs
desire to assert change control over their own RADIUS specifications.
This change control can be obtained by requesting a PEN from the
Internet Assigned Number Authority (IANA) for use as a Vendor-Id
within a Vendor-Specific Attribute. The SDO can then allocate
attributes within the vendor space defined by that Vendor-Id at their
sole discretion. Similarly, the use of data types (complex or
otherwise) within that vendor space is solely under the discretion of
the SDO.
<span class="h3"><a class="selflink" id="section-3.4" href="#section-3.4">3.4</a>. Polymorphic Attributes</span>
A polymorphic attribute is one whose format or meaning is dynamic.
For example, rather than using a fixed data format, an attribute's
format might change based on the contents of another attribute. Or,
the meaning of an attribute may depend on earlier packets in a
sequence.
RADIUS server dictionary entries are typically static, enabling the
user to enter the contents of an attribute without support for
changing the format based on dynamic conditions. However, this
limitation on static types does not prevent implementations from
implementing policies that return different attributes based on the
contents of received attributes; this is a common feature of existing
RADIUS implementations.
In general, polymorphism is NOT RECOMMENDED. Polymorphism rarely
enables capabilities that would not be available through use of
multiple attributes. Polymorphism requires code changes in the
RADIUS server in situations where attributes with fixed formats would
not require such changes. Thus, polymorphism increases complexity
while decreasing generality, without delivering any corresponding
benefits.
<span class="grey">DeKok & Weber Best Current Practice [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
Note that changing an attribute's format dynamically is not the same
thing as using a fixed format and computing the attribute itself
dynamically. RADIUS authentication attributes, such as User-
Password, EAP-Message, etc., while being computed dynamically, use a
fixed format.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. IANA Considerations</span>
This document has no action items for IANA. However, it does provide
guidelines for Expert Reviewers appointed as described in [<a href="./rfc3575" title=""IANA Considerations for RADIUS (Remote Authentication Dial In User Service)"">RFC3575</a>].
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Security Considerations</span>
This specification provides guidelines for the design of RADIUS
attributes used in authentication, authorization, and accounting.
Threats and security issues for this application are described in
[<a href="./rfc3579" title=""RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)"">RFC3579</a>] and [<a href="./rfc3580" title=""IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines"">RFC3580</a>]; security issues encountered in roaming are
described in [<a href="./rfc2607" title=""Proxy Chaining and Policy Implementation in Roaming"">RFC2607</a>].
Obfuscation of RADIUS attributes on a per-attribute basis is
necessary in some cases. The current standard mechanism for this is
described in <a href="./rfc2865#section-5.2">[RFC2865], Section 5.2</a> (for obscuring User-Password
values) and is based on the MD5 algorithm specified in [<a href="./rfc1321" title=""The MD5 Message-Digest Algorithm"">RFC1321</a>].
The MD5 and SHA-1 algorithms have recently become a focus of scrutiny
and concern in security circles, and as a result, the use of these
algorithms in new attributes is NOT RECOMMENDED. In addition,
previous documents referred to this method as generating "encrypted"
data. This terminology is no longer accepted within the
cryptographic community.
Where new RADIUS attributes use cryptographic algorithms, algorithm
negotiation SHOULD be supported. Specification of a mandatory-to-
implement algorithm is REQUIRED, and it is RECOMMENDED that the
mandatory-to-implement algorithm be certifiable under FIPS 140
[<a href="#ref-FIPS" title=""Security Requirements for Cryptographic Modules"">FIPS</a>].
Where new RADIUS attributes encapsulate complex data types, or
transport opaque data, the security considerations discussed in
<a href="#section-5.1">Section 5.1</a> SHOULD be addressed.
Message authentication in RADIUS is provided largely via the Message-
Authenticator attribute. See <a href="./rfc3579#section-3.2">Section 3.2 of [RFC3579]</a> and also
<a href="./rfc5080#section-2.2.2">Section 2.2.2 of [RFC5080]</a>, which say that client implementations
SHOULD include a Message-Authenticator Attribute in every Access-
Request.
<span class="grey">DeKok & Weber Best Current Practice [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
In general, the security of the RADIUS protocol is poor. Robust
deployments SHOULD support a secure communications protocol such as
IPsec. See <a href="./rfc3579#section-4">Section 4 of [RFC3579]</a> and <a href="./rfc3580#section-5">Section 5 of [RFC3580]</a> for a
more in-depth explanation of these issues.
Implementations not following the suggestions outlined in this
document may be subject to problems such as ambiguous protocol
decoding, packet loss leading to loss of billing information, and
denial-of-service attacks.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. New Data Types and Complex Attributes</span>
The introduction of complex data types brings the potential for the
introduction of new security vulnerabilities. Experience shows that
the common data types have few security vulnerabilities, or else that
all known issues have been found and fixed. New data types require
new code, which may introduce new bugs and therefore new attack
vectors.
Some systems permit complex attributes to be defined via a method
that is more capable than traditional RADIUS dictionaries. These
systems can reduce the security threat of new types significantly,
but they do not remove it entirely.
RADIUS servers are highly valued targets, as they control network
access and interact with databases that store usernames and
passwords. An extreme outcome of a vulnerability due to a new,
complex type would be that an attacker is capable of taking complete
control over the RADIUS server.
The use of attributes representing opaque data does not reduce this
threat. The threat merely moves from the RADIUS server to the system
that consumes that opaque data. The threat is particularly severe
when the opaque data originates from the user and is not validated by
the NAS. In those cases, the RADIUS server is potentially exposed to
attack by malware residing on an unauthenticated host.
Any system consuming opaque data that originates from a RADIUS system
SHOULD be properly isolated from that RADIUS system and SHOULD run
with minimal privileges. Any potential vulnerabilities in the non-
RADIUS system will then have minimal impact on the security of the
system as a whole.
<span class="grey">DeKok & Weber Best Current Practice [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. References</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC2865">RFC2865</a>] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
<a href="./rfc2865">RFC 2865</a>, June 2000.
[<a id="ref-RFC3575">RFC3575</a>] Aboba, B., "IANA Considerations for RADIUS (Remote
Authentication Dial In User Service)", <a href="./rfc3575">RFC 3575</a>, July
2003.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Informative References</span>
[<a id="ref-RFC1155">RFC1155</a>] Rose, M. and K. McCloghrie, "Structure and
identification of management information for TCP/IP-
based internets", STD 16, <a href="./rfc1155">RFC 1155</a>, May 1990.
[<a id="ref-RFC1157">RFC1157</a>] Case, J., Fedor, M., Schoffstall, M., and J. Davin,
"Simple Network Management Protocol (SNMP)", <a href="./rfc1157">RFC 1157</a>,
May 1990.
[<a id="ref-RFC1321">RFC1321</a>] Rivest, R., "The MD5 Message-Digest Algorithm", <a href="./rfc1321">RFC</a>
<a href="./rfc1321">1321</a>, April 1992.
[<a id="ref-RFC2548">RFC2548</a>] Zorn, G., "Microsoft Vendor-specific RADIUS
Attributes", <a href="./rfc2548">RFC 2548</a>, March 1999.
[<a id="ref-RFC2607">RFC2607</a>] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
Implementation in Roaming", <a href="./rfc2607">RFC 2607</a>, June 1999.
[<a id="ref-RFC2866">RFC2866</a>] Rigney, C., "RADIUS Accounting", <a href="./rfc2866">RFC 2866</a>, June 2000.
[<a id="ref-RFC2868">RFC2868</a>] Zorn, G., Leifer, D., Rubens, A., Shriver, J.,
Holdrege, M., and I. Goyret, "RADIUS Attributes for
Tunnel Protocol Support", <a href="./rfc2868">RFC 2868</a>, June 2000.
[<a id="ref-RFC2869">RFC2869</a>] Rigney, C., Willats, W., and P. Calhoun, "RADIUS
Extensions", <a href="./rfc2869">RFC 2869</a>, June 2000.
[<a id="ref-RFC2882">RFC2882</a>] Mitton, D., "Network Access Servers Requirements:
Extended RADIUS Practices", <a href="./rfc2882">RFC 2882</a>, July 2000.
[<a id="ref-RFC3162">RFC3162</a>] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6",
<a href="./rfc3162">RFC 3162</a>, August 2001.
<span class="grey">DeKok & Weber Best Current Practice [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
[<a id="ref-RFC3579">RFC3579</a>] Aboba, B. and P. Calhoun, "RADIUS (Remote
Authentication Dial In User Service) Support For
Extensible Authentication Protocol (EAP)", <a href="./rfc3579">RFC 3579</a>,
September 2003.
[<a id="ref-RFC3580">RFC3580</a>] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J.
Roese, "IEEE 802.1X Remote Authentication Dial In User
Service (RADIUS) Usage Guidelines", <a href="./rfc3580">RFC 3580</a>, September
2003.
[<a id="ref-RFC3629">RFC3629</a>] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, <a href="./rfc3629">RFC 3629</a>, November 2003.
[<a id="ref-RFC4181">RFC4181</a>] Heard, C., Ed., "Guidelines for Authors and Reviewers
of MIB Documents", <a href="https://www.rfc-editor.org/bcp/bcp111">BCP 111</a>, <a href="./rfc4181">RFC 4181</a>, September 2005.
[<a id="ref-RFC4663">RFC4663</a>] Harrington, D., "Transferring MIB Work from IETF Bridge
MIB WG to IEEE 802.1 WG", <a href="./rfc4663">RFC 4663</a>, September 2006.
[<a id="ref-RFC4675">RFC4675</a>] Congdon, P., Sanchez, M., and B. Aboba, "RADIUS
Attributes for Virtual LAN and Priority Support", <a href="./rfc4675">RFC</a>
<a href="./rfc4675">4675</a>, September 2006.
[<a id="ref-RFC4679">RFC4679</a>] Mammoliti, V., Zorn, G., Arberg, P., and R. Rennison,
"DSL Forum Vendor-Specific RADIUS Attributes", <a href="./rfc4679">RFC</a>
<a href="./rfc4679">4679</a>, September 2006.
[<a id="ref-RFC4818">RFC4818</a>] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix
Attribute", <a href="./rfc4818">RFC 4818</a>, April 2007.
[<a id="ref-RFC4821">RFC4821</a>] Mathis, M. and J. Heffner, "Packetization Layer Path
MTU Discovery", <a href="./rfc4821">RFC 4821</a>, March 2007.
[<a id="ref-RFC4849">RFC4849</a>] Congdon, P., Sanchez, M., and B. Aboba, "RADIUS Filter
Rule Attribute", <a href="./rfc4849">RFC 4849</a>, April 2007.
[<a id="ref-RFC5080">RFC5080</a>] Nelson, D. and A. DeKok, "Common Remote Authentication
Dial In User Service (RADIUS) Implementation Issues and
Suggested Fixes", <a href="./rfc5080">RFC 5080</a>, December 2007.
[<a id="ref-RFC5090">RFC5090</a>] Sterman, B., Sadolevsky, D., Schwartz, D., Williams,
D., and W. Beck, "RADIUS Extension for Digest
Authentication", <a href="./rfc5090">RFC 5090</a>, February 2008.
[<a id="ref-RFC5176">RFC5176</a>] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
Aboba, "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", <a href="./rfc5176">RFC</a>
<a href="./rfc5176">5176</a>, January 2008.
<span class="grey">DeKok & Weber Best Current Practice [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
[<a id="ref-DOCTORS">DOCTORS</a>] AAA Doctors Mailing List, www.ietf.org/mail-
archive/web/aaa-doctors.
[<a id="ref-FIPS">FIPS</a>] FIPS 140-3 (DRAFT), "Security Requirements for
Cryptographic Modules",
<a href="http://csrc.nist.gov/publications/PubsFIPS.html">http://csrc.nist.gov/publications/PubsFIPS.html</a>.
[<a id="ref-IEEE-802.1Q">IEEE-802.1Q</a>] IEEE Standards for Local and Metropolitan Area
Networks: Draft Standard for Virtual Bridged Local Area
Networks, P802.1Q-2003, January 2003.
[<a id="ref-RFC5580">RFC5580</a>] Tschofenig, H., Ed., Adrangi, F., Jones, M., Lior, A.,
and B. Aboba, "Carrying Location Objects in RADIUS and
Diameter", <a href="./rfc5580">RFC 5580</a>, August 2009.
[<a id="ref-AAA-SIP">AAA-SIP</a>] Sterman, B., Sadolevsky, D., Schwartz, D., Williams,
D., and W. Beck, "RADIUS Extension for Digest
Authentication", Work in Progress, November 2004.
<span class="grey">DeKok & Weber Best Current Practice [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Design Guidelines Checklist</span>
The following text provides guidelines for the design of attributes
used by the RADIUS protocol. Specifications that follow these
guidelines are expected to achieve maximum interoperability with
minimal changes to existing systems.
<span class="h3"><a class="selflink" id="appendix-A.1" href="#appendix-A.1">A.1</a>. Types Matching the RADIUS Data Model</span>
<span class="h4"><a class="selflink" id="appendix-A.1.1" href="#appendix-A.1.1">A.1.1</a>. Transport of Basic Data Types</span>
Does the data fit within the basic data types described in <a href="#section-2.1">Section</a>
<a href="#section-2.1">2.1</a>? If so, it SHOULD be encapsulated in a [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] format RADIUS
attribute or in a [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] format RADIUS VSA that uses one of the
existing RADIUS data types.
<span class="h4"><a class="selflink" id="appendix-A.1.2" href="#appendix-A.1.2">A.1.2</a>. Transport of Authentication and Security Data</span>
Does the data provide authentication and/or security capabilities for
the RADIUS protocol as outlined below? If so, use of a complex data
type is acceptable under the following circumstances:
* Complex data types that carry authentication methods that RADIUS
servers are expected to parse and verify as part of an
authentication process.
* Complex data types that carry security information intended to
increase the security of the RADIUS protocol itself.
Any data type carrying authentication and/or security data that is
not meant to be parsed by a RADIUS server is an "opaque data type",
as defined in Section A.1.3.
<span class="h4"><a class="selflink" id="appendix-A.1.3" href="#appendix-A.1.3">A.1.3</a>. Opaque Data Types</span>
Does the attribute encapsulate an existing data structure defined
outside of the RADIUS specifications? Can the attribute be treated
as opaque data by RADIUS servers (including proxies)? If both
questions can be answered affirmatively, a complex structure MAY be
used in a RADIUS specification.
The specification of the attribute SHOULD define the encapsulating
attribute to be of type String. The specification SHOULD refer to an
external document defining the structure. The specification SHOULD
NOT define or describe the structure, for reasons discussed in
<a href="#section-3.2.3">Section 3.2.3</a>.
<span class="grey">DeKok & Weber Best Current Practice [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
<span class="h4"><a class="selflink" id="appendix-A.1.4" href="#appendix-A.1.4">A.1.4</a>. Pre-Existing Data Types</span>
There is a trade-off in design between reusing existing formats for
historical compatibility or choosing new formats for a "better"
design. This trade-off does not always require the "better" design
to be used. As a result, pre-existing complex data types described
in <a href="#appendix-B">Appendix B</a> MAY be used.
<span class="h3"><a class="selflink" id="appendix-A.2" href="#appendix-A.2">A.2</a>. Improper Data Types</span>
This section suggests alternatives to data types that do not fall
within the "basic data type" definition. Section A.2.1 describes
simple data types, which should be replaced by basic data types.
Section A.2.2 describes more complex data types, which should be
replaced by multiple attributes using the basic data types.
<span class="h4"><a class="selflink" id="appendix-A.2.1" href="#appendix-A.2.1">A.2.1</a>. Simple Data Types</span>
Does the attribute use any of the following data types? If so, the
data type SHOULD be replaced with the suggested alternatives, or it
SHOULD NOT be used at all.
* Signed integers of any size.
SHOULD NOT be used. SHOULD be replaced with one or more
unsigned integer attributes. The definition of the attribute
can contain information that would otherwise go into the sign
value of the integer.
* 8-bit unsigned integers.
SHOULD be replaced with 32-bit unsigned integer. There is
insufficient justification to save three bytes.
* 16-bit unsigned integers.
SHOULD be replaced with 32-bit unsigned integer. There is
insufficient justification to save two bytes.
* Unsigned integers of size other than 32 bits.
SHOULD be replaced by an unsigned integer of 32 bits. There is
insufficient justification to define a new size of integer.
* Integers of any size in non-network byte order.
SHOULD be replaced by unsigned integer of 32 bits in network.
There is no reason to transport integers in any format other
than network byte order.
* Multi-field text strings.
Each field SHOULD be encapsulated in a separate attribute.
<span class="grey">DeKok & Weber Best Current Practice [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
* Polymorphic attributes.
Multiple attributes, each with a static data type, SHOULD be
defined instead.
* Nested attribute-value pairs (AVPs).
Attributes should be defined in a flat typespace.
<span class="h4"><a class="selflink" id="appendix-A.2.2" href="#appendix-A.2.2">A.2.2</a>. More Complex Data Types</span>
Does the attribute:
* define a complex data type not described in <a href="#appendix-B">Appendix B</a>?
* that a RADIUS server and/or client is expected to parse,
validate, or create the contents of via a dynamic computation
(i.e., a type that cannot be treated as opaque data (Section
A.1.3))?
* involve functionality that could be implemented without code
changes on both the client and server (i.e., a type that doesn't
require dynamic computation and verification, such as those
performed for authentication or security attributes)?
If so, this data type SHOULD be replaced with simpler types, as
discussed in <a href="#appendix-A.2.1">Appendix A.2.1</a>. See also <a href="#section-2.1">Section 2.1</a> for a discussion
of why complex types are problematic.
<span class="h3"><a class="selflink" id="appendix-A.3" href="#appendix-A.3">A.3</a>. Vendor-Specific Formats</span>
Does the specification contain Vendor-Specific Attributes that match
any of the following criteria? If so, the VSA encoding should be
replaced with the <a href="./rfc2865#section-5.26">[RFC2865], Section 5.26</a> encoding or should not be
used at all.
* Vendor types of more than 8 bits.
SHOULD NOT be used. Vendor types of 8 bits SHOULD be used
instead.
* Vendor lengths of less than 8 bits (i.e., zero bits).
SHOULD NOT be used. Vendor lengths of 8 bits SHOULD be used
instead.
* Vendor lengths of more than 8 bits.
SHOULD NOT be used. Vendor lengths of 8 bits SHOULD be used
instead.
<span class="grey">DeKok & Weber Best Current Practice [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
* Vendor-specific contents that are not in Type-Length-Value
format.
SHOULD NOT be used. Vendor-Specific Attributes SHOULD be in
Type-Length-Value format.
In general, Vendor-Specific Attributes SHOULD follow the encoding
suggested in <a href="./rfc2865#section-5.26">Section 5.26 of [RFC2865]</a>. Vendor extensions to non-
standard encodings are NOT RECOMMENDED as they can negatively affect
interoperability.
<span class="h3"><a class="selflink" id="appendix-A.4" href="#appendix-A.4">A.4</a>. Changes to the RADIUS Operational Model</span>
Does the specification change the RADIUS operation model as outlined
in the list below? If so, then another method of achieving the
design objectives SHOULD be used. Potential problem areas include
the following:
* Defining new commands in RADIUS using attributes.
The addition of new commands to RADIUS MUST be handled via
allocation of a new Code and not by the use of an attribute.
This restriction includes new commands created by overloading
the Service-Type Attribute to define new values that modify the
functionality of Access-Request packets.
* Using RADIUS as a transport protocol for data unrelated to
authentication, authorization, or accounting.
Using RADIUS to transport authentication methods such as EAP is
explicitly permitted, even if those methods require the
transport of relatively large amounts of data. Transport of
opaque data relating to AAA is also permitted, as discussed in
<a href="#section-3.2.3">Section 3.2.3</a>. However, if the specification does not relate to
AAA, then RADIUS SHOULD NOT be used.
* Assuming support for packet lengths greater than 4096 octets.
Attribute designers cannot assume that RADIUS implementations
can successfully handle packets larger than 4096 octets. If a
specification could lead to a RADIUS packet larger than 4096
octets, then the alternatives described in <a href="#section-3.3">Section 3.3</a> SHOULD be
considered.
* Stateless operation.
The RADIUS protocol is stateless, and documents that require
stateful protocol behavior without the use of the State
Attribute need to be redesigned.
<span class="grey">DeKok & Weber Best Current Practice [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
* Provisioning of service in an Access-Reject.
Such provisioning is not permitted, and MUST NOT be used. If
limited access needs to be provided, then an Access-Accept with
appropriate authorizations can be used instead.
* Provisioning of service in a Disconnect-Request.
Such provisioning is not permitted and MUST NOT be used. If
limited access needs to be provided, then a CoA-Request
[<a href="./rfc5176" title=""Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)"">RFC5176</a>] with appropriate authorizations can be used instead.
* Lack of user authentication or authorization restrictions.
In an authorization check, where there is no demonstration of a
live user, confidential data cannot be returned. Where there is
a link to a previous user authentication, the State Attribute
SHOULD be present.
* Lack of per-packet integrity and authentication.
It is expected that documents will support per-packet integrity
and authentication.
* Modification of RADIUS packet sequences.
In RADIUS, each request is encapsulated in its own packet and
elicits a single response that is sent to the requester. Since
changes to this paradigm are likely to require major
modifications to RADIUS client and server implementations, they
SHOULD be avoided if possible.
For further details, see <a href="#section-3.1">Section 3.1</a>.
<span class="h3"><a class="selflink" id="appendix-A.5" href="#appendix-A.5">A.5</a>. Allocation of Attributes</span>
Does the attribute have a limited scope of applicability as outlined
below? If so, then the attributes SHOULD be allocated from the
vendor space rather than requesting allocation from the standard
space.
* attributes intended for a vendor to support their own systems
and not suitable for general usage
* attributes relying on data types not defined within RADIUS
* attributes intended primarily for use within an SDO
* attributes intended primarily for use within a group of SDOs
Note that the points listed above do not relax the recommendations
discussed in this document. Instead, they recognize that the RADIUS
data model has limitations. In certain situations where
<span class="grey">DeKok & Weber Best Current Practice [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
interoperability can be strongly constrained by the SDO or vendor, an
expanded data model MAY be used. It is RECOMMENDED, however, that
the RADIUS data model be used, even when it is marginally less
efficient than alternatives.
When attributes are used primarily within a group of SDOs, and are
not applicable to the wider Internet community, we expect that one
SDO will be responsible for allocation from their own private vendor
space.
<span class="h2"><a class="selflink" id="appendix-B" href="#appendix-B">Appendix B</a>. Complex Attributes</span>
This appendix summarizes RADIUS attributes with complex data types
that are defined in existing RFCs.
This appendix is published for informational purposes only and
reflects the usage of attributes with complex data types at the time
of the publication of this document.
<span class="h3"><a class="selflink" id="appendix-B.1" href="#appendix-B.1">B.1</a>. CHAP-Password</span>
<a href="./rfc2865#section-5.3">[RFC2865], Section 5.3</a> defines the CHAP-Password Attribute, which is
sent from the RADIUS client to the RADIUS server in an Access-
Request. The data type of the CHAP Identifier is not given, only the
one-octet length:
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | CHAP Ident | String ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Since this is an authentication attribute, code changes are required
on the RADIUS client and server to support it, regardless of the
attribute format. Therefore, this complex data type is acceptable in
this situation.
<span class="h3"><a class="selflink" id="appendix-B.2" href="#appendix-B.2">B.2</a>. CHAP-Challenge</span>
<a href="./rfc2865#section-5.40">[RFC2865], Section 5.40</a> defines the CHAP-Challenge Attribute, which
is sent from the RADIUS client to the RADIUS server in an Access-
Request. While the data type of the CHAP Identifier is given, the
text also says:
If the CHAP challenge value is 16 octets long it MAY be placed in
the Request Authenticator field instead of using this attribute.
<span class="grey">DeKok & Weber Best Current Practice [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
Defining attributes to contain values taken from the RADIUS packet
header is NOT RECOMMENDED. Attributes should have values that are
packed into a RADIUS AVP.
<span class="h3"><a class="selflink" id="appendix-B.3" href="#appendix-B.3">B.3</a>. Tunnel-Password</span>
<a href="./rfc2868#section-3.5">[RFC2868], Section 3.5</a> defines the Tunnel-Password Attribute, which
is sent from the RADIUS server to the client in an Access-Accept.
This attribute includes Tag and Salt fields, as well as a String
field that consists of three logical sub-fields: the Data-Length
(required and one octet), Password sub-fields (required), and the
optional Padding sub-field. The attribute appears as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Tag | Salt
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Salt (cont) | String ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Since this is a security attribute, code changes are required on the
RADIUS client and server to support it, regardless of the attribute
format. However, while use of a complex data type is acceptable in
this situation, the design of the Tunnel-Password Attribute is
problematic from a security perspective since it uses MD5 as a cipher
and provides a password to a NAS, potentially without proper
authorization.
<span class="h3"><a class="selflink" id="appendix-B.4" href="#appendix-B.4">B.4</a>. ARAP-Password</span>
<a href="./rfc2869#section-5.4">[RFC2869], Section 5.4</a> defines the ARAP-Password Attribute, which is
sent from the RADIUS client to the server in an Access-Request. It
contains four 4-octet values instead of having a single Value field:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value2
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value4
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
<span class="grey">DeKok & Weber Best Current Practice [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
As with the CHAP-Password Attribute, this is an authentication
attribute that would have required code changes on the RADIUS client
and server, regardless of format.
<span class="h3"><a class="selflink" id="appendix-B.5" href="#appendix-B.5">B.5</a>. ARAP-Features</span>
<a href="./rfc2869#section-5.5">[RFC2869], Section 5.5</a> defines the ARAP-Features Attribute, which is
sent from the RADIUS server to the client in an Access-Accept or
Access-Challenge. It contains a compound string of two single octet
values, plus three 4-octet values, which the RADIUS client
encapsulates in a feature flags packet in the Apple Remote Access
Protocol (ARAP):
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value1 | Value2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value3 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value5 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Unlike the previous attributes, this attribute contains no encrypted
component, nor is it directly involved in authentication. The
individual sub-fields therefore could have been encapsulated in
separate attributes.
While the contents of this attribute are intended to be placed in an
ARAP packet, the fields need to be set by the RADIUS server. Using
standard RADIUS data types would have simplified RADIUS server
implementations and subsequent management. The current form of the
attribute requires either the RADIUS server implementation or the
RADIUS server administrator to understand the internals of the ARAP
protocol.
<span class="h3"><a class="selflink" id="appendix-B.6" href="#appendix-B.6">B.6</a>. Connect-Info</span>
<a href="./rfc2869#section-5.11">[RFC2869], Section 5.11</a> defines the Connect-Info Attribute, which is
used to indicate the nature of the connection.
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Text...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
<span class="grey">DeKok & Weber Best Current Practice [Page 34]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-35" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
Even though the type is Text, the rest of the description indicates
that it is a complex attribute:
The Text field consists of UTF-8 encoded 10646 [8] characters.
The connection speed SHOULD be included at the beginning of the
first Connect-Info attribute in the packet. If the transmit and
receive connection speeds differ, they may both be included in the
first attribute with the transmit speed first (the speed the NAS
modem transmits at), a slash (/), the receive speed, then
optionally other information.
For example, "28800 V42BIS/LAPM" or "52000/31200 V90"
More than one Connect-Info attribute may be present in an
Accounting-Request packet to accommodate expected efforts by ITU
to have modems report more connection information in a standard
format that might exceed 252 octets.
This attribute contains no encrypted component and is not directly
involved in authentication. The individual sub-fields could
therefore have been encapsulated in separate attributes.
However, since the definition refers to potential standardization
activity within ITU, the Connect-Info Attribute can also be thought
of as opaque data whose definition is provided elsewhere. The
Connect-Info Attribute could therefore qualify for an exception as
described in <a href="#section-3.2.4">Section 3.2.4</a>.
<span class="h3"><a class="selflink" id="appendix-B.7" href="#appendix-B.7">B.7</a>. Framed-IPv6-Prefix</span>
<a href="./rfc3162#section-2.3">Section 2.3 of [RFC3162]</a> defines the Framed-IPv6-Prefix Attribute,
and <a href="./rfc4818#section-3">Section 3 of [RFC4818]</a> reuses this format for the Delegated-
IPv6-Prefix Attribute; these attributes are sent from the RADIUS
server to the client in an Access-Accept.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Reserved | Prefix-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Prefix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Prefix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Prefix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Prefix |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
<span class="grey">DeKok & Weber Best Current Practice [Page 35]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-36" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
The sub-fields encoded in these attributes are strongly related, and
there was no previous definition of this data structure that could be
referenced. Support for this attribute requires code changes on both
the client and server, due to a new data type being defined. In this
case, it appears to be acceptable to encode them in one attribute.
<span class="h3"><a class="selflink" id="appendix-B.8" href="#appendix-B.8">B.8</a>. Egress-VLANID</span>
<a href="./rfc4675#section-2.1">[RFC4675], Section 2.1</a> defines the Egress-VLANID Attribute, which can
be sent by a RADIUS client or server.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
While it appears superficially to be of type Integer, the Value field
is actually a packed structure, as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Tag Indic. | Pad | VLANID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The length of the VLANID field is defined by the [<a href="#ref-IEEE-802.1Q" title="P802.1Q-2003">IEEE-802.1Q</a>]
specification. The Tag Indicator field is either 0x31 or 0x32, for
compatibility with the Egress-VLAN-Name, as discussed below. The
complex structure of Egress-VLANID overlaps with that of the base
Integer data type, meaning that no code changes are required for a
RADIUS server to support this attribute. Code changes are required
on the NAS, if only to implement the VLAN ID enforcement.
Given the IEEE VLAN requirements and the limited data model of
RADIUS, the chosen method is likely the best of the possible
alternatives.
<span class="grey">DeKok & Weber Best Current Practice [Page 36]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-37" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
<span class="h3"><a class="selflink" id="appendix-B.9" href="#appendix-B.9">B.9</a>. Egress-VLAN-Name</span>
<a href="./rfc4675#section-2.3">[RFC4675], Section 2.3</a> defines the Egress-VLAN-Name Attribute, which
can be sent by a RADIUS client or server.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Tag Indic. | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Tag Indicator is either the character '1' or '2', which in ASCII
map to the identical values for Tag Indicator in Egress-VLANID above.
The complex structure of this attribute is acceptable for reasons
identical to those given for Egress-VLANID.
<span class="h3"><a class="selflink" id="appendix-B.10" href="#appendix-B.10">B.10</a>. Digest-*</span>
[<a id="ref-RFC5090">RFC5090</a>] attempts to standardize the functionality provided by an
expired Internet-Draft [<a href="#ref-AAA-SIP" title=""RADIUS Extension for Digest Authentication"">AAA-SIP</a>], which improperly uses two
attributes from the standard space without having been assigned them
by IANA. This self-allocation is forbidden, as described in <a href="#section-2">Section</a>
<a href="#section-2">2</a>. In addition, the document uses nested attributes, which are
discouraged in <a href="#section-2.1">Section 2.1</a>. The updated document uses basic data
types and allocates nearly 20 attributes in the process.
However, the document has seen wide-spread implementation, but
[<a href="./rfc5090" title="which improperly uses two attributes from the standard space without having been assigned them by IANA. This self-allocation is forbidden">RFC5090</a>] has not. One explanation may be that implementors
disagreed with the trade-offs made in the updated specification. It
may have been better to simply document the existing format and
request IANA allocation of two attributes. The resulting design
would have used nested attributes but may have gained more wide-
spread implementation.
Acknowledgments
We would like to acknowledge David Nelson, Bernard Aboba, Emile van
Bergen, Barney Wolff, Glen Zorn, Avi Lior, and Hannes Tschofenig for
contributions to this document.
<span class="grey">DeKok & Weber Best Current Practice [Page 37]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-38" ></span>
<span class="grey"><a href="./rfc6158">RFC 6158</a> RADIUS Design Guidelines March 2011</span>
Authors' Addresses
Alan DeKok (editor)
The FreeRADIUS Server Project
<a href="http://freeradius.org/">http://freeradius.org/</a>
EMail: aland@freeradius.org
Greg Weber
Knoxville, TN 37932
USA
EMail: gdweber@gmail.com
DeKok & Weber Best Current Practice [Page 38]
</pre>
|
