1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
|
<pre>Internet Engineering Task Force (IETF) A. DeKok
Request for Comments: 6613 FreeRADIUS
Category: Experimental May 2012
ISSN: 2070-1721
<span class="h1">RADIUS over TCP</span>
Abstract
The Remote Authentication Dial-In User Server (RADIUS) protocol has,
until now, required the User Datagram Protocol (UDP) as the
underlying transport layer. This document defines RADIUS over the
Transmission Control Protocol (RADIUS/TCP), in order to address
handling issues related to RADIUS over Transport Layer Security
(RADIUS/TLS). It permits TCP to be used as a transport protocol for
RADIUS only when a transport layer such as TLS or IPsec provides
confidentiality and security.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are a candidate for any level of
Internet Standard; see <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc6613">http://www.rfc-editor.org/info/rfc6613</a>.
<span class="grey">DeKok Experimental [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-1.1">1.1</a>. Applicability of Reliable Transport ........................<a href="#page-4">4</a>
<a href="#section-1.2">1.2</a>. Terminology ................................................<a href="#page-6">6</a>
<a href="#section-1.3">1.3</a>. Requirements Language ......................................<a href="#page-6">6</a>
<a href="#section-2">2</a>. Changes to RADIUS ...............................................<a href="#page-6">6</a>
<a href="#section-2.1">2.1</a>. Packet Format ..............................................<a href="#page-7">7</a>
<a href="#section-2.2">2.2</a>. Assigned Ports for RADIUS/TCP ..............................<a href="#page-7">7</a>
<a href="#section-2.3">2.3</a>. Management Information Base (MIB) ..........................<a href="#page-8">8</a>
<a href="#section-2.4">2.4</a>. Detecting Live Servers .....................................<a href="#page-8">8</a>
<a href="#section-2.5">2.5</a>. Congestion Control Issues ..................................<a href="#page-9">9</a>
<a href="#section-2.6">2.6</a>. TCP Specific Issues ........................................<a href="#page-9">9</a>
<a href="#section-2.6.1">2.6.1</a>. Duplicates and Retransmissions .....................<a href="#page-10">10</a>
<a href="#section-2.6.2">2.6.2</a>. Head of Line Blocking ..............................<a href="#page-11">11</a>
<a href="#section-2.6.3">2.6.3</a>. Shared Secrets .....................................<a href="#page-11">11</a>
<a href="#section-2.6.4">2.6.4</a>. Malformed Packets and Unknown Clients ..............<a href="#page-12">12</a>
<a href="#section-2.6.5">2.6.5</a>. Limitations of the ID Field ........................<a href="#page-13">13</a>
<a href="#section-2.6.6">2.6.6</a>. EAP Sessions .......................................<a href="#page-13">13</a>
<a href="#section-2.6.7">2.6.7</a>. TCP Applications Are Not UDP Applications ..........<a href="#page-14">14</a>
<a href="#section-3">3</a>. Diameter Considerations ........................................<a href="#page-14">14</a>
<a href="#section-4">4</a>. Security Considerations ........................................<a href="#page-14">14</a>
<a href="#section-5">5</a>. References .....................................................<a href="#page-15">15</a>
<a href="#section-5.1">5.1</a>. Normative References ......................................<a href="#page-15">15</a>
<a href="#section-5.2">5.2</a>. Informative References ....................................<a href="#page-15">15</a>
<span class="grey">DeKok Experimental [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
The RADIUS protocol is defined in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] as using the User
Datagram Protocol (UDP) for the underlying transport layer. While
there are a number of benefits to using UDP as outlined in <a href="./rfc2865#section-2.4">[RFC2865],
Section 2.4</a>, there are also some limitations:
* Unreliable transport. As a result, systems using RADIUS have
to implement application-layer timers and retransmissions, as
described in <a href="./rfc5080#section-2.2.1">[RFC5080], Section 2.2.1</a>.
* Packet fragmentation. <a href="./rfc2865#section-3">[RFC2865], Section 3</a>, permits RADIUS
packets up to 4096 octets in length. These packets are larger
than the common Internet MTU (576), resulting in fragmentation
of the packets at the IP layer when they are proxied over the
Internet. Transport of fragmented UDP packets appears to be a
poorly tested code path on network devices. Some devices
appear to be incapable of transporting fragmented UDP packets,
making it difficult to deploy RADIUS in a network where those
devices are deployed.
* Connectionless transport. Neither clients nor servers receive
positive statements that a "connection" is down. This
information has to be deduced instead from the absence of a
reply to a request.
* Lack of congestion control. Clients can send arbitrary amounts
of traffic with little or no feedback. This lack of feedback
can result in congestive collapse of the network.
RADIUS has been widely deployed for well over a decade and continues
to be widely deployed. Experience shows that these issues have been
minor in some use cases and problematic in others. For use cases
such as inter-server proxying, an alternative transport and security
model -- RADIUS/TLS, is defined in [<a href="./rfc6614" title=""Transport Layer Security (TLS) Encryption for RADIUS"">RFC6614</a>]. That document
describes the transport implications of running RADIUS/TLS.
The choice of TCP as a transport protocol is largely driven by the
desire to improve the security of RADIUS by using RADIUS/TLS. For
practical reasons, the transport protocol (TCP) is defined separately
from the security mechanism (TLS).
Since "bare" TCP does not provide for confidentiality or enable
negotiation of credible ciphersuites, its use is not appropriate for
inter-server communications where strong security is required. As a
result, "bare" TCP transport MUST NOT be used without TLS, IPsec, or
another secure upper layer.
<span class="grey">DeKok Experimental [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
However, "bare" TCP transport MAY be used when another method such as
IPsec [<a href="./rfc4301" title=""Security Architecture for the Internet Protocol"">RFC4301</a>] is used to provide additional confidentiality and
security. Should experience show that such deployments are useful,
this specification could be moved to the Standards Track.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Applicability of Reliable Transport</span>
The intent of this document is to address transport issues related to
RADIUS/TLS [<a href="./rfc6614" title=""Transport Layer Security (TLS) Encryption for RADIUS"">RFC6614</a>] in inter-server communications scenarios, such
as inter-domain communication between proxies. These situations
benefit from the confidentiality and ciphersuite negotiation that can
be provided by TLS. Since TLS is already widely available within the
operating systems used by proxies, implementation barriers are low.
In scenarios where RADIUS proxies exchange a large volume of packets,
it is likely that there will be sufficient traffic to enable the
congestion window to be widened beyond the minimum value on a long-
term basis, enabling ACK piggybacking. Through use of an
application-layer watchdog as described in [<a href="./rfc3539" title=""Authentication, Authorization and Accounting (AAA) Transport Profile"">RFC3539</a>], it is possible
to address the objections to reliable transport described in
<a href="./rfc2865#section-2.4">[RFC2865], Section 2.4</a>, without substantial watchdog traffic, since
regular traffic is expected in both directions.
In addition, use of RADIUS/TLS has been found to improve operational
performance when used with multi-round-trip authentication mechanisms
such as the Extensible Authentication Protocol (EAP) over RADIUS
[<a href="./rfc3579" title=""RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)"">RFC3579</a>]. In such exchanges, it is typical for EAP fragmentation to
increase the number of round trips required. For example, where EAP-
TLS authentication [<a href="./rfc5216" title=""The EAP-TLS Authentication Protocol"">RFC5216</a>] is attempted and both the EAP peer and
server utilize certificate chains of 8 KB, as many as 15 round trips
can be required if RADIUS packets are restricted to the common
Ethernet MTU (1500 octets) for EAP over LAN (EAPoL) use cases.
Fragmentation of RADIUS/UDP packets is generally inadvisable due to
lack of fragmentation support within intermediate devices such as
filtering routers, firewalls, and NATs. However, since RADIUS/UDP
implementations typically do not support MTU discovery, fragmentation
can occur even when the maximum RADIUS/UDP packet size is restricted
to 1500 octets.
These problems disappear if a 4096-octet application-layer payload
can be used alongside RADIUS/TLS. Since most TCP implementations
support MTU discovery, the TCP Maximum Segment Size (MSS) is
automatically adjusted to account for the MTU, and the larger
congestion window supported by TCP may allow multiple TCP segments to
be sent within a single window. Even those few TCP stacks that do
not perform Path MTU discovery can already support arbitrary
payloads.
<span class="grey">DeKok Experimental [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
Where the MTU for EAP packets is large, RADIUS/EAP traffic required
for an EAP-TLS authentication with 8-KB certificate chains may be
reduced to 7 round trips or less, resulting in substantially reduced
authentication times.
In addition, experience indicates that EAP sessions transported over
RADIUS/TLS are less likely to abort unsuccessfully. Historically,
RADIUS-over-UDP (see <a href="#section-1.2">Section 1.2</a>) implementations have exhibited poor
retransmission behavior. Some implementations retransmit packets,
others do not, and others send new packets rather than performing
retransmission. Some implementations are incapable of detecting EAP
retransmissions, and will instead treat the retransmitted packet as
an error. As a result, within RADIUS/UDP implementations,
retransmissions have a high likelihood of causing an EAP
authentication session to fail. For a system with a million logins a
day running EAP-TLS mutual authentication with 15 round trips, and
having a packet loss probability of P=0.01%, we expect that 0.3% of
connections will experience at least one lost packet. That is, 3,000
user sessions each day will experience authentication failure. This
is an unacceptable failure rate for a mass-market network service.
Using a reliable transport method such as TCP means that RADIUS
implementations can remove all application-layer retransmissions, and
instead rely on the Operating System (OS) kernel's well-tested TCP
transport to ensure Path MTU discovery and reliable delivery. Modern
TCP implementations also implement anti-spoofing provisions, which is
more difficult to do in a UDP application.
In contrast, use of TCP as a transport between a Network Access
Server (NAS) and a RADIUS server is usually a poor fit. As noted in
<a href="./rfc3539#section-2.1">[RFC3539], Section 2.1</a>, for systems originating low numbers of RADIUS
request packets, inter-packet spacing is often larger than the packet
Round-Trip Time (RTT), meaning that, the congestion window will
typically stay below the minimum value on a long-term basis. The
result is an increase in packets due to ACKs as compared to UDP,
without a corresponding set of benefits. In addition, the lack of
substantial traffic implies the need for additional watchdog traffic
to confirm reachability.
As a result, the objections to reliable transport indicated in
<a href="./rfc2865#section-2.4">[RFC2865], Section 2.4</a>, continue to apply to NAS-RADIUS server
communications, and UDP SHOULD continue to be used as the transport
protocol in this scenario. In addition, it is recommended that
implementations of RADIUS Dynamic Authorization Extensions [<a href="./rfc5176" title=""Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)"">RFC5176</a>]
SHOULD continue to utilize UDP transport, since the volume of dynamic
authorization traffic is usually expected to be small.
<span class="grey">DeKok Experimental [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. Terminology</span>
This document uses the following terms:
RADIUS client
A device that provides an access service for a user to a network.
Also referred to as a Network Access Server, or NAS.
RADIUS server
A device that provides one or more of authentication,
authorization, and/or accounting (AAA) services to a NAS.
RADIUS proxy
A RADIUS proxy acts as a RADIUS server to the NAS, and a RADIUS
client to the RADIUS server.
RADIUS request packet
A packet originated by a RADIUS client to a RADIUS server. For
example, Access-Request, Accounting-Request, CoA-Request, or
Disconnect-Request.
RADIUS response packet
A packet sent by a RADIUS server to a RADIUS client, in response
to a RADIUS request packet. For example, Access-Accept, Access-
Reject, Access-Challenge, Accounting-Response, or CoA-ACK.
RADIUS/UDP
RADIUS over UDP, as defined in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>].
RADIUS/TCP
RADIUS over TCP, as defined in this document.
RADIUS/TLS
RADIUS over TLS, as defined in [<a href="./rfc6614" title=""Transport Layer Security (TLS) Encryption for RADIUS"">RFC6614</a>].
<span class="h3"><a class="selflink" id="section-1.3" href="#section-1.3">1.3</a>. Requirements Language</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Changes to RADIUS</span>
RADIUS/TCP involves sending RADIUS application messages over a TCP
connection. In the sections that follow, we discuss the implications
for the RADIUS packet format (<a href="#section-2.1">Section 2.1</a>), port usage (<a href="#section-2.2">Section 2.2</a>),
RADIUS MIBs (<a href="#section-2.3">Section 2.3</a>), and RADIUS proxies (<a href="#section-2.5">Section 2.5</a>). TCP-
specific issues are discussed in <a href="#section-2.6">Section 2.6</a>.
<span class="grey">DeKok Experimental [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Packet Format</span>
The RADIUS packet format is unchanged from [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>], [<a href="./rfc2866" title=""RADIUS Accounting"">RFC2866</a>], and
[<a href="./rfc5176" title=""Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)"">RFC5176</a>]. Specifically, all of the following portions of RADIUS
MUST be unchanged when using RADIUS/TCP:
* Packet format
* Permitted codes
* Request Authenticator calculation
* Response Authenticator calculation
* Minimum packet length
* Maximum packet length
* Attribute format
* Vendor-Specific Attribute (VSA) format
* Permitted data types
* Calculations of dynamic attributes such as CHAP-Challenge, or
Message-Authenticator.
* Calculation of "encrypted" attributes such as Tunnel-Password.
The use of TLS transport does not change the calculation of security-
related fields (such as the Response-Authenticator) in RADIUS
[<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] or RADIUS Dynamic Authorization [<a href="./rfc5176" title=""Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)"">RFC5176</a>]. Calculation of
attributes such as User-Password [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] or Message-Authenticator
[<a href="./rfc3579" title=""RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)"">RFC3579</a>] also does not change.
Clients and servers MUST be able to store and manage shared secrets
based on the key described in <a href="#section-2.6">Section 2.6</a>, of (IP address, port,
transport protocol).
The changes to RADIUS implementations required to implement this
specification are largely limited to the portions that send and
receive packets on the network.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Assigned Ports for RADIUS/TCP</span>
IANA has already assigned TCP ports for RADIUS transport, as outlined
below:
* radius 1812/tcp
* radius-acct 1813/tcp
* radius-dynauth 3799/tcp
Since these ports are unused by existing RADIUS implementations, the
assigned values MUST be used as the default ports for RADIUS over
TCP.
<span class="grey">DeKok Experimental [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
The early deployment of RADIUS was done using UDP port number 1645,
which conflicts with the "datametrics" service. Implementations
using RADIUS/TCP MUST NOT use TCP ports 1645 or 1646 as the default
ports for this specification.
The "radsec" port (2083/tcp) SHOULD be used as the default port for
RADIUS/TLS. The "radius" port (1812/tcp) SHOULD NOT be used for
RADIUS/TLS.
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Management Information Base (MIB)</span>
The MIB Module definitions in [<a href="./rfc4668" title=""RADIUS Authentication Client MIB for IPv6"">RFC4668</a>], [<a href="./rfc4669" title=""RADIUS Authentication Server MIB for IPv6"">RFC4669</a>], [<a href="./rfc4670" title=""RADIUS Accounting Client MIB for IPv6"">RFC4670</a>],
[<a href="./rfc4671" title=""RADIUS Accounting Server MIB for IPv6"">RFC4671</a>], [<a href="./rfc4672" title=""RADIUS Dynamic Authorization Client MIB"">RFC4672</a>], and [<a href="./rfc4673" title=""RADIUS Dynamic Authorization Server MIB"">RFC4673</a>] are intended to be used for
RADIUS over UDP. As such, they do not support RADIUS/TCP, and will
need to be updated in the future. Implementations of RADIUS/TCP
SHOULD NOT reuse these MIB Modules to perform statistics counting for
RADIUS/TCP connections.
<span class="h3"><a class="selflink" id="section-2.4" href="#section-2.4">2.4</a>. Detecting Live Servers</span>
As RADIUS is a "hop-by-hop" protocol, a RADIUS proxy shields the
client from any information about downstream servers. While the
client may be able to deduce the operational state of the local
server (i.e., proxy), it cannot make any determination about the
operational state of the downstream servers.
Within RADIUS, as defined in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>], proxies typically only
forward traffic between the NAS and RADIUS server, and they do not
generate their own responses. As a result, when a NAS does not
receive a response to a request, this could be the result of packet
loss between the NAS and proxy, a problem on the proxy, loss between
the RADIUS proxy and server, or a problem with the server.
When UDP is used as a transport protocol, the absence of a reply can
cause a client to deduce (incorrectly) that the proxy is unavailable.
The client could then fail over to another server or conclude that no
"live" servers are available (OKAY state in <a href="./rfc3539#appendix-A">[RFC3539], Appendix A</a>).
This situation is made even worse when requests are sent through a
proxy to multiple destinations. Failures in one destination may
result in service outages for other destinations, if the client
erroneously believes that the proxy is unresponsive.
For RADIUS/TLS, it is RECOMMENDED that implementations utilize the
existence of a TCP connection along with the application-layer
watchdog defined in <a href="./rfc3539#section-3.4">[RFC3539], Section 3.4</a>, to determine that the
server is "live".
<span class="grey">DeKok Experimental [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
RADIUS clients using RADIUS/TCP MUST mark a connection DOWN if the
network stack indicates that the connection is no longer active. If
the network stack indicates that the connection is still active,
clients MUST NOT decide that it is down until the application-layer
watchdog algorithm has marked it DOWN (<a href="./rfc3539#appendix-A">[RFC3539], Appendix A</a>).
RADIUS clients using RADIUS/TCP MUST NOT decide that a RADIUS server
is unresponsive until all TCP connections to it have been marked
DOWN.
The above requirements do not forbid the practice of a client
proactively closing connections or marking a server as DOWN due to an
administrative decision.
<span class="h3"><a class="selflink" id="section-2.5" href="#section-2.5">2.5</a>. Congestion Control Issues</span>
Additional issues with RADIUS proxies involve transport protocol
changes where the proxy receives packets on one transport protocol
and forwards them on a different transport protocol. There are
several situations in which the law of "conservation of packets"
could be violated on an end-to-end basis (e.g., where more packets
could enter the system than could leave it on a short-term basis):
* Where TCP is used between proxies, it is possible that the
bandwidth consumed by incoming UDP packets destined to a given
upstream server could exceed the sending rate of a single TCP
connection to that server, based on the window size/RTT
estimate.
* It is possible for the incoming rate of TCP packets destined to
a given realm to exceed the UDP throughput achievable using the
transport guidelines established in [<a href="./rfc5080" title=""Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes"">RFC5080</a>]. This could
happen, for example, where the TCP window between proxies has
opened, but packet loss is being experienced on the UDP leg, so
that the effective congestion window on the UDP side is 1.
Intrinsically, proxy systems operate with multiple control loops
instead of one end-to-end loop, and so they are less stable. This is
true even for TCP-TCP proxies. As discussed in [<a href="./rfc3539" title=""Authentication, Authorization and Accounting (AAA) Transport Profile"">RFC3539</a>], the only
way to achieve stability equivalent to a single TCP connection is to
mimic the end-to-end behavior of a single TCP connection. This
typically is not achievable with an application-layer RADIUS
implementation, regardless of transport.
<span class="h3"><a class="selflink" id="section-2.6" href="#section-2.6">2.6</a>. TCP Specific Issues</span>
The guidelines defined in [<a href="./rfc3539" title=""Authentication, Authorization and Accounting (AAA) Transport Profile"">RFC3539</a>] for implementing a AAA protocol
over reliable transport are applicable to RADIUS/TLS.
<span class="grey">DeKok Experimental [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
The application-layer watchdog defined in <a href="./rfc3539#section-3.4">[RFC3539], Section 3.4</a>,
MUST be used. The Status-Server packet [<a href="./rfc5997" title=""Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol"">RFC5997</a>] MUST be used as the
application-layer watchdog message. Implementations MUST reserve one
RADIUS ID per connection for the application-layer watchdog message.
This restriction is described further in <a href="#section-2.6.4">Section 2.6.4</a>.
RADIUS/TLS implementations MUST support receiving RADIUS packets over
both UDP and TCP transports originating from the same endpoint.
RADIUS packets received over UDP MUST be replied to over UDP; RADIUS
packets received over TCP MUST be replied to over TCP. That is,
RADIUS clients and servers MUST be treated as unique based on a key
of the three-tuple (IP address, port, transport protocol).
Implementations MUST permit different shared secrets to be used for
UDP and TCP connections to the same destination IP address and
numerical port.
This requirement does not forbid the traditional practice of using
primary and secondary servers in a failover relationship. Instead,
it requires that two services sharing an IP address and numerical
port, but differing in transport protocol, MUST be treated as
independent services for the purpose of failover, load-balancing,
etc.
Whenever the underlying network stack permits the use of TCP
keepalive socket options, their use is RECOMMENDED.
<span class="h4"><a class="selflink" id="section-2.6.1" href="#section-2.6.1">2.6.1</a>. Duplicates and Retransmissions</span>
As TCP is a reliable transport, implementations MUST NOT retransmit
RADIUS request packets over a given TCP connection. Similarly, if
there is no response to a RADIUS packet over one TCP connection,
implementations MUST NOT retransmit that packet over a different TCP
connection to the same destination IP address and port, while the
first connection is in the OKAY state (<a href="./rfc3539#appendix-A">[RFC3539], Appendix A</a>).
However, if the TCP connection is broken or closed, retransmissions
over new connections are permissible. RADIUS request packets that
have not yet received a response MAY be transmitted by a RADIUS
client over a new TCP connection. As this procedure involves using a
new source port, the ID of the packet MAY change. If the ID changes,
any security attributes such as Message-Authenticator MUST be
recalculated.
If a TCP connection is broken or closed, any cached RADIUS response
packets (<a href="./rfc5080#section-2.2.2">[RFC5080], Section 2.2.2</a>) associated with that connection
MUST be discarded. A RADIUS server SHOULD stop the processing of any
requests associated with that TCP connection. No response to these
requests can be sent over the TCP connection, so any further
<span class="grey">DeKok Experimental [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
processing is pointless. This requirement applies not only to RADIUS
servers, but also to proxies. When a client's connection to a proxy
server is closed, there may be responses from a home server that were
supposed to be sent by the proxy back over that connection to the
client. Since the client connection is closed, those responses from
the home server to the proxy server SHOULD be silently discarded by
the proxy.
Despite the above discussion, RADIUS servers SHOULD still perform
duplicate detection on received packets, as described in <a href="./rfc5080#section-2.2.2">[RFC5080],
Section 2.2.2</a>. This detection can prevent duplicate processing of
packets from non-conformant clients.
RADIUS packets SHOULD NOT be retransmitted to the same destination IP
and numerical port, but over a different transport protocol. There
is no guarantee in RADIUS that the two ports are in any way related.
This requirement does not, however, forbid the practice of putting
multiple servers into a failover or load-balancing pool. In that
situation, RADIUS request MAY be retransmitted to another server that
is known to be part of the same pool.
<span class="h4"><a class="selflink" id="section-2.6.2" href="#section-2.6.2">2.6.2</a>. Head of Line Blocking</span>
When using UDP as a transport for RADIUS, there is no ordering of
packets. If a packet sent by a client is lost, that loss has no
effect on subsequent packets sent by that client.
Unlike UDP, TCP is subject to issues related to Head of Line (HoL)
blocking. This occurs when a TCP segment is lost and a subsequent
TCP segment arrives out of order. While the RADIUS server can
process RADIUS packets out of order, the semantics of TCP makes this
impossible. This limitation can lower the maximum packet processing
rate of RADIUS/TCP.
<span class="h4"><a class="selflink" id="section-2.6.3" href="#section-2.6.3">2.6.3</a>. Shared Secrets</span>
The use of TLS transport does not change the calculation of security-
related fields (such as the Response-Authenticator) in RADIUS
[<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] or RADIUS Dynamic Authorization [<a href="./rfc5176" title=""Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)"">RFC5176</a>]. Calculation of
attributes such as User-Password [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] or Message-Authenticator
[<a href="./rfc3579" title=""RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)"">RFC3579</a>] also does not change.
Clients and servers MUST be able to store and manage shared secrets
based on the key described above, at the start of this section (i.e.,
IP address, port, transport protocol).
<span class="grey">DeKok Experimental [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
<span class="h4"><a class="selflink" id="section-2.6.4" href="#section-2.6.4">2.6.4</a>. Malformed Packets and Unknown Clients</span>
The RADIUS specifications ([<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>], and many others) say that an
implementation should "silently discard" a packet in a number of
circumstances. This action has no further consequences for UDP
transport, as the "next" packet is completely independent of the
previous one.
When TCP is used as a transport, decoding the "next" packet on a
connection depends on the proper decoding of the previous packet. As
a result, the behavior with respect to discarded packets has to
change.
Implementations of this specification SHOULD treat the "silently
discard" texts referenced above as "silently discard and close the
connection". That is, the TCP connection MUST be closed if any of
the following circumstances are seen:
* Connection from an unknown client
* Packet where the RADIUS "Length" field is less than the minimum
RADIUS packet length
* Packet where the RADIUS "Length" field is more than the maximum
RADIUS packet length
* Packet that has an Attribute "Length" field has value of zero
or one (0 or 1)
* Packet where the attributes do not exactly fill the packet
* Packet where the Request Authenticator fails validation (where
validation is required)
* Packet where the Response Authenticator fails validation (where
validation is required)
* Packet where the Message-Authenticator attribute fails
validation (when it occurs in a packet)
After applying the above rules, there are still two situations where
the previous specifications allow a packet to be "silently discarded"
upon receipt:
* Packets with an invalid code field
* Response packets that do not match any outstanding request
In these situations, the TCP connections MAY remain open, or they MAY
be closed, as an implementation choice. However, the invalid packet
MUST be silently discarded.
These requirements reduce the possibility for a misbehaving client or
server to wreak havoc on the network.
<span class="grey">DeKok Experimental [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
<span class="h4"><a class="selflink" id="section-2.6.5" href="#section-2.6.5">2.6.5</a>. Limitations of the ID Field</span>
The RADIUS ID field is one octet in size. As a result, any one TCP
connection can have only 256 "in flight" RADIUS packets at a time.
If more than 256 simultaneous "in flight" packets are required,
additional TCP connections will need to be opened. This limitation
is also noted in <a href="./rfc3539#section-2.4">[RFC3539], Section 2.4</a>.
An additional limit is the requirement to send a Status-Server packet
over the same TCP connection as is used for normal requests. As
noted in [<a href="./rfc5997" title=""Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol"">RFC5997</a>], the response to a Status-Server packet is either
an Access-Accept or an Accounting-Response. If all IDs were
allocated to normal requests, then there would be no free ID to use
for the Status-Server packet, and it could not be sent over the
connection.
Implementations SHOULD reserve ID zero (0) on each TCP connection for
Status-Server packets. This value was picked arbitrarily, as there
is no reason to choose any one value over another for this use.
Implementors may be tempted to extend RADIUS to permit more than 256
outstanding packets on one connection. However, doing so is a
violation of a fundamental part of the protocol and MUST NOT be done.
Making that extension here is outside of the scope of this
specification.
<span class="h4"><a class="selflink" id="section-2.6.6" href="#section-2.6.6">2.6.6</a>. EAP Sessions</span>
When RADIUS clients send EAP requests using RADIUS/TCP, they SHOULD
choose the same TCP connection for all packets related to one EAP
session. This practice ensures that EAP packets are transmitted in
order, and that problems with any one TCP connection affect the
minimum number of EAP sessions.
A simple method that may work in many situations is to hash the
contents of the Calling-Station-Id attribute, which normally contains
the Media Access Control (MAC) address. The output of that hash can
be used to select a particular TCP connection.
However, EAP packets for one EAP session can still be transported
from client to server over multiple paths. Therefore, when a server
receives a RADIUS request containing an EAP request, it MUST be
processed without considering the transport protocol. For TCP
transport, it MUST be processed without considering the source port.
The algorithm suggested in <a href="./rfc5080#section-2.1.1">[RFC5080], Section 2.1.1</a> SHOULD be used to
track EAP sessions, as it is independent of the source port and
transport protocol.
<span class="grey">DeKok Experimental [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
The retransmission requirements of <a href="#section-2.6.1">Section 2.6.1</a>, above, MUST be
applied to RADIUS-encapsulated EAP packets. That is, EAP
retransmissions MUST NOT result in retransmissions of RADIUS packets
over a particular TCP connection. EAP retransmissions MAY result in
retransmission of RADIUS packets over a different TCP connection, but
only when the previous TCP connection is marked DOWN.
<span class="h4"><a class="selflink" id="section-2.6.7" href="#section-2.6.7">2.6.7</a>. TCP Applications Are Not UDP Applications</span>
Implementors should be aware that programming a robust TCP
application can be very different from programming a robust UDP
application. It is RECOMMENDED that implementors of this
specification familiarize themselves with TCP application programming
concepts.
Clients and servers SHOULD implement configurable connection limits.
Clients and servers SHOULD implement configurable limits on
connection lifetime and idle timeouts. Clients and servers SHOULD
implement configurable rate limiting on new connections. Allowing an
unbounded number or rate of TCP connections may result in resource
exhaustion.
Further discussion of implementation issues is outside of the scope
of this document.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Diameter Considerations</span>
This document defines TCP as a transport layer for RADIUS. It
defines no new RADIUS attributes or codes. The only interaction with
Diameter is in a RADIUS-to-Diameter, or in a Diameter-to-RADIUS
gateway. The RADIUS side of such a gateway MAY implement RADIUS/TCP,
but this change has no effect on Diameter.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Security Considerations</span>
As the RADIUS packet format, signing, and client verification are
unchanged from prior specifications, all of the security issues
outlined in previous specifications for RADIUS/UDP are also
applicable here.
As noted above, clients and servers SHOULD support configurable
connection limits. Allowing an unlimited number of connections may
result in resource exhaustion.
Implementors should consult [<a href="./rfc6614" title=""Transport Layer Security (TLS) Encryption for RADIUS"">RFC6614</a>] for issues related to the
security of RADIUS/TLS, and [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>] for issues related to the
security of the TLS protocol.
<span class="grey">DeKok Experimental [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
Since "bare" TCP does not provide for confidentiality or enable
negotiation of credible ciphersuites, its use is not appropriate for
inter-server communications where strong security is required. As a
result, "bare" TCP transport MUST NOT be used without TLS, IPsec, or
another secure upper layer.
There are no (at this time) other known security issues for RADIUS-
over-TCP transport.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. References</span>
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC2865">RFC2865</a>] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
<a href="./rfc2865">RFC 2865</a>, June 2000.
[<a id="ref-RFC3539">RFC3539</a>] Aboba, B. and J. Wood, "Authentication, Authorization
and Accounting (AAA) Transport Profile", <a href="./rfc3539">RFC 3539</a>, June
2003.
[<a id="ref-RFC5997">RFC5997</a>] DeKok, A., "Use of Status-Server Packets in the Remote
Authentication Dial In User Service (RADIUS) Protocol",
<a href="./rfc5997">RFC 5997</a>, August 2010.
[<a id="ref-RFC6614">RFC6614</a>] Winter, S., McCauley, M., Venaas, S., and K. Wierenga,
"Transport Layer Security (TLS) Encryption for RADIUS",
<a href="./rfc6614">RFC 6614</a>, May 2012.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Informative References</span>
[<a id="ref-RFC2866">RFC2866</a>] Rigney, C., "RADIUS Accounting", <a href="./rfc2866">RFC 2866</a>, June 2000.
[<a id="ref-RFC3579">RFC3579</a>] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
Dial In User Service) Support For Extensible
Authentication Protocol (EAP)", <a href="./rfc3579">RFC 3579</a>, September
2003.
[<a id="ref-RFC4301">RFC4301</a>] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", <a href="./rfc4301">RFC 4301</a>, December 2005.
[<a id="ref-RFC4668">RFC4668</a>] Nelson, D., "RADIUS Authentication Client MIB for IPv6",
<a href="./rfc4668">RFC 4668</a>, August 2006.
<span class="grey">DeKok Experimental [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc6613">RFC 6613</a> RADIUS over TCP May 2012</span>
[<a id="ref-RFC4669">RFC4669</a>] Nelson, D., "RADIUS Authentication Server MIB for IPv6",
<a href="./rfc4669">RFC 4669</a>, August 2006.
[<a id="ref-RFC4670">RFC4670</a>] Nelson, D., "RADIUS Accounting Client MIB for IPv6", <a href="./rfc4670">RFC</a>
<a href="./rfc4670">4670</a>, August 2006.
[<a id="ref-RFC4671">RFC4671</a>] Nelson, D., "RADIUS Accounting Server MIB for IPv6", <a href="./rfc4671">RFC</a>
<a href="./rfc4671">4671</a>, August 2006.
[<a id="ref-RFC4672">RFC4672</a>] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS
Dynamic Authorization Client MIB", <a href="./rfc4672">RFC 4672</a>, September
2006.
[<a id="ref-RFC4673">RFC4673</a>] De Cnodder, S., Jonnala, N., and M. Chiba, "RADIUS
Dynamic Authorization Server MIB", <a href="./rfc4673">RFC 4673</a>, September
2006.
[<a id="ref-RFC5080">RFC5080</a>] Nelson, D. and A. DeKok, "Common Remote Authentication
Dial In User Service (RADIUS) Implementation Issues and
Suggested Fixes", <a href="./rfc5080">RFC 5080</a>, December 2007.
[<a id="ref-RFC5176">RFC5176</a>] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
Aboba, "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", <a href="./rfc5176">RFC 5176</a>,
January 2008.
[<a id="ref-RFC5216">RFC5216</a>] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
Authentication Protocol", <a href="./rfc5216">RFC 5216</a>, March 2008.
[<a id="ref-RFC5246">RFC5246</a>] Dierks, T. and E. Rescorla, "The Transport Layer
Security (TLS) Protocol Version 1.2", <a href="./rfc5246">RFC 5246</a>, August
2008.
Author's Address
Alan DeKok
The FreeRADIUS Server Project
<a href="http://freeradius.org/">http://freeradius.org/</a>
EMail: aland@freeradius.org
DeKok Experimental [Page 16]
</pre>
|
