draft-ietf-radext-rfc4590bis-00.txt   draft-ietf-radext-rfc4590bis-01.txt 
Network Working Group B. Sterman Network Working Group B. Sterman
INTERNET-DRAFT Kayote Networks INTERNET-DRAFT Kayote Networks
Obsoletes: 4590 D. Sadolevsky Obsoletes: 4590 D. Sadolevsky
Category: Standards Track SecureOL, Inc. Category: Standards Track SecureOL, Inc.
<draft-ietf-radext-rfc4590bis-00.txt> D. Schwartz <draft-ietf-radext-rfc4590bis-01.txt> D. Schwartz
1 January 2007 Kayote Networks 21 March 2007 Kayote Networks
D. Williams D. Williams
Cisco Systems Cisco Systems
W. Beck W. Beck
Deutsche Telekom AG Deutsche Telekom AG
RADIUS Extension for Digest Authentication RADIUS Extension for Digest Authentication
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
skipping to change at page 1, line 37 skipping to change at page 1, line 37
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 17, 2007. This Internet-Draft will expire on September 17, 2007.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). All Rights Reserved. Copyright (C) The IETF Trust (2007). All Rights Reserved.
Abstract Abstract
This document defines an extension to the Remote Authentication Dial- This document defines an extension to the Remote Authentication Dial-
In User Service (RADIUS) protocol to enable support of Digest In User Service (RADIUS) protocol to enable support of Digest
Authentication, for use with HTTP-style protocols like the Session Authentication, for use with HTTP-style protocols like the Session
Initiation Protocol (SIP) and HTTP. Initiation Protocol (SIP) and HTTP.
Table of Contents Table of Contents
1. Introduction ....................................................2 1. Introduction ....................................................3
1.1. Terminology ................................................2 1.1. Terminology ................................................3
1.2. Motivation .................................................3 1.2. Motivation .................................................3
1.3. Overview ...................................................4 1.3. Overview ...................................................4
2. Detailed Description ............................................6 2. Detailed Description ............................................6
2.1. RADIUS Client Behavior .....................................6 2.1. RADIUS Client Behavior .....................................6
2.1.1. Credential Selection ................................6
2.1.2. Constructing an Access-Request ......................7
2.1.3. Constructing an Authentication-Info Header ..........7
2.1.4. Failed Authentication ...............................9
2.1.5. Obtaining Nonces ....................................9
2.2. RADIUS Server Behavior .....................................9 2.2. RADIUS Server Behavior .....................................9
2.2.1. General Attribute Checks ...........................10
2.2.2. Authentication .....................................10
2.2.3. Constructing the Reply .............................11
3. New RADIUS Attributes ..........................................12 3. New RADIUS Attributes ..........................................12
3.1. Digest-Response attribute .................................12 3.1. Digest-Response attribute .................................12
3.2. Digest-Realm Attribute ....................................13 3.2. Digest-Realm Attribute ....................................13
3.3. Digest-Nonce Attribute ....................................13 3.3. Digest-Nonce Attribute ....................................13
3.4. Digest-Response-Auth Attribute ............................14 3.4. Digest-Response-Auth Attribute ............................14
3.5. Digest-Nextnonce Attribute ................................14 3.5. Digest-Nextnonce Attribute ................................14
3.6. Digest-Method Attribute ...................................15 3.6. Digest-Method Attribute ...................................15
3.7. Digest-URI Attribute ......................................15 3.7. Digest-URI Attribute ......................................15
3.8. Digest-Qop Attribute ......................................15 3.8. Digest-Qop Attribute ......................................15
3.9. Digest-Algorithm Attribute ................................16 3.9. Digest-Algorithm Attribute ................................16
skipping to change at page 2, line 45 skipping to change at page 2, line 37
3.13. Digest-Username Attribute ................................17 3.13. Digest-Username Attribute ................................17
3.14. Digest-Opaque Attribute ..................................18 3.14. Digest-Opaque Attribute ..................................18
3.15. Digest-Auth-Param Attribute ..............................18 3.15. Digest-Auth-Param Attribute ..............................18
3.16. Digest-AKA-Auts Attribute ................................19 3.16. Digest-AKA-Auts Attribute ................................19
3.17. Digest-Domain Attribute ..................................19 3.17. Digest-Domain Attribute ..................................19
3.18. Digest-Stale Attribute ...................................20 3.18. Digest-Stale Attribute ...................................20
3.19. Digest-HA1 Attribute .....................................20 3.19. Digest-HA1 Attribute .....................................20
3.20. SIP-AOR Attribute ........................................21 3.20. SIP-AOR Attribute ........................................21
4. Diameter Compatibility .........................................21 4. Diameter Compatibility .........................................21
5. Table of Attributes ............................................21 5. Table of Attributes ............................................21
6. Examples .......................................................22 6. Examples .......................................................23
7. IANA Considerations ............................................26 7. IANA Considerations ............................................26
8. Security Considerations ........................................27 8. Security Considerations ........................................27
8.1. Denial of Service .........................................27 8.1. Denial of Service .........................................27
8.2. Confidentiality and Data Integrity ........................28 8.2. Confidentiality and Data Integrity ........................28
9. References .....................................................29 9. References .....................................................29
9.1. Normative References ......................................29 9.1. Normative References ......................................29
9.2. Informative References ....................................29 9.2. Informative References ....................................29
Acknowledgements ..................................................30
Author's Addresses ................................................30
Appendix A - Changes from RFC 4590 ................................31
Full Copyright Statement ..........................................32
Intellectual Property .............................................32
1. Introduction 1. Introduction
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
The use of normative requirement key words in this document shall The use of normative requirement key words in this document shall
skipping to change at page 10, line 24 skipping to change at page 10, line 24
Digest-Algorithm and Digest-Qop, it looks for Digest-Entity-Body- Digest-Algorithm and Digest-Qop, it looks for Digest-Entity-Body-
Hash, Digest-CNonce, and Digest-AKA-Auts, too. See [RFC2617] and Hash, Digest-CNonce, and Digest-AKA-Auts, too. See [RFC2617] and
[RFC3310] for details. If the Digest-Algorithm attribute is missing, [RFC3310] for details. If the Digest-Algorithm attribute is missing,
'MD5' is assumed. If the RADIUS server has issued a Digest-Opaque 'MD5' is assumed. If the RADIUS server has issued a Digest-Opaque
attribute along with the nonce, the Access-Request MUST have a attribute along with the nonce, the Access-Request MUST have a
matching Digest-Opaque attribute. matching Digest-Opaque attribute.
If mandatory attributes are missing, it MUST respond with an Access- If mandatory attributes are missing, it MUST respond with an Access-
Reject packet. Reject packet.
The RADIUS server removes '' characters that escape quote and '' The RADIUS server removes '\' characters that escape quote and '\'
characters from the text values it has received in the Digest-* characters from the text values it has received in the Digest-*
attributes. attributes.
If the mandatory attributes are present, the RADIUS server MUST check If the mandatory attributes are present, the RADIUS server MUST check
if the RADIUS client is authorized to serve users of the realm if the RADIUS client is authorized to serve users of the realm
mentioned in the Digest-Realm attribute. If the RADIUS client is not mentioned in the Digest-Realm attribute. If the RADIUS client is not
authorized, the RADIUS server MUST send an Access-Reject. The RADIUS authorized, the RADIUS server MUST send an Access-Reject. The RADIUS
server SHOULD log the event so as to notify the operator, and MAY server SHOULD log the event so as to notify the operator, and MAY
take additional action such as sending an Access-Reject in response take additional action such as sending an Access-Reject in response
to all future requests from this client, until this behavior is reset to all future requests from this client, until this behavior is reset
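Review bot: the -01 column restores the backslash in the unescaping rule ("removes '\' characters that escape quote and '\' characters"), which the -00 column had lost, but the rule still leaves a backslash followed by any other character, or a trailing unpaired backslash, undefined; state explicitly that a Digest-* value containing such a sequence is malformed and is answered with an Access-Reject, the same way a missing mandatory attribute is, so that implementations do not diverge on the decoded value that then feeds the Digest-Realm authorization check and the digest computation. The ordering in this hunk is right: unescaping happens before the value of Digest-Realm is compared against the realms the RADIUS client is authorized to serve.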
skipping to change at page 12, line 33 skipping to change at page 12, line 33
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Text ... | Type | Length | Text ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Quote and backslash characters in Digest-* attributes representing Quote and backslash characters in Digest-* attributes representing
HTTP-style directives with a quoted-string syntax are escaped. The HTTP-style directives with a quoted-string syntax are escaped. The
surrounding quotes are removed. They are syntactical delimiters that surrounding quotes are removed. They are syntactical delimiters that
are redundant in RADIUS. For example, the directive are redundant in RADIUS. For example, the directive
realm="the realm="the \"example\" value"
is represented as follows: is represented as follows:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Digest-Realm | 23 | the | Digest-Realm | 23 | the \"example\" value |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3.1. Digest-Response attribute 3.1. Digest-Response attribute
Description Description
If this attribute is present in an Access-Request message, a If this attribute is present in an Access-Request message, a
RADIUS server implementing this specification MUST treat the RADIUS server implementing this specification MUST treat the
Access-Request as a request for Digest Authentication. When a Access-Request as a request for Digest Authentication. When a
RADIUS client receives a (Proxy-)Authorization header, it puts RADIUS client receives a (Proxy-)Authorization header, it puts
the request-digest value into a Digest-Response attribute. the request-digest value into a Digest-Response attribute.
This attribute (which enables the user to prove possession of This attribute (which enables the user to prove possession of
the password) MUST only be used in Access-Requests. the password) MUST only be used in Access-Request packets.
Type Type
103 for Digest-Response. 103 for Digest-Response.
Length Length
>= 3 >= 3
Text Text
When using HTTP Digest, the text field is 32 octets long and When using HTTP Digest, the text field is 32 octets long and
contains a hexadecimal representation of a 16-octet digest contains a hexadecimal representation of a 16-octet digest
value as it was calculated by the authenticated client. Other value as it was calculated by the authenticated client. Other
digest algorithms MAY define different digest lengths. The digest algorithms MAY define different digest lengths. The
text field MUST be copied from request-digest of text field MUST be copied from request-digest of
digest-response ([RFC2617]) without surrounding quotes. digest-response ([RFC2617]) without surrounding quotes.
3.2. Digest-Realm Attribute 3.2. Digest-Realm Attribute
Description Description
This attribute describes a protection space component of the This attribute describes a protection space component of the
RADIUS server. HTTP-style protocols differ in their definition RADIUS server. HTTP-style protocols differ in their definition
of the protection space. See [RFC2617], Section 1.2, for of the protection space. See [RFC2617], Section 1.2, for
details. It MUST only be used in Access-Request and details. It MUST only be used in Access-Request,
Access-Challenge packets. Access-Challenge, and Accounting-Request packets.
Type Type
104 for Digest-Realm 104 for Digest-Realm
Length Length
>=3 >=3
Text Text
In Access-Requests, the RADIUS client takes the value of the In Access-Requests, the RADIUS client takes the value of the
realm directive (realm-value according to [RFC2617]) without realm directive (realm-value according to [RFC2617]) without
surrounding quotes from the HTTP-style request it wants to surrounding quotes from the HTTP-style request it wants to
authenticate. In Access-Challenge packets, the RADIUS server authenticate. In Access-Challenge packets, the RADIUS server
puts the expected realm value into this attribute. puts the expected realm value into this attribute.
3.3. Digest-Nonce Attribute 3.3. Digest-Nonce Attribute
Description Description
This attribute holds a nonce to be used in the HTTP Digest This attribute holds a nonce to be used in the HTTP Digest
calculation. If the Access-Request had a Digest-Method and a calculation. If the Access-Request had a Digest-Method and a
Digest-URI but no Digest-Nonce attribute, the RADIUS server Digest-URI but no Digest-Nonce attribute, the RADIUS server
MUST put a Digest-Nonce attribute into its Access-Challenge MUST put a Digest-Nonce attribute into its Access-Challenge
packet. This attribute MUST only be used in Access-Request and packet. This attribute MUST only be used in Access-Request
Access-Challenge packets. and Access-Challenge packets.
Type Type
105 for Digest-Nonce 105 for Digest-Nonce
Length Length
>=3 >=3
Text Text
In Access-Requests, the RADIUS client takes the value of the In Access-Requests, the RADIUS client takes the value of the
nonce directive (nonce-value in [RFC2617]) without surrounding nonce directive (nonce-value in [RFC2617]) without surrounding
quotes from the HTTP-style request it wants to authenticate. quotes from the HTTP-style request it wants to authenticate.
In Access-Challenge packets, the attribute contains the nonce In Access-Challenge packets, the attribute contains the nonce
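Review bot: the Digest-Realm Description in the -01 column now permits the attribute in Accounting-Request packets, but the Text paragraph that follows still defines the value only for Access-Request (taken from the realm directive) and Access-Challenge (the expected realm); add the Accounting-Request case, i.e. which realm value the client reports there. The escaping example in the same hunk checks out: once the surrounding quotes of realm="the \"example\" value" are dropped, the escaped text is 21 octets, which with the Type and Length octets gives the Length value 23 shown in the figure, and the -01 column restores the \" sequences the -00 rendering had dropped.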
skipping to change at page 15, line 10 skipping to change at page 15, line 10
Length Length
>=3 >=3
Text Text
It is recommended that this text be base64 or hexadecimal data. It is recommended that this text be base64 or hexadecimal data.
3.6. Digest-Method Attribute 3.6. Digest-Method Attribute
Description Description
This attribute holds the method value to be used in the HTTP This attribute holds the method value to be used in the HTTP
Digest calculation. This attribute MUST only be used in Digest calculation. This attribute MUST only be used in
Access-Request packets. Access-Request and Accounting-Request packets.
Type Type
108 for Digest-Method 108 for Digest-Method
Length Length
>=3 >=3
Text Text
In Access-Requests, the RADIUS client takes the value of the In Access-Requests, the RADIUS client takes the value of the
request method from the HTTP-style request it wants to request method from the HTTP-style request it wants to
authenticate. authenticate.
3.7. Digest-URI Attribute 3.7. Digest-URI Attribute
Description Description
This attribute is used to transport the contents of the This attribute is used to transport the contents of the
digest-uri directive or the URI of the HTTP-style request. It digest-uri directive or the URI of the HTTP-style request.
MUST only be used in Access-Request packets. It MUST only be used in Access-Request and
Accounting-Request packets.
Type Type
109 for Digest-URI 109 for Digest-URI
Length Length
>=3 >=3
Text Text
If the HTTP-style request has an Authorization header, the If the HTTP-style request has an Authorization header, the
RADIUS client puts the value of the "uri" directive found in RADIUS client puts the value of the "uri" directive found in
the HTTP-style request Authorization header (known as the HTTP-style request Authorization header (known as
"digest-uri-value" in section 3.2.2 of [RFC2617]) without "digest-uri-value" in section 3.2.2 of [RFC2617]) without
surrounding quotes into this attribute. If there is no surrounding quotes into this attribute. If there is no
Authorization header, the RADIUS client takes the value of the Authorization header, the RADIUS client takes the value of
request URI from the HTTP-style request it wants to the request URI from the HTTP-style request it wants to
authenticate. authenticate.
3.8. Digest-Qop Attribute 3.8. Digest-Qop Attribute
Description Description
This attribute holds the Quality of Protection parameter that This attribute holds the Quality of Protection parameter that
influences the HTTP Digest calculation. This attribute MUST influences the HTTP Digest calculation. This attribute MUST
only be used in Access-Request and Access-Challenge packets. A only be used in Access-Request, Access-Challenge and
RADIUS client SHOULD insert one of the Digest-Qop attributes it Accounting-Request packets. A RADIUS client SHOULD insert
has received in a previous Access-Challenge packet. RADIUS one of the Digest-Qop attributes it has received in a previous
servers SHOULD insert at least one Digest-Qop attribute in an Access-Challenge packet. RADIUS servers SHOULD insert at
Access-Challenge packet. Digest-Qop is optional in order to least one Digest-Qop attribute in an Access-Challenge
preserve backward compatibility with a minimal implementation packet. Digest-Qop is optional in order to preserve
backward compatibility with a minimal implementation
of [RFC2069]. of [RFC2069].
Type Type
110 for Digest-Qop 110 for Digest-Qop
Length Length
>=3 >=3
Text Text
In Access-Requests, the RADIUS client takes the value of the In Access-Requests, the RADIUS client takes the value of the
qop directive (qop-value as described in [RFC2617]) from the qop directive (qop-value as described in [RFC2617]) from the
HTTP-style request it wants to authenticate. In HTTP-style request it wants to authenticate. In
Access-Challenge packets, the RADIUS server puts a desired Access-Challenge packets, the RADIUS server puts a desired
qop-value into this attribute. If the RADIUS server supports qop-value into this attribute. If the RADIUS server supports
more than one "quality of protection" value, it puts each more than one "quality of protection" value, it puts each
qop-value into a separate Digest-Qop attribute. qop-value into a separate Digest-Qop attribute.
3.9. Digest-Algorithm Attribute 3.9. Digest-Algorithm Attribute
Description Description
This attribute holds the algorithm parameter that influences This attribute holds the algorithm parameter that influences
the HTTP Digest calculation. It MUST only be used in the HTTP Digest calculation. It MUST only be used in
Access-Request and Access-Challenge packets. If this attribute Access-Request, Access-Challenge and Accounting-Request
is missing, MD5 is assumed. packets. If this attribute is missing, MD5 is assumed.
Type Type
111 for Digest-Algorithm 111 for Digest-Algorithm
Length Length
>=3 >=3
Text Text
In Access-Requests, the RADIUS client takes the value of the In Access-Requests, the RADIUS client takes the value of the
algorithm directive (as described in [RFC2617], section 3.2.1) algorithm directive (as described in [RFC2617], section 3.2.1)
from the HTTP-style request it wants to authenticate. In from the HTTP-style request it wants to authenticate. In
Access-Challenge packets, the RADIUS server SHOULD put the Access-Challenge packets, the RADIUS server SHOULD put the
desired algorithm into this attribute. desired algorithm into this attribute.
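Review bot: Digest-Method, Digest-URI, Digest-Qop and Digest-Algorithm each gain Accounting-Request in their Description in the -01 column, yet every Text paragraph in this hunk still opens with "In Access-Requests, the RADIUS client takes ..." and says nothing about the accounting case; one sentence per attribute (or one statement covering all four) saying that an Accounting-Request carries the same values that were sent in the corresponding Access-Request would close the gap. For Digest-Qop this matters most, since it is the attribute a consumer of the accounting record would consult to know whether the accounted request was protected with auth-int.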
skipping to change at page 17, line 12 skipping to change at page 17, line 14
>=3 >=3
Text Text
The attribute holds the hexadecimal representation of The attribute holds the hexadecimal representation of
H(entity-body). This hash is required by certain H(entity-body). This hash is required by certain
authentication mechanisms, such as HTTP Digest with quality of authentication mechanisms, such as HTTP Digest with quality of
protection set to "auth-int". RADIUS clients MUST use this protection set to "auth-int". RADIUS clients MUST use this
attribute to transport the hash of the entity body when HTTP attribute to transport the hash of the entity body when HTTP
Digest is the authentication mechanism and the RADIUS server Digest is the authentication mechanism and the RADIUS server
requires that the integrity of the entity body (e.g., qop requires that the integrity of the entity body (e.g., qop
parameter set to "auth-int") be verified. Extensions to this parameter set to "auth-int") be verified. Extensions to this
document may define support for authentication mechanisms other document may define support for authentication mechanisms
than HTTP Digest. other than HTTP Digest.
3.11. Digest-CNonce Attribute 3.11. Digest-CNonce Attribute
Description Description
This attribute holds the client nonce parameter that is used in This attribute holds the client nonce parameter that is used in
the HTTP Digest calculation. It MUST only be used in the HTTP Digest calculation. It MUST only be used in
Access-Request packets. Access-Request packets.
Type Type
113 for Digest-CNonce 113 for Digest-CNonce
Length Length
skipping to change at page 18, line 6 skipping to change at page 18, line 8
3.13. Digest-Username Attribute 3.13. Digest-Username Attribute
Description Description
This attribute holds the user name used in the HTTP Digest This attribute holds the user name used in the HTTP Digest
calculation. The RADIUS server MUST use this attribute only calculation. The RADIUS server MUST use this attribute only
for the purposes of calculating the digest. In order to for the purposes of calculating the digest. In order to
determine the appropriate user credentials, the RADIUS server determine the appropriate user credentials, the RADIUS server
MUST use the User-Name (1) attribute, and MUST NOT use the MUST use the User-Name (1) attribute, and MUST NOT use the
Digest-Username attribute. This attribute MUST only be used in Digest-Username attribute. This attribute MUST only be used in
Access-Request packets. Access-Request and Accounting-Request packets.
Type Type
115 for Digest-Username 115 for Digest-Username
Length Length
>= 3 >= 3
Text Text
In Access-Requests, the RADIUS client takes the value of the In Access-Requests, the RADIUS client takes the value of the
username directive (username-value according to [RFC2617]) username directive (username-value according to [RFC2617])
without surrounding quotes from the HTTP-style request it wants without surrounding quotes from the HTTP-style request it wants
to authenticate. to authenticate.
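Review bot: the rule "MUST use the User-Name (1) attribute, and MUST NOT use the Digest-Username attribute" in 3.13 is stated only for determining credentials; with Digest-Username now also allowed in Accounting-Request packets (the -01 column), say whether the same rule applies to accounting, i.e. that records are keyed by User-Name and Digest-Username is carried only as the literal value that went into the digest, so that an accounting consumer does not attribute usage to an unverified name.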
skipping to change at page 19, line 7 skipping to change at page 19, line 9
that are not understood by the RADIUS client and for which that are not understood by the RADIUS client and for which
there are no corresponding stand-alone attributes. there are no corresponding stand-alone attributes.
Unlike the previously listed Digest-* attributes, the Unlike the previously listed Digest-* attributes, the
Digest-Auth-Param contains not only the value but also the Digest-Auth-Param contains not only the value but also the
parameter name, since the parameter name is unknown to the parameter name, since the parameter name is unknown to the
RADIUS client. If the Digest header contains several unknown RADIUS client. If the Digest header contains several unknown
parameters, then the RADIUS implementation MUST repeat this parameters, then the RADIUS implementation MUST repeat this
attribute and each instance MUST contain one different unknown attribute and each instance MUST contain one different unknown
Digest parameter/value combination. This attribute MUST ONLY Digest parameter/value combination. This attribute MUST ONLY
be used in Access-Request, Access-Challenge, or Access-Accept be used in Access-Request, Access-Challenge, Access-Accept
packets. and Accounting-Request packets.
Type Type
117 for Digest-Auth-Param 117 for Digest-Auth-Param
Length Length
>=3 >=3
Text Text
The text consists of the whole parameter, including its name The text consists of the whole parameter, including its name
and the equal sign ('=') and quotes. and the equal sign ('=') and quotes.
3.16. Digest-AKA-Auts Attribute 3.16. Digest-AKA-Auts Attribute
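Review bot: the Text definition of Digest-Auth-Param, "the whole parameter, including its name and the equal sign ('=') and quotes", conflicts with the general Digest-* rule earlier on the page that surrounding quotes are removed and quote and backslash characters are escaped, and with the server-side step in 2.2.1 that strips escaping backslashes from all Digest-* values; say explicitly whether Digest-Auth-Param is exempt from both (carried verbatim) or whether its value part is escaped like the others, because a server that unescapes it and re-emits it into a header would alter the parameter. It is also worth stating that a server cannot validate a parameter it does not understand and should do nothing with it beyond passing it through.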
skipping to change at page 19, line 45 skipping to change at page 19, line 47
3.17. Digest-Domain Attribute 3.17. Digest-Domain Attribute
Description Description
When a RADIUS client has asked for a nonce, the RADIUS server When a RADIUS client has asked for a nonce, the RADIUS server
MAY send one or more Digest-Domain attributes in its MAY send one or more Digest-Domain attributes in its
Access-Challenge packet. The RADIUS client puts them into the Access-Challenge packet. The RADIUS client puts them into the
quoted, space-separated list of URIs of the 'domain' directive quoted, space-separated list of URIs of the 'domain' directive
of a WWW-Authenticate header. Together with Digest-Realm, the of a WWW-Authenticate header. Together with Digest-Realm, the
URIs in the list define the protection space (see [RFC2617], URIs in the list define the protection space (see [RFC2617],
section 3.2.1) for some HTTP-style protocols. This attribute section 3.2.1) for some HTTP-style protocols. This attribute
MUST only be used in Access-Challenge packets. MUST only be used in Access-Challenge and Accounting-Request
packets.
Type Type
119 for Digest-Domain 119 for Digest-Domain
Length Length
3 3
Text Text
This attribute consists of a single URI that defines a This attribute consists of a single URI that defines a
protection space component. protection space component.
3.18. Digest-Stale Attribute 3.18. Digest-Stale Attribute
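Review bot: Length for Digest-Domain reads "3" in both columns, which would allow exactly one octet of text, while the Text paragraph says the attribute holds a single URI; this should be ">=3" like the other Digest-* attributes. The Description in the -01 column also adds Accounting-Request, which agrees with the 0+ entry in the Acct-Req column of the attribute table, but the Text paragraph should then say which URIs a client reports there.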
skipping to change at page 22, line 5 skipping to change at page 22, line 5
companion document "Diameter Session Initiation Protocol (SIP) companion document "Diameter Session Initiation Protocol (SIP)
Application" [RFC4740] defines support for Digest Authentication in Application" [RFC4740] defines support for Digest Authentication in
Diameter, and addresses compatibility issues between RADIUS and Diameter, and addresses compatibility issues between RADIUS and
Diameter. Diameter.
5. Table of Attributes 5. Table of Attributes
The following table provides a guide to which attributes may be found The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity. in which kinds of packets, and in what quantity.
+-----+--------+--------+-----------+-----+-------------------------+ Access- Access- Access- Access- Acct-
| Req | Accept | Reject | Challenge | # | Attribute | Request Accept Reject Challenge Req # Attribute
+-----+--------+--------+-----------+-----+-------------------------+ 0-1 0 0 0 0-1 1 User-Name
| 1 | 0 | 0 | 0 | 1 | User-Name | 0-1 0 0 1 0 24 State [4]
| 1 | 1 | 1 | 1 | 80 | Message-Authenticator | 1 1 1 1 0-1 80 Message-Authenticator
| 0-1 | 0 | 0 | 0 | 103 | Digest-Response | 0-1 0 0 0 0 103 Digest-Response
| 0-1 | 0 | 0 | 1 | 104 | Digest-Realm | 0-1 0 0 1 0-1 104 Digest-Realm
| 0-1 | 0 | 0 | 1 | 105 | Digest-Nonce | 0-1 0 0 1 0 105 Digest-Nonce
| 0 | 0-1 | 0 | 0 | 106 | Digest-Response-Auth | 0 0-1 0 0 0 106 Digest-Response-Auth [1][2]
   draft-ietf-radext-rfc4590bis-00 (columns: Req, Accept, Reject,
   Challenge, #, Attribute; the header row and the rows above attribute
   107 fall outside this excerpt):

   |     |        |        |           |     | (see Note 1, 2)         |
   | 0   | 0-1    | 0      | 0         | 107 | Digest-Nextnonce        |
   | 1   | 0      | 0      | 0         | 108 | Digest-Method           |
   | 0-1 | 0      | 0      | 0         | 109 | Digest-URI              |
   | 0-1 | 0      | 0      | 0+        | 110 | Digest-Qop              |
   | 0-1 | 0      | 0      | 0-1       | 111 | Digest-Algorithm (see   |
   |     |        |        |           |     | Note 3)                 |
   | 0-1 | 0      | 0      | 0         | 112 | Digest-Entity-Body-Hash |
   | 0-1 | 0      | 0      | 0         | 113 | Digest-CNonce           |
   | 0-1 | 0      | 0      | 0         | 114 | Digest-Nonce-Count      |
   | 0-1 | 0      | 0      | 0         | 115 | Digest-Username         |
   | 0-1 | 0      | 0      | 0-1       | 116 | Digest-Opaque           |
   | 0+  | 0+     | 0      | 0+        | 117 | Digest-Auth-Param       |
   | 0-1 | 0      | 0      | 0         | 118 | Digest-AKA-Auts         |
   | 0   | 0      | 0      | 0+        | 119 | Digest-Domain           |
   | 0   | 0      | 0      | 0-1       | 120 | Digest-Stale            |
   | 0   | 0-1    | 0      | 0         | 121 | Digest-HA1 (see Note 1, |
   |     |        |        |           |     | 2)                      |
   | 0-1 | 0      | 0      | 0         | 122 | SIP-AOR                 |
   | 0-1 | 0      | 0      | 1         | 24  | State (see Note 4)      |
   +-----+--------+--------+-----------+-----+-------------------------+

                                 Table 1

   draft-ietf-radext-rfc4590bis-01 (columns, left to right: Access-
   Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-
   Request, #, Attribute; the Accounting-Request column is the one added
   in -01 per Appendix A; the header row and the rows above attribute
   107 fall outside this excerpt):

   Req  Acc  Rej  Cha  Acct   #   Attribute
   0    0-1  0    0    0     107  Digest-Nextnonce
   1    0    0    0    0-1   108  Digest-Method
   0-1  0    0    0    0-1   109  Digest-URI
   0-1  0    0    0+   0-1   110  Digest-Qop
   0-1  0    0    0-1  0-1   111  Digest-Algorithm [3]
   0-1  0    0    0    0     112  Digest-Entity-Body-Hash
   0-1  0    0    0    0     113  Digest-CNonce
   0-1  0    0    0    0     114  Digest-Nonce-Count
   0-1  0    0    0    0-1   115  Digest-Username
   0-1  0    0    0-1  0     116  Digest-Opaque
   0+   0+   0    0+   0+    117  Digest-Auth-Param
   0-1  0    0    0    0     118  Digest-AKA-Auts
   0    0    0    0+   0+    119  Digest-Domain
   0    0    0    0-1  0     120  Digest-Stale
   0    0-1  0    0    0     121  Digest-HA1 [1][2]
   0-1  0    0    0    0     122  SIP-AOR

   The following table defines the meaning of the above table entries.

   0     This attribute MUST NOT be present in the packet.
   0+    Zero or more instances of this attribute MAY be
         present in the packet.
   0-1   Zero or one instance of this attribute MAY be
         present in the packet.

   Notes (common to both drafts):

   [Note 1] Digest-HA1 MUST be used instead of Digest-Response-Auth if
            Digest-Qop is 'auth-int'.
   [Note 2] Digest-Response-Auth MUST be used instead of Digest-HA1 if
            Digest-Qop is 'auth'.
   [Note 3] If Digest-Algorithm is missing, 'MD5' is assumed.
   [Note 4] An Access-Challenge MUST contain a State attribute, which is
   skipping to change at page 26, line 44

   B->A

   HTTP/1.1 200 OK
   ...
   <html>
   ...
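Added example, not code from either draft: a checker that applies the occurrence rules of Table 1 and Notes 1 to 3 (Section 5 above) to decoded packets. It assumes the -01 column order Access-Request, Access-Accept, Access-Reject, Access-Challenge, Accounting-Request (the header row is outside this excerpt; the fifth column is Accounting-Request per Appendix A), encodes only the rows visible here (attributes 107 to 122; the State row is left out because its Accounting-Request entry is not shown, and Digest-Response-Auth is covered only through Notes 1 and 2 because its row is cut off), and takes attribute names and values as a decoder would present them rather than parsing RADIUS on the wire. The sample packets at the bottom are constructed. The Note 1/2 check is the security-relevant one: in HTTP Digest (RFC 2617) HA1 is MD5(username:realm:password), a password-equivalent, so an Access-Accept that carries Digest-HA1 when the request used qop 'auth' hands the RADIUS client a credential it does not need.

```python
# Added example (not text from the draft): table-driven check of the
# attribute-occurrence rules in Table 1 (rows 107-122 as visible in this
# excerpt of draft-ietf-radext-rfc4590bis-01) plus Notes 1-3.  A packet is
# modelled as its RADIUS code name and a list of (attribute, value) pairs.
from collections import Counter

# Column order assumed for the -01 table: the four Access-* codes of
# RFC 2865 plus the Accounting-Request column that -01 added (Appendix A).
PACKET_TYPES = ("Access-Request", "Access-Accept", "Access-Reject",
                "Access-Challenge", "Accounting-Request")

# attribute -> (type number, occurrence rule per PACKET_TYPES column).
# "0": MUST NOT appear, "0-1": at most one, "0+": any number,
# "1": exactly one (Digest-Method is required in an Access-Request).
TABLE1 = {
    "Digest-Nextnonce":        (107, ("0",   "0-1", "0", "0",   "0")),
    "Digest-Method":           (108, ("1",   "0",   "0", "0",   "0-1")),
    "Digest-URI":              (109, ("0-1", "0",   "0", "0",   "0-1")),
    "Digest-Qop":              (110, ("0-1", "0",   "0", "0+",  "0-1")),
    "Digest-Algorithm":        (111, ("0-1", "0",   "0", "0-1", "0-1")),
    "Digest-Entity-Body-Hash": (112, ("0-1", "0",   "0", "0",   "0")),
    "Digest-CNonce":           (113, ("0-1", "0",   "0", "0",   "0")),
    "Digest-Nonce-Count":      (114, ("0-1", "0",   "0", "0",   "0")),
    "Digest-Username":         (115, ("0-1", "0",   "0", "0",   "0-1")),
    "Digest-Opaque":           (116, ("0-1", "0",   "0", "0-1", "0")),
    "Digest-Auth-Param":       (117, ("0+",  "0+",  "0", "0+",  "0+")),
    "Digest-AKA-Auts":         (118, ("0-1", "0",   "0", "0",   "0")),
    "Digest-Domain":           (119, ("0",   "0",   "0", "0+",  "0+")),
    "Digest-Stale":            (120, ("0",   "0",   "0", "0-1", "0")),
    "Digest-HA1":              (121, ("0",   "0-1", "0", "0",   "0")),
    "SIP-AOR":                 (122, ("0-1", "0",   "0", "0",   "0")),
}


def count_allowed(rule, n):
    """Does a count of n instances satisfy a Table 1 occurrence rule?"""
    return {"0": n == 0, "0-1": n <= 1, "0+": True, "1": n == 1}[rule]


def first_value(attrs, name):
    """Value of the first instance of `name`, or None if it is absent."""
    for attr, value in attrs:
        if attr == name:
            return value
    return None


def effective_algorithm(request_attrs):
    """Note 3: 'MD5' is assumed when Digest-Algorithm is missing."""
    value = first_value(request_attrs, "Digest-Algorithm")
    return "MD5" if value is None else value


def check_packet(ptype, attrs):
    """Table 1 violations in one packet; an empty list means it passes.
    Attributes whose rows are outside the excerpt are not checked."""
    col = PACKET_TYPES.index(ptype)
    counts = Counter(name for name, _ in attrs)
    problems = []
    for name, (num, rules) in TABLE1.items():
        n = counts.get(name, 0)
        if not count_allowed(rules[col], n):
            problems.append(f"{name} ({num}) appears {n} times; rule for "
                            f"{ptype} is '{rules[col]}'")
    return problems


def check_access_accept(request_attrs, accept_attrs):
    """Table 1 check of an Access-Accept plus Notes 1 and 2.  Digest-Qop
    MUST NOT appear in an Access-Accept, so the qop that selects between
    Digest-HA1 and Digest-Response-Auth is read from the Access-Request
    being answered."""
    problems = check_packet("Access-Accept", accept_attrs)
    qop = first_value(request_attrs, "Digest-Qop")
    has_ha1 = first_value(accept_attrs, "Digest-HA1") is not None
    has_rauth = first_value(accept_attrs, "Digest-Response-Auth") is not None
    if qop == "auth-int" and has_rauth:
        problems.append("Note 1: qop 'auth-int' requires Digest-HA1, "
                        "not Digest-Response-Auth")
    if qop == "auth" and has_ha1:
        problems.append("Note 2: qop 'auth' requires Digest-Response-Auth, "
                        "not Digest-HA1 (HA1 is password-equivalent)")
    return problems


if __name__ == "__main__":
    # Constructed sample exchange, not taken from the draft.
    request = [("Digest-Method", "INVITE"),
               ("Digest-URI", "sip:alice@example.com"),
               ("Digest-Qop", "auth"), ("Digest-Username", "alice")]
    print(check_packet("Access-Request", request))
    print(check_access_accept(request, [("Digest-HA1", "0123abcd")]))
    print(check_packet("Access-Accept", [("Digest-Domain", "sip:example.com")]))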
7.  IANA Considerations

   draft-ietf-radext-rfc4590bis-00:

   This document serves as an IANA registration request for a number of
   values from the RADIUS attribute type number space.  The IANA has
   assigned the following:

   draft-ietf-radext-rfc4590bis-01:

   The following values from the RADIUS attribute type number space were
   assigned in [RFC4590].  This document requests that the values in the
   table below be entered within the existing registry.

   Attribute              #
   ---------------       ----
   Digest-Response       103
   Digest-Realm          104
   Digest-Nonce          105
   Digest-Response-Auth  106
   Digest-Nextnonce      107
   Digest-Method         108
   Digest-URI            109
   skipping to change at page 29, line 46

9.2.  Informative References

   [RFC1994] Simpson, W., "PPP Challenge Handshake Authentication Protocol
             (CHAP)", RFC 1994, August 1996.

   [RFC2069] Franks, J., Hallam-Baker, P., Hostetler, J., Leach, P.,
             Luotonen, A., Sink, E., and L. Stewart, "An Extension to HTTP:
             Digest Access Authentication", RFC 2069, January 1997.

   [RFC3310] Niemi, A., Arkko, J., and V. Torvinen, "Hypertext Transfer
             Protocol (HTTP) Digest Authentication Using Authentication and
             Key Agreement (AKA)", RFC 3310, September 2002.

   [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
             Arkko, "Diameter Base Protocol", RFC 3588, September 2003.

   [RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
             (S/MIME) Version 3.1 Message Specification", RFC 3851, July
             2004.

   [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
             (TLS) Protocol Version 1.1", RFC 4346, April 2006.

   [RFC4590] Sterman, B., Sadolevsky, D., Schwartz, D., Williams, D., and
             W. Beck, "RADIUS Extension for Digest Authentication", RFC
             4590, July 2006.

   [RFC4740] Garcia-Martin, M., Belinchon, M., Pallares-Lopez, M., Canales-
             Valenzuela, C. and K. Tammik, "Diameter Session Initiation
             Protocol (SIP) Application", RFC 4740, November 2006.

   (draft-ietf-radext-rfc4590bis-00 listed [RFC4346] and [RFC3851]
   directly after [RFC2069] and had no entry for [RFC4590] even though
   Appendix A cites it; -01 orders the list by RFC number and adds the
   [RFC4590] entry.)
Acknowledgments

   We would like to acknowledge Kevin McDermott (Cisco Systems) for
   providing comments and experimental implementation.

   Many thanks to all reviewers, especially to Miguel Garcia, Jari

   skipping to change at page 31, line 25 (-00) / line 29 (-01)

   Germany

   EMail: beckw@t-systems.com
Appendix A - Changes from RFC 4590

   This Appendix lists the major changes between [RFC4590] and this
   document.  Minor changes, including style, grammar, spelling, and
   editorial changes are not mentioned here.

   draft-ietf-radext-rfc4590bis-01 adds the following list (in -00,
   Appendix A ends after the paragraph above):

   o  The Table of Attributes (Section 5) now indicates that the Digest-
      Method attribute is required within an Access-Request.  Also, an
      entry has been added for the State attribute.  The table also
      includes entries for Accounting-Request messages.  As noted in the
      examples, the User-Name attribute is not necessary when requesting a
      nonce.

   o  Two errors in attribute assignment have been corrected within the
      IANA Considerations (Section 7).  Digest-Response-Auth is assigned
      attribute 106, and Digest-Nextnonce is assigned attribute 107.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   skipping to change at page 32, line 5 (-00) / line 45 (-01)

   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at ietf-
   ipr@ietf.org.

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The IETF Trust (2007).  This document is subject to the
   rights, licenses and restrictions contained in BCP 78, and except as
   set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).

   (The back matter above follows the order of draft-ietf-radext-
   rfc4590bis-01.  In -00 it ran: a heading "Intellectual Property
   Statement", then "Full Copyright Statement" with the same copyright
   and "AS IS" disclaimer text, then the "The IETF takes no position..."
   paragraphs, then an Acknowledgment reading "Funding for the RFC
   Editor function is currently provided by the Internet Society.")

Open issues

   Open issues relating to this specification are tracked on the
   following web site:

   http://www.drizzle.com/~aboba/RADEXT/
 End of changes. 30 change blocks. 
101 lines changed or deleted, 117 lines changed or added.

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/