draft-ietf-radext-tcp-transport-00.txt   draft-ietf-radext-tcp-transport-01.txt 
Network Working Group A. DeKok Network Working Group A. DeKok
INTERNET-DRAFT FreeRADIUS INTERNET-DRAFT FreeRADIUS
Category: Proposed Standard Category: Proposed Standard
<draft-ietf-radext-tcp-transport-00.txt> <draft-ietf-radext-tcp-transport-01.txt>
Expires: June 11, 2009 Expires: June 11, 2009
11 December 2008 11 December 2008
RADIUS Over TCP RADIUS Over TCP
draft-ietf-radext-tcp-transport-00 draft-ietf-radext-tcp-transport-01
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Documents (http://trustee.ietf.org/license-info) in effect on the Documents (http://trustee.ietf.org/license-info) in effect on the
date of publication of this document. Please review these documents date of publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. to this document.
Abstract Abstract
The Remote Authentication Dial In User Server (RADIUS) Protocol has The Remote Authentication Dial In User Server (RADIUS) Protocol has
traditionally used the User Datagram Protocol (UDP) as it's traditionally used the User Datagram Protocol (UDP) as it's
underlying transport layer. This document defines RADIUS over the underlying transport layer. This document defines RADIUS over the
Transport Control Protocol (TCP). Transmission Control Protocol (TCP).
Table of Contents Table of Contents
1. Introduction ............................................. 3 1. Introduction ............................................. 3
1.1. Benefits of Reliable Transport ...................... 3 1.1. Benefits of Reliable Transport ...................... 3
1.2. Drawbacks of Reliable Transport ..................... 4 1.2. Drawbacks of Reliable Transport ..................... 4
1.3. Terminology ......................................... 4 1.3. Terminology ......................................... 4
1.4. Requirements Language ............................... 5 1.4. Requirements Language ............................... 5
2. Changes to RADIUS ........................................ 5 2. Changes to RADIUS ........................................ 5
2.1. Packet Format ....................................... 5 2.1. Packet Format ....................................... 5
2.2. TCP Ports ........................................... 5 2.2. Assigned Ports for RADIUS Over TCP .................. 6
2.3. Management Information Base (MIB) ................... 6 2.3. Management Information Base (MIB) ................... 6
2.4. Interaction with RadSec ............................. 6 2.4. Interaction with RadSec ............................. 7
2.4.1. Applicability .................................. 6 2.4.1. Applicability .................................. 7
2.5. RADIUS Proxies ...................................... 7 2.5. RADIUS Proxies ...................................... 7
2.6. TCP Specific Issues ................................. 7 2.6. TCP Specific Issues ................................. 8
2.6.1. Duplicates and Retransmissions ................. 8 2.6.1. Duplicates and Retransmissions ................. 9
2.6.2. Shared Secrets ................................. 9 2.6.2. Shared Secrets ................................. 10
2.6.3. Malformed Packets and Unknown Clients .......... 9 2.6.3. Malformed Packets and Unknown Clients .......... 10
2.6.4. Limits of the ID Field ......................... 10 2.6.4. Limitations of the ID Field .................... 11
2.6.5. EAP Sessions ................................... 10 2.6.5. EAP Sessions ................................... 11
2.6.6. TCP Applications are not UDP Applications ...... 11 2.6.6. TCP Applications are not UDP Applications ...... 12
3. Diameter Considerations .................................. 11 3. Diameter Considerations .................................. 12
4. IANA Considerations ...................................... 11 4. IANA Considerations ...................................... 12
5. Security Considerations .................................. 11 5. Security Considerations .................................. 12
6. References ............................................... 12 6. References ............................................... 13
6.1. Normative References ................................ 12 6.1. Normative References ................................ 13
6.2. Informative References .............................. 12 6.2. Informative References .............................. 13
1. Introduction 1. Introduction
The RADIUS Protocol has been defined in [RFC2865] as using the User The RADIUS Protocol has been defined in [RFC2865] as using the User
Datagram Protocol (UDP) for the underlying transport layer. While Datagram Protocol (UDP) for the underlying transport layer. While
there are a number of benefits to using UDP as outlined in [RFC2865] there are a number of benefits to using UDP as outlined in [RFC2865]
Section 2.4, there are also some limitations: Section 2.4, there are also some limitations:
* Unreliable transport. As a result, systems using RADIUS have to * Unreliable transport. As a result, systems using RADIUS have to
implement application-layer timers and re-transmissions, as implement application-layer timers and re-transmissions, as
skipping to change at page 3, line 25 skipping to change at page 3, line 25
* Packet fragmentation. [RFC2865] Section 3 permits RADIUS * Packet fragmentation. [RFC2865] Section 3 permits RADIUS
packets to up to 4096 octets in length. These packets are larger packets to up to 4096 octets in length. These packets are larger
than the default Internet MTU (576), resulting in fragmentation of than the default Internet MTU (576), resulting in fragmentation of
the packets at the IP layer. Transport of fragmented UDP packets the packets at the IP layer. Transport of fragmented UDP packets
appearsto be a poorly tested code path on network devices. Some appearsto be a poorly tested code path on network devices. Some
devices appear to be incapable of transporting fragmented UDP devices appear to be incapable of transporting fragmented UDP
packets, making it difficult to deploy RADIUS in a network where packets, making it difficult to deploy RADIUS in a network where
those devices are deployed. those devices are deployed.
* Connectionless transport. Neither clients no servers can * Connectionless transport. Neither clients nor servers can
reliably detect when the other is down. This information has be reliably detect when the other is down. This information has to
deduced from the absence of a reply to a request. be deduced instead from the absence of a reply to a request.
As RADIUS is widely deployed, and has been widely deployed for well As RADIUS is widely deployed, and has been widely deployed for well
over a decade, these issues are relatively minor. However, new over a decade, these issues are relatively minor. However, new
systems may be interested in choosing a different set of trade-offs systems may be interested in choosing a different set of trade-offs
than those outlined in [RFC2865] Section 2.4. For those systems, we than those outlined in [RFC2865] Section 2.4. For those systems, we
define RADIUS over TCP. define RADIUS over TCP.
1.1. Benefits of Reliable Transport 1.1. Benefits of Reliable Transport
There are a number of benefits to using a reliable transport. For There are a number of benefits to using a reliable transport. For
example, when RADIUs is used to carry EAP conversions [RFC3579], the example, when RADIUS is used to carry EAP conversions [RFC3579], the
EAP exchanges may involve 10 round trips at the RADIUS application EAP exchanges may involve 10 round trips at the RADIUS application
layer. If we assume a 0.1% probability of packet loss in each layer. If we assume a 0.1% probability of packet loss in each
direction, then approximately 2% (1 - 0.999^20) of the authentication direction, then approximately 2% (1 - 0.999^20) of the authentication
attempts will have a lost packet. If we assume a 0.01% packet loss, attempts will have a lost packet. If we assume a 0.01% packet loss,
then 0.2% of authentication attempts will result in a lost packet. then 0.2% of authentication attempts will result in a lost packet.
These lost packets require the supplicant and/or the NAS to re- These lost packets require the supplicant and/or the NAS to re-
transmit packets at the application layer. The difficulty with this transmit packets at the application layer. The difficulty with this
approach is that retransmission implementations have historically approach is that retransmission implementations have historically
been poor. Some implementations retransmit packets, others do not. been poor. Some implementations retransmit packets, others do not,
and others send new packets rather then performing retransmission.
Some implementations are incapable of detecting EAP retransmissions, Some implementations are incapable of detecting EAP retransmissions,
and will instead treat the retransmitted packet as an error. and will instead treat the retransmitted packet as an error.
These retransmissions have a high likelihood of causing the entire These retransmissions have a high likelihood of causing the entire
authentication session to fail. For systems with millions to tens of authentication session to fail. For systems with millions to tens of
millions of users, such a high authentication failure rate (0.2% to millions of users, such a high authentication failure rate (0.2% to
2%) may be unacceptable. 2%) may be unacceptable.
Using TCP as an underlying reliable transport means that the RADIUS In addition, transport of fragmented UDP packets appears to be a
implementations can remove all of the application-layer poorly tested code path on network devices. Some devices appear to
retransmissions, and instead rely on the Operating System (OS) be incapable of transporting fragmented UDP packets, meaning that the
kernel's well-tested TCP transport. packet loss rate for fragmented packets approaches 100 percent. The
net effect can be to prevent the deployment of authentication methods
such as EAP-TLS that require large RADIUS packets.
Using a reliable transport method such as TCP means that RADIUS
implementations can remove all application-layer retransmissions, and
instead rely on the Operating System (OS) kernel's well-tested TCP
transport to ensure reliable delivery. In addition, most TCP
implementations discover Path MTU better than RADIUS application
implementations, resulting in significantly fewer fragmented packets.
Modern TCP implementations also implement anti-spoofing provisions,
which is more difficult to do in UDP applications.
Transporting RADIUS over TCP means that the RADIUS applications can
leverage these additional protections offered by TCP.
1.2. Drawbacks of Reliable Transport 1.2. Drawbacks of Reliable Transport
No protocol is perfect for all uses. RADIUS over TCP has some No protocol is perfect for all uses. RADIUS over TCP has some
drawbacks, as noted in [RFC2865] Section 2.4. [RFC3539] Section 2 drawbacks, as noted in [RFC2865] Section 2.4. [RFC3539] Section 2
discusses further issues with using TCP as a transport for discusses further issues with using TCP as a transport for
Authentication, Authorization, and/or Accounting (AAA) protocols such Authentication, Authorization, and/or Accounting (AAA) protocols such
as RADIUS. as RADIUS.
The impact of these issues is dicussed in more detail, below. The impact of these issues is dicussed in more detail below.
1.3. Terminology 1.3. Terminology
This document uses the following terms: This document uses the following terms:
Network Access Server (NAS) RADIUS client
A device that provides an access service for a user to a network. A device that provides an access service for a user to a network.
Also referred to as a Network Access Server, or NAS.
RADIUS server RADIUS server
A RADIUS authentication, authorization, and/or accounting (AAA) A RADIUS authentication, authorization, and/or accounting (AAA)
server is an entity that provides one or more AAA services to a server is an entity that provides one or more AAA services to a
NAS. NAS.
RADIUS proxy RADIUS proxy
A RADIUS proxy acts as a RADIUS server to the NAS, and a RADIUS A RADIUS proxy acts as a RADIUS server to the NAS, and a RADIUS
client to the RADIUS server. client to the RADIUS server.
skipping to change at page 5, line 15 skipping to change at page 5, line 29
1.4. Requirements Language 1.4. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Changes to RADIUS 2. Changes to RADIUS
Adding TCP as a RADIUS transport has a number of impacts on the Adding TCP as a RADIUS transport has a number of impacts on the
protocol, on applications using the protocol, and on networks that protocol, on applications using the protocol, and on networks that
deploy the protocol. This section outlines those impacts, and deploy the protocol. In short, RADIUS over TCP is little more than
defines behaviors. sending RADIUS formatted messages over a TCP connection.
As always, there are additional details that need to be discussed.
This section outlines the various impacts of using RADIUS over TCP,
and the discusses the proposal in more detail.
2.1. Packet Format 2.1. Packet Format
The RADIUS packet format is unchanged from [RFC2865], [RFC2866], and The RADIUS packet format is unchanged from [RFC2865], [RFC2866], and
[RFC5176]. Specifically, all of the following portions of RADIUS [RFC5176]. Specifically, all of the following portions of RADIUS
MUST be unchanged when using RADIUS over TCP: MUST be unchanged when using RADIUS over TCP:
* Packet format * Packet format
* Permitted codes * Permitted codes
* Request Authenticator calculation * Request Authenticator calculation
* Response Authenticator calculation * Response Authenticator calculation
* Minimum packet length * Minimum packet length
* Maximum packet length * Maximum packet length
* Attribute format * Attribute format
* Vendor-Specific Attribute (VSA) format * Vendor-Specific Attribute (VSA) format
* Permitted data types * Permitted data types
* Calculations of dynamic attributes such as CHAP-Challenge, * Calculations of dynamic attributes such as CHAP-Challenge,
or Message-Authenticator. or Message-Authenticator.
* Calculation of "encrypted" attributes such as Tunnel-Password.
The changes to RADIUS implementations required to implement this The changes to RADIUS implementations required to implement this
specification are largely limited to the code that sends and receives specification are largely limited to the portions that send and
packets on the network. receive packets on the network.
2.2. TCP Ports 2.2. Assigned Ports for RADIUS Over TCP
IANA has already assigned TCP ports for RADIUS transport, as outlined IANA has already assigned TCP ports for RADIUS transport, as outlined
below: below:
* radius 1812/udp * radius 1812/tcp
* radius-acct 1813/tcp * radius-acct 1813/tcp
* radius-dynauth 3799/tcp * radius-dynauth 3799/tcp
These ports are unused by existing RADIUS applications. These ports are unused by existing RADIUS applications.
Implementations SHOULD use the assigned values as the default ports Implementations SHOULD use the assigned values as the default ports
for RADIUS over TCP. for RADIUS over TCP.
The early deployment of RADIUS was done using UDP port number 1645, The early deployment of RADIUS was done using UDP port number 1645,
which conflicts with the "datametrics" service. Implementations which conflicts with the "datametrics" service. Implementations
using RADIUS over TCP MUST NOT use TCP ports 1645 or 1646 as the using RADIUS over TCP MUST NOT use TCP ports 1645 or 1646 as the
default ports for this specification. default ports for this specification.
2.3. Management Information Base (MIB) 2.3. Management Information Base (MIB)
The MIB definitions in [RFC4668], [RFC4669], [RFC4670], [RFC4671], The MIB definitions in [RFC4668], [RFC4669], [RFC4670], [RFC4671],
[RFC4672], and [RFC4673] each contain only one reference to UDP. [RFC4672], and [RFC4673] each contain only one reference to UDP.
These references are in the DESCRIPTION field of the MIB definition, These references are in the DESCRIPTION field of the MIB definition,
and are in the form of "The UDP port" or "the UDP destination port". and are in the form of "The UDP port" or "the UDP destination port".
Implementations of RADIUS over TCP MAY re-use these MIBs to perform Implementations of RADIUS over TCP SHOULD re-use these MIBs to
statistics counting for RADIUS over TCP connections. However, perform statistics counting for RADIUS over TCP connections.
implementors are warned that there is no way for these MIBs to However, implementors are warned that there is no way for these MIBs
distinguish between packets sent over UDP or over TCP transport. to distinguish between packets sent over UDP or over TCP transport.
Similarly, there is no requirement in RADIUS that the RADIUS services Similarly, there is no requirement in RADIUS that the RADIUS services
offered over UDP on a particular IP address and port are identical to offered over UDP on a particular IP address and port are identical to
the RADIUS services offered over TCP on a particular IP address and the RADIUS services offered over TCP on a particular IP address and
the same (numerical) port. the same (numerical) port.
Implementations of RADIUS over TCP SHOULD include the protocol (UDP)
or (TCP) in the radiusAuthServIdent, radiusAuthClientID,
radiusAuthClientIdentifier, radiusAccServIdent, radiusAccClientID, or
radiusAccClientIdentifier fields of the MIB. This information can
help the administrator distinguish capabilities of systems in the
network.
2.4. Interaction with RadSec 2.4. Interaction with RadSec
IANA has already assigned TCP ports for RadSec transport, as outlined IANA has already assigned TCP ports for RadSec (i.e. RADIUS over TLS
below: over TCP), as outlined below:
* radsec 2083/tcp * radsec 2083/tcp
This value SHOULD be used as the default port for RADIUS over TLS This value SHOULD be used as the default port for RADIUS over TLS
(i.e. RadSec). The "radius" port (1812/tcp) SHOULD NOT be used for (i.e. RadSec). The "radius" port (1812/tcp) SHOULD NOT be used for
RadSec. RadSec.
2.4.1. Applicability 2.4.1. Applicability
As noted in [RFC3539] Section 2.1, for systems originating low As noted in [RFC3539] Section 2.1, for systems originating low
numbers of RADIUS request packets, inter-packet spacing is often numbers of RADIUS request packets, inter-packet spacing is often
larger than the RTT. In those situations, RADIUS over TCP SHOULD NOT larger than the packet RTT. In those situations, RADIUS over TCP
be used. SHOULD NOT be used.
In general, RADIUS clients generating small amounts of RADIUS traffic In general, RADIUS clients generating small amounts of RADIUS traffic
SHOULD NOT use TCP. This suggestion will usually apply to most SHOULD NOT use TCP. This suggestion will usually apply to most
NASes, and to most clients that originate CoA-Request and Disconnect- NASes, and to most clients that originate CoA-Request and Disconnect-
Request packets. Request packets.
RADIUS over TCP is most applicable to RADIUS proxies that exchange a RADIUS over TCP is most applicable to RADIUS proxies that exchange a
large volume of packets with RADIUS clients and servers (10's to large volume of packets with RADIUS clients and servers (10's to
1000's of packets per second). In those situations, RADIUS over TCP 1000's of packets per second). In those situations, RADIUS over TCP
is a good fit, and may result in increased network stability and is a good fit, and may result in increased network stability and
skipping to change at page 7, line 20 skipping to change at page 7, line 48
While the client may be able to deduce the operational state of the While the client may be able to deduce the operational state of the
local server (i.e. proxy), it cannot make any determination about the local server (i.e. proxy), it cannot make any determination about the
operational state of the downstream servers. operational state of the downstream servers.
If a request is proxied through intermediate proxies, it is not If a request is proxied through intermediate proxies, it is not
possible to detect which of the later hops is responsible for the possible to detect which of the later hops is responsible for the
absence of a reply. An intermediate proxy also cannot signal that absence of a reply. An intermediate proxy also cannot signal that
the outage lies in a later hop because RADIUS does not have the the outage lies in a later hop because RADIUS does not have the
ability to carry such signalling information. This issue is further ability to carry such signalling information. This issue is further
exacerbated by some proxy implementations that do not reply to a exacerbated by some proxy implementations that do not reply to a
client if they do not recieve a reply to a proxied request. client if they do not receive a reply to a proxied request.
When UDP was used as a transport protocol, the absence of a reply can When UDP was used as a transport protocol, the absence of a reply can
cause a client to deduce (incorrectly) that the proxy is unavailable. cause a client to deduce (incorrectly) that the proxy is unavailable.
The client could then fail over to another server, or conclude that The client could then fail over to another server, or conclude that
no "live" servers are available. This situation is made even worse no "live" servers are available (OKAY state in [RFC3539] Appendix A).
when requests are sent through a proxy to multiple destinations. This situation is made even worse when requests are sent through a
Failures in one destination may result in service outages for other proxy to multiple destinations. Failures in one destination may
destinations, if the client erroneously believes that the proxy is result in service outages for other destinations, if the client
unresponsive. erroneously believes that the proxy is unresponsive.
For RADIUS over TCP, the continued existence of the TCP connection For RADIUS over TCP, the continued existence of the TCP connection
SHOULD be used to deduce that the service on the other end of the SHOULD be used to deduce that the service on the other end of the
connection is still responsive. Further, the application layer connection is still responsive. Further, the application layer
watchdog defined in [RFC3539] Section 3.4 enables clients to watchdog defined in [RFC3539] Section 3.4 enables clients to
determine that the server is "live", even though it may not have determine that the server is "live", even though it may not have
responded recently to other, non-watchdog requests. responded recently to other, non-watchdog requests.
RADIUS clients using RADIUS over TCP MUST NOT decide that a RADIUS clients using RADIUS over TCP MUST NOT decide that a
connection is down until the application layer watchdog algorithm has connection is down until the application layer watchdog algorithm has
skipping to change at page 8, line 10 skipping to change at page 8, line 37
of this specification. of this specification.
The Application Layer Watchdog defined in [RFC3539] Section 3.4 MUST The Application Layer Watchdog defined in [RFC3539] Section 3.4 MUST
be used. The Status-Server packet [STATUS] MUST be used as the be used. The Status-Server packet [STATUS] MUST be used as the
application layer watchdog message. Implementations MUST reserve one application layer watchdog message. Implementations MUST reserve one
RADIUS ID per connection for the application layer watchdog message. RADIUS ID per connection for the application layer watchdog message.
This restriction is described further below. This restriction is described further below.
Implementations MUST NOT confuse UDP and TCP transport. That is, Implementations MUST NOT confuse UDP and TCP transport. That is,
RADIUS clients and servers MUST be treated as unique based on a key RADIUS clients and servers MUST be treated as unique based on a key
of (IP address, port, transport protocol). Implementations MUST be of the three-tuple (IP address, port, transport protocol).
configurable to have different shared secrets for UDP and TCP to the Implementations MUST be configurable to have different shared secrets
same destination IP address and numerical port. for UDP and TCP to the same destination IP address and numerical
port.
This requirement does not forbid the traditional practice of using This requirement does not forbid the traditional practice of using
primary and secondary servers in a fail-over relationship. Instead, primary and secondary servers in a fail-over relationship. Instead,
it requires that two services sharing an IP address and numerical it requires that two services sharing an IP address and numerical
port, but differing in transport protocol, MUST be treated as port, but differing in transport protocol, MUST be treated as
independent services for the purpose of fail-over, load-balancing, independent services for the purpose of fail-over, load-balancing,
etc. etc.
Whenever the underlying operating system permits the use of TCP Whenever the underlying operating system permits the use of TCP
keepalive socket options, their use is RECOMMENDED. keepalive socket options, their use is RECOMMENDED.
2.6.1. Duplicates and Retransmissions 2.6.1. Duplicates and Retransmissions
As TCP is a reliable transport, implementors of this specification As TCP is a reliable transport, implementors of this specification
MUST NOT retransmit RADIUS packets over the same TCP connection. MUST NOT retransmit RADIUS request packets over the same TCP
Similarly, if there is no response to a RADIUS packet over one TCP connection. Similarly, if there is no response to a RADIUS packet
connection, implementations MUST NOT retransmit that packet over a over one TCP connection, implementations MUST NOT retransmit that
different TCP connection to the same destination IP address and port. packet over a different TCP connection to the same destination IP
address and port, while the first connection is in the OKAY state
([RFC3539] Appendix A).
However, if the TCP connection is broken or closed, the above However, if the TCP connection is broken or closed, retransmissions
requirement can be relaxed somewhat. RADIUS request packets that over new connections are permissible. RADIUS request packets that
have not yet received a response MAY be transmitted by a RADIUS have not yet received a response MAY be transmitted by a RADIUS
client over a new TCP connection. As this procedure involves using a client over a new TCP connection. As this procedure involves using a
new source port, the ID of the packet MAY change. If the ID changes, new source port, the ID of the packet MAY change. If the ID changes,
any security attributes such as Message-Authenticator MUST be any security attributes such as Message-Authenticator MUST be
recalculated. recalculated.
If a TCP connection is broken or closed, any cached RADIUS response If a TCP connection is broken or closed, any cached RADIUS response
packets ([RFC5080] Section 2.2.2) associated with that connection packets ([RFC5080] Section 2.2.2) associated with that connection
MUST be discarded. A RADIUS server SHOULD stop processing any "live" MUST be discarded. A RADIUS server SHOULD stop processing of any
requests associated with that TCP connection. No response to these requests associated with that TCP connection. No response to these
requests cannot be sent over the TCP connection, so any further requests can be sent over the TCP connection, so any further
processing is pointless. A RADIUS proxy that has a client close it's processing is pointless. This requirement applies not only to RADIUS
TCP connection SHOULD silently discard any responses it recieves to a servers, but also to proxies. When a client's connection to a proxy
proxied requests that is associated with the original client request. server is closed, there may be responses from a home server that were
supposed to be sent by the proxy back over that connection to the
client. Since the client connection is closed, those responses from
the home server to the proxy server SHOULD be silently discarded by
the proxy.
Despite the above requirement, RADIUS servers SHOULD still perform Despite the above discussion, RADIUS servers SHOULD still perform
duplicate detection on received packets, as described in [RFC5080] duplicate detection on received packets, as described in [RFC5080]
Section 2.2.2. This effort can prevent duplicate processing of Section 2.2.2. This detection can prevent duplicate processing of
packets from non-conformant clients. packets from non-conformant clients.
As noted above, RADIUS packets SHOULD NOT be re-transmitted to the As noted previously, RADIUS packets SHOULD NOT be re-transmitted to
same destination IP and numerical port, but over a different the same destination IP and numerical port, but over a different
transport layer. There is no guarantee in RADIUS that the two ports transport layer. There is no guarantee in RADIUS that the two ports
are in any way related. This requirement does not forbid the are in any way related. This requirement does not forbid the
practice of putting multiple servers into a fail-over or load-balance practice of putting multiple servers into a fail-over or load-balance
pool. pool.
Much of the discussion in this section can be summarized by the Much of the discussion in this section can be summarized by the
following requirement. RADIUS requests MAY be re-transmitted following requirement. RADIUS requests MAY be re-transmitted
verbatim only if the following 5-tuple (Client IP address, Client verbatim only if the following 5-tuple (Client IP address, Client
port, Transport Protocol, Server IP address, Server port) remains the port, Transport Protocol, Server IP address, Server port) remains the
same. If any field of that 5-typle changes, the packet MUST NOT be same. If any field of that 5-tuple changes, the packet MUST NOT be
considered to be a re-transmission. Instead, the packet MUST be considered to be a re-transmission. Instead, the packet MUST be
considered to be a new request, and be treated accordingly. (e.g. considered to be a new request, and be treated accordingly. (e.g.
header calculations, packet signatures, associated timers and header calculations, packet signatures, associated timers and
counters, etc.) counters, etc.)
The above requirement is necessary, but not sufficient in all cases. The above requirement is necessary, but not sufficient in all cases.
Other specifications give additional situations where the packet is Other specifications give additional situations where the packet is
to be considered as a new request. Those recommendations MUST be to be considered as a new request. Those recommendations MUST also
followed. be followed.
2.6.2. Shared Secrets 2.6.2. Shared Secrets
The use of shared secrets in calculating the Response Authenticator, The use of shared secrets in calculating the Response Authenticator,
and other attributes such as User-Password or Message-Authenticator and other attributes such as User-Password or Message-Authenticator
[RFC3579] MUST be unchanged from previous specifications. [RFC3579] MUST be unchanged from previous specifications.
Clients and servers MUST be able to store and manage shared secrets Clients and servers MUST be able to store and manage shared secrets
based on the key described above, of (IP address, port, transport). based on the key described above, of (IP address, port, transport
protocol).
2.6.3. Malformed Packets and Unknown Clients 2.6.3. Malformed Packets and Unknown Clients
The original specifications say that an implement should "silently The RADIUS specifications ([RFC2865], etc.) say that an implemention
discard" a packet in a number of circumstances. This action has no should "silently discard" a packet in a number of circumstances.
further consequences for UDP transport, as the "next" packet is This action has no further consequences for UDP transport, as the
completely independent of the previous one. "next" packet is completely independent of the previous one.
When TCP is used as a transport, decoding the "next" packet on a When TCP is used as a transport, decoding the "next" packet on a
connection depends on the proper decoding of the previous packet. As connection depends on the proper decoding of the previous packet. As
a result, the behavior with respect to discarded packets has to a result, the behavior with respect to discarded packets has to
change. change.
Implementations of this specification SHOULD treat the "silently Implementations of this specification SHOULD treat the "silently
discard" texts referenced above as "silently discard and close the discard" texts referenced above as "silently discard and close the
connection." Specifically, the TCP connection MUST be closed if any connection." That is, the TCP connection MUST be closed if any of
of the following circumstances are seen: the following circumstances are seen:
* Packet from an unknown client (using the key as defined above) * Packet from an unknown client
* Packet with an invalid code field * Packet where the RADIUS "length" field is less than the minimim
* Packet that is less than the minimim RADIUS packet length RADIUS packet length
* Packet that is more than the minimim RADIUS packet length * Packet where the RADIUS "length" field is more than the maximum
* A packet that is otherwise malformed, e.g. Attribute Length of RADIUS packet length
0 or 1 * Packet that has an Attribute "length" field has value of zero
or one (0 or 1).
* Packet where the attributes do not exactly fill the packet
* Packet where the Request Authenticator fails validation * Packet where the Request Authenticator fails validation
(if applicable) (where applicable).
* Packet where the Response Authenticator fails validation * Packet where the Response Authenticator fails validation
* Packet where the Message-Authenticator fails validation (where applicable).
* Packet where the Message-Authenticator attribute fails
validation (where applicable).
TCP connections MAY be closed if any of the following circumstances
are seen. Alternatively, the TCP connection MAY remain open if any
of the following circumstances are seen, but the invalid packet MUST
BE silently discarded.
* Packet with an invalid code field
* Response packets that do not match any outstanding request * Response packets that do not match any outstanding request
These requirements minimize the possibilty for a misbehaving client These requirements minimize the possibility for a misbehaving client
or server to wreak havoc on the network. or server to wreak havoc on the network.
2.6.4. Limits of the ID Field 2.6.4. Limitations of the ID Field
The RADIUS ID field is one octet in size. As a result, any one TCP The RADIUS ID field is one octet in size. As a result, a single TCP
connection can have only 256 "in flight" RADIUS packets at a time. connection can only send 256 RADIUS request packets at a time. If
If more than 256 simultaneous "in flight" packets are required, those packets are not responded to, no more packets can be sent over
additional TCP connections will need to be opened. This limitation that connection. If more packets need to be sent by a client to a
is also noted in [RFC3539] Section 2.4. server, more TCP connections are needed.. This limitation is also
noted in [RFC3539] Section 2.4.
An additional limit is the requirement to send a Status-Server packet An additional limit is the requirement to send a Status-Server packet
over the same TCP connection as is used for normal requests. As over the same TCP connection as is used for normal requests. As
noted in [STATUS], the response to a Status-Server packet is either noted in [STATUS], the response to a Status-Server packet is either
an Access-Accept, or an Accounting-Response. If all IDs were an Access-Accept, an Accounting-Response, or a CoA-ACK. If all IDs
allocated to normal requests, then there would be no free Id to use were allocated to normal requests, then there would be no free Id to
for the Status-Server packet, and it could not be sent over the use for the Status-Server packet, and it could not be sent over the
connection. connection.
Implementations SHOULD reserve ID zero on each TCP connection for Implementations SHOULD reserve ID zero on each TCP connection for
Status-Server packets. This value was picked arbitrarily, as there Status-Server packets. This value was picked arbitrarily, as there
is no reason to choose any one value over another for this use. is no reason to choose any one value over another for this use.
It is tempting to extend RADIUS to permit more than 256 outstanding Implementors may be tempted to extend RADIUS to permit more than 256
packets on one connection. However, doing so will likely require outstanding packets on one connection. However, doing so will likely
fundamental changes to the RADIUS protocol, and as such, are outside require fundamental changes to the RADIUS protocol, and as such, is
of the scope of this specification. outside of the scope of this specification.
2.6.5. EAP Sessions 2.6.5. EAP Sessions
When RADIUS clients send EAP requests using RADIUS over TCP, they When RADIUS clients send EAP requests using RADIUS over TCP, they
SHOULD choose the same TCP connection for all packets related to one SHOULD choose the same TCP connection for all packets related to one
EAP conversation. A simple method that may often work is hashing the EAP conversation. A simple method that may work in many situations
contents of the Calling-Station-Id attribute, which normally contains is to hash the contents of the Calling-Station-Id attribute, which
the MAC accress. The output of that hash can be used to select a normally contains the MAC address. The output of that hash can be
particular TCP connection. used to select a particular TCP connection.
It may be difficult to implement this suggestion in practice, as busy If this practice is used, then the client SHOULD also reserve one
servers may allocate all RADIUS IDs in one TCP connection in the time RADIUS Id per TCP connection for a particular EAP session.
between two subsequent EAP packets. It is difficult to suggest
simple and reasonable methods to address this issue. The retransmission requires of Section 2.6.1, above, MUST be applied
to RADIUS encapsulated EAP packets. That is, EAP retransmissions
MUST NOT result in retransmissions of RADIUS packets over a
particular TCP connection. EAP retransmissions MAY result in
retransmission of RADIUS packets over a different TCP connection, but
only when the previous TCP connection is marked DOWN as per the
algorithm in [RFC3539] Appendix A.
2.6.6. TCP Applications are not UDP Applications 2.6.6. TCP Applications are not UDP Applications
Implementors should be aware that programming a robust TCP Implementors should be aware that programming a robust TCP
application can be a very different process than programming a robust application can be very different from programming a robust UDP
UDP application. We RECOMMEND that implementors of this application. We RECOMMEND that implementors of this specification
specification familiarize themselves with TCP application programming familiarize themselves with TCP application programming concepts. We
concepts. We RECOMMEND also that existing TCP applications be RECOMMEND also that existing TCP applications be examined with an eye
examined with an eye to robustness, performance, scalability, etc. to robustness, performance, scalability, etc.
Clients and servers SHOULD implement configurable connection limits. Clients and servers SHOULD implement configurable connection limits.
Allowing an unlimited number of connections may result in resource Clients and servers SHOULD implement configurable rate limiting on
exhaustion. new connections. Allowing an unbounded number or rate of TCP
connections may result in resource exhaustion.
Further discussion of implementation issues is outside of the scope Further discussion of implementation issues is outside of the scope
of this document. of this document.
3. Diameter Considerations 3. Diameter Considerations
This document defines TCP as a transport layer for RADIUS. It This document defines TCP as a transport layer for RADIUS. It
defines no new RADIUS attributes or codes. The only interaction with defines no new RADIUS attributes or codes. The only interaction with
Diameter is in a RADIUS to Diameter, or in a Diameter to RADIUS Diameter is in a RADIUS to Diameter, or in a Diameter to RADIUS
gateway. The RADIUS side of such a gateway MAY implement RADIUS over gateway. The RADIUS side of such a gateway MAY implement RADIUS over
 End of changes. 49 change blocks. 
115 lines changed or deleted 171 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/