Diff: draft-ietf-radext-tcp-transport-02.txt vs. draft-ietf-radext-tcp-transport-03.txt

Network Working Group                                         A. DeKok
INTERNET-DRAFT                                              FreeRADIUS
Category: Proposed Standard
-02: <draft-ietf-radext-tcp-transport-02.txt>
-03: <draft-ietf-radext-tcp-transport-03.txt>
-02: Expires: June 16, 2009
-03: Expires: September 1, 2009
-02: 16 December 2008

                            RADIUS Over TCP
-02: draft-ietf-radext-tcp-transport-02
-03: draft-ietf-radext-tcp-transport-03

-03 (paragraph added in this revision):
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

-02: This Internet-Draft will expire on June 11, 2009.
-03: This Internet-Draft will expire on September 1, 2009.

Copyright Notice

-02:
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.

Copyright (c) 2008 IETF Trust and the persons identified as the
document authors. All rights reserved. This document is subject to
BCP 78 and the IETF Trust's Legal Provisions Relating to IETF
Documents (http://trustee.ietf.org/license-info) in effect on the
date of publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.

-03:
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract

The Remote Authentication Dial In User Server (RADIUS) Protocol has
traditionally used the User Datagram Protocol (UDP) as it's
underlying transport layer. This document defines RADIUS over the
Transmission Control Protocol (TCP).

Table of Contents                                    (page in -02 / -03)

1. Introduction .............................................  3 /  4
   1.1. Applicability of Reliable Transport .................  3 /  4
   1.2. Terminology .........................................  5 /  6
   1.3. Requirements Language ...............................  5 /  6
2. Changes to RADIUS ........................................  5 /  6
   2.1. Packet Format .......................................  6 /  7
   2.2. Assigned Ports for RADIUS Over TCP ..................  6 /  7
   2.3. Management Information Base (MIB) ...................  6 /  7
   2.4. Interaction with RadSec .............................  7 /  8
   2.5. RADIUS Proxies ......................................  7 /  8
   2.6. TCP Specific Issues .................................  9 / 10
        2.6.1. Duplicates and Retransmissions ...............  9 / 10
        2.6.2. Shared Secrets ............................... 10 / 11
        2.6.3. Malformed Packets and Unknown Clients ........ 11 / 12
        2.6.4. Limitations of the ID Field .................. 11 / 12
        2.6.5. EAP Sessions ................................. 12 / 13
        2.6.6. TCP Applications are not UDP Applications .... 12 / 13
3. Diameter Considerations .................................. 13 / 14
4. IANA Considerations ...................................... 13 / 14
5. Security Considerations .................................. 13 / 14
6. References ............................................... 13 / 14
   6.1. Normative References ................................ 13 / 14
   6.2. Informative References .............................. 14 / 15

1. Introduction

The RADIUS Protocol has been defined in [RFC2865] as using the User
Datagram Protocol (UDP) for the underlying transport layer. While
there are a number of benefits to using UDP as outlined in [RFC2865]
Section 2.4, there are also some limitations:

* Unreliable transport. As a result, systems using RADIUS have to
  implement application-layer timers and re-transmissions, as

[rfcdiff: skipping to change at page 14, line 44 (-02) / page 15, line 44 (-03)]
[RFC5080] Nelson, D. and DeKok, A, "Common Remote Authentication Dial In
          User Service (RADIUS) Implementation Issues and Suggested
          Fixes", RFC 5080, December 2007.

[RFC5176] Chiba, M. et al., "Dynamic Authorization Extensions to Remote
          Authentication Dial In User Service (RADIUS)", RFC 5176,
          January 2008.

[STATUS]  DeKok, A., "Use of Status-Server Packets in the Remote
          Authentication Dial In User Service (RADIUS) Protocol",
          -02: draft-ietf-radext-status-server-02.txt, November 2008 (work in progress).
          -03: draft-ietf-radext-status-server-03.txt, March 2009 (work in progress).

[RADSEC]  Winter, S. et. al., "TLS encryption for RADIUS over TCP
          (RadSec)",
          -02: draft-ietf-radext-radsec-02.txt, October 2008 (work in progress).
          -03: draft-ietf-radext-radsec-03.txt, Februrary 2009 (work in progress).
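Review bot: the updated [RADSEC] entry in -03 misspells the month as "Februrary"; it should read "February 2009". While touching this entry, "Winter, S. et. al." should be "et al." (no period after "et"), matching the "Chiba, M. et al." form used in the [RFC5176] entry above.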
Acknowledgments

None at this time.

Authors' Addresses

Alan DeKok
The FreeRADIUS Server Project
http://freeradius.org/
End of changes. 8 change blocks.
41 lines changed or deleted, 50 lines changed or added.

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/