draft-ietf-radext-tcp-transport-05.txt   draft-ietf-radext-tcp-transport-06.txt 
Network Working Group A. DeKok Network Working Group A. DeKok
INTERNET-DRAFT FreeRADIUS INTERNET-DRAFT FreeRADIUS
Category: Experimental Category: Experimental
<draft-ietf-radext-tcp-transport-05.txt> <draft-ietf-radext-tcp-transport-06.txt>
Expires: April 12,2009 Expires: November 27, 2010
19 February 2010 27 April 2010
RADIUS Over TCP RADIUS Over TCP
draft-ietf-radext-tcp-transport-05 draft-ietf-radext-tcp-transport-06
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 34 skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 12, 2009. This Internet-Draft will expire on November 27, 2010
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info/) in effect on the date of (http://trustee.ietf.org/license-info/) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 11 skipping to change at page 2, line 11
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Abstract Abstract
The Remote Authentication Dial In User Server (RADIUS) Protocol has The Remote Authentication Dial In User Server (RADIUS) Protocol has
traditionally used the User Datagram Protocol (UDP) as its underlying traditionally used the User Datagram Protocol (UDP) as its underlying
transport layer. This document defines RADIUS over the Transmission transport layer. This document defines RADIUS over the Transmission
Control Protocol (TCP), in order to address handling issues related Control Protocol (TCP), in order to address handling issues related
to RADIUS over TLS [RTLS]. It is not intended to define TCP as a to RADIUS over Transport Layer Security [RTLS]. It is not intended
transport protocol for RADIUS in the absence of TLS. to define TCP as a transport protocol for RADIUS in the absence of
TLS.
Table of Contents Table of Contents
1. Introduction ............................................. 4 1. Introduction ............................................. 4
1.1. Applicability of Reliable Transport ................. 4 1.1. Applicability of Reliable Transport ................. 5
1.2. Terminology ......................................... 6 1.2. Terminology ......................................... 6
1.3. Requirements Language ............................... 7 1.3. Requirements Language ............................... 7
2. Changes to RADIUS ........................................ 7 2. Changes to RADIUS ........................................ 7
2.1. Packet Format ....................................... 7 2.1. Packet Format ....................................... 7
2.2. Assigned Ports for RADIUS Over TCP .................. 8 2.2. Assigned Ports for RADIUS Over TCP .................. 8
2.3. Management Information Base (MIB) ................... 8 2.3. Management Information Base (MIB) ................... 8
2.4. Detecting Live Servers .............................. 9 2.4. Detecting Live Servers .............................. 9
2.5. Congestion Control Issues ........................... 10 2.5. Congestion Control Issues ........................... 9
2.6. TCP Specific Issues ................................. 10 2.6. TCP Specific Issues ................................. 10
2.6.1. Duplicates and Retransmissions ................. 11 2.6.1. Duplicates and Retransmissions ................. 11
2.6.2. Head of Line Blocking .......................... 12 2.6.2. Head of Line Blocking .......................... 12
2.6.3. Shared Secrets ................................. 12 2.6.3. Shared Secrets ................................. 12
2.6.4. Malformed Packets and Unknown Clients .......... 13 2.6.4. Malformed Packets and Unknown Clients .......... 12
2.6.5. Limitations of the ID Field .................... 14 2.6.5. Limitations of the ID Field .................... 13
2.6.6. EAP Sessions ................................... 14 2.6.6. EAP Sessions ................................... 14
2.6.7. TCP Applications are not UDP Applications ...... 15 2.6.7. TCP Applications are not UDP Applications ...... 14
3. Diameter Considerations .................................. 15 3. Diameter Considerations .................................. 15
4. IANA Considerations ...................................... 15 4. IANA Considerations ...................................... 15
5. Security Considerations .................................. 15 5. Security Considerations .................................. 15
6. References ............................................... 16 6. References ............................................... 15
6.1. Normative References ................................ 16 6.1. Normative References ................................ 15
6.2. Informative References .............................. 16 6.2. Informative References .............................. 15
1. Introduction 1. Introduction
The RADIUS Protocol has been defined in [RFC2865] as using the User The RADIUS Protocol has been defined in [RFC2865] as using the User
Datagram Protocol (UDP) for the underlying transport layer. While Datagram Protocol (UDP) for the underlying transport layer. While
there are a number of benefits to using UDP as outlined in [RFC2865] there are a number of benefits to using UDP as outlined in [RFC2865]
Section 2.4, there are also some limitations: Section 2.4, there are also some limitations:
* Unreliable transport. As a result, systems using RADIUS have to * Unreliable transport. As a result, systems using RADIUS have to
implement application-layer timers and re-transmissions, as implement application-layer timers and re-transmissions, as
described in [RFC5080] Section 2.2.1. described in [RFC5080] Section 2.2.1.
* Packet fragmentation. [RFC2865] Section 3 permits RADIUS * Packet fragmentation. [RFC2865] Section 3 permits RADIUS
packets up to 4096 octets in length. These packets are larger packets up to 4096 octets in length. These packets are larger
than the default Internet MTU (576), resulting in fragmentation of than the common Internet MTU (576), resulting in fragmentation of
the packets at the IP layer. Transport of fragmented UDP packets the packets at the IP layer when they are proxied over the
appears to be a poorly tested code path on network devices. Some Internet. Transport of fragmented UDP packets appears to be a
devices appear to be incapable of transporting fragmented UDP poorly tested code path on network devices. Some devices appear
packets, making it difficult to deploy RADIUS in a network where to be incapable of transporting fragmented UDP packets, making it
those devices are deployed. difficult to deploy RADIUS in a network where those devices are
deployed.
* Connectionless transport. Neither clients nor servers receive * Connectionless transport. Neither clients nor servers receive
positive statements that a "connection" is down. This information positive statements that a "connection" is down. This information
has to be deduced instead from the absence of a reply to a has to be deduced instead from the absence of a reply to a
request. request.
As RADIUS is widely deployed, and has been widely deployed for well As RADIUS is widely deployed, and has been widely deployed for well
over a decade, these issues have been minor in some use-cases, and over a decade, these issues have been minor in some use-cases, and
problematic in others. For use-cases such as inter-server proxying, problematic in others. For use-cases such as inter-server proxying,
[RTLS] suggests an alternative transport and security model -- RADIUS [RTLS] suggests an alternative transport and security model -- RADIUS
over TLS. This document describes the transport implications of over TLS. That document describes the transport implications of
running RADIUS over TLS/TCP. running RADIUS over TLS.
Since "bare" TCP does not provide for confidentiality or enable
negotiation of credible ciphersuites, its use is not appropriate for
inter-server communications where strong security is required. As a
result the use of "bare" TCP transport (i.e., without additional
confidentiality and security) is NOT RECOMMENDED, as there has been
little or no operational experience with it.
"Bare" TCP transport MAY, however, be used when another method such
as IPSec [RFC4301] is used to provide additional confidentiality and
security. Should experience show that such deployments are useful,
this specification could be moved to standards track.
1.1. Applicability of Reliable Transport 1.1. Applicability of Reliable Transport
The intent of this document is to address transport issues related to The intent of this document is to address transport issues related to
RADIUS over TLS [RTLS] in inter-server communications scenarios, such RADIUS over TLS [RTLS] in inter-server communications scenarios, such
as inter-domain communication between proxies. These situations as inter-domain communication between proxies. These situations
benefit from the confidentiality and ciphersuite negotiation that can benefit from the confidentiality and ciphersuite negotiation that can
be provided by TLS. Since TLS is already widely available within the be provided by TLS. Since TLS is already widely available within the
operating systems used by proxies, implementation barriers are low. operating systems used by proxies, implementation barriers are low.
In scenarios where RADIUS proxies exchange a large volume of packets In scenarios where RADIUS proxies exchange a large volume of packets
(10+ packets per second), it is likely that there will be sufficient (10+ packets per second), it is likely that there will be sufficient
traffic to enable the congestion window to be widened beyond the traffic to enable the congestion window to be widened beyond the
minimum value on a long-term basis, enabling ACK piggy-backing. minimum value on a long-term basis, enabling ACK piggy-backing.
Through use of an application-layer watchdog as described in Through use of an application-layer watchdog as described in
[RFC3539], it is possible to address the objections to reliable [RFC3539], it is possible to address the objections to reliable
transport described in [RFC2865] Section 2.4 without substantial transport described in [RFC2865] Section 2.4 without substantial
watchdog traffic, since regular traffic is expected in both watchdog traffic, since regular traffic is expected in both
directions. directions.
In addition, use of RADIUS over TLS/TCP has been found to improve In addition, use of RADIUS over TLS has been found to improve
operational performance when used with multi-round trip operational performance when used with multi-round trip
authentication mechanisms such as RADIUS over EAP [RFC3579]. In such authentication mechanisms such as RADIUS over EAP [RFC3579]. In such
exchanges, it is typical for EAP fragmentation to increase the number exchanges, it is typical for EAP fragmentation to increase the number
of round-trips required. For example, where EAP-TLS authentication of round-trips required. For example, where EAP-TLS authentication
[RFC5216] is attempted and both the EAP peer and server utilize [RFC5216] is attempted and both the EAP peer and server utilize
certificate chains of 8KB, as many as 15 round-trips can be required certificate chains of 8KB, as many as 15 round-trips can be required
if RADIUS packets are restricted to 1500 octets in size. if RADIUS packets are restricted to the common Ethernet MTU (1500
Fragmentation of RADIUS over UDP packets is generally inadvisable due octets) for EAP over LAN (EAPoL) use-cases. Fragmentation of RADIUS
to lack of fragmentation support within intermediate devices such as over UDP packets is generally inadvisable due to lack of
filtering routers, firewalls and NATs. However, since RADIUS over fragmentation support within intermediate devices such as filtering
UDP implementations typically do not support MTU discovery, routers, firewalls and NATs. However, since RADIUS over UDP
fragmentation can occur even when the maximum RADIUS over UDP packet implementations typically do not support MTU discovery, fragmentation
size is restricted to 1500 octets. can occur even when the maximum RADIUS over UDP packet size is
restricted to 1500 octets.
These problems disappear if a 4096 application-layer payload can be These problems disappear if a 4096 application-layer payload can be
used alongside RADIUS over TLS/TCP. Since most TCP implementations used alongside RADIUS over TLS. Since most TCP implementations
support MTU discovery, the TCP MSS is automatically adjusted to support MTU discovery, the TCP MSS is automatically adjusted to
account for the MTU, and the larger congestion window supported by account for the MTU, and the larger congestion window supported by
TCP may allow multiple TCP segments to be sent within a single TCP may allow multiple TCP segments to be sent within a single
window. window.
Where the MTU for EAP packets is large, RADIUS/EAP traffic required Where the MTU for EAP packets is large, RADIUS/EAP traffic required
for an EAP-TLS authentication with 8KB certificate chains may be for an EAP-TLS authentication with 8KB certificate chains may be
reduced to 7 round-trips or less, resulting in substantially reduced reduced to 7 round-trips or less, resulting in substantially reduced
authentication times. authentication times.
skipping to change at page 6, line 27 skipping to change at page 6, line 44
additional watchdog traffic to confirm reachability. additional watchdog traffic to confirm reachability.
As a result, the objections to reliable transport indicated in As a result, the objections to reliable transport indicated in
[RFC2865] Section 2.4 continue to apply to NAS-RADIUS server [RFC2865] Section 2.4 continue to apply to NAS-RADIUS server
communications and UDP SHOULD continue to be used as the transport communications and UDP SHOULD continue to be used as the transport
protocol in this scenario. In addition, it is recommended that protocol in this scenario. In addition, it is recommended that
implementations of "RADIUS Dynamic AUthorization Extensions" implementations of "RADIUS Dynamic AUthorization Extensions"
[RFC5176] SHOULD continue to utilize UDP transport, since the volume [RFC5176] SHOULD continue to utilize UDP transport, since the volume
of dynamic authorization traffic is usually expected to be small. of dynamic authorization traffic is usually expected to be small.
Since "bare" TCP does not provide for confidentiality or enable
negotiation of credible ciphersuites, its use is not appropriate for
inter-server communications where strong security is required. As a
result the use of "bare" TCP transport (i.e. without additional
confidentiality and security) is NOT RECOMMENDED for use in any
situation, and there has been little or no operational experience
with it.
1.2. Terminology 1.2. Terminology
This document uses the following terms: This document uses the following terms:
RADIUS client RADIUS client
A device that provides an access service for a user to a network. A device that provides an access service for a user to a network.
Also referred to as a Network Access Server, or NAS. Also referred to as a Network Access Server, or NAS.
RADIUS server RADIUS server
A RADIUS authentication, authorization, and/or accounting (AAA) A device that provides one or more of authentication,
server is an entity that provides one or more AAA services to a authorization, and/or accounting (AAA) services to a NAS.
NAS.
RADIUS proxy RADIUS proxy
A RADIUS proxy acts as a RADIUS server to the NAS, and a RADIUS A RADIUS proxy acts as a RADIUS server to the NAS, and a RADIUS
client to the RADIUS server. client to the RADIUS server.
RADIUS request packet RADIUS request packet
A packet originated by a RADIUS client to a RADIUS server. e.g. A packet originated by a RADIUS client to a RADIUS server. e.g.
Access-Request, Accounting-Request, CoA-Request, or Disconnect- Access-Request, Accounting-Request, CoA-Request, or Disconnect-
Request. Request.
skipping to change at page 7, line 48 skipping to change at page 8, line 7
* Response Authenticator calculation * Response Authenticator calculation
* Minimum packet length * Minimum packet length
* Maximum packet length * Maximum packet length
* Attribute format * Attribute format
* Vendor-Specific Attribute (VSA) format * Vendor-Specific Attribute (VSA) format
* Permitted data types * Permitted data types
* Calculations of dynamic attributes such as CHAP-Challenge, * Calculations of dynamic attributes such as CHAP-Challenge,
or Message-Authenticator. or Message-Authenticator.
* Calculation of "encrypted" attributes such as Tunnel-Password. * Calculation of "encrypted" attributes such as Tunnel-Password.
The use of TLS/TCP transport does not change the calculation of The use of TLS transport does not change the calculation of security-
security-related fields (such as the Response-Authenticator) in related fields (such as the Response-Authenticator) in RADIUS
RADIUS [RFC2865] or RADIUS Dynamic Authorization [RFC5176]. [RFC2865] or RADIUS Dynamic Authorization [RFC5176]. Calculation of
Calculation of attributes such as User-Password [RFC2865] or Message- attributes such as User-Password [RFC2865] or Message-Authenticator
Authenticator [RFC3579] also does not change. [RFC3579] also does not change.
Clients and servers MUST be able to store and manage shared secrets Clients and servers MUST be able to store and manage shared secrets
based on the key described above, of (IP address, port, transport based on the key described above, of (IP address, port, transport
protocol). protocol).
The changes to RADIUS implementations required to implement this The changes to RADIUS implementations required to implement this
specification are largely limited to the portions that send and specification are largely limited to the portions that send and
receive packets on the network. receive packets on the network.
2.2. Assigned Ports for RADIUS Over TCP 2.2. Assigned Ports for RADIUS Over TCP
IANA has already assigned TCP ports for RADIUS and RTLS transport, as IANA has already assigned TCP ports for RADIUS and RTLS transport, as
outlined below: outlined below:
* radius 1812/tcp * radius 1812/tcp
* radius-acct 1813/tcp * radius-acct 1813/tcp
* radius-dynauth 3799/tcp * radius-dynauth 3799/tcp
* radsec 2083/tcp * radsec 2083/tcp
Since these ports are unused by existing RADIUS implementations, the Since these ports are unused by existing RADIUS implementations, the
assigned values SHOULD be used as the default ports for RADIUS over assigned values MUST be used as the default ports for RADIUS over
TCP. TCP.
The early deployment of RADIUS was done using UDP port number 1645, The early deployment of RADIUS was done using UDP port number 1645,
which conflicts with the "datametrics" service. Implementations which conflicts with the "datametrics" service. Implementations
using RADIUS over TCP MUST NOT use TCP ports 1645 or 1646 as the using RADIUS over TCP MUST NOT use TCP ports 1645 or 1646 as the
default ports for this specification. default ports for this specification.
The "radsec" port (2083/tcp) SHOULD be used as the default port for The "radsec" port (2083/tcp) SHOULD be used as the default port for
RTLS. The "radius" port (1812/tcp) SHOULD NOT be used for RTLS. RTLS. The "radius" port (1812/tcp) SHOULD NOT be used for RTLS.
2.3. Management Information Base (MIB) 2.3. Management Information Base (MIB)
The MIB Module definitions in [RFC4668], [RFC4669], [RFC4670], The MIB Module definitions in [RFC4668], [RFC4669], [RFC4670],
[RFC4671], [RFC4672], and [RFC4673] each contain only one reference [RFC4671], [RFC4672], and [RFC4673] are intended to be used for
to UDP. These references are in the DESCRIPTION field of the MIB RADIUS over UDP. As such, they do not support RADIUS over TCP, and
Module definition, and are in the form of "The UDP port" or "the UDP will need to be updated in the future. Implementations of RADIUS
destination port". over TCP SHOULD NOT re-use these MIB Modules to perform statistics
counting for RADIUS over TCP connections.w
Implementations of RADIUS over TCP SHOULD re-use these MIB Modules to
perform statistics counting for RADIUS over TCP connections.
However, implementors are warned that there is no way for these MIB
Modules to distinguish between packets sent over UDP or over TCP
transport. Similarly, there is no requirement in RADIUS that the
RADIUS services offered over UDP on a particular IP address and port
are identical to the RADIUS services offered over TCP on a particular
IP address and the same (numerical) port.
Implementations of RADIUS over TCP SHOULD include the protocol (UDP)
or (TCP) in the radiusAuthServIdent, radiusAuthClientID,
radiusAuthClientIdentifier, radiusAccServIdent, radiusAccClientID, or
radiusAccClientIdentifier fields of the MIB Module. This information
can help the administrator distinguish capabilities of systems in the
network.
2.4. Detecting Live Servers 2.4. Detecting Live Servers
As RADIUS is a "hop by hop" protocol, a RADIUS proxy effectively As RADIUS is a "hop by hop" protocol, a RADIUS proxy effectively
shields the client from any information about downstream servers. shields the client from any information about downstream servers.
While the client may be able to deduce the operational state of the While the client may be able to deduce the operational state of the
local server (i.e. proxy), it cannot make any determination about the local server (i.e. proxy), it cannot make any determination about the
operational state of the downstream servers. operational state of the downstream servers.
Within RADIUS as defined in [RFC2865], proxies typically only forward Within RADIUS as defined in [RFC2865], proxies typically only forward
skipping to change at page 9, line 34 skipping to change at page 9, line 29
When UDP was used as a transport protocol, the absence of a reply can When UDP was used as a transport protocol, the absence of a reply can
cause a client to deduce (incorrectly) that the proxy is unavailable. cause a client to deduce (incorrectly) that the proxy is unavailable.
The client could then fail over to another server, or conclude that The client could then fail over to another server, or conclude that
no "live" servers are available (OKAY state in [RFC3539] Appendix A). no "live" servers are available (OKAY state in [RFC3539] Appendix A).
This situation is made even worse when requests are sent through a This situation is made even worse when requests are sent through a
proxy to multiple destinations. Failures in one destination may proxy to multiple destinations. Failures in one destination may
result in service outages for other destinations, if the client result in service outages for other destinations, if the client
erroneously believes that the proxy is unresponsive. erroneously believes that the proxy is unresponsive.
For RADIUS over TLS/TCP, it is RECOMMENDED that implementations For RADIUS over TLS, it is RECOMMENDED that implementations utilize
utilize the existence of a TCP connection along with the application the existence of a TCP connection along with the application layer
layer watchdog defined in [RFC3539] Section 3.4 to determine that the watchdog defined in [RFC3539] Section 3.4 to determine that the
server is "live". server is "live".
RADIUS clients using RADIUS over TCP MUST mark a connection DOWN if RADIUS clients using RADIUS over TCP MUST mark a connection DOWN if
the network stack indicates that the connection is no longer active. the network stack indicates that the connection is no longer active.
If the network stack indicates that connection is still active, If the network stack indicates that connection is still active,
Clients MUST NOT decide that it is down until the application layer Clients MUST NOT decide that it is down until the application layer
watchdog algorithm has marked it DOWN ([RFC3539] Appendix A). RADIUS watchdog algorithm has marked it DOWN ([RFC3539] Appendix A). RADIUS
clients using RADIUS over TCP MUST NOT decide that a RADIUS server is clients using RADIUS over TCP MUST NOT decide that a RADIUS server is
unresponsive until all TCP connections to it have been marked DOWN. unresponsive until all TCP connections to it have been marked DOWN.
skipping to change at page 10, line 37 skipping to change at page 10, line 29
instead of one end-to-end loop, and so are less stable. This is true instead of one end-to-end loop, and so are less stable. This is true
even for TCP-TCP proxies. As discussed in [RFC3539], the only way to even for TCP-TCP proxies. As discussed in [RFC3539], the only way to
achieve stability equivalent to a single TCP connection is to mimic achieve stability equivalent to a single TCP connection is to mimic
the end-to-end behavior of a single TCP connection. This typically the end-to-end behavior of a single TCP connection. This typically
is not achievable with an application-layer RADIUS implementation, is not achievable with an application-layer RADIUS implementation,
regardless of transport. regardless of transport.
2.6. TCP Specific Issues 2.6. TCP Specific Issues
The guidelines defined in [RFC3539] for implementing a AAA protocol The guidelines defined in [RFC3539] for implementing a AAA protocol
over reliable transport are applicable to RADIUS over TLS/TCP. over reliable transport are applicable to RADIUS over TLS.
The Application Layer Watchdog defined in [RFC3539] Section 3.4 MUST The Application Layer Watchdog defined in [RFC3539] Section 3.4 MUST
be used. The Status-Server packet [STATUS] MUST be used as the be used. The Status-Server packet [STATUS] MUST be used as the
application layer watchdog message. Implementations MUST reserve one application layer watchdog message. Implementations MUST reserve one
RADIUS ID per connection for the application layer watchdog message. RADIUS ID per connection for the application layer watchdog message.
This restriction is described further below in Section 2.6.4. This restriction is described further below in Section 2.6.4.
RADIUS over TLS/TCP Implementations MUST support receiving RADIUS RADIUS over TLS Implementations MUST support receiving RADIUS packets
packets over both UDP and TLS/TCP transports originating from the over both UDP and TLS transports originating from the same endpoint.
same endpoint. RADIUS packets received over UDP MUST be replied to RADIUS packets received over UDP MUST be replied to over UDP; RADIUS
over UDP; RADIUS packets received over TLS/TCP MUST be replied to packets received over TLS MUST be replied to over TLS. That is,
over TLS/TCP. That is, RADIUS clients and servers MUST be treated as RADIUS clients and servers MUST be treated as unique based on a key
unique based on a key of the three-tuple (IP address, port, transport of the three-tuple (IP address, port, transport protocol).
protocol). Implementations MUST permit different shared secrets to Implementations MUST permit different shared secrets to be used for
be used for UDP and TCP connections to the same destination IP UDP and TCP connections to the same destination IP address and
address and numerical port. numerical port.
This requirement does not forbid the traditional practice of using This requirement does not forbid the traditional practice of using
primary and secondary servers in a fail-over relationship. Instead, primary and secondary servers in a fail-over relationship. Instead,
it requires that two services sharing an IP address and numerical it requires that two services sharing an IP address and numerical
port, but differing in transport protocol, MUST be treated as port, but differing in transport protocol, MUST be treated as
independent services for the purpose of fail-over, load-balancing, independent services for the purpose of fail-over, load-balancing,
etc. etc.
Whenever the underlying network stack permits the use of TCP Whenever the underlying network stack permits the use of TCP
keepalive socket options, their use is RECOMMENDED. keepalive socket options, their use is RECOMMENDED.
skipping to change at page 12, line 8 skipping to change at page 11, line 49
Despite the above discussion, RADIUS servers SHOULD still perform Despite the above discussion, RADIUS servers SHOULD still perform
duplicate detection on received packets, as described in [RFC5080] duplicate detection on received packets, as described in [RFC5080]
Section 2.2.2. This detection can prevent duplicate processing of Section 2.2.2. This detection can prevent duplicate processing of
packets from non-conformant clients. packets from non-conformant clients.
As noted previously, RADIUS packets SHOULD NOT be re-transmitted to As noted previously, RADIUS packets SHOULD NOT be re-transmitted to
the same destination IP and numerical port, but over a different the same destination IP and numerical port, but over a different
transport layer. There is no guarantee in RADIUS that the two ports transport layer. There is no guarantee in RADIUS that the two ports
are in any way related. This requirement does not, however, forbid are in any way related. This requirement does not, however, forbid
the practice of putting multiple servers into a fail-over or load- the practice of putting multiple servers into a fail-over or load-
balance pool. balancing pool. In that situation, RADIUS request MAY be
retransmitted to another server that known to be part of the same
Much of the discussion in this section can be summarized by the pool.
following requirement. RADIUS requests MAY be re-transmitted
verbatim only if the following 5-tuple (Client IP address, Client
port, Transport Protocol, Server IP address, Server port) remains the
same. If any field of that 5-tuple changes, the packet MUST NOT be
considered to be a re-transmission. Instead, the packet MUST be
considered to be a new request, and be treated accordingly. This
involves updating header calculations, packet signatures, associated
timers and counters, etc.
The above requirement is necessary, but not sufficient in all cases.
Other specifications give additional situations where the packet is
to be considered as a new request. Those recommendations MUST also
be followed.
2.6.2. Head of Line Blocking 2.6.2. Head of Line Blocking
When using UDP as a transport for RADIUS, there is no ordering of When using UDP as a transport for RADIUS, there is no ordering of
packets. If a packet sent by a client is lost, that loss has no packets. If a packet sent by a client is lost, that loss has no
effect on subsequent packets sent by that client. effect on subsequent packets sent by that client.
Unlike UDP, TLS/TCP is subject to issues related to Head of Line Unlike UDP, TLS is subject to issues related to Head of Line (HoL)
(HoL) blocking. This occurs when when a TLS/TCP segment is lost and blocking. This occurs when when a TLS segment is lost and a
a subsequent TLS/TCP segment arrives out of order. While the RADIUS subsequent TLS segment arrives out of order. While the RADIUS server
server can process RADIUS packets out of order, the semantics of can process RADIUS packets out of order, the semantics of TLS makes
TLS/TCP makes this impossible. This limitation can lower the maximum this impossible. This limitation can lower the maximum packet
packet processing rate of RADIUS over TLS/TCP. processing rate of RADIUS over TLS.
2.6.3. Shared Secrets 2.6.3. Shared Secrets
The use of TLS/TCP transport does not change the calculation of The use of TLS transport does not change the calculation of security-
security-related fields (such as the Response-Authenticator) in related fields (such as the Response-Authenticator) in RADIUS
RADIUS [RFC2865] or RADIUS Dynamic Authorization [RFC5176]. [RFC2865] or RADIUS Dynamic Authorization [RFC5176]. Calculation of
Calculation of attributes such as User-Password [RFC2865] or Message- attributes such as User-Password [RFC2865] or Message-Authenticator
Authenticator [RFC3579] also does not change. [RFC3579] also does not change.
Clients and servers MUST be able to store and manage shared secrets Clients and servers MUST be able to store and manage shared secrets
based on the key described above, of (IP address, port, transport based on the key described above, of (IP address, port, transport
protocol). protocol).
2.6.4. Malformed Packets and Unknown Clients 2.6.4. Malformed Packets and Unknown Clients
The RADIUS specifications ([RFC2865], etc.) say that an The RADIUS specifications ([RFC2865], etc.) say that an
implementation should "silently discard" a packet in a number of implementation should "silently discard" a packet in a number of
circumstances. This action has no further consequences for UDP circumstances. This action has no further consequences for UDP
skipping to change at page 15, line 14 skipping to change at page 14, line 38
applied to RADIUS encapsulated EAP packets. That is, EAP applied to RADIUS encapsulated EAP packets. That is, EAP
retransmissions MUST NOT result in retransmissions of RADIUS packets retransmissions MUST NOT result in retransmissions of RADIUS packets
over a particular TCP connection. EAP retransmissions MAY result in over a particular TCP connection. EAP retransmissions MAY result in
retransmission of RADIUS packets over a different TCP connection, but retransmission of RADIUS packets over a different TCP connection, but
only when the previous TCP connection is marked DOWN. only when the previous TCP connection is marked DOWN.
2.6.7. TCP Applications are not UDP Applications 2.6.7. TCP Applications are not UDP Applications
Implementors should be aware that programming a robust TCP Implementors should be aware that programming a robust TCP
application can be very different from programming a robust UDP application can be very different from programming a robust UDP
application. We RECOMMEND that implementors of this specification application. It is RECOMMENDED that implementors of this
familiarize themselves with TCP application programming concepts. We specification familiarize themselves with TCP application programming
RECOMMEND also that existing TCP applications be examined with an eye concepts.
to robustness, performance, scalability, etc.
Clients and servers SHOULD implement configurable connection limits. Clients and servers SHOULD implement configurable connection limits.
Clients and servers SHOULD implement configurable rate limiting on Clients and servers SHOULD implement configurable rate limiting on
new connections. Allowing an unbounded number or rate of TCP new connections. Allowing an unbounded number or rate of TCP
connections may result in resource exhaustion. connections may result in resource exhaustion.
Further discussion of implementation issues is outside of the scope Further discussion of implementation issues is outside of the scope
of this document. of this document.
3. Diameter Considerations 3. Diameter Considerations
skipping to change at page 16, line 27 skipping to change at page 16, line 5
Accounting (AAA) Transport Profile", RFC 3539, June 2003. Accounting (AAA) Transport Profile", RFC 3539, June 2003.
6.2. Informative References 6.2. Informative References
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial
In User Service) Support For Extensible Authentication In User Service) Support For Extensible Authentication
Protocol (EAP)", RFC 3579, September 2003. Protocol (EAP)", RFC 3579, September 2003.
[RFC4301] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 4301, December, 2005.
[RFC4668] Nelson, D, "RADIUS Authentication Client MIB for IPv6", RFC [RFC4668] Nelson, D, "RADIUS Authentication Client MIB for IPv6", RFC
4668, August 2006. 4668, August 2006.
[RFC4669] Nelson, D, "RADIUS Authentication Server MIB for IPv6", RFC [RFC4669] Nelson, D, "RADIUS Authentication Server MIB for IPv6", RFC
4669, August 2006. 4669, August 2006.
[RFC4670] Nelson, D, "RADIUS Accounting Client MIB for IPv6", RFC 4670, [RFC4670] Nelson, D, "RADIUS Accounting Client MIB for IPv6", RFC 4670,
August 2006. August 2006.
[RFC4671] Nelson, D, "RADIUS Accounting Server MIB for IPv6", RFC 4671, [RFC4671] Nelson, D, "RADIUS Accounting Server MIB for IPv6", RFC 4671,
skipping to change at page 17, line 10 skipping to change at page 16, line 39
[RFC5176] Chiba, M. et al., "Dynamic Authorization Extensions to Remote [RFC5176] Chiba, M. et al., "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", RFC 5176, Authentication Dial In User Service (RADIUS)", RFC 5176,
January 2008. January 2008.
[RFC5216] Simon, D., etc al., "The EAP-TLS Authentication Protocol", RFC [RFC5216] Simon, D., etc al., "The EAP-TLS Authentication Protocol", RFC
5216, March 2008. 5216, March 2008.
[STATUS] DeKok, A., "Use of Status-Server Packets in the Remote [STATUS] DeKok, A., "Use of Status-Server Packets in the Remote
Authentication Dial In User Service (RADIUS) Protocol", draft- Authentication Dial In User Service (RADIUS) Protocol", draft-
ietf-radext-status-server-06.txt, February 2010 (work in ietf-radext-status-server-07.txt, April 2010 (work in
progress). progress).
[RTLS] Winter, S. et. al., "TLS encryption for RADIUS over TCP [RTLS] Winter, S. et. al., "TLS encryption for RADIUS over TCP
(RadSec)", draft-ietf-radext-radsec-05.txt, July 2009 (work in (RadSec)", draft-ietf-radext-radsec-06.txt, March 2010 (work
progress). in progress).
Acknowledgments Acknowledgments
None at this time. None at this time.
Authors' Addresses Authors' Addresses
Alan DeKok Alan DeKok
The FreeRADIUS Server Project The FreeRADIUS Server Project
http://freeradius.org/ http://freeradius.org/
 End of changes. 29 change blocks. 
116 lines changed or deleted 96 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/