draft-ietf-radext-tcp-transport-07.txt   draft-ietf-radext-tcp-transport-08.txt 
Network Working Group A. DeKok Network Working Group A. DeKok
INTERNET-DRAFT FreeRADIUS INTERNET-DRAFT FreeRADIUS
Category: Experimental Category: Experimental
<draft-ietf-radext-tcp-transport-07.txt> <draft-ietf-radext-tcp-transport-08.txt>
Expires: November 20, 2010 Expires: February 20, 2011
20 May 2010 1 July 2010
RADIUS Over TCP RADIUS Over TCP
draft-ietf-radext-tcp-transport-07 draft-ietf-radext-tcp-transport-08
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the Abstract
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering The Remote Authentication Dial In User Server (RADIUS) Protocol has
Task Force (IETF), its areas, and its working groups. Note that until now required the User Datagram Protocol (UDP) as the underlying
other groups may also distribute working documents as Internet- transport layer. This document defines RADIUS over the Transmission
Drafts. Control Protocol (RADIUS/TCP), in order to address handling issues
related to RADIUS over Transport Layer Security (RADIUS/TLS). It
permits TCP to be used as a transport protocol for RADIUS only when a
transport layer such as TLS or IPsec provides confidentialy and
security.
Internet-Drafts are draft documents valid for a maximum of six months Status of this Memo
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at This Internet-Draft is submitted to IETF in full conformance with
http://www.ietf.org/ietf/1id-abstracts.txt. the provisions of BCP 78 and BCP 79.
The list of Internet-Draft Shadow Directories can be accessed at Internet-Drafts are working documents of the Internet Engineering
http://www.ietf.org/shadow.html. Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
This Internet-Draft will expire on November 20, 2010 Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."
Copyright Notice The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
Copyright (c) 2010 IETF Trust and the persons identified as the The list of Internet-Draft Shadow Directories can be accessed at
document authors. All rights reserved. http://www.ietf.org/shadow.html.
This document is subject to BCP 78 and the IETF Trust's Legal This Internet-Draft will expire on February 1, 2011
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info/) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Abstract Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
The Remote Authentication Dial In User Server (RADIUS) Protocol has This document is subject to BCP 78 and the IETF Trust's Legal
traditionally used the User Datagram Protocol (UDP) as its underlying Provisions Relating to IETF Documents
transport layer. This document defines RADIUS over the Transmission (http://trustee.ietf.org/license-info/) in effect on the date of
Control Protocol (TCP), in order to address handling issues related publication of this document. Please review these documents
to RADIUS over Transport Layer Security [RTLS]. It is not intended carefully, as they describe your rights and restrictions with
to define TCP as a transport protocol for RADIUS in the absence of a respect to this document. Code Components extracted from this
secure transport layer. document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction ............................................. 4 1. Introduction ............................................. 4
1.1. Applicability of Reliable Transport ................. 5 1.1. Applicability of Reliable Transport ................. 5
1.2. Terminology ......................................... 7 1.2. Terminology ......................................... 6
1.3. Requirements Language ............................... 7 1.3. Requirements Language ............................... 7
2. Changes to RADIUS ........................................ 7 2. Changes to RADIUS ........................................ 7
2.1. Packet Format ....................................... 7 2.1. Packet Format ....................................... 8
2.2. Assigned Ports for RADIUS Over TCP .................. 8 2.2. Assigned Ports for RADIUS/TCP ....................... 8
2.3. Management Information Base (MIB) ................... 9 2.3. Management Information Base (MIB) ................... 9
2.4. Detecting Live Servers .............................. 9 2.4. Detecting Live Servers .............................. 9
2.5. Congestion Control Issues ........................... 10 2.5. Congestion Control Issues ........................... 10
2.6. TCP Specific Issues ................................. 10 2.6. TCP Specific Issues ................................. 10
2.6.1. Duplicates and Retransmissions ................. 11 2.6.1. Duplicates and Retransmissions ................. 11
2.6.2. Head of Line Blocking .......................... 12 2.6.2. Head of Line Blocking .......................... 12
2.6.3. Shared Secrets ................................. 12 2.6.3. Shared Secrets ................................. 12
2.6.4. Malformed Packets and Unknown Clients .......... 12 2.6.4. Malformed Packets and Unknown Clients .......... 12
2.6.5. Limitations of the ID Field .................... 13 2.6.5. Limitations of the ID Field .................... 13
2.6.6. EAP Sessions ................................... 14 2.6.6. EAP Sessions ................................... 14
2.6.7. TCP Applications are not UDP Applications ...... 14 2.6.7. TCP Applications are not UDP Applications ...... 15
3. Diameter Considerations .................................. 15 3. Diameter Considerations .................................. 15
4. IANA Considerations ...................................... 15 4. IANA Considerations ...................................... 15
5. Security Considerations .................................. 15 5. Security Considerations .................................. 15
6. References ............................................... 15 6. References ............................................... 16
6.1. Normative References ................................ 15 6.1. Normative References ................................ 16
6.2. Informative References .............................. 16 6.2. Informative References .............................. 16
1. Introduction 1. Introduction
The RADIUS Protocol has been defined in [RFC2865] as using the User The RADIUS Protocol is defined in [RFC2865] as using the User
Datagram Protocol (UDP) for the underlying transport layer. While Datagram Protocol (UDP) for the underlying transport layer. While
there are a number of benefits to using UDP as outlined in [RFC2865] there are a number of benefits to using UDP as outlined in [RFC2865]
Section 2.4, there are also some limitations: Section 2.4, there are also some limitations:
* Unreliable transport. As a result, systems using RADIUS have to * Unreliable transport. As a result, systems using RADIUS have to
implement application-layer timers and re-transmissions, as implement application-layer timers and re-transmissions, as
described in [RFC5080] Section 2.2.1. described in [RFC5080] Section 2.2.1.
* Packet fragmentation. [RFC2865] Section 3 permits RADIUS * Packet fragmentation. [RFC2865] Section 3 permits RADIUS
packets up to 4096 octets in length. These packets are larger packets up to 4096 octets in length. These packets are larger
skipping to change at page 4, line 35 skipping to change at page 4, line 35
* Connectionless transport. Neither clients nor servers receive * Connectionless transport. Neither clients nor servers receive
positive statements that a "connection" is down. This information positive statements that a "connection" is down. This information
has to be deduced instead from the absence of a reply to a has to be deduced instead from the absence of a reply to a
request. request.
* Lack of congestion control. Clients can send arbitrary amounts * Lack of congestion control. Clients can send arbitrary amounts
of traffic with little or no feedback. This lack of feedback can of traffic with little or no feedback. This lack of feedback can
result in congestive collapse of the network. result in congestive collapse of the network.
As RADIUS is widely deployed, and has been widely deployed for well RADIUS has been widely deployed for well over a decade, and continues
over a decade, these issues have been minor in some use-cases, and to be widely deployed. Experience shows that these issues have been
problematic in others. For use-cases such as inter-server proxying, minor in some use-cases, and problematic in others. For use-cases
[RTLS] suggests an alternative transport and security model -- RADIUS such as inter-server proxying, an alternative transport and security
over TLS. That document describes the transport implications of model -- RADIUS/TLS or RADIUS/TLS, as defined in [RADIUS/TLS]. That
running RADIUS over TLS. document describes the transport implications of running RADIUS/TLS.
The choice of TCP as a transport protocol is largely driven by the The choice of TCP as a transport protocol is largely driven by the
desire to improve the security of RADIUS by using RADIUS over TLS. desire to improve the security of RADIUS by using RADIUS/TLS. For
For practical reasons, the transport protocol (TCP) is defined practical reasons, the transport protocol (TCP) is defined separately
separately from the security mechanism (TLS). from the security mechanism (TLS).
Since "bare" TCP does not provide for confidentiality or enable Since "bare" TCP does not provide for confidentiality or enable
negotiation of credible ciphersuites, its use is not appropriate for negotiation of credible ciphersuites, its use is not appropriate for
inter-server communications where strong security is required. As a inter-server communications where strong security is required. As a
result "bare" TCP transport MUST NOT be used without TLS, IPsec, or result "bare" TCP transport MUST NOT be used without TLS, IPsec, or
other secure upper layer. other secure upper layer.
"Bare" TCP transport MAY, however, be used when another method such "Bare" TCP transport MAY, however, be used when another method such
as IPSec [RFC4301] is used to provide additional confidentiality and as IPSec [RFC4301] is used to provide additional confidentiality and
security. Should experience show that such deployments are useful, security. Should experience show that such deployments are useful,
this specification could be moved to standards track. this specification could be moved to standards track.
1.1. Applicability of Reliable Transport 1.1. Applicability of Reliable Transport
The intent of this document is to address transport issues related to The intent of this document is to address transport issues related to
RADIUS over TLS [RTLS] in inter-server communications scenarios, such RADIUS/TLS [RADIUS/TLS] in inter-server communications scenarios,
as inter-domain communication between proxies. These situations such as inter-domain communication between proxies. These situations
benefit from the confidentiality and ciphersuite negotiation that can benefit from the confidentiality and ciphersuite negotiation that can
be provided by TLS. Since TLS is already widely available within the be provided by TLS. Since TLS is already widely available within the
operating systems used by proxies, implementation barriers are low. operating systems used by proxies, implementation barriers are low.
In scenarios where RADIUS proxies exchange a large volume of packets, In scenarios where RADIUS proxies exchange a large volume of packets,
it is likely that there will be sufficient traffic to enable the it is likely that there will be sufficient traffic to enable the
congestion window to be widened beyond the minimum value on a long- congestion window to be widened beyond the minimum value on a long-
term basis, enabling ACK piggy-backing. Through use of an term basis, enabling ACK piggy-backing. Through use of an
application-layer watchdog as described in [RFC3539], it is possible application-layer watchdog as described in [RFC3539], it is possible
to address the objections to reliable transport described in to address the objections to reliable transport described in
[RFC2865] Section 2.4 without substantial watchdog traffic, since [RFC2865] Section 2.4 without substantial watchdog traffic, since
regular traffic is expected in both directions. regular traffic is expected in both directions.
In addition, use of RADIUS over TLS has been found to improve In addition, use of RADIUS/TLS has been found to improve operational
operational performance when used with multi-round trip performance when used with multi-round trip authentication mechanisms
authentication mechanisms such as RADIUS over EAP [RFC3579]. In such such as EAP over RADIUS [RFC3579]. In such exchanges, it is typical
exchanges, it is typical for EAP fragmentation to increase the number for EAP fragmentation to increase the number of round-trips required.
of round-trips required. For example, where EAP-TLS authentication For example, where EAP-TLS authentication [RFC5216] is attempted and
[RFC5216] is attempted and both the EAP peer and server utilize both the EAP peer and server utilize certificate chains of 8KB, as
certificate chains of 8KB, as many as 15 round-trips can be required many as 15 round-trips can be required if RADIUS packets are
if RADIUS packets are restricted to the common Ethernet MTU (1500 restricted to the common Ethernet MTU (1500 octets) for EAP over LAN
octets) for EAP over LAN (EAPoL) use-cases. Fragmentation of RADIUS (EAPoL) use-cases. Fragmentation of RADIUS/UDP packets is generally
over UDP packets is generally inadvisable due to lack of inadvisable due to lack of fragmentation support within intermediate
fragmentation support within intermediate devices such as filtering devices such as filtering routers, firewalls and NATs. However,
routers, firewalls and NATs. However, since RADIUS over UDP since RADIUS/UDP implementations typically do not support MTU
implementations typically do not support MTU discovery, fragmentation discovery, fragmentation can occur even when the maximum RADIUS/UDP
can occur even when the maximum RADIUS over UDP packet size is packet size is restricted to 1500 octets.
restricted to 1500 octets.
These problems disappear if a 4096 application-layer payload can be These problems disappear if a 4096 application-layer payload can be
used alongside RADIUS over TLS. Since most TCP implementations used alongside RADIUS/TLS. Since most TCP implementations support
support MTU discovery, the TCP MSS is automatically adjusted to MTU discovery, the TCP MSS is automatically adjusted to account for
account for the MTU, and the larger congestion window supported by the MTU, and the larger congestion window supported by TCP may allow
TCP may allow multiple TCP segments to be sent within a single multiple TCP segments to be sent within a single window. Even those
window. Even those few TCP stacks which do not perform path MTU few TCP stacks which do not perform path MTU discovery can already
discovery can already support arbitrary payloads. support arbitrary payloads.
Where the MTU for EAP packets is large, RADIUS/EAP traffic required Where the MTU for EAP packets is large, RADIUS/EAP traffic required
for an EAP-TLS authentication with 8KB certificate chains may be for an EAP-TLS authentication with 8KB certificate chains may be
reduced to 7 round-trips or less, resulting in substantially reduced reduced to 7 round-trips or less, resulting in substantially reduced
authentication times. authentication times.
In addition, experience indicates that EAP sessions transported over In addition, experience indicates that EAP sessions transported over
RTLS are less likely to abort unsuccessfully. Historically, RADIUS RADIUS/TLS are less likely to abort unsuccessfully. Historically,
over UDP implementations have exhibited poor retransmission behavior. RADIUS over UDP implementations have exhibited poor retransmission
Some implementations retransmit packets, others do not, and others behavior. Some implementations retransmit packets, others do not,
send new packets rather then performing retransmission. Some and others send new packets rather then performing retransmission.
implementations are incapable of detecting EAP retransmissions, and Some implementations are incapable of detecting EAP retransmissions,
will instead treat the retransmitted packet as an error. As a and will instead treat the retransmitted packet as an error. As a
result, within RADIUS over UDP implementations, retransmissions have result, within RADIUS/UDP implementations, retransmissions have a
a high likeilhood of causing an EAP authentication session to fail. high likeilhood of causing an EAP authentication session to fail.
For a system with a million logins a day running EAP-TLS mutual For a system with a million logins a day running EAP-TLS mutual
authentication with 15 round-trips, and having a packet loss authentication with 15 round-trips, and having a packet loss
probability of P=0.01%, we expect that 0.3% of connections will probability of P=0.01%, we expect that 0.3% of connections will
experience at least one lost packet. That is, 3,000 user sessions experience at least one lost packet. That is, 3,000 user sessions
each day will experience authentication failure. This is an each day will experience authentication failure. This is an
unacceptable failure rate for a mass-market network service. unacceptable failure rate for a mass-market network service.
Using a reliable transport method such as TCP means that RADIUS Using a reliable transport method such as TCP means that RADIUS
implementations can remove all application-layer retransmissions, and implementations can remove all application-layer retransmissions, and
instead rely on the Operating System (OS) kernel's well-tested TCP instead rely on the Operating System (OS) kernel's well-tested TCP
skipping to change at page 7, line 31 skipping to change at page 7, line 27
RADIUS request packet RADIUS request packet
A packet originated by a RADIUS client to a RADIUS server. e.g. A packet originated by a RADIUS client to a RADIUS server. e.g.
Access-Request, Accounting-Request, CoA-Request, or Disconnect- Access-Request, Accounting-Request, CoA-Request, or Disconnect-
Request. Request.
RADIUS response packet RADIUS response packet
A packet sent by a RADIUS server to a RADIUS client, in response to A packet sent by a RADIUS server to a RADIUS client, in response to
a RADIUS request packet. e.g. Access-Accept, Access-Reject, a RADIUS request packet. e.g. Access-Accept, Access-Reject,
Access-Challenge, Accounting-Response, CoA-ACK, etc. Access-Challenge, Accounting-Response, CoA-ACK, etc.
RADIUS/UDP
RADIUS over UDP, as defined in [RFC2865].
RADIUS/TCP
RADIUS over TCP, as defined in this document.
RADIUS/UDP
RADIUS over TLS,, as defined in [RADIUS/TLS].
1.3. Requirements Language 1.3. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Changes to RADIUS 2. Changes to RADIUS
RADIUS over TCP involves sending RADIUS application messages over a RADIUS/TCP involves sending RADIUS application messages over a TCP
TCP connection. In the sections that follow, we discuss the connection. In the sections that follow, we discuss the implications
implications for the RADIUS packet format (Section 2.1), port usage for the RADIUS packet format (Section 2.1), port usage (Section 2.2),
(Section 2.2), RADIUS MIBs (Section 2.3) and RADIUS proxies (Section RADIUS MIBs (Section 2.3) and RADIUS proxies (Section 2.5). TCP-
2.5). TCP-specific issues are discussed in Section 2.6. specific issues are discussed in Section 2.6.
2.1. Packet Format 2.1. Packet Format
The RADIUS packet format is unchanged from [RFC2865], [RFC2866], and The RADIUS packet format is unchanged from [RFC2865], [RFC2866], and
[RFC5176]. Specifically, all of the following portions of RADIUS [RFC5176]. Specifically, all of the following portions of RADIUS
MUST be unchanged when using RADIUS over TCP: MUST be unchanged when using RADIUS/TCP:
* Packet format * Packet format
* Permitted codes * Permitted codes
* Request Authenticator calculation * Request Authenticator calculation
* Response Authenticator calculation * Response Authenticator calculation
* Minimum packet length * Minimum packet length
* Maximum packet length * Maximum packet length
* Attribute format * Attribute format
* Vendor-Specific Attribute (VSA) format * Vendor-Specific Attribute (VSA) format
* Permitted data types * Permitted data types
skipping to change at page 8, line 29 skipping to change at page 8, line 38
[RFC3579] also does not change. [RFC3579] also does not change.
Clients and servers MUST be able to store and manage shared secrets Clients and servers MUST be able to store and manage shared secrets
based on the key described above, of (IP address, port, transport based on the key described above, of (IP address, port, transport
protocol). protocol).
The changes to RADIUS implementations required to implement this The changes to RADIUS implementations required to implement this
specification are largely limited to the portions that send and specification are largely limited to the portions that send and
receive packets on the network. receive packets on the network.
2.2. Assigned Ports for RADIUS Over TCP 2.2. Assigned Ports for RADIUS/TCP
IANA has already assigned TCP ports for RADIUS and RTLS transport, as IANA has already assigned TCP ports for RADIUS and RADIUS/TLS
outlined below: transport, as outlined below:
* radius 1812/tcp * radius 1812/tcp
* radius-acct 1813/tcp * radius-acct 1813/tcp
* radius-dynauth 3799/tcp * radius-dynauth 3799/tcp
* radsec 2083/tcp * radsec 2083/tcp
Since these ports are unused by existing RADIUS implementations, the Since these ports are unused by existing RADIUS implementations, the
assigned values MUST be used as the default ports for RADIUS over assigned values MUST be used as the default ports for RADIUS over
TCP. TCP.
The early deployment of RADIUS was done using UDP port number 1645, The early deployment of RADIUS was done using UDP port number 1645,
which conflicts with the "datametrics" service. Implementations which conflicts with the "datametrics" service. Implementations
using RADIUS over TCP MUST NOT use TCP ports 1645 or 1646 as the using RADIUS/TCP MUST NOT use TCP ports 1645 or 1646 as the default
default ports for this specification. ports for this specification.
The "radsec" port (2083/tcp) SHOULD be used as the default port for The "radsec" port (2083/tcp) SHOULD be used as the default port for
RTLS. The "radius" port (1812/tcp) SHOULD NOT be used for RTLS. RADIUS/TLS. The "radius" port (1812/tcp) SHOULD NOT be used for
RADIUS/TLS.
2.3. Management Information Base (MIB) 2.3. Management Information Base (MIB)
The MIB Module definitions in [RFC4668], [RFC4669], [RFC4670], The MIB Module definitions in [RFC4668], [RFC4669], [RFC4670],
[RFC4671], [RFC4672], and [RFC4673] are intended to be used for [RFC4671], [RFC4672], and [RFC4673] are intended to be used for
RADIUS over UDP. As such, they do not support RADIUS over TCP, and RADIUS over UDP. As such, they do not support RADIUS/TCP, and will
will need to be updated in the future. Implementations of RADIUS need to be updated in the future. Implementations of RADIUS/TCP
over TCP SHOULD NOT re-use these MIB Modules to perform statistics SHOULD NOT re-use these MIB Modules to perform statistics counting
counting for RADIUS over TCP connections.w for RADIUS/TCP connections.
2.4. Detecting Live Servers 2.4. Detecting Live Servers
As RADIUS is a "hop by hop" protocol, a RADIUS proxy effectively As RADIUS is a "hop by hop" protocol, a RADIUS proxy shields the
shields the client from any information about downstream servers. client from any information about downstream servers. While the
While the client may be able to deduce the operational state of the client may be able to deduce the operational state of the local
local server (i.e. proxy), it cannot make any determination about the server (i.e. proxy), it cannot make any determination about the
operational state of the downstream servers. operational state of the downstream servers.
Within RADIUS as defined in [RFC2865], proxies typically only forward Within RADIUS as defined in [RFC2865], proxies typically only forward
traffic between the NAS and RADIUS server, and do not generate their traffic between the NAS and RADIUS server, and do not generate their
own responses. As a result, when a NAS does not receive a response own responses. As a result, when a NAS does not receive a response
to a request, this could be the result of packet loss between the NAS to a request, this could be the result of packet loss between the NAS
and proxy, a problem on the proxy, loss between the RADIUS proxy and and proxy, a problem on the proxy, loss between the RADIUS proxy and
server, or a problem with the server. server, or a problem with the server.
When UDP was used as a transport protocol, the absence of a reply can When UDP is used as a transport protocol, the absence of a reply can
cause a client to deduce (incorrectly) that the proxy is unavailable. cause a client to deduce (incorrectly) that the proxy is unavailable.
The client could then fail over to another server, or conclude that The client could then fail over to another server, or conclude that
no "live" servers are available (OKAY state in [RFC3539] Appendix A). no "live" servers are available (OKAY state in [RFC3539] Appendix A).
This situation is made even worse when requests are sent through a This situation is made even worse when requests are sent through a
proxy to multiple destinations. Failures in one destination may proxy to multiple destinations. Failures in one destination may
result in service outages for other destinations, if the client result in service outages for other destinations, if the client
erroneously believes that the proxy is unresponsive. erroneously believes that the proxy is unresponsive.
For RADIUS over TLS, it is RECOMMENDED that implementations utilize For RADIUS/TLS, it is RECOMMENDED that implementations utilize the
the existence of a TCP connection along with the application layer existence of a TCP connection along with the application layer
watchdog defined in [RFC3539] Section 3.4 to determine that the watchdog defined in [RFC3539] Section 3.4 to determine that the
server is "live". server is "live".
RADIUS clients using RADIUS over TCP MUST mark a connection DOWN if RADIUS clients using RADIUS/TCP MUST mark a connection DOWN if the
the network stack indicates that the connection is no longer active. network stack indicates that the connection is no longer active. If
If the network stack indicates that connection is still active, the network stack indicates that connection is still active, Clients
Clients MUST NOT decide that it is down until the application layer MUST NOT decide that it is down until the application layer watchdog
watchdog algorithm has marked it DOWN ([RFC3539] Appendix A). RADIUS algorithm has marked it DOWN ([RFC3539] Appendix A). RADIUS clients
clients using RADIUS over TCP MUST NOT decide that a RADIUS server is using RADIUS/TCP MUST NOT decide that a RADIUS server is unresponsive
unresponsive until all TCP connections to it have been marked DOWN. until all TCP connections to it have been marked DOWN.
The above requirements do not forbid the practice of a client pro- The above requirements do not forbid the practice of a client pro-
actively closing connections, or marking a server as DOWN due to an actively closing connections, or marking a server as DOWN due to an
administrative decision. administrative decision.
2.5. Congestion Control Issues 2.5. Congestion Control Issues
Additional issues with RADIUS proxies involve transport protocol Additional issues with RADIUS proxies involve transport protocol
changes where the proxy receives packets on one transport protocol, changes where the proxy receives packets on one transport protocol,
and forwards them on a different transport protocol. There are and forwards them on a different transport protocol. There are
skipping to change at page 10, line 38 skipping to change at page 10, line 46
instead of one end-to-end loop, and so are less stable. This is true instead of one end-to-end loop, and so are less stable. This is true
even for TCP-TCP proxies. As discussed in [RFC3539], the only way to even for TCP-TCP proxies. As discussed in [RFC3539], the only way to
achieve stability equivalent to a single TCP connection is to mimic achieve stability equivalent to a single TCP connection is to mimic
the end-to-end behavior of a single TCP connection. This typically the end-to-end behavior of a single TCP connection. This typically
is not achievable with an application-layer RADIUS implementation, is not achievable with an application-layer RADIUS implementation,
regardless of transport. regardless of transport.
2.6. TCP Specific Issues 2.6. TCP Specific Issues
The guidelines defined in [RFC3539] for implementing a AAA protocol The guidelines defined in [RFC3539] for implementing a AAA protocol
over reliable transport are applicable to RADIUS over TLS. over reliable transport are applicable to RADIUS/TLS.
The Application Layer Watchdog defined in [RFC3539] Section 3.4 MUST The Application Layer Watchdog defined in [RFC3539] Section 3.4 MUST
be used. The Status-Server packet [STATUS] MUST be used as the be used. The Status-Server packet [STATUS] MUST be used as the
application layer watchdog message. Implementations MUST reserve one application layer watchdog message. Implementations MUST reserve one
RADIUS ID per connection for the application layer watchdog message. RADIUS ID per connection for the application layer watchdog message.
This restriction is described further below in Section 2.6.4. This restriction is described further below in Section 2.6.4.
RADIUS over TLS Implementations MUST support receiving RADIUS packets RADIUS/TLS Implementations MUST support receiving RADIUS packets over
over both UDP and TLS transports originating from the same endpoint. both UDP and TLS transports originating from the same endpoint.
RADIUS packets received over UDP MUST be replied to over UDP; RADIUS RADIUS packets received over UDP MUST be replied to over UDP; RADIUS
packets received over TLS MUST be replied to over TLS. That is, packets received over TLS MUST be replied to over TLS. That is,
RADIUS clients and servers MUST be treated as unique based on a key RADIUS clients and servers MUST be treated as unique based on a key
of the three-tuple (IP address, port, transport protocol). of the three-tuple (IP address, port, transport protocol).
Implementations MUST permit different shared secrets to be used for Implementations MUST permit different shared secrets to be used for
UDP and TCP connections to the same destination IP address and UDP and TCP connections to the same destination IP address and
numerical port. numerical port.
This requirement does not forbid the traditional practice of using This requirement does not forbid the traditional practice of using
primary and secondary servers in a fail-over relationship. Instead, primary and secondary servers in a fail-over relationship. Instead,
it requires that two services sharing an IP address and numerical it requires that two services sharing an IP address and numerical
port, but differing in transport protocol, MUST be treated as port, but differing in transport protocol, MUST be treated as
independent services for the purpose of fail-over, load-balancing, independent services for the purpose of fail-over, load-balancing,
etc. etc.
skipping to change at page 12, line 11 skipping to change at page 12, line 19
duplicate detection on received packets, as described in [RFC5080] duplicate detection on received packets, as described in [RFC5080]
Section 2.2.2. This detection can prevent duplicate processing of Section 2.2.2. This detection can prevent duplicate processing of
packets from non-conformant clients. packets from non-conformant clients.
RADIUS packets SHOULD NOT be re-transmitted to the same destination RADIUS packets SHOULD NOT be re-transmitted to the same destination
IP and numerical port, but over a different transport protocol. IP and numerical port, but over a different transport protocol.
There is no guarantee in RADIUS that the two ports are in any way There is no guarantee in RADIUS that the two ports are in any way
related. This requirement does not, however, forbid the practice of related. This requirement does not, however, forbid the practice of
putting multiple servers into a fail-over or load-balancing pool. In putting multiple servers into a fail-over or load-balancing pool. In
that situation, RADIUS request MAY be retransmitted to another server that situation, RADIUS request MAY be retransmitted to another server
that known to be part of the same pool. that is known to be part of the same pool.
2.6.2. Head of Line Blocking 2.6.2. Head of Line Blocking
When using UDP as a transport for RADIUS, there is no ordering of When using UDP as a transport for RADIUS, there is no ordering of
packets. If a packet sent by a client is lost, that loss has no packets. If a packet sent by a client is lost, that loss has no
effect on subsequent packets sent by that client. effect on subsequent packets sent by that client.
Unlike UDP, TCP is subject to issues related to Head of Line (HoL) Unlike UDP, TCP is subject to issues related to Head of Line (HoL)
blocking. This occurs when when a TCP segment is lost and a blocking. This occurs when when a TCP segment is lost and a
subsequent TCP segment arrives out of order. While the RADIUS server subsequent TCP segment arrives out of order. While the RADIUS server
can process RADIUS packets out of order, the semantics of TCP makes can process RADIUS packets out of order, the semantics of TCP makes
this impossible. This limitation can lower the maximum packet this impossible. This limitation can lower the maximum packet
processing rate of RADIUS over TCP. processing rate of RADIUS/TCP.
2.6.3. Shared Secrets 2.6.3. Shared Secrets
The use of TLS transport does not change the calculation of security- The use of TLS transport does not change the calculation of security-
related fields (such as the Response-Authenticator) in RADIUS related fields (such as the Response-Authenticator) in RADIUS
[RFC2865] or RADIUS Dynamic Authorization [RFC5176]. Calculation of [RFC2865] or RADIUS Dynamic Authorization [RFC5176]. Calculation of
attributes such as User-Password [RFC2865] or Message-Authenticator attributes such as User-Password [RFC2865] or Message-Authenticator
[RFC3579] also does not change. [RFC3579] also does not change.
Clients and servers MUST be able to store and manage shared secrets Clients and servers MUST be able to store and manage shared secrets
skipping to change at page 13, line 22 skipping to change at page 13, line 31
* Packet that has an Attribute "length" field has value of zero * Packet that has an Attribute "length" field has value of zero
or one (0 or 1). or one (0 or 1).
* Packet where the attributes do not exactly fill the packet * Packet where the attributes do not exactly fill the packet
* Packet where the Request Authenticator fails validation * Packet where the Request Authenticator fails validation
(where validation is required). (where validation is required).
* Packet where the Response Authenticator fails validation * Packet where the Response Authenticator fails validation
(where validation is required). (where validation is required).
* Packet where the Message-Authenticator attribute fails * Packet where the Message-Authenticator attribute fails
validation (when it occurs in a packet). validation (when it occurs in a packet).
After applying the above rules, there are still situations where the After applying the above rules, there are still two situations where
previous specifications allow a packet to be "silently discarded". the previous specifications allow a packet to be "silently discarded"
on reception:
* Packets with an invalid code field
* Response packets that do not match any outstanding request
In these situations, the TCP connections MAY remain open, or MAY be In these situations, the TCP connections MAY remain open, or MAY be
closed, as an implementation choice. However, the invalid packet closed, as an implementation choice. However, the invalid packet
MUST be silently discarded. MUST be silently discarded.
* Packet with an invalid code field These requirements reduce the possibility for a misbehaving client or
* Response packets that do not match any outstanding request server to wreak havoc on the network.
These requirements minimize the possibility for a misbehaving client
or server to wreak havoc on the network.
2.6.5. Limitations of the ID Field 2.6.5. Limitations of the ID Field
The RADIUS ID field is one octet in size. As a result, any one TCP The RADIUS ID field is one octet in size. As a result, any one TCP
connection can have only 256 "in flight" RADIUS packets at a time. connection can have only 256 "in flight" RADIUS packets at a time.
If more than 256 simultaneous "in flight" packets are required, If more than 256 simultaneous "in flight" packets are required,
additional TCP connections will need to be opened. This limitation additional TCP connections will need to be opened. This limitation
is also noted in [RFC3539] Section 2.4. is also noted in [RFC3539] Section 2.4.
An additional limit is the requirement to send a Status-Server packet An additional limit is the requirement to send a Status-Server packet
over the same TCP connection as is used for normal requests. As over the same TCP connection as is used for normal requests. As
noted in [STATUS], the response to a Status-Server packet is either noted in [STATUS], the response to a Status-Server packet is either
an Access-Accept or an Accounting-Response. If all IDs were an Access-Accept or an Accounting-Response. If all IDs were
allocated to normal requests, then there would be no free Id to use allocated to normal requests, then there would be no free ID to use
for the Status-Server packet, and it could not be sent over the for the Status-Server packet, and it could not be sent over the
connection. connection.
Implementations SHOULD reserve ID zero on each TCP connection for Implementations SHOULD reserve ID zero (0) on each TCP connection for
Status-Server packets. This value was picked arbitrarily, as there Status-Server packets. This value was picked arbitrarily, as there
is no reason to choose any one value over another for this use. is no reason to choose any one value over another for this use.
Implementors may be tempted to extend RADIUS to permit more than 256 Implementors may be tempted to extend RADIUS to permit more than 256
outstanding packets on one connection. However, doing so will likely outstanding packets on one connection. However, doing so is a
require fundamental changes to the RADIUS protocol, and as such, is violation of a fundamental part of the protocol and MUST NOT be done.
outside of the scope of this specification. Making that extension here is outside of the scope of this
specification.
2.6.6. EAP Sessions 2.6.6. EAP Sessions
When RADIUS clients send EAP requests using RADIUS over TCP, they When RADIUS clients send EAP requests using RADIUS/TCP, they SHOULD
SHOULD choose the same TCP connection for all packets related to one choose the same TCP connection for all packets related to one EAP
EAP session. This practice ensures that EAP packets are transmitted session. This practice ensures that EAP packets are transmitted in
in order, and that problems with any one TCP connection do affect the order, and that problems with any one TCP connection do affect the
minimum number of EAP sessions. minimum number of EAP sessions.
A simple method that may work in many situations is to hash the A simple method that may work in many situations is to hash the
contents of the Calling-Station-Id attribute, which normally contains contents of the Calling-Station-Id attribute, which normally contains
the MAC address. The output of that hash can be used to select a the MAC address. The output of that hash can be used to select a
particular TCP connection. particular TCP connection.
However, EAP packets for one EAP session can still be transported However, EAP packets for one EAP session can still be transported
from client to server over multiple paths. Therefore, when a server from client to server over multiple paths. Therefore, when a server
receives a RADIUS request containing an EAP request, it MUST be receives a RADIUS request containing an EAP request, it MUST be
skipping to change at page 15, line 13 skipping to change at page 15, line 26
connections may result in resource exhaustion. connections may result in resource exhaustion.
Further discussion of implementation issues is outside of the scope Further discussion of implementation issues is outside of the scope
of this document. of this document.
3. Diameter Considerations 3. Diameter Considerations
This document defines TCP as a transport layer for RADIUS. It This document defines TCP as a transport layer for RADIUS. It
defines no new RADIUS attributes or codes. The only interaction with defines no new RADIUS attributes or codes. The only interaction with
Diameter is in a RADIUS to Diameter, or in a Diameter to RADIUS Diameter is in a RADIUS to Diameter, or in a Diameter to RADIUS
gateway. The RADIUS side of such a gateway MAY implement RADIUS over gateway. The RADIUS side of such a gateway MAY implement RADIUS/TCP,
TCP, but this change has no effect on Diameter. but this change has no effect on Diameter.
4. IANA Considerations 4. IANA Considerations
This document requires no action by IANA. This document requires no action by IANA.
5. Security Considerations 5. Security Considerations
As the RADIUS packet format, signing, and client verification are As the RADIUS packet format, signing, and client verification are
unchanged from prior specifications, all of the security issues unchanged from prior specifications, all of the security issues
outlined in previous specifications for RADIUS over UDP are also outlined in previous specifications for RADIUS/UDP are also
applicable here. applicable here.
As noted above, clients and servers SHOULD support configurable As noted above, clients and servers SHOULD support configurable
connection limits. Allowing an unlimited number of connections may connection limits. Allowing an unlimited number of connections may
result in resource exhaustion. result in resource exhaustion.
Implementors should consult [RTLS] for issues related the security of Implementors should consult [RADIUS/TLS] for issues related the
RADIUS over TLS, and [RFC5246] for issues related to the security of security of RADIUS/TLS, and [RFC5246] for issues related to the
the TLS protocol. security of the TLS protocol.
Since "bare" TCP does not provide for confidentiality or enable Since "bare" TCP does not provide for confidentiality or enable
negotiation of credible ciphersuites, its use is not appropriate for negotiation of credible ciphersuites, its use is not appropriate for
inter-server communications where strong security is required. As a inter-server communications where strong security is required. As a
result "bare" TCP transport MUST NOT be used without TLS, IPsec, or result "bare" TCP transport MUST NOT be used without TLS, IPsec, or
other secure upper layer. other secure upper layer.
There are no (at this time) other known security issues for RADIUS There are no (at this time) other known security issues for RADIUS
over TCP transport. over TCP transport.
skipping to change at page 16, line 9 skipping to change at page 16, line 22
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote
Authentication Dial In User Service (RADIUS)", RFC 2865, June Authentication Dial In User Service (RADIUS)", RFC 2865, June
2000. 2000.
[RFC3539] Aboba, B. et al., "Authentication, Authorization and [RFC3539] Aboba, B. et al., "Authentication, Authorization and
Accounting (AAA) Transport Profile", RFC 3539, June 2003. Accounting (AAA) Transport Profile", RFC 3539, June 2003.
[RTLS] Winter, S. et. al., "TLS encryption for RADIUS over TCP [RADIUS/TLS]
Winter, S. et. al., "TLS encryption for RADIUS over TCP
(RadSec)", draft-ietf-radext-radsec-06.txt, March 2010 (work (RadSec)", draft-ietf-radext-radsec-06.txt, March 2010 (work
in progress). in progress).
6.2. Informative References 6.2. Informative References
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial
In User Service) Support For Extensible Authentication In User Service) Support For Extensible Authentication
Protocol (EAP)", RFC 3579, September 2003. Protocol (EAP)", RFC 3579, September 2003.
 End of changes. 52 change blocks. 
147 lines changed or deleted 161 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/