RADEXT WG                                                  D. Morrissette
Internet-Draft                                                    Verizon
Intended status: Standards Track                                 F. Klamm
Expires: January 7, 2016                                        L. Morand
                                                                   Orange
                                                             July 6, 2015


            RADIUS attributes commonly used in fixed networks
           draft-klammorrissette-radext-very-common-vsas-00

Abstract

   There is a set of Remote Authentication Dial-In User Service (RADIUS)
   attributes that have been widely used in different types of fixed
   networks although they do not exist as standard attributes.  Each of
   these attributes has long been part of many vendor dictionaries, and
   is therefore presented with differing approaches and syntaxes.  This
   document attempts to solve this by presenting them in a standard,
   common way, based on the approaches found in multiple dictionaries.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 7, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions and Terminology
     2.1.  Conventions
     2.2.  Terminology
   3.  Deployment Scenarios
   4.  RADIUS attributes
     4.1.  Attributes for Routing Context
       4.1.1.  Virtual-Router-Id
     4.2.  Policies and QoS Attributes
       4.2.1.  Policy-Name
       4.2.2.  QoS-Profile-Name
     4.3.  Attributes for walled garden services
       4.3.1.  HTTP-Redirect-URI
       4.3.2.  HTTP-Redirect-Profile-Name
     4.4.  DNS
       4.4.1.  Primary-DNS-Server-Address
       4.4.2.  Secondary-DNS-Server-Address
     4.5.  Multicast attributes
       4.5.1.  IGMP-Enable
       4.5.2.  IGMP-Profile-Name
       4.5.3.  MLD-Enable
       4.5.4.  MLD-Profile-Name
     4.6.  Tunnel attributes
       4.6.1.  Tunnel-Virtual-Router
       4.6.2.  Tunnel-Max-Sessions
       4.6.3.  Tunnel-Profile-Name
       4.6.4.  Tunnel-Terminate-Cause
     4.7.  Service attributes
       4.7.1.  Service-Name
       4.7.2.  Deactivate-Service-Name
       4.7.3.  Service-Accounting
   5.  Table of Attributes
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document describes a set of Remote Authentication Dial-In User
   Service (RADIUS) [RFC2865] attributes that have been widely used in
   different fixed network contexts (residential access, business
   services, ...).  Since those attributes have long been part of many
   vendor dictionaries, they have been presented with different syntaxes
   and semantics.  This document is, as far as possible, an effort to
   present them in a common way.

2.  Conventions and Terminology

2.1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.2.  Terminology

   [To Be Completed]

3.  Deployment Scenarios

   [To Be Completed.  Draft text below.]

   This section is intended to cover a wide range of access networks.
   The main purpose of this document is to standardise common vendor-
   specific attributes.
   The extensions in this document are intended to be applicable across
   a wide variety of network access scenarios in which RADIUS is
   involved.  The protocols involved include, but are not limited to,
   DHCP, PPP, L2TP and protocols related to multicast or QoS.

   One such typical network scenario is illustrated in Figure 1.  It is
   composed of an IP routing Residential Gateway (RG) or host; a Layer 2
   Access Node (AN), e.g., a Digital Subscriber Line Access Multiplexer
   (DSLAM); an IP Network Access Server (NAS), incorporating an
   Authentication, Authorization, and Accounting (AAA) client; and a
   AAA server.

                                                     +-----+
                                                     | AAA |
                                                     |     |
                                                     +--+--+
                                                        ^
                                                        .
                                                        .(RADIUS)
                                                        .
                                                        v
                      +------+                      +---+---+
   +------+           |      |                      |       |
   | RG/  +-----------|  AN  +-----------+----------+  NAS  |
   | host |           |      |                      |       |
   +------+   (DSL)   +------+       (Ethernet)     +-------+

                                 Figure 1

   In the depicted scenario, the NAS may use an IP address configuration
   protocol (e.g., DHCPv6) to handle address assignment to RGs/hosts.
   The RADIUS server authenticates each RG/host and returns the
   attributes used for authorization and accounting.  These attributes
   can include attributes related to the routing context, policies and
   QoS, walled garden services, DNS servers, multicast service, and PPP
   and L2TP configuration.  The following sections define these
   attributes.

4.  RADIUS attributes

   The new attributes described in this section are defined as short
   extended attributes, as defined in [RFC6929].  Each of them is
   carried in the Extended-Type-1 attribute (Type 241) and is encoded
   as a Type field, a Length field that counts the whole attribute, a
   one-octet Extended-Type field and the Value field; the Length is
   therefore 4 or greater, and it is 7 for the attributes whose Value
   field is a 4-octet integer, enumeration or IPv4 address.  The
   "241.x" notation used in the Type field below is a placeholder for
   the Extended-Type values to be assigned by IANA (see Section 6).

   Each attribute is described following the suggestions given in
   Section 4 of [draft-dekok-radext-datatypes].  Please refer to that
   specification for further details on the data types used for the
   different attributes.
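   The encoding described above, as an added example that is not part
   of the draft: a Python encoder and decoder for short extended
   attributes carrying the data types this document uses (string, enum,
   integer, ipv4addr), with the Length checks a NAS needs before it acts
   on a value.  The Extended-Type numbers in the registry (1, 3, 4, 5,
   7, 9, 14) are assumptions standing in for the "241.x" placeholders,
   and the attribute run it builds is constructed for the example, not
   a captured packet.

```python
import ipaddress
import struct

# RFC 6929 Extended-Type-1 attribute: the "241" in the draft's "241.x" types.
TYPE_EXTENDED_1 = 241

# Extended-Type -> (attribute name, draft data type).  The numbers are
# assumptions standing in for the draft's 241.x01 ... placeholders.
REGISTRY = {
    1: ("Virtual-Router-Id", "string"),
    3: ("Policy-Name", "string"),
    4: ("QoS-Profile-Name", "string"),
    5: ("HTTP-Redirect-URI", "string"),
    7: ("Primary-DNS-Server-Address", "ipv4addr"),
    9: ("IGMP-Enable", "enum"),
    14: ("Tunnel-Max-Sessions", "integer"),
}


def encode_value(data_type, value):
    """Serialise a Value field according to the draft's data type."""
    if data_type == "string":
        raw = value.encode() if isinstance(value, str) else bytes(value)
        if not raw:
            raise ValueError("string attributes carry one or more octets")
        return raw
    if data_type in ("enum", "integer"):
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"{data_type} values are 32-bit unsigned")
        return struct.pack("!I", value)             # network byte order
    if data_type == "ipv4addr":
        return ipaddress.IPv4Address(value).packed  # 4 octets, network order
    raise ValueError(f"unsupported data type {data_type!r}")


def decode_value(data_type, raw):
    """Parse a Value field, enforcing the fixed sizes of enum/integer/ipv4addr."""
    if data_type == "string":
        return bytes(raw)                           # undistinguished octets
    if data_type in ("enum", "integer"):
        if len(raw) != 4:
            raise ValueError(f"{data_type} value must be 4 octets, got {len(raw)}")
        return struct.unpack("!I", raw)[0]
    if data_type == "ipv4addr":
        if len(raw) != 4:
            raise ValueError(f"ipv4addr value must be 4 octets, got {len(raw)}")
        return str(ipaddress.IPv4Address(bytes(raw)))
    raise ValueError(f"unsupported data type {data_type!r}")


def encode_attribute(ext_type, value):
    """Type (241) | Length | Extended-Type | Value, per RFC 6929 Section 2.1."""
    name, data_type = REGISTRY[ext_type]
    raw = encode_value(data_type, value)
    length = 3 + len(raw)                           # three header octets plus value
    if length > 255:
        raise ValueError(f"{name}: value too long for a short extended attribute")
    return struct.pack("!BBB", TYPE_EXTENDED_1, length, ext_type) + raw


def decode_attributes(data):
    """Walk a run of RADIUS attributes and return [(name, value)] for the
    extended attributes in REGISTRY.  Classic attributes and unknown
    Extended-Types are skipped; malformed attributes raise ValueError."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"attribute type {attr_type}: bad Length {length}")
        body = data[pos + 2:pos + length]
        pos += length
        if attr_type != TYPE_EXTENDED_1:
            continue                                # classic attribute, not handled here
        if length < 4:                              # RFC 6929: Length MUST be 4 or greater
            raise ValueError("extended attribute shorter than 4 octets")
        ext_type, raw = body[0], body[1:]
        if ext_type not in REGISTRY:
            continue                                # unknown Extended-Type: ignore
        name, data_type = REGISTRY[ext_type]
        out.append((name, decode_value(data_type, raw)))
    return out


def sample_access_accept_attributes():
    """Constructed attribute run for the example (not a captured packet)."""
    return b"".join([
        bytes([1, 5]) + b"bob",                     # User-Name (type 1), skipped by decoder
        encode_attribute(1, "vr-blue"),
        encode_attribute(5, "http://portal.example.net/welcome"),
        encode_attribute(7, "192.0.2.53"),
        encode_attribute(9, 1),
        encode_attribute(14, 500),
    ])


if __name__ == "__main__":
    for name, value in decode_attributes(sample_access_accept_attributes()):
        print(f"{name:30} {value!r}")
```

   The decoder deliberately keeps string values as raw octets, matching
   the "undistinguished octets" requirement of the attribute
   definitions, and rejects an enum, integer or ipv4addr whose Value is
   not exactly 4 octets rather than guessing at its meaning.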
4.1.  Attributes for Routing Context

   [To Be Completed]

4.1.1.  Virtual-Router-Id

   Description

      The Virtual-Router-Id attribute contains an identifier that
      identifies exactly one virtual router when multiple, independent
      virtual routers co-exist on the same physical routing platform.
      This attribute MAY be included in Access-Accept and Change of
      Authorization (CoA) Request packets.  When returned in an Access-
      Accept, this attribute defines the virtual router to which the
      user session is assigned.  If the virtual router identified by
      the RADIUS server does not exist on the NAS, the Network Access
      Server (NAS) MUST NOT permit the user to access the network.  If
      the RADIUS server does not return a Virtual-Router-Id, the user
      session MAY be assigned to a default routing context or to any
      available virtual router.

   Type

      241.x01

   Length

      >= 4

   Ext-Data

      string

   Value

      The "Value" field is one or more octets and contains the virtual
      router identifier that the user is assigned.  A robust
      implementation SHOULD support the field as undistinguished octets.

4.2.  Policies and QoS Attributes

   [To Be Completed]

4.2.1.  Policy-Name

   Description

      The Policy-Name attribute contains a name that identifies the
      policy to apply to the user session in the ingress or egress
      direction.  The policy definition itself resides locally on the
      NAS.  This attribute MAY be included in Access-Accept and CoA-
      Request packets.  If the policy name provided in the RADIUS
      message does not exist, the NAS MAY assign a default policy to
      the user session if one exists on the NAS itself.

   Type

      241.x03

   Length

      >= 4

   Ext-Data

      string

   Value

      The "Value" field is one or more octets, specifying the name of
      the policy to apply to the user session in the ingress or egress
      direction.  A robust implementation SHOULD support the field as
      undistinguished octets.

4.2.2.  QoS-Profile-Name

   Description

      The QoS-Profile-Name attribute contains a name that identifies the
      QoS profile to apply to the user session.  The QoS profile
      definition itself resides locally on the NAS.  This attribute MAY
      be included in Access-Accept and CoA-Request packets.  If the QoS
      profile name provided in the RADIUS message does not exist, the
      NAS MAY apply a default QoS profile to the user session if one
      exists on the NAS itself.

   Type

      241.x04

   Length

      >= 4

   Ext-Data

      string

   Value

      The "Value" field is one or more octets, specifying the QoS
      profile name to apply to the user session.  A robust
      implementation SHOULD support the field as undistinguished octets.

4.3.  Attributes for walled garden services

   [To Be Completed]

4.3.1.  HTTP-Redirect-URI

   Description

      The HTTP-Redirect-URI attribute contains an HTTP Uniform Resource
      Identifier (URI) to which HTTP requests originated by the user are
      redirected by the NAS.  This attribute MAY be included in Access-
      Accept, CoA-Request and Accounting-Request packets.

   Type

      241.x05

   Length

      >= 4

   Ext-Data

      string

   Value

      The "Value" field is one or more octets, containing an HTTP URI as
      specified in [RFC7230].  A robust implementation SHOULD support
      the field as undistinguished octets.

4.3.2.  HTTP-Redirect-Profile-Name

   Description

      The HTTP-Redirect-Profile-Name attribute contains the name of an
      HTTP redirect profile to apply to the user session.  This
      attribute MAY be included in Access-Accept, CoA-Request and
      Accounting-Request packets.

   Type

      241.x06

   Length

      >= 4

   Ext-Data

      string

   Value

      The "Value" field is one or more octets, containing the name of an
      HTTP redirect profile to apply to the HTTP traffic originated by
      the user.  A robust implementation SHOULD support the field as
      undistinguished octets.
4.4.  DNS

   This section only defines DNS server attributes for IPv4.  Attributes
   for IPv6 DNS servers are defined in [RFC6911].

4.4.1.  Primary-DNS-Server-Address

   Description

      The Primary-DNS-Server-Address attribute contains the IPv4 address
      (in network byte order) of the primary DNS server negotiated
      during IPCP.  This attribute MAY be included in Access-Accept and
      Accounting-Request packets.

   Type

      241.x07

   Length

      7

   Ext-Data

      ipv4addr

   Value

      The "Value" field contains the IPv4 address (in network byte
      order) of the primary DNS server.

4.4.2.  Secondary-DNS-Server-Address

   Description

      The Secondary-DNS-Server-Address attribute contains the IPv4
      address (in network byte order) of the secondary DNS server, if
      negotiated during IPCP.  This attribute MAY be included in Access-
      Accept and Accounting-Request packets.

   Type

      241.x08

   Length

      7

   Ext-Data

      ipv4addr

   Value

      The "Value" field contains the IPv4 address (in network byte
      order) of the secondary DNS server.

4.5.  Multicast attributes

   [To Be Completed]

4.5.1.  IGMP-Enable

   Description

      The IGMP-Enable attribute contains an enumerated value that
      indicates whether the IGMP protocol is enabled or disabled on the
      user interface upon connection establishment.  This attribute MAY
      be included in Access-Accept and CoA-Request packets.

   Type

      241.x09

   Length

      7

   Ext-Data

      enum

   Value

      The "Value" field is an enumerated value that indicates whether
      IGMP is enabled or disabled.  The valid set of enumerated values
      is:

         0 = Disable
         1 = Enable

4.5.2.  IGMP-Profile-Name

   Description

      The IGMP-Profile-Name attribute contains the name of the IGMP
      service profile configured on the NAS and to apply to the user
      session.  This attribute MAY be included in Access-Accept, CoA-
      Request and Accounting-Request packets.

   Type

      241.x10

   Length

      >= 4

   Ext-Data

      string

   Value

      The "Value" field contains the IGMP profile name that is assigned
      to the user session.  A robust implementation SHOULD support the
      field as undistinguished octets.

4.5.3.  MLD-Enable

   Description

      The MLD-Enable attribute contains an enumerated value that
      indicates whether the MLD protocol is enabled or disabled on the
      user interface upon connection establishment.  This attribute MAY
      be included in Access-Accept and CoA-Request packets.

   Type

      241.x11

   Length

      7

   Ext-Data

      enum

   Value

      The "Value" field is an enumerated value that indicates whether
      the MLD protocol is enabled or disabled on the user interface upon
      connection establishment.  The valid set of enumerated values is:

         0 = Disable
         1 = Enable

4.5.4.  MLD-Profile-Name

   Description

      The MLD-Profile-Name attribute contains the name of the MLD
      service profile configured on the NAS and applied to the user
      session.  This attribute MAY be included in Access-Accept, CoA-
      Request and Accounting-Request packets.  If the MLD profile named
      in the RADIUS message sent by the RADIUS server does not exist,
      the NAS MAY assign a default MLD profile to the user session if
      one exists on the NAS itself.

   Type

      241.x12

   Length

      >= 4

   Ext-Data

      string

   Value

      The "Value" field is one or more octets, specifying the MLD
      profile name that is assigned to the subscriber session.  A
      robust implementation SHOULD support the field as undistinguished
      octets.

4.6.  Tunnel attributes

   [To Be Completed]

4.6.1.  Tunnel-Virtual-Router

   Description

      The Tunnel-Virtual-Router attribute identifies, by name, the
      virtual router (such as a VPN instance) of the tunnel context.

      When returned in an Access-Accept, this attribute defines the
      virtual routing context to which the tunnel is assigned.
   Type

      241.x13

   Length

      >= 4

   Ext-Data

      string

   Value

      The "Value" field is one or more octets, specifying the name of
      the virtual router that is assigned to the tunnel.  A robust
      implementation SHOULD support the field as undistinguished octets.

4.6.2.  Tunnel-Max-Sessions

   Description

      The Tunnel-Max-Sessions attribute specifies the maximum number of
      sessions that are allowed in a given tunnel.  A session must be
      denied when accepting it would cause this value to be exceeded.

      The Tunnel-Max-Sessions attribute MAY be returned in Access-Accept
      packets.

   Type

      241.x14

   Length

      7

   Ext-Data

      integer

   Value

      The "Value" field is a 32-bit unsigned integer, in network byte
      order, giving the maximum number of sessions that can be brought
      up in the tunnel.

4.6.3.  Tunnel-Profile-Name

   Description

      The Tunnel-Profile-Name attribute contains a name that identifies
      the profile that defines the tunnel to which the subscriber
      session is tied.  The tunnel profile definition itself, which
      comprises various tunnel-specific parameters, resides locally on
      the NAS.

      This attribute MAY be included in Access-Accept packets.  If the
      tunnel profile name provided in the RADIUS message does not
      exist, the NAS MAY apply a default tunnel profile to the
      subscriber session if one exists on the NAS itself.

   Type

      241.x15

   Length

      >= 4

   Ext-Data

      string

   Value

      The "Value" field is one or more octets, specifying the tunnel
      profile name to apply to the user session.  A robust
      implementation SHOULD support the field as undistinguished octets.

4.6.4.  Tunnel-Terminate-Cause

   Description

      The Tunnel-Terminate-Cause attribute specifies the disconnect
      cause when a tunneled subscriber is disconnected, for example when
      the termination is initiated by the L2TP layer in the case of an
      LNS.

      The Tunnel-Terminate-Cause attribute MAY be included in
      Accounting-Request (Stop) packets.

   Type

      241.x16

   Length

      7

   Ext-Data

      enum

   Value

      The "Value" field is an enumerated value, encoded as a 32-bit
      integer in network byte order, specifying the cause of session
      termination.

4.7.  Service attributes

   [To Be Completed]

4.7.1.  Service-Name

   Description

      The Service-Name attribute specifies the name of the service to be
      activated for a given subscriber session.  The Service-Name
      attribute MAY be present in Access-Accept, CoA-Request and CoA
      response packets.  The Service-Name attribute may be tagged,
      supporting multiple tags.

   Type

      241.x17

   Length

      >= 4

   Ext-Data

      string

   Value

      The "Value" field contains the name of the service that is
      assigned to the subscriber session.  A robust implementation
      SHOULD support the field as undistinguished octets.

4.7.2.  Deactivate-Service-Name

   Description

      The Deactivate-Service-Name attribute specifies the name of the
      service to be deactivated for a given subscriber session.

      The Deactivate-Service-Name attribute MAY be present in Access-
      Accept and CoA-Request packets.

   Type

      241.x18

   Length

      >= 4

   Ext-Data

      string

   Value

      The "Value" field is one or more octets, containing the name of
      the service that is to be deactivated for the subscriber session.
      A robust implementation SHOULD support the field as
      undistinguished octets.

4.7.3.  Service-Accounting

   Description

      The Service-Accounting attribute specifies whether accounting for
      a given service tied to a subscriber session is enabled or
      disabled.

      This attribute MAY be included in Access-Accept and CoA-Request
      packets.  Implementations may support sub-options for Service-
      Accounting, such as time- and/or volume-based accounting
      statistics collection.  The Service-Accounting attribute may
      support tags.
   Type

      241.x19

   Length

      7

   Ext-Data

      enum

   Value

      The "Value" field is an enumerated value that indicates whether
      accounting is enabled or disabled for the service tied to the
      subscriber session.  The valid set of enumerated values is:

         0 = Disable
         1 = Enable

5.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in which kinds of packets, and in what quantity.

   Access- Access- Access- Access-
   Request Accept  Reject  Chall    #        Attribute
   0       0-1     0       0        241.x01  Virtual-Router-Id
   0       0-1     0       0        241.x02  Redirect-Virtual-Router-Id
   0       0-1     0       0        241.x03  Policy-Name
   0       0-1     0       0        241.x04  QoS-Profile-Name
   0       0-1     0       0        241.x05  HTTP-Redirect-URI
   0       0-1     0       0        241.x06  HTTP-Redirect-Profile-Name
   0       0-1     0       0        241.x07  Primary-DNS-Server-Address
   0       0-1     0       0        241.x08  Secondary-DNS-Server-Address
   0       0-1     0       0        241.x09  IGMP-Enable
   0       0-1     0       0        241.x10  IGMP-Profile-Name
   0       0-1     0       0        241.x11  MLD-Enable
   0       0-1     0       0        241.x12  MLD-Profile-Name
   0       0-1     0       0        241.x13  Tunnel-Virtual-Router
   0       0-1     0       0        241.x14  Tunnel-Max-Sessions
   0       0-1     0       0        241.x15  Tunnel-Profile-Name
   0       0       0       0        241.x16  Tunnel-Terminate-Cause
   0       0-1     0       0        241.x17  Service-Name
   0       0-1     0       0        241.x18  Deactivate-Service-Name
   0       0-1     0       0        241.x19  Service-Accounting

   CoA-    Dis-    Acct-
   Request Request Request          #        Attribute
   0-1     0       0                241.x01  Virtual-Router-Id
   0-1     0       0                241.x02  Redirect-Virtual-Router-Id
   0-1     0       0                241.x03  Policy-Name
   0-1     0       0                241.x04  QoS-Profile-Name
   0-1     0       0-1              241.x05  HTTP-Redirect-URI
   0-1     0       0-1              241.x06  HTTP-Redirect-Profile-Name
   0       0       0-1              241.x07  Primary-DNS-Server-Address
   0       0       0-1              241.x08  Secondary-DNS-Server-Address
   0-1     0       0                241.x09  IGMP-Enable
   0-1     0       0-1              241.x10  IGMP-Profile-Name
   0-1     0       0                241.x11  MLD-Enable
   0-1     0       0-1              241.x12  MLD-Profile-Name
   0-1     0       0                241.x13  Tunnel-Virtual-Router
   0       0       0                241.x14  Tunnel-Max-Sessions
   0       0       0                241.x15  Tunnel-Profile-Name
   0       0       0-1              241.x16  Tunnel-Terminate-Cause
   0-1     0       0                241.x17  Service-Name
   0-1     0       0                241.x18  Deactivate-Service-Name
   0-1     0       0                241.x19  Service-Accounting

   The following table defines the above table entries.

   0    This attribute MUST NOT be present in the packet.

   0+   Zero or more instances of this attribute MAY be present in the
        packet.

   0-1  Zero or one instance of this attribute MAY be present in the
        packet.
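   A NAS-side check for the table above, as an added example that is
   not code from the draft: it encodes the packet-type columns for a
   subset of the attributes and then applies the handling rules the
   Section 4 descriptions give (an unknown Virtual-Router-Id denies
   access, an unknown Policy-Name or QoS-Profile-Name falls back to a
   local default when the NAS has one).  The NAS configuration
   dictionary, the packet-code constants taken from RFC 2865 and RFC
   5176, and the choice to treat an IGMP-Enable value outside the
   enumeration as fatal are assumptions of the example.

```python
from collections import Counter

# RADIUS packet codes from RFC 2865 and RFC 5176.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
ACCESS_CHALLENGE, DISCONNECT_REQUEST, COA_REQUEST = 11, 40, 43

# Packet codes in which the Section 5 table allows zero or one instance
# ("0-1").  Every other packet code is a "0" column: MUST NOT be present.
ALLOWED_IN = {
    "Virtual-Router-Id": {ACCESS_ACCEPT, COA_REQUEST},
    "Policy-Name": {ACCESS_ACCEPT, COA_REQUEST},
    "QoS-Profile-Name": {ACCESS_ACCEPT, COA_REQUEST},
    "HTTP-Redirect-URI": {ACCESS_ACCEPT, COA_REQUEST, ACCOUNTING_REQUEST},
    "Primary-DNS-Server-Address": {ACCESS_ACCEPT, ACCOUNTING_REQUEST},
    "IGMP-Enable": {ACCESS_ACCEPT, COA_REQUEST},
    "Tunnel-Profile-Name": {ACCESS_ACCEPT},
    "Tunnel-Terminate-Cause": {ACCOUNTING_REQUEST},
    "Service-Name": {ACCESS_ACCEPT, COA_REQUEST},
}


class AccessDenied(Exception):
    """Raised when the NAS must not bring up (or modify) the session."""


def table_violations(code, attrs):
    """Check a decoded [(name, value)] list against the Section 5 table.

    Returns a list of violation strings; an empty list means the packet is
    acceptable as far as attribute placement and count are concerned."""
    problems = []
    for name, count in Counter(name for name, _ in attrs).items():
        if name not in ALLOWED_IN:
            continue                      # attribute not covered by the table
        if code not in ALLOWED_IN[name]:
            problems.append(f"{name} MUST NOT be present in packet code {code}")
        elif count > 1:
            problems.append(f"{name} present {count} times, at most one allowed")
    return problems


def apply_access_accept(attrs, nas):
    """Derive session settings from a decoded Access-Accept.

    `nas` is a constructed stand-in for the NAS's local configuration
    (an assumption of this example): the virtual routers, policies and
    QoS profiles it knows, plus its defaults."""
    problems = table_violations(ACCESS_ACCEPT, attrs)
    if problems:
        raise AccessDenied("; ".join(problems))
    got = dict(attrs)                     # safe: duplicates were rejected above
    session = {"virtual_router": nas["default_vr"], "policy": None,
               "qos_profile": None, "igmp": False}

    # Virtual-Router-Id: a router the NAS does not have means no access;
    # no attribute at all means the default routing context.
    vr = got.get("Virtual-Router-Id")
    if vr is not None:
        if vr not in nas["virtual_routers"]:
            raise AccessDenied(f"unknown virtual router {vr!r}")
        session["virtual_router"] = vr

    # Policy-Name / QoS-Profile-Name: an unknown name falls back to the
    # local default if the NAS has one (the draft's MAY), else to nothing.
    for attr, key, known, default in (
        ("Policy-Name", "policy", nas["policies"], nas.get("default_policy")),
        ("QoS-Profile-Name", "qos_profile", nas["qos_profiles"], nas.get("default_qos")),
    ):
        name = got.get(attr)
        if name is not None:
            session[key] = name if name in known else default

    # IGMP-Enable: 0 = Disable, 1 = Enable; anything else is outside the
    # enumeration, which this example treats as fatal (an assumption).
    igmp = got.get("IGMP-Enable")
    if igmp is not None:
        if igmp not in (0, 1):
            raise AccessDenied(f"IGMP-Enable value {igmp} is not Disable/Enable")
        session["igmp"] = bool(igmp)
    return session


# Constructed NAS configuration for the example.
EXAMPLE_NAS = {
    "virtual_routers": {"vr-blue", "vr-red"}, "default_vr": "vr-default",
    "policies": {"gold"}, "default_policy": "best-effort",
    "qos_profiles": {"10M"}, "default_qos": None,
}

if __name__ == "__main__":
    accept = [("Virtual-Router-Id", "vr-blue"), ("Policy-Name", "platinum"),
              ("QoS-Profile-Name", "10M"), ("IGMP-Enable", 1)]
    print(apply_access_accept(accept, EXAMPLE_NAS))
    print(table_violations(COA_REQUEST, [("Policy-Name", "a"), ("Policy-Name", "b")]))
```

   Note the asymmetry the descriptions impose: a bad Virtual-Router-Id
   is a hard failure, while a bad Policy-Name or QoS-Profile-Name is
   merely replaced by a default, so a server that mistypes a policy
   name silently downgrades the session rather than rejecting it.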
6.  IANA Considerations

   This document requires IANA to assign the following Extended-Type
   values within the Extended-Type-1 attribute (Type 241) defined in
   [RFC6929]:

   Attribute                      Type
   =========                      ====
   Virtual-Router-Id              241.x01
   Redirect-Virtual-Router-Id     241.x02
   Policy-Name                    241.x03
   QoS-Profile-Name               241.x04
   HTTP-Redirect-URI              241.x05
   HTTP-Redirect-Profile-Name     241.x06
   Primary-DNS-Server-Address     241.x07
   Secondary-DNS-Server-Address   241.x08
   IGMP-Enable                    241.x09
   IGMP-Profile-Name              241.x10
   MLD-Enable                     241.x11
   MLD-Profile-Name               241.x12
   Tunnel-Virtual-Router          241.x13
   Tunnel-Max-Sessions            241.x14
   Tunnel-Profile-Name            241.x15
   Tunnel-Terminate-Cause         241.x16
   Service-Name                   241.x17
   Deactivate-Service-Name        241.x18
   Service-Accounting             241.x19

7.  Security Considerations

   This document specifies additional RADIUS attributes useful in
   residential broadband network deployments.  In such networks, the
   RADIUS protocol may run over either IPv4 or IPv6, and the known
   security vulnerabilities of the RADIUS protocol apply to the
   attributes defined in this document.  A trust relationship between
   the NAS and the RADIUS server is expected to be in place, with
   communication optionally secured by IPsec [RFC4301] or Transport
   Layer Security (TLS) [RFC5246].  This document does not introduce
   any new security issue compared to those identified in [RFC2865].

   Several of the attributes defined here steer subscriber traffic
   rather than merely describe it: Primary-DNS-Server-Address and
   Secondary-DNS-Server-Address select the resolvers the subscriber
   will use, HTTP-Redirect-URI selects where the NAS sends the
   subscriber's HTTP requests, and Virtual-Router-Id and Tunnel-
   Virtual-Router select the routing context the session lands in.  An
   ent entity able to forge or alter Access-Accept or CoA-Request
   packets, for example after compromise of the shared secret, could
   therefore redirect the subscriber's DNS and web traffic or place the
   session in the wrong routing context; this is the reason to protect
   the NAS-to-server path with IPsec or TLS rather than rely on the
   shared secret alone.  The occurrence rules of Section 5 and the
   fixed lengths of the enum, integer and ipv4addr attributes also give
   a NAS a simple way to discard malformed or misplaced attributes
   before acting on them.

8.  Acknowledgements

   The authors would like to thank Sri Gundavelli and Gaetan Feige for
   having shared thoughts on the concepts exposed in this document.

9.  References

9.1.  Normative References
   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC6911]  Dec, W., Sarikaya, B., Zorn, G., Miles, D., and B.
              Lourdelet, "RADIUS Attributes for IPv6 Access Networks",
              RFC 6911, April 2013.

   [RFC6929]  DeKok, A. and A. Lior, "Remote Authentication Dial In User
              Service (RADIUS) Protocol Extensions", RFC 6929, April
              2013.

   [RFC7230]  Fielding, R., Ed., and J. Reschke, Ed., "Hypertext
              Transfer Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, June 2014.

9.2.  Informative References

   [draft-dekok-radext-datatypes]
              DeKok, A., "Data Types in the Remote Authentication Dial-
              In User Service Protocol (RADIUS)", draft-dekok-radext-
              datatypes (work in progress).

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

Authors' Addresses

   Devasena Morrissette
   Verizon
   555 Elm St
   Manchester, NH 03101
   USA

   Email: devasena.morrissette@verizon.com


   Frederic Klamm
   Orange
   4, rue du Clos Courtel, BP 91226
   Cesson-Sevigne 35512
   France

   Email: frederic.klamm@orange.com


   Lionel Morand
   Orange
   38-40 rue du General Leclerc
   Issy-Les-Moulineaux 92130
   France

   Email: lionel.morand@orange.com