RADIUS EXTensions Working Group Sanal Kumar Kariyezhath Sivaraman INTERNET-DRAFT Aravind Prasad Sridharan Intended Status: Standards Track DELL Expires: May 10, 2016 November 7, 2015 RADIUS Extended Identifier Attribute draft-aravind-radext-extended-identifier-attribute-00 Abstract This document proposes solution to alleviate the limitation of limited size (8 bits) of RADIUS Identifier field by proposing a new Extended Identifier attribute. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Copyright and License Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents Aravind, et al. Expires May 10, 2016 [Page 1] INTERNET DRAFT RADIUS Extended Identifier Attribute November 7, 2015 carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3 2 Extended Identifier Attribute . . . . . . . . . . . . . . . . 3 3 Implementation and Usage Guidelines . . . . . . . . . . . . . . 3 3.1 Extended Identifier Attribute Value . . . . . . . . . . . . 3 3.2 RADIUS Client . . . . . . . . . . . . . . . . . . . . . . . 4 3.3 RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . 4 4 Backward compatibility . . . . . . . . . . . . . . . . . . . . 4 5 Security Considerations . . . . . . . . . . . . . . . . . . . . 5 6 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 7 References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 7.1 Normative References . . . . . . . . . . . . . . . . . . . 5 7.2 Informative References . . . . . . . . . . . . . . . . . . 5 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6 1 Introduction The Identifier field in RADIUS Message is only one octet in size. As a result, only 256 simultaneous "in flight" packets can be present at a time. This problem is also specified in RFC 6613 (RADIUS over TCP) Section 2.6.5 and RFC 3539 (Authentication, Authorization and Accounting (AAA) Transport Profile) Section 2.4. This problem is significant in embedded systems where RADIUS clients most likely re-use the same socket due to the limitation in resources such as file descriptors. For Example, consider the deployment of a NAS that handles thousands of 802.1x supplicants. There are many scenarios, where thousands of supplicants can request for authorization at the same time. Most of the 802.1x supplicants may not get authorized due to ID mismatch if the RADIUS client re-uses same socket for multiple requests as mentioned above. Aravind, et al. Expires May 10, 2016 [Page 2] INTERNET DRAFT RADIUS Extended Identifier Attribute November 7, 2015 1.1 Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2 Extended Identifier Attribute 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- | Type | Length | Value ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Description This Attribute has the same purpose as that of Identifier Field in Message Header,ie, match a request with its corresponding response and aids in detecting duplicate requests if they have the same client source IP address and source UDP port and Identifier within a short span of time. Type TBD Length 6 Value The Value field is four octets 3 Implementation and Usage Guidelines The value of the Extended Identifier Attribute should be given more precedence than the Identifier field in Message Header. 3.1 Extended Identifier Attribute Value The approach for generating the Extended Identifier Attribute value shall be same as followed for generation of Identifier field in Aravind, et al. Expires May 10, 2016 [Page 3] INTERNET DRAFT RADIUS Extended Identifier Attribute November 7, 2015 Message Header. For example, if a Radius client uses the approach of incrementing identifier field (can support from 0 to 255) for each request, then the same approach shall be used for Extended Identifier Attribute too. As Extended Identifier attribute length is of 4 bytes, it can support from 0 to 4294967295. 3.2 RADIUS Client Radius client should send all the messages (say, Access-Request) with both identifier field (as part of message header) and Extended Identifier attribute. Identifier field in the message header can get restarted from 0 after it reaches 255. But the Extended Identifier attribute needs to be restarted only after the count of 4294967295(4 bytes) is reached. 3.3 RADIUS Server If the RADIUS Server supports Extended Identifier Attribute and the attribute is present in the message, Radius server must consider only the Extended Radius Identifier attribute value and ignore the Identifier field in the message header. In this case, Radius server should send the response (say, Access Challenge, Access Accept or Access Reject) to client with the same Extended Identifier Attribute and Identifier field in Message Header values. If the server doesn't support Extended Identifier attribute, then Identifier field in the message header will be considered and Extended Identifier attribute must be ignored. In this case, this attribute shall not be present in the response to the client. For the response message from Radius server, client must consider only the value of the Extended Identifier attribute value instead of Identifier field in the message header if the attribute exists in the message. 4 Backward compatibility The proposed usage of both Identifier field and the Extended Identifier attribute ensures the backward compatibility with the servers that don't have the support for Extended Identifier Aravind, et al. Expires May 10, 2016 [Page 4] INTERNET DRAFT RADIUS Extended Identifier Attribute November 7, 2015 attribute. 5 Security Considerations This document does not introduce any new security concerns to RADIUS or any other specifications referenced in this document. 6 IANA Considerations This document requests IANA to allocate the new type code value to the proposed Extended Identifier attribute and add it to the list of RADIUS Attributes. 7 References 7.1 Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. [RFC3575] Aboba, B., "IANA Considerations for RADIUS (Remote Authentication Dial In User Service)", RFC 3575, July 2003. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. [RFC6158] DeKok, A. and G. Weber, "RADIUS Design Guidelines", BCP 158, RFC 6158, March 2011. [RFC6929] DeKok, A. and A. Lior, "Remote Authentication Dial In User Service (RADIUS) Protocol Extensions", RFC 6929, April 2013. 7.2 Informative References [RFC6613] DeKok, A., "RADIUS over TCP", May 2012. [RFC2868] Zorn, G., Leifer, D., Rubens A., Shriver, J., Aravind, et al. Expires May 10, 2016 [Page 5] INTERNET DRAFT RADIUS Extended Identifier Attribute November 7, 2015 Holdrege, M., Goyret, I, "RADIUS Attributes for Tunnel Protocol Support", June 2000 [RFC6929] DeKok, A. and Lior , A., "Remote Authentication Dial-In User Service RADIUS) Protocol Extensions", April 2013. [RFC5080] Nelson, D. and DeKok. A., "Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes" [RFC2867] Zorn, G., Aboba, B. and Mitton, D., "RADIUS Accounting Modifications for Tunnel Protocol Support", June 2000. [RFC5997] DeKok. A., "Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol", August 2010. Authors' Addresses Sanal Kumar Kariyezhath Sivaraman DELL Olympia Technology Park Guindy, Chennai 600032 India Phone: +91 4058643 Email: Sanal_Kumar_Sivarama@dell.com Aravind Prasad Sridharan DELL Olympia Technology Park Guindy, Chennai 600032 India Phone: +91 9884612715 Email: aravind_sridharan@dell.com Aravind, et al. Expires May 10, 2016 [Page 6]