rfcdiff: draft-ietf-radext-extended-attributes-01.txt vs. draft-ietf-radext-extended-attributes-02.txt
(Where the two versions differ, the variants are marked (-01) and (-02) below.)

Network Working Group                                              Y. Li
Internet-Draft                                                   A. Lior
Intended status: Standards Track                                     BWS
Expires: August 24, 2008 (-01) / September 16, 2008 (-02)        G. Zorn
                                                          Aruba Networks
                                February 21, 2008 (-01) / March 15, 2008 (-02)

     Extended Remote Authentication Dial In User Service (RADIUS) Attributes
     draft-ietf-radext-extended-attributes-01.txt (-01) /
     draft-ietf-radext-extended-attributes-02.txt (-02)
Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that

   skipping to change at page 1, line 36

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 24, 2008 (-01) /
   September 16, 2008 (-02).

Copyright Notice

   Copyright (C) The IETF Trust (2008).
Abstract

   (-01) In order for the Remote Authentication Dial In User Service
   (RADIUS) protocol to continue to support new applications the RADIUS
   attribute type space must be extended beyond the current limit of 255
   possible attribute types while maintaining backwards compatibility
   with the existing protocol.  This document defines a mechanism to
   accomplish that task, along with standard methods to group together
   related attributes and to encode values that don't fit into 253
   octets.

   (-02) The abstract is identical except that the first sentence opens
   "For the Remote Authentication Dial In User Service (RADIUS) protocol
   to continue to support new applications ..." instead of "In order for
   the ...".
Table of Contents

   1.   Introduction                                                   3
   2.   Terminology                                                    3
     2.1.  Requirements Language                                        3
   3.   Problem Statement                                              4
   4.   RADIUS Type Extension                                          4
   5.   Formal Syntax                              6 (-01) / 5 (-02)
   6.   Examples                                                       7
   7.   Security Considerations                                       11
   8.   IANA Considerations                                           11
   9.   Open Issues                                                   11
   10.  References                                                    11
     10.1.  Normative References                                      11
     10.2.  Informative References                                    11
   Authors' Addresses                                                 12
   Intellectual Property and Copyright Statements                     13
   skipping to change at page 5, line 33

   o  The final octet of the header contains the More flag and Tag
      field.  If the one bit More flag is set (1) this indicates that
      the encapsulated TLV is continued in the following Extended
      Attribute; if the More flag is clear (0) then all of the
      encapsulated TLVs fit into the current Extended Attribute.  The
      More flag MUST NOT be set if the Extended Attribute contains more
      than one TLV.  The Tag field is used to combine sets of related
      Extended Attributes into simple groups.

   (-02 only)
   o  The Data field is an abstract container for TLVs; the Data field
      MUST contain at least one TLV.

   TLVs are encoded as follows:

   (-01)
   o  The first bit is the Standard or 'S' flag.  The Standard flag is
      set (1) if the TLV is a standard RADIUS attribute (as defined in
      RFC 2865, for example), otherwise it is clear (0).

   o  The next 2 octets are the Ext-Type field.

   o  The next octet is the Ext-Length field, representing the length
      of the entire TLV, including the length of the Ext-Type field
      (2 octets), the length of the Ext-Length field itself (1 octet)
      and the length of the Value field (1 or more octets).

   o  The Value field consists of one or more octets comprising the
      actual data.

   (-02)
   o  The first octet is the Ext-Type field.

   o  The next octet is the Ext-Length field, representing the length
      of the entire TLV, including the length of the Ext-Type field
      (1 octet), the length of the Ext-Length field itself (1 octet)
      and the length of the Value field (1 or more octets).

   o  The Value field consists of one or more octets comprising the
      actual data to be transmitted.
5.  Formal Syntax

   This section describes the encoding scheme used for RADIUS Extended
   Attributes.  The basis of this encoding is the format recommended for
   Vendor Specific Attributes in RFC 2865 [RFC2865].

   (-01)
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type (26)   |    Length     |          Vendor-Id (0)        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Vendor-Id (0)         |M|     Tag     |   Ext-Type
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      Ext-Type    |  Ext-Length   |   Value...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   (-02)
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type (26)   |    Length     |          Vendor-Id (0)        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Vendor-Id (0)         |M|     Tag     |   Data...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Type

      26 for Vendor-Specific

   Length

      >= 10

   Vendor ID

      The high-order octet is zero (0) and the low-order 3 octets are
      zeros (0), representing an extended IETF RADIUS attribute.

   M (More)

      (-01) The More Flag is one (1) bit in length.  When a value to be
      transmitted exceeds 246 octets in length it is fragmented over two
      or more Extended Attributes.  If the More Flag is set (1), this
      indicates that the Value field of the Extended Attribute contains
      a fragment of a larger value, which is continued in the next
      Extended Attribute of the same Ext-Type.  When the More Flag is
      clear (0), the final (or only) fragment of the value is contained
      in the Extended Attribute.

      (-02) The More Flag is one (1) bit in length and MUST be present.
      The remainder of the definition is unchanged from -01.

   Tag

      The Tag field is 7 bits long and MUST be present.  It is used to
      group Extended Attributes.  Extended Attributes with the same non-
      zero value in the Tag field belong to the same group.  A Tag value
      of zero (0) indicates that the attribute is not grouped.  A Tag
      value of all ones (0x7F) is reserved.

   Data (-02 only)

      The Data field is >= 3 octets in length.  It consists of 1 or more
      TLVs.

   TLVs have the following syntax (-02 only):

                        1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Ext-Type    |    Ext-Len    |   Value...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Ext-Type

      (-01) Two (2) octets.  (-02) One (1) octet.  Up-to-date values of
      the Ext-Type field are specified in the most recent "Assigned
      Numbers" [IANA].  Values XXXX-YYYY are reserved.

   Ext-Length (-02: Ext-Len)

      >= 4.  The length of the Extended Attribute, including the Ext-
      Type, Ext-Length and Value fields.

   Value

      One or more octets.
6.  Examples

   Consider an attribute called Foo of type String.  Foo is allocated an
   Extended-Type by IANA of 10.  The following figure shows the encoding
   of Foo(0,4) = "Hello":
   (-01)
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type (26)   |    Length     |          Vendor-Id
   |               | (6 + 9 = 15)  |             (0)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           Vendor-Id (cont)        |M|     Tag     |   Ext-Type
                                   |0|     (0)     |    (257)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Ext-Type (cont)|  Ext-Length   |     Value     |               |
                  |  (4 + 5 = 9)  |      (H)      |      (e)      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               |               |               |
   |      (l)      |      (l)      |      (o)      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   (-02)
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type (26)   |    Length     |          Vendor-Id
   |               | (7 + 7 = 14)  |             (0)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           Vendor-Id (cont)        |M|     Tag     |   Ext-Type    |
                                   |0|     (0)     |     (257)     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Ext-Length   |     Value     |               |               |
   |  (2 + 5 = 7)  |      (H)      |      (e)      |      (l)      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               |               |
   |      (l)      |      (o)      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 1
   Now consider another instantiation of the Foo Extended Attribute,
   this one with a length of 251 octets.  In this case the value is
   fragmented over two Extended Attributes.  The first 245 (-02: 246)
   octets are included in the first fragment which has the More bit set
   and the remaining 6 octets appear in the second attribute.  Figure 2
   below illustrates the encoding of the first 7 octets of the first
   Extended Attribute (Foo(0,6) = "Hello W"), while Figure 3 shows how
   the second attribute (Foo(245,250) (-02: Foo(246,250)) = "e end.") is
   encoded.
   (-01)
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type (26)   |    Length     |          Vendor-Id
   |               |(7 + 248 = 255)|             (0)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           Vendor-Id (cont)        |M|     Tag     |   Ext-Type
                                   |1|     (0)     |    (256)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Ext-Type (cont)|  Ext-Length   |     Value     |               |
                  |(3 + 245 = 248)|      (H)      |      (e)      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               |               |               |               |
   |      (l)      |      (l)      |      (o)      |      ( )      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               |
   |      (W)      |
   +-+-+-+-+-+-+-+-+
   ...

   (-02)
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type (26)   |    Length     |          Vendor-Id
   |               |(7 + 248 = 255)|             (0)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           Vendor-Id (cont)        |M|     Tag     |   Ext-Type    |
                                   |1|     (0)     |     (256)     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Ext-Length   |     Value     |               |               |
   |(2 + 246 = 248)|      (H)      |      (e)      |      (l)      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               |               |               |               |
   |      (l)      |      (o)      |      ( )      |      (W)      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ...

                                 Figure 2
   (-01)
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type (26)   |    Length     |          Vendor-Id            |
   |               | (7 + 9 = 16)  |             (0)               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Vendor-Id            |M|     Tag     |   Ext-Type
                 (0)               |0|     (0)     |    (256)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   Ext-Type (cont)|  Ext-Length   |     Value     |               |
                  |  (3 + 6 = 9)  |      (e)      |      ( )      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               |               |               |               |
   |      (e)      |      (n)      |      (d)      |      (.)      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   (-02)
                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type (26)   |    Length     |          Vendor-Id            |
   |               | (7 + 8 = 15)  |             (0)               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Vendor-Id            |M|     Tag     |   Ext-Type    |
                 (0)               |0|     (0)     |     (256)     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Ext-Length   |     Value     |               |               |
   |  (2 + 6 = 8)  |      (e)      |      ( )      |      (e)      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               |               |               |
   |      (n)      |      (d)      |      (.)      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 3
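   The following Python is an added illustration, not part of either
   draft.  It encodes and parses Extended Attributes in the -02 layout
   (one-octet Ext-Type and Ext-Len), reproducing the "Hello" attribute
   of Figure 1 (Length 14, Ext-Len 7) and the 246 + 6 octet split of
   Figures 2 and 3 with the More flag set only on the first fragment.
   The parser validates Length and every Ext-Len before indexing, which
   is the check a RADIUS server needs so that a malformed attribute
   cannot make it read outside the packet.  Assumptions: Ext-Type 10 as
   allocated in the prose (the figures' 256/257 do not fit in a one-
   octet Ext-Type), and a constructed 252-octet value, since the figures
   carry 246 + 6 octets although the prose says 251.

```python
import struct

VSA_TYPE = 26          # Extended Attributes ride inside Vendor-Specific (26)
EXT_VENDOR_ID = 0      # Vendor-Id 0 marks an extended IETF attribute
HDR_LEN = 7            # Type, Length, Vendor-Id (4), More/Tag octet
TLV_HDR = 2            # Ext-Type and Ext-Len, one octet each (-02 layout)
MAX_FRAG = 255 - HDR_LEN - TLV_HDR   # 246 Value octets fit in one fragment

def encode_extended(ext_type, value, tag=0):
    """Return the Extended Attributes carrying value under ext_type; a value
    longer than MAX_FRAG is split, and every fragment but the last has More=1."""
    if not 0 <= tag < 0x7F or not value:   # Tag 0x7F reserved; Value >= 1 octet
        raise ValueError("invalid Tag or empty Value")
    frags = [value[i:i + MAX_FRAG] for i in range(0, len(value), MAX_FRAG)]
    attrs = []
    for i, frag in enumerate(frags):
        more = 1 if i < len(frags) - 1 else 0
        tlv = bytes([ext_type, TLV_HDR + len(frag)]) + frag
        attrs.append(bytes([VSA_TYPE, HDR_LEN + len(tlv)])
                     + struct.pack(">I", EXT_VENDOR_ID)
                     + bytes([(more << 7) | tag]) + tlv)
    return attrs

def decode_extended(attr):
    """Parse one Extended Attribute into (more, tag, [(ext_type, value), ...]).
    Each length is checked before it is used as an index: a Length or Ext-Len
    that points outside the attribute raises instead of over-reading."""
    if len(attr) < 10 or attr[0] != VSA_TYPE or attr[1] != len(attr):
        raise ValueError("bad Type or Length")
    if struct.unpack(">I", attr[2:6])[0] != EXT_VENDOR_ID:
        raise ValueError("Vendor-Id is not 0")
    more, tag = attr[6] >> 7, attr[6] & 0x7F
    if tag == 0x7F:
        raise ValueError("reserved Tag value")
    tlvs, pos = [], HDR_LEN
    while pos < len(attr):
        if len(attr) - pos < TLV_HDR + 1:
            raise ValueError("truncated TLV")
        ext_len = attr[pos + 1]
        if ext_len < TLV_HDR + 1 or pos + ext_len > len(attr):
            raise ValueError("Ext-Len reaches outside the attribute")
        tlvs.append((attr[pos], attr[pos + TLV_HDR:pos + ext_len]))
        pos += ext_len
    if more and len(tlvs) != 1:   # More MUST NOT be set with several TLVs
        raise ValueError("More flag set on a multi-TLV attribute")
    return more, tag, tlvs

def reassemble(attrs):
    """Join the fragments of one value (one TLV per attribute); return (ext_type, value)."""
    buf, cur = b"", None
    for attr in attrs:
        more, _tag, tlvs = decode_extended(attr)
        ext_type, value = tlvs[0]
        if cur is not None and ext_type != cur:
            raise ValueError("fragment Ext-Type changed mid-value")
        cur, buf = ext_type, buf + value
        if not more:
            return ext_type, buf
    raise ValueError("final fragment (More=0) never arrived")
```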
   The next example illustrates several of the features of Extended
   Attributes:

   o  encapsulation of values greater than 253 octets in length

   o  grouping of related Extended Attributes using tags

   o  encapsulation of more than one TLV in a single Extended Attribute

   Consider the following structure:

      struct
         Integer a;
         String b;
         Integer c;
      endStruct
   skipping to change at page 11, line 27

9.  Open Issues

   What is the numbering scheme for attributes that will be used by RFC
   writers going forward?  For example today we write user-name(1).
   Going forward, will we write foo-bar(0,1)?

   What is the numbering plan for these attributes?  What range should
   be reserved?

   (-02 only) We have allocated 1 octet for Extended Type.  Is that too
   little?  Note, if we run out the IETF can request another enterprise
   number.
10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.
   skipping to change at page 12, line 40 (-01) / line 37 (-02)

   Ottawa, Ontario  K2K 3J1
   Canada

   Phone: +1 (613) 591-6655
   Email: avi@bridgewatersystems.com
   URI:   http://www.bridgewatersystems.com/

   Glen Zorn
   Aruba Networks
   1322 Crossman Avenue
   Sunnyvale, CA  94089-1113 (-01) / 94089 (-02)
   USA

   Email: gwz@arubanetworks.com (-01) / gzorn@arubanetworks.com (-02)
   URI:   http://www.arubanetworks.com/ (present in one version only)
Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an

End of changes.  34 change blocks.  59 lines changed or deleted, 66 lines changed or added.

This html diff was produced by rfcdiff 1.34.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/