[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Issue RFC3576bis Usage of service-type in Disconnect-Request
Description of issue
Submitter name: Avi Lior
Submitter email address: avi@bridgewatersystems.com
Date first submitted: March 14th, 2007
Reference:
Document: RFC 3576bis
Comment type: T
Priority: S
Section: Insert_Section_Number_Here
Rationale/Explanation of issue:
Service-Type = "Authorize-Only" does not make sense for Disconnect
Message.
Length description of problem:
Service-Type = "Authorize-Only" was added to make the Change of
Authorization compatible with the Diameter specification.
However, Diameters ASR message directly correlates with Disconnect
Message, that is, both can be sent by the server to the client.
Therefore, the 3756 semantics for Service-Type = "Authorize-Only"
are not required for Disconnect Message.
Requested change:
Remove the use of Service-Type = 'Authorize-Only' from RFC3576bis
and disallow State in Disconnect Messages details follow.
In section 2.1. Disconnect Messages (DM)
*********************************************
Remove the following:
"A NAS MUST respond to a
Disconnect-Request including a Service-Type Attribute with an
unsupported value with a Disconnect-NAK; an Error-Cause Attribute
with value "Unsupported Service" MAY be included."
And remove the following:
"A NAS supporting the "Authorize Only" Service-Type within a
Disconnect-Request responds with a Disconnect-NAK containing a
Service-Type Attribute with value "Authorize Only" and an Error-Cause
Attribute with value "Request Initiated". The NAS will then send an
Access-Request containing a Service-Type Attribute with a value of
"Authorize Only", along with a State Attribute. The RADIUS server
MUST reply to this Access-Request with an Access-Reject.
"
In section: 3. Attributes
**************************
Change:
A Disconnect-Request MUST contain only NAS and session identification
attributes (see Section 3), as well as Service-Type, Nonce and State
attributes. If other attributes are included in a Disconnect-
Request, implementations MUST send a Disconnect-NAK; an Error-Cause
Attribute with value "Unsupported Attribute" MAY be included.
To:
A Disconnect-Request MUST contain only NAS and session identification
attributes (see Section 3), as well as Nonce. If other attributes
are
included in a Disconnect-Request, implementations MUST send a
Disconnect-NAK; an Error-Cause Attribute with value "Unsupported
Attribute" MAY be included.
In section 3.1. State
**********************
Change:
In order to provide a State attribute to the NAS, a server sending a
CoA-Request or Disconnect-Request with a Service-Type value of
"Authorize-Only" MUST include a State Attribute, and the NAS MUST
include the State Attribute unchanged in the Access-Request. A NAS
receiving a CoA-Request or Disconnect-Request containing a Service-
Type value of "Authorize-Only" but lacking a State attribute MUST
send a CoA-NAK or Disconnect-NAK and SHOULD include an Error-Cause
attribute with value 402 (Missing Attribute).
To:
In order to provide a State attribute to the NAS, a server sending a
CoA-Request with a Service-Type value of
"Authorize-Only" MUST include a State Attribute, and the NAS MUST
include the State Attribute unchanged in the Access-Request. A NAS
receiving a CoA-Request containing a Service-
Type value of "Authorize-Only" but lacking a State attribute MUST
send a CoA-NAK or Disconnect-NAK and SHOULD include an Error-Cause
attribute with value 402 (Missing Attribute).
In section 3.4. Error-Cause
****************************
Change:
"Unsupported Service" is a fatal error sent if a Service-Type
Attribute included with the Request is sent with an invalid or
unsupported value.
To:
"Unsupported Service" is a fatal error sent if a Service-Type
Attribute included with the Request is sent with an invalid or
unsupported value. Only valid when performing Change of
Authorization.
Change:
"Request Initiated" is a fatal error sent in response to a Request
including a Service-Type Attribute with a value of "Authorize
Only". It indicates that the Disconnect-Request or CoA-Request
has not been honored, but that a RADIUS Access-Request including a
Service-Type Attribute with value "Authorize Only" is being sent
to the RADIUS server.
To:
"Request Initiated" is a fatal error sent in response to a
CoA-Request
including a Service-Type Attribute with a value of "Authorize
Only". It indicates that the CoA-Request
has not been honored, but that a RADIUS Access-Request including a
Service-Type Attribute with value "Authorize Only" is being sent
to the RADIUS server.
In section 3.5. Table of Attributes
***************************************
In the Disconnect Messages Table:
Request ACK NAK # Attribute
Change:
0-1 0 0-1 6 Service-Type [Note 6]
To:
0 0 0 6 Service-Type
Change:
0-1 0-1 0-1 24 State [Note 7]
To:
0 0 0 24 State
Change NOTE 6 from:
[Note 6] Support for the Service-Type of "Authorize Only" is OPTIONAL
on the NAS and RADIUS server. A NAS supporting the "Authorize Only"
Service-Type value within Disconnect-Request or CoA-Request packets
MUST respond with a Disconnect-NAK or CoA-NAK respectively,
containing a Service-Type Attribute with value "Authorize Only", and
an Error-Cause Attribute with value "Request Initiated". The NAS
then sends an Access-Request to the RADIUS server with a Service-Type
Attribute with value "Authorize Only". This Access-Request SHOULD
contain the NAS attributes from the Disconnect or CoA-Request, as
well as the session attributes from the Request legal for inclusion
in an Access-Request as specified in [RFC2865], [RFC2868], [RFC2869]
and [RFC3162]. As noted in [RFC2869] Section 5.19, a Message-
Authenticator attribute SHOULD be included in an Access-Request that
does not contain a User-Password, CHAP-Password, ARAP-Password or
EAP-Message Attribute. The RADIUS server should send back an Access-
Accept to (re-)authorize the session or an Access-Reject to refuse to
(re-)authorize it.
A NAS that does not support the Service-Type Attribute with the value
"Authorize Only" within a Disconnect-Request MUST respond with a
Disconnect-NAK including no Service-Type Attribute; an Error-Cause
Attribute with value "Unsupported Service" MAY be included. A NAS
that does not support the Service-Type Attribute with the value
"Authorize Only" within a CoA-Request MUST respond with a CoA-NAK
including no Service-Type Attribute; an Error-Cause Attribute with
value "Unsupported Service" MAY be included.
To:
[Note 6] Support for the Service-Type of "Authorize Only" is OPTIONAL
on the NAS and RADIUS server. A NAS supporting the "Authorize Only"
Service-Type value within a CoA-Request packet
MUST respond with a CoA-NAK,
containing a Service-Type Attribute with value "Authorize Only", and
an Error-Cause Attribute with value "Request Initiated". The NAS
then sends an Access-Request to the RADIUS server with a Service-Type
Attribute with value "Authorize Only". This Access-Request SHOULD
contain the NAS attributes from the CoA-Request, as
well as the session attributes from the Request legal for inclusion
in an Access-Request as specified in [RFC2865], [RFC2868], [RFC2869]
and [RFC3162]. As noted in [RFC2869] Section 5.19, a Message-
Authenticator attribute SHOULD be included in an Access-Request that
does not contain a User-Password, CHAP-Password, ARAP-Password or
EAP-Message Attribute. The RADIUS server should send back an Access-
Accept to (re-)authorize the session or an Access-Reject to refuse to
(re-)authorize it.
A NAS
that does not support the Service-Type Attribute with the value
"Authorize Only" within a CoA-Request MUST respond with a CoA-NAK
including no Service-Type Attribute; an Error-Cause Attribute with
value "Unsupported Service" MAY be included.
Change:
[Note 7] The State Attribute is available to be sent by the RADIUS
server to the NAS in a Disconnect-Request or CoA-Request packet and
MUST be sent unmodified from the NAS to the RADIUS server in a
subsequent ACK or NAK packet. If a Service-Type Attribute with value
"Authorize Only" is included in a Disconnect-Request or CoA-Request
then a State Attribute MUST be present, and MUST be sent unmodified
from the NAS to the RADIUS server in the resulting Access-Request
sent to the RADIUS server, if any. The State Attribute is also
available to be sent by the RADIUS server to the NAS in a CoA-Request
that also includes a Termination-Action Attribute with the value of
RADIUS-Request. If the client performs the Termination-Action by
sending a new Access-Request upon termination of the current session,
it MUST include the State Attribute unchanged in that Access-Request.
In either usage, the client MUST NOT interpret the Attribute locally.
A Disconnect- Request or CoA-Request packet must have only zero or
one State Attribute. Usage of the State Attribute is implementation
dependent. If the RADIUS server does not recognize the State
Attribute in the Access-Request, then it MUST send an Access-Reject.
To:
[Note 7] The State Attribute is available to be sent by the RADIUS
server to the NAS in a CoA-Request packet and
MUST be sent unmodified from the NAS to the RADIUS server in a
subsequent ACK or NAK packet. If a Service-Type Attribute with value
"Authorize Only" is included in a CoA-Request
then a State Attribute MUST be present, and MUST be sent unmodified
from the NAS to the RADIUS server in the resulting Access-Request
sent to the RADIUS server, if any. The State Attribute is also
available to be sent by the RADIUS server to the NAS in a CoA-Request
that also includes a Termination-Action Attribute with the value of
RADIUS-Request. If the client performs the Termination-Action by
sending a new Access-Request upon termination of the current session,
it MUST include the State Attribute unchanged in that Access-Request.
In either usage, the client MUST NOT interpret the Attribute locally.
A Disconnect-Request or CoA-Request packet must have only zero or
one State Attribute. Usage of the State Attribute is implementation
dependent.
NOTE: I am recommending to delete the last sentence
"If the RADIUS server does not recognize the State
Attribute in the Access-Request, then it MUST send an Access-Reject."
because it does not belong in this document.
In section 4. Diameter Considerations
***************************************
Change:
Since both the ASR/ASA and Disconnect-Request/Disconnect-
NAK/Disconnect-ACK exchanges involve just a request and response,
inclusion of an "Authorize Only" Service-Type within a Disconnect-
Request is not needed to assist in Diameter/RADIUS translation, and
may make translation more difficult. As a result, inclusion of a
Service-Type of "Authorize Only" within a Disconnect-Request is NOT
RECOMMENDED.
To:
Since both the ASR/ASA and Disconnect-Request/Disconnect-
NAK/Disconnect-ACK exchanges involve just a request and response,
inclusion of an "Authorize Only" Service-Type within a Disconnect-
Request is not needed to assist in Diameter/RADIUS translation, and
may make translation more difficult. As a result, the Service-Type
attribute MUST NOT be used within a Disconnect-Request.
In Appendix A - Changes from RFC 3576
**************************************
Add:
Disallowed usage of Service-Type and State attribute in
Disconnect-Message
========================
Avi Lior
Bridgewater Systems Corporation
Phone : +1 (613) 591-9104 x6417
Cell : +1 (613) 796-4183
E-mail : mailto:avi@bridgewatersystems.com
<mailto:avi@bridgewatersystems.com>
www.bridgewatersystems.com <http://www.bridgewatersystems.com/>
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>