
Issue RFC3576bis Usage of service-type in Disconnect-Request



   Description of issue
    Submitter name: Avi Lior
    Submitter email address: avi@bridgewatersystems.com
    Date first submitted: March 14th, 2007
    Reference: 
    Document: RFC 3576bis
    Comment type: T
    Priority: S
    Section: Insert_Section_Number_Here
    Rationale/Explanation of issue:
    
    Service-Type = "Authorize-Only" does not make sense for Disconnect
Message.
    
    Lengthy description of problem:
    
    Service-Type = "Authorize-Only" was added to make the Change of
Authorization compatible with the Diameter specification.
    
    However, Diameter's ASR message directly correlates with Disconnect
Message, that is, both can be sent by the server to the client.
    Therefore, the 3756 semantics for Service-Type = "Authorize-Only"
are not required for Disconnect Message.

    Requested change:
    
    Remove the use of Service-Type = 'Authorize-Only' from RFC3576bis
and disallow State in Disconnect Messages; details follow.
    


In section 2.1.  Disconnect Messages (DM) 
*********************************************


Remove the following:
   "A NAS MUST respond to a
   Disconnect-Request including a Service-Type Attribute with an
   unsupported value with a Disconnect-NAK; an Error-Cause Attribute
   with value "Unsupported Service" MAY be included."

And remove the following:

   "A NAS supporting the "Authorize Only" Service-Type within a
   Disconnect-Request responds with a Disconnect-NAK containing a
   Service-Type Attribute with value "Authorize Only" and an Error-Cause
   Attribute with value "Request Initiated".  The NAS will then send an
   Access-Request containing a Service-Type Attribute with a value of
   "Authorize Only", along with a State Attribute.  The RADIUS server
   MUST reply to this Access-Request with an Access-Reject.
   "


In section: 3.  Attributes
**************************

Change:
   A Disconnect-Request MUST contain only NAS and session identification
   attributes (see Section 3), as well as Service-Type, Nonce and State
   attributes.  If other attributes are included in a Disconnect-
   Request, implementations MUST send a Disconnect-NAK; an Error-Cause
   Attribute with value "Unsupported Attribute" MAY be included.

To:
   A Disconnect-Request MUST contain only NAS and session identification
   attributes (see Section 3), as well as Nonce.  If other attributes are
   included in a Disconnect-Request, implementations MUST send a
   Disconnect-NAK; an Error-Cause Attribute with value "Unsupported
   Attribute" MAY be included.

   
In section 3.1.  State
**********************

Change:
   In order to provide a State attribute to the NAS, a server sending a
   CoA-Request or Disconnect-Request with a Service-Type value of
   "Authorize-Only" MUST include a State Attribute, and the NAS MUST
   include the State Attribute unchanged in the Access-Request.  A NAS
   receiving a CoA-Request or Disconnect-Request containing a Service-
   Type value of "Authorize-Only" but lacking a State attribute MUST
   send a CoA-NAK or Disconnect-NAK and SHOULD include an Error-Cause
   attribute with value 402 (Missing Attribute).

To:
   In order to provide a State attribute to the NAS, a server sending a
   CoA-Request with a Service-Type value of "Authorize-Only" MUST include
   a State Attribute, and the NAS MUST include the State Attribute
   unchanged in the Access-Request.  A NAS receiving a CoA-Request
   containing a Service-Type value of "Authorize-Only" but lacking a
   State attribute MUST send a CoA-NAK or Disconnect-NAK and SHOULD
   include an Error-Cause attribute with value 402 (Missing Attribute).


In section 3.4.  Error-Cause
****************************

Change:
      "Unsupported Service" is a fatal error sent if a Service-Type
      Attribute included with the Request is sent with an invalid or
      unsupported value.
To:
      "Unsupported Service" is a fatal error sent if a Service-Type
      Attribute included with the Request is sent with an invalid or
      unsupported value.  Only valid when performing Change of
Authorization.


Change:

      "Request Initiated" is a fatal error sent in response to a Request
      including a Service-Type Attribute with a value of "Authorize
      Only".  It indicates that the Disconnect-Request or CoA-Request
      has not been honored, but that a RADIUS Access-Request including a
      Service-Type Attribute with value "Authorize Only" is being sent
      to the RADIUS server.
To:
      "Request Initiated" is a fatal error sent in response to a
      CoA-Request including a Service-Type Attribute with a value of
      "Authorize Only".  It indicates that the CoA-Request has not been
      honored, but that a RADIUS Access-Request including a Service-Type
      Attribute with value "Authorize Only" is being sent to the RADIUS
      server.


In section 3.5.  Table of Attributes
***************************************

In the Disconnect Messages Table:

   Request   ACK      NAK   #   Attribute

Change:
   0-1       0        0-1   6   Service-Type [Note 6]
To:
   0         0        0     6   Service-Type

Change:
   0-1       0-1      0-1  24   State [Note 7]
To:
   0         0        0    24   State
 
Change NOTE 6 from:

   [Note 6] Support for the Service-Type of "Authorize Only" is OPTIONAL
   on the NAS and RADIUS server.  A NAS supporting the "Authorize Only"
   Service-Type value within Disconnect-Request or CoA-Request packets
   MUST respond with a Disconnect-NAK or CoA-NAK respectively,
   containing a Service-Type Attribute with value "Authorize Only", and
   an Error-Cause Attribute with value "Request Initiated".  The NAS
   then sends an Access-Request to the RADIUS server with a Service-Type
   Attribute with value "Authorize Only".  This Access-Request SHOULD
   contain the NAS attributes from the Disconnect or CoA-Request, as
   well as the session attributes from the Request legal for inclusion
   in an Access-Request as specified in [RFC2865], [RFC2868], [RFC2869]
   and [RFC3162].  As noted in [RFC2869] Section 5.19, a Message-
   Authenticator attribute SHOULD be included in an Access-Request that
   does not contain a User-Password, CHAP-Password, ARAP-Password or
   EAP-Message Attribute.  The RADIUS server should send back an Access-
   Accept to (re-)authorize the session or an Access-Reject to refuse to
   (re-)authorize it.

   A NAS that does not support the Service-Type Attribute with the value
   "Authorize Only" within a Disconnect-Request MUST respond with a
   Disconnect-NAK including no Service-Type Attribute; an Error-Cause
   Attribute with value "Unsupported Service" MAY be included.  A NAS
   that does not support the Service-Type Attribute with the value
   "Authorize Only" within a CoA-Request MUST respond with a CoA-NAK
   including no Service-Type Attribute; an Error-Cause Attribute with
   value "Unsupported Service" MAY be included.

To:

   [Note 6] Support for the Service-Type of "Authorize Only" is OPTIONAL
   on the NAS and RADIUS server.  A NAS supporting the "Authorize Only"
   Service-Type value within a CoA-Request packet
   MUST respond with a CoA-NAK,
   containing a Service-Type Attribute with value "Authorize Only", and
   an Error-Cause Attribute with value "Request Initiated".  The NAS
   then sends an Access-Request to the RADIUS server with a Service-Type
   Attribute with value "Authorize Only".  This Access-Request SHOULD
   contain the NAS attributes from the CoA-Request, as
   well as the session attributes from the Request legal for inclusion
   in an Access-Request as specified in [RFC2865], [RFC2868], [RFC2869]
   and [RFC3162].  As noted in [RFC2869] Section 5.19, a Message-
   Authenticator attribute SHOULD be included in an Access-Request that
   does not contain a User-Password, CHAP-Password, ARAP-Password or
   EAP-Message Attribute.  The RADIUS server should send back an Access-
   Accept to (re-)authorize the session or an Access-Reject to refuse to
   (re-)authorize it.

   A NAS
   that does not support the Service-Type Attribute with the value
   "Authorize Only" within a CoA-Request MUST respond with a CoA-NAK
   including no Service-Type Attribute; an Error-Cause Attribute with
   value "Unsupported Service" MAY be included.


Change:

   [Note 7] The State Attribute is available to be sent by the RADIUS
   server to the NAS in a Disconnect-Request or CoA-Request packet and
   MUST be sent unmodified from the NAS to the RADIUS server in a
   subsequent ACK or NAK packet.  If a Service-Type Attribute with value
   "Authorize Only" is included in a Disconnect-Request or CoA-Request
   then a State Attribute MUST be present, and MUST be sent unmodified
   from the NAS to the RADIUS server in the resulting Access-Request
   sent to the RADIUS server, if any.  The State Attribute is also
   available to be sent by the RADIUS server to the NAS in a CoA-Request
   that also includes a Termination-Action Attribute with the value of
   RADIUS-Request.  If the client performs the Termination-Action by
   sending a new Access-Request upon termination of the current session,
   it MUST include the State Attribute unchanged in that Access-Request.
   In either usage, the client MUST NOT interpret the Attribute locally.
   A Disconnect- Request or CoA-Request packet must have only zero or
   one State Attribute.  Usage of the State Attribute is implementation
   dependent.  If the RADIUS server does not recognize the State
   Attribute in the Access-Request, then it MUST send an Access-Reject.

To:
   [Note 7] The State Attribute is available to be sent by the RADIUS
   server to the NAS in a CoA-Request packet and
   MUST be sent unmodified from the NAS to the RADIUS server in a
   subsequent ACK or NAK packet.  If a Service-Type Attribute with value
   "Authorize Only" is included in a CoA-Request
   then a State Attribute MUST be present, and MUST be sent unmodified
   from the NAS to the RADIUS server in the resulting Access-Request
   sent to the RADIUS server, if any.  The State Attribute is also
   available to be sent by the RADIUS server to the NAS in a CoA-Request
   that also includes a Termination-Action Attribute with the value of
   RADIUS-Request.  If the client performs the Termination-Action by
   sending a new Access-Request upon termination of the current session,
   it MUST include the State Attribute unchanged in that Access-Request.
   In either usage, the client MUST NOT interpret the Attribute locally.
   A Disconnect-Request or CoA-Request packet must have only zero or
   one State Attribute.  Usage of the State Attribute is implementation
   dependent.  
   
NOTE: I am recommending deleting the last sentence

   "If the RADIUS server does not recognize the State
   Attribute in the Access-Request, then it MUST send an Access-Reject."

because it does not belong in this document.
   


In section 4.  Diameter Considerations
***************************************

Change:

   Since both the ASR/ASA and Disconnect-Request/Disconnect-
   NAK/Disconnect-ACK exchanges involve just a request and response,
   inclusion of an "Authorize Only" Service-Type within a Disconnect-
   Request is not needed to assist in Diameter/RADIUS translation, and
   may make translation more difficult.  As a result, inclusion of a
   Service-Type of "Authorize Only" within a Disconnect-Request is NOT
   RECOMMENDED.

To:
   Since both the ASR/ASA and Disconnect-Request/Disconnect-
   NAK/Disconnect-ACK exchanges involve just a request and response,
   inclusion of an "Authorize Only" Service-Type within a Disconnect-
   Request is not needed to assist in Diameter/RADIUS translation, and
   may make translation more difficult.  As a result, the Service-Type 
   attribute MUST NOT be used within a Disconnect-Request.



In Appendix A - Changes from RFC 3576
**************************************

Add:

Disallowed usage of Service-Type and State attribute in
Disconnect-Message


========================

Avi Lior
Bridgewater Systems Corporation
Phone : +1 (613) 591-9104 x6417
Cell  : +1 (613) 796-4183
E-mail: avi@bridgewatersystems.com
www.bridgewatersystems.com
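A NAS-side check of the attribute rules this proposal would leave in place, added here as an example and not taken from the RFC3576bis draft or the post above. It assumes the RFC 3576 registrations for the attribute types and Error-Cause values it names (Service-Type 6, State 24, Error-Cause 101, Service-Type value 17 "Authorize Only", Error-Cause 401/402/507), leaves the draft's Nonce attribute out, and uses a hypothetical `handle_request` over (type, value) pairs.

```python
# Added example (not the draft's or the poster's code). Attribute type numbers
# and Error-Cause values are RFC 3576 registrations; the draft's Nonce
# attribute is not modelled (assumption: it is simply left out).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
SERVICE_TYPE, STATE, ERROR_CAUSE = 6, 24, 101
AUTHORIZE_ONLY = 17                           # Service-Type "Authorize Only"
UNSUPPORTED_ATTRIBUTE, MISSING_ATTRIBUTE, REQUEST_INITIATED = 401, 402, 507
# NAS identification and session identification attributes (a subset).
NAS_ATTRS = {4, 32, 95}            # NAS-IP-Address, NAS-Identifier, NAS-IPv6-Address
SESSION_ATTRS = {1, 5, 8, 30, 31, 44, 50}   # User-Name, NAS-Port, Framed-IP-Address,
                                             # Called/Calling-Station-Id, Acct-Session-Id, ...


def handle_request(code, attrs):
    """attrs: list of (type, value) pairs from a CoA/Disconnect request.
    Returns (response_code, response_attrs, follow_up); follow_up is the
    Access-Request the NAS must send when it honours an Authorize-Only
    CoA-Request, otherwise None."""
    types = [t for t, _ in attrs]
    state = [v for t, v in attrs if t == STATE]
    if code == DISCONNECT_REQUEST:
        # Proposed rule: only NAS/session identification (and Nonce) allowed.
        # Service-Type and State are now "other attributes" and draw a NAK.
        extra = [t for t in types if t not in NAS_ATTRS | SESSION_ATTRS]
        if extra:
            return DISCONNECT_NAK, [(ERROR_CAUSE, UNSUPPORTED_ATTRIBUTE)], None
        return DISCONNECT_ACK, [], None
    if code == COA_REQUEST:
        # Authorize-Only keeps its full semantics in CoA-Request only.
        if (SERVICE_TYPE, AUTHORIZE_ONLY) in attrs:
            if not state:                      # Section 3.1: State is mandatory
                return COA_NAK, [(ERROR_CAUSE, MISSING_ATTRIBUTE)], None
            nak = [(SERVICE_TYPE, AUTHORIZE_ONLY), (STATE, state[0]),
                   (ERROR_CAUSE, REQUEST_INITIATED)]
            # Follow-up Access-Request: NAS attributes from the CoA-Request plus
            # Service-Type "Authorize Only" and the State echoed unchanged.
            access_req = [(t, v) for t, v in attrs if t in NAS_ATTRS]
            access_req += [(SERVICE_TYPE, AUTHORIZE_ONLY), (STATE, state[0])]
            return COA_NAK, nak, access_req
        # Other CoA-Requests: State, if present, goes back unmodified (Note 7).
        return COA_ACK, ([(STATE, state[0])] if state else []), None
    raise ValueError("not a CoA/Disconnect request: %d" % code)
```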

