RFC 3576bis Open Issues
Currently, we have two open issues on RFC 3576bis:

Issue 226: RFC 3576bis and Renumbering
Issue 227: Proxy State

In order to resolve these issues, we need answers to the following questions from implementers of RFC 3576:

a. Have you implemented Framed-IP-Address or Framed-IPv6-Prefix/Framed-Interface-Id as a Session Identification attribute?

b. Have you implemented the proxy state algorithm described below?

If there are any Proxy-State Attributes in a Disconnect-Request or
CoA-Request received from the server, the forwarding proxy or NAS
MUST include those Proxy-State Attributes in its response to the
server.

A forwarding proxy or NAS MUST NOT modify existing Proxy-State,
State, or Class Attributes present in the packet. The forwarding
proxy or NAS MUST treat any Proxy-State attributes already in the
packet as opaque data. Its operation MUST NOT depend on the
content of Proxy-State attributes added by previous proxies. The
forwarding proxy MUST NOT modify any other Proxy-State Attributes
that were in the packet; it may choose not to forward them, but it
MUST NOT change their contents. If the forwarding proxy omits the
Proxy-State Attributes in the request, it MUST attach them to the
response before sending it.

When the proxy forwards a Disconnect or CoA-Request, it MAY add a
Proxy-State Attribute, but it MUST NOT add more than one. If a
Proxy-State Attribute is added to a packet when forwarding the
packet, the Proxy-State Attribute MUST be added after any existing
Proxy-State attributes. The forwarding proxy MUST NOT change the
order of any attributes of the same type, including Proxy-State.
Other Attributes can be placed before, after or even between the
Proxy-State Attributes.

When the proxy receives a response to a CoA-Request or Disconnect-
Request, it MUST remove its own Proxy-State (the last Proxy-State
in the packet) before forwarding the response. Since Disconnect
and CoA responses are authenticated on the entire packet contents,
the stripping of the Proxy-State Attribute invalidates the
integrity check - so the proxy needs to recompute it.
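
The proxy state handling quoted above, as an added Python sketch (not part of the original message and not taken from any RFC 3576 implementation). It assumes the RFC 3576 authenticator calculation (MD5 over code, identifier, length, 16 octets, attributes, shared secret); the function names and the two separate shared secrets are assumptions made for the example.

```python
import hashlib, hmac, struct

PROXY_STATE, COA_REQUEST, COA_ACK = 33, 43, 44   # attribute type; packet codes

def parse_attrs(body):
    """Split the attribute region into an ordered list of (type, value)."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs

def digest(head, auth16, body, secret):
    return hashlib.md5(head + auth16 + body + secret).digest()

def build(code, ident, attrs, secret, req_auth=bytes(16)):
    """Encode a packet; requests hash 16 zero octets, responses hash req_auth."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + digest(head, req_auth, body, secret) + body

def verify(pkt, secret, req_auth=bytes(16)):
    ok_len = len(pkt) >= 20 and struct.unpack("!H", pkt[2:4])[0] == len(pkt)
    return ok_len and hmac.compare_digest(digest(pkt[:4], req_auth, pkt[20:], secret), pkt[4:20])

def proxy_forward_request(pkt, secret_in, secret_out, my_state):
    """Add exactly one Proxy-State after all existing attributes, re-sign."""
    if not verify(pkt, secret_in):
        raise ValueError("request authenticator check failed")
    attrs = parse_attrs(pkt[20:]) + [(PROXY_STATE, my_state)]
    return build(pkt[0], pkt[1], attrs, secret_out)

def nas_respond(req, secret, code=COA_ACK):
    """Echo every Proxy-State from the request, unmodified and in order."""
    echoed = [a for a in parse_attrs(req[20:]) if a[0] == PROXY_STATE]
    return build(code, req[1], echoed, secret, req_auth=req[4:20])

def proxy_forward_response(resp, req_out, secret_out, req_in, secret_in, my_state):
    """Strip our own (last) Proxy-State, then recompute the authenticator."""
    if not verify(resp, secret_out, req_auth=req_out[4:20]):
        raise ValueError("response authenticator check failed")
    attrs = parse_attrs(resp[20:])
    last = max((i for i, a in enumerate(attrs) if a[0] == PROXY_STATE), default=None)
    if last is None or attrs[last][1] != my_state:
        raise ValueError("our Proxy-State is not the last one in the response")
    del attrs[last]
    return build(resp[0], resp[1], attrs, secret_in, req_auth=req_in[4:20])
```

A response that has had its Proxy-State stripped but still carries the NAS's original authenticator fails verify() at the server, which is why the last step rebuilds the packet instead of editing it in place.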