[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Issue 226: RFC 3576bis and Renumbering

> If the NAS is sending Acct-Session-Id, why not just use that to identify the session? 

This is the approach taken by Diameter.  This suggests to me that the inclusion of an Acct-Session-Id attribute should be at least recommended. 

For example, a Diameter Abort Session Request includes a mandatory Session-Id and optional User-Name AVP ([RFC3588] Section 8.5.1).  Similarly, a Diameter Re-Auth-Request also includes a mandatory Session-Id and optional User-Name AVP ([RFC3588] Section 8.3.1).

        ::= < Diameter Header: 274, REQ, PXY >
                 < Session-Id >
                 { Origin-Host }
                 { Origin-Realm }
                 { Destination-Realm }
                 { Destination-Host }
                 { Auth-Application-Id }
                 [ User-Name ]
                 [ Origin-State-Id ]
               * [ Proxy-Info ]
               * [ Route-Record ]
               * [ AVP ]


        ::= < Diameter Header: 258, REQ, PXY >
                 < Session-Id >
                 { Origin-Host }
                 { Origin-Realm }
                 { Destination-Realm }
                 { Destination-Host }
                 { Auth-Application-Id }
                 { Re-Auth-Request-Type }
                 [ User-Name ]
                 [ Origin-State-Id ]
               * [ Proxy-Info ]
               * [ Route-Record ]
               * [ AVP ]

In contrast to the simple approach taken in RFC 3588, RFC 3576 included support for a wider range of identification attributes:

   Attribute              #    Reference  Description
   ---------             ---   ---------  -----------
   User-Name              1    [RFC2865]  The name of the user
                                          associated with the session.
   NAS-Port               5    [RFC2865]  The port on which the
                                          session is terminated.
   Framed-IP-Address      8    [RFC2865]  The IPv4 address associated
                                          with the session.
   Called-Station-Id     30    [RFC2865]  The link address to which
                                          the session is connected.
   Calling-Station-Id    31    [RFC2865]  The link address from which
                                          the session is connected.
   Acct-Session-Id       44    [RFC2866]  The identifier uniquely
                                          identifying the session
                                          on the NAS.
   Acct-Multi-Session-Id 50    [RFC2866]  The identifier uniquely
                                          identifying related sessions.
   NAS-Port-Type         61    [RFC2865]  The type of port used.
   NAS-Port-Id           87    [RFC2869]  String identifying the port
                                          where the session is.
   Originating-Line-Info 94    [NASREQ]   Provides information on the
                                          characteristics of the line
                                          from which a session
                                          originated.
   Framed-Interface-Id   96    [RFC3162]  The IPv6 Interface Identifier
                                          associated with the session;
                                          always sent with
                                          Framed-IPv6-Prefix.
   Framed-IPv6-Prefix    97    [RFC3162]  The IPv6 prefix associated
                                          with the session, always sent
                                          with Framed-Interface-Id.

> If the NAS isn't sending it (or isn't sending accounting packets at all), then the proposal above already suggests
> changing the NAS behavior.  Why not just require sending Acct-Session-Id in all Access-Requests?

If there are no accounting packets, I'm not sure how the RADIUS server can know that the session did in fact start.  So I think it is reasonable to assume that an Accounting-Request was sent and that it contained an Acct-Session-Id.   However, the entity sending an RFC 3576 packet may not necessarily have access to either authentication or accounting data.  It could, for example, be an IDS system.   So I'm not sure we can mandate Acct-Session-Id. 

Here's what RFC 3576 says about session-identification attributes:

   To address security concerns described in Section 5.1., the User-Name
   Attribute SHOULD be present in Disconnect-Request or CoA-Request
   packets; one or more additional session identification attributes MAY
   also be present.  To address security concerns described in Section
   5.2., one or more of the NAS-IP-Address or NAS-IPv6-Address
   Attributes SHOULD be present in Disconnect-Request or CoA-Request
   packets; the NAS-Identifier Attribute MAY be present in addition.

My suggestion would be to add Acct-Session-Id to the list of SHOULDs. 

The question in my mind is how big the list of MAYs should be. 

In case the Acct-Session-Id is not available for some reason, then the User-Name attribute may not be sufficient to identify a session, so that other attributes might be necessary.  For example, I can see including NAS-Port/NAS-Port-Id to specify the port. 

However, I'm still not sure that all of the MAY attributes are really necessary.  If Session-Id is present this should be sufficient.  If this is not present, then User-Name and NAS-Port/NAS-Port-Id should be cover it.  It is not easy for me to imagine a scenario in which these attributes would not be available, but the other attributes would be. 
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>