TOC 
Network Working GroupG. Zorn
Internet-DraftNetwork Zen
Updates: 4005 (if approved)L. Morand
Intended status: Standards TrackOrange Labs
Expires: September 8, 2010T. Hiller
 Lucent Technologies
 March 07, 2010


The RADIUS-Diameter Gateway (RADIA) Application
draft-zorn-dime-radia-gate-01.txt

Abstract

This document describes the Diameter RADIUS-Diameter Gateway (RADIA) Application, which is designed to facillitate the interoperability of Authentication, Authorization and Accounting (AAA) systems based upon RADIUS and Diameter.

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on September 8, 2010.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License.

This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.


Table of Contents

1.  Introduction
2.  Requirements Language
3.  The RADIUS-Diameter Gateway Application
    3.1.  Advertising Application Support
    3.2.  Diameter Session Usage
    3.3.  Commands
        3.3.1.  The RADIA-Request (RDR) Command
        3.3.2.  The RADIA-Answer (RDA) Command
    3.4.  Attribute-Value Pairs
        3.4.1.  Radius-Message AVP
4.  Security Considerations
5.  IANA Considerations
    5.1.  Diameter Application Identifier
    5.2.  Diameter Command Codes
    5.3.  Attribute-Value Pairs
6.  Normative References
§  Authors' Addresses



 TOC 

1.  Introduction

The Diameter Network Access Server (NASREQ) Application (Calhoun, P., Zorn, G., Spence, D., and D. Mitton, “Diameter Network Access Server Application,” August 2005.) [RFC4005] specifies methods to deal with various interactions between the RADIUS (Rigney, C., Willens, S., Rubens, A., and W. Simpson, “Remote Authentication Dial In User Service (RADIUS),” June 2000.) [RFC2865] and Diameter (Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, “Diameter Base Protocol,” September 2003.) [RFC3588] protocols. In particular, the translation of RADIUS messages and attributes to and from Diameter commands and Attribute-Value Pairs (AVPs) is described at some length. However, there is a fundamental and insurmountable problem with attempting to translate Diameter protocol elements into RADIUS protocol elements: a single Diameter AVP may be much larger than an entire RADIUS message. Various workarounds have been proposed to ameliorate this proble, including limiting the size of Diameter elements that might require translation into RADIUS and returning an error upon receipt of an untranslatable AVP. The former approach uneccessarily limits the utility of, for example, the NASREQ application in pure Diameter deployments while the latter can result in the denial of service to otherwise legitimate users.

This document describes a simple method to solve the problems of interaction between RADIUS and Diameter by taking advantage of the fact thata RADIUS message can fit into a single Diameter AVP.


 TOC 

2.  Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) [RFC2119].


 TOC 

3.  The RADIUS-Diameter Gateway Application

The following sections define the syntax, semantics and usage of the RADIA application.


 TOC 

3.1.  Advertising Application Support

Servers and proxies supporting the RADIUS-Diameter Gateway application MUST advertise support by including the value <AID> in the Auth-Application-Id of the Capabilities-Exchange-Request (CER), Accounting-Request (ACR), Accounting-Answer (ACA), RADIA-Request (RDR), and RADIA-Answer (RDA) messages.


 TOC 

3.2.  Diameter Session Usage

Session usage in the RADIA application is identical to that in NASREQ.


 TOC 

3.3.  Commands

The RADIA application defines two new commands: Gateway-Request (RDR) and Gateway-Answer (RDA). The following sections describe these commands.


 TOC 

3.3.1.  The RADIA-Request (RDR) Command

The peer sends the RADIA-Request (RDR) command, indicated by the Command-Code field set to <CC1> and the Command Flags' 'R' bit set, in order to transmit a RADIUS message (encapsulated in the Radius-Message AVP (Radius-Message AVP)) toward its final destination. The Radius-Message AVP will generally encapsulate a RADIUS request message (e.g., Access-Request).

Message format: 

      <RDR> ::= < Diameter Header: CC1, REQ, PXY >
                { Origin-Host }
                { Origin-Realm }
                { Destination-Realm }
                { Auth-Application-Id }
                { Radius-Message}
                [ Destination-Host ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]


 TOC 

3.3.2.  The RADIA-Answer (RDA) Command

The peer sends the RADIA-Answer (RDA) command, indicated by the Command-Code field set to <CC2> and the Command Flags' 'R' bit set, in order to transmit a RADIUS message (encapsulated in the Radius-Message AVP (Radius-Message AVP)) toward its final destination. The Radius-Message AVP will generally encapsulate a RADIUS reply message (e.g., Access-Accept).

Message format: 

      <RDA> ::= < Diameter Header: CC2, REQ, PXY >
                { Origin-Host }
                { Origin-Realm }
                { Destination-Realm }
                { Auth-Application-Id }
                { Radius-Message}
                [ Destination-Host ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]


 TOC 

3.4.  Attribute-Value Pairs

This section describes the single AVP specific to the RADIUS-Diameter Gateway application.


 TOC 

3.4.1.  Radius-Message AVP

The Radius-Message AVP (AVP code <AVP>) is of type OctetString. The 'M' bit MUST be set and the 'V' bit MUST NOT be set. The AVP contains a complete RADIUS message.


 TOC 

4.  Security Considerations

The protocol defined in this specification has no effect upon the security of either Diameter or RADIUS.


 TOC 

5.  IANA Considerations

Upon publication of this memo as an RFC, IANA is requested to assign values as described in the following sections.


 TOC 

5.1.  Diameter Application Identifier

An application identifier for Diameter RADIUS-Diameter Gateway (<AID>, Section 3 (The RADIUS-Diameter Gateway Application)) must be assigned according to the policy specified in Section 11.3 of RFC 3588.


 TOC 

5.2.  Diameter Command Codes

Command codes must be assigned for the RADIA-Request (RDR) (<CC1>, Section 3.3.1 (The RADIA-Request (RDR) Command)) and RADIA-Answer (RDA) (<CC2>, Section 3.3.2 (The RADIA-Answer (RDA) Command)) commands according to the policy specified in RFC 3588, Section 11.2.1.


 TOC 

5.3.  Attribute-Value Pairs

A code must be assigned for the following AVP using the policy specified in RFC 3588, Section 11.1.1: Radius-Message (<AVP>, Section 3.4.1 (Radius-Message AVP)).


 TOC 

6. Normative References

[RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML).
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, “Remote Authentication Dial In User Service (RADIUS),” RFC 2865, June 2000 (TXT).
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, “Diameter Base Protocol,” RFC 3588, September 2003 (TXT).
[RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, “Diameter Network Access Server Application,” RFC 4005, August 2005 (TXT).

 TOC 

Authors' Addresses

  Glen Zorn
  Network Zen
  1310 East Thomas Street
  #306
  Seattle, Washington 98102
  USA
Email:  gwz@net-zen.net
  
  Lionel Morand
  Orange Labs
  38-40 rue du general Leclerc
  Issy-moulineaux Cedex 9 92794
  France
Email:  Lionel.morand@orange-ftgroup.com
  
  Tom Hiller
  Lucent Technologies
  1960 Lucent Lane
  Naperville, Illinois 60566
  USA
Email:  tom.hiller@alcatel-lucent.com