rfc3162.txt

radius服务器


RFC 3162                    RADIUS and IPv6                  August 2001


      Whenever the gateway address is the IPv6 unspecified address the
      IP address of the user SHOULD be used as the gateway address.  The
      unspecified address can be expressed in any of the acceptable
      formats described in [16].  For example, "2000:0:0:106::/64 :: 1".

2.6.  Framed-IPv6-Pool

   Description

      This Attribute contains the name of an assigned pool that SHOULD
      be used to assign an IPv6 prefix for the user.  If a NAS does not
      support multiple prefix pools, the NAS MUST ignore this Attribute.

   A summary of the Framed-IPv6-Pool Attribute format is shown below.
   The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |     String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      100 for Framed-IPv6-Pool

   Length

      >= 3

   String

      The string field contains the name of an assigned IPv6 prefix pool
      configured on the NAS.  The field is not NUL (hex 00) terminated.

3.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in which kinds of packets, and in what quantity.

   Request Accept Reject Challenge Accounting  #  Attribute
                                   Request
   0-1     0      0      0         0-1        95  NAS-IPv6-Address
   0-1     0-1    0      0         0-1        96  Framed-Interface-Id
   0+      0+     0      0         0+         97  Framed-IPv6-Prefix
   0+      0+     0      0         0+         98  Login-IPv6-Host
   0       0+     0      0         0+         99  Framed-IPv6-Route
   0       0-1    0      0         0-1       100  Framed-IPv6-Pool



Aboba, et al.               Standards Track                     [Page 7]

RFC 3162                    RADIUS and IPv6                  August 2001


4.  References

   [1]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", BCP 14, RFC 2119, March, 1997.

   [2]   Yergeau, F., "UTF-8, a transformation format of Unicode and ISO
         10646", RFC 2044, October 1996.

   [3]   Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
         Implementation in Roaming", RFC 2607, June 1999.

   [4]   Rigney, C., Rubens, A., Simpson, W. and S. Willens,  "Remote
         Authentication Dial In User Service (RADIUS)", RFC 2865, June
         2000.

   [5]   Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [6]   Zorn, G., Mitton, D. and B. Aboba, "RADIUS Accounting
         Modifications for Tunnel Protocol Support", RFC 2867, June
         2000.

   [7]   Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M.
         and I. Goyret, "RADIUS Attributes for Tunnel Protocol Support",
         RFC 2868, June 2000.

   [8]   Rigney, C., Willats, W. and P. Calhoun, "RADIUS Extensions",
         RFC 2869, June 2000.

   [9]   Kent S. and R. Atkinson, "Security Architecture for the
         Internet Protocol", RFC 2401, November 1998.

   [10]  Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA
         Considerations Section in RFCs", BCP 26, RFC 2434, October
         1998.

   [11]  Haskin, D. and E. Allen, "IP Version 6 over PPP", RFC 2472,
         December 1998.

   [12]  Carpenter, B. and K. Moore, "Connection of IPv6 Domains via
         IPv4 Clouds", RFC 3056, February 2001.

   [13]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
         Specification", RFC 2460, December 1998.

   [14]  Carpenter, B. and C. Jung, "Transmission of IPv6 over IPv4
         Domains without Explicit Tunnels", RFC 2529, March 1999.





Aboba, et al.               Standards Track                     [Page 8]

RFC 3162                    RADIUS and IPv6                  August 2001


   [15]  Gilligan, R. and E. Nordmark, "Transition Mechanisms for IPv6
         Hosts and Routers", RFC 2893, August 2000.

   [16]  Hinden, R. and S. Deering, "IP Version 6 Addressing
         Architecture", RFC 2373, July 1998.

5.  Security Considerations

   This document describes the use of RADIUS for the purposes of
   authentication, authorization and accounting in IPv6-enabled
   networks.  In such networks, the RADIUS protocol may run either over
   IPv4 or over IPv6.  Known security vulnerabilities of the RADIUS
   protocol are described in [3], [4] and [8].

   Since IPSEC [9] is mandatory to implement for IPv6, it is expected
   that running RADIUS implementations supporting IPv6 will typically
   run over IPSEC.  Where RADIUS is run over IPSEC and where
   certificates are used for authentication, it may be desirable to
   avoid management of RADIUS shared secrets, so as to leverage the
   improved scalability of public key infrastructure.

   Within RADIUS, a shared secret is used for hiding of attributes such
   as User-Password [4] and Tunnel-Password [7].  In addition, the
   shared secret is used in computation of the Response Authenticator
   [4], as well as the Message-Authenticator attribute [8].  Therefore,
   in RADIUS a shared secret is used to provide confidentiality as well
   as integrity protection and authentication.  As a result, only use of
   IPSEC ESP with a non-null transform can provide security services
   sufficient to substitute for RADIUS application-layer security.
   Therefore, where IPSEC AH or ESP null is used, it will typically
   still be necessary to configure a RADIUS shared secret.

   However, where RADIUS is run over IPSEC ESP with a non-null
   transform, the secret shared between the NAS and the RADIUS server
   MAY NOT be configured.  In this case, a shared secret of zero length
   MUST be assumed.















Aboba, et al.               Standards Track                     [Page 9]

RFC 3162                    RADIUS and IPv6                  August 2001


6.  IANA Considerations

   This document requires the assignment of six new RADIUS attribute
   numbers for the following attributes:

      NAS-IPv6-Address
      Framed-Interface-Id
      Framed-IPv6-Prefix
      Login-IPv6-Host
      Framed-IPv6-Route
      Framed-IPv6-Pool

   See section 3 for the registered list of numbers.

7.  Acknowledgments

   The authors would like to acknowledge Jun-ichiro itojun Hagino of IIJ
   Research Laboratory, Darran Potter of Cisco and Carl Rigney of Lucent
   for contributions to this document.
































Aboba, et al.               Standards Track                    [Page 10]

RFC 3162                    RADIUS and IPv6                  August 2001


8.  Authors' Addresses

   Bernard Aboba
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA 98052

   Phone: +1 425 936 6605
   Fax:   +1 425 936 7329
   EMail: bernarda@microsoft.com


   Glen Zorn
   Cisco Systems, Inc.
   500 108th Avenue N.E., Suite 500
   Bellevue, WA 98004

   Phone: +1 425 471 4861
   EMail: gwz@cisco.com


   Dave Mitton
   Circular Logic UnLtd.
   733 Turnpike Street #154
   North Andover, MA 01845

   Phone: 978 683-1814
   Email: david@mitton.com























Aboba, et al.               Standards Track                    [Page 11]

RFC 3162                    RADIUS and IPv6                  August 2001


Full Copyright Statement

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Aboba, et al.               Standards Track                    [Page 12]