Protocol Action: 'Dynamic Authorization Proxying in Remote Authorization Dial-In User Service Protocol (RADIUS)' to Proposed Standard (draft-ietf-radext-coa-proxy-10.txt)

The IESG has approved the following document:
- 'Dynamic Authorization Proxying in Remote Authorization Dial-In User
   Service Protocol (RADIUS)'
  (draft-ietf-radext-coa-proxy-10.txt) as Proposed Standard

This document is the product of the RADIUS EXTensions Working Group.

The IESG contact persons are Warren Kumari, Ignas Bagdonas and Benjamin Kaduk.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-radext-coa-proxy/




Technical Summary:

   RFC 5176 defines Change of Authorization (CoA) and Disconnect Message
   (DM) behavior for RADIUS.  Section 3.1 of that document suggests that
   proxying these messages is possible, but gives no guidance as to how
   that is done.  This omission means that proxying of CoA packets is,
   in practice, impossible.  This specification corrects that omission for
   scenarios where networks use Realm-based proxying as defined in
   [RFC7542].
   It leverages an existing RADIUS attribute, Operator-Name (Section
   4.1 of [RFC5580]), to record the visited network for a particular
   session.  The document explains how that attribute can be used by CoA
   proxies to route packets "backwards" through a RADIUS proxy chain.  It
   introduces a new attribute, Operator-NAS-Identifier, and shows how this
   attribute can increase privacy about the internal implementation of
   the visited network.

Working Group Summary:

   The radext working group is rather light in attendance and discussion,
   and will shut down soon. With that said, this particular document got 
   a (comparatively) good amount of review and interest.

Document Quality:

   At least one RADIUS implementation has support for parts of this
   specification.  In particular, the replacement of NAS-IP-Address,
   NAS-IPv6-Address and NAS-Identifier with Operator-NAS-Identifier when a
   packet leaves the operator's own administrative domain is not
   implemented.  The complexity of that functionality can be expected to
   be modest, though.
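The following toy model, added here and not taken from the draft or any RADIUS implementation, shows the two proxy-side steps the Technical Summary and Document Quality paragraphs describe: a visited-network proxy swapping the NAS-identifying attributes for an opaque Operator-NAS-Identifier and stamping Operator-Name on the way out, and a CoA proxy routing the reply "backwards" on the Operator-Name realm and restoring the NAS attributes on the way in. Attributes are plain dicts; the realm name, the per-domain secret, the HMAC-derived identifier and the in-memory lookup table are all constructed assumptions, not the draft's encoding.

```python
import hmac
import hashlib

# Constructed example values: this visited network's realm and a domain-local
# secret used to derive opaque Operator-NAS-Identifier values.
LOCAL_REALM = "visited.example"
DOMAIN_SECRET = b"constructed-domain-secret"
# The attributes that reveal the visited network's internal NAS layout.
NAS_ATTRS = ("NAS-IP-Address", "NAS-IPv6-Address", "NAS-Identifier")
# Assumed: the visited proxy keeps a table from opaque id back to the real
# NAS attributes.  It never leaves the administrative domain.
_nas_table = {}


def opaque_nas_id(attrs):
    """Derive a stable, non-reversible token for this NAS (assumption)."""
    key = "|".join(f"{k}={attrs[k]}" for k in NAS_ATTRS if k in attrs)
    return hmac.new(DOMAIN_SECRET, key.encode(), hashlib.sha256).hexdigest()[:16]


def outbound_request(attrs):
    """Visited-network proxy: request about to leave its own domain."""
    out = {k: v for k, v in attrs.items() if k not in NAS_ATTRS}
    oid = opaque_nas_id(attrs)
    _nas_table[oid] = {k: attrs[k] for k in NAS_ATTRS if k in attrs}
    out["Operator-NAS-Identifier"] = oid
    # RFC 5580 namespace id "1" means the value is a REALM.
    out["Operator-Name"] = "1" + LOCAL_REALM
    return out


def route_coa(attrs, realm_routes):
    """CoA proxy: pick the next hop from the Operator-Name realm.

    This is the reverse of ordinary realm routing, which uses User-Name.
    Returns None when the packet carries no routable REALM operator name.
    """
    name = attrs.get("Operator-Name", "")
    if not name.startswith("1"):
        return None
    return realm_routes.get(name[1:])


def inbound_coa(attrs):
    """Visited-network proxy: CoA/DM entering its domain; restore NAS attrs."""
    nas = _nas_table.get(attrs.get("Operator-NAS-Identifier"))
    if nas is None:
        return None  # unknown or forged identifier: nothing to deliver to
    restored = {k: v for k, v in attrs.items() if k != "Operator-NAS-Identifier"}
    restored.update(nas)
    return restored
```

The home network never sees NAS-IP-Address or NAS-Identifier, only the opaque token and the realm, which is the privacy gain the summary refers to.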

Personnel:

The Document Shepherd is Stefan Winter <stefan.winter@restena.lu>. The responsible area director is Benjamin Kaduk <kaduk@mit.edu>.
