RADIUS EXTensions (radext)
--------------------------

Charter
Last Modified: 2011-09-29

Current Status: Active Working Group

Chair(s):
    Mauricio Sanchez <mauricio.sanchez@hp.com>
    Jouni Korhonen <jouni.korhonen@nsn.com>

Operations and Management Area Director(s):
    Dan Romascanu <dromasca@avaya.com>
    Ronald Bonica <rbonica@juniper.net>

Operations and Management Area Advisor:
    Dan Romascanu <dromasca@avaya.com>

Technical Advisor(s):
    Paul Congdon <paul.congdon@hp.com>

Mailing Lists:
    General Discussion: radext@ietf.org
    To Subscribe:       https://www.ietf.org/mailman/listinfo/radext
    Archive:            http://www.ietf.org/mail-archive/web/radext/

Description of Working Group:

The RADIUS Extensions Working Group will focus on extensions to the
RADIUS protocol required to define extensions to the standard attribute
space as well as to address cryptographic algorithm agility and use over
new transports. In addition, RADEXT will work on RADIUS Design Guidelines
and define new attributes for particular applications of authentication,
authorization and accounting such as NAS management and local area
network (LAN) usage.

In order to enable interoperation of heterogeneous RADIUS/Diameter
deployments, all RADEXT WG work items MUST contain a Diameter
compatibility section, outlining how interoperability with Diameter will
be maintained.

Furthermore, to ensure backward compatibility with existing RADIUS
implementations, as well as compatibility between RADIUS and Diameter,
the following restrictions are imposed on extensions considered by the
RADEXT WG:

- All documents produced MUST specify means of interoperation with
  legacy RADIUS and, if possible, be backward compatible with existing
  RADIUS RFCs, including RFCs 2865-2869, 3162, 3575, 3579, 3580,
  4668-4673, 4675, 5080, 5090 and 5176. Transport profiles should, if
  possible, be compatible with RFC 3539.

- All RADIUS work MUST be compatible with equivalent facilities in
  Diameter. Where possible, new attributes should be defined so that
  the same attribute can be used in both RADIUS and Diameter without
  translation. In other cases a translation considerations section
  should be included in the specification.

Work Items

The immediate goals of the RADEXT working group are to address the
following issues:

- RADIUS design guidelines. This document will provide guidelines for
  design of RADIUS attributes. It will specifically consider how complex
  data types may be introduced in a robust manner, maintaining backwards
  compatibility with existing RADIUS RFCs, across all the classes of
  attributes: Standard, Vendor-Specific and SDO-Specific. In addition,
  it will review RADIUS data types and associated backwards
  compatibility issues.

- RADIUS Management authorization. This document will define the use of
  RADIUS for NAS management over IP.

- RADIUS attribute space extension. The standard RADIUS attribute space
  is currently being depleted. This document will provide additional
  standard attribute space, while maintaining backward compatibility
  with existing attributes.

- RADIUS Cryptographic Algorithm Agility. RADIUS has traditionally
  relied on MD5 for both per-packet integrity and authentication as
  well as attribute confidentiality. Given the increasingly successful
  attacks being mounted against MD5, the ability to support alternative
  algorithms is required. This work item will include documentation of
  RADIUS crypto-agility requirements, as well as development of one or
  more Experimental RFCs providing support for negotiation of
  alternative cryptographic algorithms to protect RADIUS.

- IEEE 802 attributes. New attributes have been proposed to support
  IEEE 802 standards for wired and wireless LANs. This work item will
  support authentication, authorization and accounting attributes
  needed by IEEE 802 groups including IEEE 802.1, IEEE 802.11 and
  IEEE 802.16.

- New RADIUS transports. A reliable transport profile for RADIUS will
  be developed, as well as specifications for Secure transports,
  including TCP/TLS (RADSEC) and UDP/DTLS.

- Documentation of Status-Server usage. A document describing usage of
  the Status-Server facility will be developed.

Goals and Milestones:

Done      Updates to RFC 2618-2621 RADIUS MIBs submitted for publication
Done      SIP RADIUS authentication draft submitted as a Proposed
          Standard RFC
Done      RFC 2486bis submitted as a Proposed Standard RFC
Done      RFC 3576 MIBs submitted as an Informational RFC
Done      RADIUS VLAN and Priority Attributes draft submitted as a
          Proposed Standard RFC (reduced in scope)
Done      RADIUS Implementation Issues and Fixes draft submitted as an
          Informational RFC
Done      RADIUS Filtering Attributes draft submitted as a Proposed
          Standard RFC (split out from VLAN & Priority draft)
Done      RFC 3576bis submitted as an Informational RFC (split out from
          Issues & Fixes draft)
Done      RADIUS Redirection Attributes draft submitted as a Proposed
          Standard RFC (split out from VLAN & Priority draft)
Done      RADIUS Design Guidelines submitted as a Best Current Practice
          RFC
Done      RADIUS Management Authorization I-D submitted as a Proposed
          Standard RFC
Done      Reliable Transport Profile for RADIUS I-D submitted as a
          Proposed Standard RFC
Done      Status-Server I-D submitted as a Proposed Standard RFC
Dec 2010  IPv6 Access I-D submitted as a Proposed Standard RFC
Mar 2011  RADIUS over DTLS I-D submitted as an Experimental RFC
Mar 2011  RADSEC (RADIUS over TCP/TLS) draft submitted as an
          Experimental RFC
Mar 2011  RADIUS Crypto-agility Requirements submitted as an
          Informational RFC
Jun 2011  Extended Attributes I-D submitted as a Proposed Standard RFC
Oct 2011  IEEE 802 Attributes I-D submitted as a Proposed Standard RFC
Oct 2011  Dynamic Discovery I-D submitted as a Proposed Standard RFC

Internet-Drafts:

Posted    Revised   I-D Title <Filename>
------    -------   --------------------------------------------
May 2008  Jul 2011  <draft-ietf-radext-crypto-agility-requirements-07.txt>
                    Crypto-Agility Requirements for Remote Dial-In User
                    Service (RADIUS)
Jun 2008  Jul 2011  <draft-ietf-radext-radsec-09.txt>
                    TLS encryption for RADIUS
Dec 2008  Oct 2010  <draft-ietf-radext-tcp-transport-09.txt>
                    RADIUS Over TCP
Jul 2009  Jul 2011  <draft-ietf-radext-dynamic-discovery-03.txt>
                    NAI-based Dynamic Peer Discovery for RADIUS/TLS and
                    RADIUS/DTLS
Mar 2010  Jul 2011  <draft-ietf-radext-ipv6-access-05.txt>
                    RADIUS attributes for IPv6 Access Networks
Feb 2011  Oct 2011  <draft-ietf-radext-radius-extensions-02.txt>
                    Remote Authentication Dial In User Service (RADIUS)
                    Protocol Extensions

Request For Comments:

RFC      Stat      Published  Title
-------  --------  ---------  ------------------------------------
RFC4282  Standard  Dec 2005   The Network Access Identifier
RFC4372  Standard  Jan 2006   Chargeable User Identity
RFC4590  PS        Jul 2006   RADIUS Extension for Digest Authentication
RFC4668  PS        Aug 2006   RADIUS Authentication Client MIB for IPv6
RFC4669  PS        Aug 2006   RADIUS Authentication Server MIB for IPv6
RFC4671  I         Aug 2006   RADIUS Accounting Server MIB for IPv6
RFC4670  I         Aug 2006   RADIUS Accounting Client MIB for IPv6
RFC4672  I         Sep 2006   RADIUS Dynamic Authorization Client MIB
RFC4673  I         Sep 2006   RADIUS Dynamic Authorization Server MIB
RFC4675  PS        Sep 2006   RADIUS Attributes for Virtual LAN and
                              Priority Support
RFC4818  PS        Apr 2007   RADIUS Delegated-IPv6-Prefix Attribute
RFC4849  PS        Apr 2007   RADIUS Filter Rule Attribute
RFC5080  PS        Dec 2007   Common Remote Authentication Dial In User
                              Service (RADIUS) Implementation Issues and
                              Suggested Fixes
RFC5176  I         Jan 2008   Dynamic Authorization Extensions to Remote
                              Authentication Dial In User Service (RADIUS)
RFC5090  PS        Feb 2008   RADIUS Extension for Digest Authentication
RFC5607  PS        Jul 2009   Remote Authentication Dial-In User Service
                              (RADIUS) Authorization for Network Access
                              Server (NAS) Management
RFC5997  I         Aug 2010   Use of Status-Server Packets in the Remote
                              Authentication Dial In User Service (RADIUS)
                              Protocol
RFC6158  BCP       Mar 2011   RADIUS Design Guidelines