Network Working Group B. Aboba
Request for Comments: 3162 Microsoft
Category: Standards Track G. Zorn
Cisco Systems
D. Mitton
Circular Logic UnLtd.
August 2001
Network Working Group B. Aboba
Request for Comments: 3162 Microsoft
Category: Standards Track G. Zorn
Cisco Systems
D. Mitton
Circular Logic UnLtd.
August 2001
RADIUS and IPv6
RADIUS与IPv6
Status of this Memo
本备忘录的状况
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2001). All Rights Reserved.
版权所有(C)互联网协会(2001年)。版权所有。
Abstract
摘要
This document specifies the operation of RADIUS (Remote Authentication Dial In User Service) when run over IPv6 as well as the RADIUS attributes used to support IPv6 network access.
本文档指定了在IPv6上运行时RADIUS(远程身份验证拨入用户服务)的操作,以及用于支持IPv6网络访问的RADIUS属性。
This document specifies the operation of RADIUS [4]-[8] over IPv6 [13] as well as the RADIUS attributes used to support IPv6 network access.
本文档规定了RADIUS[4]-[8]在IPv6[13]上的操作,以及用于支持IPv6网络访问的RADIUS属性。
Note that a NAS sending a RADIUS Access-Request may not know a-priori whether the host will be using IPv4, IPv6, or both. For example, within PPP, IPv6CP [11] occurs after LCP, so that address assignment will not occur until after RADIUS authentication and authorization has completed.
请注意,发送RADIUS访问请求的NAS可能事先不知道主机是否将使用IPv4、IPv6或两者。例如,在PPP中,IPv6CP[11]发生在LCP之后,因此在RADIUS身份验证和授权完成之前不会发生地址分配。
Therefore it is presumed that the IPv6 attributes described in this document MAY be sent along with IPv4-related attributes within the same RADIUS message and that the NAS will decide which attributes to use. The NAS SHOULD only allocate addresses and prefixes that the client can actually use, however. For example, there is no need for
因此,假定本文档中描述的IPv6属性可以与同一RADIUS消息中的IPv4相关属性一起发送,NAS将决定使用哪些属性。但是,NAS应该只分配客户端实际可以使用的地址和前缀。例如,不需要
the NAS to reserve use of an IPv4 address for a host that only supports IPv6; similarly, a host only using IPv4 or 6to4 [12] does not require allocation of an IPv6 prefix.
NAS为仅支持IPv6的主机保留IPv4地址的使用;类似地,仅使用IPv4或6to4[12]的主机不需要分配IPv6前缀。
The NAS can provide IPv6 access natively, or alternatively, via other methods such as IPv6 within IPv4 tunnels [15] or 6over4 [14]. The choice of method for providing IPv6 access has no effect on RADIUS usage per se, although if it is desired that an IPv6 within IPv4 tunnel be opened to a particular location, then tunnel attributes should be utilized, as described in [6], [7].
NAS可以本机提供IPv6访问,也可以通过其他方法提供IPv6访问,如IPv4隧道内的IPv6[15]或6over4[14]。提供IPv6访问的方法的选择对RADIUS使用本身没有影响,但如果希望IPv4隧道中的IPv6打开到特定位置,则应使用隧道属性,如[6],[7]中所述。
In this document, the key words "MAY", "MUST, "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as described in [1].
在本文件中,关键词“可能”、“必须”、“不得”、“可选”、“建议”、“应该”和“不应该”的解释如[1]所述。
Description
描述
This Attribute indicates the identifying IPv6 Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server. NAS-IPv6-Address is only used in Access-Request packets. NAS-IPv6- Address and/or NAS-IP-Address MAY be present in an Access-Request packet; however, if neither attribute is present then NAS-Identifier MUST be present.
此属性表示正在请求用户身份验证的NAS的标识IPv6地址,并且对于RADIUS服务器范围内的NAS来说应该是唯一的。NAS-IPv6-Address仅用于访问请求数据包。NAS-IPv6-地址和/或NAS IP地址可能存在于访问请求数据包中;但是,如果两个属性都不存在,则必须存在NAS标识符。
A summary of the NAS-IPv6-Address Attribute format is shown below. The fields are transmitted from left to right.
NAS-IPv6-Address属性格式的摘要如下所示。字段从左向右传输。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
类型
95 for NAS-IPv6-Address
95用于NAS-IPv6-IP地址
Length
长
18
18
Address
住址
The Address field is 16 octets.
地址字段是16个八位字节。
Description
描述
This Attribute indicates the IPv6 interface identifier to be configured for the user. It MAY be used in Access-Accept packets. If the Interface-Identifier IPv6CP option [11] has been successfully negotiated, this Attribute MUST be included in an Access-Request packet as a hint by the NAS to the server that it would prefer that value. It is recommended, but not required, that the server honor the hint.
此属性表示要为用户配置的IPv6接口标识符。它可以用于访问和接受数据包。如果已成功协商接口标识符IPv6CP选项[11],则NAS必须将此属性包含在访问请求数据包中,作为向服务器提示其更喜欢该值的提示。建议服务器遵守提示,但不是必需的。
A summary of the Framed-Interface-Id Attribute format is shown below. The fields are transmitted from left to right.
框架接口Id属性格式的摘要如下所示。字段从左向右传输。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Interface-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Interface-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Interface-Id |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Interface-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Interface-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Interface-Id |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
类型
96 for Framed-Interface-Id
96用于帧接口Id
Length
长
10
10
Interface-Id
接口Id
The Interface-Id field is 8 octets.
接口Id字段为8个八位字节。
Description
描述
This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user. It MAY be used in Access-Accept packets, and can appear multiple times. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer these prefix(es), but the server is not required to honor the hint. Since it is assumed that the NAS will plumb a route corresponding to the prefix, it is not necessary for the server to also send a Framed-IPv6-Route attribute for the same prefix.
此属性表示要为用户配置的IPv6前缀(和相应的路由)。它可以用于访问和接受数据包,并且可以多次出现。NAS可以在访问请求数据包中使用它作为向服务器发出的提示,表示它更喜欢这些前缀,但服务器不需要遵守该提示。由于假定NAS将垂直于与前缀相对应的路由,因此服务器不必也为同一前缀发送Framed-IPv6-route属性。
A summary of the Framed-IPv6-Prefix Attribute format is shown below. The fields are transmitted from left to right.
Framed-IPv6-Prefix属性格式的摘要如下所示。字段从左向右传输。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Reserved | Prefix-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Prefix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Prefix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Prefix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Prefix |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Reserved | Prefix-Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Prefix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Prefix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Prefix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Prefix |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
类型
97 for Framed-IPv6-Prefix
97用于带帧IPv6-Prefix
Length
长
At least 4 and no larger than 20.
至少4个且不大于20个。
Reserved
含蓄的
This field, which is reserved and MUST be present, is always set to zero.
此字段是保留的,必须存在,始终设置为零。
Prefix-Length
前缀长度
The length of the prefix, in bits. At least 0 and no larger than 128.
前缀的长度,以位为单位。至少为0且不大于128。
Prefix
前缀
The Prefix field is up to 16 octets in length. Bits outside of the Prefix-Length, if included, must be zero.
前缀字段的长度最多为16个八位字节。前缀长度之外的位(如果包括)必须为零。
Description
描述
This Attribute indicates the system with which to connect the user, when the Login-Service Attribute is included. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that host, but the server is not required to honor the hint.
此属性表示在包含“登录服务”属性时要与用户连接的系统。它可以用于访问和接受数据包。它可以在访问请求数据包中用作向服务器发出的NAS希望使用该主机的提示,但服务器无需遵守该提示。
A summary of the Login-IPv6-Host Attribute format is shown below. The fields are transmitted from left to right.
Login-IPv6-Host属性格式的摘要如下所示。字段从左向右传输。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
类型
98 for Login-IPv6-Host
98用于登录IPv6主机
Length
长
18
18
Address
住址
The Address field is 16 octets in length. The value 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD allow the user to select an address or name to be connected to. The value 0 indicates that the NAS SHOULD select a host to connect the user to. Other values indicate the address the NAS SHOULD connect the user to.
地址字段的长度为16个八位字节。值0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF表示NAS应允许用户选择要连接的地址或名称。值0表示NAS应选择要将用户连接到的主机。其他值指示NAS应将用户连接到的地址。
Description
描述
This Attribute provides routing information to be configured for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times.
此属性提供要在NAS上为用户配置的路由信息。它用于Access Accept数据包中,可以多次出现。
A summary of the Framed-IPv6-Route Attribute format is shown below. The fields are transmitted from left to right.
Framed-IPv6-Route属性格式的摘要如下所示。字段从左向右传输。
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Text ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Text ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
类型
99 for Framed-IPv6-Route
99用于帧间IPv6路由
Length
长
>=3
>=3
Text
文本
The Text field is one or more octets, and its contents are implementation dependent. The field is not NUL (hex 00) terminated. It is intended to be human readable and MUST NOT affect operation of the protocol.
文本字段是一个或多个八位字节,其内容取决于实现。该字段未以NUL(十六进制00)结尾。其目的是让人可读,并且不得影响协议的运行。
For IPv6 routes, it SHOULD contain a destination prefix optionally followed by a slash and a decimal length specifier stating how many high order bits of the prefix to use. That is followed by a space, a gateway address, a space, and one or more metrics (encoded in decimal) separated by spaces. Prefixes and addresses are formatted as described in [16]. For example, "2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1".
对于IPv6路由,它应该包含一个目标前缀(可选),后跟一个斜杠和一个十进制长度说明符,说明要使用前缀的高阶位数。后跟一个空格、一个网关地址、一个空格和一个或多个由空格分隔的度量(十进制编码)。前缀和地址的格式如[16]所述。例如,“2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1”。
Whenever the gateway address is the IPv6 unspecified address the IP address of the user SHOULD be used as the gateway address. The unspecified address can be expressed in any of the acceptable formats described in [16]. For example, "2000:0:0:106::/64 :: 1".
当网关地址为IPv6未指定地址时,应将用户的IP地址用作网关地址。未指定的地址可以用[16]中所述的任何可接受格式表示。例如,“2000:0:0:106::/64::1”。
Description
描述
This Attribute contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user. If a NAS does not support multiple prefix pools, the NAS MUST ignore this Attribute.
此属性包含应用于为用户分配IPv6前缀的已分配池的名称。如果NAS不支持多个前缀池,则NAS必须忽略此属性。
A summary of the Framed-IPv6-Pool Attribute format is shown below. The fields are transmitted from left to right.
Framed-IPv6-Pool属性格式的摘要如下所示。字段从左向右传输。
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
类型
100 for Framed-IPv6-Pool
100个用于框架IPv6-Pool
Length
长
>= 3
>= 3
String
一串
The string field contains the name of an assigned IPv6 prefix pool configured on the NAS. The field is not NUL (hex 00) terminated.
字符串字段包含NAS上配置的已分配IPv6前缀池的名称。该字段未以NUL(十六进制00)结尾。
The following table provides a guide to which attributes may be found in which kinds of packets, and in what quantity.
下表提供了在哪些类型的数据包中可以找到哪些属性以及数量的指南。
Request Accept Reject Challenge Accounting # Attribute Request 0-1 0 0 0 0-1 95 NAS-IPv6-Address 0-1 0-1 0 0 0-1 96 Framed-Interface-Id 0+ 0+ 0 0 0+ 97 Framed-IPv6-Prefix 0+ 0+ 0 0 0+ 98 Login-IPv6-Host 0 0+ 0 0 0+ 99 Framed-IPv6-Route 0 0-1 0 0 0-1 100 Framed-IPv6-Pool
请求接受拒绝质询记帐#属性请求0-1 0 0 0-1 95 NAS-IPv6-Address 0-1 0-1 0 0-1 96带框接口Id 0+0+0 0 0+97带框-IPv6-Prefix 0+0+0 0 0+98登录-IPv6-Host 0+0 0 0 0 0+99带框-IPv6-Route 0-1 0 0 0 0 0-0-1 100带框-IPv6-Pool
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March, 1997.
[1] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[2] Yergeau, F., "UTF-8, a transformation format of Unicode and ISO 10646", RFC 2044, October 1996.
[2] “UTF-8,Unicode和ISO10646的转换格式”,RFC 2044,1996年10月。
[3] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy Implementation in Roaming", RFC 2607, June 1999.
[3] Aboba,B.和J.Vollbrecht,“漫游中的代理链接和策略实施”,RFC 2607,1999年6月。
[4] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[4] Rigney,C.,Rubens,A.,Simpson,W.和S.Willens,“远程认证拨入用户服务(RADIUS)”,RFC 28652000年6月。
[5] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[5] 里格尼,C.,“半径会计”,RFC 28662000年6月。
[6] Zorn, G., Mitton, D. and B. Aboba, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000.
[6] Zorn,G.,Mitton,D.和B.Aboba,“隧道协议支持的半径计算修改”,RFC 28672000年6月。
[7] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. and I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June 2000.
[7] Zorn,G.,Leifer,D.,Rubens,A.,Shriver,J.,Holdrege,M.和I.Goyret,“隧道协议支持的半径属性”,RFC 28682000年6月。
[8] Rigney, C., Willats, W. and P. Calhoun, "RADIUS Extensions", RFC 2869, June 2000.
[8] 里格尼,C.,威拉斯,W.和P.卡尔霍恩,“半径延伸”,RFC 28692000年6月。
[9] Kent S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.
[9] Kent S.和R.Atkinson,“互联网协议的安全架构”,RFC 2401,1998年11月。
[10] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[10] Alvestrand,H.和T.Narten,“在RFCs中编写IANA注意事项部分的指南”,BCP 26,RFC 2434,1998年10月。
[11] Haskin, D. and E. Allen, "IP Version 6 over PPP", RFC 2472, December 1998.
[11] Haskin,D.和E.Allen,“PPP上的IP版本6”,RFC 24721998年12月。
[12] Carpenter, B. and K. Moore, "Connection of IPv6 Domains via IPv4 Clouds", RFC 3056, February 2001.
[12] Carpenter,B.和K.Moore,“通过IPv4云连接IPv6域”,RFC 3056,2001年2月。
[13] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.
[13] Deering,S.和R.Hinden,“互联网协议,第6版(IPv6)规范”,RFC 2460,1998年12月。
[14] Carpenter, B. and C. Jung, "Transmission of IPv6 over IPv4 Domains without Explicit Tunnels", RFC 2529, March 1999.
[14] Carpenter,B.和C.Jung,“无显式隧道的IPv4域上IPv6传输”,RFC 2529,1999年3月。
[15] Gilligan, R. and E. Nordmark, "Transition Mechanisms for IPv6 Hosts and Routers", RFC 2893, August 2000.
[15] Gilligan,R.和E.Nordmark,“IPv6主机和路由器的过渡机制”,RFC 28932000年8月。
[16] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 2373, July 1998.
[16] Hinden,R.和S.Deering,“IP版本6寻址体系结构”,RFC 23731998年7月。
This document describes the use of RADIUS for the purposes of authentication, authorization and accounting in IPv6-enabled networks. In such networks, the RADIUS protocol may run either over IPv4 or over IPv6. Known security vulnerabilities of the RADIUS protocol are described in [3], [4] and [8].
本文档介绍了RADIUS在支持IPv6的网络中用于身份验证、授权和记帐的用途。在这种网络中,RADIUS协议可以通过IPv4或IPv6运行。[3]、[4]和[8]中描述了RADIUS协议的已知安全漏洞。
Since IPSEC [9] is mandatory to implement for IPv6, it is expected that running RADIUS implementations supporting IPv6 will typically run over IPSEC. Where RADIUS is run over IPSEC and where certificates are used for authentication, it may be desirable to avoid management of RADIUS shared secrets, so as to leverage the improved scalability of public key infrastructure.
由于IPSEC[9]对于IPv6是强制实施的,因此运行支持IPv6的RADIUS实施通常会在IPSEC上运行。如果RADIUS通过IPSEC运行,并且证书用于身份验证,则可能需要避免对RADIUS共享机密的管理,以便利用公钥基础设施的改进的可伸缩性。
Within RADIUS, a shared secret is used for hiding of attributes such as User-Password [4] and Tunnel-Password [7]. In addition, the shared secret is used in computation of the Response Authenticator [4], as well as the Message-Authenticator attribute [8]. Therefore, in RADIUS a shared secret is used to provide confidentiality as well as integrity protection and authentication. As a result, only use of IPSEC ESP with a non-null transform can provide security services sufficient to substitute for RADIUS application-layer security. Therefore, where IPSEC AH or ESP null is used, it will typically still be necessary to configure a RADIUS shared secret.
在RADIUS中,共享秘密用于隐藏用户密码[4]和隧道密码[7]等属性。此外,共享秘密用于计算响应验证器[4]以及消息验证器属性[8]。因此,在RADIUS中,共享秘密用于提供机密性以及完整性保护和身份验证。因此,只有使用具有非空转换的IPSEC ESP才能提供足以替代RADIUS应用层安全的安全服务。因此,在使用IPSEC AH或ESP null的情况下,通常仍需要配置RADIUS共享机密。
However, where RADIUS is run over IPSEC ESP with a non-null transform, the secret shared between the NAS and the RADIUS server MAY NOT be configured. In this case, a shared secret of zero length MUST be assumed.
但是,如果RADIUS通过IPSEC ESP以非空转换运行,则可能无法配置NAS和RADIUS服务器之间共享的机密。在这种情况下,必须假定一个长度为零的共享秘密。
This document requires the assignment of six new RADIUS attribute numbers for the following attributes:
本文件要求为以下属性分配六个新的半径属性编号:
NAS-IPv6-Address Framed-Interface-Id Framed-IPv6-Prefix Login-IPv6-Host Framed-IPv6-Route Framed-IPv6-Pool
NAS-IPv6-Address框架接口Id框架IPv6-Prefix登录IPv6-Host框架IPv6-Route框架IPv6-Pool
See section 3 for the registered list of numbers.
请参见第3节,了解已登记的编号列表。
The authors would like to acknowledge Jun-ichiro itojun Hagino of IIJ Research Laboratory, Darran Potter of Cisco and Carl Rigney of Lucent for contributions to this document.
作者要感谢IIJ研究实验室的Jun ichiro itojun Hagino、思科的Darran Potter和朗讯的Carl Rigney对本文件的贡献。
Bernard Aboba Microsoft Corporation One Microsoft Way Redmond, WA 98052
伯纳德·阿博巴(Bernard Aboba)微软公司华盛顿州雷德蒙微软大道一号,邮编:98052
Phone: +1 425 936 6605
Fax: +1 425 936 7329
EMail: bernarda@microsoft.com
Phone: +1 425 936 6605
Fax: +1 425 936 7329
EMail: bernarda@microsoft.com
Glen Zorn Cisco Systems, Inc. 500 108th Avenue N.E., Suite 500 Bellevue, WA 98004
格伦佐恩思科系统有限公司,地址:华盛顿州贝尔维尤第108大道500号,邮编:98004
Phone: +1 425 471 4861
EMail: gwz@cisco.com
Phone: +1 425 471 4861
EMail: gwz@cisco.com
Dave Mitton Circular Logic UnLtd. 733 Turnpike Street #154 North Andover, MA 01845
戴夫·米顿循环逻辑UnLtd。马萨诸塞州安多弗北部154号收费公路街733号,邮编01845
Phone: 978 683-1814 Email: david@mitton.com
电话:978683-1814电子邮件:david@mitton.com
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2001). All Rights Reserved.
版权所有(C)互联网协会(2001年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。