Network Working Group                                     P. Eronen, Ed.
Request for Comments: 4072                                         Nokia
Category: Standards Track                                      T. Hiller
                                                     Lucent Technologies
                                                                 G. Zorn
                                                           Cisco Systems
                                                             August 2005
        

Diameter Extensible Authentication Protocol (EAP) Application


Status of This Memo


This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.


Copyright Notice


Copyright (C) The Internet Society (2005).


Abstract


The Extensible Authentication Protocol (EAP) provides a standard mechanism for support of various authentication methods. This document defines the Command-Codes and AVPs necessary to carry EAP packets between a Network Access Server (NAS) and a back-end authentication server.


Table of Contents


   1.  Introduction
       1.1.  Conventions Used in This Document
   2.  Extensible Authentication Protocol Support in Diameter
       2.1.  Advertising Application Support
       2.2.  Protocol Overview
       2.3.  Sessions and NASREQ Interaction
             2.3.1. Scenario 1: Direct Connection
             2.3.2. Scenario 2: Direct Connection with Redirects
             2.3.3. Scenario 3: Direct EAP, Authorization via Agents
             2.3.4. Scenario 4: Proxy Agents
       2.4.  Invalid Packets
       2.5.  Retransmission
       2.6.  Fragmentation
       2.7.  Accounting
       2.8.  Usage Guidelines
             2.8.1. User-Name AVP
             2.8.2. Conflicting AVPs
             2.8.3. Displayable Messages
             2.8.4. Role Reversal
             2.8.5. Identifier Space
   3.  Command-Codes
       3.1.  Diameter-EAP-Request (DER) Command
       3.2.  Diameter-EAP-Answer (DEA) Command
   4.  Attribute-Value Pairs
       4.1.  New AVPs
             4.1.1. EAP-Payload AVP
             4.1.2. EAP-Reissued-Payload AVP
             4.1.3. EAP-Master-Session-Key AVP
             4.1.4. EAP-Key-Name AVP
             4.1.5. Accounting-EAP-Auth-Method AVP
   5.  AVP Occurrence Tables
       5.1.  EAP Command AVP Table
       5.2.  Accounting AVP Table
   6.  RADIUS/Diameter Interactions
       6.1.  RADIUS Request Forwarded as Diameter Request
       6.2.  Diameter Request Forwarded as RADIUS Request
       6.3.  Accounting Requests
   7.  IANA Considerations
   8.  Security Considerations
       8.1.  Overview
       8.2.  AVP Editing
       8.3.  Negotiation Attacks
       8.4.  Session Key Distribution
       8.5.  Privacy Issues
       8.6.  Note about EAP and Impersonation
   9.  Acknowledgements
   10. References
       10.1. Normative References
       10.2. Informative References

1. Introduction

The Extensible Authentication Protocol (EAP), defined in [EAP], is an authentication framework which supports multiple authentication mechanisms. EAP may be used on dedicated links, switched circuits, and wired as well as wireless links.


To date, EAP has been implemented with hosts and routers that connect via switched circuits or dial-up lines using PPP [RFC1661], IEEE 802 wired switches [IEEE-802.1X], and IEEE 802.11 wireless access points [IEEE-802.11i]. EAP has also been adopted for IPsec remote access in IKEv2 [IKEv2].


This document specifies the Diameter EAP application that carries EAP packets between a Network Access Server (NAS) working as an EAP Authenticator and a back-end authentication server. The Diameter EAP application is based on the Diameter Network Access Server Application [NASREQ] and is intended for environments similar to NASREQ.


In the Diameter EAP application, authentication occurs between the EAP client and its home Diameter server. This end-to-end authentication reduces the possibility for fraudulent authentication, such as replay and man-in-the-middle attacks. End-to-end authentication also provides a possibility for mutual authentication, which is not possible with PAP and CHAP in a roaming PPP environment.


The Diameter EAP application relies heavily on [NASREQ], and in earlier versions was part of the Diameter NASREQ application. It can also be used in conjunction with NASREQ, selecting the application based on the user authentication mechanism (EAP or PAP/CHAP). The Diameter EAP application defines new Command-Codes and Attribute-Value Pairs (AVPs), and can work together with RADIUS EAP support [RFC3579].


1.1. Conventions Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].


2. Extensible Authentication Protocol Support in Diameter

2.1. Advertising Application Support

Diameter nodes conforming to this specification MUST advertise support by including the Diameter EAP Application ID value of 5 in the Auth-Application-Id AVP of the Capabilities-Exchange-Request and Capabilities-Exchange-Answer command [BASE].


If the NAS receives a response with the Result-Code set to DIAMETER_APPLICATION_UNSUPPORTED [BASE], it indicates that the Diameter server in the home realm does not support EAP. If possible, the access device MAY attempt to negotiate another authentication protocol, such as PAP or CHAP. An access device SHOULD be cautious when determining whether a less secure authentication protocol will be used, since this could result from a downgrade attack (see Section 8.3).


2.2. Protocol Overview

The EAP conversation between the authenticating peer and the access device begins with the initiation of EAP within a link layer, such as PPP [RFC1661] or IEEE 802.11i [IEEE-802.11i]. Once EAP has been initiated, the access device will typically send a Diameter-EAP-Request message with an empty EAP-Payload AVP to the Diameter server, signifying an EAP-Start.


If the Diameter home server is willing to do EAP authentication, it responds with a Diameter-EAP-Answer message containing an EAP-Payload AVP that includes an encapsulated EAP packet. The Result-Code AVP in the message will be set to DIAMETER_MULTI_ROUND_AUTH, signifying that a subsequent request is expected. The EAP payload is forwarded by the access device to the EAP client. This is illustrated in the diagram below.


   User                             NAS                           Server
    |                                |                                |
    |        (initiate EAP)          |                                |
    |<------------------------------>|                                |
    |                                | Diameter-EAP-Request           |
    |                                | EAP-Payload(EAP Start)         |
    |                                |------------------------------->|
    |                                |                                |
    |                                |            Diameter-EAP-Answer |
    |                           Result-Code=DIAMETER_MULTI_ROUND_AUTH |
    |                                |    EAP-Payload(EAP Request #1) |
    |                                |<-------------------------------|
    |                 EAP Request #1 |                                |
    |<-------------------------------|                                |
    :                                :                                :
    :                        ...continues...                          :
        

The initial Diameter-EAP-Answer in a multi-round exchange normally includes an EAP-Request/Identity, requesting the EAP client to identify itself. Upon receipt of the EAP client's EAP-Response, the access device will then issue a second Diameter-EAP-Request message, with the client's EAP payload encapsulated within the EAP-Payload AVP.


A preferred approach is for the access device to issue the EAP-Request/Identity message to the EAP client, and forward the EAP-Response/Identity packet, encapsulated within the EAP-Payload AVP, as a Diameter-EAP-Request to the Diameter server (see the diagram below). This alternative reduces the number of Diameter message round trips. When the EAP-Request/Identity message is issued by the access device, it SHOULD interpret the EAP-Response/Identity packet returned by the authenticating peer, and copy its value to a User-Name AVP in Diameter-EAP-Request. This is useful in roaming environments, since the Destination-Realm is needed for routing purposes. Note that this alternative cannot be universally employed, as there are circumstances in which a user's identity is not needed (such as when authorization occurs based on a calling or called phone number).


   User                             NAS                           Server
    |                                |                                |
    |        (initiate EAP)          |                                |
    |<------------------------------>|                                |
    |                                |                                |
    |          EAP Request(Identity) |                                |
    |<-------------------------------|                                |
    |                                |                                |
    | EAP Response(Identity)         |                                |
    |------------------------------->|                                |
    |                                | Diameter-EAP-Request           |
    |                                | EAP-Payload(EAP Response)      |
    |                                |------------------------------->|
    :                                :                                :
    :                        ...continues...                          :
        

The conversation continues until the Diameter server sends a Diameter-EAP-Answer with a Result-Code AVP indicating success or failure, and an optional EAP-Payload. The Result-Code AVP is used by the access device to determine whether service is to be provided to the EAP client. The access device MUST NOT rely on the contents of the optional EAP-Payload to determine whether service is to be provided.


    :                        ...continued...                          :
    :                                :                                :
    | EAP Response #N                |                                |
    |------------------------------->|                                |
    |                                | Diameter-EAP-Request           |
    |                                | EAP-Payload(EAP Response #N)   |
    |                                |------------------------------->|
    |                                |                                |
    |                                |            Diameter-EAP-Answer |
    |                                |   Result-Code=DIAMETER_SUCCESS |
    |                                |       EAP-Payload(EAP Success) |
    |                                |       [EAP-Master-Session-Key] |
    |                                |           (authorization AVPs) |
    |                                |<-------------------------------|
    |                                |                                |
    |                    EAP Success |                                |
    |<-------------------------------|                                |
        

If authorization was requested, a Diameter-EAP-Answer with Result-Code set to DIAMETER_SUCCESS SHOULD also include the appropriate authorization AVPs required for the service requested (see Section 5 and [NASREQ]). In some cases, the home server may not be able to provide all necessary authorization AVPs; in this case, a separate authorization step MAY be used as described in Section 2.3.3. Diameter-EAP-Answer messages whose Result-Code AVP is set to DIAMETER_MULTI_ROUND_AUTH MAY include authorization AVPs.


A Diameter-EAP-Answer with successful Result-Code MAY also include an EAP-Master-Session-Key AVP that contains keying material for protecting the communication between the user and the NAS. Exactly how this keying material is used depends on the link layer in question, and is beyond the scope of this document.


A home Diameter server MAY request EAP re-authentication by issuing the Re-Auth-Request [BASE] message to the Diameter client.


Should an EAP authentication session be interrupted due to a home server failure, the session MAY be directed to an alternate server, but the authentication session will have to be restarted from the beginning.


2.3. Sessions and NASREQ Interaction

The previous section introduced the basic protocol between the NAS and the home server. Since the Diameter-EAP-Answer message may include a Master Session Key (MSK) for protecting the communication between the user and the NAS, one must ensure that this key does not fall into wrong hands.


Basic Diameter security mechanisms (IPsec and TLS) protect Diameter messages hop-by-hop. Since there are currently no end-to-end (NAS-to-home server) security mechanisms defined for Diameter, this section describes possible scenarios on how the messages could be transport protected using these hop-by-hop mechanisms.


This list of scenarios is not intended to be exhaustive, and it is possible to combine them. For instance, the first proxy agent after the NAS could use redirects as in Scenario 2 to bypass any additional proxy agents.


2.3.1. Scenario 1: Direct Connection

The simplest case is when the NAS contacts the home server directly. All authorization AVPs and EAP keying material are delivered by the home server.


   NAS                                                       home server
    |                                                                 |
    | Diameter-EAP-Request                                            |
    | Auth-Request-Type=AUTHORIZE_AUTHENTICATE                        |
    | EAP-Payload(EAP Start)                                          |
    |---------------------------------------------------------------->|
    |                                                                 |
    |                                             Diameter-EAP-Answer |
    |                           Result-Code=DIAMETER_MULTI_ROUND_AUTH |
    |                                        EAP-Payload(EAP Request) |
    |<----------------------------------------------------------------|
    |                                                                 |
    :              ...more EAP Request/Response pairs...              :
    |                                                                 |
    | Diameter-EAP-Request                                            |
    | EAP-Payload(EAP Response)                                       |
    |---------------------------------------------------------------->|
    |                                                                 |
    |                                             Diameter-EAP-Answer |
    |                                    Result-Code=DIAMETER_SUCCESS |
    |                                        EAP-Payload(EAP Success) |
    |                                          EAP-Master-Session-Key |
    |                                            (authorization AVPs) |
    |<----------------------------------------------------------------|
        

This scenario is the most likely to be used in small networks, or in cases where Diameter agents are not needed to provide routing or additional authorization AVPs.


2.3.2. Scenario 2: Direct Connection with Redirects

In this scenario the NAS uses a redirect agent to locate the home server. The rest of the session proceeds as before.


   NAS                      Local redirect agent             Home server
    |                                |                                |
    | Diameter-EAP-Request           |                                |
    | Auth-Request-Type=AUTHORIZE_AUTHENTICATE                        |
    | EAP-Payload(EAP Start)         |                                |
    |------------------------------->|                                |
    |                                |                                |
    |                       Diameter-EAP-Answer                       |
    |      Redirect-Host=homeserver.example.com                       |
    | Redirect-Host-Usage=REALM_AND_APPLICATION                       |
    |<-------------------------------|                                |
    |                                :                                |
    | Diameter-EAP-Request          :                                 |
    | Auth-Request-Type=AUTHORIZE_AUTHENTICATE                        |
    | EAP-Payload(EAP Start)        :                                 |
    |---------------------------------------------------------------->|
    |                                :                                |
    :      ...rest of the session continues as in first case...       :
    :                                :                                :
        

The advantage of this scenario is that knowledge of realms and home servers is centralized to a redirect agent, and it is not necessary to modify the NAS configuration when, for example, a new roaming agreement is made.


2.3.3. Scenario 3: Direct EAP, Authorization via Agents

In this scenario the EAP authentication is done directly with the home server (with Auth-Request-Type set to AUTHENTICATE_ONLY), and authorization AVPs are retrieved from local proxy agents. This scenario is intended for environments in which the home server cannot provide all the necessary authorization AVPs to the NAS.


   NAS                       Local proxy agent               Home server
    |                                :                                |
    | Diameter-EAP-Request           :                                |
    | Auth-Request-Type=AUTHENTICATE_ONLY                             |
    | EAP-Payload(EAP Start)         :                                |
    |---------------------------------------------------------------->|
    |                                :                                |
    |                                :            Diameter-EAP-Answer |
    |                           Result-Code=DIAMETER_MULTI_ROUND_AUTH |
    |                                :       EAP-Payload(EAP Request) |
    |<----------------------------------------------------------------|
    |                                :                                |
    :              ...more EAP Request/Response pairs...              :
    |                                :                                |
    | Diameter-EAP-Request           :                                |
    | EAP-Payload(EAP Response)      :                                |
    |---------------------------------------------------------------->|
    |                                :                                |
    |                                :            Diameter-EAP-Answer |
    |                                :   Result-Code=DIAMETER_SUCCESS |
    |                                :       EAP-Payload(EAP Success) |
    |                                :         EAP-Master-Session-Key |
    |                                :           (authorization AVPs) |
    |<----------------------------------------------------------------|
    |                                |                                |
    | AA-Request                     |                                |
    | Auth-Request-Type=AUTHORIZE_ONLY                                |
    | (some AVPs from first session) |                                |
    |------------------------------->|                                |
    |                                |                                |
    |                      AA-Answer |                                |
    |   Result-Code=DIAMETER_SUCCESS |                                |
    |           (authorization AVPs) |                                |
    |<-------------------------------|                                |
        

The NASREQ application is used here for authorization because the realm-specific routing table supports routing based on application, not on Diameter commands.


2.3.4. Scenario 4: Proxy Agents

This scenario is the same as Scenario 1, but the NAS contacts the home server through proxies. Note that the proxies can see the EAP session keys, so this scenario is not suitable for environments where the proxies cannot be trusted.


   NAS                    Local proxy/relay agent            Home server
    |                                |                                |
    |  Diameter-EAP-Request          |                                |
    |  Auth-Request-Type=AUTHORIZE_AUTHENTICATE                       |
    |  EAP-Payload(EAP Start)        |                                |
    |------------------------------->|------------------------------->|
    |                                |                                |
    |                                |           Diameter-EAP-Answer  |
    |                          Result-Code=DIAMETER_MULTI_ROUND_AUTH  |
    |                                |      EAP-Payload(EAP Request)  |
    |<-------------------------------|<-------------------------------|
    |                                :                                |
    :              ...more EAP Request/Response pairs...              :
    |                                :                                |
    |  Diameter-EAP-Request          |                                |
    |  EAP-Payload(EAP Response)     |                                |
    |------------------------------->|------------------------------->|
    |                                |                                |
    |                                |           Diameter-EAP-Answer  |
    |                                |  Result-Code=DIAMETER_SUCCESS  |
    |                                |      EAP-Payload(EAP Success)  |
    |                                |        EAP-Master-Session-Key  |
    |                                |          (authorization AVPs)  |
    |<-------------------------------|<-------------------------------|
        
2.4. Invalid Packets

While acting as a pass-through, the NAS MUST validate the EAP header fields (Code, Identifier, Length) prior to forwarding an EAP packet to or from the Diameter server. On receiving an EAP packet from the peer, the NAS checks the Code (Code 2=Response) and Length fields, and matches the Identifier value against the current Identifier, supplied by the Diameter server in the most recently validated EAP Request. On receiving an EAP packet from the Diameter server (encapsulated within a Diameter-EAP-Answer), the NAS checks the Code (Code 1=Request) and Length fields, then updates the current Identifier value. Pending EAP Responses that do not match the current Identifier value are silently discarded by the NAS.


Since EAP method fields (Type, Type-Data) are typically not validated by a NAS operating as a pass-through, despite these checks it is possible for a NAS to forward an invalid EAP packet to or from the Diameter server.


A Diameter server receiving an EAP-Payload AVP that it does not understand SHOULD determine whether the error is fatal or non-fatal based on the EAP Type. A Diameter server determining that a fatal error has occurred MUST send a Diameter-EAP-Answer with a failure Result-Code and an EAP-Payload AVP encapsulating an EAP Failure packet. A Diameter server determining that a non-fatal error has occurred MUST send a Diameter-EAP-Answer with DIAMETER_MULTI_ROUND_AUTH Result-Code, but no EAP-Payload AVP. To simplify RADIUS translation, this message MUST also include an EAP-Reissued-Payload AVP encapsulating the previous EAP Request sent by the server.


When receiving a Diameter-EAP-Answer without an EAP-Payload AVP (and DIAMETER_MULTI_ROUND_AUTH Result-Code), the NAS SHOULD discard the EAP-Response packet most recently transmitted to the Diameter server and check whether additional EAP Response packets that match the current Identifier value have been received. If so, a new EAP Response packet, if available, MUST be sent to the Diameter server within a Diameter-EAP-Request. If no EAP Response packet is available, then the previous EAP Request is resent to the peer, and the retransmission timer is reset.


In order to provide protection against Denial of Service (DoS) attacks, it is advisable for the NAS to allocate a finite buffer for EAP packets received from the peer, and to discard packets according to an appropriate policy once that buffer has been exceeded. Also, the Diameter server is advised to permit only a modest number of invalid EAP packets within a single session, prior to terminating the session with DIAMETER_AUTHENTICATION_REJECTED Result-Code. By default, a value of 5 invalid EAP packets is recommended.
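The NAS-side header checks and the server-side invalid-packet limit described in this section, as an added example rather than code from the RFC: the packet bytes are constructed, NasPassThrough and ServerSession are hypothetical helper classes, and the per-Type fatal/non-fatal decision is modelled as assumed local policy.

```python
import struct
from collections import deque

# EAP Code values from RFC 3748; the header is Code(1) Identifier(1) Length(2).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_HEADER_LEN = 4


def build_eap(code: int, ident: int, data: bytes = b"") -> bytes:
    """Build an EAP packet; Length counts the header plus data."""
    return struct.pack("!BBH", code, ident, EAP_HEADER_LEN + len(data)) + data


def parse_eap_header(pkt: bytes):
    """Return (code, identifier, length) or None when the header is unusable.

    Length covers the whole packet, so it must be at least 4 and must not
    claim more octets than were actually received.
    """
    if len(pkt) < EAP_HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:EAP_HEADER_LEN])
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        return None
    if length < EAP_HEADER_LEN or length > len(pkt):
        return None
    return code, ident, length


class NasPassThrough:
    """NAS side: validate headers, track the current Identifier, bound buffering."""

    def __init__(self, max_buffered: int = 4):
        self.current_id = None          # Identifier of the last validated Request
        self.pending = deque()          # finite buffer of peer Responses (DoS bound)
        self.max_buffered = max_buffered
        self.last_request = None        # kept so it can be resent to the peer

    def from_server(self, pkt: bytes) -> bool:
        """Check a Request arriving in a Diameter-EAP-Answer; update the Identifier."""
        hdr = parse_eap_header(pkt)
        if hdr is None or hdr[0] != EAP_REQUEST:
            return False
        self.current_id = hdr[1]
        self.last_request = pkt[: hdr[2]]
        return True

    def from_peer(self, pkt: bytes) -> str:
        """Classify a peer packet as 'queued', 'discarded' or 'invalid'."""
        hdr = parse_eap_header(pkt)
        if hdr is None or hdr[0] != EAP_RESPONSE:
            return "invalid"
        if hdr[1] != self.current_id or len(self.pending) >= self.max_buffered:
            return "discarded"          # stale Identifier, or buffer policy hit
        self.pending.append(pkt[: hdr[2]])
        return "queued"

    def next_to_forward(self):
        """Pop the next Response to carry in a Diameter-EAP-Request, if any."""
        return self.pending.popleft() if self.pending else None

    def on_answer_without_payload(self):
        """DEA with DIAMETER_MULTI_ROUND_AUTH but no EAP-Payload (non-fatal error):
        the rejected Response has already left the buffer; forward the next one
        matching the current Identifier, else resend the previous Request."""
        nxt = self.next_to_forward()
        if nxt is not None:
            return ("forward", nxt)
        return ("resend", self.last_request)   # caller also resets the retransmit timer


class ServerSession:
    """Home server side: tolerate only a few invalid EAP packets per session."""
    MAX_INVALID = 5                     # default recommended in Section 2.4

    def __init__(self, non_fatal_types=frozenset()):
        self.invalid = 0
        self.last_request = None
        self.non_fatal_types = non_fatal_types   # hypothetical local policy by EAP Type

    def send_request(self, ident: int, data: bytes) -> bytes:
        self.last_request = build_eap(EAP_REQUEST, ident, data)
        return self.last_request

    def on_invalid_response(self, pkt: bytes) -> dict:
        """AVPs of the Diameter-EAP-Answer for an EAP-Payload the server rejects."""
        self.invalid += 1
        hdr = parse_eap_header(pkt)
        ident = hdr[1] if hdr else 0
        eap_type = pkt[EAP_HEADER_LEN] if hdr and hdr[2] > EAP_HEADER_LEN else None
        if self.invalid > self.MAX_INVALID or eap_type not in self.non_fatal_types:
            # fatal, or too many invalid packets: failure Result-Code plus EAP Failure
            return {"Result-Code": "DIAMETER_AUTHENTICATION_REJECTED",
                    "EAP-Payload": build_eap(EAP_FAILURE, ident)}
        # non-fatal: keep the session open, omit EAP-Payload, reissue the Request
        return {"Result-Code": "DIAMETER_MULTI_ROUND_AUTH",
                "EAP-Reissued-Payload": self.last_request}
```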


2.5. Retransmission

As noted in [EAP], if an EAP packet is lost in transit between the authenticating peer and the NAS (or vice versa), the NAS will retransmit.


It may be necessary to adjust retransmission strategies and authentication time-outs in certain cases. For example, when a token card is used, additional time may be required to allow the user to find the card and enter the token. Since the NAS will typically not have knowledge of the required parameters, these need to be provided by the Diameter server.


If a Multi-Round-Time-Out AVP [BASE] is present in a Diameter-EAP-Answer message that also contains an EAP-Payload AVP, that value is used to set the EAP retransmission timer for that EAP Request and that Request alone.


2.6. Fragmentation

Using the EAP-Payload AVP, it is possible for the Diameter server to encapsulate an EAP packet that is larger than the MTU on the link between the NAS and the peer. Since it is not possible for the Diameter server to use MTU discovery to ascertain the link MTU, a Framed-MTU AVP may be included in a Diameter-EAP-Request message in order to provide the Diameter server with this information.


A Diameter server having received a Framed-MTU AVP in a Diameter-EAP-Request message MUST NOT send any subsequent packet in this EAP conversation containing EAP-Payload AVP whose length exceeds that specified by the Framed-MTU value, taking the link type (specified by the NAS-Port-Type AVP) into account. For example, as noted in [RFC3580] Section 3.10, for a NAS-Port-Type value of IEEE 802.11, the RADIUS server may send an EAP packet as large as Framed-MTU minus four (4) octets, taking into account the additional overhead for the IEEE 802.1X Version (1 octet), Type (1 octet) and Body Length (2 octets) fields.


2.7. Accounting

When a user is authenticated using EAP, the NAS MAY include an Accounting-Auth-Method AVP [NASREQ] with value 5 (EAP) in Accounting-Request messages. This document specifies one additional AVP for accounting messages. One or more Accounting-EAP-Auth-Method AVPs (see Section 4.1.5) MAY be included in Accounting-Request messages to indicate the EAP method(s) used to authenticate the user.


If the NAS has authenticated the user with a locally implemented EAP method, it knows the method used and SHOULD include it in an Accounting-EAP-Auth-Method AVP.


If the authentication was done using Diameter-EAP-Request/Answer messages, the Diameter server SHOULD include one or more Accounting-EAP-Auth-Method AVPs in Diameter-EAP-Answer packets with a successful result code. In this case, the NAS SHOULD include these AVPs in Accounting-Request messages.


2.8. Usage Guidelines
2.8.1. User-Name AVP

Unless the access device interprets the EAP-Response/Identity packet returned by the authenticating peer, it will not have access to the user's identity. Furthermore, some EAP methods support identity protection where the user's real identity is not included in EAP-Response/Identity. Therefore, the Diameter Server SHOULD return the user's identity by inserting a User-Name AVP in Diameter-EAP-Answer messages that have a Result-Code of DIAMETER_SUCCESS. A separate billing identifier or pseudonym MAY be used for privacy reasons (see Section 8.5). If the user's identity is not available to the NAS, the Session-Id AVP MAY be used for accounting and billing; however, operationally this could be very difficult to manage.


2.8.2. Conflicting AVPs

A Diameter-EAP-Answer message containing an EAP-Payload of type EAP-Success or EAP-Failure MUST NOT have the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH.


Some lower layers assume that the authorization decision is made by the EAP server, and thus the peer considers EAP Success as an indication that access was granted. In this case, the Result-Code SHOULD match the contained EAP packet: a successful Result-Code for EAP-Success, and a failure Result-Code for EAP-Failure. If the encapsulated EAP packet does not match the result implied by the Result-Code AVP, the combination is likely to cause confusion, because the NAS and peer will conclude the outcome of the authentication differently. For example, if the NAS receives a failure Result-Code with an encapsulated EAP Success, it will not grant access to the peer. However, on receiving the EAP Success, the peer will be led to believe that access was granted.


This situation can be difficult to avoid when Diameter proxy agents make authorization decisions (that is, proxies can change the Result-Code AVP sent by the home server). Because it is the responsibility of the Diameter server to avoid conflicts, the NAS MUST NOT "manufacture" EAP result packets in order to correct the contradictory messages that it receives. This behavior, originally mandated within [IEEE-802.1X], is now deprecated.


2.8.3. Displayable Messages

The Reply-Message AVP [NASREQ] MUST NOT be included in any Diameter message containing an EAP-Payload AVP.


2.8.4. Role Reversal

Some environments in which EAP is used, such as PPP, support peer-to-peer operation. Both parties act as authenticators and authenticatees at the same time, in two simultaneous and independent EAP conversations.


This specification is intended for communication between an EAP (pass-through) authenticator and a backend authentication server. A Diameter client MUST NOT send a Diameter-EAP-Request encapsulating an EAP Request packet, and a Diameter server receiving such a packet MUST respond with a failure Result-Code.
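A server-side consistency check covering the rules of Sections 2.6, 2.8.2, 2.8.3 and 2.8.4, added here as an example rather than code from the RFC: lint_dea and check_der_payload are hypothetical names, AVPs are modelled as a plain dict, the numeric Result-Code values are those of [BASE], and IEEE 802.11 is the only per-link overhead the text gives (other link types are assumed to need none).

```python
import struct

# EAP Code values (RFC 3748) and Diameter Result-Code values ([BASE], RFC 3588).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
DIAMETER_MULTI_ROUND_AUTH = 1001
DIAMETER_SUCCESS = 2001
DIAMETER_AUTHENTICATION_REJECTED = 4001

# Octets to subtract from Framed-MTU before sizing an EAP packet for the link.
# Section 2.6 gives the IEEE 802.11 case (EAPOL Version, Type, Body Length);
# any other NAS-Port-Type is assumed here to add no overhead.
LINK_OVERHEAD = {"IEEE 802.11": 4}


def build_eap(code: int, ident: int, data: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def max_eap_payload_len(framed_mtu: int, nas_port_type) -> int:
    """Largest EAP packet the server may place in an EAP-Payload for this link."""
    return framed_mtu - LINK_OVERHEAD.get(nas_port_type, 0)


def check_der_payload(payload: bytes):
    """Role-reversal guard (2.8.4): a DER carrying an EAP Request is answered
    with a failure Result-Code. An empty payload (EAP Start) is fine."""
    if payload and payload[0] == EAP_REQUEST:
        return {"Result-Code": DIAMETER_AUTHENTICATION_REJECTED}
    return None


def lint_dea(dea: dict, framed_mtu=None, nas_port_type=None) -> list:
    """Return the problems a server should catch before sending a DEA.

    `dea` maps AVP name -> value, with EAP-Payload as raw bytes.
    """
    problems = []
    result = dea.get("Result-Code")
    payload = dea.get("EAP-Payload")
    if "Reply-Message" in dea and payload is not None:
        problems.append("Reply-Message MUST NOT accompany an EAP-Payload (2.8.3)")
    if payload is None:
        # A non-fatal error answer carries no EAP-Payload but reissues the Request (2.4)
        if result == DIAMETER_MULTI_ROUND_AUTH and "EAP-Reissued-Payload" not in dea:
            problems.append("MULTI_ROUND_AUTH without EAP-Payload needs EAP-Reissued-Payload (2.4)")
        return problems
    code = payload[0]
    if code in (EAP_SUCCESS, EAP_FAILURE) and result == DIAMETER_MULTI_ROUND_AUTH:
        problems.append("EAP Success/Failure MUST NOT use DIAMETER_MULTI_ROUND_AUTH (2.8.2)")
    # Result-Code class (2xxx = success) should agree with the EAP outcome,
    # otherwise the NAS and the peer conclude the authentication differently.
    success = result is not None and 2000 <= result < 3000
    if code == EAP_SUCCESS and not success:
        problems.append("failure Result-Code with EAP Success: peer would assume access (2.8.2)")
    if code == EAP_FAILURE and success:
        problems.append("success Result-Code with EAP Failure (2.8.2)")
    if framed_mtu is not None:
        limit = max_eap_payload_len(framed_mtu, nas_port_type)
        if len(payload) > limit:
            problems.append(f"EAP-Payload of {len(payload)} octets exceeds link limit {limit} (2.6)")
    return problems
```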


2.8.5. Identifier Space

In EAP, each session has its own unique Identifier space. Diameter server implementations MUST be able to distinguish between EAP packets with the same Identifier existing within distinct EAP sessions and originating on the same NAS. This is done by using the Session-Id AVP.


If a Diameter NAS is in the middle of a multi-round authentication exchange, and it detects that the EAP session between the client and the NAS has been terminated, it MUST select a new Diameter Session-Id for any subsequent EAP sessions. This is necessary in order to distinguish a restarted EAP authentication process from the continuation of an ongoing process (by the same user on the same NAS and port).


In RADIUS, the same functionality can be achieved through the inclusion or omission of the State attribute. Translation rules in [NASREQ] ensure that an Access-Request without the State attribute maps to a new Diameter Session-Id AVP value. Furthermore, a translation agent will always include a State attribute in Access-Challenge messages, making sure that the State attribute is available for a RADIUS NAS.


3. Command-Codes

This section defines new Command-Code values that MUST be supported by all Diameter implementations conforming to this specification. The following commands are defined in this section:


      Command-Name             Abbrev.    Code       Reference
      --------------------------------------------------------
      Diameter-EAP-Request      DER       268          3.1
      Diameter-EAP-Answer       DEA       268          3.2
        

When the NASREQ AA-Request (AAR) or AA-Answer (AAA) commands are used for AUTHORIZE_ONLY messages in conjunction with EAP (see Section 2.3.3), an Application Identifier value of 1 (NASREQ) is used, and the commands follow the rules and ABNF defined in [NASREQ].


When the Re-Auth-Request (RAR), Re-Auth-Answer (RAA), Session-Termination-Request (STR), Session-Termination-Answer (STA), Abort-Session-Request (ASR), Abort-Session-Answer (ASA), Accounting-Request (ACR), and Accounting-Answer (ACA) commands are used together with the Diameter EAP application, they follow the rules in [NASREQ] and [BASE]. The accounting commands use an Application Identifier value of 3 (Diameter Base Accounting); the others use 0 (Diameter Common Messages).


3.1. Diameter-EAP-Request (DER) Command

The Diameter-EAP-Request (DER) command, indicated by the Command-Code field set to 268 and the 'R' bit set in the Command Flags field, is sent by a Diameter client to a Diameter server, and conveys an EAP-Response from the EAP client. The Diameter-EAP-Request MUST contain one EAP-Payload AVP containing the actual EAP payload. An EAP-Payload AVP with no data MAY be sent to the Diameter server to initiate an EAP authentication session.


The DER message MAY be the result of a multi-round authentication exchange that occurs when the DEA is received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH [BASE]. A subsequent DER message MUST include any State AVPs [NASREQ] that were present in the DEA. For re-authentication, it is recommended that the Identity request be skipped in order to reduce the number of authentication round trips. This is only possible when the user's identity is already known by the home Diameter server.


Message format


      <Diameter-EAP-Request> ::= < Diameter Header: 268, REQ, PXY >
                                 < Session-Id >
                                 { Auth-Application-Id }
                                 { Origin-Host }
                                 { Origin-Realm }
                                 { Destination-Realm }
                                 { Auth-Request-Type }
                                 [ Destination-Host ]
        
                                 [ NAS-Identifier ]
                                 [ NAS-IP-Address ]
                                 [ NAS-IPv6-Address ]
                                 [ NAS-Port ]
                                 [ NAS-Port-Id ]
                                 [ NAS-Port-Type ]
                                 [ Origin-State-Id ]
                                 [ Port-Limit ]
                                 [ User-Name ]
                                 { EAP-Payload }
                                 [ EAP-Key-Name ]
                                 [ Service-Type ]
                                 [ State ]
                                 [ Authorization-Lifetime ]
                                 [ Auth-Grace-Period ]
                                 [ Auth-Session-State ]
                                 [ Callback-Number ]
                                 [ Called-Station-Id ]
                                 [ Calling-Station-Id ]
                                 [ Originating-Line-Info ]
                                 [ Connect-Info ]
                               * [ Framed-Compression ]
                                 [ Framed-Interface-Id ]
                                 [ Framed-IP-Address ]
                               * [ Framed-IPv6-Prefix ]
                                 [ Framed-IP-Netmask ]
                                 [ Framed-MTU ]
                                 [ Framed-Protocol ]
                               * [ Tunneling ]
                               * [ Proxy-Info ]
                               * [ Route-Record ]
                               * [ AVP ]
        
        
3.2. Diameter-EAP-Answer (DEA) Command

The Diameter-EAP-Answer (DEA) message, indicated by the Command-Code field set to 268 and the 'R' bit cleared in the Command Flags field, is sent by the Diameter server to the client for one of the following reasons:


1. The message is part of a multi-round authentication exchange, and the server is expecting a subsequent Diameter-EAP-Request. This is indicated by setting the Result-Code to DIAMETER_MULTI_ROUND_AUTH, and MAY include zero or more State AVPs.


2. The EAP client has been successfully authenticated and authorized, in which case the message MUST include the Result-Code AVP indicating success, and SHOULD include an EAP-Payload of type EAP-Success. This event MUST cause the access device to provide service to the EAP client.


3. The EAP client has not been successfully authenticated and/or authorized, and the Result-Code AVP is set to indicate failure. This message SHOULD include an EAP-Payload, but this AVP is not used to determine whether service is to be provided.

3. EAP客户端尚未成功通过身份验证和/或授权,结果代码AVP设置为指示失败。此消息应包括EAP有效负载,但此AVP不用于确定是否提供服务。

If the message from the Diameter client included a request for authorization, a successful response MUST include the authorization AVPs that are relevant to the service being provided.

如果来自Diameter客户端的消息包含授权请求,则成功响应必须包含与所提供服务相关的授权AVP。

Message format

消息格式

      <Diameter-EAP-Answer> ::= < Diameter Header: 268, PXY >
                                < Session-Id >
                                { Auth-Application-Id }
                                { Auth-Request-Type }
                                { Result-Code }
                                { Origin-Host }
                                { Origin-Realm }
                                [ User-Name ]
                                [ EAP-Payload ]
                                [ EAP-Reissued-Payload ]
                                [ EAP-Master-Session-Key ]
                                [ EAP-Key-Name ]
                                [ Multi-Round-Time-Out ]
                                [ Accounting-EAP-Auth-Method ]
                                [ Service-Type ]
                              * [ Class ]
                              * [ Configuration-Token ]
                                [ Acct-Interim-Interval ]
                                [ Error-Message ]
                                [ Error-Reporting-Host ]
                              * [ Failed-AVP ]
                                [ Idle-Timeout ]
                                [ Authorization-Lifetime ]
                                [ Auth-Grace-Period ]
                                [ Auth-Session-State ]
                                [ Re-Auth-Request-Type ]
                                [ Session-Timeout ]
                                [ State ]
                              * [ Reply-Message ]
                                [ Origin-State-Id ]
                              * [ Filter-Id ]
                                [ Port-Limit ]
                                [ Callback-Id ]
                                [ Callback-Number ]
                                [ Framed-Appletalk-Link ]
                              * [ Framed-Appletalk-Network ]
                                [ Framed-Appletalk-Zone ]
                              * [ Framed-Compression ]
                                [ Framed-Interface-Id ]
                                [ Framed-IP-Address ]
                              * [ Framed-IPv6-Prefix ]
                                [ Framed-IPv6-Pool ]
                              * [ Framed-IPv6-Route ]
                                [ Framed-IP-Netmask ]
                              * [ Framed-Route ]
                                [ Framed-Pool ]
                                [ Framed-IPX-Network ]
                                [ Framed-MTU ]
                                [ Framed-Protocol ]
                                [ Framed-Routing ]
                              * [ NAS-Filter-Rule ]
                              * [ QoS-Filter-Rule ]
                              * [ Tunneling ]
                              * [ Redirect-Host ]
                                [ Redirect-Host-Usage ]
                                [ Redirect-Max-Cache-Time ]
                              * [ Proxy-Info ]
                              * [ AVP ]
        
4. Attribute-Value Pairs

This section both defines new AVPs, unique to the EAP Diameter application, and describes the usage of AVPs defined elsewhere (if that usage in the EAP application is noteworthy).

4.1. New AVPs

4.1.1. EAP-Payload AVP

The EAP-Payload AVP (AVP Code 462) is of type OctetString and is used to encapsulate the actual EAP packet that is being exchanged between the EAP client and the home Diameter server.

4.1.2. EAP-Reissued-Payload AVP

The EAP-Reissued-Payload AVP (AVP Code 463) is of type OctetString. The use of this AVP is described in Section 2.4.

4.1.3. EAP-Master-Session-Key AVP

The EAP-Master-Session-Key AVP (AVP Code 464) is of type OctetString. It contains keying material for protecting the communications between the user and the NAS. Exactly how this keying material is used depends on the link layer in question, and is beyond the scope of this document.

4.1.4. EAP-Key-Name AVP

The EAP-Key-Name AVP (Radius Attribute Type 102) is of type OctetString. It contains an opaque key identifier (name) generated by the EAP method. Exactly how this name is used depends on the link layer in question, and is beyond the scope of this document (see [EAPKey] for more discussion).

Note that not all link layers use this name, and currently most EAP methods do not generate it. Since the NAS operates in pass-through mode, it cannot know the Key-Name before receiving it from the AAA server. As a result, a Key-Name AVP sent in a Diameter-EAP-Request MUST NOT contain any data. A home Diameter server receiving a Diameter-EAP-Request with a Key-Name AVP with non-empty data MUST silently discard the AVP. In addition, the home Diameter server SHOULD include this AVP in Diameter-EAP-Response only if an empty EAP-Key-Name AVP was present in Diameter-EAP-Request.

4.1.5. Accounting-EAP-Auth-Method AVP

The Accounting-EAP-Auth-Method AVP (AVP Code 465) is of type Unsigned64. In case of expanded types [EAP, Section 5.7], this AVP contains the value ((Vendor-Id * 2^32) + Vendor-Type).

The use of this AVP is described in Section 2.7.

5. AVP Occurrence Tables

The following tables use these symbols:

   0     The AVP MUST NOT be present in the message
   0+    Zero or more instances of the AVP MAY be present in the message
   0-1   Zero or one instance of the AVP MAY be present in the message
   1     One instance of the AVP MUST be present in the message

Note that AVPs that can only be present within a Grouped AVP are not represented in these tables.

5.1. EAP Command AVP Table

The following table lists the AVPs that may be present in the DER and DEA Commands, as defined in this document; the AVPs listed are defined both here and in [NASREQ].

                                       +---------------+
                                       |  Command-Code |
                                       |-------+-------+
   Attribute Name                      |  DER  |  DEA  |
   ------------------------------------|-------+-------|
   Accounting-EAP-Auth-Method          |   0   |   0+  |
   Acct-Interim-Interval [BASE]        |   0   |  0-1  |
   Auth-Application-Id [BASE]          |   1   |   1   |
   Auth-Grace-Period [BASE]            |  0-1  |  0-1  |
   Auth-Request-Type [BASE]            |   1   |   1   |
   Auth-Session-State [BASE]           |  0-1  |  0-1  |
   Authorization-Lifetime [BASE]       |  0-1  |  0-1  |
   Callback-Id [NASREQ]                |   0   |  0-1  |
   Callback-Number [NASREQ]            |  0-1  |  0-1  |
   Called-Station-Id [NASREQ]          |  0-1  |   0   |
   Calling-Station-Id [NASREQ]         |  0-1  |   0   |
   Class [BASE]                        |   0   |   0+  |
   Configuration-Token [NASREQ]        |   0   |   0+  |
   Connect-Info [NASREQ]               |  0-1  |   0   |
   Destination-Host [BASE]             |  0-1  |   0   |
   Destination-Realm [BASE]            |   1   |   0   |
   EAP-Master-Session-Key              |   0   |  0-1  |
   EAP-Key-Name                        |  0-1  |  0-1  |
   EAP-Payload                         |   1   |  0-1  |
   EAP-Reissued-Payload                |   0   |  0-1  |
   Error-Message [BASE]                |   0   |  0-1  |
   Error-Reporting-Host [BASE]         |   0   |  0-1  |
   Failed-AVP [BASE]                   |   0   |   0+  |
   Filter-Id [NASREQ]                  |   0   |   0+  |
   Framed-Appletalk-Link [NASREQ]      |   0   |  0-1  |
   Framed-Appletalk-Network [NASREQ]   |   0   |   0+  |
   Framed-Appletalk-Zone [NASREQ]      |   0   |  0-1  |
   Framed-Compression [NASREQ]         |   0+  |   0+  |
   Framed-Interface-Id [NASREQ]        |  0-1  |  0-1  |
   Framed-IP-Address [NASREQ]          |  0-1  |  0-1  |
   Framed-IP-Netmask [NASREQ]          |  0-1  |  0-1  |
   Framed-IPv6-Prefix [NASREQ]         |   0+  |   0+  |
   Framed-IPv6-Pool [NASREQ]           |   0   |  0-1  |
   Framed-IPv6-Route [NASREQ]          |   0   |   0+  |
   Framed-IPX-Network [NASREQ]         |   0   |  0-1  |
   Framed-MTU [NASREQ]                 |  0-1  |  0-1  |
   Framed-Pool [NASREQ]                |   0   |  0-1  |
   Framed-Protocol [NASREQ]            |  0-1  |  0-1  |
   Framed-Route [NASREQ]               |   0   |   0+  |
   Framed-Routing [NASREQ]             |   0   |  0-1  |
   Idle-Timeout [NASREQ]               |   0   |  0-1  |
   Multi-Round-Time-Out [BASE]         |   0   |  0-1  |
   NAS-Filter-Rule [NASREQ]            |   0   |   0+  |
   NAS-Identifier [NASREQ]             |  0-1  |   0   |
   NAS-IP-Address [NASREQ]             |  0-1  |   0   |
   NAS-IPv6-Address [NASREQ]           |  0-1  |   0   |
   NAS-Port [NASREQ]                   |  0-1  |   0   |
   NAS-Port-Id [NASREQ]                |  0-1  |   0   |
   NAS-Port-Type [NASREQ]              |  0-1  |   0   |
   Originating-Line-Info [NASREQ]      |  0-1  |   0   |
   Origin-Host [BASE]                  |   1   |   1   |
   Origin-Realm [BASE]                 |   1   |   1   |
   Origin-State-Id [BASE]              |  0-1  |  0-1  |
   Port-Limit [NASREQ]                 |  0-1  |  0-1  |
   Proxy-Info [BASE]                   |   0+  |   0+  |
   QoS-Filter-Rule [NASREQ]            |   0   |   0+  |
   Re-Auth-Request-Type [BASE]         |   0   |  0-1  |
   Redirect-Host [BASE]                |   0   |   0+  |
   Redirect-Host-Usage [BASE]          |   0   |  0-1  |
   Redirect-Max-Cache-Time [BASE]      |   0   |  0-1  |
   Reply-Message [NASREQ]              |   0   |   0+  |
   Result-Code [BASE]                  |   0   |   1   |
   Route-Record [BASE]                 |   0+  |   0+  |
   Service-Type [NASREQ]               |  0-1  |  0-1  |
   Session-Id [BASE]                   |   1   |   1   |
   Session-Timeout [BASE]              |   0   |  0-1  |
   State [NASREQ]                      |  0-1  |  0-1  |
   Tunneling [NASREQ]                  |   0+  |   0+  |
   User-Name [BASE]                    |  0-1  |  0-1  |

5.2. Accounting AVP Table

The table in this section is used to represent which AVPs defined in this document are to be present in the Accounting messages, as defined in [BASE].

                                          +-----------+
                                          |  Command  |
                                          |    Code   |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-EAP-Auth-Method             |  0+ |  0  |
        
6. RADIUS/Diameter Interactions

Section 9 of [NASREQ] describes basic guidelines for translation agents that translate between RADIUS and Diameter protocols. These guidelines SHOULD be followed for Diameter EAP application as well, with some additional guidelines given in this section. Note that this document does not restrict implementations from creating additional methods, as long as the translation function does not violate the RADIUS or the Diameter protocols.

6.1. RADIUS Request Forwarded as Diameter Request

RADIUS Access-Request to Diameter-EAP-Request:

o RADIUS EAP-Message attribute(s) are translated to a Diameter EAP-Payload AVP. If multiple RADIUS EAP-Message attributes are present, they are concatenated and translated to a single Diameter EAP-Payload AVP.

o An empty RADIUS EAP-Message attribute (with length 2) signifies EAP-Start, and it is translated to an empty EAP-Payload AVP.

Diameter-EAP-Answer to RADIUS Access-Accept/Reject/Challenge:

o Diameter EAP-Payload AVP is translated to RADIUS EAP-Message attribute(s). If necessary, the value is split into multiple RADIUS EAP-Message attributes.

o Diameter EAP-Reissued-Payload AVP is translated to a message that contains RADIUS EAP-Message attribute(s), and a RADIUS Error-Cause attribute [RFC3576] with value 202 (decimal), "Invalid EAP Packet (Ignored)" [RFC3579].

o As described in [NASREQ], if the Result-Code AVP is set to DIAMETER_MULTI_ROUND_AUTH and the Multi-Round-Time-Out AVP is present, it is translated to the RADIUS Session-Timeout attribute.

o Diameter EAP-Master-Session-Key AVP can be translated to the vendor-specific RADIUS MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes [RFC2548]. The first up to 32 octets of the key is stored into MS-MPPE-Recv-Key, and the next up to 32 octets (if present) are stored into MS-MPPE-Send-Key. The encryption of this attribute is described in [RFC2548].

o Diameter Accounting-EAP-Auth-Method AVPs, if present, are discarded.

6.2. Diameter Request Forwarded as RADIUS Request

Diameter-EAP-Request to RADIUS Access-Request:

o The Diameter EAP-Payload AVP is translated to RADIUS EAP-Message attribute(s).

o An empty Diameter EAP-Payload AVP signifies EAP-Start, and is translated to an empty RADIUS EAP-Message attribute.

o The type (or expanded type) field from the EAP-Payload AVP can be saved either in a local state table, or encoded in a RADIUS Proxy-State attribute. This information is needed to construct an Accounting-EAP-Auth-Method AVP for the answer message (see below).

RADIUS Access-Accept/Reject/Challenge to Diameter-EAP-Answer:

o If the RADIUS Access-Challenge message does not contain an Error-Cause attribute [RFC3576] with value 202 (decimal), "Invalid EAP Packet (Ignored)" [RFC3579], any RADIUS EAP-Message attributes are translated to a Diameter EAP-Payload AVP, concatenating them if multiple attributes are present.

o If the Error-Cause attribute with value 202 is present, any RADIUS EAP-Message attributes are translated to a Diameter EAP-Reissued-Payload AVP, concatenating them if multiple attributes are present.

o As described in [NASREQ], if the Session-Timeout attribute is present in a RADIUS Access-Challenge message, it is translated to the Diameter Multi-Round-Time-Out AVP.

o If the vendor-specific RADIUS MS-MPPE-Recv-Key and/or MS-MPPE-Send-Key attributes [RFC2548] are present, they can be translated to a Diameter EAP-Master-Session-Key AVP. The attributes have to be decrypted before conversion, and the Salt, Key-Length and Padding sub-fields are discarded. The Key sub-fields are concatenated (MS-MPPE-Recv-Key first, MS-MPPE-Send-Key next), and the concatenated value is stored into a Diameter EAP-Master-Session-Key AVP.

o If the Diameter-EAP-Answer will have a successful result code, the saved state (see above) can be used to construct an Accounting-EAP-Auth-Method AVP.

6.3. Accounting Requests

In Accounting-Requests, the vendor-specific RADIUS MS-Acct-EAP-Type attribute [RFC2548] can be translated to a Diameter Accounting-EAP-Auth-Method AVP, and vice versa.

When translating from Diameter to RADIUS, note that the MS-Acct-EAP-Type attribute does not support expanded EAP types. Type values greater than 255 should be translated to type 254.
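The translation rules of Sections 4.1.5 and 6.1 to 6.3 worked through in code, as an added example that is not part of RFC 4072 or of any translation-agent product. Beyond what the page states, it assumes that EAP-Message is RADIUS attribute type 79 whose one-octet Length covers Type and Length (so at most 253 octets of EAP data fit per attribute), and that the MS-MPPE keys it handles have already been decrypted and stripped of their Salt, Key-Length and Padding sub-fields.

```python
"""Translation-agent helpers for the RADIUS <-> Diameter EAP mappings of
Sections 6.1-6.3 (added example; not code from RFC 4072 or any product).

Assumed, not stated on the page: a RADIUS attribute's one-octet Length
counts Type and Length, so EAP-Message (attribute type 79) carries at most
253 octets of EAP data; MS-MPPE keys are handled here already decrypted,
with the RFC 2548 Salt, Key-Length and Padding sub-fields removed.
"""
import struct
from typing import List, Optional, Tuple

RADIUS_EAP_MESSAGE = 79   # RADIUS attribute type of EAP-Message
MAX_ATTR_VALUE = 253      # 255 - Type octet - Length octet
EAP_TYPE_EXPANDED = 254   # expanded EAP type marker [EAP, Section 5.7]
MPPE_KEY_OCTETS = 32      # per MS-MPPE-Recv-Key / MS-MPPE-Send-Key (6.1)


def split_eap_payload(payload: bytes) -> List[bytes]:
    """Diameter EAP-Payload -> RADIUS EAP-Message values (Section 6.1).

    An empty EAP-Payload (EAP-Start) becomes one empty EAP-Message;
    longer payloads are cut into 253-octet pieces, in order.
    """
    if not payload:
        return [b""]
    return [payload[i:i + MAX_ATTR_VALUE]
            for i in range(0, len(payload), MAX_ATTR_VALUE)]


def encode_eap_message_attr(value: bytes) -> bytes:
    """Wire form of one EAP-Message attribute; EAP-Start is 2 octets (6.1)."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("EAP-Message value exceeds 253 octets")
    return bytes([RADIUS_EAP_MESSAGE, len(value) + 2]) + value


def join_eap_messages(values: List[bytes]) -> bytes:
    """RADIUS EAP-Message values -> Diameter EAP-Payload (Sections 6.1, 6.2)."""
    return b"".join(values)


def msk_to_mppe_keys(msk: bytes) -> Tuple[bytes, Optional[bytes]]:
    """EAP-Master-Session-Key -> (MS-MPPE-Recv-Key, MS-MPPE-Send-Key) (6.1).

    First up to 32 octets go to Recv-Key, the next up to 32 (if present)
    to Send-Key; octets beyond 64 have no RADIUS attribute and are dropped.
    """
    recv = msk[:MPPE_KEY_OCTETS]
    send = msk[MPPE_KEY_OCTETS:2 * MPPE_KEY_OCTETS]
    return recv, (send if send else None)


def mppe_keys_to_msk(recv: Optional[bytes], send: Optional[bytes]) -> bytes:
    """Decrypted Key sub-fields -> EAP-Master-Session-Key, Recv first (6.2)."""
    return (recv or b"") + (send or b"")


def eap_auth_method(eap_packet: bytes) -> int:
    """Accounting-EAP-Auth-Method value for an EAP packet (4.1.5, 6.2).

    Legacy types yield the Type octet itself; an expanded type (Type 254)
    yields (Vendor-Id * 2^32) + Vendor-Type from the 3-octet Vendor-Id and
    4-octet Vendor-Type that follow the Type octet.
    """
    if len(eap_packet) < 5:
        raise ValueError("EAP packet too short to carry a Type")
    code, _ident, length = struct.unpack("!BBH", eap_packet[:4])
    if code not in (1, 2) or length != len(eap_packet):
        raise ValueError("not a well-formed EAP Request/Response")
    eap_type = eap_packet[4]
    if eap_type != EAP_TYPE_EXPANDED:
        return eap_type
    if len(eap_packet) < 12:
        raise ValueError("expanded EAP type header truncated")
    vendor_id = int.from_bytes(eap_packet[5:8], "big")
    vendor_type = struct.unpack("!I", eap_packet[8:12])[0]
    return (vendor_id << 32) + vendor_type


def ms_acct_eap_type(method: int) -> int:
    """Accounting-EAP-Auth-Method -> MS-Acct-EAP-Type (Section 6.3).

    MS-Acct-EAP-Type cannot express expanded types, so any value above
    255 is reported as 254.
    """
    return 254 if method > 255 else method


if __name__ == "__main__":
    # Constructed sample: expanded-type EAP Request, Vendor-Id 0xABCD, Vendor-Type 7.
    pkt = bytes([1, 9, 0, 12, EAP_TYPE_EXPANDED, 0x00, 0xAB, 0xCD, 0, 0, 0, 7])
    method = eap_auth_method(pkt)
    print(method, ms_acct_eap_type(method))
```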

7. IANA Considerations

This document does not create any new namespaces to be maintained by IANA, but it requires new values in namespaces that have been defined in the Diameter Base protocol and RADIUS specifications.

o This document defines one new Diameter command (in Section 3) whose Command Code is allocated from the Command Code namespace defined in [BASE]. The Command Code for DER / DEA is 268.

o This document defines four new AVPs whose AVP Codes are allocated from the AVP Code namespace defined in [BASE] as follows:

462 for EAP-Payload (defined in Section 4.1.1), 463 for EAP-Reissued-Payload (defined in Section 4.1.2), 464 for EAP-Master-Session-Key (defined in Section 4.1.3), and 465 for Accounting-EAP-Auth-Method (defined in Section 4.1.5).

o This document defines one new AVP (attribute) whose AVP Code (Attribute Type) is to be allocated from the Attribute Type namespace defined in [RFC2865] and [RFC3575]. The Radius Attribute Type for EAP-Key-Name (defined in Section 4.1.4) is 102.

o This document defines one new Diameter application (in Section 2.1) whose Application ID is to be allocated from the Application Identifier namespace defined in [BASE]. The Application ID for Diameter EAP is 5.

8. Security Considerations

8.1. Overview

Diameter peer-to-peer connections can be protected with IPsec or TLS. These mechanisms are believed to provide sufficient protection under the normal Internet threat model, that is, assuming the authorized nodes engaging in the protocol have not been compromised, but the attacker has complete control over the communication channels between them. This includes eavesdropping, message modification, insertion, man-in-the-middle and replay attacks. The details and related security considerations are discussed in [BASE].

In addition to authentication provided by IPsec or TLS, authorization is also required. Here, authorization means determining if a Diameter message received from an authenticated Diameter peer should be accepted (and not authorization of users requesting network access from a NAS). In other words, when a Diameter server receives a Diameter-EAP-Request, it has to decide if the client is authorized to act as a NAS for the specific user, service type, and so on. Correspondingly, when a NAS contacts a server to send a Diameter-EAP-Request, it has to determine whether the server is authorized to act as home server for the realm in question.

Authorization can involve local Access Control Lists (ACLs), information contained in certificates, or some other means. See [BASE] for more discussion and related security considerations. Note that authorization issues are particularly relevant when Diameter redirects are used. While redirection reduces the number of nodes which have access to the contents of Diameter messages, a compromised Diameter agent may not supply the right home server's address. If the Diameter client is unable to tell whether this particular server is authorized to act as the home server for this particular user, the security of the communications rests on the redirect agent.

The hop-by-hop security mechanisms (IPsec and TLS) combined with proper authorization provide good protection against "outside" attackers, except for denial-of-service attacks. The remaining part of this section deals with attacks by nodes that have been properly authorized (to function as a NAS, Diameter agent, or Diameter server), but abuse their authorization or have been compromised. In general, it is not possible to completely protect against attacks by compromised nodes, but this section offers advice on limiting the extent of the damage.

Attacks involving eavesdropping or modification of EAP messages are beyond the scope of this document. See [EAP] for discussion of these security considerations (including method negotiation, dictionary attacks, and privacy issues). While these attacks can be carried out by an attacker between the client and the NAS, compromised NASes and Diameter agents are naturally also in a good position to modify and eavesdrop on the EAP messages.

Similarly, attacks involving the link layer protocol used between the client and the NAS, such as PPP or IEEE 802.11, are beyond the scope of this document.

8.2. AVP Editing
8.2. AVP编辑

Diameter agents can modify, insert, and delete AVPs. Diameter agents are usually meant to modify AVPs, and the protocol cannot distinguish well-intentioned and malicious modifications (see [RFC2607] for more discussion). Similarly, a compromised NAS or server can naturally include a different set of AVPs than expected.

Diameter代理可以修改、插入和删除AVP。Diameter代理通常用于修改AVP,协议无法区分善意和恶意修改(更多讨论请参见[RFC2607])。类似地,受损的NAS或服务器自然会包含与预期不同的AVP集。

Therefore, the question is what an attacker who compromises an authorized NAS, agent, or server can do using Diameter EAP messages. Some of the consequences are rather obvious. For instance, a Diameter agent can give access to unauthorized users by changing the Result-Code to DIAMETER_SUCCESS. Other consequences are less obvious and are discussed below and authentication method negotiation attacks are discussed in the next section.

因此,问题是,如果攻击者利用Diameter EAP消息破坏授权的NAS、代理或服务器,那么攻击者可以做什么。其中一些后果相当明显。例如,Diameter代理可以通过将结果代码更改为Diameter_SUCCESS,向未经授权的用户提供访问权限。其他后果不太明显,将在下面讨论,身份验证方法协商攻击将在下一节讨论。

By including suitable AVPs in an AA-Answer/Diameter-EAP-Answer messages, an attacker may be able (depending on implementation and configuration details) to:

通过在AA应答/Diameter EAP应答消息中包含合适的AVP,攻击者可能(取决于实现和配置详细信息)能够:

o Give unauthorized users access, or deny access to authorized users (Result-Code).

o 允许未授权用户访问,或拒绝授权用户访问(结果代码)。

o Give an attacker a login session to a host otherwise protected by firewalls, or redirect an authorized user's login session to a host controlled by the attacker (Login-Host).

o 向攻击者提供一个登录会话到防火墙保护的主机,或将授权用户的登录会话重定向到攻击者控制的主机(登录主机)。

o Route an authorized user's traffic through a host controlled by the attacker (various tunneling AVPs).

o 通过攻击者控制的主机(各种隧道AVP)路由授权用户的流量。

o Redirect an authorized user's DNS requests to a malicious DNS server (various vendor-specific AVPs).

o Modify routing tables at the NAS and thus redirect packets destined for someone else (Framed-Route, Framed-Routing).

o Remove packet filters and other restrictions for a user (Filter, Callback, various vendor-specific AVPs).

o Cause the NAS to call some number, possibly an expensive toll number controlled by the attacker (callback AVPs).

o Execute Command Line Interface (CLI) commands on the NAS (various vendor-specific attributes).

By modifying an AA-Request/Diameter-EAP-Request, an attacker may be able to:

o Change NAS-Identifier/NAS-Port/Origin-Host (or another attribute) so that a valid user appears to be accessing the network from a different NAS than in reality.

o Modify Calling-Station-ID (either to hide the true value, gain access, or frame someone else).

o Modify password change messages (some vendor-specific attributes).

o Modify usage information in accounting messages.

o Modify contents of Class and State AVPs.

Some of these attacks can be prevented if the NAS or server is configured to not accept some particular AVPs, or accepts them only from some nodes.
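
The per-node AVP acceptance policy described above, as an added example (not code from RFC 4072 or from any Diameter implementation): a NAS-side filter that accepts session-shaping AVPs and key material only from the peers configured to supply them, and fails closed for unknown peers. The AVP names are those cited in this section; the peer names and policy table are constructed for illustration.

```python
# Per-peer AVP acceptance policy for a Diameter NAS. Added example for this
# page, not code from RFC 4072 or any Diameter implementation. AVP names are
# those named in Section 8.2; peer names and policy tables are constructed.

# AVPs that, if accepted from the wrong node, let an agent reshape a user's
# routing, login host, filtering, callback or tunneling (Section 8.2 list).
SESSION_SHAPING_AVPS = {
    "Framed-Route", "Framed-Routing", "Login-Host", "Filter-Id",
    "Callback-Number", "Tunnel-Type", "Tunnel-Server-Endpoint",
}
BASE_AVPS = {"Result-Code", "EAP-Payload", "Session-Timeout", "Class", "State"}
MSK = "EAP-Master-Session-Key"
DIAMETER_SUCCESS = 2001

# Constructed policy: for each peer the NAS receives answers from, the AVPs
# that peer may supply. Key material and session-shaping AVPs are accepted
# only straight from the home server; an intermediate proxy gets neither.
ACCEPT_FROM = {
    "home.example.com": BASE_AVPS | SESSION_SHAPING_AVPS | {MSK},
    "proxy.example.net": BASE_AVPS,
}


def filter_answer(avps, received_from, policy=ACCEPT_FROM):
    """Split an answer's AVPs into (accepted_pairs, dropped_names).

    avps: list of (name, value) pairs in the order received.
    received_from: Origin-Host of the peer that delivered the answer.
    A peer missing from the policy is allowed nothing (fail closed).
    """
    allowed = policy.get(received_from, set())
    accepted, dropped = [], []
    for name, value in avps:
        if name in allowed:
            accepted.append((name, value))
        else:
            dropped.append(name)
    return accepted, dropped


def grant_access(avps, received_from, policy=ACCEPT_FROM):
    """Decide whether the NAS opens a keyed session for this answer.

    Returns (open_session, dropped_names). The session opens only when
    Result-Code is DIAMETER_SUCCESS and an MSK arrived from a peer trusted
    to carry keys. An answer whose MSK had to be stripped is treated as a
    failure, not as a success without keys (this NAS is assumed to need
    the MSK for link-layer protection, see Section 8.4).
    """
    accepted, dropped = filter_answer(avps, received_from, policy)
    values = dict(accepted)
    if values.get("Result-Code") != DIAMETER_SUCCESS:
        return False, dropped
    if MSK not in values:  # absent, or stripped because the peer is untrusted
        return False, dropped
    return True, dropped
```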

8.3. Negotiation Attacks

This section deals with attacks where the NAS, any Diameter agents, or Diameter server attempt to cause the authenticating user to choose some authentication method other than EAP, such as PAP or CHAP (negotiation attacks within EAP are discussed in [EAP], Section 7.8).

The vulnerability can be mitigated via implementation of a per-connection policy by the authenticating peer, and a per-user policy by the Diameter server. For the authenticating peer, the authentication policy should be set on a per-connection basis.

With a per-connection policy, an authenticating peer will only attempt to negotiate EAP for a session in which EAP support is expected. As a result, it is presumed that an authenticating peer selecting EAP requires that level of security. If it cannot be provided, there is likely a misconfiguration, or the authenticating peer may be contacting the wrong server. In this case, the authenticating peer simply disconnects.

Similarly, with a per-user policy, the home server will not accept authentication methods other than EAP for users for which EAP support is expected.

For a NAS, it may not be possible to determine whether a peer is required to authenticate with EAP until the peer's identity is known. For example, for shared-use NASes one reseller may implement EAP while another does not. Alternatively, some peer might be authenticated locally by the NAS while other peers are authenticated via Diameter. In such cases, if any peers of the NAS MUST do EAP, then the NAS MUST attempt to negotiate EAP for every session. This avoids forcing a peer to support more than one authentication type, which could weaken security.
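
The three policies of this section (per-connection at the peer, per-user at the home server, and the NAS rule of attempting EAP for every session) as an added example, not code from RFC 4072 or from any NAS or Diameter product. It traces one session through all three checks so that a downgrade from EAP to PAP or CHAP by a compromised NAS or agent can be seen to stop at the peer or, failing that, at the home server. User names, peer profiles and the scenario values are constructed.

```python
# Negotiation-attack policies from Section 8.3 modelled as three small checks.
# Added example for this page, not code from RFC 4072 or any NAS or Diameter
# product; user names, peer profiles and the scenario values are constructed.

EAP, PAP, CHAP = "EAP", "PAP", "CHAP"


def nas_method_order(peer_profiles):
    """Order in which the NAS tries authentication methods for every session.

    peer_profiles: {peer_id: method that peer MUST use, or None when that
    peer is authenticated locally}. The NAS cannot know which profile
    applies until the identity is known, so if any peer MUST do EAP the
    NAS attempts EAP first for all sessions (Section 8.3).
    """
    if EAP in peer_profiles.values():
        return [EAP, CHAP, PAP]
    return [CHAP, PAP]


def peer_accepts(connection_policy, offered):
    """Per-connection policy at the authenticating peer.

    A connection configured for EAP refuses any other method: either the
    NAS is misconfigured or the peer reached the wrong server, and the
    right reaction is to disconnect rather than fall back.
    """
    return connection_policy is None or offered == connection_policy


def home_server_accepts(user, method, eap_users):
    """Per-user policy at the Diameter home server.

    Users expected to authenticate with EAP are refused when the request
    arrives with PAP/CHAP credentials instead, whatever NAS or agent sent it.
    """
    return method == EAP or user not in eap_users


def negotiate(user, connection_policy, peer_profiles, eap_users, forced=None):
    """Trace one session through all three policies.

    forced: method a compromised NAS or agent substitutes for the NAS's
    normal first choice (None = honest NAS). Returns (outcome, stopped_by).
    """
    offered = forced or nas_method_order(peer_profiles)[0]
    if not peer_accepts(connection_policy, offered):
        return "disconnected", "peer"
    if not home_server_accepts(user, offered, eap_users):
        return "rejected", "home-server"
    return "accepted", None
```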

8.4. Session Key Distribution

Since there are currently no end-to-end (NAS-to-home server) security mechanisms specified for Diameter, any agents that process Diameter-EAP-Answer messages can see the contents of the EAP-Master-Session-Key AVP. For this reason, this specification strongly recommends avoiding Diameter agents when they cannot be trusted to keep the keys secret.

In environments where agents are present, several factors should be considered when deciding whether the agents that are authorized (and considered "trustworthy enough") to grant access to users and specify various authorization and tunneling AVPs are also "trustworthy enough" to handle the session keys. These factors include (but are not limited to) the type of access provided (e.g., public Internet or corporate intranet), the security level of the agents, and the possibilities for attacking the user's traffic after it has been decrypted by the NAS.

Note that the keys communicated in Diameter messages are usually short-term session keys (or short-term master keys that are used to derive session keys). To actually cause any damage, those session keys must end up with some malicious party that must also be able to eavesdrop on, modify, or insert traffic between the user and the NAS during the lifetime of those keys (for example, in 802.11i the attacker must also eavesdrop on the "four-way handshake").

8.5. Privacy Issues

Diameter messages can contain AVPs that can be used to identify the user (e.g., User-Name) and approximate location of the user (e.g., Origin-Host for WLAN access points, Calling-Station-Id for fixed phone lines). Thus, any Diameter nodes that process the messages may be able to determine the geographic location of users.

Note that in many cases, the user identity is also sent in the clear inside EAP-Payload AVPs, and it may be possible to eavesdrop on this between the user and the NAS.

This can be mitigated somewhat by using EAP methods that provide identity protection (see [EAP], Section 7.3), and using Session-Id or pseudonyms for accounting.

8.6. Note about EAP and Impersonation

If the EAP method used does not provide mutual authentication, obviously anyone can impersonate the network to the user. Even when EAP mutual authentication is used, it occurs between the user and the Diameter home server. See [EAPKey] for an extensive discussion about the details and their implications.

One issue is worth pointing out here. As described in [EAPKey], the current EAP architecture does not allow the home server to restrict what service parameters or identities (such as SSID or BSSID in 802.11 wireless LANs) are advertised by the NAS to the client. That is, a compromised NAS can change its BSSID or SSID, and thus appear to offer a different service than intended. Even if these parameters are included in Diameter-EAP-Answer messages, the NAS can tell different values to the client.

Therefore, the NAS's possession of the session keys proves that the user is talking to an authorized NAS, but a compromised NAS can lie about its exact identity. See [EAPKey] for discussion on how individual EAP methods can provide authentication of NAS service parameters and identities.

Note that the usefulness of this authentication may be rather limited in many environments. For instance, in wireless LANs the user does not usually securely know the identity (such as BSSID) of the "right" access point; it is simply picked from a beacon message that has the correct SSID and good signal strength (something that is easy to spoof). Thus, simply authenticating the identity may not allow the user to distinguish the "right" access point from all others.

9. Acknowledgements

This Diameter application relies heavily on earlier work on Diameter NASREQ application [NASREQ] and RADIUS EAP support [RFC3579]. Much of the material in this specification has been copied from these documents.

The authors would also like to acknowledge the following people for their contributions to this document: Bernard Aboba, Jari Arkko, Julien Bournelle, Pat Calhoun, Henry Haverinen, John Loughney, Yoshihiro Ohba, and Joseph Salowey.

10. References
10.1. Normative References

[BASE] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.

[EAP] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004.

[NASREQ] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, "Diameter Network Access Server Application", RFC 4005, August 2005.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

10.2. Informative References

[EAPKey] Aboba, B., Simon, D., Arkko, J., Eronen, P., and H. Levkowetz, "Extensible Authentication Protocol (EAP) Key Management Framework", Work in Progress, July 2004.

[IEEE-802.1X] Institute of Electrical and Electronics Engineers, "Local and Metropolitan Area Networks: Port-Based Network Access Control", IEEE Standard 802.1X, September 2001.

[IEEE-802.11i] Institute of Electrical and Electronics Engineers, "IEEE Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Amendment 6: Medium Access Control (MAC) Security Enhancements", IEEE Standard 802.11i-2004, July 2004.

[IKEv2] Kaufman, C., Ed., "Internet Key Exchange (IKEv2) Protocol", Work in Progress, June 2004.

[RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.

[RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes", RFC 2548, March 1999.

[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy Implementation in Roaming", RFC 2607, June 1999.

[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[RFC3575] Aboba, B., "IANA Considerations for RADIUS (Remote Authentication Dial In User Service)", RFC 3575, July 2003.

[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 3576, July 2003.

[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", RFC 3579, September 2003.

[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", RFC 3580, September 2003.

Authors' Addresses

Pasi Eronen (editor)
Nokia Research Center
P.O. Box 407
FIN-00045 Nokia Group
Finland

   EMail: pasi.eronen@nokia.com

Tom Hiller
Lucent Technologies
1960 Lucent Lane
Naperville, IL 60566
USA

   Phone: +1 630 979 7673
   EMail: tomhiller@lucent.com

Glen Zorn
Cisco Systems
500 108th Avenue N.E., Suite 500
Bellevue, WA 98004
USA

   Phone: +1 425 344 8113
   EMail: gwz@cisco.com

Full Copyright Statement

Copyright (C) The Internet Society (2005).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
