RADIUS EXTensions (radext)
--------------------------

 Charter
 Last Modified: 2009-06-03

 Current Status: Active Working Group

 Chair(s):
     Bernard Aboba  <Bernard_Aboba@hotmail.com>
     David Nelson  <d.b.nelson@comcast.net>

 Operations and Management Area Director(s):
     Dan Romascanu  <dromasca@avaya.com>
     Ronald Bonica  <rbonica@juniper.net>

 Operations and Management Area Advisor:
     Dan Romascanu  <dromasca@avaya.com>

 Technical Advisor(s):
     Paul Congdon  <paul.congdon@hp.com>

 Mailing Lists: 
     General Discussion:radiusext@ops.ietf.org
     To Subscribe:      radiusext-request@ops.ietf.org
         In Body:       subscribe
     Archive:           https://ops.ietf.org/lists/radiusext

Description of Working Group:

The RADIUS Extensions Working Group will focus on extensions to the
RADIUS protocol required to define extensions to the standard
attribute space as well as to address cryptographic algorithm
agility and use over new transports. In addition, RADEXT will
work on RADIUS Design Guidelines and define new attributes for
particular applications of authentication, authorization and
accounting such as NAS management and local area network (LAN) usage.

In order to enable interoperation of heterogeneous RADIUS/Diameter
deployments, all RADEXT WG work items MUST contain a Diameter
compatibility section, outlining how interoperability with
Diameter will be maintained.

Furthermore, to ensure backward compatibility with existing RADIUS
implementations, as well as compatibility between RADIUS and Diameter,
the following restrictions are imposed on extensions considered by the
RADEXT WG:

- All documents produced MUST specify means of interoperation with
legacy RADIUS and, if possible, be backward compatible with existing
RADIUS RFCs, including RFCs 2865-2869, 3162, 3575, 3579, 3580,
4668-4673, 4675, 5080, 5090 and 5176. Transport profiles should, if
possible, be compatible with RFC 3539.

- All RADIUS work MUST be compatible with equivalent facilities in
Diameter. Where possible, new attributes should be defined so that
the same attribute can be used in both RADIUS and Diameter without
translation. In other cases a translation considerations
section should be included in the specification.


Work Items

The immediate goals of the RADEXT working group are to address the
following issues:

- RADIUS design guidelines. This document will provide guidelines for
design of RADIUS attributes. It will specifically consider how
complex data types may be introduced in a robust manner, maintaining
backwards compatibility with existing RADIUS RFCs, across all the
classes of attributes: Standard, Vendor-Specific and SDO-Specific.
In addition, it will review RADIUS data types and associated
backwards compatibility issues.

- RADIUS Management authorization. This document will define the
use of RADIUS for NAS management over IP.

- RADIUS attribute space extension. The standard RADIUS attribute
space is currently being depleted. This document will provide
additional standard attribute space, while maintaining backward
compatibility with existing attributes.

- RADIUS Cryptographic Algorithm Agility. RADIUS has traditionally
relied on MD5 for both per-packet integrity and authentication as well
as attribute confidentiality. Given the increasingly successful
attacks being mounted against MD5, the ability to support
alternative algorithms is required. This work item will
include documentation of RADIUS crypto-agility requirements,
as well as development of one or more Experimental RFCs providing
support for negotiation of alternative cryptographic algorithms
to protect RADIUS.
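The two MD5 roles this work item refers to are the RFC 2865 Response Authenticator (per-packet integrity and authentication of replies) and User-Password hiding (attribute confidentiality). The following is an added illustration written for this charter, not code from the working group or any RADIUS implementation; the shared secret, Request Authenticator and attribute bytes are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed demonstration (not WG or vendor code) of the two MD5 uses
# named in the crypto-agility work item, as specified in RFC 2865.
# All secrets and authenticator values used with it are made up.

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, attrs, request_auth, secret):
    """Assemble a reply: 4-byte header, 16-byte authenticator, attributes."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, request_auth, secret):
    """Client-side check of a reply against the Request Authenticator it sent."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

def _xor_chain(data, request_auth, secret, decrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, mask))
        out += block
        prev = chunk if decrypt else block   # chain on ciphertext either way
    return out

def hide_password(password, request_auth, secret):
    """Pad with NULs to a multiple of 16 (at least one block), then chain-XOR."""
    pad = (-len(password)) % 16
    if not password:
        pad = 16
    return _xor_chain(password + b"\x00" * pad, request_auth, secret, decrypt=False)

def reveal_password(hidden, request_auth, secret):
    """Inverse of hide_password; strips the NUL padding."""
    return _xor_chain(hidden, request_auth, secret, decrypt=True).rstrip(b"\x00")
```

Note that the hiding construction offers no integrity on its own and that both mechanisms rest entirely on MD5 and the shared secret, which is exactly the dependency the agility work aims to remove.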

- IEEE 802 attributes. New attributes have been proposed to
support IEEE 802 standards for wired and wireless LANs. This
work item will support authentication, authorization and
accounting attributes needed by IEEE 802 groups including
IEEE 802.1, IEEE 802.11 and IEEE 802.16.

- New RADIUS transports. A reliable transport profile for
RADIUS will be developed, as well as specifications for
Secure transports, including TCP/TLS (RADSEC) and UDP/DTLS.

- Documentation of Status-Server usage. A document
describing usage of the Status-Server facility will be
developed.

 Goals and Milestones:

   Done         Updates to RFC 2618-2621 RADIUS MIBs submitted for publication 

   Done         SIP RADIUS authentication draft submitted as a Proposed 
                Standard RFC 

   Done         RFC 2486bis submitted as a Proposed Standard RFC 

   Done         RFC 3576 MIBs submitted as an Informational RFC 

   Done         RADIUS VLAN and Priority Attributes draft submitted as a 
                Proposed Standard RFC (reduced in scope) 

   Done         RADIUS Implementation Issues and Fixes draft submitted as an 
                Informational RFC 

   Done         RADIUS Filtering Attributes draft submitted as a Proposed 
                Standard RFC (split out from VLAN & Priority draft) 

   Done         RFC 3576bis submitted as an Informational RFC (split out from 
                Issues & Fixes draft) 

   Done         RADIUS Redirection Attributes draft submitted as a Proposed 
                Standard RFC (split out from VLAN & Priority draft) 

   Done         RADIUS Design Guidelines submitted as a Best Current Practice 
                RFC 

   Done         RADIUS Management Authorization I-D submitted as a Proposed 
                Standard RFC 

   Sep 2008       Extended Attributes I-D submitted as a Proposed Standard RFC 

   Sep 2008       RADIUS Crypto-agility Requirements submitted as an 
                Informational RFC 

   Dec 2008       IEEE 802 Attributes I-D submitted as a Proposed Standard RFC 

   Jan 2009       Reliable Transport Profile for RADIUS I-D submitted as a 
                Proposed Standard RFC 

   Mar 2009       Status-Server I-D submitted as a Proposed Standard RFC 

   Mar 2009       RADSEC (RADIUS over TCP/TLS) draft submitted as an Experimental 
                RFC 

   Jun 2009       RADIUS Cryptographic Algorithm Agility I-D submitted as an 
                Experimental RFC 

   Jun 2009       RADIUS over DTLS I-D submitted as an Experimental RFC 


 Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
Sep 2007 Feb 2010   <draft-ietf-radext-design-11.txt>
                RADIUS Design Guidelines 

Jun 2008 Mar 2010   <draft-ietf-radext-radsec-06.txt>
                TLS encryption for RADIUS 

Jun 2008 Feb 2010   <draft-ietf-radext-status-server-06.txt>
                Use of Status-Server Packets in the Remote Authentication Dial 
                In User Service (RADIUS) Protocol 

Dec 2008 Feb 2010   <draft-ietf-radext-tcp-transport-05.txt>
                RADIUS Over TCP 

Mar 2010 Mar 2010   <draft-ietf-radext-ipv6-access-00.txt>
                RADIUS attributes for IPv6 Access Networks 

 Request For Comments:

  RFC   Stat Published     Title
------- -- ----------- ------------------------------------
RFC4282 Standard  Dec 2005    The Network Access Identifier 

RFC4372 Standard  Jan 2006    Chargeable User Identity 

RFC4590 PS   Jul 2006    RADIUS Extension for Digest Authentication 

RFC4668 PS   Aug 2006    RADIUS Authentication Client MIB for IPV6 

RFC4669 PS   Aug 2006    RADIUS Authentication Server MIB for IPv6 

RFC4671 I    Aug 2006    RADIUS Accounting Server MIB for IPv6 

RFC4670 I    Aug 2006    RADIUS Accounting Client MIB for IPv6 

RFC4672 I    Sep 2006    RADIUS Dynamic Authorization Client MIB 

RFC4673 I    Sep 2006    RADIUS Dynamic Authorization Server MIB 

RFC4675 PS   Sep 2006    RADIUS Attributes for Virtual LAN and Priority Support 

RFC4818 PS   Apr 2007    RADIUS Delegated-IPv6-Prefix Attribute 

RFC4849 PS   Apr 2007    RADIUS Filter Rule Attribute 

RFC5080 PS   Dec 2007    Common Remote Authentication Dial In User Service 
                       (RADIUS) Implementation Issues and Suggested Fixes 

RFC5176 I    Jan 2008    Dynamic Authorization Extensions to Remote 
                       Authentication Dial In User Service (RADIUS) 

RFC5090 PS   Feb 2008    RADIUS Extension for Digest Authentication 

RFC5607 PS   Jul 2009    Remote Authentication Dial-In User Service (RADIUS) 
                       Authorization for Network Access Server (NAS) Management