
Dynamic Authorization Proxying in the Remote Authentication Dial-In User Service (RADIUS) Protocol
draft-ietf-radext-coa-proxy-10

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: radext@ietf.org, The IESG <iesg@ietf.org>, stefan.winter@restena.lu, draft-ietf-radext-coa-proxy@ietf.org, radext-chairs@ietf.org, kaduk@mit.edu, Stefan Winter <stefan.winter@restena.lu>, rfc-editor@rfc-editor.org
Subject: Protocol Action: 'Dynamic Authorization Proxying in Remote Authorization Dial-In User Service Protocol (RADIUS)' to Proposed Standard (draft-ietf-radext-coa-proxy-10.txt)

The IESG has approved the following document:
- 'Dynamic Authorization Proxying in Remote Authorization Dial-In User
   Service Protocol (RADIUS)'
  (draft-ietf-radext-coa-proxy-10.txt) as Proposed Standard

This document is the product of the RADIUS EXTensions Working Group.

The IESG contact persons are Warren Kumari, Ignas Bagdonas and Benjamin Kaduk.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-radext-coa-proxy/


Ballot Text

Technical Summary:

   RFC 5176 defines Change of Authorization (CoA) and Disconnect Message
   (DM) behavior for RADIUS.  Section 3.1 of that document suggests that
   proxying these messages is possible, but gives no guidance as to how
   that is done. This omission means that proxying of CoA packets is,
   in practice, impossible. This specification corrects that omission for
   scenarios where networks use Realm-based proxying as defined in
   [RFC7542].
   It leverages an existing RADIUS attribute, Operator-Name (Section
   4.1 of [RFC5580]), to record the visited network for a particular
   session.  The document explains how that attribute can be used by CoA
   proxies to route packets "backwards" through a RADIUS proxy chain. It
   introduces a new attribute, Operator-NAS-Identifier, and shows how this
   attribute can increase privacy about the internal implementation of 
   the visited network.
   
Working Group Summary:

   The radext working group is rather light in attendance and discussion,
   and will shut down soon. With that said, this particular document got 
   a (comparatively) good amount of review and interest.

Document Quality:

   At least one RADIUS implementation has support for parts of this
   specification. In particular, the bit about replacing
   NAS-IP-Address/IPv6-Address/NAS-Identifier with
   Operator-NAS-Identifier when leaving one's own administrative domain
   is not implemented. The complexity of that functionality can be
   expected to be modest, though.

Personnel:

The Document Shepherd is Stefan Winter <stefan.winter@restena.lu>. The responsible area director is Benjamin Kaduk <kaduk@mit.edu>.

RFC Editor Note