Cisco Vendor-Specific RADIUS Attributes for the Delivery of Keying Material
RFC 6218

Document Type RFC - Informational (April 2011; No errata)
Last updated 2015-10-14
Stream ISE
Stream ISE state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG state RFC 6218 (Informational)
Responsible AD Dan Romascanu
Send notices to rfc-ise@rfc-editor.org
Independent Submission                                           G. Zorn
Request for Comments: 6218                                   Network Zen
Category: Informational                                         T. Zhang
ISSN: 2070-1721                                     Advista Technologies
                                                               J. Walker
                                                       Intel Corporation
                                                              J. Salowey
                                                           Cisco Systems
                                                              April 2011

              Cisco Vendor-Specific RADIUS Attributes for
                    the Delivery of Keying Material

Abstract

   This document defines a set of vendor-specific RADIUS Attributes
   designed to allow both the secure transmission of cryptographic
   keying material and strong authentication of any RADIUS message.
   These attributes have been allocated from the Cisco vendor-specific
   space and have been implemented by multiple vendors.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6218.

IESG Note

   The IESG has concluded that this work is related to IETF work done in
   the RADEXT WG, but this relationship does not prevent publishing.
   The IESG recommends that the RADEXT WG proceed with the work for an
   interoperable modern key wrap solution using attributes from the
   standard space as part of its charter.

Zorn, et al.                  Informational                     [Page 1]
RFC 6218           RADIUS Keying Material Transfer VSA        April 2011

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1. Introduction ....................................................2
   2. Specification of Requirements ...................................3
   3. Attributes ......................................................3
      3.1. Keying-Material ............................................4
      3.2. MAC-Randomizer .............................................9
      3.3. Message-Authentication-Code ...............................11
   4. Security Considerations ........................................16
   5. Contributors ...................................................16
   6. Acknowledgements ...............................................16
   7. References .....................................................16
      7.1. Normative References ......................................16
      7.2. Informative References ....................................17

1.  Introduction

   This document defines a set of vendor-specific RADIUS Attributes,
   allocated from the Cisco vendor space, that can be used to securely
   transfer cryptographic keying material using standard techniques with
   well-understood security properties.  In addition, the Message-
   Authentication-Code Attribute may be used to provide strong
   authentication for any RADIUS message, including those used for
   accounting and dynamic authorization.

   These attributes were designed to provide stronger protection and
   more flexibility than the currently defined Vendor-Specific
   MS-MPPE-Send-Key and MS-MPPE-Recv-Key Attributes in [RFC2548] and the
   Message-Authenticator Attribute in [RFC3579].

   Many remote access deployments (for example, deployments utilizing
   wireless LAN technology) require the secure transmission of
   cryptographic keying material from a RADIUS [RFC2865] server to a
   network access point.  This material is usually produced as a
   by-product of an Extensible Authentication Protocol (EAP) [RFC3748]
   authentication and returned in the Access-Accept message following a
