
Issue: Multi-homed, multi-version IP stacks



Description of issue:
Submitter name: Dave Nelson / Bernard Aboba
Submitter email address: dnelson@enterasys.com
Date first submitted: July 20, 2005
Reference: RADEXT Issue 87
Document: Issues and Fixes draft
Comment type: T
Priority: '1' Should fix
Section: N/A
Rationale/Explanation of issue:

A sub-portion of the Issue 87 discussion is being filed as a new and
separate Issue.  The relevant portion of that discussion, contributed by
Bernard Aboba, follows.

"However, this does bring up another issue, which is how the RADIUS
server identifies the NAS if it is more than one hop away.  NASes can
have more than one IPv6 address and this makes it possible for a NAS
to put a link-scope address in the NAS-IPv6-Address field.  If the
proxy is on the same link as the RADIUS client, the RADIUS server
could receive a packet with a NAS-IPv6-Address as a link-local
address.

The same issue can occur with IPv4 Link Local, and of course a NAS can 
have more than one IPv4 and IPv6 address.

One potential suggestion might be to use the NAS-Identifier attribute 
in such a situation so as to avoid having to configure the RADIUS 
server with all potential NAS addresses."

Lengthy description of problem:

Requested change:
Proposed changes to the document.

"One potential suggestion might be to use the NAS-Identifier attribute 
in such a situation so as to avoid having to configure the RADIUS 
server with all potential NAS addresses."

"There are a number of situations in which a NAS may have multiple IP
addresses.  IPv4/IPv6 dual stack operation is one example, but it is
also possible for a NAS to have multiple IPv6 or IPv4 addresses.
A NAS that is a member of multiple VLANs would have an IPv4 address for
each VLAN.  A NAS also can have multiple IPv6 or IPv4 addresses on a
single interface.

[RFC2865] Section 5.44 states that only a single NAS-IP-Address
attribute may be included in an Access-Request, and that it may not be
included in other messages (Challenge, Reject, Accept).  Similarly,
[RFC3162] Section 3 provides the same restrictions for NAS-IPv6-Address.

Since RADIUS only looks at the packet source address to determine the
appropriate shared secret, if a NAS sends packets from different source
addresses, then the RADIUS server needs to have a shared secret for each
address.

My recommendation is that RADIUS clients with multiple addresses SHOULD
use the NAS-Identifier attribute instead of NAS-IPv4-Address or
NAS-IPv6-Address."
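
The following is an added example, not part of this issue filing or of
Bernard's text, that models the two behaviours discussed above in a few
lines of Python: a server that picks the shared secret purely by packet
source address (so the same NAS sending from a second address, e.g. its
link-local address via an on-link proxy, is an unknown client), and the
proposed alternative that picks the secret by NAS-Identifier.  The
alternative only stays safe because the server then verifies the
Message-Authenticator (HMAC-MD5 over the packet with the chosen secret,
RFC 2869), so a packet that merely claims another NAS's identifier is
rejected.  It also shows that a NAS-IPv6-Address carrying fe80::/10 is
not usable to identify the NAS off-link.  All addresses, identifiers and
secrets are constructed for the example.

```python
"""Added example: RADIUS client lookup by source address vs. by NAS-Identifier.
Addresses, identifiers and secrets below are constructed, not from any real NAS."""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1               # RFC 2865 5.1
ATTR_NAS_IDENTIFIER = 32         # RFC 2865 5.32
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 5.14
ATTR_NAS_IPV6_ADDRESS = 95       # RFC 3162


def encode_attrs(attrs):
    """TLV encoding: one-byte type, one-byte length that includes the 2 header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Return (type, value, offset_of_value) triples; reject malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length], i + 2))
        i += length
    return out


def build_access_request(secret, ident, attrs):
    """Access-Request whose Message-Authenticator is HMAC-MD5 over the whole packet
    with the attribute's own 16 bytes zeroed while the HMAC is computed."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator was encoded last


def message_authenticator_ok(secret, pkt):
    for t, v, off in decode_attrs(pkt[20:]):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16:
            start = 20 + off
            zeroed = pkt[:start] + bytes(16) + pkt[start + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
    return False


def get_attr(pkt, attr_type):
    return next((v for t, v, _ in decode_attrs(pkt[20:]) if t == attr_type), None)


def lookup_by_source(clients_by_addr, src, pkt):
    """Behaviour described in the message: the secret is chosen by source address only."""
    secret = clients_by_addr.get(src)
    if secret is None:
        return "unknown client"
    return "ok" if message_authenticator_ok(secret, pkt) else "bad Message-Authenticator"


def lookup_by_nas_identifier(clients_by_nas_id, pkt):
    """Suggested alternative: NAS-Identifier selects the secret. The attribute is
    unauthenticated until the HMAC check passes, so it is a hint, not proof of sender."""
    secret = clients_by_nas_id.get(get_attr(pkt, ATTR_NAS_IDENTIFIER))
    if secret is None:
        return "unknown client"
    return "ok" if message_authenticator_ok(secret, pkt) else "bad Message-Authenticator"


def nas_ipv6_address_usable(pkt):
    """A link-local NAS-IPv6-Address identifies nothing beyond the NAS's own link."""
    raw = get_attr(pkt, ATTR_NAS_IPV6_ADDRESS)
    return raw is not None and len(raw) == 16 and not ipaddress.IPv6Address(raw).is_link_local


def demo():
    secret, nas_id = b"s3cret-nas1", b"nas1.example.net"   # constructed
    global_addr, link_local = "2001:db8::10", "fe80::1"     # constructed
    clients_by_addr = {global_addr: secret}   # the only address the server was configured with
    clients_by_nas_id = {nas_id: secret}
    common = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IDENTIFIER, nas_id)]
    v6 = lambda a: [(ATTR_NAS_IPV6_ADDRESS, ipaddress.IPv6Address(a).packed)]
    from_global = build_access_request(secret, 1, common + v6(global_addr))
    from_link_local = build_access_request(secret, 2, common + v6(link_local))
    forged = build_access_request(b"wrong", 3, common)      # claims nas1, lacks its secret
    return {
        "src_global": lookup_by_source(clients_by_addr, global_addr, from_global),
        "src_link_local": lookup_by_source(clients_by_addr, link_local, from_link_local),
        "id_link_local": lookup_by_nas_identifier(clients_by_nas_id, from_link_local),
        "id_forged": lookup_by_nas_identifier(clients_by_nas_id, forged),
        "ipv6_attr_usable": nas_ipv6_address_usable(from_link_local),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` gives `src_link_local` as "unknown client" (the second
source address has no secret), `id_link_local` as "ok", and `id_forged` as
"bad Message-Authenticator": keying on NAS-Identifier removes the need to
configure every NAS address, but only the HMAC check binds the claimed
identifier to a NAS that actually holds the secret.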

archive: <http://psg.com/lists/radiusext/>