RADIUS attribute from rfc3162


Framed-IPv6-Pool

This Attribute contains the name of an assigned pool that SHOULD
      be used to assign an IPv6 prefix for the user.  If a NAS does not
      support multiple prefix pools, the NAS MUST ignore this Attribute.

   A summary of the Framed-IPv6-Pool Attribute format is shown below.
   The fields are transmitted from left to right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |     String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      100 for Framed-IPv6-Pool

   Length

      >= 3

   String

      The string field contains the name of an assigned IPv6 prefix pool
      configured on the NAS.  The field is not NUL (hex 00) terminated.3.  Table of AttributesThe following table provides a guide to which attributes may be found
   in which kinds of packets, and in what quantity.

   Request Accept Reject Challenge Accounting  #  Attribute
                                   Request
   0-1     0      0      0         0-1        95  NAS-IPv6-Address
   0-1     0-1    0      0         0-1        96  Framed-Interface-Id
   0+      0+     0      0         0+         97  Framed-IPv6-Prefix
   0+      0+     0      0         0+         98  Login-IPv6-Host
   0       0+     0      0         0+         99  Framed-IPv6-Route
   0       0-1    0      0         0-1       100  Framed-IPv6-Pool4.  References   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels",,, March, 1997.

      Yergeau, F., "UTF-8, a transformation format of Unicode and ISO
         10646",, October 1996.

      Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
         Implementation in Roaming",, June 1999.

      Rigney, C., Rubens, A., Simpson, W. and S. Willens,  "Remote
         Authentication Dial In User Service (RADIUS)",, June
         2000.

      Rigney, C., "RADIUS Accounting",, June 2000.

      Zorn, G., Mitton, D. and B. Aboba, "RADIUS Accounting
         Modifications for Tunnel Protocol Support",, June
         2000.

      Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M.
         and I. Goyret, "RADIUS Attributes for Tunnel Protocol Support",, June 2000.

      Rigney, C., Willats, W. and P. Calhoun, "RADIUS Extensions",, June 2000.

      Kent S. and R. Atkinson, "Security Architecture for the
         Internet Protocol",, November 1998.

     Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA
         Considerations Section in RFCs",,, October
         1998.

     Haskin, D. and E. Allen, "IP Version 6 over PPP",,
         December 1998.

     Carpenter, B. and K. Moore, "Connection of IPv6 Domains via
         IPv4 Clouds",, February 2001.

     Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
         Specification",, December 1998.

     Carpenter, B. and C. Jung, "Transmission of IPv6 over IPv4
         Domains without Explicit Tunnels",, March 1999.  Gilligan, R. and E. Nordmark, "Transition Mechanisms for IPv6
         Hosts and Routers",, August 2000.

     Hinden, R. and S. Deering, "IP Version 6 Addressing
         Architecture",, July 1998.5.  Security ConsiderationsThis document describes the use of RADIUS for the purposes of
   authentication, authorization and accounting in IPv6-enabled
   networks.  In such networks, the RADIUS protocol may run either over
   IPv4 or over IPv6.  Known security vulnerabilities of the RADIUS
   protocol are described in ,  and .

   Since IPSEC  is mandatory to implement for IPv6, it is expected
   that running RADIUS implementations supporting IPv6 will typically
   run over IPSEC.  Where RADIUS is run over IPSEC and where
   certificates are used for authentication, it may be desirable to
   avoid management of RADIUS shared secrets, so as to leverage the
   improved scalability of public key infrastructure.

   Within RADIUS, a shared secret is used for hiding of attributes such
   as User-Password  and Tunnel-Password .  In addition, the
   shared secret is used in computation of the Response Authenticator
   , as well as the Message-Authenticator attribute .  Therefore,
   in RADIUS a shared secret is used to provide confidentiality as well
   as integrity protection and authentication.  As a result, only use of
   IPSEC ESP with a non-null transform can provide security services
   sufficient to substitute for RADIUS application-layer security.
   Therefore, where IPSEC AH or ESP null is used, it will typically
   still be necessary to configure a RADIUS shared secret.

   However, where RADIUS is run over IPSEC ESP with a non-null
   transform, the secret shared between the NAS and the RADIUS server
   MAY NOT be configured.  In this case, a shared secret of zero length
   MUST be assumed.6.  IANA ConsiderationsThis document requires the assignment of six new RADIUS attribute
   numbers for the following attributes:

      NAS-IPv6-Address
      Framed-Interface-Id
      Framed-IPv6-Prefix
      Login-IPv6-Host
      Framed-IPv6-Route
      Framed-IPv6-Pool

   Seefor the registered list of numbers.7.  AcknowledgmentsThe authors would like to acknowledge Jun-ichiro itojun Hagino of IIJ
   Research Laboratory, Darran Potter of Cisco and Carl Rigney of Lucent
   for contributions to this document.8.  Authors' AddressesBernard Aboba
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA 98052

   Phone: +1 425 936 6605
   Fax:   +1 425 936 7329
   EMail: [email protected]


   Glen Zorn
   Cisco Systems, Inc.
   500 108th Avenue N.E., Suite 500
   Bellevue, WA 98004

   Phone: +1 425 471 4861
   EMail: [email protected]


   Dave Mitton
   Circular Logic UnLtd.
   733 Turnpike Street #154
   North Andover, MA 01845

   Phone: 978 683-1814
   Email: [email protected] Copyright Statement

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Aboba, et al.               Standards Track