Cisco Vendor-Specific RADIUS Attributes for the Delivery of Keying Material
RFC 6218
| Document | Type |
RFC - Informational
(April 2011; Errata)
Was draft-zorn-radius-keywrap (gen)
|
|
|---|---|---|---|
| Authors | Joseph Salowey , Tiebing Zhang , Glen Zorn , Jesse Walker | ||
| Last updated | 2020-01-21 | ||
| Stream | ISE | ||
| Formats | plain text html pdf htmlized with errata bibtex | ||
| Stream | ISE state | (None) | |
| Consensus Boilerplate | Unknown | ||
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 6218 (Informational) | |
| Telechat date | |||
| Responsible AD | Dan Romascanu | ||
| Send notices to | rfc-ise@rfc-editor.org | ||
Independent Submission G. Zorn
Request for Comments: 6218 Network Zen
Category: Informational T. Zhang
ISSN: 2070-1721 Advista Technologies
J. Walker
Intel Corporation
J. Salowey
Cisco Systems
April 2011
Cisco Vendor-Specific RADIUS Attributes for
the Delivery of Keying Material
Abstract
This document defines a set of vendor-specific RADIUS Attributes
designed to allow both the secure transmission of cryptographic
keying material and strong authentication of any RADIUS message.
These attributes have been allocated from the Cisco vendor-specific
space and have been implemented by multiple vendors.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6218.
IESG Note
The IESG has concluded that this work is related to IETF work done in
the RADEXT WG, but this relationship does not prevent publishing.
The IESG recommends that the RADEXT WG proceed with the work for an
interoperable modern key wrap solution using attributes from the
standard space as part of its charter.
Zorn, et al. Informational [Page 1]
RFC 6218 RADIUS Keying Material Transfer VSA April 2011
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction ....................................................2
2. Specification of Requirements ...................................3
3. Attributes ......................................................3
3.1. Keying-Material ............................................4
3.2. MAC-Randomizer .............................................9
3.3. Message-Authentication-Code ...............................11
4. Security Considerations ........................................16
5. Contributors ...................................................16
6. Acknowledgements ...............................................16
7. References .....................................................16
7.1. Normative References ......................................16
7.2. Informative References ....................................17
1. Introduction
This document defines a set of vendor-specific RADIUS Attributes,
allocated from the Cisco vendor space, that can be used to securely
transfer cryptographic keying material using standard techniques with
well-understood security properties. In addition, the Message-
Authentication-Code Attribute may be used to provide strong
authentication for any RADIUS message, including those used for
accounting and dynamic authorization.
These attributes were designed to provide stronger protection and
more flexibility than the currently defined Vendor-Specific
MS-MPPE-Send-Key and MS-MPPE-Recv-Key Attributes in [RFC2548] and the
Message-Authenticator Attribute in [RFC3579].
Many remote access deployments (for example, deployments utilizing
wireless LAN technology) require the secure transmission of
cryptographic keying material from a RADIUS [RFC2865] server to a
network access point. This material is usually produced as a
by-product of an Extensible Authentication Protocol (EAP) [RFC3748]
authentication and returned in the Access-Accept message following a
Zorn, et al. Informational [Page 2]
RFC 6218 RADIUS Keying Material Transfer VSA April 2011
successful authentication process. The keying material is of a form
Show full document text