Cisco Vendor-Specific RADIUS Attributes for the Delivery of Keying Material
RFC 6218
| Field | Value |
|---|---|
| Type | RFC - Informational (April 2011; Errata); was draft-zorn-radius-keywrap |
| Authors | Joseph Salowey, Tiebing Zhang, Glen Zorn, Jesse Walker |
| Last updated | 2020-01-21 |
| Stream | ISE |
| Formats | plain text, html, pdf, htmlized, with errata, bibtex |
| ISE state | (None) |
| Consensus Boilerplate | Unknown |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 6218 (Informational) |
| Telechat date | |
| Responsible AD | Dan Romascanu |
| Send notices to | rfc-ise@rfc-editor.org |
Independent Submission                                           G. Zorn
Request for Comments: 6218                                   Network Zen
Category: Informational                                         T. Zhang
ISSN: 2070-1721                                     Advista Technologies
                                                               J. Walker
                                                       Intel Corporation
                                                              J. Salowey
                                                           Cisco Systems
                                                              April 2011

Cisco Vendor-Specific RADIUS Attributes for the Delivery of Keying Material

Abstract

This document defines a set of vendor-specific RADIUS Attributes designed to allow both the secure transmission of cryptographic keying material and strong authentication of any RADIUS message. These attributes have been allocated from the Cisco vendor-specific space and have been implemented by multiple vendors.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6218.

IESG Note

The IESG has concluded that this work is related to IETF work done in the RADEXT WG, but this relationship does not prevent publishing. The IESG recommends that the RADEXT WG proceed with the work for an interoperable modern key wrap solution using attributes from the standard space as part of its charter.

Zorn, et al.                  Informational                     [Page 1]
RFC 6218          RADIUS Keying Material Transfer VSA         April 2011

Copyright Notice

Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Table of Contents

1. Introduction
2. Specification of Requirements
3. Attributes
   3.1. Keying-Material
   3.2. MAC-Randomizer
   3.3. Message-Authentication-Code
4. Security Considerations
5. Contributors
6. Acknowledgements
7. References
   7.1. Normative References
   7.2. Informative References

1. Introduction

This document defines a set of vendor-specific RADIUS Attributes, allocated from the Cisco vendor space, that can be used to securely transfer cryptographic keying material using standard techniques with well-understood security properties. In addition, the Message-Authentication-Code Attribute may be used to provide strong authentication for any RADIUS message, including those used for accounting and dynamic authorization. These attributes were designed to provide stronger protection and more flexibility than the currently defined Vendor-Specific MS-MPPE-Send-Key and MS-MPPE-Recv-Key Attributes in [RFC2548] and the Message-Authenticator Attribute in [RFC3579].

Many remote access deployments (for example, deployments utilizing wireless LAN technology) require the secure transmission of cryptographic keying material from a RADIUS [RFC2865] server to a network access point. This material is usually produced as a by-product of an Extensible Authentication Protocol (EAP) [RFC3748] authentication and returned in the Access-Accept message following a successful authentication process. The keying material is of a form