errata logo graphic

Found 1 record.

Status: Verified (1)

RFC6519, "RADIUS Extensions for Dual-Stack Lite", February 2012

Source of RFC: softwire (int)

Errata ID: 3372

Status: Verified
Type: Technical

Reported By: Alan DeKok
Date Reported: 2012-10-08
Verifier Name: Ralph Droms
Date Verified: 2013-03-12

Section 3 says:

   In the scenario depicted in Figure 2, the Access-Request packet
   contains a Service-Type attribute with the value Authorize Only (17);
   thus, according to [RFC5080], the Access-Request packet MUST contain
   a State attribute.

It should say:

    In the scenario depicted in Figure 2, the Access-Request packet
   contains a Service-Type attribute with the value Call-Check (10).

Notes:

The document references RFC 5080. However, the use of the State attribute in this document is wrong. The text in RFC 5080 clearly says that State is used to tie an "Authorize Only" request to a previous authentication. The text requiring State in "Authorize Only" is surrounded by explanations describing *why* it's required.

The original text in RFC 6519 appears to say that adding State magically satisfies the requirements of 5080. But it ignores all of the surrounding text.

The NAS can't simply invent a State attribute, to satisfy the requirement of 5080. It MUST get the State from a previous Access-Accept. Since there's no previous Access-Accept here, the use of Authorize-Only and State is wrong.

RFC 2865 suggests the use of "Service-Type = Call Check" for this kind of authorization checking:

Call Check

Used by the NAS in an Access-Request packet to
indicate that a call is being received and
that the RADIUS server should send back an
Access-Accept to answer the call, or an
Access-Reject to not accept the call,
typically based on the Called-Station-Id or
Calling-Station-Id attributes. It is
recommended that such Access-Requests use the
value of Calling-Station-Id as the value of
the User-Name


Report New Errata