RADIUS/Diameter Protocol Interactions - Page 5


9.3. AVPs Used Only for Compatibility


The AVPs defined in this section SHOULD only be used for backwards
compatibility when a Diameter/RADIUS translation function is invoked
and are not typically originated by Diameter systems during normal
operations.

                                          +---------------------+
                                          |    AVP Flag rules   |
                                          |----+-----+----+-----|----+
                  AVP  Section            |    |     |SHLD| MUST|    |
  Attribute Name  Code Defined Value Type |MUST| MAY | NOT| NOT|Encr|
  ----------------------------------------|----+-----+----+-----|----|
  NAS-Identifier   32  9.3.1   UTF8String | M  |  P  |    |  V  | Y  |
  NAS-IP-Address    4  9.3.2   OctetString| M  |  P  |    |  V  | Y  |
  NAS-IPv6-Address 95  9.3.3   OctetString| M  |  P  |    |  V  | Y  |
  State            24  9.3.4   OctetString| M  |  P  |    |  V  | Y  |
  Termination-    295  9.3.5   Enumerated | M  |  P  |    |  V  | Y  |
    Cause                                 |    |     |    |     |    |
  Origin-AAA-     408  9.3.6   Enumerated | M  |  P  |    |  V  | Y  |
    Protocol                              |    |     |    |     |    |
  ----------------------------------------|----+-----+----+-----|----|

9.3.1. NAS-Identifier AVP


The NAS-Identifier AVP (AVP Code 32) [RADIUS] is of type UTF8String
and contains the identity of the NAS providing service to the user.
This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent.
When this AVP is present, the Origin-Host AVP identifies the NAS
providing service to the user.
In RADIUS it would be possible for a rogue NAS to forge the
NAS-Identifier attribute. Diameter/RADIUS translation agents SHOULD
attempt to check a received NAS-Identifier attribute against the
source address of the RADIUS packet by doing an A/AAAA RR query. If
the NAS-Identifier attribute contains an FQDN, then such a query
would resolve to an IP address matching the source address. However,
the NAS-Identifier attribute is not required to contain an FQDN, so
such a query could fail. If it fails, an error should be logged, but
no action should be taken other than performing a reverse lookup on
the source address and inserting the resulting FQDN into the
Route-Record AVP.

Diameter agents and servers SHOULD check whether a NAS-Identifier AVP
corresponds to an entry in the Route-Record AVP. If no match is
found, then an error is logged, but no other action is taken.

9.3.2. NAS-IP-Address AVP


The NAS-IP-Address AVP (AVP Code 4) [RADIUS] is of type OctetString
and contains the IP Address of the NAS providing service to the user.
This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent.
When this AVP is present, the Origin-Host AVP identifies the NAS
providing service to the user.

In RADIUS it would be possible for a rogue NAS to forge the
NAS-IP-Address attribute value. Diameter/RADIUS translation agents
MUST check a received NAS-IP-Address or NAS-IPv6-Address attribute
against the source address of the RADIUS packet. If they do not match
and the Diameter/RADIUS translation agent does not know whether the
packet was sent by a RADIUS proxy or NAS (e.g., no Proxy-State
attribute), then by default it is assumed that the source address
corresponds to a RADIUS proxy, and that the NAS Address is behind
that proxy, potentially with some additional RADIUS proxies in
between. The Diameter/RADIUS translation agent MUST insert entries
in the Route-Record AVP corresponding to the apparent route. This
implies doing a reverse lookup on the source address and
NAS-IP-Address or NAS-IPv6-Address attributes to determine the
corresponding FQDNs.

If the source address and the NAS-IP-Address or NAS-IPv6-Address do
not match, and the Diameter/RADIUS translation agent knows that it is
talking directly to the NAS (e.g., there are no RADIUS proxies
between it and the NAS), then the error should be logged, and the
packet MUST be discarded.

Diameter agents and servers MUST check whether the NAS-IP-Address AVP
corresponds to an entry in the Route-Record AVP. This is done by
doing a reverse lookup (PTR RR) for the NAS-IP-Address to retrieve
the corresponding FQDN, and by checking for a match with the
Route-Record AVP. If no match is found, then an error is logged, but
no other action is taken.

9.3.3. NAS-IPv6-Address AVP


The NAS-IPv6-Address AVP (AVP Code 95) [RADIUSIPv6] is of type
OctetString and contains the IPv6 Address of the NAS providing
service to the user. This AVP SHOULD only be added by a
RADIUS/Diameter Translation Agent. When this AVP is present, the
Origin-Host AVP identifies the NAS providing service to the user.

In RADIUS it would be possible for a rogue NAS to forge the
NAS-IPv6-Address attribute. Diameter/RADIUS translation agents MUST
check a received NAS-IPv6-Address attribute against the source
address of the RADIUS packet. If they do not match and the
Diameter/RADIUS translation agent does not know whether the packet
was sent by a RADIUS proxy or NAS (e.g., no Proxy-State attribute),
then by default it is assumed that the source address corresponds to
a RADIUS proxy, and that the NAS-IPv6-Address is behind that proxy,
potentially with some additional RADIUS proxies in between. The
Diameter/RADIUS translation agent MUST insert entries in the
Route-Record AVP corresponding to the apparent route. This implies
doing a reverse lookup on the source address and NAS-IPv6-Address
attributes to determine the corresponding FQDNs.

If the source address and the NAS-IPv6-Address do not match, and the
Diameter/RADIUS translation agent knows that it is talking directly
to the NAS (e.g., there are no RADIUS proxies between it and the
NAS), then the error should be logged, and the packet MUST be
discarded.

Diameter agents and servers MUST check whether the NAS-IPv6-Address
AVP corresponds to an entry in the Route-Record AVP. This is done by
doing a reverse lookup (PTR RR) for the NAS-IPv6-Address to retrieve
the corresponding FQDN, and by checking for a match with the
Route-Record AVP. If no match is found, then an error is logged, but
no other action is taken.
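The following is an added example, not text or code from the specification, showing the two checks of sections 9.3.2 and 9.3.3 in working form: the translation agent's comparison of the NAS address with the RADIUS source address (discard on a known direct link, otherwise build Route-Record entries from reverse lookups), and the downstream Diameter server's PTR match against Route-Record. The reverse-lookup stub, the sample PTR data, the function names and the hop ordering (NAS first, then sender) are assumptions made here so the code runs offline.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed PTR data standing in for live DNS so the example runs offline.
SAMPLE_PTR: Dict[str, str] = {
    "192.0.2.10": "nas1.example.net",
    "192.0.2.1": "proxy1.example.net",
    "2001:db8::10": "nas6.example.net",
}


def reverse_lookup(addr: str) -> Optional[str]:
    """Hypothetical stand-in for a PTR RR query (assumption, not real DNS)."""
    return SAMPLE_PTR.get(addr)


@dataclass
class Verdict:
    discard: bool = False
    route_record: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def translate_nas_address(src_addr: str, nas_addr: str, direct_to_nas: Optional[bool],
                          lookup: Callable[[str], Optional[str]] = reverse_lookup) -> Verdict:
    """Translation-agent side of 9.3.2/9.3.3 (works for IPv4 and IPv6).
    direct_to_nas: True if the agent knows it talks straight to the NAS,
    False if it knows a proxy sits in between, None if unknown
    (e.g., no Proxy-State attribute)."""
    v = Verdict()
    src, nas = ipaddress.ip_address(src_addr), ipaddress.ip_address(nas_addr)
    if src != nas and direct_to_nas:
        # Known direct link, yet the NAS claims another address: log, discard.
        v.errors.append(f"NAS address {nas} != source {src} on direct link")
        v.discard = True
        return v
    # Match, or mismatch with a (presumed) proxy in between: record the
    # apparent route. Hop order NAS-then-sender is an assumption here.
    hops = [nas] if src == nas else [nas, src]
    for hop in hops:
        fqdn = lookup(str(hop))
        if fqdn is None:
            v.errors.append(f"no PTR record for {hop}")  # assumption: log, continue
        else:
            v.route_record.append(fqdn)
    return v


def server_check_nas_address(nas_addr: str, route_record: List[str],
                             lookup: Callable[[str], Optional[str]] = reverse_lookup) -> bool:
    """Diameter agent/server side: the PTR result for the NAS address must
    match a Route-Record entry. A miss is only logged by the caller."""
    fqdn = lookup(str(ipaddress.ip_address(nas_addr)))
    return fqdn is not None and fqdn in route_record
```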
