Skip to content

Commit 3b6a83c

Browse files
author
ietf-corpus-bot
committed
auto-ingest: ietf-elements backfill — 229 new elements (2026-07-05)
1 parent bcc3dec commit 3b6a83c

229 files changed

Lines changed: 2142 additions & 0 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-8559
2+
kind: design-rationale
3+
summary: CoA proxying as described in RFC 5176 is impossible in practice because proxies are stateless with respect to user sessions, RFC 5176 is silent on which attributes constitute session identification, and requiring session tracking would not scale for roaming consortia handling tens of millions of users. The solution is realm-based proxying on the reverse path using Operator-Name instead of User-Name.
4+
section: "2.3"
5+
topics:
6+
- radius
7+
- security
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-07-05"
Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
document: rfc-8559
2+
kind: design-rationale
3+
summary: The Operator-NAS-Identifier attribute is defined as an opaque token rather than exposing the NAS IP address directly. The rationale is that there is no compelling reason to make NAS topology information public to upstream proxies and home servers; however, the security of the attribute is not load-bearing since modification can only result in the erroneous transaction being rejected.
4+
section: "6.2"
5+
topics:
6+
- radius
7+
- privacy
8+
- security
9+
extracted_by: claude-sonnet-4-6
10+
extracted_at: "2026-07-05"
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
document: rfc-8559
2+
kind: interoperability-note
3+
summary: Some NAS implementations currently NAK any CoA packet containing a Proxy-State attribute, based on a literal reading of RFC 5176 Section 2.3. This document corrects that behavior by specifying that NASes MUST NOT treat proxy-signaling attributes as mandatory.
4+
section: 4.3.2
5+
topics:
6+
- radius
7+
extracted_by: claude-sonnet-4-6
8+
extracted_at: "2026-07-05"
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
document: rfc-8559
2+
kind: interoperability-note
3+
summary: This document updates RFC 5580 Section 5 to permit CoA-Request and Disconnect-Request packets to contain zero or one instance of the Operator-Name attribute. Previously RFC 5580 did not allow Operator-Name in these packet types.
4+
section: "3.2"
5+
topics:
6+
- radius
7+
extracted_by: claude-sonnet-4-6
8+
extracted_at: "2026-07-05"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-8559
2+
kind: normative-requirement
3+
summary: A home server MUST store Operator-NAS-Identifier along with user session identification attributes and MUST include verbatim any recorded Operator-NAS-Identifier when sending a CoA packet for that session. A home server MUST NOT send CoA packets for users of other networks.
4+
section: "4.1"
5+
rfc2119_level: MUST
6+
topics:
7+
- radius
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-07-05"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-8559
2+
kind: normative-requirement
3+
summary: Home networks that expect to send CoA packets to visited networks MUST record the Operator-Name attribute for each user session originating from a visited network. Without this record, the home network cannot determine where to route CoA packets.
4+
section: "3.1"
5+
rfc2119_level: MUST
6+
topics:
7+
- radius
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-07-05"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-8559
2+
kind: normative-requirement
3+
summary: If the Operator-NAS-Identifier attribute does not match a known NAS, the CoA server MUST return a NAK packet containing an Error-Cause Attribute with value 403 ('NAS Identification Mismatch').
4+
section: "3.3"
5+
rfc2119_level: MUST
6+
topics:
7+
- radius
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-07-05"
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
document: rfc-8559
2+
kind: normative-requirement
3+
summary: Proxies MUST pass Operator-Name and Operator-NAS-Identifier attributes through unchanged. All attributes added by a RADIUS proxy on the forward path MUST be removed by the corresponding CoA proxy on the reverse path, preserving symmetry of attribute editing.
4+
section: 4.3.2
5+
rfc2119_level: MUST
6+
topics:
7+
- radius
8+
extracted_by: claude-sonnet-4-6
9+
extracted_at: "2026-07-05"
Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
document: rfc-8559
2+
kind: normative-requirement
3+
summary: Proxies MUST perform a reverse path forwarding (RPF) check to verify that a CoA packet originates from an authorized Dynamic Authorization Client, strengthening the MAY in RFC 5176 Section 6.1. Where the check fails, the proxy MUST return a NAK with Error-Cause 502.
4+
section: 4.3.1
5+
rfc2119_level: MUST
6+
topics:
7+
- radius
8+
- security
9+
extracted_by: claude-sonnet-4-6
10+
extracted_at: "2026-07-05"
Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
document: rfc-8559
2+
kind: normative-requirement
3+
summary: The CoA server at the visited network MUST validate the NAI in Operator-Name against the list of realms it hosts. If not found, it MUST return a NAK with Error-Cause 502. It SHOULD also validate the User-Name NAI, and if the home network lacks permission, MUST return a NAK with Error-Cause 502.
4+
section: "3.3"
5+
rfc2119_level: MUST
6+
topics:
7+
- radius
8+
- security
9+
extracted_by: claude-sonnet-4-6
10+
extracted_at: "2026-07-05"

0 commit comments

Comments
 (0)