RADIUS Attributes
Permitted in RADIUS Attributes DHCP SuboptionOrangeRennes35000Francemohamed.boucadair@orange.comThe RADIUS Attributes suboption, specified in RFC 4014, enables a
DHCP relay agent to pass identification and authorization information
received during RADIUS authentication to a DHCP server. However, RFC
4014 defines a frozen list of RADIUS attributes that can be included in
such a suboption. This document updates RFC 4014 by relaxing that constraint and
allowing to tag additional RADIUS Attributes as permitted in the RADIUS
Attributes DHCP suboption.The RADIUS Attributes suboption ()
enables a network element to pass identification and authorization
attributes received during RADIUS authentication to a DHCP server . However,
defines a frozen set of RADIUS attributes that can be included in such a
suboption. This limitation is suboptimal in contexts where new services
are deployed (e.g., support of encrypted DNS ). updates RFC 4014 by relaxing that
constraint and allowing to tag additional RADIUS Attributes as permitted
in the RADIUS Attributes DHCP suboption. To that aim, a new IANA
registry is created to maintain the set of permitted attributes in the
RADIUS Attributes DHCP suboption. The maintenance of such a registry is
similar to the one in . defines the
DHCPv4-Options RADIUS attribute that can be used by a DHCP relay agent,
collocated with a RADIUS client, to pass attributes obtained from a
RADIUS server to a DHCP server. The DHCPv4-Options RADIUS attribute can,
for example, include a list of encrypted DNS resolvers.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
when, and
only when, they appear in all capitals, as shown here.This document updates Section 3 of
as follows:To avoid dependencies
between the address allocation and other state information between
the RADIUS server and the DHCP server, the DHCP relay agent SHOULD
include only the attributes in the table below in an instance of
the RADIUS Attributes suboption. The table, based on the analysis
in RFC 3580 [8], lists attributes that MAY be included:To avoid dependencies
between the address allocation and other state information between
the RADIUS server and the DHCP server, the DHCP relay agent SHOULD
include only the attributes in the IANA-maintained registry () in an instance of the RADIUS Attributes
suboption.This document updates Section 4 of
as follows:If the relay agent
relays RADIUS attributes not included in the table in Section 4,
the DHCP server SHOULD ignore them.If the relay agent
relays RADIUS attributes not included in the IANA-maintained
registry (), the DHCP server SHOULD
ignore them.IANA is requested to create a new sub-registry entitled "RADIUS
Attributes Permitted in RADIUS Attributes Sub-option" in the "Dynamic
Host Configuration Protocol (DHCP) and Bootstrap Protocol (BOOTP)
Parameters" registry .The allocation policy of this new sub-registry is Expert Review per
. Designated experts should carefully
consider the security implications of allowing the relay agent to
include new RADIUS attributes to this registry.The initial content of this sub-registry is listed in .Type CodeAttributeReference1User-NameRFC 28656Service-TypeRFC 286526Vendor-SpecificRFC 286527Session-TimeoutRFC 286588Framed-PoolRFC 2869100Framed-IPv6-PoolRFC 3162245.TBA1DHCPv4-OptionsThis-DocumentThis document does not add new security considerations to those
already discussed in Section 7 of .To be completed.Dynamic Host Configuration Protocol (DHCP) and Bootstrap
Protocol (BOOTP) ParametersIANA