Extended Attributes

RADEXT - Interim

Alan DeKokFreeRADIUS

RADEXT - Interim

Requirements• More RADIUS Attribute Types

• 256 is too limited• Standard support for “long”

attributes• > 253 octets

• Better grouping• RFC 2868 tags are inadequate

RADEXT - Interim

Un-Requirements• Systems which were discussed

and rejected• too complex• too limited• which can’t be applied to

existing RFCs

RADEXT - Interim

Current Attributes

Type

1 octet

Length

1 octet

Value …

1..253 octets

RADEXT - Interim

Extended Attributes

Type

1 octet

Length

1 octet

Ext-Type

1 octet

Value …

1..252 octets

RADEXT - Interim

That’s pretty much it.

• “Steal” one octet of “value” for extended types

• Allocate 4 attributes of this format• 241, 242, 243, 244

• Solves the “need more attributes” problem

• Allows for ~1K new attributes

RADEXT - Interim

Naming• We need to name the new attributes types.

• Use SNMP / IP Address style “dotted number”

• 241.{1-255}• 241.1 “This-Is-A-New-attr”

• Versus• 1 “User-Name”

• Naming applies only for the IANA registry

RADEXT - Interim

Grouping

• Better grouping by defining a TLV data type

• Already in WiMAX, 3GPP2, and other SDOs / vendors.

RADEXT - Interim

TLV Data Type

TLV-Type

1 octet

TLV-Length

1 octet

Value …

1..253 octets

RADEXT - Interim

TLV in Ext-AttributeType

1 octet

Length

1 octet = 9

Ext-Type

1 octet

TLV-Type

1 octet

TLV-Length

1 octet

Value …

4 octets

RADEXT - Interim

TLVs in Ext-Attribute

Type

1 octet

Length

1 octet = 29

Ext-Type

1 octet

TLV-Type

1 octet

TLV-Length

1 octet

Value …

4 octets

TLV-Type’

1 octet

TLV-Length’

1 octet

Value’ …

18 octets

RADEXT - Interim

TLV Properties• Can carry any existing or future data type• Including TLVs.

• Multiple TLVs can be on in one Ext-Attr• Nested or concatenated

• Nesting is limited only by TLV-Length field• 253 / 3 =~ 80

• Practicalities show a depth of 5 is sufficient

RADEXT - Interim

TLV Naming• Leverage the same “dotted number”

notation!• 241.1.2

• RADIUS Attr 241, of type “ext-attr”• Extended Attr 1, data type “tlv”• TLV 2, data type “integer”

• Allows for ~250 fields in a struct• Extends type space past 1K attributes

RADEXT - Interim

“Long” Attributes• Leverage the Ext-Type format• Allocate 2 attributes of this type

• 245, 246• Add another field: “flags”• Standard way to say “more than

253 octets of data”

RADEXT - Interim

Long Ext Attributes

Type

1 octet

Length

1 octet

Ext-Type

1 octet

Flags

1 octet

Value …

1..251 octets

RADEXT - Interim

Flags• 1 bit of “M” for More (or

continuation)• Same meaning as existing ext-

attrs / WiMAX• 7 bits of “reserved”

• We have no idea what to do with these

• It’s likely that these will never be used

RADEXT - Interim

Additional notes• 24{1-6}.26 are VSAs

• Allows for many more VSAs• 24{1-6}.{241-255} are reserved• No “experimental” or

“implementation-specific”• They have not been useful

• Detail instructions for IANA are included

RADEXT - Interim

Motivation• RADEXT discussions have been

long• We need a solution soon (i.e.

within 2-3 years)• All other solutions are more

complex• Attribute audit shows the needs to

be simple

Attribute AuditCount Data Type

2257 integer

1762 text

273 IPv4 Address

235 string

96 other data types

35 IPv6 Address

18 date

4 Interface Id

3 IPv6 Prefix

4683 Total

• Public dictionaries

• ~100 vendors• 55% or more

are “short” (<20 bytes)

• ~20 “long” attributes

RADEXT - Interim

Summary• > 1K of new attribute space

• With TLVs, potentially 10’s of 1000’s

• Grouping via TLVs• Proven to work in SDO VSAs

• Standard way to have “long” attrs• No more “ad hoc method”

RADEXT - Interim

Implementations

• In FreeRADIUS “stable” branch• http://git.freeradius.org

• Implements TLVs, basic type• No support for “long attrs”

RADEXT - Interim

Questions?