Rfcs As PDF

Network Working Group T.
Dierks
Request for Comments: 2246 Certicom
Category: Standards Track C. Allen
Certicom
January 1999
The TLS Protocol

Version 1.0
Status of this Memo
This document specifies an Internet standards track protocol for the

Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
This document specifies Version 1.0 of the Transport Layer Security

(TLS) protocol. The TLS protocol provides communications privacy over
the Internet. The protocol allows client/server applications to
communicate in a way that is designed to prevent eavesdropping,
tampering, or message forgery.
Table of Contents
1. Introduction 3
2. Goals 4
3. Goals of this document 5
4. Presentation language 5
4.1. Basic block size 6
4.2. Miscellaneous 6
4.3. Vectors 6
4.4. Numbers 7
4.5. Enumerateds 7
4.6. Constructed types 8
4.6.1. Variants 9
4.7. Cryptographic attributes 10
4.8. Constants 11
5. HMAC and the pseudorandom function 11
6. The TLS Record Protocol 13
6.1. Connection states 14
Dierks & Allen Standards Track [Page 1]

RFC 2246 The TLS Protocol Version 1.0 January 1999
6.2. Record layer 16

6.2.1. Fragmentation 16
6.2.2. Record compression and decompression 17
6.2.3. Record payload protection 18
6.2.3.1. Null or standard stream cipher 19
6.2.3.2. CBC block cipher 19
6.3. Key calculation 21
6.3.1. Export key generation example 22
7. The TLS Handshake Protocol 23
7.1. Change cipher spec protocol 24
7.2. Alert protocol 24
7.2.1. Closure alerts 25
7.2.2. Error alerts 26
7.3. Handshake Protocol overview 29
7.4. Handshake protocol 32
7.4.1. Hello messages 33
7.4.1.1. Hello request 33
7.4.1.2. Client hello 34
7.4.1.3. Server hello 36
7.4.2. Server certificate 37
7.4.3. Server key exchange message 39
7.4.4. Certificate request 41
7.4.5. Server hello done 42
7.4.6. Client certificate 43
7.4.7. Client key exchange message 43
7.4.7.1. RSA encrypted premaster secret message 44
7.4.7.2. Client Diffie-Hellman public value 45
7.4.8. Certificate verify 45
7.4.9. Finished 46
8. Cryptographic computations 47
8.1. Computing the master secret 47
8.1.1. RSA 48
8.1.2. Diffie-Hellman 48
9. Mandatory Cipher Suites 48
10. Application data protocol 48
A. Protocol constant values 49
A.1. Record layer 49
A.2. Change cipher specs message 50
A.3. Alert messages 50
A.4. Handshake protocol 51
A.4.1. Hello messages 51
A.4.2. Server authentication and key exchange messages 52
A.4.3. Client authentication and key exchange messages 53
A.4.4. Handshake finalization message 54
A.5. The CipherSuite 54
A.6. The Security Parameters 56
B. Glossary 57
C. CipherSuite definitions 61

D. Implementation Notes 64
D.1. Temporary RSA keys 64
D.2. Random Number Generation and Seeding 64
D.3. Certificates and authentication 65
D.4. CipherSuites 65
E. Backward Compatibility With SSL 66
E.1. Version 2 client hello 67
E.2. Avoiding man-in-the-middle version rollback 68
F. Security analysis 69
F.1. Handshake protocol 69
F.1.1. Authentication and key exchange 69
F.1.1.1. Anonymous key exchange 69
F.1.1.2. RSA key exchange and authentication 70
F.1.1.3. Diffie-Hellman key exchange with authentication 71
F.1.2. Version rollback attacks 71
F.1.3. Detecting attacks against the handshake protocol 72
F.1.4. Resuming sessions 72
F.1.5. MD5 and SHA 72
F.2. Protecting application data 72
F.3. Final notes 73
G. Patent Statement 74
Security Considerations 75
References 75
Credits 77
Comments 78
Full Copyright Statement 80
1. Introduction
The primary goal of the TLS Protocol is to provide privacy and data
integrity between two communicating applications. The protocol is
composed of two layers: the TLS Record Protocol and the TLS Handshake
Protocol. At the lowest level, layered on top of some reliable
transport protocol (e.g., TCP[TCP]), is the TLS Record Protocol. The
TLS Record Protocol provides connection security that has two basic
properties:
- The connection is private. Symmetric cryptography is used for

data encryption (e.g., DES [DES], RC4 [RC4], etc.) The keys for
this symmetric encryption are generated uniquely for each
connection and are based on a secret negotiated by another
protocol (such as the TLS Handshake Protocol). The Record
Protocol can also be used without encryption.
- The connection is reliable. Message transport includes a message

integrity check using a keyed MAC. Secure hash functions (e.g.,
SHA, MD5, etc.) are used for MAC computations. The Record
Protocol can operate without a MAC, but is generally only used in

this mode while another protocol is using the Record Protocol as

a transport for negotiating security parameters.
The TLS Record Protocol is used for encapsulation of various higher

level protocols. One such encapsulated protocol, the TLS Handshake
Protocol, allows the server and client to authenticate each other and
to negotiate an encryption algorithm and cryptographic keys before
the application protocol transmits or receives its first byte of
data. The TLS Handshake Protocol provides connection security that
has three basic properties:
- The peer's identity can be authenticated using asymmetric, or

public key, cryptography (e.g., RSA [RSA], DSS [DSS], etc.). This
authentication can be made optional, but is generally required
for at least one of the peers.
- The negotiation of a shared secret is secure: the negotiated

secret is unavailable to eavesdroppers, and for any authenticated
connection the secret cannot be obtained, even by an attacker who
can place himself in the middle of the connection.
- The negotiation is reliable: no attacker can modify the

negotiation communication without being detected by the parties
to the communication.
One advantage of TLS is that it is application protocol independent.

Higher level protocols can layer on top of the TLS Protocol
transparently. The TLS standard, however, does not specify how
protocols add security with TLS; the decisions on how to initiate TLS
handshaking and how to interpret the authentication certificates
exchanged are left up to the judgment of the designers and
implementors of protocols which run on top of TLS.
2. Goals
The goals of TLS Protocol, in order of their priority, are:
1. Cryptographic security: TLS should be used to establish a secure

connection between two parties.
2. Interoperability: Independent programmers should be able to

develop applications utilizing TLS that will then be able to
successfully exchange cryptographic parameters without knowledge
of one another's code.
3. Extensibility: TLS seeks to provide a framework into which new

public key and bulk encryption methods can be incorporated as
necessary. This will also accomplish two sub-goals: to prevent

the need to create a new protocol (and risking the introduction

of possible new weaknesses) and to avoid the need to implement an
entire new security library.
4. Relative efficiency: Cryptographic operations tend to be highly

CPU intensive, particularly public key operations. For this
reason, the TLS protocol has incorporated an optional session
caching scheme to reduce the number of connections that need to
be established from scratch. Additionally, care has been taken to
reduce network activity.
3. Goals of this document
This document and the TLS protocol itself are based on the SSL 3.0
Protocol Specification as published by Netscape. The differences
between this protocol and SSL 3.0 are not dramatic, but they are
significant enough that TLS 1.0 and SSL 3.0 do not interoperate
(although TLS 1.0 does incorporate a mechanism by which a TLS
implementation can back down to SSL 3.0). This document is intended
primarily for readers who will be implementing the protocol and those
doing cryptographic analysis of it. The specification has been
written with this in mind, and it is intended to reflect the needs of
those two groups. For that reason, many of the algorithm-dependent
data structures and rules are included in the body of the text (as
opposed to in an appendix), providing easier access to them.
This document is not intended to supply any details of service

definition nor interface definition, although it does cover select
areas of policy as they are required for the maintenance of solid
security.
4. Presentation language
This document deals with the formatting of data in an external

representation. The following very basic and somewhat casually
defined presentation syntax will be used. The syntax draws from
several sources in its structure. Although it resembles the
programming language "C" in its syntax and XDR [XDR] in both its
syntax and intent, it would be risky to draw too many parallels. The
purpose of this presentation language is to document TLS only, not to
have general application beyond that particular goal.

4.1. Basic block size
The representation of all data items is explicitly specified. The

basic data block size is one byte (i.e. 8 bits). Multiple byte data
items are concatenations of bytes, from left to right, from top to
bottom. From the bytestream a multi-byte item (a numeric in the
example) is formed (using C notation) by:
value = (byte[0] << 8*(n-1)) | (byte[1] << 8*(n-2)) |

... | byte[n-1];
This byte ordering for multi-byte values is the commonplace network

byte order or big endian format.
4.2. Miscellaneous
Comments begin with "/*" and end with "*/".
Optional components are denoted by enclosing them in "[[ ]]" double

brackets.
Single byte entities containing uninterpreted data are of type

opaque.
4.3. Vectors
A vector (single dimensioned array) is a stream of homogeneous data

elements. The size of the vector may be specified at documentation
time or left unspecified until runtime. In either case the length
declares the number of bytes, not the number of elements, in the
vector. The syntax for specifying a new type T' that is a fixed
length vector of type T is
T T'[n];
Here T' occupies n bytes in the data stream, where n is a multiple of

the size of T. The length of the vector is not included in the
encoded stream.
In the following example, Datum is defined to be three consecutive

bytes that the protocol does not interpret, while Data is three
consecutive Datum, consuming a total of nine bytes.
opaque Datum[3]; /* three uninterpreted bytes */

Datum Data[9]; /* 3 consecutive 3 byte vectors */

Variable length vectors are defined by specifying a subrange of legal

lengths, inclusively, using the notation <floor..ceiling>. When
encoded, the actual length precedes the vector's contents in the byte
stream. The length will be in the form of a number consuming as many
bytes as required to hold the vector's specified maximum (ceiling)
length. A variable length vector with an actual length field of zero
is referred to as an empty vector.
T T'<floor..ceiling>;
In the following example, mandatory is a vector that must contain

between 300 and 400 bytes of type opaque. It can never be empty. The
actual length field consumes two bytes, a uint16, sufficient to
represent the value 400 (see Section 4.4). On the other hand, longer
can represent up to 800 bytes of data, or 400 uint16 elements, and it
may be empty. Its encoding will include a two byte actual length
field prepended to the vector. The length of an encoded vector must
be an even multiple of the length of a single element (for example, a
17 byte vector of uint16 would be illegal).
opaque mandatory<300..400>;
/* length field is 2 bytes, cannot be empty */
uint16 longer<0..800>;
/* zero to 400 16-bit unsigned integers */
4.4. Numbers
The basic numeric data type is an unsigned byte (uint8). All larger
numeric data types are formed from fixed length series of bytes
concatenated as described in Section 4.1 and are also unsigned. The
following numeric types are predefined.
uint8 uint16[2];
uint8 uint24[3];
uint8 uint32[4];
uint8 uint64[8];
All values, here and elsewhere in the specification, are stored in

"network" or "big-endian" order; the uint32 represented by the hex
bytes 01 02 03 04 is equivalent to the decimal value 16909060.
4.5. Enumerateds
An additional sparse data type is available called enum. A field of

type enum can only assume the values declared in the definition.
Each definition is a different type. Only enumerateds of the same
type may be assigned or compared. Every element of an enumerated must

be assigned a value, as demonstrated in the following example. Since

the elements of the enumerated are not ordered, they can be assigned
any unique value, in any order.
enum { e1(v1), e2(v2), ... , en(vn) [[, (n)]] } Te;
Enumerateds occupy as much space in the byte stream as would its

maximal defined ordinal value. The following definition would cause
one byte to be used to carry fields of type Color.
enum { red(3), blue(5), white(7) } Color;
One may optionally specify a value without its associated tag to

force the width definition without defining a superfluous element.
In the following example, Taste will consume two bytes in the data
stream but can only assume the values 1, 2 or 4.
enum { sweet(1), sour(2), bitter(4), (32000) } Taste;
The names of the elements of an enumeration are scoped within the

defined type. In the first example, a fully qualified reference to
the second element of the enumeration would be Color.blue. Such
qualification is not required if the target of the assignment is well
specified.
Color color = Color.blue; /* overspecified, legal */

Color color = blue; /* correct, type implicit */
For enumerateds that are never converted to external representation,

the numerical information may be omitted.
enum { low, medium, high } Amount;
4.6. Constructed types
Structure types may be constructed from primitive types for

convenience. Each specification declares a new, unique type. The
syntax for definition is much like that of C.
struct {
T1 f1;
T2 f2;
...
Tn fn;
} [[T]];

The fields within a structure may be qualified using the type's name
using a syntax much like that available for enumerateds. For example,
T.f2 refers to the second field of the previous declaration.
Structure definitions may be embedded.
4.6.1. Variants
Defined structures may have variants based on some knowledge that is

available within the environment. The selector must be an enumerated
type that defines the possible variants the structure defines. There
must be a case arm for every element of the enumeration declared in
the select. The body of the variant structure may be given a label
for reference. The mechanism by which the variant is selected at
runtime is not prescribed by the presentation language.
struct {
T1 f1;
T2 f2;
....
Tn fn;
select (E) {
case e1: Te1;
case e2: Te2;
....
case en: Ten;
} [[fv]];
} [[Tv]];
For example:
enum { apple, orange } VariantTag;

struct {
uint16 number;
opaque string<0..10>; /* variable length */
} V1;
struct {
uint32 number;
opaque string[10]; /* fixed length */
} V2;
struct {
select (VariantTag) { /* value of selector is implicit */
case apple: V1; /* VariantBody, tag = apple */
case orange: V2; /* VariantBody, tag = orange */
} variant_body; /* optional label on variant */
} VariantRecord;
Variant structures may be qualified (narrowed) by specifying a value

for the selector prior to the type. For example, a

orange VariantRecord
is a narrowed type of a VariantRecord containing a variant_body of

type V2.
4.7. Cryptographic attributes
The four cryptographic operations digital signing, stream cipher

encryption, block cipher encryption, and public key encryption are
designated digitally-signed, stream-ciphered, block-ciphered, and
public-key-encrypted, respectively. A field's cryptographic
processing is specified by prepending an appropriate key word
designation before the field's type specification. Cryptographic keys
are implied by the current session state (see Section 6.1).
In digital signing, one-way hash functions are used as input for a

signing algorithm. A digitally-signed element is encoded as an opaque
vector <0..2^16-1>, where the length is specified by the signing
algorithm and key.
In RSA signing, a 36-byte structure of two hashes (one SHA and one
MD5) is signed (encrypted with the private key). It is encoded with
PKCS #1 block type 0 or type 1 as described in [PKCS1].
In DSS, the 20 bytes of the SHA hash are run directly through the
Digital Signing Algorithm with no additional hashing. This produces
two values, r and s. The DSS signature is an opaque vector, as above,
the contents of which are the DER encoding of:
Dss-Sig-Value ::= SEQUENCE {

r INTEGER,
s INTEGER
}
In stream cipher encryption, the plaintext is exclusive-ORed with an

identical amount of output generated from a cryptographically-secure
keyed pseudorandom number generator.
In block cipher encryption, every block of plaintext encrypts to a

block of ciphertext. All block cipher encryption is done in CBC
(Cipher Block Chaining) mode, and all items which are block-ciphered
will be an exact multiple of the cipher block length.
In public key encryption, a public key algorithm is used to encrypt

data in such a way that it can be decrypted only with the matching
private key. A public-key-encrypted element is encoded as an opaque
vector <0..2^16-1>, where the length is specified by the signing
algorithm and key.

An RSA encrypted value is encoded with PKCS #1 block type 2 as

described in [PKCS1].
In the following example:
stream-ciphered struct {
uint8 field1;
uint8 field2;
digitally-signed opaque hash[20];
} UserType;
The contents of hash are used as input for the signing algorithm,
then the entire structure is encrypted with a stream cipher. The
length of this structure, in bytes would be equal to 2 bytes for
field1 and field2, plus two bytes for the length of the signature,
plus the length of the output of the signing algorithm. This is known
due to the fact that the algorithm and key used for the signing are
known prior to encoding or decoding this structure.
4.8. Constants
Typed constants can be defined for purposes of specification by

declaring a symbol of the desired type and assigning values to it.
Under-specified types (opaque, variable length vectors, and
structures that contain opaque) cannot be assigned values. No fields
of a multi-element structure or vector may be elided.
For example,
struct {
uint8 f1;
uint8 f2;
} Example1;
Example1 ex1 = {1, 4}; /* assigns f1 = 1, f2 = 4 */
5. HMAC and the pseudorandom function
A number of operations in the TLS record and handshake layer required

a keyed MAC; this is a secure digest of some data protected by a
secret. Forging the MAC is infeasible without knowledge of the MAC
secret. The construction we use for this operation is known as HMAC,
described in [HMAC].
HMAC can be used with a variety of different hash algorithms. TLS

uses it in the handshake with two different algorithms: MD5 and SHA-
1, denoting these as HMAC_MD5(secret, data) and HMAC_SHA(secret,

data). Additional hash algorithms can be defined by cipher suites and

used to protect record data, but MD5 and SHA-1 are hard coded into
the description of the handshaking for this version of the protocol.
In addition, a construction is required to do expansion of secrets

into blocks of data for the purposes of key generation or validation.
This pseudo-random function (PRF) takes as input a secret, a seed,
and an identifying label and produces an output of arbitrary length.
In order to make the PRF as secure as possible, it uses two hash

algorithms in a way which should guarantee its security if either
algorithm remains secure.
First, we define a data expansion function, P_hash(secret, data)

which uses a single hash function to expand a secret and seed into an
arbitrary quantity of output:
P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +

HMAC_hash(secret, A(2) + seed) +
HMAC_hash(secret, A(3) + seed) + ...
Where + indicates concatenation.
A() is defined as:

A(0) = seed
A(i) = HMAC_hash(secret, A(i-1))
P_hash can be iterated as many times as is necessary to produce the

required quantity of data. For example, if P_SHA-1 was being used to
create 64 bytes of data, it would have to be iterated 4 times
(through A(4)), creating 80 bytes of output data; the last 16 bytes
of the final iteration would then be discarded, leaving 64 bytes of
output data.
TLS's PRF is created by splitting the secret into two halves and
using one half to generate data with P_MD5 and the other half to
generate data with P_SHA-1, then exclusive-or'ing the outputs of
these two expansion functions together.
S1 and S2 are the two halves of the secret and each is the same
length. S1 is taken from the first half of the secret, S2 from the
second half. Their length is created by rounding up the length of the
overall secret divided by two; thus, if the original secret is an odd
number of bytes long, the last byte of S1 will be the same as the
first byte of S2.
L_S = length in bytes of secret;

L_S1 = L_S2 = ceil(L_S / 2);

The secret is partitioned into two halves (with the possibility of

one shared byte) as described above, S1 taking the first L_S1 bytes
and S2 the last L_S2 bytes.
The PRF is then defined as the result of mixing the two pseudorandom
streams by exclusive-or'ing them together.
PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR

P_SHA-1(S2, label + seed);
The label is an ASCII string. It should be included in the exact form

it is given without a length byte or trailing null character. For
example, the label "slithy toves" would be processed by hashing the
following bytes:
73 6C 69 74 68 79 20 74 6F 76 65 73
Note that because MD5 produces 16 byte outputs and SHA-1 produces 20
byte outputs, the boundaries of their internal iterations will not be
aligned; to generate a 80 byte output will involve P_MD5 being
iterated through A(5), while P_SHA-1 will only iterate through A(4).
6. The TLS Record Protocol
The TLS Record Protocol is a layered protocol. At each layer,

messages may include fields for length, description, and content.
The Record Protocol takes messages to be transmitted, fragments the
data into manageable blocks, optionally compresses the data, applies
a MAC, encrypts, and transmits the result. Received data is
decrypted, verified, decompressed, and reassembled, then delivered to
higher level clients.
Four record protocol clients are described in this document: the

handshake protocol, the alert protocol, the change cipher spec
protocol, and the application data protocol. In order to allow
extension of the TLS protocol, additional record types can be
supported by the record protocol. Any new record types should
allocate type values immediately beyond the ContentType values for
the four record types described here (see Appendix A.2). If a TLS
implementation receives a record type it does not understand, it
should just ignore it. Any protocol designed for use over TLS must be
carefully designed to deal with all possible attacks against it.
Note that because the type and length of a record are not protected
by encryption, care should be take to minimize the value of traffic
analysis of these values.

6.1. Connection states
A TLS connection state is the operating environment of the TLS Record

Protocol. It specifies a compression algorithm, encryption algorithm,
and MAC algorithm. In addition, the parameters for these algorithms
are known: the MAC secret and the bulk encryption keys and IVs for
the connection in both the read and the write directions. Logically,
there are always four connection states outstanding: the current read
and write states, and the pending read and write states. All records
are processed under the current read and write states. The security
parameters for the pending states can be set by the TLS Handshake
Protocol, and the Handshake Protocol can selectively make either of
the pending states current, in which case the appropriate current
state is disposed of and replaced with the pending state; the pending
state is then reinitialized to an empty state. It is illegal to make
a state which has not been initialized with security parameters a
current state. The initial current state always specifies that no
encryption, compression, or MAC will be used.
The security parameters for a TLS Connection read and write state are
set by providing the following values:
connection end
Whether this entity is considered the "client" or the "server" in
this connection.
bulk encryption algorithm

An algorithm to be used for bulk encryption. This specification
includes the key size of this algorithm, how much of that key is
secret, whether it is a block or stream cipher, the block size of
the cipher (if appropriate), and whether it is considered an
"export" cipher.
MAC algorithm
An algorithm to be used for message authentication. This
specification includes the size of the hash which is returned by
the MAC algorithm.
compression algorithm
An algorithm to be used for data compression. This specification
must include all information the algorithm requires to do
compression.
master secret
A 48 byte secret shared between the two peers in the connection.
client random
A 32 byte value provided by the client.

server random
A 32 byte value provided by the server.
These parameters are defined in the presentation language as:
enum { server, client } ConnectionEnd;
enum { null, rc4, rc2, des, 3des, des40 } BulkCipherAlgorithm;
enum { stream, block } CipherType;
enum { true, false } IsExportable;
enum { null, md5, sha } MACAlgorithm;
enum { null(0), (255) } CompressionMethod;
/* The algorithms specified in CompressionMethod,

BulkCipherAlgorithm, and MACAlgorithm may be added to. */
struct {
ConnectionEnd entity;
BulkCipherAlgorithm bulk_cipher_algorithm;
CipherType cipher_type;
uint8 key_size;
uint8 key_material_length;
IsExportable is_exportable;
MACAlgorithm mac_algorithm;
uint8 hash_size;
CompressionMethod compression_algorithm;
opaque master_secret[48];
opaque client_random[32];
opaque server_random[32];
} SecurityParameters;
The record layer will use the security parameters to generate the
following six items:
client write MAC secret

server write MAC secret
client write key
server write key
client write IV (for block ciphers only)
server write IV (for block ciphers only)
The client write parameters are used by the server when receiving and
processing records and vice-versa. The algorithm used for generating
these items from the security parameters is described in section 6.3.

Once the security parameters have been set and the keys have been
generated, the connection states can be instantiated by making them
the current states. These current states must be updated for each
record processed. Each connection state includes the following
elements:
compression state
The current state of the compression algorithm.
cipher state
The current state of the encryption algorithm. This will consist
of the scheduled key for that connection. In addition, for block
ciphers running in CBC mode (the only mode specified for TLS),
this will initially contain the IV for that connection state and
be updated to contain the ciphertext of the last block encrypted
or decrypted as records are processed. For stream ciphers, this
will contain whatever the necessary state information is to allow
the stream to continue to encrypt or decrypt data.
MAC secret
The MAC secret for this connection as generated above.
sequence number
Each connection state contains a sequence number, which is
maintained separately for read and write states. The sequence
number must be set to zero whenever a connection state is made
the active state. Sequence numbers are of type uint64 and may not
exceed 2^64-1. A sequence number is incremented after each
record: specifically, the first record which is transmitted under
a particular connection state should use sequence number 0.
6.2. Record layer
The TLS Record Layer receives uninterpreted data from higher layers
in non-empty blocks of arbitrary size.
6.2.1. Fragmentation
The record layer fragments information blocks into TLSPlaintext

records carrying data in chunks of 2^14 bytes or less. Client message
boundaries are not preserved in the record layer (i.e., multiple
client messages of the same ContentType may be coalesced into a
single TLSPlaintext record, or a single message may be fragmented
across several records).
struct {
uint8 major, minor;
} ProtocolVersion;

enum {
change_cipher_spec(20), alert(21), handshake(22),
application_data(23), (255)
} ContentType;
struct {
ContentType type;
ProtocolVersion version;
uint16 length;
opaque fragment[TLSPlaintext.length];
} TLSPlaintext;
type
The higher level protocol used to process the enclosed fragment.
version
The version of the protocol being employed. This document
describes TLS Version 1.0, which uses the version { 3, 1 }. The
version value 3.1 is historical: TLS version 1.0 is a minor
modification to the SSL 3.0 protocol, which bears the version
value 3.0. (See Appendix A.1).
length
The length (in bytes) of the following TLSPlaintext.fragment.
The length should not exceed 2^14.
fragment
The application data. This data is transparent and treated as an
independent block to be dealt with by the higher level protocol
specified by the type field.
Note: Data of different TLS Record layer content types may be

interleaved. Application data is generally of lower precedence
for transmission than other content types.
6.2.2. Record compression and decompression
All records are compressed using the compression algorithm defined in

the current session state. There is always an active compression
algorithm; however, initially it is defined as
CompressionMethod.null. The compression algorithm translates a
TLSPlaintext structure into a TLSCompressed structure. Compression
functions are initialized with default state information whenever a
connection state is made active.

Compression must be lossless and may not increase the content length
by more than 1024 bytes. If the decompression function encounters a
TLSCompressed.fragment that would decompress to a length in excess of
2^14 bytes, it should report a fatal decompression failure error.
struct {
ContentType type; /* same as TLSPlaintext.type */
ProtocolVersion version;/* same as TLSPlaintext.version */
uint16 length;
opaque fragment[TLSCompressed.length];
} TLSCompressed;
length
The length (in bytes) of the following TLSCompressed.fragment.
The length should not exceed 2^14 + 1024.
fragment
The compressed form of TLSPlaintext.fragment.
Note: A CompressionMethod.null operation is an identity operation; no

fields are altered.
Implementation note:
Decompression functions are responsible for ensuring that
messages cannot cause internal buffer overflows.
6.2.3. Record payload protection
The encryption and MAC functions translate a TLSCompressed structure

into a TLSCiphertext. The decryption functions reverse the process.
The MAC of the record also includes a sequence number so that
missing, extra or repeated messages are detectable.
struct {
ContentType type;
uint16 length;
select (CipherSpec.cipher_type) {
case stream: GenericStreamCipher;
case block: GenericBlockCipher;
} fragment;
} TLSCiphertext;
type
The type field is identical to TLSCompressed.type.
version
The version field is identical to TLSCompressed.version.

length
The length (in bytes) of the following TLSCiphertext.fragment.
The length may not exceed 2^14 + 2048.
fragment
The encrypted form of TLSCompressed.fragment, with the MAC.
6.2.3.1. Null or standard stream cipher
Stream ciphers (including BulkCipherAlgorithm.null - see Appendix

A.6) convert TLSCompressed.fragment structures to and from stream
TLSCiphertext.fragment structures.
opaque content[TLSCompressed.length];
opaque MAC[CipherSpec.hash_size];
} GenericStreamCipher;
The MAC is generated as:
HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +

TLSCompressed.version + TLSCompressed.length +
TLSCompressed.fragment));
where "+" denotes concatenation.
seq_num
The sequence number for this record.
hash
The hashing algorithm specified by
SecurityParameters.mac_algorithm.
Note that the MAC is computed before encryption. The stream cipher
encrypts the entire block, including the MAC. For stream ciphers that
do not use a synchronization vector (such as RC4), the stream cipher
state from the end of one record is simply used on the subsequent
packet. If the CipherSuite is TLS_NULL_WITH_NULL_NULL, encryption
consists of the identity operation (i.e., the data is not encrypted
and the MAC size is zero implying that no MAC is used).
TLSCiphertext.length is TLSCompressed.length plus
CipherSpec.hash_size.
6.2.3.2. CBC block cipher
For block ciphers (such as RC2 or DES), the encryption and MAC
functions convert TLSCompressed.fragment structures to and from block
TLSCiphertext.fragment structures.

block-ciphered struct {
uint8 padding[GenericBlockCipher.padding_length];
uint8 padding_length;
} GenericBlockCipher;
The MAC is generated as described in Section 6.2.3.1.
padding
Padding that is added to force the length of the plaintext to be
an integral multiple of the block cipher's block length. The
padding may be any length up to 255 bytes long, as long as it
results in the TLSCiphertext.length being an integral multiple of
the block length. Lengths longer than necessary might be
desirable to frustrate attacks on a protocol based on analysis of
the lengths of exchanged messages. Each uint8 in the padding data
vector must be filled with the padding length value.
padding_length
The padding length should be such that the total size of the
GenericBlockCipher structure is a multiple of the cipher's block
length. Legal values range from zero to 255, inclusive. This
length specifies the length of the padding field exclusive of the
padding_length field itself.
The encrypted data length (TLSCiphertext.length) is one more than the

sum of TLSCompressed.length, CipherSpec.hash_size, and
padding_length.
Example: If the block length is 8 bytes, the content length

(TLSCompressed.length) is 61 bytes, and the MAC length is 20
bytes, the length before padding is 82 bytes. Thus, the
padding length modulo 8 must be equal to 6 in order to make
the total length an even multiple of 8 bytes (the block
length). The padding length can be 6, 14, 22, and so on,
through 254. If the padding length were the minimum necessary,
6, the padding would be 6 bytes, each containing the value 6.
Thus, the last 8 octets of the GenericBlockCipher before block
encryption would be xx 06 06 06 06 06 06 06, where xx is the
last octet of the MAC.
Note: With block ciphers in CBC mode (Cipher Block Chaining) the
initialization vector (IV) for the first record is generated with
the other keys and secrets when the security parameters are set.
The IV for subsequent records is the last ciphertext block from
the previous record.

6.3. Key calculation
The Record Protocol requires an algorithm to generate keys, IVs, and

MAC secrets from the security parameters provided by the handshake
protocol.
The master secret is hashed into a sequence of secure bytes, which

are assigned to the MAC secrets, keys, and non-export IVs required by
the current connection state (see Appendix A.6). CipherSpecs require
a client write MAC secret, a server write MAC secret, a client write
key, a server write key, a client write IV, and a server write IV,
which are generated from the master secret in that order. Unused
values are empty.
When generating keys and MAC secrets, the master secret is used as an
entropy source, and the random values provide unencrypted salt
material and IVs for exportable ciphers.
To generate the key material, compute
key_block = PRF(SecurityParameters.master_secret,
"key expansion",
SecurityParameters.server_random +
SecurityParameters.client_random);
until enough output has been generated. Then the key_block is

partitioned as follows:
client_write_MAC_secret[SecurityParameters.hash_size]
server_write_MAC_secret[SecurityParameters.hash_size]
client_write_key[SecurityParameters.key_material_length]
server_write_key[SecurityParameters.key_material_length]
client_write_IV[SecurityParameters.IV_size]
server_write_IV[SecurityParameters.IV_size]
The client_write_IV and server_write_IV are only generated for non-

export block ciphers. For exportable block ciphers, the
initialization vectors are generated later, as described below. Any
extra key_block material is discarded.
Implementation note:
The cipher spec which is defined in this document which requires
the most material is 3DES_EDE_CBC_SHA: it requires 2 x 24 byte
keys, 2 x 20 byte MAC secrets, and 2 x 8 byte IVs, for a total of
104 bytes of key material.

Exportable encryption algorithms (for which CipherSpec.is_exportable

is true) require additional processing as follows to derive their
final write keys:
final_client_write_key =
PRF(SecurityParameters.client_write_key,
"client write key",
SecurityParameters.client_random +
SecurityParameters.server_random);
final_server_write_key =
PRF(SecurityParameters.server_write_key,
"server write key",
SecurityParameters.client_random +
Exportable encryption algorithms derive their IVs solely from the

random values from the hello messages:
iv_block = PRF("", "IV block", SecurityParameters.client_random +

The iv_block is partitioned into two initialization vectors as the

key_block was above:
client_write_IV[SecurityParameters.IV_size]
server_write_IV[SecurityParameters.IV_size]
Note that the PRF is used without a secret in this case: this just
means that the secret has a length of zero bytes and contributes
nothing to the hashing in the PRF.
6.3.1. Export key generation example
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 requires five random bytes for

each of the two encryption keys and 16 bytes for each of the MAC
keys, for a total of 42 bytes of key material. The PRF output is
stored in the key_block. The key_block is partitioned, and the write
keys are salted because this is an exportable encryption algorithm.
key_block = PRF(master_secret,
"key expansion",
server_random +
client_random)[0..41]
client_write_MAC_secret = key_block[0..15]
server_write_MAC_secret = key_block[16..31]
client_write_key = key_block[32..36]
server_write_key = key_block[37..41]

final_client_write_key = PRF(client_write_key,
"client write key",
client_random +
server_random)[0..15]
final_server_write_key = PRF(server_write_key,
"server write key",
client_random +
iv_block = PRF("", "IV block", client_random +

client_write_IV = iv_block[0..7]
server_write_IV = iv_block[8..15]
7. The TLS Handshake Protocol
The TLS Handshake Protocol consists of a suite of three sub-protocols

which are used to allow peers to agree upon security parameters for
the record layer, authenticate themselves, instantiate negotiated
security parameters, and report error conditions to each other.
The Handshake Protocol is responsible for negotiating a session,

which consists of the following items:
session identifier
An arbitrary byte sequence chosen by the server to identify an
active or resumable session state.
peer certificate
X509v3 [X509] certificate of the peer. This element of the state
may be null.
compression method
The algorithm used to compress data prior to encryption.
cipher spec
Specifies the bulk data encryption algorithm (such as null, DES,
etc.) and a MAC algorithm (such as MD5 or SHA). It also defines
cryptographic attributes such as the hash_size. (See Appendix A.6
for formal definition)
master secret
48-byte secret shared between the client and server.
is resumable
A flag indicating whether the session can be used to initiate new
connections.

These items are then used to create security parameters for use by
the Record Layer when protecting application data. Many connections
can be instantiated using the same session through the resumption
feature of the TLS Handshake Protocol.
7.1. Change cipher spec protocol
The change cipher spec protocol exists to signal transitions in

ciphering strategies. The protocol consists of a single message,
which is encrypted and compressed under the current (not the pending)
connection state. The message consists of a single byte of value 1.
struct {
enum { change_cipher_spec(1), (255) } type;
} ChangeCipherSpec;
The change cipher spec message is sent by both the client and server
to notify the receiving party that subsequent records will be
protected under the newly negotiated CipherSpec and keys. Reception
of this message causes the receiver to instruct the Record Layer to
immediately copy the read pending state into the read current state.
Immediately after sending this message, the sender should instruct
the record layer to make the write pending state the write active
state. (See section 6.1.) The change cipher spec message is sent
during the handshake after the security parameters have been agreed
upon, but before the verifying finished message is sent (see section
7.4.9).
7.2. Alert protocol
One of the content types supported by the TLS Record layer is the
alert type. Alert messages convey the severity of the message and a
description of the alert. Alert messages with a level of fatal result
in the immediate termination of the connection. In this case, other
connections corresponding to the session may continue, but the
session identifier must be invalidated, preventing the failed session
from being used to establish new connections. Like other messages,
alert messages are encrypted and compressed, as specified by the
current connection state.
enum { warning(1), fatal(2), (255) } AlertLevel;
enum {
close_notify(0),
unexpected_message(10),
bad_record_mac(20),
decryption_failed(21),
record_overflow(22),

decompression_failure(30),
handshake_failure(40),
bad_certificate(42),
unsupported_certificate(43),
certificate_revoked(44),
certificate_expired(45),
certificate_unknown(46),
illegal_parameter(47),
unknown_ca(48),
access_denied(49),
decode_error(50),
decrypt_error(51),
export_restriction(60),
protocol_version(70),
insufficient_security(71),
internal_error(80),
user_canceled(90),
no_renegotiation(100),
(255)
} AlertDescription;
struct {
AlertLevel level;
AlertDescription description;
} Alert;
7.2.1. Closure alerts
The client and the server must share knowledge that the connection is
ending in order to avoid a truncation attack. Either party may
initiate the exchange of closing messages.
close_notify
This message notifies the recipient that the sender will not send
any more messages on this connection. The session becomes
unresumable if any connection is terminated without proper
close_notify messages with level equal to warning.
Either party may initiate a close by sending a close_notify alert.

Any data received after a closure alert is ignored.
Each party is required to send a close_notify alert before closing

the write side of the connection. It is required that the other party
respond with a close_notify alert of its own and close down the
connection immediately, discarding any pending writes. It is not
required for the initiator of the close to wait for the responding
close_notify alert before closing the read side of the connection.

If the application protocol using TLS provides that any data may be
carried over the underlying transport after the TLS connection is
closed, the TLS implementation must receive the responding
close_notify alert before indicating to the application layer that
the TLS connection has ended. If the application protocol will not
transfer any additional data, but will only close the underlying
transport connection, then the implementation may choose to close the
transport without waiting for the responding close_notify. No part of
this standard should be taken to dictate the manner in which a usage
profile for TLS manages its data transport, including when
connections are opened or closed.
NB: It is assumed that closing a connection reliably delivers

pending data before destroying the transport.
7.2.2. Error alerts
Error handling in the TLS Handshake protocol is very simple. When an

error is detected, the detecting party sends a message to the other
party. Upon transmission or receipt of an fatal alert message, both
parties immediately close the connection. Servers and clients are
required to forget any session-identifiers, keys, and secrets
associated with a failed connection. The following error alerts are
defined:
unexpected_message
An inappropriate message was received. This alert is always fatal
and should never be observed in communication between proper
implementations.
bad_record_mac
This alert is returned if a record is received with an incorrect
MAC. This message is always fatal.
decryption_failed
A TLSCiphertext decrypted in an invalid way: either it wasn`t an
even multiple of the block length or its padding values, when
checked, weren`t correct. This message is always fatal.
record_overflow
A TLSCiphertext record was received which had a length more than
2^14+2048 bytes, or a record decrypted to a TLSCompressed record
with more than 2^14+1024 bytes. This message is always fatal.
decompression_failure
The decompression function received improper input (e.g. data
that would expand to excessive length). This message is always
fatal.

handshake_failure
Reception of a handshake_failure alert message indicates that the
sender was unable to negotiate an acceptable set of security
parameters given the options available. This is a fatal error.
bad_certificate
A certificate was corrupt, contained signatures that did not
verify correctly, etc.
unsupported_certificate
A certificate was of an unsupported type.
certificate_revoked
A certificate was revoked by its signer.
certificate_expired
A certificate has expired or is not currently valid.
certificate_unknown
Some other (unspecified) issue arose in processing the
certificate, rendering it unacceptable.
illegal_parameter
A field in the handshake was out of range or inconsistent with
other fields. This is always fatal.
unknown_ca
A valid certificate chain or partial chain was received, but the
certificate was not accepted because the CA certificate could not
be located or couldn`t be matched with a known, trusted CA. This
message is always fatal.
access_denied
A valid certificate was received, but when access control was
applied, the sender decided not to proceed with negotiation.
This message is always fatal.
decode_error
A message could not be decoded because some field was out of the
specified range or the length of the message was incorrect. This
decrypt_error
A handshake cryptographic operation failed, including being
unable to correctly verify a signature, decrypt a key exchange,
or validate a finished message.

export_restriction
A negotiation not in compliance with export restrictions was
detected; for example, attempting to transfer a 1024 bit
ephemeral RSA key for the RSA_EXPORT handshake method. This
protocol_version
The protocol version the client has attempted to negotiate is
recognized, but not supported. (For example, old protocol
versions might be avoided for security reasons). This message is
always fatal.
insufficient_security
Returned instead of handshake_failure when a negotiation has
failed specifically because the server requires ciphers more
secure than those supported by the client. This message is always
fatal.
internal_error
An internal error unrelated to the peer or the correctness of the
protocol makes it impossible to continue (such as a memory
allocation failure). This message is always fatal.
user_canceled
This handshake is being canceled for some reason unrelated to a
protocol failure. If the user cancels an operation after the
handshake is complete, just closing the connection by sending a
close_notify is more appropriate. This alert should be followed
by a close_notify. This message is generally a warning.
no_renegotiation
Sent by the client in response to a hello request or by the
server in response to a client hello after initial handshaking.
Either of these would normally lead to renegotiation; when that
is not appropriate, the recipient should respond with this alert;
at that point, the original requester can decide whether to
proceed with the connection. One case where this would be
appropriate would be where a server has spawned a process to
satisfy a request; the process might receive security parameters
(key length, authentication, etc.) at startup and it might be
difficult to communicate changes to these parameters after that
point. This message is always a warning.
For all errors where an alert level is not explicitly specified, the
sending party may determine at its discretion whether this is a fatal
error or not; if an alert with a level of warning is received, the

receiving party may decide at its discretion whether to treat this as

a fatal error or not. However, all messages which are transmitted
with a level of fatal must be treated as fatal messages.
7.3. Handshake Protocol overview
The cryptographic parameters of the session state are produced by the

TLS Handshake Protocol, which operates on top of the TLS Record
Layer. When a TLS client and server first start communicating, they
agree on a protocol version, select cryptographic algorithms,
optionally authenticate each other, and use public-key encryption
techniques to generate shared secrets.
The TLS Handshake Protocol involves the following steps:
- Exchange hello messages to agree on algorithms, exchange random

values, and check for session resumption.
- Exchange the necessary cryptographic parameters to allow the

client and server to agree on a premaster secret.
- Exchange certificates and cryptographic information to allow the

client and server to authenticate themselves.
- Generate a master secret from the premaster secret and exchanged

random values.
- Provide security parameters to the record layer.
- Allow the client and server to verify that their peer has
calculated the same security parameters and that the handshake
occurred without tampering by an attacker.
Note that higher layers should not be overly reliant on TLS always
negotiating the strongest possible connection between two peers:
there are a number of ways a man in the middle attacker can attempt
to make two entities drop down to the least secure method they
support. The protocol has been designed to minimize this risk, but
there are still attacks available: for example, an attacker could
block access to the port a secure service runs on, or attempt to get
the peers to negotiate an unauthenticated connection. The fundamental
rule is that higher levels must be cognizant of what their security
requirements are and never transmit information over a channel less
secure than what they require. The TLS protocol is secure, in that
any cipher suite offers its promised level of security: if you
negotiate 3DES with a 1024 bit RSA key exchange with a host whose
certificate you have verified, you can expect to be that secure.

However, you should never send data over a link encrypted with 40 bit
security unless you feel that data is worth no more than the effort
required to break that encryption.
These goals are achieved by the handshake protocol, which can be

summarized as follows: The client sends a client hello message to
which the server must respond with a server hello message, or else a
fatal error will occur and the connection will fail. The client hello
and server hello are used to establish security enhancement
capabilities between client and server. The client hello and server
hello establish the following attributes: Protocol Version, Session
ID, Cipher Suite, and Compression Method. Additionally, two random
values are generated and exchanged: ClientHello.random and
ServerHello.random.
The actual key exchange uses up to four messages: the server

certificate, the server key exchange, the client certificate, and the
client key exchange. New key exchange methods can be created by
specifying a format for these messages and defining the use of the
messages to allow the client and server to agree upon a shared
secret. This secret should be quite long; currently defined key
exchange methods exchange secrets which range from 48 to 128 bytes in
length.
Following the hello messages, the server will send its certificate,
if it is to be authenticated. Additionally, a server key exchange
message may be sent, if it is required (e.g. if their server has no
certificate, or if its certificate is for signing only). If the
server is authenticated, it may request a certificate from the
client, if that is appropriate to the cipher suite selected. Now the
server will send the server hello done message, indicating that the
hello-message phase of the handshake is complete. The server will
then wait for a client response. If the server has sent a certificate
request message, the client must send the certificate message. The
client key exchange message is now sent, and the content of that
message will depend on the public key algorithm selected between the
client hello and the server hello. If the client has sent a
certificate with signing ability, a digitally-signed certificate
verify message is sent to explicitly verify the certificate.
At this point, a change cipher spec message is sent by the client,

and the client copies the pending Cipher Spec into the current Cipher
Spec. The client then immediately sends the finished message under
the new algorithms, keys, and secrets. In response, the server will
send its own change cipher spec message, transfer the pending to the
current Cipher Spec, and send its finished message under the new

Cipher Spec. At this point, the handshake is complete and the client
and server may begin to exchange application layer data. (See flow
chart below.)
Client Server
ClientHello -------->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
Fig. 1 - Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not

always sent.
Note: To help avoid pipeline stalls, ChangeCipherSpec is an

independent TLS Protocol content type, and is not actually a TLS
handshake message.
When the client and server decide to resume a previous session or

duplicate an existing session (instead of negotiating new security
parameters) the message flow is as follows:
The client sends a ClientHello using the Session ID of the session to

be resumed. The server then checks its session cache for a match. If
a match is found, and the server is willing to re-establish the
connection under the specified session state, it will send a
ServerHello with the same Session ID value. At this point, both
client and server must send change cipher spec messages and proceed
directly to finished messages. Once the re-establishment is complete,
the client and server may begin to exchange application layer data.
(See flow chart below.) If a Session ID match is not found, the
server generates a new session ID and the TLS client and server
perform a full handshake.

Client Server
ClientHello -------->
ServerHello
[ChangeCipherSpec]
<-------- Finished
[ChangeCipherSpec]
Finished -------->
Application Data <-------> Application Data
Fig. 2 - Message flow for an abbreviated handshake
The contents and significance of each message will be presented in

detail in the following sections.
7.4. Handshake protocol
The TLS Handshake Protocol is one of the defined higher level clients
of the TLS Record Protocol. This protocol is used to negotiate the
secure attributes of a session. Handshake messages are supplied to
the TLS Record Layer, where they are encapsulated within one or more
TLSPlaintext structures, which are processed and transmitted as
specified by the current active session state.
enum {
hello_request(0), client_hello(1), server_hello(2),
certificate(11), server_key_exchange (12),
certificate_request(13), server_hello_done(14),
certificate_verify(15), client_key_exchange(16),
finished(20), (255)
} HandshakeType;
struct {
HandshakeType msg_type; /* handshake type */
uint24 length; /* bytes in message */
select (HandshakeType) {
case hello_request: HelloRequest;
case client_hello: ClientHello;
case server_hello: ServerHello;
case certificate: Certificate;
case server_key_exchange: ServerKeyExchange;
case certificate_request: CertificateRequest;
case server_hello_done: ServerHelloDone;
case certificate_verify: CertificateVerify;
case client_key_exchange: ClientKeyExchange;
case finished: Finished;
} body;
} Handshake;

The handshake protocol messages are presented below in the order they
must be sent; sending handshake messages in an unexpected order
results in a fatal error. Unneeded handshake messages can be omitted,
however. Note one exception to the ordering: the Certificate message
is used twice in the handshake (from server to client, then from
client to server), but described only in its first position. The one
message which is not bound by these ordering rules in the Hello
Request message, which can be sent at any time, but which should be
ignored by the client if it arrives in the middle of a handshake.
7.4.1. Hello messages
The hello phase messages are used to exchange security enhancement

capabilities between the client and server. When a new session
begins, the Record Layer's connection state encryption, hash, and
compression algorithms are initialized to null. The current
connection state is used for renegotiation messages.
7.4.1.1. Hello request
When this message will be sent:

The hello request message may be sent by the server at any time.
Meaning of this message:

Hello request is a simple notification that the client should
begin the negotiation process anew by sending a client hello
message when convenient. This message will be ignored by the
client if the client is currently negotiating a session. This
message may be ignored by the client if it does not wish to
renegotiate a session, or the client may, if it wishes, respond
with a no_renegotiation alert. Since handshake messages are
intended to have transmission precedence over application data,
it is expected that the negotiation will begin before no more
than a few records are received from the client. If the server
sends a hello request but does not receive a client hello in
response, it may close the connection with a fatal alert.
After sending a hello request, servers should not repeat the request
until the subsequent handshake negotiation is complete.
Structure of this message:

struct { } HelloRequest;
Note: This message should never be included in the message hashes which
are maintained throughout the handshake and used in the finished
messages and the certificate verify message.

7.4.1.2. Client hello

When a client first connects to a server it is required to send
the client hello as its first message. The client can also send a
client hello in response to a hello request or on its own
initiative in order to renegotiate the security parameters in an
existing connection.

The client hello message includes a random structure, which is
used later in the protocol.
struct {
uint32 gmt_unix_time;
opaque random_bytes[28];
} Random;
gmt_unix_time
The current time and date in standard UNIX 32-bit format (seconds
since the midnight starting Jan 1, 1970, GMT) according to the
sender's internal clock. Clocks are not required to be set
correctly by the basic TLS Protocol; higher level or application
protocols may define additional requirements.
random_bytes
28 bytes generated by a secure random number generator.
The client hello message includes a variable length session

identifier. If not empty, the value identifies a session between the
same client and server whose security parameters the client wishes to
reuse. The session identifier may be from an earlier connection, this
connection, or another currently active connection. The second option
is useful if the client only wishes to update the random structures
and derived values of a connection, while the third option makes it
possible to establish several independent secure connections without
repeating the full handshake protocol. These independent connections
may occur sequentially or simultaneously; a SessionID becomes valid
when the handshake negotiating it completes with the exchange of
Finished messages and persists until removed due to aging or because
a fatal error was encountered on a connection associated with the
session. The actual contents of the SessionID are defined by the
server.
opaque SessionID<0..32>;

Warning:
Because the SessionID is transmitted without encryption or
immediate MAC protection, servers must not place confidential
information in session identifiers or let the contents of fake
session identifiers cause any breach of security. (Note that the
content of the handshake as a whole, including the SessionID, is
protected by the Finished messages exchanged at the end of the
handshake.)
The CipherSuite list, passed from the client to the server in the
client hello message, contains the combinations of cryptographic
algorithms supported by the client in order of the client's
preference (favorite choice first). Each CipherSuite defines a key
exchange algorithm, a bulk encryption algorithm (including secret key
length) and a MAC algorithm. The server will select a cipher suite
or, if no acceptable choices are presented, return a handshake
failure alert and close the connection.
uint8 CipherSuite[2]; /* Cryptographic suite selector */
The client hello includes a list of compression algorithms supported

by the client, ordered according to the client's preference.
struct {
ProtocolVersion client_version;
Random random;
SessionID session_id;
CipherSuite cipher_suites<2..2^16-1>;
CompressionMethod compression_methods<1..2^8-1>;
} ClientHello;
client_version
The version of the TLS protocol by which the client wishes to
communicate during this session. This should be the latest
(highest valued) version supported by the client. For this
version of the specification, the version will be 3.1 (See
Appendix E for details about backward compatibility).
random
A client-generated random structure.
session_id
The ID of a session the client wishes to use for this connection.
This field should be empty if no session_id is available or the
client wishes to generate new security parameters.

cipher_suites
This is a list of the cryptographic options supported by the
client, with the client's first preference first. If the
session_id field is not empty (implying a session resumption
request) this vector must include at least the cipher_suite from
that session. Values are defined in Appendix A.5.
compression_methods
This is a list of the compression methods supported by the
client, sorted by client preference. If the session_id field is
not empty (implying a session resumption request) it must include
the compression_method from that session. This vector must
contain, and all implementations must support,
CompressionMethod.null. Thus, a client and server will always be
able to agree on a compression method.
After sending the client hello message, the client waits for a server
hello message. Any other handshake message returned by the server
except for a hello request is treated as a fatal error.
Forward compatibility note:

In the interests of forward compatibility, it is permitted for a
client hello message to include extra data after the compression
methods. This data must be included in the handshake hashes, but
must otherwise be ignored. This is the only handshake message for
which this is legal; for all other messages, the amount of data
in the message must match the description of the message
precisely.
7.4.1.3. Server hello

The server will send this message in response to a client hello
message when it was able to find an acceptable set of algorithms.
If it cannot find such a match, it will respond with a handshake
failure alert.

struct {
ProtocolVersion server_version;
Random random;
CipherSuite cipher_suite;
CompressionMethod compression_method;
} ServerHello;

server_version
This field will contain the lower of that suggested by the client
in the client hello and the highest supported by the server. For
this version of the specification, the version is 3.1 (See
Appendix E for details about backward compatibility).
random
This structure is generated by the server and must be different
from (and independent of) ClientHello.random.
session_id
This is the identity of the session corresponding to this
connection. If the ClientHello.session_id was non-empty, the
server will look in its session cache for a match. If a match is
found and the server is willing to establish the new connection
using the specified session state, the server will respond with
the same value as was supplied by the client. This indicates a
resumed session and dictates that the parties must proceed
directly to the finished messages. Otherwise this field will
contain a different value identifying the new session. The server
may return an empty session_id to indicate that the session will
not be cached and therefore cannot be resumed. If a session is
resumed, it must be resumed using the same cipher suite it was
originally negotiated with.
cipher_suite
The single cipher suite selected by the server from the list in
ClientHello.cipher_suites. For resumed sessions this field is the
value from the state of the session being resumed.
compression_method
The single compression algorithm selected by the server from the
list in ClientHello.compression_methods. For resumed sessions
this field is the value from the resumed session state.
7.4.2. Server certificate

The server must send a certificate whenever the agreed-upon key
exchange method is not an anonymous one. This message will always
immediately follow the server hello message.

The certificate type must be appropriate for the selected cipher
suite's key exchange algorithm, and is generally an X.509v3
certificate. It must contain a key which matches the key exchange
method, as follows. Unless otherwise specified, the signing

algorithm for the certificate must be the same as the algorithm

for the certificate key. Unless otherwise specified, the public
key may be of any length.
Key Exchange Algorithm Certificate Key Type
RSA RSA public key; the certificate must

allow the key to be used for encryption.
RSA_EXPORT RSA public key of length greater than

512 bits which can be used for signing,
or a key of 512 bits or shorter which
can be used for either encryption or
signing.
DHE_DSS DSS public key.
DHE_DSS_EXPORT DSS public key.
DHE_RSA RSA public key which can be used for

signing.
DHE_RSA_EXPORT RSA public key which can be used for

signing.
DH_DSS Diffie-Hellman key. The algorithm used

to sign the certificate should be DSS.
DH_RSA Diffie-Hellman key. The algorithm used

to sign the certificate should be RSA.
All certificate profiles, key and cryptographic formats are defined

by the IETF PKIX working group [PKIX]. When a key usage extension is
present, the digitalSignature bit must be set for the key to be
eligible for signing, as described above, and the keyEncipherment bit
must be present to allow encryption, as described above. The
keyAgreement bit must be set on Diffie-Hellman certificates.
As CipherSuites which specify new key exchange methods are specified

for the TLS Protocol, they will imply certificate format and the
required encoded keying information.

opaque ASN.1Cert<1..2^24-1>;
struct {
ASN.1Cert certificate_list<0..2^24-1>;
} Certificate;

certificate_list
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate which specifies the
root certificate authority may optionally be omitted from the
chain, under the assumption that the remote end must already
possess it in order to validate it in any case.
The same message type and structure will be used for the client's
response to a certificate request message. Note that a client may
send no certificates if it does not have an appropriate certificate
to send in response to the server's authentication request.
Note: PKCS #7 [PKCS7] is not used as the format for the certificate
vector because PKCS #6 [PKCS6] extended certificates are not
used. Also PKCS #7 defines a SET rather than a SEQUENCE, making
the task of parsing the list more difficult.
7.4.3. Server key exchange message

This message will be sent immediately after the server
certificate message (or the server hello message, if this is an
anonymous negotiation).
The server key exchange message is sent by the server only when
the server certificate message (if sent) does not contain enough
data to allow the client to exchange a premaster secret. This is
true for the following key exchange methods:
RSA_EXPORT (if the public key in the server certificate is

longer than 512 bits)
DHE_DSS
DHE_DSS_EXPORT
DHE_RSA
DHE_RSA_EXPORT
DH_anon
It is not legal to send the server key exchange message for the
following key exchange methods:
RSA
RSA_EXPORT (when the public key in the server certificate is
less than or equal to 512 bits in length)
DH_DSS
DH_RSA


This message conveys cryptographic information to allow the
client to communicate the premaster secret: either an RSA public
key to encrypt the premaster secret with, or a Diffie-Hellman
public key with which the client can complete a key exchange
(with the result being the premaster secret.)
As additional CipherSuites are defined for TLS which include new key
exchange algorithms, the server key exchange message will be sent if
and only if the certificate type associated with the key exchange
algorithm does not provide enough information for the client to
exchange a premaster secret.
Note: According to current US export law, RSA moduli larger than 512
bits may not be used for key exchange in software exported from
the US. With this message, the larger RSA keys encoded in
certificates may be used to sign temporary shorter RSA keys for
the RSA_EXPORT key exchange method.

enum { rsa, diffie_hellman } KeyExchangeAlgorithm;
struct {
opaque rsa_modulus<1..2^16-1>;
opaque rsa_exponent<1..2^16-1>;
} ServerRSAParams;
rsa_modulus
The modulus of the server's temporary RSA key.
rsa_exponent
The public exponent of the server's temporary RSA key.
struct {
opaque dh_p<1..2^16-1>;
opaque dh_g<1..2^16-1>;
opaque dh_Ys<1..2^16-1>;
} ServerDHParams; /* Ephemeral DH parameters */
dh_p
The prime modulus used for the Diffie-Hellman operation.
dh_g
The generator used for the Diffie-Hellman operation.
dh_Ys
The server's Diffie-Hellman public value (g^X mod p).

struct {
select (KeyExchangeAlgorithm) {
case diffie_hellman:
ServerDHParams params;
Signature signed_params;
case rsa:
ServerRSAParams params;
};
} ServerKeyExchange;
params
The server's key exchange parameters.
signed_params
For non-anonymous key exchanges, a hash of the corresponding
params value, with the signature appropriate to that hash
applied.
md5_hash
MD5(ClientHello.random + ServerHello.random + ServerParams);
sha_hash
SHA(ClientHello.random + ServerHello.random + ServerParams);
enum { anonymous, rsa, dsa } SignatureAlgorithm;
select (SignatureAlgorithm)
{ case anonymous: struct { };
case rsa:
digitally-signed struct {
opaque md5_hash[16];
opaque sha_hash[20];
};
case dsa:
};
} Signature;
7.4.4. Certificate request

A non-anonymous server can optionally request a certificate from
the client, if appropriate for the selected cipher suite. This
message, if sent, will immediately follow the Server Key Exchange
message (if it is sent; otherwise, the Server Certificate
message).


enum {
rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
(255)
} ClientCertificateType;
opaque DistinguishedName<1..2^16-1>;
struct {
ClientCertificateType certificate_types<1..2^8-1>;
DistinguishedName certificate_authorities<3..2^16-1>;
} CertificateRequest;
certificate_types
This field is a list of the types of certificates requested,
sorted in order of the server's preference.
certificate_authorities
A list of the distinguished names of acceptable certificate
authorities. These distinguished names may specify a desired
distinguished name for a root CA or for a subordinate CA;
thus, this message can be used both to describe known roots
and a desired authorization space.
Note: DistinguishedName is derived from [X509].
Note: It is a fatal handshake_failure alert for an anonymous server to

request client identification.
7.4.5. Server hello done

The server hello done message is sent by the server to indicate
the end of the server hello and associated messages. After
sending this message the server will wait for a client response.

This message means that the server is done sending messages to
support the key exchange, and the client can proceed with its
phase of the key exchange.
Upon receipt of the server hello done message the client should
verify that the server provided a valid certificate if required
and check that the server hello parameters are acceptable.

struct { } ServerHelloDone;

7.4.6. Client certificate

This is the first message the client can send after receiving a
server hello done message. This message is only sent if the
server requests a certificate. If no suitable certificate is
available, the client should send a certificate message
containing no certificates. If client authentication is required
by the server for the handshake to continue, it may respond with
a fatal handshake failure alert. Client certificates are sent
using the Certificate structure defined in Section 7.4.2.
Note: When using a static Diffie-Hellman based key exchange method

(DH_DSS or DH_RSA), if client authentication is requested, the
Diffie-Hellman group and generator encoded in the client's
certificate must match the server specified Diffie-Hellman
parameters if the client's parameters are to be used for the key
exchange.
7.4.7. Client key exchange message

This message is always sent by the client. It will immediately
follow the client certificate message, if it is sent. Otherwise
it will be the first message sent by the client after it receives
the server hello done message.

With this message, the premaster secret is set, either though
direct transmission of the RSA-encrypted secret, or by the
transmission of Diffie-Hellman parameters which will allow each
side to agree upon the same premaster secret. When the key
exchange method is DH_RSA or DH_DSS, client certification has
been requested, and the client was able to respond with a
certificate which contained a Diffie-Hellman public key whose
parameters (group and generator) matched those specified by the
server in its certificate, this message will not contain any
data.

The choice of messages depends on which key exchange method has
been selected. See Section 7.4.3 for the KeyExchangeAlgorithm
definition.
struct {
case rsa: EncryptedPreMasterSecret;
case diffie_hellman: ClientDiffieHellmanPublic;

} exchange_keys;
} ClientKeyExchange;
7.4.7.1. RSA encrypted premaster secret message

If RSA is being used for key agreement and authentication, the
client generates a 48-byte premaster secret, encrypts it using
the public key from the server's certificate or the temporary RSA
key provided in a server key exchange message, and sends the
result in an encrypted premaster secret message. This structure
is a variant of the client key exchange message, not a message in
itself.

struct {
opaque random[46];
} PreMasterSecret;
client_version
The latest (newest) version supported by the client. This is
used to detect version roll-back attacks. Upon receiving the
premaster secret, the server should check that this value
matches the value transmitted by the client in the client
hello message.
random
46 securely-generated random bytes.
struct {
public-key-encrypted PreMasterSecret pre_master_secret;
} EncryptedPreMasterSecret;
Note: An attack discovered by Daniel Bleichenbacher [BLEI] can be used

to attack a TLS server which is using PKCS#1 encoded RSA. The
attack takes advantage of the fact that by failing in different
ways, a TLS server can be coerced into revealing whether a
particular message, when decrypted, is properly PKCS#1 formatted
or not.
The best way to avoid vulnerability to this attack is to treat

incorrectly formatted messages in a manner indistinguishable from
correctly formatted RSA blocks. Thus, when it receives an
incorrectly formatted RSA block, a server should generate a
random 48-byte value and proceed using it as the premaster
secret. Thus, the server will act identically whether the
received RSA block is correctly encoded or not.

pre_master_secret
This random value is generated by the client and is used to
generate the master secret, as specified in Section 8.1.
7.4.7.2. Client Diffie-Hellman public value

This structure conveys the client's Diffie-Hellman public value
(Yc) if it was not already included in the client's certificate.
The encoding used for Yc is determined by the enumerated
PublicValueEncoding. This structure is a variant of the client
key exchange message, not a message in itself.

enum { implicit, explicit } PublicValueEncoding;
implicit
If the client certificate already contains a suitable
Diffie-Hellman key, then Yc is implicit and does not need to
be sent again. In this case, the Client Key Exchange message
will be sent, but will be empty.
explicit
Yc needs to be sent.
struct {
select (PublicValueEncoding) {
case implicit: struct { };
case explicit: opaque dh_Yc<1..2^16-1>;
} dh_public;
} ClientDiffieHellmanPublic;
dh_Yc
The client's Diffie-Hellman public value (Yc).
7.4.8. Certificate verify

This message is used to provide explicit verification of a client
certificate. This message is only sent following a client
certificate that has signing capability (i.e. all certificates
except those containing fixed Diffie-Hellman parameters). When
sent, it will immediately follow the client key exchange message.

struct {
Signature signature;
} CertificateVerify;

The Signature type is defined in 7.4.3.
CertificateVerify.signature.md5_hash
MD5(handshake_messages);
Certificate.signature.sha_hash
SHA(handshake_messages);
Here handshake_messages refers to all handshake messages sent or

received starting at client hello up to but not including this
message, including the type and length fields of the handshake
messages. This is the concatenation of all the Handshake structures
as defined in 7.4 exchanged thus far.
7.4.9. Finished

A finished message is always sent immediately after a change
cipher spec message to verify that the key exchange and
authentication processes were successful. It is essential that a
change cipher spec message be received between the other
handshake messages and the Finished message.

The finished message is the first protected with the just-
negotiated algorithms, keys, and secrets. Recipients of finished
messages must verify that the contents are correct. Once a side
has sent its Finished message and received and validated the
Finished message from its peer, it may begin to send and receive
application data over the connection.
struct {
opaque verify_data[12];
} Finished;
verify_data
PRF(master_secret, finished_label, MD5(handshake_messages) +
SHA-1(handshake_messages)) [0..11];
finished_label
For Finished messages sent by the client, the string "client
finished". For Finished messages sent by the server, the
string "server finished".
handshake_messages
All of the data from all handshake messages up to but not
including this message. This is only data visible at the
handshake layer and does not include record layer headers.

This is the concatenation of all the Handshake structures as

defined in 7.4 exchanged thus far.
It is a fatal error if a finished message is not preceded by a change

cipher spec message at the appropriate point in the handshake.
The hash contained in finished messages sent by the server

incorporate Sender.server; those sent by the client incorporate
Sender.client. The value handshake_messages includes all handshake
messages starting at client hello up to, but not including, this
finished message. This may be different from handshake_messages in
Section 7.4.8 because it would include the certificate verify message
(if sent). Also, the handshake_messages for the finished message sent
by the client will be different from that for the finished message
sent by the server, because the one which is sent second will include
the prior one.
Note: Change cipher spec messages, alerts and any other record types
are not handshake messages and are not included in the hash
computations. Also, Hello Request messages are omitted from
handshake hashes.
8. Cryptographic computations
In order to begin connection protection, the TLS Record Protocol

requires specification of a suite of algorithms, a master secret, and
the client and server random values. The authentication, encryption,
and MAC algorithms are determined by the cipher_suite selected by the
server and revealed in the server hello message. The compression
algorithm is negotiated in the hello messages, and the random values
are exchanged in the hello messages. All that remains is to calculate
the master secret.
8.1. Computing the master secret
For all key exchange methods, the same algorithm is used to convert
the pre_master_secret into the master_secret. The pre_master_secret
should be deleted from memory once the master_secret has been
computed.
master_secret = PRF(pre_master_secret, "master secret",

ClientHello.random + ServerHello.random)
[0..47];
The master secret is always exactly 48 bytes in length. The length of

the premaster secret will vary depending on key exchange method.

8.1.1. RSA
When RSA is used for server authentication and key exchange, a 48-
byte pre_master_secret is generated by the client, encrypted under
the server's public key, and sent to the server. The server uses its
private key to decrypt the pre_master_secret. Both parties then
convert the pre_master_secret into the master_secret, as specified
above.
RSA digital signatures are performed using PKCS #1 [PKCS1] block type
1. RSA public key encryption is performed using PKCS #1 block type 2.
8.1.2. Diffie-Hellman
A conventional Diffie-Hellman computation is performed. The

negotiated key (Z) is used as the pre_master_secret, and is converted
into the master_secret, as specified above.
Note: Diffie-Hellman parameters are specified by the server, and may

be either ephemeral or contained within the server's certificate.
9. Mandatory Cipher Suites
In the absence of an application profile standard specifying

otherwise, a TLS compliant application MUST implement the cipher
suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.
10. Application data protocol
Application data messages are carried by the Record Layer and are
fragmented, compressed and encrypted based on the current connection
state. The messages are treated as transparent data to the record
layer.

A. Protocol constant values
This section describes protocol types and constants.
A.1. Record layer
struct {
uint8 major, minor;
} ProtocolVersion;
ProtocolVersion version = { 3, 1 }; /* TLS v1.0 */
enum {
change_cipher_spec(20), alert(21), handshake(22),
application_data(23), (255)
} ContentType;
struct {
ContentType type;
uint16 length;
opaque fragment[TLSPlaintext.length];
} TLSPlaintext;
struct {
ContentType type;
uint16 length;
opaque fragment[TLSCompressed.length];
} TLSCompressed;
struct {
ContentType type;
uint16 length;
select (CipherSpec.cipher_type) {
case stream: GenericStreamCipher;
case block: GenericBlockCipher;
} fragment;
} TLSCiphertext;
} GenericStreamCipher;
block-ciphered struct {

uint8 padding[GenericBlockCipher.padding_length];
uint8 padding_length;
} GenericBlockCipher;
A.2. Change cipher specs message
struct {
enum { change_cipher_spec(1), (255) } type;
} ChangeCipherSpec;
A.3. Alert messages
enum { warning(1), fatal(2), (255) } AlertLevel;
enum {
close_notify(0),
unexpected_message(10),
bad_record_mac(20),
decryption_failed(21),
record_overflow(22),
decompression_failure(30),
handshake_failure(40),
bad_certificate(42),
unsupported_certificate(43),
certificate_revoked(44),
certificate_expired(45),
certificate_unknown(46),
illegal_parameter(47),
unknown_ca(48),
access_denied(49),
decode_error(50),
decrypt_error(51),
export_restriction(60),
protocol_version(70),
insufficient_security(71),
internal_error(80),
user_canceled(90),
no_renegotiation(100),
(255)
} AlertDescription;
struct {
AlertLevel level;
AlertDescription description;
} Alert;

A.4. Handshake protocol
enum {
hello_request(0), client_hello(1), server_hello(2),
certificate(11), server_key_exchange (12),
certificate_request(13), server_hello_done(14),
certificate_verify(15), client_key_exchange(16),
finished(20), (255)
} HandshakeType;
struct {
HandshakeType msg_type;
uint24 length;
select (HandshakeType) {
case hello_request: HelloRequest;
case client_hello: ClientHello;
case server_hello: ServerHello;
case certificate: Certificate;
case server_key_exchange: ServerKeyExchange;
case certificate_request: CertificateRequest;
case server_hello_done: ServerHelloDone;
case certificate_verify: CertificateVerify;
case client_key_exchange: ClientKeyExchange;
case finished: Finished;
} body;
} Handshake;
A.4.1. Hello messages
struct { } HelloRequest;
struct {
uint32 gmt_unix_time;
opaque random_bytes[28];
} Random;
opaque SessionID<0..32>;
uint8 CipherSuite[2];
struct {
Random random;
CipherSuite cipher_suites<2..2^16-1>;
CompressionMethod compression_methods<1..2^8-1>;

} ClientHello;
struct {
ProtocolVersion server_version;
Random random;
CipherSuite cipher_suite;
CompressionMethod compression_method;
} ServerHello;
A.4.2. Server authentication and key exchange messages
opaque ASN.1Cert<2^24-1>;
struct {
ASN.1Cert certificate_list<1..2^24-1>;
} Certificate;
enum { rsa, diffie_hellman } KeyExchangeAlgorithm;
struct {
opaque RSA_modulus<1..2^16-1>;
opaque RSA_exponent<1..2^16-1>;
} ServerRSAParams;
struct {
opaque DH_p<1..2^16-1>;
opaque DH_g<1..2^16-1>;
opaque DH_Ys<1..2^16-1>;
} ServerDHParams;
struct {
case diffie_hellman:
ServerDHParams params;
case rsa:
ServerRSAParams params;
};
} ServerKeyExchange;
enum { anonymous, rsa, dsa } SignatureAlgorithm;
select (SignatureAlgorithm)
{ case anonymous: struct { };
case rsa:

opaque md5_hash[16];
};
case dsa:
};
} Signature;
enum {
rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
(255)
} ClientCertificateType;
opaque DistinguishedName<1..2^16-1>;
struct {
ClientCertificateType certificate_types<1..2^8-1>;
DistinguishedName certificate_authorities<3..2^16-1>;
} CertificateRequest;
struct { } ServerHelloDone;
A.4.3. Client authentication and key exchange messages
struct {
case rsa: EncryptedPreMasterSecret;
case diffie_hellman: DiffieHellmanClientPublicValue;
} exchange_keys;
} ClientKeyExchange;
struct {
opaque random[46];
} PreMasterSecret;
struct {
public-key-encrypted PreMasterSecret pre_master_secret;
} EncryptedPreMasterSecret;
enum { implicit, explicit } PublicValueEncoding;
struct {
select (PublicValueEncoding) {
case implicit: struct {};
case explicit: opaque DH_Yc<1..2^16-1>;

} dh_public;
} ClientDiffieHellmanPublic;
struct {
Signature signature;
} CertificateVerify;
A.4.4. Handshake finalization message
struct {
opaque verify_data[12];
} Finished;
A.5. The CipherSuite
The following values define the CipherSuite codes used in the client
hello and server hello messages.
A CipherSuite defines a cipher specification supported in TLS Version

1.0.
TLS_NULL_WITH_NULL_NULL is specified and is the initial state of a

TLS connection during the first handshake on that channel, but must
not be negotiated, as it provides no more protection than an
unsecured connection.
CipherSuite TLS_NULL_WITH_NULL_NULL = { 0x00,0x00 };
The following CipherSuite definitions require that the server provide

an RSA certificate that can be used for key exchange. The server may
request either an RSA or a DSS signature-capable certificate in the
certificate request message.
CipherSuite TLS_RSA_WITH_NULL_MD5 = { 0x00,0x01 };

CipherSuite TLS_RSA_WITH_NULL_SHA = { 0x00,0x02 };
CipherSuite TLS_RSA_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x03 };
CipherSuite TLS_RSA_WITH_RC4_128_MD5 = { 0x00,0x04 };
CipherSuite TLS_RSA_WITH_RC4_128_SHA = { 0x00,0x05 };
CipherSuite TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x06 };
CipherSuite TLS_RSA_WITH_IDEA_CBC_SHA = { 0x00,0x07 };
CipherSuite TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x08 };
CipherSuite TLS_RSA_WITH_DES_CBC_SHA = { 0x00,0x09 };
CipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0A };
The following CipherSuite definitions are used for server-

authenticated (and optionally client-authenticated) Diffie-Hellman.
DH denotes cipher suites in which the server's certificate contains
the Diffie-Hellman parameters signed by the certificate authority

(CA). DHE denotes ephemeral Diffie-Hellman, where the Diffie-Hellman

parameters are signed by a DSS or RSA certificate, which has been
signed by the CA. The signing algorithm used is specified after the
DH or DHE parameter. The server can request an RSA or DSS signature-
capable certificate from the client for client authentication or it
may request a Diffie-Hellman certificate. Any Diffie-Hellman
certificate provided by the client must use the parameters (group and
generator) described by the server.
CipherSuite TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0B };

CipherSuite TLS_DH_DSS_WITH_DES_CBC_SHA = { 0x00,0x0C };
CipherSuite TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x0D };
CipherSuite TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x0E };
CipherSuite TLS_DH_RSA_WITH_DES_CBC_SHA = { 0x00,0x0F };
CipherSuite TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x10 };
CipherSuite TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x11 };
CipherSuite TLS_DHE_DSS_WITH_DES_CBC_SHA = { 0x00,0x12 };
CipherSuite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = { 0x00,0x13 };
CipherSuite TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x14 };
CipherSuite TLS_DHE_RSA_WITH_DES_CBC_SHA = { 0x00,0x15 };
CipherSuite TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = { 0x00,0x16 };
The following cipher suites are used for completely anonymous

Diffie-Hellman communications in which neither party is
authenticated. Note that this mode is vulnerable to man-in-the-middle
attacks and is therefore deprecated.
CipherSuite TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x17 };

CipherSuite TLS_DH_anon_WITH_RC4_128_MD5 = { 0x00,0x18 };
CipherSuite TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = { 0x00,0x19 };
CipherSuite TLS_DH_anon_WITH_DES_CBC_SHA = { 0x00,0x1A };
CipherSuite TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1B };
Note: All cipher suites whose first byte is 0xFF are considered
private and can be used for defining local/experimental
algorithms. Interoperability of such types is a local matter.
Note: Additional cipher suites can be registered by publishing an RFC

which specifies the cipher suites, including the necessary TLS
protocol information, including message encoding, premaster
secret derivation, symmetric encryption and MAC calculation and
appropriate reference information for the algorithms involved.
The RFC editor's office may, at its discretion, choose to publish
specifications for cipher suites which are not completely
described (e.g., for classified algorithms) if it finds the
specification to be of technical interest and completely
specified.

Note: The cipher suite values { 0x00, 0x1C } and { 0x00, 0x1D } are
reserved to avoid collision with Fortezza-based cipher suites in
SSL 3.
A.6. The Security Parameters
These security parameters are determined by the TLS Handshake

Protocol and provided as parameters to the TLS Record Layer in order
to initialize a connection state. SecurityParameters includes:
enum { server, client } ConnectionEnd;
enum { null, rc4, rc2, des, 3des, des40, idea }

BulkCipherAlgorithm;
enum { stream, block } CipherType;
enum { true, false } IsExportable;
enum { null, md5, sha } MACAlgorithm;
/* The algorithms specified in CompressionMethod,

BulkCipherAlgorithm, and MACAlgorithm may be added to. */
struct {
ConnectionEnd entity;
BulkCipherAlgorithm bulk_cipher_algorithm;
CipherType cipher_type;
uint8 key_size;
uint8 key_material_length;
IsExportable is_exportable;
MACAlgorithm mac_algorithm;
uint8 hash_size;
CompressionMethod compression_algorithm;
opaque master_secret[48];
opaque client_random[32];
opaque server_random[32];
} SecurityParameters;

B. Glossary
application protocol
An application protocol is a protocol that normally layers
directly on top of the transport layer (e.g., TCP/IP). Examples
include HTTP, TELNET, FTP, and SMTP.
asymmetric cipher
See public key cryptography.
authentication
Authentication is the ability of one entity to determine the
identity of another entity.
block cipher
A block cipher is an algorithm that operates on plaintext in
groups of bits, called blocks. 64 bits is a common block size.
bulk cipher
A symmetric encryption algorithm used to encrypt large quantities
of data.
cipher block chaining (CBC)

CBC is a mode in which every plaintext block encrypted with a
block cipher is first exclusive-ORed with the previous ciphertext
block (or, in the case of the first block, with the
initialization vector). For decryption, every block is first
decrypted, then exclusive-ORed with the previous ciphertext block
(or IV).
certificate
As part of the X.509 protocol (a.k.a. ISO Authentication
framework), certificates are assigned by a trusted Certificate
Authority and provide a strong binding between a party's identity
or some other attributes and its public key.
client
The application entity that initiates a TLS connection to a
server. This may or may not imply that the client initiated the
underlying transport connection. The primary operational
difference between the server and client is that the server is
generally authenticated, while the client is only optionally
authenticated.
client write key

The key used to encrypt data written by the client.

client write MAC secret

The secret data used to authenticate data written by the client.
connection
A connection is a transport (in the OSI layering model
definition) that provides a suitable type of service. For TLS,
such connections are peer to peer relationships. The connections
are transient. Every connection is associated with one session.
Data Encryption Standard

DES is a very widely used symmetric encryption algorithm. DES is
a block cipher with a 56 bit key and an 8 byte block size. Note
that in TLS, for key generation purposes, DES is treated as
having an 8 byte key length (64 bits), but it still only provides
56 bits of protection. (The low bit of each key byte is presumed
to be set to produce odd parity in that key byte.) DES can also
be operated in a mode where three independent keys and three
encryptions are used for each block of data; this uses 168 bits
of key (24 bytes in the TLS key generation method) and provides
the equivalent of 112 bits of security. [DES], [3DES]
Digital Signature Standard (DSS)

A standard for digital signing, including the Digital Signing
Algorithm, approved by the National Institute of Standards and
Technology, defined in NIST FIPS PUB 186, "Digital Signature
Standard," published May, 1994 by the U.S. Dept. of Commerce.
[DSS]
digital signatures
Digital signatures utilize public key cryptography and one-way
hash functions to produce a signature of the data that can be
authenticated, and is difficult to forge or repudiate.
handshake
An initial negotiation between client and server that establishes
the parameters of their transactions.
Initialization Vector (IV)

When a block cipher is used in CBC mode, the initialization
vector is exclusive-ORed with the first plaintext block prior to
encryption.
IDEA
A 64-bit block cipher designed by Xuejia Lai and James Massey.
[IDEA]

Message Authentication Code (MAC)

A Message Authentication Code is a one-way hash computed from a
message and some secret data. It is difficult to forge without
knowing the secret data. Its purpose is to detect if the message
has been altered.
master secret
Secure secret data used for generating encryption keys, MAC
secrets, and IVs.
MD5
MD5 is a secure hashing function that converts an arbitrarily
long data stream into a digest of fixed size (16 bytes). [MD5]
public key cryptography

A class of cryptographic techniques employing two-key ciphers.
Messages encrypted with the public key can only be decrypted with
the associated private key. Conversely, messages signed with the
private key can be verified with the public key.
one-way hash function

A one-way transformation that converts an arbitrary amount of
data into a fixed-length hash. It is computationally hard to
reverse the transformation or to find collisions. MD5 and SHA are
examples of one-way hash functions.
RC2
A block cipher developed by Ron Rivest at RSA Data Security, Inc.
[RSADSI] described in [RC2].
RC4
A stream cipher licensed by RSA Data Security [RSADSI]. A
compatible cipher is described in [RC4].
RSA
A very widely used public-key algorithm that can be used for
either encryption or digital signing. [RSA]
salt
Non-secret random data used to make export encryption keys resist
precomputation attacks.
server
The server is the application entity that responds to requests
for connections from clients. See also under client.

session
A TLS session is an association between a client and a server.
Sessions are created by the handshake protocol. Sessions define a
set of cryptographic security parameters, which can be shared
among multiple connections. Sessions are used to avoid the
expensive negotiation of new security parameters for each
connection.
session identifier
A session identifier is a value generated by a server that
identifies a particular session.
server write key

The key used to encrypt data written by the server.
server write MAC secret

The secret data used to authenticate data written by the server.
SHA
The Secure Hash Algorithm is defined in FIPS PUB 180-1. It
produces a 20-byte output. Note that all references to SHA
actually use the modified SHA-1 algorithm. [SHA]
SSL
Netscape's Secure Socket Layer protocol [SSL3]. TLS is based on
SSL Version 3.0
stream cipher
An encryption algorithm that converts a key into a
cryptographically-strong keystream, which is then exclusive-ORed
with the plaintext.
symmetric cipher
See bulk cipher.
Transport Layer Security (TLS)

This protocol; also, the Transport Layer Security working group
of the Internet Engineering Task Force (IETF). See "Comments" at
the end of this document.

C. CipherSuite definitions
CipherSuite Is Key Cipher Hash

Exportable Exchange
TLS_NULL_WITH_NULL_NULL * NULL NULL NULL

TLS_RSA_WITH_NULL_MD5 * RSA NULL MD5
TLS_RSA_WITH_NULL_SHA * RSA NULL SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5 * RSA_EXPORT RC4_40 MD5
TLS_RSA_WITH_RC4_128_MD5 RSA RC4_128 MD5
TLS_RSA_WITH_RC4_128_SHA RSA RC4_128 SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 * RSA_EXPORT RC2_CBC_40 MD5
TLS_RSA_WITH_IDEA_CBC_SHA RSA IDEA_CBC SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA * RSA_EXPORT DES40_CBC SHA
TLS_RSA_WITH_DES_CBC_SHA RSA DES_CBC SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA RSA 3DES_EDE_CBC SHA
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA * DH_DSS_EXPORT DES40_CBC SHA
TLS_DH_DSS_WITH_DES_CBC_SHA DH_DSS DES_CBC SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA DH_DSS 3DES_EDE_CBC SHA
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA * DH_RSA_EXPORT DES40_CBC SHA
TLS_DH_RSA_WITH_DES_CBC_SHA DH_RSA DES_CBC SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA DH_RSA 3DES_EDE_CBC SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA * DHE_DSS_EXPORT DES40_CBC SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA DHE_DSS DES_CBC SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE_DSS 3DES_EDE_CBC SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA * DHE_RSA_EXPORT DES40_CBC SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA DHE_RSA DES_CBC SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA 3DES_EDE_CBC SHA
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 * DH_anon_EXPORT RC4_40 MD5
TLS_DH_anon_WITH_RC4_128_MD5 DH_anon RC4_128 MD5
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA DH_anon DES40_CBC SHA
TLS_DH_anon_WITH_DES_CBC_SHA DH_anon DES_CBC SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH_anon 3DES_EDE_CBC SHA
* Indicates IsExportable is True
Key
Exchange
Algorithm Description Key size limit
DHE_DSS Ephemeral DH with DSS signatures None

DHE_DSS_EXPORT Ephemeral DH with DSS signatures DH = 512 bits
DHE_RSA Ephemeral DH with RSA signatures None
DHE_RSA_EXPORT Ephemeral DH with RSA signatures DH = 512 bits,
RSA = none
DH_anon Anonymous DH, no signatures None
DH_anon_EXPORT Anonymous DH, no signatures DH = 512 bits

DH_DSS DH with DSS-based certificates None

DH_DSS_EXPORT DH with DSS-based certificates DH = 512 bits
DH_RSA DH with RSA-based certificates None
DH_RSA_EXPORT DH with RSA-based certificates DH = 512 bits,
RSA = none
NULL No key exchange N/A
RSA RSA key exchange None
RSA_EXPORT RSA key exchange RSA = 512 bits
Key size limit

The key size limit gives the size of the largest public key that
can be legally used for encryption in cipher suites that are
exportable.
Key Expanded Effective IV Block

Cipher Type Material Key Material Key Bits Size Size
NULL * Stream 0 0 0 0 N/A

IDEA_CBC Block 16 16 128 8 8
RC2_CBC_40 * Block 5 16 40 8 8
RC4_40 * Stream 5 16 40 0 N/A
RC4_128 Stream 16 16 128 0 N/A
DES40_CBC * Block 5 8 40 8 8
DES_CBC Block 8 8 56 8 8
3DES_EDE_CBC Block 24 24 168 8 8
* Indicates IsExportable is true.
Type
Indicates whether this is a stream cipher or a block cipher
running in CBC mode.
Key Material
The number of bytes from the key_block that are used for
generating the write keys.
Expanded Key Material

The number of bytes actually fed into the encryption algorithm
Effective Key Bits

How much entropy material is in the key material being fed into
the encryption routines.
IV Size
How much data needs to be generated for the initialization
vector. Zero for stream ciphers; equal to the block size for
block ciphers.

Block Size
The amount of data a block cipher enciphers in one chunk; a
block cipher running in CBC mode can only encrypt an even
multiple of its block size.
Hash Hash Padding

function Size Size
NULL 0 0
MD5 16 48
SHA 20 40

D. Implementation Notes
The TLS protocol cannot prevent many common security mistakes. This
section provides several recommendations to assist implementors.
D.1. Temporary RSA keys
US Export restrictions limit RSA keys used for encryption to 512

bits, but do not place any limit on lengths of RSA keys used for
signing operations. Certificates often need to be larger than 512
bits, since 512-bit RSA keys are not secure enough for high-value
transactions or for applications requiring long-term security. Some
certificates are also designated signing-only, in which case they
cannot be used for key exchange.
When the public key in the certificate cannot be used for encryption,
the server signs a temporary RSA key, which is then exchanged. In
exportable applications, the temporary RSA key should be the maximum
allowable length (i.e., 512 bits). Because 512-bit RSA keys are
relatively insecure, they should be changed often. For typical
electronic commerce applications, it is suggested that keys be
changed daily or every 500 transactions, and more often if possible.
Note that while it is acceptable to use the same temporary key for
multiple transactions, it must be signed each time it is used.
RSA key generation is a time-consuming process. In many cases, a

low-priority process can be assigned the task of key generation.
Whenever a new key is completed, the existing temporary key can be

replaced with the new one.
D.2. Random Number Generation and Seeding
TLS requires a cryptographically-secure pseudorandom number generator

(PRNG). Care must be taken in designing and seeding PRNGs. PRNGs
based on secure hash operations, most notably MD5 and/or SHA, are
acceptable, but cannot provide more security than the size of the
random number generator state. (For example, MD5-based PRNGs usually
provide 128 bits of state.)
To estimate the amount of seed material being produced, add the

number of bits of unpredictable information in each seed byte. For
example, keystroke timing values taken from a PC compatible's 18.2 Hz
timer provide 1 or 2 secure bits each, even though the total size of
the counter value is 16 bits or more. To seed a 128-bit PRNG, one
would thus require approximately 100 such timer values.

Warning: The seeding functions in RSAREF and versions of BSAFE prior to

3.0 are order-independent. For example, if 1000 seed bits are
supplied, one at a time, in 1000 separate calls to the seed
function, the PRNG will end up in a state which depends only
on the number of 0 or 1 seed bits in the seed data (i.e.,
there are 1001 possible final states). Applications using
BSAFE or RSAREF must take extra care to ensure proper seeding.
This may be accomplished by accumulating seed bits into a
buffer and processing them all at once or by processing an
incrementing counter with every seed bit; either method will
reintroduce order dependence into the seeding process.
D.3. Certificates and authentication
Implementations are responsible for verifying the integrity of

certificates and should generally support certificate revocation
messages. Certificates should always be verified to ensure proper
signing by a trusted Certificate Authority (CA). The selection and
addition of trusted CAs should be done very carefully. Users should
be able to view information about the certificate and root CA.
D.4. CipherSuites
TLS supports a range of key sizes and security levels, including some
which provide no or minimal security. A proper implementation will
probably not support many cipher suites. For example, 40-bit
encryption is easily broken, so implementations requiring strong
security should not allow 40-bit keys. Similarly, anonymous Diffie-
Hellman is strongly discouraged because it cannot prevent man-in-
the-middle attacks. Applications should also enforce minimum and
maximum key sizes. For example, certificate chains containing 512-bit
RSA keys or signatures are not appropriate for high-security
applications.

E. Backward Compatibility With SSL
For historical reasons and in order to avoid a profligate consumption

of reserved port numbers, application protocols which are secured by
TLS 1.0, SSL 3.0, and SSL 2.0 all frequently share the same
connection port: for example, the https protocol (HTTP secured by SSL
or TLS) uses port 443 regardless of which security protocol it is
using. Thus, some mechanism must be determined to distinguish and
negotiate among the various protocols.
TLS version 1.0 and SSL 3.0 are very similar; thus, supporting both
is easy. TLS clients who wish to negotiate with SSL 3.0 servers
should send client hello messages using the SSL 3.0 record format and
client hello structure, sending {3, 1} for the version field to note
that they support TLS 1.0. If the server supports only SSL 3.0, it
will respond with an SSL 3.0 server hello; if it supports TLS, with a
TLS server hello. The negotiation then proceeds as appropriate for
the negotiated protocol.
Similarly, a TLS server which wishes to interoperate with SSL 3.0

clients should accept SSL 3.0 client hello messages and respond with
an SSL 3.0 server hello if an SSL 3.0 client hello is received which
has a version field of {3, 0}, denoting that this client does not
support TLS.
Whenever a client already knows the highest protocol known to a

server (for example, when resuming a session), it should initiate the
connection in that native protocol.
TLS 1.0 clients that support SSL Version 2.0 servers must send SSL
Version 2.0 client hello messages [SSL2]. TLS servers should accept
either client hello format if they wish to support SSL 2.0 clients on
the same connection port. The only deviations from the Version 2.0
specification are the ability to specify a version with a value of
three and the support for more ciphering types in the CipherSpec.
Warning: The ability to send Version 2.0 client hello messages will be
phased out with all due haste. Implementors should make every
effort to move forward as quickly as possible. Version 3.0
provides better mechanisms for moving to newer versions.
The following cipher specifications are carryovers from SSL Version

2.0. These are assumed to use RSA for key exchange and
authentication.
V2CipherSpec TLS_RC4_128_WITH_MD5 = { 0x01,0x00,0x80 };

V2CipherSpec TLS_RC4_128_EXPORT40_WITH_MD5 = { 0x02,0x00,0x80 };
V2CipherSpec TLS_RC2_CBC_128_CBC_WITH_MD5 = { 0x03,0x00,0x80 };

V2CipherSpec TLS_RC2_CBC_128_CBC_EXPORT40_WITH_MD5
= { 0x04,0x00,0x80 };
V2CipherSpec TLS_IDEA_128_CBC_WITH_MD5 = { 0x05,0x00,0x80 };
V2CipherSpec TLS_DES_64_CBC_WITH_MD5 = { 0x06,0x00,0x40 };
V2CipherSpec TLS_DES_192_EDE3_CBC_WITH_MD5 = { 0x07,0x00,0xC0 };
Cipher specifications native to TLS can be included in Version 2.0

client hello messages using the syntax below. Any V2CipherSpec
element with its first byte equal to zero will be ignored by Version
2.0 servers. Clients sending any of the above V2CipherSpecs should
also include the TLS equivalent (see Appendix A.5):
V2CipherSpec (see TLS name) = { 0x00, CipherSuite };
E.1. Version 2 client hello
The Version 2.0 client hello message is presented below using this
document's presentation model. The true definition is still assumed
to be the SSL Version 2.0 specification.
uint8 V2CipherSpec[3];
struct {
uint8 msg_type;
Version version;
uint16 cipher_spec_length;
uint16 session_id_length;
uint16 challenge_length;
V2CipherSpec cipher_specs[V2ClientHello.cipher_spec_length];
opaque session_id[V2ClientHello.session_id_length];
Random challenge;
} V2ClientHello;
msg_type
This field, in conjunction with the version field, identifies a
version 2 client hello message. The value should be one (1).
version
The highest version of the protocol supported by the client
(equals ProtocolVersion.version, see Appendix A.1).
cipher_spec_length
This field is the total length of the field cipher_specs. It
cannot be zero and must be a multiple of the V2CipherSpec length
(3).

session_id_length
This field must have a value of either zero or 16. If zero, the
client is creating a new session. If 16, the session_id field
will contain the 16 bytes of session identification.
challenge_length
The length in bytes of the client's challenge to the server to
authenticate itself. This value must be 32.
cipher_specs
This is a list of all CipherSpecs the client is willing and able
to use. There must be at least one CipherSpec acceptable to the
server.
session_id
If this field's length is not zero, it will contain the
identification for a session that the client wishes to resume.
challenge
The client challenge to the server for the server to identify
itself is a (nearly) arbitrary length random. The TLS server will
right justify the challenge data to become the ClientHello.random
data (padded with leading zeroes, if necessary), as specified in
this protocol specification. If the length of the challenge is
greater than 32 bytes, only the last 32 bytes are used. It is
legitimate (but not necessary) for a V3 server to reject a V2
ClientHello that has fewer than 16 bytes of challenge data.
Note: Requests to resume a TLS session should use a TLS client hello.
E.2. Avoiding man-in-the-middle version rollback
When TLS clients fall back to Version 2.0 compatibility mode, they
should use special PKCS #1 block formatting. This is done so that TLS
servers will reject Version 2.0 sessions with TLS-capable clients.
When TLS clients are in Version 2.0 compatibility mode, they set the
right-hand (least-significant) 8 random bytes of the PKCS padding
(not including the terminal null of the padding) for the RSA
encryption of the ENCRYPTED-KEY-DATA field of the CLIENT-MASTER-KEY
to 0x03 (the other padding bytes are random). After decrypting the
ENCRYPTED-KEY-DATA field, servers that support TLS should issue an
error if these eight padding bytes are 0x03. Version 2.0 servers
receiving blocks padded in this manner will proceed normally.

F. Security analysis
The TLS protocol is designed to establish a secure connection between

a client and a server communicating over an insecure channel. This
document makes several traditional assumptions, including that
attackers have substantial computational resources and cannot obtain
secret information from sources outside the protocol. Attackers are
assumed to have the ability to capture, modify, delete, replay, and
otherwise tamper with messages sent over the communication channel.
This appendix outlines how TLS has been designed to resist a variety
of attacks.
F.1. Handshake protocol
The handshake protocol is responsible for selecting a CipherSpec and

generating a Master Secret, which together comprise the primary
cryptographic parameters associated with a secure session. The
handshake protocol can also optionally authenticate parties who have
certificates signed by a trusted certificate authority.
F.1.1. Authentication and key exchange
TLS supports three authentication modes: authentication of both

parties, server authentication with an unauthenticated client, and
total anonymity. Whenever the server is authenticated, the channel is
secure against man-in-the-middle attacks, but completely anonymous
sessions are inherently vulnerable to such attacks. Anonymous
servers cannot authenticate clients. If the server is authenticated,
its certificate message must provide a valid certificate chain
leading to an acceptable certificate authority. Similarly,
authenticated clients must supply an acceptable certificate to the
server. Each party is responsible for verifying that the other's
certificate is valid and has not expired or been revoked.
The general goal of the key exchange process is to create a

pre_master_secret known to the communicating parties and not to
attackers. The pre_master_secret will be used to generate the
master_secret (see Section 8.1). The master_secret is required to
generate the certificate verify and finished messages, encryption
keys, and MAC secrets (see Sections 7.4.8, 7.4.9 and 6.3). By sending
a correct finished message, parties thus prove that they know the
correct pre_master_secret.
F.1.1.1. Anonymous key exchange
Completely anonymous sessions can be established using RSA or

Diffie-Hellman for key exchange. With anonymous RSA, the client
encrypts a pre_master_secret with the server's uncertified public key

extracted from the server key exchange message. The result is sent in
a client key exchange message. Since eavesdroppers do not know the
server's private key, it will be infeasible for them to decode the
pre_master_secret. (Note that no anonymous RSA Cipher Suites are
defined in this document).
With Diffie-Hellman, the server's public parameters are contained in

the server key exchange message and the client's are sent in the
client key exchange message. Eavesdroppers who do not know the
private values should not be able to find the Diffie-Hellman result
(i.e. the pre_master_secret).
Warning: Completely anonymous connections only provide protection

against passive eavesdropping. Unless an independent tamper-
proof channel is used to verify that the finished messages
were not replaced by an attacker, server authentication is
required in environments where active man-in-the-middle
attacks are a concern.
F.1.1.2. RSA key exchange and authentication
With RSA, key exchange and server authentication are combined. The
public key may be either contained in the server's certificate or may
be a temporary RSA key sent in a server key exchange message. When
temporary RSA keys are used, they are signed by the server's RSA or
DSS certificate. The signature includes the current
ClientHello.random, so old signatures and temporary keys cannot be
replayed. Servers may use a single temporary RSA key for multiple
negotiation sessions.
Note: The temporary RSA key option is useful if servers need large
certificates but must comply with government-imposed size limits
on keys used for key exchange.
After verifying the server's certificate, the client encrypts a

pre_master_secret with the server's public key. By successfully
decoding the pre_master_secret and producing a correct finished
message, the server demonstrates that it knows the private key
corresponding to the server certificate.
When RSA is used for key exchange, clients are authenticated using
the certificate verify message (see Section 7.4.8). The client signs
a value derived from the master_secret and all preceding handshake
messages. These handshake messages include the server certificate,
which binds the signature to the server, and ServerHello.random,
which binds the signature to the current handshake process.

F.1.1.3. Diffie-Hellman key exchange with authentication
When Diffie-Hellman key exchange is used, the server can either

supply a certificate containing fixed Diffie-Hellman parameters or
can use the server key exchange message to send a set of temporary
Diffie-Hellman parameters signed with a DSS or RSA certificate.
Temporary parameters are hashed with the hello.random values before
signing to ensure that attackers do not replay old parameters. In
either case, the client can verify the certificate or signature to
ensure that the parameters belong to the server.
If the client has a certificate containing fixed Diffie-Hellman

parameters, its certificate contains the information required to
complete the key exchange. Note that in this case the client and
server will generate the same Diffie-Hellman result (i.e.,
pre_master_secret) every time they communicate. To prevent the
pre_master_secret from staying in memory any longer than necessary,
it should be converted into the master_secret as soon as possible.
Client Diffie-Hellman parameters must be compatible with those
supplied by the server for the key exchange to work.
If the client has a standard DSS or RSA certificate or is

unauthenticated, it sends a set of temporary parameters to the server
in the client key exchange message, then optionally uses a
certificate verify message to authenticate itself.
F.1.2. Version rollback attacks
Because TLS includes substantial improvements over SSL Version 2.0,

attackers may try to make TLS-capable clients and servers fall back
to Version 2.0. This attack can occur if (and only if) two TLS-
capable parties use an SSL 2.0 handshake.
Although the solution using non-random PKCS #1 block type 2 message

padding is inelegant, it provides a reasonably secure way for Version
3.0 servers to detect the attack. This solution is not secure against
attackers who can brute force the key and substitute a new
ENCRYPTED-KEY-DATA message containing the same key (but with normal
padding) before the application specified wait threshold has expired.
Parties concerned about attacks of this scale should not be using
40-bit encryption keys anyway. Altering the padding of the least-
significant 8 bytes of the PKCS padding does not impact security for
the size of the signed hashes and RSA key lengths used in the
protocol, since this is essentially equivalent to increasing the
input block size by 8 bytes.

F.1.3. Detecting attacks against the handshake protocol
An attacker might try to influence the handshake exchange to make the

parties select different encryption algorithms than they would
normally choose. Because many implementations will support 40-bit
exportable encryption and some may even support null encryption or
MAC algorithms, this attack is of particular concern.
For this attack, an attacker must actively change one or more

handshake messages. If this occurs, the client and server will
compute different values for the handshake message hashes. As a
result, the parties will not accept each others' finished messages.
Without the master_secret, the attacker cannot repair the finished
messages, so the attack will be discovered.
F.1.4. Resuming sessions
When a connection is established by resuming a session, new

ClientHello.random and ServerHello.random values are hashed with the
session's master_secret. Provided that the master_secret has not been
compromised and that the secure hash operations used to produce the
encryption keys and MAC secrets are secure, the connection should be
secure and effectively independent from previous connections.
Attackers cannot use known encryption keys or MAC secrets to
compromise the master_secret without breaking the secure hash
operations (which use both SHA and MD5).
Sessions cannot be resumed unless both the client and server agree.
If either party suspects that the session may have been compromised,
or that certificates may have expired or been revoked, it should
force a full handshake. An upper limit of 24 hours is suggested for
session ID lifetimes, since an attacker who obtains a master_secret
may be able to impersonate the compromised party until the
corresponding session ID is retired. Applications that may be run in
relatively insecure environments should not write session IDs to
stable storage.
F.1.5. MD5 and SHA
TLS uses hash functions very conservatively. Where possible, both MD5
and SHA are used in tandem to ensure that non-catastrophic flaws in
one algorithm will not break the overall protocol.
F.2. Protecting application data
The master_secret is hashed with the ClientHello.random and

ServerHello.random to produce unique data encryption keys and MAC
secrets for each connection.

Outgoing data is protected with a MAC before transmission. To prevent

message replay or modification attacks, the MAC is computed from the
MAC secret, the sequence number, the message length, the message
contents, and two fixed character strings. The message type field is
necessary to ensure that messages intended for one TLS Record Layer
client are not redirected to another. The sequence number ensures
that attempts to delete or reorder messages will be detected. Since
sequence numbers are 64-bits long, they should never overflow.
Messages from one party cannot be inserted into the other's output,
since they use independent MAC secrets. Similarly, the server-write
and client-write keys are independent so stream cipher keys are used
only once.
If an attacker does break an encryption key, all messages encrypted

with it can be read. Similarly, compromise of a MAC key can make
message modification attacks possible. Because MACs are also
encrypted, message-alteration attacks generally require breaking the
encryption algorithm as well as the MAC.
Note: MAC secrets may be larger than encryption keys, so messages can
remain tamper resistant even if encryption keys are broken.
F.3. Final notes
For TLS to be able to provide a secure connection, both the client

and server systems, keys, and applications must be secure. In
addition, the implementation must be free of security errors.
The system is only as strong as the weakest key exchange and

authentication algorithm supported, and only trustworthy
cryptographic functions should be used. Short public keys, 40-bit
bulk encryption keys, and anonymous servers should be used with great
caution. Implementations and users must be careful when deciding
which certificates and certificate authorities are acceptable; a
dishonest certificate authority can do tremendous damage.

G. Patent Statement
Some of the cryptographic algorithms proposed for use in this

protocol have patent claims on them. In addition Netscape
Communications Corporation has a patent claim on the Secure Sockets
Layer (SSL) work that this standard is based on. The Internet
Standards Process as defined in RFC 2026 requests that a statement be
obtained from a Patent holder indicating that a license will be made
available to applicants under reasonable terms and conditions.
The Massachusetts Institute of Technology has granted RSA Data

Security, Inc., exclusive sub-licensing rights to the following
patent issued in the United States:
Cryptographic Communications System and Method ("RSA"), No.

4,405,829
Netscape Communications Corporation has been issued the following

patent in the United States:
Secure Socket Layer Application Program Apparatus And Method

("SSL"), No. 5,657,390
Netscape Communications has issued the following statement:
Intellectual Property Rights
Secure Sockets Layer
The United States Patent and Trademark Office ("the PTO")

recently issued U.S. Patent No. 5,657,390 ("the SSL Patent") to
Netscape for inventions described as Secure Sockets Layers
("SSL"). The IETF is currently considering adopting SSL as a
transport protocol with security features. Netscape encourages
the royalty-free adoption and use of the SSL protocol upon the
following terms and conditions:
* If you already have a valid SSL Ref license today which

includes source code from Netscape, an additional patent
license under the SSL patent is not required.
* If you don't have an SSL Ref license, you may have a royalty
free license to build implementations covered by the SSL
Patent Claims or the IETF TLS specification provided that you
do not to assert any patent rights against Netscape or other
companies for the implementation of SSL or the IETF TLS
recommendation.

What are "Patent Claims":
Patent claims are claims in an issued foreign or domestic patent

that:
1) must be infringed in order to implement methods or build

products according to the IETF TLS specification; or
2) patent claims which require the elements of the SSL patent

claims and/or their equivalents to be infringed.
The Internet Society, Internet Architecture Board, Internet

Engineering Steering Group and the Corporation for National Research
Initiatives take no position on the validity or scope of the patents
and patent applications, nor on the appropriateness of the terms of
the assurance. The Internet Society and other groups mentioned above
have not made any determination as to any other intellectual property
rights which may apply to the practice of this standard. Any further
consideration of these matters is the user's own responsibility.
Security Considerations
Security issues are discussed throughout this memo.
References
[3DES] W. Tuchman, "Hellman Presents No Shortcut Solutions To DES,"

IEEE Spectrum, v. 16, n. 7, July 1979, pp40-41.
[BLEI] Bleichenbacher D., "Chosen Ciphertext Attacks against

Protocols Based on RSA Encryption Standard PKCS #1" in
Advances in Cryptology -- CRYPTO'98, LNCS vol. 1462, pages:
1--12, 1998.
[DES] ANSI X3.106, "American National Standard for Information

Systems-Data Link Encryption," American National Standards
Institute, 1983.
[DH1] W. Diffie and M. E. Hellman, "New Directions in

Cryptography," IEEE Transactions on Information Theory, V.
IT-22, n. 6, Jun 1977, pp. 74-84.
[DSS] NIST FIPS PUB 186, "Digital Signature Standard," National

Institute of Standards and Technology, U.S. Department of
Commerce, May 18, 1994.
[FTP] Postel J., and J. Reynolds, "File Transfer Protocol", STD 9,

RFC 959, October 1985.

[HTTP] Berners-Lee, T., Fielding, R., and H. Frystyk, "Hypertext

Transfer Protocol -- HTTP/1.0", RFC 1945, May 1996.
[HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-

Hashing for Message Authentication," RFC 2104, February
1997.
[IDEA] X. Lai, "On the Design and Security of Block Ciphers," ETH
Series in Information Processing, v. 1, Konstanz: Hartung-
Gorre Verlag, 1992.
[MD2] Kaliski, B., "The MD2 Message Digest Algorithm", RFC 1319,
April 1992.
[MD5] Rivest, R., "The MD5 Message Digest Algorithm", RFC 1321,
April 1992.
[PKCS1] RSA Laboratories, "PKCS #1: RSA Encryption Standard,"

version 1.5, November 1993.
[PKCS6] RSA Laboratories, "PKCS #6: RSA Extended Certificate Syntax

Standard," version 1.5, November 1993.
[PKCS7] RSA Laboratories, "PKCS #7: RSA Cryptographic Message Syntax

Standard," version 1.5, November 1993.
[PKIX] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet

Public Key Infrastructure: Part I: X.509 Certificate and CRL
Profile", RFC 2459, January 1999.
[RC2] Rivest, R., "A Description of the RC2(r) Encryption

Algorithm", RFC 2268, January 1998.
[RC4] Thayer, R. and K. Kaukonen, A Stream Cipher Encryption

Algorithm, Work in Progress.
[RSA] R. Rivest, A. Shamir, and L. M. Adleman, "A Method for

Obtaining Digital Signatures and Public-Key Cryptosystems,"
Communications of the ACM, v. 21, n. 2, Feb 1978, pp. 120-
126.
[RSADSI] Contact RSA Data Security, Inc., Tel: 415-595-8782
[SCH] B. Schneier. Applied Cryptography: Protocols, Algorithms,

and Source Code in C, Published by John Wiley & Sons, Inc.
1994.

[SHA] NIST FIPS PUB 180-1, "Secure Hash Standard," National

Institute of Standards and Technology, U.S. Department of
Commerce, Work in Progress, May 31, 1994.
[SSL2] Hickman, Kipp, "The SSL Protocol", Netscape Communications

Corp., Feb 9, 1995.
[SSL3] A. Frier, P. Karlton, and P. Kocher, "The SSL 3.0 Protocol",

Netscape Communications Corp., Nov 18, 1996.
[TCP] Postel, J., "Transmission Control Protocol," STD 7, RFC 793,

September 1981.
[TEL] Postel J., and J. Reynolds, "Telnet Protocol

Specifications", STD 8, RFC 854, May 1993.
[TEL] Postel J., and J. Reynolds, "Telnet Option Specifications",

STD 8, RFC 855, May 1993.
[X509] CCITT. Recommendation X.509: "The Directory - Authentication

Framework". 1988.
[XDR] R. Srinivansan, Sun Microsystems, RFC-1832: XDR: External

Data Representation Standard, August 1995.
Credits
Win Treese
Open Market
EMail: treese@openmarket.com
Editors
Christopher Allen Tim Dierks

Certicom Certicom
EMail: callen@certicom.com EMail: tdierks@certicom.com
Authors' Addresses
Tim Dierks Philip L. Karlton

Certicom Netscape Communications
EMail: tdierks@certicom.com

Alan O. Freier Paul C. Kocher

Netscape Communications Independent Consultant
EMail: freier@netscape.com EMail: pck@netcom.com
Other contributors
Martin Abadi Robert Relyea

Digital Equipment Corporation Netscape Communications
EMail: ma@pa.dec.com EMail: relyea@netscape.com
Ran Canetti Jim Roskind

IBM Watson Research Center Netscape Communications
EMail: canetti@watson.ibm.com EMail: jar@netscape.com
Taher Elgamal Micheal J. Sabin, Ph. D.

Securify Consulting Engineer
EMail: elgamal@securify.com EMail: msabin@netcom.com
Anil R. Gangolli Dan Simon

Structured Arts Computing Corp. Microsoft
EMail: gangolli@structuredarts.com EMail: dansimon@microsoft.com
Kipp E.B. Hickman Tom Weinstein

Netscape Communications Netscape Communications
EMail: kipp@netscape.com EMail: tomw@netscape.com
Hugo Krawczyk
IBM Watson Research Center
EMail: hugo@watson.ibm.com
Comments
The discussion list for the IETF TLS working group is located at the
e-mail address <ietf-tls@lists.consensus.com>. Information on the
group and information on how to subscribe to the list is at
<http://lists.consensus.com/>.

Archives of the list can be found at:

<http://www.imc.org/ietf-tls/mail-archive/>

Full Copyright Statement
This document and translations of it may be copied and furnished to

others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an

"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Network Working Group B. Aboba

Requests for Commments: 2716 D. Simon
Category: Experimental Microsoft
October 1999
PPP EAP TLS Authentication Protocol
Status of this Memo
This memo defines an Experimental Protocol for the Internet

community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
1. Abstract
The Point-to-Point Protocol (PPP) provides a standard method for

transporting multi-protocol datagrams over point-to-point links. PPP
also defines an extensible Link Control Protocol (LCP), which can be
used to negotiate authentication methods, as well as an Encryption
Control Protocol (ECP), used to negotiate data encryption over PPP
links, and a Compression Control Protocol (CCP), used to negotiate
compression methods. The Extensible Authentication Protocol (EAP) is
a PPP extension that provides support for additional authentication
methods within PPP.
Transport Level Security (TLS) provides for mutual authentication,

integrity-protected ciphersuite negotiation and key exchange between
two endpoints. This document describes how EAP-TLS, which includes
support for fragmentation and reassembly, provides for these TLS
mechanisms within EAP.
2. Introduction
The Extensible Authentication Protocol (EAP), described in [5],

provides a standard mechanism for support of additional
authentication methods within PPP. Through the use of EAP, support
for a number of authentication schemes may be added, including smart
cards, Kerberos, Public Key, One Time Passwords, and others. To date
however, EAP methods such as [6] have focussed on authenticating a
client to a server.
Aboba & Simon Experimental [Page 1]

RFC 2716 PPP EAP TLS Authentication Protocol October 1999
However, it may be desirable to support mutual authentication, and

since PPP encryption protocols such as [9] and [10] assume existence
of a session key, it is useful to have a mechanism for session key
establishment. Since design of secure key management protocols is
non-trivial, it is desirable to avoid creating new mechanisms for
this. The EAP protocol described in this document allows a PPP peer
to take advantage of the protected ciphersuite negotiation, mutual
authentication and key management capabilities of the TLS protocol,
described in [12].
2.1. Requirements language
In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
"recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
described in [11].
3. Protocol overview
3.1. Overview of the EAP-TLS conversation
As described in [5], the EAP-TLS conversation will typically begin

with the authenticator and the peer negotiating EAP. The
authenticator will then typically send an EAP-Request/Identity packet
to the peer, and the peer will respond with an EAP-Response/Identity
packet to the authenticator, containing the peer's userId.
From this point forward, while nominally the EAP conversation occurs
between the PPP authenticator and the peer, the authenticator MAY act
as a passthrough device, with the EAP packets received from the peer
being encapsulated for transmission to a RADIUS server or backend
security server. In the discussion that follows, we will use the term
"EAP server" to denote the ultimate endpoint conversing with the
peer.
Once having received the peer's Identity, the EAP server MUST respond
with an EAP-TLS/Start packet, which is an EAP-Request packet with
EAP-Type=EAP-TLS, the Start (S) bit set, and no data. The EAP-TLS
conversation will then begin, with the peer sending an EAP-Response
packet with EAP-Type=EAP-TLS. The data field of that packet will
encapsulate one or more TLS records in TLS record layer format,
containing a TLS client_hello handshake message. The current cipher
spec for the TLS records will be TLS_NULL_WITH_NULL_NULL and null
compression. This current cipher spec remains the same until the
change_cipher_spec message signals that subsequent records will have
the negotiated attributes for the remainder of the handshake.

The client_hello message contains the client's TLS version number, a

sessionId, a random number, and a set of ciphersuites supported by
the client. The version offered by the client MUST correspond to TLS
v1.0 or later.
The EAP server will then respond with an EAP-Request packet with
EAP-Type=EAP-TLS. The data field of this packet will encapsulate one
or more TLS records. These will contain a TLS server_hello handshake
message, possibly followed by TLS certificate, server_key_exchange,
certificate_request, server_hello_done and/or finished handshake
messages, and/or a TLS change_cipher_spec message. The server_hello
handshake message contains a TLS version number, another random
number, a sessionId, and a ciphersuite. The version offered by the
server MUST correspond to TLS v1.0 or later.
If the client's sessionId is null or unrecognized by the server, the

server MUST choose the sessionId to establish a new session;
otherwise, the sessionId will match that offered by the client,
indicating a resumption of the previously established session with
that sessionID. The server will also choose a ciphersuite from those
offered by the client; if the session matches the client's, then the
ciphersuite MUST match the one negotiated during the handshake
protocol execution that established the session.
The purpose of the sessionId within the TLS protocol is to allow for
improved efficiency in the case where a client repeatedly attempts to
authenticate to an EAP server within a short period of time. While
this model was developed for use with HTTP authentication, it may
also have application to PPP authentication (e.g. multilink).
As a result, it is left up to the peer whether to attempt to continue

a previous session, thus shortening the TLS conversation. Typically
the peer's decision will be made based on the time elapsed since the
previous authentication attempt to that EAP server. Based on the
sessionId chosen by the peer, and the time elapsed since the previous
authentication, the EAP server will decide whether to allow the
continuation, or whether to choose a new session.
In the case where the EAP server and authenticator reside on the same
device, then client will only be able to continue sessions when
connecting to the same NAS or tunnel server. Should these devices be
set up in a rotary or round-robin then it may not be possible for the
peer to know in advance the authenticator it will be connecting to,
and therefore which sessionId to attempt to reuse. As a result, it is
likely that the continuation attempt will fail. In the case where the
EAP authentication is remoted then continuation is much more likely
to be successful, since multiple NAS devices and tunnel servers will
remote their EAP authentications to the same RADIUS server.

If the EAP server is resuming a previously established session, then

it MUST include only a TLS change_cipher_spec message and a TLS
finished handshake message after the server_hello message. The
finished message contains the EAP server's authentication response to
the peer. If the EAP server is not resuming a previously established
session, then it MUST include a TLS server_certificate handshake
message, and a server_hello_done handshake message MUST be the last
handshake message encapsulated in this EAP-Request packet.
The certificate message contains a public key certificate chain for

either a key exchange public key (such as an RSA or Diffie-Hellman
key exchange public key) or a signature public key (such as an RSA or
DSS signature public key). In the latter case, a TLS
server_key_exchange handshake message MUST also be included to allow
the key exchange to take place.
The certificate_request message is included when the server desires

the client to authenticate itself via public key. While the EAP
server SHOULD require client authentication, this is not a
requirement, since it may be possible that the server will require
that the peer authenticate via some other means.
The peer MUST respond to the EAP-Request with an EAP-Response packet

of EAP-Type=EAP-TLS. The data field of this packet will encapsulate
one or more TLS records containing a TLS change_cipher_spec message
and finished handshake message, and possibly certificate,
certificate_verify and/or client_key_exchange handshake messages. If
the preceding server_hello message sent by the EAP server in the
preceding EAP-Request packet indicated the resumption of a previous
session, then the peer MUST send only the change_cipher_spec and
finished handshake messages. The finished message contains the
peer's authentication response to the EAP server.
If the preceding server_hello message sent by the EAP server in the

preceeding EAP-Request packet did not indicate the resumption of a
previous session, then the peer MUST send, in addition to the
change_cipher_spec and finished messages, a client_key_exchange
message, which completes the exchange of a shared master secret
between the peer and the EAP server. If the EAP server sent a
certificate_request message in the preceding EAP-Request packet, then
the peer MUST send, in addition, certificate and certificate_verify
handshake messages. The former contains a certificate for the peer's
signature public key, while the latter contains the peer's signed
authentication response to the EAP server. After receiving this
packet, the EAP server will verify the peer's certificate and digital
signature, if requested.

If the peer's authentication is unsuccessful, the EAP server SHOULD

send an EAP-Request packet with EAP-Type=EAP-TLS, encapsulating a TLS
record containing the appropriate TLS alert message. The EAP server
SHOULD send a TLS alert message rather immediately terminating the
conversation so as to allow the peer to inform the user of the cause
of the failure and possibly allow for a restart of the conversation.
To ensure that the peer receives the TLS alert message, the EAP
server MUST wait for the peer to reply with an EAP-Response packet.
The EAP-Response packet sent by the peer MAY encapsulate a TLS
client_hello handshake message, in which case the EAP server MAY
allow the EAP-TLS conversation to be restarted, or it MAY contain an
EAP-Response packet with EAP-Type=EAP-TLS and no data, in which case
the EAP-Server MUST send an EAP-Failure packet, and terminate the
conversation. It is up to the EAP server whether to allow restarts,
and if so, how many times the conversation can be restarted. An EAP
Server implementing restart capability SHOULD impose a limit on the
number of restarts, so as to protect against denial of service
attacks.
If the peers authenticates successfully, the EAP server MUST respond

with an EAP-Request packet with EAP-Type=EAP-TLS, which includes, in
the case of a new TLS session, one or more TLS records containing TLS
change_cipher_spec and finished handshke messages. The latter
contains the EAP server's authentication response to the peer. The
peer will then verify the hash in order to authenticate the EAP
server.
If the EAP server authenticates unsuccessfully, the peer MAY send an

EAP-Response packet of EAP-Type=EAP-TLS containing a TLS Alert
message identifying the reason for the failed authentication. The
peer MAY send a TLS alert message rather than immediately terminating
the conversation so as to allow the EAP server to log the cause of
the error for examination by the system administrator.
To ensure that the EAP Server receives the TLS alert message, the
peer MUST wait for the EAP-Server to reply before terminating the
conversation. The EAP Server MUST reply with an EAP-Failure packet
since server authentication failure is a terminal condition.
If the EAP server authenticates successfully, the peer MUST send an

EAP-Response packet of EAP-Type=EAP-TLS, and no data. The EAP-Server
then MUST respond with an EAP-Success message.

3.2. Retry behavior
As with other EAP protocols, the EAP server is responsible for retry
behavior. This means that if the EAP server does not receive a reply
from the peer, it MUST resend the EAP-Request for which it has not
yet received an EAP-Response. However, the peer MUST NOT resend EAP-
Response packets without first being prompted by the EAP server.
For example, if the initial EAP-TLS start packet sent by the EAP
server were to be lost, then the peer would not receive this packet,
and would not respond to it. As a result, the EAP-TLS start packet
would be resent by the EAP server. Once the peer received the EAP-TLS
start packet, it would send an EAP-Response encapsulating the
client_hello message. If the EAP-Response were to be lost, then the
EAP server would resend the initial EAP-TLS start, and the peer would
resend the EAP-Response.
As a result, it is possible that a peer will receive duplicate EAP-

Request messages, and may send duplicate EAP-Responses. Both the
peer and the EAP-Server should be engineered to handle this
possibility.
3.3. Fragmentation
A single TLS record may be up to 16384 octets in length, but a TLS

message may span multiple TLS records, and a TLS certificate message
may in principle be as long as 16MB. The group of EAP-TLS messages
sent in a single round may thus be larger than the PPP MTU size, the
maximum RADIUS packet size of 4096 octets, or even the Multilink
Maximum Received Reconstructed Unit (MRRU). As described in [2], the
multilink MRRU is negotiated via the Multilink MRRU LCP option, which
includes an MRRU length field of two octets, and thus can support
MRRUs as large as 64 KB.
However, note that in order to protect against reassembly lockup and

denial of service attacks, it may be desirable for an implementation
to set a maximum size for one such group of TLS messages. Since a
typical certificate chain is rarely longer than a few thousand
octets, and no other field is likely to be anwhere near as long, a
reasonable choice of maximum acceptable message length might be 64
KB.
If this value is chosen, then fragmentation can be handled via the

multilink PPP fragmentation mechanisms described in [2]. While this
is desirable, there may be cases in which multilink or the MRRU LCP
option cannot be negotiated. As a result, an EAP-TLS implementation
MUST provide its own support for fragmentation and reassembly.

Since EAP is a simple ACK-NAK protocol, fragmentation support can be

added in a simple manner. In EAP, fragments that are lost or damaged
in transit will be retransmitted, and since sequencing information is
provided by the Identifier field in EAP, there is no need for a
fragment offset field as is provided in IPv4.
EAP-TLS fragmentation support is provided through addition of a flags

octet within the EAP-Response and EAP-Request packets, as well as a
TLS Message Length field of four octets. Flags include the Length
included (L), More fragments (M), and EAP-TLS Start (S) bits. The L
flag is set to indicate the presence of the four octet TLS Message
Length field, and MUST be set for the first fragment of a fragmented
TLS message or set of messages. The M flag is set on all but the last
fragment. The S flag is set only within the EAP-TLS start message
sent from the EAP server to the peer. The TLS Message Length field is
four octets, and provides the total length of the TLS message or set
of messages that is being fragmented; this simplifies buffer
allocation.
When an EAP-TLS peer receives an EAP-Request packet with the M bit

set, it MUST respond with an EAP-Response with EAP-Type=EAP-TLS and
no data. This serves as a fragment ACK. The EAP server MUST wait
until it receives the EAP-Response before sending another fragment.
In order to prevent errors in processing of fragments, the EAP server
MUST increment the Identifier field for each fragment contained
within an EAP-Request, and the peer MUST include this Identifier
value in the fragment ACK contained within the EAP-Reponse.
Retransmitted fragments will contain the same Identifier value.
Similarly, when the EAP server receives an EAP-Response with the M

bit set, it MUST respond with an EAP-Request with EAP-Type=EAP-TLS
and no data. This serves as a fragment ACK. The EAP peer MUST wait
until it receives the EAP-Request before sending another fragment.
In order to prevent errors in the processing of fragments, the EAP
server MUST use increment the Identifier value for each fragment ACK
contained within an EAP-Request, and the peer MUST include this
Identifier value in the subsequent fragment contained within an EAP-
Reponse.
3.4. Identity verification
As part of the TLS negotiation, the server presents a certificate to

the peer, and if mutual authentication is requested, the peer
presents a certificate to the server.
Note that since the peer has made a claim of identity in the EAP-
Response/Identity (MyID) packet, the EAP server SHOULD verify that
the claimed identity corresponds to the certificate presented by the

peer. Typically this will be accomplished either by placing the

userId within the peer certificate, or by providing a mapping between
the peer certificate and the userId using a directory service.
Similarly, the peer MUST verify the validity of the EAP server
certificate, and SHOULD also examine the EAP server name presented in
the certificate, in order to determine whether the EAP server can be
trusted. Please note that in the case where the EAP authentication is
remoted that the EAP server will not reside on the same machine as
the authenticator, and therefore the name in the EAP server's
certificate cannot be expected to match that of the intended
destination. In this case, a more appropriate test might be whether
the EAP server's certificate is signed by a CA controlling the
intended destination and whether the EAP server exists within a
target sub-domain.
3.5. Key derivation
Since the normal TLS keys are used in the handshake, and therefore
should not be used in a different context, new encryption keys must
be derived from the TLS master secret for use with PPP encryption.
For both peer and EAP server, the derivation proceeds as follows:
given the master secret negotiated by the TLS handshake, the
pseudorandom function (PRF) defined in the specification for the
version of TLS in use, and the value random defined as the
concatenation of the handshake message fields client_hello.random and
server_hello.random (in that order), the value PRF(master secret,
"client EAP encryption", random) is computed up to 128 bytes, and the
value PRF("", "client EAP encryption", random) is computed up to 64
bytes (where "" is an empty string). The peer encryption key (the
one used for encrypting data from peer to EAP server) is obtained by
truncating to the correct length the first 32 bytes of the first PRF
of these two output strings. TheEAP server encryption key (the one
used for encrypting data from EAP server to peer), if different from
the client encryption key, is obtained by truncating to the correct
length the second 32 bytes of this same PRF output string. The
client authentication key (the one used for computing MACs for
messages from peer to EAP server), if used, is obtained by truncating
to the correct length the third 32 bytes of this same PRF output
string. The EAP server authentication key (the one used for
computing MACs for messages from EAP server to peer), if used, and if
different from the peer authentication key, is obtained by truncating
to the correct length the fourth 32 bytes of this same PRF output
string. The peer initialization vector (IV), used for messages from
peer to EAP server if a block cipher has been specified, is obtained
by truncating to the cipher's block size the first 32 bytes of the
second PRF output string mentioned above. Finally, the server
initialization vector (IV), used for messages from peer to EAP server

if a block cipher has been specified, is obtained by truncating to

the cipher's block size the second 32 bytes of this second PRF
output.
The use of these encryption and authentication keys is specific to

the PPP encryption mechanism used, such as those defined in [9] and
[10]. Additional keys or other non-secret values (such as IVs) can
be obtained as needed for future PPP encryption methods by extending
the outputs of the PRF beyond 128 bytes and 64 bytes, respectively.
3.6. ECP negotiation
Since TLS supports ciphersuite negotiation, peers completing the TLS

negotiation will also have selected a ciphersuite, which includes key
strength, encryption and hashing methods. As a result, a subsequent
Encryption Control Protocol (ECP) conversation, if it occurs, has a
predetermined result.
In order to ensure agreement between the EAP-TLS ciphersuite

negotiation and the subsequent ECP negotiation (described in [6]),
during ECP negotiation the PPP peer MUST offer only the ciphersuite
negotiated inEAP-TLS. This ensures that the PPP authenticator MUST
accept the EAP-TLS negotiated ciphersuite in order for the
onversation to proceed. Should the authenticator not accept the
EAP-TLS negotiated ciphersuite, then the peer MUST send an LCP
terminate and disconnect.
Please note that it cannot be assumed that the PPP authenticator and
EAP server are located on the same machine or that the authenticator
understands the EAP-TLS conversation that has passed through it. Thus
if the peer offers a ciphersuite other than the one negotiated in
EAP-TLS there is no way for the authenticator to know how to respond
correctly.
3.7. CCP negotiation
TLS as described in [12] supports compression as well as ciphersuite

negotiation. However, TLS only provides support for a limited number
of compression types which do not overlap with the compression types
used in PPP. As a result, during the EAP-TLS conversation the EAP
endpoints MUST NOT request or negotiate compression. Instead, the PPP
Compression Control Protocol (CCP), described in [13] should be used
to negotiate the desired compression scheme.

3.8. Examples
In the case where the EAP-TLS mutual authentication is successful,

the conversation will appear as follows:
Authenticating Peer Authenticator

------------------- -------------
<- PPP LCP Request-EAP
auth
PPP LCP ACK-EAP
auth ->
<- PPP EAP-Request/
Identity
PPP EAP-Response/
Identity (MyID) ->
<- PPP EAP-Request/
EAP-Type=EAP-TLS
(TLS Start)
PPP EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello)->
<- PPP EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
PPP EAP-Response/
EAP-Type=EAP-TLS
(TLS certificate,
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
<- PPP EAP-Request/
EAP-Type=EAP-TLS
(TLS change_cipher_spec,
TLS finished)
PPP EAP-Response/
EAP-Type=EAP-TLS ->
<- PPP EAP-Success
PPP Authentication
Phase complete,
NCP Phase starts
ECP negotiation
CCP negotiation

In the case where the EAP-TLS mutual authentication is successful,

and fragmentation is required, the conversation will appear as
follows:

------------------- -------------
auth
PPP LCP ACK-EAP
auth ->
<- PPP EAP-Request/
Identity
PPP EAP-Response/
Identity (MyID) ->
<- PPP EAP-Request/
EAP-Type=EAP-TLS
(TLS Start, S bit set)
PPP EAP-Response/
EAP-Type=EAP-TLS
<- PPP EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS certificate,
(Fragment 1: L, M bits set)
PPP EAP-Response/
EAP-Type=EAP-TLS ->
<- PPP EAP-Request/
EAP-Type=EAP-TLS
(Fragment 2: M bit set)
PPP EAP-Response/
EAP-Type=EAP-TLS ->
<- PPP EAP-Request/
EAP-Type=EAP-TLS
(Fragment 3)
PPP EAP-Response/
EAP-Type=EAP-TLS
(TLS certificate,
TLS inished)(Fragment 1:
L, M bits set)->
<- PPP EAP-Request/
EAP-Type=EAP-TLS

PPP EAP-Response/
EAP-Type=EAP-TLS
(Fragment 2)->
<- PPP EAP-Request/
EAP-Type=EAP-TLS
TLS finished)
PPP EAP-Response/
EAP-Type=EAP-TLS ->
<- PPP EAP-Success
PPP Authentication
Phase complete,
NCP Phase starts
ECP negotiation
CCP negotiation
In the case where the server authenticates to the client

successfully, but the client fails to authenticate to the server, the
conversation will appear as follows:

------------------- -------------
auth
PPP LCP ACK-EAP
auth ->
<- PPP EAP-Request/
Identity
PPP EAP-Response/
Identity (MyID) ->
<- PPP EAP-Request/
EAP-Type=EAP-TLS
(TLS Start)
PPP EAP-Response/
EAP-Type=EAP-TLS
<- PPP EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS certificate,
TLS certificate_request,
PPP EAP-Response/
EAP-Type=EAP-TLS
(TLS certificate,

TLS certificate_verify,
TLS finished) ->
<- PPP EAP-Request/
EAP-Type=EAP-TLS
TLS finished)
PPP EAP-Response/
EAP-Type=EAP-TLS ->
<- PPP EAP-Request
EAP-Type=EAP-TLS
(TLS Alert message)
PPP EAP-Response/
EAP-Type=EAP-TLS ->
<- PPP EAP-Failure
(User Disconnected)
In the case where server authentication is unsuccessful, the

conversation will appear as follows:

------------------- -------------
auth
PPP LCP ACK-EAP
auth ->
<- PPP EAP-Request/
Identity
PPP EAP-Response/
Identity (MyID) ->
<- PPP EAP-Request/
EAP-Type=EAP-TLS
(TLS Start)
PPP EAP-Response/
EAP-Type=EAP-TLS
<- PPP EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS certificate,
PPP EAP-Response/
EAP-Type=EAP-TLS
(TLS certificate,

TLS finished) ->
<- PPP EAP-Request/
EAP-Type=EAP-TLS
TLS finished)
PPP EAP-Response/
EAP-Type=EAP-TLS
TLS finished)
<- PPP EAP-Request/
EAP-Type=EAP-TLS
PPP EAP-Response/
EAP-Type=EAP-TLS
(TLS Alert message) ->
<- PPP EAP-Failure
(User Disconnected)
In the case where a previously established session is being resumed,

and both sides authenticate successfully, the conversation will
appear as follows:

------------------- -------------
auth
PPP LCP ACK-EAP
auth ->
<- PPP EAP-Request/
Identity
PPP EAP-Response/
Identity (MyID) ->
<- PPP EAP-Request/
EAP-Request/
EAP-Type=EAP-TLS
(TLS Start)
PPP EAP-Response/
EAP-Type=EAP-TLS
<- PPP EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS change_cipher_spec
TLS finished)

PPP EAP-Response/
EAP-Type=EAP-TLS
TLS finished) ->
<- PPP EAP-Success
PPP Authentication
Phase complete,
NCP Phase starts
ECP negotiation
CCP negotiation

and the server authenticates to the client successfully but the
client fails to authenticate to the server, the conversation will
appear as follows:

------------------- -------------
auth
PPP LCP ACK-EAP
auth ->
<- PPP EAP-Request/
Identity
PPP EAP-Response/
Identity (MyID) ->
<- PPP EAP-Request/
EAP-Request/
EAP-Type=EAP-TLS
(TLS Start)
PPP EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello) ->
<- PPP EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS finished)
PPP EA-Response/
EAP-Type=EAP-TLS
TLS finished) ->
<- PPP EAP-Request
EAP-Type=EAP-TLS
(TLS Alert message)

PPP EAP-Response
EAP-Type=EAP-TLS ->
<- PPP EAP-Failure
(User Disconnected)

and the server authentication is unsuccessful, the conversation will
appear as follows:

------------------- -------------
auth
PPP LCP ACK-EAP
auth ->
<- PPP EAP-Request/
Identity
PPP EAP-Response/
Identity (MyID) ->
<- PPP EAP-Request/
EAP-Request/
EAP-Type=EAP-TLS
(TLS Start)
PPP EAP-Response/
EAP-Type=EAP-TLS
<- PPP EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS finished)
PPP EAP-Response/
EAP-Type=EAP-TLS
TLS finished)
<- PPP EAP-Request/
EAP-Type=EAP-TLS
PPP EAP-Response/
EAP-Type=EAP-TLS
(TLS Alert message) ->
<- PPP EAP-Failure
(User Disconnected)

4. Detailed description of the EAP-TLS protocol
4.1. PPP EAP TLS Packet Format
A summary of the PPP EAP TLS Request/Response packet format is shown

below. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
1 - Request
2 - Response
Identifier
The identifier field is one octet and aids in matching responses

with requests.
Length
The Length field is two octets and indicates the length of the EAP
packet including the Code, Identifier, Length, Type, and Data
fields. Octets outside the range of the Length field should be
treated as Data Link Layer padding and should be ignored on
reception.
Type
13 - EAP TLS
Data
The format of the Data field is determined by the Code field.

4.2. PPP EAP TLS Request Packet
A summary of the PPP EAP TLS Request packet format is shown below.
The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Flags | TLS Message Length
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLS Message Length | TLS Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
Identifier
The Identifier field is one octet and aids in matching responses

with requests. The Identifier field MUST be changed on each
Request packet.
Length
packet including the Code, Identifier, Length, Type, and TLS
Response fields.
Type
13 - EAP TLS
Flags
0 1 2 3 4 5 6 7 8
+-+-+-+-+-+-+-+-+
|L M S R R R R R|
+-+-+-+-+-+-+-+-+
L = Length included
M = More fragments
S = EAP-TLS start
R = Reserved

The L bit (length included) is set to indicate the presence of the

four octet TLS Message Length field, and MUST be set for the first
fragment of a fragmented TLS message or set of messages. The M bit
(more fragments) is set on all but the last fragment. The S bit
(EAP-TLS start) is set in an EAP-TLS Start message. This
differentiates the EAP-TLS Start message from a fragment
acknowledgement.
TLS Message Length
The TLS Message Length field is four octets, and is present only
if the L bit is set. This field provides the total length of the
TLS message or set of messages that is being fragmented.
TLS data
The TLS data consists of the encapsulated TLS packet in TLS record
format.
4.3. PPP EAP TLS Response Packet
A summary of the PPP EAP TLS Response packet format is shown below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Flags | TLS Message Length
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TLS Message Length | TLS Data...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
Identifier
The Identifier field is one octet and MUST match the Identifier
field from the corresponding request.
Length
packet including the Code, Identifir, Length, Type, and TLS data
fields.

Type
13 - EAP TLS
Flags
0 1 2 3 4 5 6 7 8
+-+-+-+-+-+-+-+-+
|L M S R R R R R|
+-+-+-+-+-+-+-+-+
L = Length included
M = More fragments
S = EAP-TLS start
R = Reserved
The L bit (length included) is set to indicate the presence of the

four octet TLS Message Length field, and MUST be set for the first
fragment of a fragmented TLS message or set of messages. The M bit
(more fragments) is set on all but the last fragment. The S bit
(EAP-TLS start) is set in an EAP-TLS Start message. This
differentiates the EAP-TLS Start message from a fragment
acknowledgement.
TLS Message Length
The TLS Message Length field is four octets, and is present only
if the L bit is set. This field provides the total length of the
TLS message or set of messages that is being fragmented.
TLS data
The TLS data consists of the encapsulated TLS packet in TLS record
format.

5. References
[1] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)", STD

51, RFC 1661, July 1994.
[2] Sklower, K., Lloyd, B., McGregor, G., Carr, D. and T. Coradetti,
"The PPP Multilink Protocol (MP)", RFC 1990, August 1996.
[3] Simpson, W., Editor, "PPP LCP Extensions", RFC 1570, January
1994.
[4] Rivest, R. and S. Dusse, "The MD5 Message-Digest Algorithm", RFC

1321, April 1992.
[5] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication

Protocol (EAP)", RFC 2284, March 1998.
[6] Meyer, G., "The PPP Encryption Protocol (ECP)", RFC 1968, June
1996.
[7] National Bureau of Standards, "Data Encryption Standard", FIPS

PUB 46 (January 1977).
[8] National Bureau of Standards, "DES Modes of Operation", FIPS PUB

81 (December 1980).
[9] Sklower, K. amd G. Meyer, "The PPP DES Encryption Protocol,

Version 2 (DESE-bis)", RFC 2419, September 1998.
[10] Hummert, K., "The PPP Triple-DES Encryption Protocol (3DESE)",

RFC 2420, September 1998.
[11] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[12] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
2246, November 1998.
[13] Rand, D., "The PPP Compression Control Protocol", RFC 1962, June
1996.

6. Security Considerations
6.1. Certificate revocation
Since the EAP server is on the Internet during the EAP conversation,
the server is capable of following a certificate chain or verifying
whether the peer's certificate has been revoked. In contrast, the
peer may or may not have Internet connectivity, and thus while it can
validate the EAP server's certificate based on a pre-configured set
of CAs, it may not be able to follow a certificate chain or verify
whether the EAP server's certificate has been revoked.
In the case where the peer is initiating a voluntary Layer 2 tunnel

using PPTP or L2TP, the peer will typically already have a PPP
interface and Internet connectivity established at the time of tunnel
initiation. As a result, during the EAP conversation it is capable
of checking for certificate revocation.
However, in the case where the peer is initiating an intial PPP

conversation, it will not have Internet connectivity and is therefore
not capable of checking for certificate revocation until after NCP
negotiation completes and the peer has access to the Internet. In
this case, the peer SHOULD check for certificate revocation after
connecting to the Internet.
6.2. Separation of the EAP server and PPP authenticator
As a result of the EAP-TLS conversation, the EAP endpoints will

mutually authenticate, negotiate a ciphersuite, and derive a session
key for subsequent use in PPP encryption. Since the peer and EAP
client reside on the same machine, it is necessary for the EAP client
module to pass the session key to the PPP encryption module.
The situation may be more complex on the PPP authenticator, which may
or may not reside on the same machine as the EAP server. In the case
where the EAP server and PPP authenticator reside on different
machines, there are several implications for security. Firstly, the
mutual authentication defined in EAP-TLS will occur between the peer
and the EAP server, not between the peer and the authenticator. This
means that as a result of the EAP-TLS conversation, it is not
possible for the peer to validate the identity of the NAS or tunnel
server that it is speaking to.
The second issue is that the session key negotiated between the peer
and EAP server will need to be transmitted to the authenticator.
Therefore a mechanism needs to be provided to transmit the session
key from the EAP server to the authenticator or tunnel server that
needs to use the key. The specification of this transit mechanism is

outside the scope of this document.
6.3. Relationship of PPP encryption to other security mechanisms
It is envisaged that EAP-TLS will be used primarily with dialup PPP

connections. However, there are also circumstances in which PPP
encryption may be used along with Layer 2 tunneling protocols such as
PPTP and L2TP.
In compulsory layer 2 tunneling, a PPP peer makes a connection to a

NAS or router which tunnels the PPP packets to a tunnel server.
Since with compulsory tunneling a PPP peer cannot tell whether its
packets are being tunneled, let alone whether the network device is
securing the tunnel, if security is required then the client must
make its own arrangements. In the case where all endpoints cannot be
relied upon to implement IPSEC, TLS, or another suitable security
protocol, PPP encryption provides a convenient means to ensure the
privacy of packets transiting between the client and the tunnel
server.
7. Acknowledgments
Thanks to Terence Spies, Glen Zorn and Narendra Gidwani of Microsoft

for useful discussions of this problem space.
8. Authors' Addresses
Bernard Aboba
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
Phone: 425-936-6605
EMail: bernarda@microsoft.com
Dan Simon
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
Phone: 425-936-6711
EMail: dansimon@microsoft.com

9. Full Copyright Statement

English.

Acknowledgement
Funding for the RFC Editor function is currently provided by the

Internet Society.
Network Working Group C. Rigney

Request for Comments: 2865 S. Willens
Obsoletes: 2138 Livingston
Category: Standards Track A. Rubens
Merit
W. Simpson
Daydreamer
June 2000
Remote Authentication Dial In User Service (RADIUS)
Status of this Memo

Copyright Notice
IESG Note:
This protocol is widely implemented and used. Experience has shown

that it can suffer degraded performance and lost data when used in
large scale systems, in part because it does not include provisions
for congestion control. Readers of this document may find it
beneficial to track the progress of the IETF's AAA working group,
which may develop a successor protocol that better addresses the
scaling and congestion control issues.
Abstract
This document describes a protocol for carrying authentication,

authorization, and configuration information between a Network Access
Server which desires to authenticate its links and a shared
Authentication Server.
Implementation Note
This memo documents the RADIUS protocol. The early deployment of

RADIUS was done using UDP port number 1645, which conflicts with the
"datametrics" service. The officially assigned port number for
RADIUS is 1812.
Rigney, et al. Standards Track [Page 1]

RFC 2865 RADIUS June 2000
Table of Contents
1. Introduction .......................................... 3
1.1 Specification of Requirements ................... 4
1.2 Terminology ..................................... 5
2. Operation ............................................. 5
2.1 Challenge/Response .............................. 7
2.2 Interoperation with PAP and CHAP ................ 8
2.3 Proxy ........................................... 8
2.4 Why UDP? ........................................ 11
2.5 Retransmission Hints ............................ 12
2.6 Keep-Alives Considered Harmful .................. 13
3. Packet Format ......................................... 13
4. Packet Types .......................................... 17
4.1 Access-Request .................................. 17
4.2 Access-Accept ................................... 18
4.3 Access-Reject ................................... 20
4.4 Access-Challenge ................................ 21
5. Attributes ............................................ 22
5.1 User-Name ....................................... 26
5.2 User-Password ................................... 27
5.3 CHAP-Password ................................... 28
5.4 NAS-IP-Address .................................. 29
5.5 NAS-Port ........................................ 30
5.6 Service-Type .................................... 31
5.7 Framed-Protocol ................................. 33
5.8 Framed-IP-Address ............................... 34
5.9 Framed-IP-Netmask ............................... 34
5.10 Framed-Routing .................................. 35
5.11 Filter-Id ....................................... 36
5.12 Framed-MTU ...................................... 37
5.13 Framed-Compression .............................. 37
5.14 Login-IP-Host ................................... 38
5.15 Login-Service ................................... 39
5.16 Login-TCP-Port .................................. 40
5.17 (unassigned) .................................... 41
5.18 Reply-Message ................................... 41
5.19 Callback-Number ................................. 42
5.20 Callback-Id ..................................... 42
5.21 (unassigned) .................................... 43
5.22 Framed-Route .................................... 43
5.23 Framed-IPX-Network .............................. 44
5.24 State ........................................... 45
5.25 Class ........................................... 46
5.26 Vendor-Specific ................................. 47
5.27 Session-Timeout ................................. 48
5.28 Idle-Timeout .................................... 49
5.29 Termination-Action .............................. 49

5.30 Called-Station-Id ............................... 50

5.31 Calling-Station-Id .............................. 51
5.32 NAS-Identifier .................................. 52
5.33 Proxy-State ..................................... 53
5.34 Login-LAT-Service ............................... 54
5.35 Login-LAT-Node .................................. 55
5.36 Login-LAT-Group ................................. 56
5.37 Framed-AppleTalk-Link ........................... 57
5.38 Framed-AppleTalk-Network ........................ 58
5.39 Framed-AppleTalk-Zone ........................... 58
5.40 CHAP-Challenge .................................. 59
5.41 NAS-Port-Type ................................... 60
5.42 Port-Limit ...................................... 61
5.43 Login-LAT-Port .................................. 62
5.44 Table of Attributes ............................. 63
6. IANA Considerations ................................... 64
6.1 Definition of Terms ............................. 64
6.2 Recommended Registration Policies ............... 65
7. Examples .............................................. 66
7.1 User Telnet to Specified Host ................... 66
7.2 Framed User Authenticating with CHAP ............ 67
7.3 User with Challenge-Response card ............... 68
8. Security Considerations ............................... 71
9. Change Log ............................................ 71
10. References ............................................ 73
11. Acknowledgements ...................................... 74
12. Chair's Address ....................................... 74
13. Authors' Addresses .................................... 75
14. Full Copyright Statement .............................. 76
1. Introduction
This document obsoletes RFC 2138 [1]. A summary of the changes

between this document and RFC 2138 is available in the "Change Log"
appendix.
Managing dispersed serial line and modem pools for large numbers of
users can create the need for significant administrative support.
Since modem pools are by definition a link to the outside world, they
require careful attention to security, authorization and accounting.
This can be best achieved by managing a single "database" of users,
which allows for authentication (verifying user name and password) as
well as configuration information detailing the type of service to
deliver to the user (for example, SLIP, PPP, telnet, rlogin).

Key features of RADIUS are:
Client/Server Model
A Network Access Server (NAS) operates as a client of RADIUS. The

client is responsible for passing user information to designated
RADIUS servers, and then acting on the response which is returned.
RADIUS servers are responsible for receiving user connection

requests, authenticating the user, and then returning all
configuration information necessary for the client to deliver
service to the user.
A RADIUS server can act as a proxy client to other RADIUS servers

or other kinds of authentication servers.
Network Security
Transactions between the client and RADIUS server are

authenticated through the use of a shared secret, which is never
sent over the network. In addition, any user passwords are sent
encrypted between the client and RADIUS server, to eliminate the
possibility that someone snooping on an unsecure network could
determine a user's password.
Flexible Authentication Mechanisms
The RADIUS server can support a variety of methods to authenticate

a user. When it is provided with the user name and original
password given by the user, it can support PPP PAP or CHAP, UNIX
login, and other authentication mechanisms.
Extensible Protocol
All transactions are comprised of variable length Attribute-

Length-Value 3-tuples. New attribute values can be added without
disturbing existing implementations of the protocol.
1.1. Specification of Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [2]. These key
words mean the same thing whether capitalized or not.
An implementation is not compliant if it fails to satisfy one or more

of the must or must not requirements for the protocols it implements.
An implementation that satisfies all the must, must not, should and

should not requirements for its protocols is said to be

"unconditionally compliant"; one that satisfies all the must and must
not requirements but not all the should or should not requirements
for its protocols is said to be "conditionally compliant".
A NAS that does not implement a given service MUST NOT implement the
RADIUS attributes for that service. For example, a NAS that is
unable to offer ARAP service MUST NOT implement the RADIUS attributes
for ARAP. A NAS MUST treat a RADIUS access-accept authorizing an
unavailable service as an access-reject instead.
1.2. Terminology
This document frequently uses the following terms:
service The NAS provides a service to the dial-in user, such as PPP
or Telnet.
session Each service provided by the NAS to a dial-in user

constitutes a session, with the beginning of the session
defined as the point where service is first provided and
the end of the session defined as the point where service
is ended. A user may have multiple sessions in parallel or
series if the NAS supports that.
silently discard
This means the implementation discards the packet without
further processing. The implementation SHOULD provide the
capability of logging the error, including the contents of
the silently discarded packet, and SHOULD record the event
in a statistics counter.
2. Operation
When a client is configured to use RADIUS, any user of the client

presents authentication information to the client. This might be
with a customizable login prompt, where the user is expected to enter
their username and password. Alternatively, the user might use a
link framing protocol such as the Point-to-Point Protocol (PPP),
which has authentication packets which carry this information.
Once the client has obtained such information, it may choose to

authenticate using RADIUS. To do so, the client creates an "Access-
Request" containing such Attributes as the user's name, the user's
password, the ID of the client and the Port ID which the user is
accessing. When a password is present, it is hidden using a method
based on the RSA Message Digest Algorithm MD5 [3].

The Access-Request is submitted to the RADIUS server via the network.

If no response is returned within a length of time, the request is
re-sent a number of times. The client can also forward requests to
an alternate server or servers in the event that the primary server
is down or unreachable. An alternate server can be used either after
a number of tries to the primary server fail, or in a round-robin
fashion. Retry and fallback algorithms are the topic of current
research and are not specified in detail in this document.
Once the RADIUS server receives the request, it validates the sending
client. A request from a client for which the RADIUS server does not
have a shared secret MUST be silently discarded. If the client is
valid, the RADIUS server consults a database of users to find the
user whose name matches the request. The user entry in the database
contains a list of requirements which must be met to allow access for
the user. This always includes verification of the password, but can
also specify the client(s) or port(s) to which the user is allowed
access.
The RADIUS server MAY make requests of other servers in order to

satisfy the request, in which case it acts as a client.
If any Proxy-State attributes were present in the Access-Request,

they MUST be copied unmodified and in order into the response packet.
Other Attributes can be placed before, after, or even between the
Proxy-State attributes.
If any condition is not met, the RADIUS server sends an "Access-

Reject" response indicating that this user request is invalid. If
desired, the server MAY include a text message in the Access-Reject
which MAY be displayed by the client to the user. No other
Attributes (except Proxy-State) are permitted in an Access-Reject.
If all conditions are met and the RADIUS server wishes to issue a
challenge to which the user must respond, the RADIUS server sends an
"Access-Challenge" response. It MAY include a text message to be
displayed by the client to the user prompting for a response to the
challenge, and MAY include a State attribute.
If the client receives an Access-Challenge and supports

challenge/response it MAY display the text message, if any, to the
user, and then prompt the user for a response. The client then re-
submits its original Access-Request with a new request ID, with the
User-Password Attribute replaced by the response (encrypted), and
including the State Attribute from the Access-Challenge, if any.
Only 0 or 1 instances of the State Attribute SHOULD be

present in a request. The server can respond to this new Access-

Request with either an Access-Accept, an Access-Reject, or another
Access-Challenge.
If all conditions are met, the list of configuration values for the
user are placed into an "Access-Accept" response. These values
include the type of service (for example: SLIP, PPP, Login User) and
all necessary values to deliver the desired service. For SLIP and
PPP, this may include values such as IP address, subnet mask, MTU,
desired compression, and desired packet filter identifiers. For
character mode users, this may include values such as desired
protocol and host.
2.1. Challenge/Response
In challenge/response authentication, the user is given an

unpredictable number and challenged to encrypt it and give back the
result. Authorized users are equipped with special devices such as
smart cards or software that facilitate calculation of the correct
response with ease. Unauthorized users, lacking the appropriate
device or software and lacking knowledge of the secret key necessary
to emulate such a device or software, can only guess at the response.
The Access-Challenge packet typically contains a Reply-Message

including a challenge to be displayed to the user, such as a numeric
value unlikely ever to be repeated. Typically this is obtained from
an external server that knows what type of authenticator is in the
possession of the authorized user and can therefore choose a random
or non-repeating pseudorandom number of an appropriate radix and
length.
The user then enters the challenge into his device (or software) and
it calculates a response, which the user enters into the client which
forwards it to the RADIUS server via a second Access-Request. If the
response matches the expected response the RADIUS server replies with
an Access-Accept, otherwise an Access-Reject.
Example: The NAS sends an Access-Request packet to the RADIUS Server

with NAS-Identifier, NAS-Port, User-Name, User-Password (which may
just be a fixed string like "challenge" or ignored). The server
sends back an Access-Challenge packet with State and a Reply-Message
along the lines of "Challenge 12345678, enter your response at the
prompt" which the NAS displays. The NAS prompts for the response and
sends a NEW Access-Request to the server (with a new ID) with NAS-
Identifier, NAS-Port, User-Name, User-Password (the response just
entered by the user, encrypted), and the same State Attribute that

came with the Access-Challenge. The server then sends back either an
Access-Accept or Access-Reject based on whether the response matches
the required value, or it can even send another Access-Challenge.
2.2. Interoperation with PAP and CHAP
For PAP, the NAS takes the PAP ID and password and sends them in an
Access-Request packet as the User-Name and User-Password. The NAS MAY
include the Attributes Service-Type = Framed-User and Framed-Protocol
= PPP as a hint to the RADIUS server that PPP service is expected.
For CHAP, the NAS generates a random challenge (preferably 16 octets)

and sends it to the user, who returns a CHAP response along with a
CHAP ID and CHAP username. The NAS then sends an Access-Request
packet to the RADIUS server with the CHAP username as the User-Name
and with the CHAP ID and CHAP response as the CHAP-Password
(Attribute 3). The random challenge can either be included in the
CHAP-Challenge attribute or, if it is 16 octets long, it can be
placed in the Request Authenticator field of the Access-Request
packet. The NAS MAY include the Attributes Service-Type = Framed-
User and Framed-Protocol = PPP as a hint to the RADIUS server that
PPP service is expected.
The RADIUS server looks up a password based on the User-Name,

encrypts the challenge using MD5 on the CHAP ID octet, that password,
and the CHAP challenge (from the CHAP-Challenge attribute if present,
otherwise from the Request Authenticator), and compares that result
to the CHAP-Password. If they match, the server sends back an
Access-Accept, otherwise it sends back an Access-Reject.
If the RADIUS server is unable to perform the requested

authentication it MUST return an Access-Reject. For example, CHAP
requires that the user's password be available in cleartext to the
server so that it can encrypt the CHAP challenge and compare that to
the CHAP response. If the password is not available in cleartext to
the RADIUS server then the server MUST send an Access-Reject to the
client.
2.3. Proxy
With proxy RADIUS, one RADIUS server receives an authentication (or

accounting) request from a RADIUS client (such as a NAS), forwards
the request to a remote RADIUS server, receives the reply from the
remote server, and sends that reply to the client, possibly with
changes to reflect local administrative policy. A common use for
proxy RADIUS is roaming. Roaming permits two or more administrative
entities to allow each other's users to dial in to either entity's
network for service.

The NAS sends its RADIUS access-request to the "forwarding server"

which forwards it to the "remote server". The remote server sends a
response (Access-Accept, Access-Reject, or Access-Challenge) back to
the forwarding server, which sends it back to the NAS. The User-Name
attribute MAY contain a Network Access Identifier [8] for RADIUS
Proxy operations. The choice of which server receives the forwarded
request SHOULD be based on the authentication "realm". The
authentication realm MAY be the realm part of a Network Access
Identifier (a "named realm"). Alternatively, the choice of which
server receives the forwarded request MAY be based on whatever other
criteria the forwarding server is configured to use, such as Called-
Station-Id (a "numbered realm").
A RADIUS server can function as both a forwarding server and a remote

server, serving as a forwarding server for some realms and a remote
server for other realms. One forwarding server can act as a
forwarder for any number of remote servers. A remote server can have
any number of servers forwarding to it and can provide authentication
for any number of realms. One forwarding server can forward to
another forwarding server to create a chain of proxies, although care
must be taken to avoid introducing loops.
The following scenario illustrates a proxy RADIUS communication

between a NAS and the forwarding and remote RADIUS servers:
1. A NAS sends its access-request to the forwarding server.
2. The forwarding server forwards the access-request to the remote

server.
3. The remote server sends an access-accept, access-reject or

access-challenge back to the forwarding server. For this example,
an access-accept is sent.
4. The forwarding server sends the access-accept to the NAS.
The forwarding server MUST treat any Proxy-State attributes already

in the packet as opaque data. Its operation MUST NOT depend on the
content of Proxy-State attributes added by previous servers.
If there are any Proxy-State attributes in the request received from

the client, the forwarding server MUST include those Proxy-State
attributes in its reply to the client. The forwarding server MAY
include the Proxy-State attributes in the access-request when it
forwards the request, or MAY omit them in the forwarded request. If
the forwarding server omits the Proxy-State attributes in the
forwarded access-request, it MUST attach them to the response before
sending it to the client.

We now examine each step in more detail.
1. A NAS sends its access-request to the forwarding server. The

forwarding server decrypts the User-Password, if present, using
the shared secret it knows for the NAS. If a CHAP-Password
attribute is present in the packet and no CHAP-Challenge attribute
is present, the forwarding server MUST leave the Request-
Authenticator untouched or copy it to a CHAP-Challenge attribute.
'' The forwarding server MAY add one Proxy-State attribute to the
packet. (It MUST NOT add more than one.) If it adds a Proxy-
State, the Proxy-State MUST appear after any other Proxy-States in
the packet. The forwarding server MUST NOT modify any other
Proxy-States that were in the packet (it may choose not to forward
them, but it MUST NOT change their contents). The forwarding
server MUST NOT change the order of any attributes of the same
type, including Proxy-State.
2. The forwarding server encrypts the User-Password, if present,

using the secret it shares with the remote server, sets the
Identifier as needed, and forwards the access-request to the
remote server.
3. The remote server (if the final destination) verifies the user
using User-Password, CHAP-Password, or such method as future
extensions may dictate, and returns an access-accept, access-
reject or access-challenge back to the forwarding server. For
this example, an access-accept is sent. The remote server MUST
copy all Proxy-State attributes (and only the Proxy-State
attributes) in order from the access-request to the response
packet, without modifying them.
4. The forwarding server verifies the Response Authenticator using

the secret it shares with the remote server, and silently discards
the packet if it fails verification. If the packet passes
verification, the forwarding server removes the last Proxy-State
(if it attached one), signs the Response Authenticator using the
secret it shares with the NAS, restores the Identifier to match
the one in the original request by the NAS, and sends the access-
accept to the NAS.
A forwarding server MAY need to modify attributes to enforce local

policy. Such policy is outside the scope of this document, with the
following restrictions. A forwarding server MUST not modify existing
Proxy-State, State, or Class attributes present in the packet.

Implementers of forwarding servers should consider carefully which

values it is willing to accept for Service-Type. Careful
consideration must be given to the effects of passing along Service-
Types of NAS-Prompt or Administrative in a proxied Access-Accept, and
implementers may wish to provide mechanisms to block those or other
service types, or other attributes. Such mechanisms are outside the
scope of this document.
2.4. Why UDP?
A frequently asked question is why RADIUS uses UDP instead of TCP as

a transport protocol. UDP was chosen for strictly technical reasons.
There are a number of issues which must be understood. RADIUS is a

transaction based protocol which has several interesting
characteristics:
1. If the request to a primary Authentication server fails, a

secondary server must be queried.
To meet this requirement, a copy of the request must be kept above

the transport layer to allow for alternate transmission. This
means that retransmission timers are still required.
2. The timing requirements of this particular protocol are

significantly different than TCP provides.
At one extreme, RADIUS does not require a "responsive" detection

of lost data. The user is willing to wait several seconds for the
authentication to complete. The generally aggressive TCP
retransmission (based on average round trip time) is not required,
nor is the acknowledgement overhead of TCP.
At the other extreme, the user is not willing to wait several

minutes for authentication. Therefore the reliable delivery of
TCP data two minutes later is not useful. The faster use of an
alternate server allows the user to gain access before giving up.
3. The stateless nature of this protocol simplifies the use of UDP.
Clients and servers come and go. Systems are rebooted, or are
power cycled independently. Generally this does not cause a
problem and with creative timeouts and detection of lost TCP
connections, code can be written to handle anomalous events. UDP
however completely eliminates any of this special handling. Each
client and server can open their UDP transport just once and leave
it open through all types of failure events on the network.

4. UDP simplifies the server implementation.
In the earliest implementations of RADIUS, the server was single

threaded. This means that a single request was received,
processed, and returned. This was found to be unmanageable in
environments where the back-end security mechanism took real time
(1 or more seconds). The server request queue would fill and in
environments where hundreds of people were being authenticated
every minute, the request turn-around time increased to longer
than users were willing to wait (this was especially severe when a
specific lookup in a database or over DNS took 30 or more
seconds). The obvious solution was to make the server multi-
threaded. Achieving this was simple with UDP. Separate processes
were spawned to serve each request and these processes could
respond directly to the client NAS with a simple UDP packet to the
original transport of the client.
It's not all a panacea. As noted, using UDP requires one thing which
is built into TCP: with UDP we must artificially manage
retransmission timers to the same server, although they don't require
the same attention to timing provided by TCP. This one penalty is a
small price to pay for the advantages of UDP in this protocol.
Without TCP we would still probably be using tin cans connected by

string. But for this particular protocol, UDP is a better choice.
2.5. Retransmission Hints
If the RADIUS server and alternate RADIUS server share the same
shared secret, it is OK to retransmit the packet to the alternate
RADIUS server with the same ID and Request Authenticator, because the
content of the attributes haven't changed. If you want to use a new
Request Authenticator when sending to the alternate server, you may.
If you change the contents of the User-Password attribute (or any

other attribute), you need a new Request Authenticator and therefore
a new ID.
If the NAS is retransmitting a RADIUS request to the same server as

before, and the attributes haven't changed, you MUST use the same
Request Authenticator, ID, and source port. If any attributes have
changed, you MUST use a new Request Authenticator and ID.
A NAS MAY use the same ID across all servers, or MAY keep track of
IDs separately for each server, it is up to the implementer. If a
NAS needs more than 256 IDs for outstanding requests, it MAY use

additional source ports to send requests from, and keep track of IDs
for each source port. This allows up to 16 million or so outstanding
requests at one time to a single server.
2.6. Keep-Alives Considered Harmful
Some implementers have adopted the practice of sending test RADIUS

requests to see if a server is alive. This practice is strongly
discouraged, since it adds to load and harms scalability without
providing any additional useful information. Since a RADIUS request
is contained in a single datagram, in the time it would take you to
send a ping you could just send the RADIUS request, and getting a
reply tells you that the RADIUS server is up. If you do not have a
RADIUS request to send, it does not matter if the server is up or
not, because you are not using it.
If you want to monitor your RADIUS server, use SNMP. That's what
SNMP is for.
3. Packet Format
Exactly one RADIUS packet is encapsulated in the UDP Data field [4],
where the UDP Destination Port field indicates 1812 (decimal).
When a reply is generated, the source and destination ports are

reversed.
This memo documents the RADIUS protocol. The early deployment of

RADIUS was done using UDP port number 1645, which conflicts with the
"datametrics" service. The officially assigned port number for
RADIUS is 1812.

A summary of the RADIUS data format is shown below. The fields are
transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
Code
The Code field is one octet, and identifies the type of RADIUS
packet. When a packet is received with an invalid Code field, it
is silently discarded.
RADIUS Codes (decimal) are assigned as follows:
1 Access-Request
2 Access-Accept
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge
12 Status-Server (experimental)
13 Status-Client (experimental)
255 Reserved
Codes 4 and 5 are covered in the RADIUS Accounting document [5].

Codes 12 and 13 are reserved for possible use, but are not further
mentioned here.
Identifier
The Identifier field is one octet, and aids in matching requests

and replies. The RADIUS server can detect a duplicate request if
it has the same client source IP address and source UDP port and
Identifier within a short span of time.

Length
The Length field is two octets. It indicates the length of the

packet including the Code, Identifier, Length, Authenticator and
Attribute fields. Octets outside the range of the Length field
MUST be treated as padding and ignored on reception. If the
packet is shorter than the Length field indicates, it MUST be
silently discarded. The minimum length is 20 and maximum length
is 4096.
Authenticator
The Authenticator field is sixteen (16) octets. The most

significant octet is transmitted first. This value is used to
authenticate the reply from the RADIUS server, and is used in the
password hiding algorithm.
Request Authenticator
In Access-Request Packets, the Authenticator value is a 16

octet random number, called the Request Authenticator. The
value SHOULD be unpredictable and unique over the lifetime of a
secret (the password shared between the client and the RADIUS
server), since repetition of a request value in conjunction
with the same secret would permit an attacker to reply with a
previously intercepted response. Since it is expected that the
same secret MAY be used to authenticate with servers in
disparate geographic regions, the Request Authenticator field
SHOULD exhibit global and temporal uniqueness.
The Request Authenticator value in an Access-Request packet

SHOULD also be unpredictable, lest an attacker trick a server
into responding to a predicted future request, and then use the
response to masquerade as that server to a future Access-
Request.
Although protocols such as RADIUS are incapable of protecting

against theft of an authenticated session via realtime active
wiretapping attacks, generation of unique unpredictable
requests can protect against a wide range of active attacks
against authentication.
The NAS and RADIUS server share a secret. That shared secret
followed by the Request Authenticator is put through a one-way
MD5 hash to create a 16 octet digest value which is xored with
the password entered by the user, and the xored result placed

in the User-Password attribute in the Access-Request packet.

See the entry for User-Password in the section on Attributes
for a more detailed description.
Response Authenticator
The value of the Authenticator field in Access-Accept, Access-

Reject, and Access-Challenge packets is called the Response
Authenticator, and contains a one-way MD5 hash calculated over
a stream of octets consisting of: the RADIUS packet, beginning
with the Code field, including the Identifier, the Length, the
Request Authenticator field from the Access-Request packet, and
the response Attributes, followed by the shared secret. That
is, ResponseAuth =
MD5(Code+ID+Length+RequestAuth+Attributes+Secret) where +
denotes concatenation.
Administrative Note
The secret (password shared between the client and the RADIUS
server) SHOULD be at least as large and unguessable as a well-
chosen password. It is preferred that the secret be at least 16
octets. This is to ensure a sufficiently large range for the
secret to provide protection against exhaustive search attacks.
The secret MUST NOT be empty (length 0) since this would allow
packets to be trivially forged.
A RADIUS server MUST use the source IP address of the RADIUS UDP
packet to decide which shared secret to use, so that RADIUS
requests can be proxied.
When using a forwarding proxy, the proxy must be able to alter the
packet as it passes through in each direction - when the proxy
forwards the request, the proxy MAY add a Proxy-State Attribute,
and when the proxy forwards a response, it MUST remove its Proxy-
State Attribute if it added one. Proxy-State is always added or
removed after any other Proxy-States, but no other assumptions
regarding its location within the list of attributes can be made.
Since Access-Accept and Access-Reject replies are authenticated on
the entire packet contents, the stripping of the Proxy-State
attribute invalidates the signature in the packet - so the proxy
has to re-sign it.
Further details of RADIUS proxy implementation are outside the

scope of this document.

4. Packet Types
The RADIUS Packet type is determined by the Code field in the first
octet of the Packet.
4.1. Access-Request
Description
Access-Request packets are sent to a RADIUS server, and convey

information used to determine whether a user is allowed access to
a specific NAS, and any special services requested for that user.
An implementation wishing to authenticate a user MUST transmit a
RADIUS packet with the Code field set to 1 (Access-Request).
Upon receipt of an Access-Request from a valid client, an

appropriate reply MUST be transmitted.
An Access-Request SHOULD contain a User-Name attribute. It MUST

contain either a NAS-IP-Address attribute or a NAS-Identifier
attribute (or both).
An Access-Request MUST contain either a User-Password or a CHAP-

Password or a State. An Access-Request MUST NOT contain both a
User-Password and a CHAP-Password. If future extensions allow
other kinds of authentication information to be conveyed, the
attribute for that can be used in an Access-Request instead of
User-Password or CHAP-Password.
An Access-Request SHOULD contain a NAS-Port or NAS-Port-Type

attribute or both unless the type of access being requested does
not involve a port or the NAS does not distinguish among its
ports.
An Access-Request MAY contain additional attributes as a hint to

the server, but the server is not required to honor the hint.
When a User-Password is present, it is hidden using a method based

on the RSA Message Digest Algorithm MD5 [3].

A summary of the Access-Request packet format is shown below. The

fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Request Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
Code
1 for Access-Request.
Identifier
The Identifier field MUST be changed whenever the content of the

Attributes field changes, and whenever a valid reply has been
received for a previous request. For retransmissions, the
Identifier MUST remain unchanged.
The Request Authenticator value MUST be changed each time a new

Identifier is used.
Attributes
The Attribute field is variable in length, and contains the list

of Attributes that are required for the type of service, as well
as any desired optional Attributes.
4.2. Access-Accept
Description
Access-Accept packets are sent by the RADIUS server, and provide

specific configuration information necessary to begin delivery of
service to the user. If all Attribute values received in an
Access-Request are acceptable then the RADIUS implementation MUST
transmit a packet with the Code field set to 2 (Access-Accept).

On reception of an Access-Accept, the Identifier field is matched

with a pending Access-Request. The Response Authenticator field
MUST contain the correct response for the pending Access-Request.
Invalid packets are silently discarded.
A summary of the Access-Accept packet format is shown below. The

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Response Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
Code
2 for Access-Accept.
Identifier
The Identifier field is a copy of the Identifier field of the

Access-Request which caused this Access-Accept.
The Response Authenticator value is calculated from the Access-

Request value, as described earlier.
Attributes
The Attribute field is variable in length, and contains a list of

zero or more Attributes.

4.3. Access-Reject
Description
If any value of the received Attributes is not acceptable, then

the RADIUS server MUST transmit a packet with the Code field set
to 3 (Access-Reject). It MAY include one or more Reply-Message
Attributes with a text message which the NAS MAY display to the
user.
A summary of the Access-Reject packet format is shown below. The

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
Code
3 for Access-Reject.
Identifier

Access-Request which caused this Access-Reject.

Attributes
The Attribute field is variable in length, and contains a list of


4.4. Access-Challenge
Description
If the RADIUS server desires to send the user a challenge

requiring a response, then the RADIUS server MUST respond to the
Access-Request by transmitting a packet with the Code field set to
11 (Access-Challenge).
The Attributes field MAY have one or more Reply-Message

Attributes, and MAY have a single State Attribute, or none.
Vendor-Specific, Idle-Timeout, Session-Timeout and Proxy-State
attributes MAY also be included. No other Attributes defined in
this document are permitted in an Access-Challenge.
On receipt of an Access-Challenge, the Identifier field is matched

with a pending Access-Request. Additionally, the Response
Authenticator field MUST contain the correct response for the
pending Access-Request. Invalid packets are silently discarded.
If the NAS does not support challenge/response, it MUST treat an

Access-Challenge as though it had received an Access-Reject
instead.
If the NAS supports challenge/response, receipt of a valid

Access-Challenge indicates that a new Access-Request SHOULD be
sent. The NAS MAY display the text message, if any, to the user,
and then prompt the user for a response. It then sends its
original Access-Request with a new request ID and Request
Authenticator, with the User-Password Attribute replaced by the
user's response (encrypted), and including the State Attribute
from the Access-Challenge, if any. Only 0 or 1 instances of the
State Attribute can be present in an Access-Request.
A NAS which supports PAP MAY forward the Reply-Message to the

dialing client and accept a PAP response which it can use as
though the user had entered the response. If the NAS cannot do
so, it MUST treat the Access-Challenge as though it had received
an Access-Reject instead.

A summary of the Access-Challenge packet format is shown below. The

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
Code
11 for Access-Challenge.
Identifier

Access-Request which caused this Access-Challenge.

Attributes
The Attributes field is variable in length, and contains a list of

5. Attributes
RADIUS Attributes carry the specific authentication, authorization,

information and configuration details for the request and reply.
The end of the list of Attributes is indicated by the Length of the

RADIUS packet.
Some Attributes MAY be included more than once. The effect of this
is Attribute specific, and is specified in each Attribute
description. A summary table is provided at the end of the
"Attributes" section.

If multiple Attributes with the same Type are present, the order of
Attributes with the same Type MUST be preserved by any proxies. The
order of Attributes of different Types is not required to be
preserved. A RADIUS server or client MUST NOT have any dependencies
on the order of attributes of different types. A RADIUS server or
client MUST NOT require attributes of the same type to be contiguous.
Where an Attribute's description limits which kinds of packet it can

be contained in, this applies only to the packet types defined in
this document, namely Access-Request, Access-Accept, Access-Reject
and Access-Challenge (Codes 1, 2, 3, and 11). Other documents
defining other packet types may also use Attributes described here.
To determine which Attributes are allowed in Accounting-Request and
Accounting-Response packets (Codes 4 and 5) refer to the RADIUS
Accounting document [5].
Likewise where packet types defined here state that only certain
Attributes are permissible in them, future memos defining new
Attributes should indicate which packet types the new Attributes may
be present in.
A summary of the Attribute format is shown below. The fields are

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
The Type field is one octet. Up-to-date values of the RADIUS Type
field are specified in the most recent "Assigned Numbers" RFC [6].
Values 192-223 are reserved for experimental use, values 224-240
are reserved for implementation-specific use, and values 241-255
are reserved and should not be used.
A RADIUS server MAY ignore Attributes with an unknown Type.
A RADIUS client MAY ignore Attributes with an unknown Type.

This specification concerns the following values:
1 User-Name
2 User-Password
3 CHAP-Password
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
7 Framed-Protocol
8 Framed-IP-Address
9 Framed-IP-Netmask
10 Framed-Routing
11 Filter-Id
12 Framed-MTU
13 Framed-Compression
14 Login-IP-Host
15 Login-Service
16 Login-TCP-Port
17 (unassigned)
18 Reply-Message
19 Callback-Number
20 Callback-Id
21 (unassigned)
22 Framed-Route
23 Framed-IPX-Network
24 State
25 Class
26 Vendor-Specific
27 Session-Timeout
28 Idle-Timeout
29 Termination-Action
30 Called-Station-Id
31 Calling-Station-Id
32 NAS-Identifier
33 Proxy-State
34 Login-LAT-Service
35 Login-LAT-Node
36 Login-LAT-Group
37 Framed-AppleTalk-Link
38 Framed-AppleTalk-Network
39 Framed-AppleTalk-Zone
40-59 (reserved for accounting)
60 CHAP-Challenge
61 NAS-Port-Type
62 Port-Limit
63 Login-LAT-Port

Length
The Length field is one octet, and indicates the length of this
Attribute including the Type, Length and Value fields. If an
Attribute is received in an Access-Request but with an invalid
Length, an Access-Reject SHOULD be transmitted. If an Attribute
is received in an Access-Accept, Access-Reject or Access-Challenge
packet with an invalid length, the packet MUST either be treated
as an Access-Reject or else silently discarded.
Value
The Value field is zero or more octets and contains information

specific to the Attribute. The format and length of the Value
field is determined by the Type and Length fields.
Note that none of the types in RADIUS terminate with a NUL (hex
00). In particular, types "text" and "string" in RADIUS do not
terminate with a NUL (hex 00). The Attribute has a length field
and does not use a terminator. Text contains UTF-8 encoded 10646
[7] characters and String contains 8-bit binary data. Servers and
servers and clients MUST be able to deal with embedded nulls.
RADIUS implementers using C are cautioned not to use strcpy() when
handling strings.
The format of the value field is one of five data types. Note
that type "text" is a subset of type "string".
text 1-253 octets containing UTF-8 encoded 10646 [7]

characters. Text of length zero (0) MUST NOT be sent;
omit the entire attribute instead.
string 1-253 octets containing binary data (values 0 through

255 decimal, inclusive). Strings of length zero (0)
MUST NOT be sent; omit the entire attribute instead.
address 32 bit value, most significant octet first.
integer 32 bit unsigned value, most significant octet first.
time 32 bit unsigned value, most significant octet first --

seconds since 00:00:00 UTC, January 1, 1970. The
standard Attributes do not use this data type but it is
presented here for possible use in future attributes.

5.1. User-Name
Description
This Attribute indicates the name of the user to be authenticated.

It MUST be sent in Access-Request packets if available.
It MAY be sent in an Access-Accept packet, in which case the

client SHOULD use the name returned in the Access-Accept packet in
all Accounting-Request packets for this session. If the Access-
Accept includes Service-Type = Rlogin and the User-Name attribute,
a NAS MAY use the returned User-Name when performing the Rlogin
function.
A summary of the User-Name Attribute format is shown below. The

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | String ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
1 for User-Name.
Length
>= 3
String
The String field is one or more octets. The NAS may limit the
maximum length of the User-Name but the ability to handle at least
63 octets is recommended.
The format of the username MAY be one of several forms:
text Consisting only of UTF-8 encoded 10646 [7] characters.
network access identifier

A Network Access Identifier as described in RFC 2486
[8].
distinguished name
A name in ASN.1 form used in Public Key authentication
systems.

5.2. User-Password
Description
This Attribute indicates the password of the user to be

authenticated, or the user's input following an Access-Challenge.
It is only used in Access-Request packets.
On transmission, the password is hidden. The password is first

padded at the end with nulls to a multiple of 16 octets. A one-
way MD5 hash is calculated over a stream of octets consisting of
the shared secret followed by the Request Authenticator. This
value is XORed with the first 16 octet segment of the password and
placed in the first 16 octets of the String field of the User-
Password Attribute.
If the password is longer than 16 characters, a second one-way MD5

hash is calculated over a stream of octets consisting of the
shared secret followed by the result of the first xor. That hash
is XORed with the second 16 octet segment of the password and
placed in the second 16 octets of the String field of the User-
Password Attribute.
If necessary, this operation is repeated, with each xor result

being used along with the shared secret to generate the next hash
to xor the next segment of the password, to no more than 128
characters.
The method is taken from the book "Network Security" by Kaufman,

Perlman and Speciner [9] pages 109-110. A more precise
explanation of the method follows:
Call the shared secret S and the pseudo-random 128-bit Request

Authenticator RA. Break the password into 16-octet chunks p1, p2,
etc. with the last one padded at the end with nulls to a 16-octet
boundary. Call the ciphertext blocks c(1), c(2), etc. We'll need
intermediate values b1, b2, etc.
b1 = MD5(S + RA) c(1) = p1 xor b1

b2 = MD5(S + c(1)) c(2) = p2 xor b2
. .
. .
. .
bi = MD5(S + c(i-1)) c(i) = pi xor bi
The String will contain c(1)+c(2)+...+c(i) where + denotes

concatenation.

On receipt, the process is reversed to yield the original

password.
A summary of the User-Password Attribute format is shown below. The

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
2 for User-Password.
Length
At least 18 and no larger than 130.
String
The String field is between 16 and 128 octets long, inclusive.
5.3. CHAP-Password
Description
This Attribute indicates the response value provided by a PPP

Challenge-Handshake Authentication Protocol (CHAP) user in
response to the challenge. It is only used in Access-Request
packets.
The CHAP challenge value is found in the CHAP-Challenge Attribute

(60) if present in the packet, otherwise in the Request
Authenticator field.
A summary of the CHAP-Password Attribute format is shown below. The

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | CHAP Ident | String ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type
3 for CHAP-Password.
Length
19
CHAP Ident
This field is one octet, and contains the CHAP Identifier from the
user's CHAP Response.
String
The String field is 16 octets, and contains the CHAP Response from
the user.
5.4. NAS-IP-Address
Description
This Attribute indicates the identifying IP Address of the NAS

which is requesting authentication of the user, and SHOULD be
unique to the NAS within the scope of the RADIUS server. NAS-IP-
Address is only used in Access-Request packets. Either NAS-IP-
Address or NAS-Identifier MUST be present in an Access-Request
packet.
Note that NAS-IP-Address MUST NOT be used to select the shared

secret used to authenticate the request. The source IP address of
the Access-Request packet MUST be used to select the shared
secret.
A summary of the NAS-IP-Address Attribute format is shown below. The

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Address
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
4 for NAS-IP-Address.

Length
Address
The Address field is four octets.
5.5. NAS-Port
Description
This Attribute indicates the physical port number of the NAS which
is authenticating the user. It is only used in Access-Request
packets. Note that this is using "port" in its sense of a
physical connection on the NAS, not in the sense of a TCP or UDP
port number. Either NAS-Port or NAS-Port-Type (61) or both SHOULD
be present in an Access-Request packet, if the NAS differentiates
among its ports.
A summary of the NAS-Port Attribute format is shown below. The

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
5 for NAS-Port.
Length
Value
The Value field is four octets.

5.6. Service-Type
Description
This Attribute indicates the type of service the user has

requested, or the type of service to be provided. It MAY be used
in both Access-Request and Access-Accept packets. A NAS is not
required to implement all of these service types, and MUST treat
unknown or unsupported Service-Types as though an Access-Reject
had been received instead.
A summary of the Service-Type Attribute format is shown below. The

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
6 for Service-Type.
Length
Value
1 Login
2 Framed
3 Callback Login
4 Callback Framed
5 Outbound
6 Administrative
7 NAS Prompt
8 Authenticate Only
9 Callback NAS Prompt
10 Call Check
11 Callback Administrative

The service types are defined as follows when used in an Access-

Accept. When used in an Access-Request, they MAY be considered to
be a hint to the RADIUS server that the NAS has reason to believe
the user would prefer the kind of service indicated, but the
server is not required to honor the hint.
Login The user should be connected to a host.
Framed A Framed Protocol should be started for the

User, such as PPP or SLIP.
Callback Login The user should be disconnected and called

back, then connected to a host.
Callback Framed The user should be disconnected and called

back, then a Framed Protocol should be started
for the User, such as PPP or SLIP.
Outbound The user should be granted access to outgoing

devices.
Administrative The user should be granted access to the

administrative interface to the NAS from which
privileged commands can be executed.
NAS Prompt The user should be provided a command prompt

on the NAS from which non-privileged commands
can be executed.
Authenticate Only Only Authentication is requested, and no

authorization information needs to be returned
in the Access-Accept (typically used by proxy
servers rather than the NAS itself).
Callback NAS Prompt The user should be disconnected and called

back, then provided a command prompt on the
NAS from which non-privileged commands can be
executed.
Call Check Used by the NAS in an Access-Request packet to

indicate that a call is being received and
that the RADIUS server should send back an
Access-Accept to answer the call, or an
Access-Reject to not accept the call,
typically based on the Called-Station-Id or
Calling-Station-Id attributes. It is

recommended that such Access-Requests use the

value of Calling-Station-Id as the value of
the User-Name.
Callback Administrative
The user should be disconnected and called
back, then granted access to the
administrative interface to the NAS from which
privileged commands can be executed.
5.7. Framed-Protocol
Description
This Attribute indicates the framing to be used for framed access.

It MAY be used in both Access-Request and Access-Accept packets.
A summary of the Framed-Protocol Attribute format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
7 for Framed-Protocol.
Length
Value
1 PPP
2 SLIP
3 AppleTalk Remote Access Protocol (ARAP)
4 Gandalf proprietary SingleLink/MultiLink protocol
5 Xylogics proprietary IPX/SLIP
6 X.75 Synchronous

5.8. Framed-IP-Address
Description
This Attribute indicates the address to be configured for the

user. It MAY be used in Access-Accept packets. It MAY be used in
an Access-Request packet as a hint by the NAS to the server that
it would prefer that address, but the server is not required to
honor the hint.
A summary of the Framed-IP-Address Attribute format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
8 for Framed-IP-Address.
Length
Address
The Address field is four octets. The value 0xFFFFFFFF indicates

that the NAS Should allow the user to select an address (e.g.
Negotiated). The value 0xFFFFFFFE indicates that the NAS should
select an address for the user (e.g. Assigned from a pool of
addresses kept by the NAS). Other valid values indicate that the
NAS should use that value as the user's IP address.
5.9. Framed-IP-Netmask
Description
This Attribute indicates the IP netmask to be configured for the

user when the user is a router to a network. It MAY be used in
Access-Accept packets. It MAY be used in an Access-Request packet
as a hint by the NAS to the server that it would prefer that
netmask, but the server is not required to honor the hint.

A summary of the Framed-IP-Netmask Attribute format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
9 for Framed-IP-Netmask.
Length
Address
The Address field is four octets specifying the IP netmask of the

user.
5.10. Framed-Routing
Description
This Attribute indicates the routing method for the user, when the
user is a router to a network. It is only used in Access-Accept
packets.
A summary of the Framed-Routing Attribute format is shown below. The

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
10 for Framed-Routing.

Length
Value
0 None
1 Send routing packets
2 Listen for routing packets
3 Send and Listen
5.11. Filter-Id
Description
This Attribute indicates the name of the filter list for this
user. Zero or more Filter-Id attributes MAY be sent in an
Access-Accept packet.
Identifying a filter list by name allows the filter to be used on

different NASes without regard to filter-list implementation
details.
A summary of the Filter-Id Attribute format is shown below. The

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Text ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
11 for Filter-Id.
Length
>= 3
Text
The Text field is one or more octets, and its contents are
implementation dependent. It is intended to be human readable and
MUST NOT affect operation of the protocol. It is recommended that
the message contain UTF-8 encoded 10646 [7] characters.

5.12. Framed-MTU
Description
This Attribute indicates the Maximum Transmission Unit to be

configured for the user, when it is not negotiated by some other
means (such as PPP). It MAY be used in Access-Accept packets. It
MAY be used in an Access-Request packet as a hint by the NAS to
the server that it would prefer that value, but the server is not
required to honor the hint.
A summary of the Framed-MTU Attribute format is shown below. The

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
12 for Framed-MTU.
Length
Value
The Value field is four octets. Despite the size of the field,
values range from 64 to 65535.
5.13. Framed-Compression
Description
This Attribute indicates a compression protocol to be used for the

link. It MAY be used in Access-Accept packets. It MAY be used in
an Access-Request packet as a hint to the server that the NAS
would prefer to use that compression, but the server is not
required to honor the hint.
More than one compression protocol Attribute MAY be sent. It is

the responsibility of the NAS to apply the proper compression
protocol to appropriate link traffic.

A summary of the Framed-Compression Attribute format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
13 for Framed-Compression.
Length
Value
0 None
1 VJ TCP/IP header compression [10]
2 IPX header compression
3 Stac-LZS compression
5.14. Login-IP-Host
Description
This Attribute indicates the system with which to connect the user,
when the Login-Service Attribute is included. It MAY be used in
Access-Accept packets. It MAY be used in an Access-Request packet as
a hint to the server that the NAS would prefer to use that host, but
the server is not required to honor the hint.
A summary of the Login-IP-Host Attribute format is shown below. The


0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Address (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
14 for Login-IP-Host.
Length
Address
The Address field is four octets. The value 0xFFFFFFFF indicates

that the NAS SHOULD allow the user to select an address. The
value 0 indicates that the NAS SHOULD select a host to connect the
user to. Other values indicate the address the NAS SHOULD connect
the user to.
5.15. Login-Service
Description
This Attribute indicates the service to use to connect the user to

the login host. It is only used in Access-Accept packets.
A summary of the Login-Service Attribute format is shown below. The

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
15 for Login-Service.

Length
Value
0 Telnet
1 Rlogin
2 TCP Clear
3 PortMaster (proprietary)
4 LAT
5 X25-PAD
6 X25-T3POS
8 TCP Clear Quiet (suppresses any NAS-generated connect string)
5.16. Login-TCP-Port
Description
This Attribute indicates the TCP port with which the user is to be
connected, when the Login-Service Attribute is also present. It
is only used in Access-Accept packets.
A summary of the Login-TCP-Port Attribute format is shown below. The

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
16 for Login-TCP-Port.
Length
Value
values range from 0 to 65535.

5.17. (unassigned)
Description
ATTRIBUTE TYPE 17 HAS NOT BEEN ASSIGNED.
5.18. Reply-Message
Description
This Attribute indicates text which MAY be displayed to the user.
When used in an Access-Accept, it is the success message.
When used in an Access-Reject, it is the failure message. It MAY

indicate a dialog message to prompt the user before another
Access-Request attempt.
When used in an Access-Challenge, it MAY indicate a dialog message

to prompt the user for a response.
Multiple Reply-Message's MAY be included and if any are displayed,

they MUST be displayed in the same order as they appear in the
packet.
A summary of the Reply-Message Attribute format is shown below. The

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
18 for Reply-Message.
Length
>= 3
Text
implementation dependent. It is intended to be human readable,
and MUST NOT affect operation of the protocol. It is recommended
that the message contain UTF-8 encoded 10646 [7] characters.

5.19. Callback-Number
Description
This Attribute indicates a dialing string to be used for callback.

It MAY be used in Access-Accept packets. It MAY be used in an
Access-Request packet as a hint to the server that a Callback
service is desired, but the server is not required to honor the
hint.
A summary of the Callback-Number Attribute format is shown below.

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
19 for Callback-Number.
Length
>= 3
String
The String field is one or more octets. The actual format of the
information is site or application specific, and a robust
implementation SHOULD support the field as undistinguished octets.
The codification of the range of allowed usage of this field is

outside the scope of this specification.
5.20. Callback-Id
Description
This Attribute indicates the name of a place to be called, to be

interpreted by the NAS. It MAY be used in Access-Accept packets.

A summary of the Callback-Id Attribute format is shown below. The

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
20 for Callback-Id.
Length
>= 3
String

5.21. (unassigned)
Description
ATTRIBUTE TYPE 21 HAS NOT BEEN ASSIGNED.
5.22. Framed-Route
Description
This Attribute provides routing information to be configured for

the user on the NAS. It is used in the Access-Accept packet and
can appear multiple times.
A summary of the Framed-Route Attribute format is shown below. The

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type
22 for Framed-Route.
Length
>= 3
Text
implementation dependent. It is intended to be human readable and
MUST NOT affect operation of the protocol. It is recommended that
the message contain UTF-8 encoded 10646 [7] characters.
For IP routes, it SHOULD contain a destination prefix in dotted

quad form optionally followed by a slash and a decimal length
specifier stating how many high order bits of the prefix to use.
That is followed by a space, a gateway address in dotted quad
form, a space, and one or more metrics separated by spaces. For
example, "192.168.1.0/24 192.168.1.1 1 2 -1 3 400". The length
specifier may be omitted, in which case it defaults to 8 bits for
class A prefixes, 16 bits for class B prefixes, and 24 bits for
class C prefixes. For example, "192.168.1.0 192.168.1.1 1".
Whenever the gateway address is specified as "0.0.0.0" the IP

address of the user SHOULD be used as the gateway address.
5.23. Framed-IPX-Network
Description
This Attribute indicates the IPX Network number to be configured

for the user. It is used in Access-Accept packets.
A summary of the Framed-IPX-Network Attribute format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type
23 for Framed-IPX-Network.
Length
Value
The Value field is four octets. The value 0xFFFFFFFE indicates

that the NAS should select an IPX network for the user (e.g.
assigned from a pool of one or more IPX networks kept by the NAS).
Other values should be used as the IPX network for the link to the
user.
5.24. State
Description
This Attribute is available to be sent by the server to the client

in an Access-Challenge and MUST be sent unmodified from the client
to the server in the new Access-Request reply to that challenge,
if any.

in an Access-Accept that also includes a Termination-Action
Attribute with the value of RADIUS-Request. If the NAS performs
the Termination-Action by sending a new Access-Request upon
termination of the current session, it MUST include the State
attribute unchanged in that Access-Request.
In either usage, the client MUST NOT interpret the attribute

locally. A packet must have only zero or one State Attribute.
Usage of the State Attribute is implementation dependent.
A summary of the State Attribute format is shown below. The fields

are transmitted from left to right.
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
24 for State.

Length
>= 3
String

5.25. Class
Description

in an Access-Accept and SHOULD be sent unmodified by the client to
the accounting server as part of the Accounting-Request packet if
accounting is supported. The client MUST NOT interpret the
attribute locally.
A summary of the Class Attribute format is shown below. The fields

are transmitted from left to right.
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
25 for Class.
Length
>= 3
String


5.26. Vendor-Specific
Description
This Attribute is available to allow vendors to support their own

extended Attributes not suitable for general usage. It MUST not
affect the operation of the RADIUS protocol.
Servers not equipped to interpret the vendor-specific information

sent by a client MUST ignore it (although it may be reported).
Clients which do not receive desired vendor-specific information
SHOULD make an attempt to operate without it, although they may do
so (and report they are doing so) in a degraded mode.
A summary of the Vendor-Specific Attribute format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont) | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
26 for Vendor-Specific.
Length
>= 7
Vendor-Id
The high-order octet is 0 and the low-order 3 octets are the SMI
Network Management Private Enterprise Code of the Vendor in
network byte order, as defined in the "Assigned Numbers" RFC [6].
String


It SHOULD be encoded as a sequence of vendor type / vendor length

/ value fields, as follows. The Attribute-Specific field is
dependent on the vendor's definition of that attribute. An
example encoding of the Vendor-Specific attribute using this
method follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Vendor-Id
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Id (cont) | Vendor type | Vendor length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute-Specific...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Multiple subattributes MAY be encoded within a single Vendor-

Specific attribute, although they do not have to be.
5.27. Session-Timeout
Description
This Attribute sets the maximum number of seconds of service to be

provided to the user before termination of the session or prompt.
in an Access-Accept or Access-Challenge.
A summary of the Session-Timeout Attribute format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
27 for Session-Timeout.
Length

Value
The field is 4 octets, containing a 32-bit unsigned integer with

the maximum number of seconds this user should be allowed to
remain connected by the NAS.
5.28. Idle-Timeout
Description
This Attribute sets the maximum number of consecutive seconds of

idle connection allowed to the user before termination of the
session or prompt. This Attribute is available to be sent by the
server to the client in an Access-Accept or Access-Challenge.
A summary of the Idle-Timeout Attribute format is shown below. The

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
28 for Idle-Timeout.
Length
Value

the maximum number of consecutive seconds of idle time this user
should be permitted before being disconnected by the NAS.
5.29. Termination-Action
Description
This Attribute indicates what action the NAS should take when the
specified service is completed. It is only used in Access-Accept
packets.

A summary of the Termination-Action Attribute format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
29 for Termination-Action.
Length
Value
0 Default
1 RADIUS-Request
If the Value is set to RADIUS-Request, upon termination of the

specified service the NAS MAY send a new Access-Request to the
RADIUS server, including the State attribute if any.
5.30. Called-Station-Id
Description
This Attribute allows the NAS to send in the Access-Request packet

the phone number that the user called, using Dialed Number
Identification (DNIS) or similar technology. Note that this may
be different from the phone number the call comes in on. It is
only used in Access-Request packets.
A summary of the Called-Station-Id Attribute format is shown below.

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type
30 for Called-Station-Id.
Length
>= 3
String
The String field is one or more octets, containing the phone

number that the user's call came in on.
The actual format of the information is site or application

specific. UTF-8 encoded 10646 [7] characters are recommended, but
a robust implementation SHOULD support the field as
undistinguished octets.

5.31. Calling-Station-Id
Description
This Attribute allows the NAS to send in the Access-Request packet

the phone number that the call came from, using Automatic Number
Identification (ANI) or similar technology. It is only used in
Access-Request packets.
A summary of the Calling-Station-Id Attribute format is shown below.

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
31 for Calling-Station-Id.
Length
>= 3

String
The String field is one or more octets, containing the phone

number that the user placed the call from.

specific. UTF-8 encoded 10646 [7] characters are recommended, but
a robust implementation SHOULD support the field as

5.32. NAS-Identifier
Description
This Attribute contains a string identifying the NAS originating

the Access-Request. It is only used in Access-Request packets.
Either NAS-IP-Address or NAS-Identifier MUST be present in an
Access-Request packet.
Note that NAS-Identifier MUST NOT be used to select the shared

secret used to authenticate the request. The source IP address of
the Access-Request packet MUST be used to select the shared
secret.
A summary of the NAS-Identifier Attribute format is shown below. The

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
32 for NAS-Identifier.
Length
>= 3

String
The String field is one or more octets, and should be unique to

the NAS within the scope of the RADIUS server. For example, a
fully qualified domain name would be suitable as a NAS-Identifier.

specific, and a robust implementation SHOULD support the field as

5.33. Proxy-State
Description
This Attribute is available to be sent by a proxy server to

another server when forwarding an Access-Request and MUST be
returned unmodified in the Access-Accept, Access-Reject or
Access-Challenge. When the proxy server receives the response to
its request, it MUST remove its own Proxy-State (the last Proxy-
State in the packet) before forwarding the response to the NAS.
If a Proxy-State Attribute is added to a packet when forwarding

the packet, the Proxy-State Attribute MUST be added after any
existing Proxy-State attributes.
The content of any Proxy-State other than the one added by the
current server should be treated as opaque octets and MUST NOT
affect operation of the protocol.
Usage of the Proxy-State Attribute is implementation dependent. A

description of its function is outside the scope of this
specification.
A summary of the Proxy-State Attribute format is shown below. The

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
33 for Proxy-State.

Length
>= 3
String

5.34. Login-LAT-Service
Description
This Attribute indicates the system with which the user is to be

connected by LAT. It MAY be used in Access-Accept packets, but
only when LAT is specified as the Login-Service. It MAY be used
in an Access-Request packet as a hint to the server, but the
Administrators use the service attribute when dealing with

clustered systems, such as a VAX or Alpha cluster. In such an
environment several different time sharing hosts share the same
resources (disks, printers, etc.), and administrators often
configure each to offer access (service) to each of the shared
resources. In this case, each host in the cluster advertises its
services through LAT broadcasts.
Sophisticated users often know which service providers (machines)

are faster and tend to use a node name when initiating a LAT
connection. Alternately, some administrators want particular
users to use certain machines as a primitive form of load
balancing (although LAT knows how to do load balancing itself).
A summary of the Login-LAT-Service Attribute format is shown below.

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type
34 for Login-LAT-Service.
Length
>= 3
String
The String field is one or more octets, and contains the identity
of the LAT service to use. The LAT Architecture allows this
string to contain $ (dollar), - (hyphen), . (period), _
(underscore), numerics, upper and lower case alphabetics, and the
ISO Latin-1 character set extension [11]. All LAT string
comparisons are case insensitive.
5.35. Login-LAT-Node
Description
This Attribute indicates the Node with which the user is to be

automatically connected by LAT. It MAY be used in Access-Accept
packets, but only when LAT is specified as the Login-Service. It
MAY be used in an Access-Request packet as a hint to the server,
but the server is not required to honor the hint.
A summary of the Login-LAT-Node Attribute format is shown below. The

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
35 for Login-LAT-Node.
Length
>= 3

String
of the LAT Node to connect the user to. The LAT Architecture
allows this string to contain $ (dollar), - (hyphen), . (period),
_ (underscore), numerics, upper and lower case alphabetics, and
the ISO Latin-1 character set extension. All LAT string
comparisons are case insensitive.
5.36. Login-LAT-Group
Description
This Attribute contains a string identifying the LAT group codes

which this user is authorized to use. It MAY be used in Access-
Accept packets, but only when LAT is specified as the Login-
Service. It MAY be used in an Access-Request packet as a hint to
the server, but the server is not required to honor the hint.
LAT supports 256 different group codes, which LAT uses as a form
of access rights. LAT encodes the group codes as a 256 bit
bitmap.
Administrators can assign one or more of the group code bits at

the LAT service provider; it will only accept LAT connections that
have these group codes set in the bit map. The administrators
assign a bitmap of authorized group codes to each user; LAT gets
these from the operating system, and uses these in its requests to
the service providers.
A summary of the Login-LAT-Group Attribute format is shown below.

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
36 for Login-LAT-Group.
Length
34

String
The String field is a 32 octet bit map, most significant octet

first. A robust implementation SHOULD support the field as

5.37. Framed-AppleTalk-Link
Description
This Attribute indicates the AppleTalk network number which should

be used for the serial link to the user, which is another
AppleTalk router. It is only used in Access-Accept packets. It
is never used when the user is not another router.
A summary of the Framed-AppleTalk-Link Attribute format is shown

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
37 for Framed-AppleTalk-Link.
Length
Value
values range from 0 to 65535. The special value of 0 indicates
that this is an unnumbered serial link. A value of 1-65535 means
that the serial line between the NAS and the user should be
assigned that value as an AppleTalk network number.

5.38. Framed-AppleTalk-Network
Description
This Attribute indicates the AppleTalk Network number which the

NAS should probe to allocate an AppleTalk node for the user. It
is only used in Access-Accept packets. It is never used when the
user is another router. Multiple instances of this Attribute
indicate that the NAS may probe using any of the network numbers
specified.
A summary of the Framed-AppleTalk-Network Attribute format is shown

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
38 for Framed-AppleTalk-Network.
Length
Value
values range from 0 to 65535. The special value 0 indicates that
the NAS should assign a network for the user, using its default
cable range. A value between 1 and 65535 (inclusive) indicates
the AppleTalk Network the NAS should probe to find an address for
the user.
5.39. Framed-AppleTalk-Zone
Description
This Attribute indicates the AppleTalk Default Zone to be used for

this user. It is only used in Access-Accept packets. Multiple
instances of this attribute in the same packet are not allowed.

A summary of the Framed-AppleTalk-Zone Attribute format is shown

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
39 for Framed-AppleTalk-Zone.
Length
>= 3
String
The name of the Default AppleTalk Zone to be used for this user.
A robust implementation SHOULD support the field as

5.40. CHAP-Challenge
Description
This Attribute contains the CHAP Challenge sent by the NAS to a

PPP Challenge-Handshake Authentication Protocol (CHAP) user. It
is only used in Access-Request packets.
If the CHAP challenge value is 16 octets long it MAY be placed in

the Request Authenticator field instead of using this attribute.
A summary of the CHAP-Challenge Attribute format is shown below. The

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Type
60 for CHAP-Challenge.
Length
>= 7
String
The String field contains the CHAP Challenge.
5.41. NAS-Port-Type
Description
This Attribute indicates the type of the physical port of the NAS
which is authenticating the user. It can be used instead of or in
addition to the NAS-Port (5) attribute. It is only used in
Access-Request packets. Either NAS-Port (5) or NAS-Port-Type or
both SHOULD be present in an Access-Request packet, if the NAS
differentiates among its ports.
A summary of the NAS-Port-Type Attribute format is shown below. The

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
61 for NAS-Port-Type.
Length
Value
The Value field is four octets. "Virtual" refers to a connection

to the NAS via some transport protocol, instead of through a
physical port. For example, if a user telnetted into a NAS to

authenticate himself as an Outbound-User, the Access-Request might

include NAS-Port-Type = Virtual as a hint to the RADIUS server
that the user was not on a physical port.
0 Async
1 Sync
2 ISDN Sync
3 ISDN Async V.120
4 ISDN Async V.110
5 Virtual
6 PIAFS
7 HDLC Clear Channel
8 X.25
9 X.75
10 G.3 Fax
11 SDSL - Symmetric DSL
12 ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase
Modulation
13 ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone
14 IDSL - ISDN Digital Subscriber Line
15 Ethernet
16 xDSL - Digital Subscriber Line of unknown type
17 Cable
18 Wireless - Other
19 Wireless - IEEE 802.11
PIAFS is a form of wireless ISDN commonly used in Japan, and

stands for PHS (Personal Handyphone System) Internet Access Forum
Standard (PIAFS).
5.42. Port-Limit
Description
This Attribute sets the maximum number of ports to be provided to

the user by the NAS. This Attribute MAY be sent by the server to
the client in an Access-Accept packet. It is intended for use in
conjunction with Multilink PPP [12] or similar uses. It MAY also
be sent by the NAS to the server as a hint that that many ports
are desired for use, but the server is not required to honor the
hint.
A summary of the Port-Limit Attribute format is shown below. The


0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
62 for Port-Limit.
Length
Value

the maximum number of ports this user should be allowed to connect
to on the NAS.
5.43. Login-LAT-Port
Description
This Attribute indicates the Port with which the user is to be

connected by LAT. It MAY be used in Access-Accept packets, but
only when LAT is specified as the Login-Service. It MAY be used
in an Access-Request packet as a hint to the server, but the
A summary of the Login-LAT-Port Attribute format is shown below. The

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
63 for Login-LAT-Port.
Length
>= 3

String
of the LAT port to use. The LAT Architecture allows this string
to contain $ (dollar), - (hyphen), . (period), _ (underscore),
numerics, upper and lower case alphabetics, and the ISO Latin-1
character set extension. All LAT string comparisons are case
insensitive.
5.44. Table of Attributes
The following table provides a guide to which attributes may be found

in which kinds of packets, and in what quantity.
Request Accept Reject Challenge # Attribute

0-1 0-1 0 0 1 User-Name
0-1 0 0 0 2 User-Password [Note 1]
0-1 0 0 0 3 CHAP-Password [Note 1]
0-1 0 0 0 4 NAS-IP-Address [Note 2]
0-1 0 0 0 5 NAS-Port
0-1 0-1 0 0 6 Service-Type
0-1 0-1 0 0 7 Framed-Protocol
0-1 0-1 0 0 8 Framed-IP-Address
0-1 0-1 0 0 9 Framed-IP-Netmask
0 0-1 0 0 10 Framed-Routing
0 0+ 0 0 11 Filter-Id
0-1 0-1 0 0 12 Framed-MTU
0+ 0+ 0 0 13 Framed-Compression
0+ 0+ 0 0 14 Login-IP-Host
0 0-1 0 0 15 Login-Service
0 0-1 0 0 16 Login-TCP-Port
0 0+ 0+ 0+ 18 Reply-Message
0-1 0-1 0 0 19 Callback-Number
0 0-1 0 0 20 Callback-Id
0 0+ 0 0 22 Framed-Route
0 0-1 0 0 23 Framed-IPX-Network
0-1 0-1 0 0-1 24 State [Note 1]
0 0+ 0 0 25 Class
0+ 0+ 0 0+ 26 Vendor-Specific
0 0-1 0 0-1 27 Session-Timeout
0 0-1 0 0-1 28 Idle-Timeout
0 0-1 0 0 29 Termination-Action
0-1 0 0 0 30 Called-Station-Id
0-1 0 0 0 31 Calling-Station-Id
0-1 0 0 0 32 NAS-Identifier [Note 2]
0+ 0+ 0+ 0+ 33 Proxy-State
0-1 0-1 0 0 34 Login-LAT-Service
0-1 0-1 0 0 35 Login-LAT-Node

0-1 0-1 0 0 36 Login-LAT-Group

0 0-1 0 0 37 Framed-AppleTalk-Link
0 0+ 0 0 38 Framed-AppleTalk-Network
0 0-1 0 0 39 Framed-AppleTalk-Zone
0-1 0 0 0 60 CHAP-Challenge
0-1 0 0 0 61 NAS-Port-Type
0-1 0-1 0 0 62 Port-Limit
0-1 0-1 0 0 63 Login-LAT-Port
[Note 1] An Access-Request MUST contain either a User-Password or a

CHAP-Password or State. An Access-Request MUST NOT contain both a
User-Password and a CHAP-Password. If future extensions allow other
kinds of authentication information to be conveyed, the attribute for
that can be used in an Access-Request instead of User-Password or
CHAP-Password.
[Note 2] An Access-Request MUST contain either a NAS-IP-Address or a

NAS-Identifier (or both).
The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present in packet.

0+ Zero or more instances of this attribute MAY be present in packet.
0-1 Zero or one instance of this attribute MAY be present in packet.
1 Exactly one instance of this attribute MUST be present in packet.
6. IANA Considerations
This section provides guidance to the Internet Assigned Numbers

Authority (IANA) regarding registration of values related to the
RADIUS protocol, in accordance with BCP 26 [13].
There are three name spaces in RADIUS that require registration:

Packet Type Codes, Attribute Types, and Attribute Values (for certain
Attributes).
RADIUS is not intended as a general-purpose Network Access Server

(NAS) management protocol, and allocations should not be made for
purposes unrelated to Authentication, Authorization or Accounting.
6.1. Definition of Terms
The following terms are used here with the meanings defined in
BCP 26: "name space", "assigned value", "registration".

The following policies are used here with the meanings defined in
BCP 26: "Private Use", "First Come First Served", "Expert Review",
"Specification Required", "IETF Consensus", "Standards Action".
6.2. Recommended Registration Policies
For registration requests where a Designated Expert should be

consulted, the IESG Area Director for Operations should appoint the
Designated Expert.
For registration requests requiring Expert Review, the ietf-radius

mailing list should be consulted.
Packet Type Codes have a range from 1 to 254, of which 1-5,11-13 have
been allocated. Because a new Packet Type has considerable impact on
interoperability, a new Packet Type Code requires Standards Action,
and should be allocated starting at 14.
Attribute Types have a range from 1 to 255, and are the scarcest
resource in RADIUS, thus must be allocated with care. Attributes
1-53,55,60-88,90-91 have been allocated, with 17 and 21 available for
re-use. Attributes 17, 21, 54, 56-59, 89, 92-191 may be allocated
following Expert Review, with Specification Required. Release of
blocks of Attribute Types (more than 3 at a time for a given purpose)
should require IETF Consensus. It is recommended that attributes 17
and 21 be used only after all others are exhausted.
Note that RADIUS defines a mechanism for Vendor-Specific extensions

(Attribute 26) and the use of that should be encouraged instead of
allocation of global attribute types, for functions specific only to
one vendor's implementation of RADIUS, where no interoperability is
deemed useful.
As stated in the "Attributes" section above:
"[Attribute Type] Values 192-223 are reserved for experimental

use, values 224-240 are reserved for implementation-specific use,
and values 241-255 are reserved and should not be used."
Therefore Attribute values 192-240 are considered Private Use, and

values 241-255 require Standards Action.
Certain attributes (for example, NAS-Port-Type) in RADIUS define a

list of values to correspond with various meanings. There can be 4
billion (2^32) values for each attribute. Adding additional values to
the list can be done on a First Come, First Served basis by the IANA.

7. Examples
A few examples are presented to illustrate the flow of packets and

use of typical attributes. These examples are not intended to be
exhaustive, many others are possible. Hexadecimal dumps of the
example packets are given in network byte order, using the shared
secret "xyzzy5461".
7.1. User Telnet to Specified Host
The NAS at 192.168.1.16 sends an Access-Request UDP packet to the

RADIUS Server for a user named nemo logging in on port 3 with
password "arctangent".
The Request Authenticator is a 16 octet random number generated by

the NAS.
The User-Password is 16 octets of password padded at end with nulls,

XORed with MD5(shared secret|Request Authenticator).
01 00 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb
98 f4 22 7a 01 06 6e 65 6d 6f 02 12 0d be 70 8d
93 d4 13 ce 31 96 e4 3f 78 2a 0a ee 04 06 c0 a8
01 10 05 06 00 00 00 03
1 Code = Access-Request (1)

1 ID = 0
2 Length = 56
16 Request Authenticator
Attributes:
6 User-Name = "nemo"
18 User-Password
6 NAS-IP-Address = 192.168.1.16
6 NAS-Port = 3
The RADIUS server authenticates nemo, and sends an Access-Accept UDP

packet to the NAS telling it to telnet nemo to host 192.168.1.3.
The Response Authenticator is a 16-octet MD5 checksum of the code

(2), id (0), Length (38), the Request Authenticator from above, the
attributes in this reply, and the shared secret.

02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf
9b 55 e0 b2 06 06 00 00 00 01 0f 06 00 00 00 00
0e 06 c0 a8 01 03
1 Code = Access-Accept (2)

1 ID = 0 (same as in Access-Request)
2 Length = 38
16 Response Authenticator
Attributes:
6 Service-Type (6) = Login (1)
6 Login-Service (15) = Telnet (0)
6 Login-IP-Host (14) = 192.168.1.3
7.2. Framed User Authenticating with CHAP

RADIUS Server for a user named flopsy logging in on port 20 with PPP,
authenticating using CHAP. The NAS sends along the Service-Type and
Framed-Protocol attributes as a hint to the RADIUS server that this
user is looking for PPP, although the NAS is not required to do so.

the NAS, and is also used as the CHAP Challenge.
The CHAP-Password consists of a 1 octet CHAP ID, in this case 22,

followed by the 16 octet CHAP response.
01 01 00 47 2a ee 86 f0 8d 0d 55 96 9c a5 97 8e
0d 33 67 a2 01 08 66 6c 6f 70 73 79 03 13 16 e9
75 57 c3 16 18 58 95 f2 93 ff 63 44 07 72 75 04
06 c0 a8 01 10 05 06 00 00 00 14 06 06 00 00 00
02 07 06 00 00 00 01
1 Code = 1 (Access-Request)
1 ID = 1
2 Length = 71
Attributes:
8 User-Name (1) = "flopsy"
19 CHAP-Password (3)
6 NAS-IP-Address (4) = 192.168.1.16
6 NAS-Port (5) = 20
6 Service-Type (6) = Framed (2)
6 Framed-Protocol (7) = PPP (1)

The RADIUS server authenticates flopsy, and sends an Access-Accept

UDP packet to the NAS telling it to start PPP service and assign an
address for the user out of its dynamic address pool.

(2), id (1), Length (56), the Request Authenticator from above, the
02 01 00 38 15 ef bc 7d ab 26 cf a3 dc 34 d9 c0
3c 86 01 a4 06 06 00 00 00 02 07 06 00 00 00 01
08 06 ff ff ff fe 0a 06 00 00 00 02 0d 06 00 00
00 01 0c 06 00 00 05 dc
1 Code = Access-Accept (2)

2 Length = 56
Attributes:
6 Service-Type (6) = Framed (2)
6 Framed-Protocol (7) = PPP (1)
6 Framed-IP-Address (8) = 255.255.255.254
6 Framed-Routing (10) = None (0)
6 Framed-Compression (13) = VJ TCP/IP Header Compression (1)
6 Framed-MTU (12) = 1500
7.3. User with Challenge-Response card

RADIUS Server for a user named mopsy logging in on port 7. The user
enters the dummy password "challenge" in this example. The challenge
and response generated by the smart card for this example are
"32769430" and "99101462".

the NAS.
The User-Password is 16 octets of password, in this case "challenge",

padded at the end with nulls, XORed with MD5(shared secret|Request
Authenticator).
01 02 00 39 f3 a4 7a 1f 6a 6d 76 71 0b 94 7a b9
30 41 a0 39 01 07 6d 6f 70 73 79 02 12 33 65 75
73 77 82 89 b5 70 88 5e 15 08 48 25 c5 04 06 c0
a8 01 10 05 06 00 00 00 07


1 ID = 2
2 Length = 57
Attributes:
7 User-Name (1) = "mopsy"
18 User-Password (2)
6 NAS-IP-Address (4) = 192.168.1.16
6 NAS-Port (5) = 7
The RADIUS server decides to challenge mopsy, sending back a

challenge string and looking for a response. The RADIUS server
therefore and sends an Access-Challenge UDP packet to the NAS.

(11), id (2), length (78), the Request Authenticator from above, the
The Reply-Message is "Challenge 32769430. Enter response at prompt."
The State is a magic cookie to be returned along with user's

response; in this example 8 octets of data (33 32 37 36 39 34 33 30
in hex).
0b 02 00 4e 36 f3 c8 76 4a e8 c7 11 57 40 3c 0c
71 ff 9c 45 12 30 43 68 61 6c 6c 65 6e 67 65 20
33 32 37 36 39 34 33 30 2e 20 20 45 6e 74 65 72
20 72 65 73 70 6f 6e 73 65 20 61 74 20 70 72 6f
6d 70 74 2e 18 0a 33 32 37 36 39 34 33 30
1 Code = Access-Challenge (11)

2 Length = 78
Attributes:
48 Reply-Message (18)
10 State (24)
The user enters his response, and the NAS send a new Access-Request
with that response, and includes the State Attribute.
The Request Authenticator is a new 16 octet random number.
The User-Password is 16 octets of the user's response, in this case

"99101462", padded at the end with nulls, XORed with MD5(shared
secret|Request Authenticator).

The state is the magic cookie from the Access-Challenge packet,

unchanged.
01 03 00 43 b1 22 55 6d 42 8a 13 d0 d6 25 38 07
c4 57 ec f0 01 07 6d 6f 70 73 79 02 12 69 2c 1f
20 5f c0 81 b9 19 b9 51 95 f5 61 a5 81 04 06 c0
a8 01 10 05 06 00 00 00 07 18 10 33 32 37 36 39
34 33 30

1 ID = 3 (Note that this changes.)
2 Length = 67
Attributes:
7 User-Name = "mopsy"
18 User-Password
6 NAS-IP-Address (4) = 192.168.1.16
6 NAS-Port (5) = 7
10 State (24)
The Response was incorrect (for the sake of example), so the RADIUS
server tells the NAS to reject the login attempt.
The Response Authenticator is a 16 octet MD5 checksum of the code

(3), id (3), length(20), the Request Authenticator from above, the
attributes in this reply (in this case, none), and the shared secret.
03 03 00 14 a4 2f 4f ca 45 91 6c 4e 09 c8 34 0f
9e 74 6a a0
1 Code = Access-Reject (3)

2 Length = 20
Attributes:
(none, although a Reply-Message could be sent)

Security issues are the primary topic of this document.
In practice, within or associated with each RADIUS server, there is a

database which associates "user" names with authentication
information ("secrets"). It is not anticipated that a particular
named user would be authenticated by multiple methods. This would
make the user vulnerable to attacks which negotiate the least secure
method from among a set. Instead, for each named user there should
be an indication of exactly one method used to authenticate that user
name. If a user needs to make use of different authentication
methods under different circumstances, then distinct user names
SHOULD be employed, each of which identifies exactly one
authentication method.
Passwords and other secrets should be stored at the respective ends

such that access to them is as limited as possible. Ideally, the
secrets should only be accessible to the process requiring access in
order to perform the authentication.
The secrets should be distributed with a mechanism that limits the

number of entities that handle (and thus gain knowledge of) the
secret. Ideally, no unauthorized person should ever gain knowledge
of the secrets. It is possible to achieve this with SNMP Security
Protocols [14], but such a mechanism is outside the scope of this
specification.
Other distribution methods are currently undergoing research and

experimentation. The SNMP Security document [14] also has an
excellent overview of threats to network protocols.
The User-Password hiding mechanism described in Section 5.2 has not

been subjected to significant amounts of cryptanalysis in the
published literature. Some in the IETF community are concerned that
this method might not provide sufficient confidentiality protection
[15] to passwords transmitted using RADIUS. Users should evaluate
their threat environment and consider whether additional security
mechanisms should be employed.
9. Change Log
The following changes have been made from RFC 2138:
Strings should use UTF-8 instead of US-ASCII and should be handled as

8-bit data.
Integers and dates are now defined as 32 bit unsigned values.

Updated list of attributes that can be included in Access-Challenge

to be consistent with the table of attributes.
User-Name mentions Network Access Identifiers.
User-Name may now be sent in Access-Accept for use with accounting

and Rlogin.
Values added for Service-Type, Login-Service, Framed-Protocol,

Framed-Compression, and NAS-Port-Type.
NAS-Port can now use all 32 bits.
Examples now include hexadecimal displays of the packets.
Source UDP port must be used in conjunction with the Request

Identifier when identifying duplicates.
Multiple subattributes may be allowed in a Vendor-Specific attribute.
An Access-Request is now required to contain either a NAS-IP-Address

or NAS-Identifier (or may contain both).
Added notes under "Operations" with more information on proxy,

retransmissions, and keep-alives.
If multiple Attributes with the same Type are present, the order of
Attributes with the same Type MUST be preserved by any proxies.
Clarified Proxy-State.
Clarified that Attributes must not depend on position within the

packet, as long as Attributes of the same type are kept in order.
Added IANA Considerations section.
Updated section on "Proxy" under "Operations".
Framed-MTU can now be sent in Access-Request as a hint.
Updated Security Considerations.
Text strings identified as a subset of string, to clarify use of

UTF-8.

10. References
[1] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote

Authentication Dial In User Service (RADIUS)", RFC 2138, April
1997.
Levels", BCP 14, RFC 2119, March, 1997.
[3] Rivest, R. and S. Dusse, "The MD5 Message-Digest Algorithm",

RFC 1321, April 1992.
[4] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August
1980.
[5] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[6] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC

1700, October 1994.
[7] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC

2279, January 1998.
[8] Aboba, B. and M. Beadles, "The Network Access Identifier", RFC

2486, January 1999.
[9] Kaufman, C., Perlman, R., and Speciner, M., "Network Security:
Private Communications in a Public World", Prentice Hall, March
1995, ISBN 0-13-061466-1.
[10] Jacobson, V., "Compressing TCP/IP headers for low-speed serial

links", RFC 1144, February 1990.
[11] ISO 8859. International Standard -- Information Processing --

8-bit Single-Byte Coded Graphic Character Sets -- Part 1: Latin
Alphabet No. 1, ISO 8859-1:1987.
[12] Sklower, K., Lloyd, B., McGregor, G., Carr, D. and T.

Coradetti, "The PPP Multilink Protocol (MP)", RFC 1990, August
1996.
[13] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA

Considerations Section in RFCs", BCP 26, RFC 2434, October
1998.
[14] Galvin, J., McCloghrie, K. and J. Davin, "SNMP Security

Protocols", RFC 1352, July 1992.

[15] Dobbertin, H., "The Status of MD5 After a Recent Attack",

CryptoBytes Vol.2 No.2, Summer 1996.
11. Acknowledgements
RADIUS was originally developed by Steve Willens of Livingston

Enterprises for their PortMaster series of Network Access Servers.
12. Chair's Address
The working group can be contacted via the current chair:
Carl Rigney
Livingston Enterprises
4464 Willow Road
Pleasanton, California 94588
Phone: +1 925 737 2100

EMail: cdr@telemancy.com

13. Authors' Addresses
Questions about this memo can also be directed to:
Carl Rigney
4464 Willow Road
Phone: +1 925 737 2100

Allan C. Rubens
Merit Network, Inc.
4251 Plymouth Road
Ann Arbor, Michigan 48105-2785
EMail: acr@merit.edu
William Allen Simpson

Daydreamer
Computer Systems Consulting Services
1384 Fontaine
Madison Heights, Michigan 48071
EMail: wsimpson@greendragon.com
Steve Willens
4464 Willow Road
EMail: steve@livingston.com


English.

Acknowledgement

Internet Society.
Network Working Group C. Rigney

Request for Comments: 2866 Livingston
Category: Informational June 2000
Obsoletes: 2139
RADIUS Accounting
Status of this Memo
This memo provides information for the Internet community. It does

not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Abstract
This document describes a protocol for carrying accounting

information between a Network Access Server and a shared Accounting
Server.
Implementation Note
This memo documents the RADIUS Accounting protocol. The early

deployment of RADIUS Accounting was done using UDP port number 1646,
which conflicts with the "sa-msg-port" service. The officially
assigned port number for RADIUS Accounting is 1813.
Table of Contents
1. Introduction .................................... 2
1.1 Specification of Requirements ................. 3
1.2 Terminology ................................... 3
2. Operation ....................................... 4
2.1 Proxy ......................................... 4
3. Packet Format ................................... 5
4. Packet Types ................................... 7
4.1 Accounting-Request ............................ 8
4.2 Accounting-Response ........................... 9
5. Attributes ...................................... 10
5.1 Acct-Status-Type .............................. 12
5.2 Acct-Delay-Time ............................... 13
5.3 Acct-Input-Octets ............................. 14
5.4 Acct-Output-Octets ............................ 15
5.5 Acct-Session-Id ............................... 15
Rigney Informational [Page 1]

RFC 2866 RADIUS Accounting June 2000
5.6 Acct-Authentic ................................ 16

5.7 Acct-Session-Time ............................. 17
5.8 Acct-Input-Packets ............................ 18
5.9 Acct-Output-Packets ........................... 18
5.10 Acct-Terminate-Cause .......................... 19
5.11 Acct-Multi-Session-Id ......................... 21
5.12 Acct-Link-Count ............................... 22
5.13 Table of Attributes ........................... 23
6. IANA Considerations ............................. 25
7. Security Considerations ......................... 25
8. Change Log ...................................... 25
9. References ...................................... 26
10. Acknowledgements ................................ 26
11. Chair's Address ................................. 26
12. Author's Address ................................ 27
13. Full Copyright Statement ........................ 28
1. Introduction
Managing dispersed serial line and modem pools for large numbers of
users can create the need for significant administrative support.
Since modem pools are by definition a link to the outside world, they
require careful attention to security, authorization and accounting.
This can be best achieved by managing a single "database" of users,
which allows for authentication (verifying user name and password) as
well as configuration information detailing the type of service to
deliver to the user (for example, SLIP, PPP, telnet, rlogin).
The RADIUS (Remote Authentication Dial In User Service) document [2]

specifies the RADIUS protocol used for Authentication and
Authorization. This memo extends the use of the RADIUS protocol to
cover delivery of accounting information from the Network Access
Server (NAS) to a RADIUS accounting server.
This document obsoletes RFC 2139 [1]. A summary of the changes

between this document and RFC 2139 is available in the "Change Log"
appendix.
Key features of RADIUS Accounting are:
Client/Server Model
A Network Access Server (NAS) operates as a client of the

RADIUS accounting server. The client is responsible for
passing user accounting information to a designated RADIUS
accounting server.

The RADIUS accounting server is responsible for receiving the

accounting request and returning a response to the client
indicating that it has successfully received the request.
The RADIUS accounting server can act as a proxy client to

other kinds of accounting servers.
Network Security
Transactions between the client and RADIUS accounting server

are authenticated through the use of a shared secret, which is
never sent over the network.
Extensible Protocol
All transactions are comprised of variable length Attribute-

Length-Value 3-tuples. New attribute values can be added
without disturbing existing implementations of the protocol.
1.1. Specification of Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [3]. These
key words mean the same thing whether capitalized or not.
1.2. Terminology
This document uses the following terms:
service The NAS provides a service to the dial-in user, such as PPP
or Telnet.
session Each service provided by the NAS to a dial-in user

constitutes a session, with the beginning of the session
defined as the point where service is first provided and
the end of the session defined as the point where service
is ended. A user may have multiple sessions in parallel or
series if the NAS supports that, with each session
generating a separate start and stop accounting record with
its own Acct-Session-Id.
silently discard
This means the implementation discards the packet without
further processing. The implementation SHOULD provide the
capability of logging the error, including the contents of
the silently discarded packet, and SHOULD record the event
in a statistics counter.

2. Operation
When a client is configured to use RADIUS Accounting, at the start of

service delivery it will generate an Accounting Start packet
describing the type of service being delivered and the user it is
being delivered to, and will send that to the RADIUS Accounting
server, which will send back an acknowledgement that the packet has
been received. At the end of service delivery the client will
generate an Accounting Stop packet describing the type of service
that was delivered and optionally statistics such as elapsed time,
input and output octets, or input and output packets. It will send
that to the RADIUS Accounting server, which will send back an
acknowledgement that the packet has been received.
The Accounting-Request (whether for Start or Stop) is submitted to

the RADIUS accounting server via the network. It is recommended that
the client continue attempting to send the Accounting-Request packet
until it receives an acknowledgement, using some form of backoff. If
no response is returned within a length of time, the request is re-
sent a number of times. The client can also forward requests to an
alternate server or servers in the event that the primary server is
down or unreachable. An alternate server can be used either after a
number of tries to the primary server fail, or in a round-robin
fashion. Retry and fallback algorithms are the topic of current
research and are not specified in detail in this document.
The RADIUS accounting server MAY make requests of other servers in

order to satisfy the request, in which case it acts as a client.
If the RADIUS accounting server is unable to successfully record the

accounting packet it MUST NOT send an Accounting-Response
acknowledgment to the client.
2.1. Proxy
See the "RADIUS" RFC [2] for information on Proxy RADIUS. Proxy
Accounting RADIUS works the same way, as illustrated by the following
example.
1. The NAS sends an accounting-request to the forwarding server.
2. The forwarding server logs the accounting-request (if desired),

adds its Proxy-State (if desired) after any other Proxy-State
attributes, updates the Request Authenticator, and forwards the
request to the remote server.

3. The remote server logs the accounting-request (if desired),

copies all Proxy-State attributes in order and unmodified from
the request to the response packet, and sends the accounting-
response to the forwarding server.
4. The forwarding server strips the last Proxy-State (if it added

one in step 2), updates the Response Authenticator and sends
the accounting-response to the NAS.
A forwarding server MUST not modify existing Proxy-State or Class

attributes present in the packet.
A forwarding server may either perform its forwarding function in a

pass through manner, where it sends retransmissions on as soon as it
gets them, or it may take responsibility for retransmissions, for
example in cases where the network link between forwarding and remote
server has very different characteristics than the link between NAS
and forwarding server.
Extreme care should be used when implementing a proxy server that

takes responsibility for retransmissions so that its retransmission
policy is robust and scalable.
3. Packet Format
Exactly one RADIUS Accounting packet is encapsulated in the UDP Data

field [4], where the UDP Destination Port field indicates 1813
(decimal).
When a reply is generated, the source and destination ports are

reversed.
This memo documents the RADIUS Accounting protocol. The early

deployment of RADIUS Accounting was done using UDP port number 1646,
which conflicts with the "sa-msg-port" service. The officially
assigned port number for RADIUS Accounting is 1813.
A summary of the RADIUS data format is shown below. The fields are

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
Code
The Code field is one octet, and identifies the type of RADIUS
packet. When a packet is received with an invalid Code field, it
is silently discarded.
RADIUS Accounting Codes (decimal) are assigned as follows:
4 Accounting-Request
5 Accounting-Response
Identifier
The Identifier field is one octet, and aids in matching requests

and replies. The RADIUS server can detect a duplicate request if
it has the same client source IP address and source UDP port and
Identifier within a short span of time.
Length
The Length field is two octets. It indicates the length of the

packet including the Code, Identifier, Length, Authenticator and
Attribute fields. Octets outside the range of the Length field
MUST be treated as padding and ignored on reception. If the
packet is shorter than the Length field indicates, it MUST be
silently discarded. The minimum length is 20 and maximum length
is 4095.
Authenticator
The Authenticator field is sixteen (16) octets. The most

significant octet is transmitted first. This value is used to
authenticate the messages between the client and RADIUS accounting
server.

In Accounting-Request Packets, the Authenticator value is a 16

octet MD5 [5] checksum, called the Request Authenticator.
The NAS and RADIUS accounting server share a secret. The Request
Authenticator field in Accounting-Request packets contains a one-
way MD5 hash calculated over a stream of octets consisting of the
Code + Identifier + Length + 16 zero octets + request attributes +
shared secret (where + indicates concatenation). The 16 octet MD5
hash value is stored in the Authenticator field of the
Accounting-Request packet.
Note that the Request Authenticator of an Accounting-Request can

not be done the same way as the Request Authenticator of a RADIUS
Access-Request, because there is no User-Password attribute in an
Accounting-Request.
The Authenticator field in an Accounting-Response packet is called

the Response Authenticator, and contains a one-way MD5 hash
calculated over a stream of octets consisting of the Accounting-
Response Code, Identifier, Length, the Request Authenticator field
from the Accounting-Request packet being replied to, and the
response attributes if any, followed by the shared secret. The
resulting 16 octet MD5 hash value is stored in the Authenticator
field of the Accounting-Response packet.
Attributes
Attributes may have multiple instances, in such a case the order

of attributes of the same type SHOULD be preserved. The order of
attributes of different types is not required to be preserved.
4. Packet Types
The RADIUS packet type is determined by the Code field in the first
octet of the packet.

4.1. Accounting-Request
Description
Accounting-Request packets are sent from a client (typically a

Network Access Server or its proxy) to a RADIUS accounting server,
and convey information used to provide accounting for a service
provided to a user. The client transmits a RADIUS packet with the
Code field set to 4 (Accounting-Request).
Upon receipt of an Accounting-Request, the server MUST transmit an

Accounting-Response reply if it successfully records the
accounting packet, and MUST NOT transmit any reply if it fails to
record the accounting packet.
Any attribute valid in a RADIUS Access-Request or Access-Accept

packet is valid in a RADIUS Accounting-Request packet, except that
the following attributes MUST NOT be present in an Accounting-
Request: User-Password, CHAP-Password, Reply-Message, State.
Either NAS-IP-Address or NAS-Identifier MUST be present in a
RADIUS Accounting-Request. It SHOULD contain a NAS-Port or NAS-
Port-Type attribute or both unless the service does not involve a
port or the NAS does not distinguish among its ports.
If the Accounting-Request packet includes a Framed-IP-Address,

that attribute MUST contain the IP address of the user. If the
Access-Accept used the special values for Framed-IP-Address
telling the NAS to assign or negotiate an IP address for the user,
the Framed-IP-Address (if any) in the Accounting-Request MUST
contain the actual IP address assigned or negotiated.
A summary of the Accounting-Request packet format is shown below.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Request Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-

Code
4 for Accounting-Request.
Identifier
The Identifier field MUST be changed whenever the content of the

Attributes field changes, and whenever a valid reply has been
received for a previous request. For retransmissions where the
contents are identical, the Identifier MUST remain unchanged.
Note that if Acct-Delay-Time is included in the attributes of an

Accounting-Request then the Acct-Delay-Time value will be updated
when the packet is retransmitted, changing the content of the
Attributes field and requiring a new Identifier and Request
Authenticator.
The Request Authenticator of an Accounting-Request contains a 16-octet

MD5 hash value calculated according to the method described in
"Request Authenticator" above.
Attributes

Attributes.
4.2. Accounting-Response
Description
Accounting-Response packets are sent by the RADIUS accounting

server to the client to acknowledge that the Accounting-Request
has been received and recorded successfully. If the Accounting-
Request was recorded successfully then the RADIUS accounting
server MUST transmit a packet with the Code field set to 5
(Accounting-Response). On reception of an Accounting-Response by
the client, the Identifier field is matched with a pending
Accounting-Request. The Response Authenticator field MUST contain
the correct response for the pending Accounting-Request. Invalid
packets are silently discarded.
A RADIUS Accounting-Response is not required to have any

attributes in it.
A summary of the Accounting-Response packet format is shown below.


0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
Code
5 for Accounting-Response.
Identifier

Accounting-Request which caused this Accounting-Response.
The Response Authenticator of an Accounting-Response contains a

16-octet MD5 hash value calculated according to the method
described in "Response Authenticator" above.
Attributes

5. Attributes
RADIUS Attributes carry the specific authentication, authorization

and accounting details for the request and response.
Some attributes MAY be included more than once. The effect of this
is attribute specific, and is specified in each attribute
description.
The end of the list of attributes is indicated by the Length of the

RADIUS packet.
A summary of the attribute format is shown below. The fields are


0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
The Type field is one octet. Up-to-date values of the RADIUS Type
field are specified in the most recent "Assigned Numbers" RFC [6].
Values 192-223 are reserved for experimental use, values 224-240
are reserved for implementation-specific use, and values 241-255
are reserved and should not be used. This specification concerns
the following values:
1-39 (refer to RADIUS document [2])

40 Acct-Status-Type
41 Acct-Delay-Time
42 Acct-Input-Octets
43 Acct-Output-Octets
44 Acct-Session-Id
45 Acct-Authentic
46 Acct-Session-Time
47 Acct-Input-Packets
48 Acct-Output-Packets
49 Acct-Terminate-Cause
50 Acct-Multi-Session-Id
51 Acct-Link-Count
60+ (refer to RADIUS document [2])
Length
The Length field is one octet, and indicates the length of this
attribute including the Type, Length and Value fields. If an
attribute is received in an Accounting-Request with an invalid
Length, the entire request MUST be silently discarded.
Value
The Value field is zero or more octets and contains information

specific to the attribute. The format and length of the Value
field is determined by the Type and Length fields.
Note that none of the types in RADIUS terminate with a NUL (hex
00). In particular, types "text" and "string" in RADIUS do not
terminate with a NUL (hex 00). The Attribute has a length field
and does not use a terminator. Text contains UTF-8 encoded 10646

[7] characters and String contains 8-bit binary data. Servers and
servers and clients MUST be able to deal with embedded nulls.
RADIUS implementers using C are cautioned not to use strcpy() when
handling strings.
The format of the value field is one of five data types. Note
that type "text" is a subset of type "string."
text 1-253 octets containing UTF-8 encoded 10646 [7]

characters. Text of length zero (0) MUST NOT be sent;
omit the entire attribute instead.
string 1-253 octets containing binary data (values 0 through 255

decimal, inclusive). Strings of length zero (0) MUST NOT
be sent; omit the entire attribute instead.
address 32 bit value, most significant octet first.
integer 32 bit unsigned value, most significant octet first.
time 32 bit unsigned value, most significant octet first --

seconds since 00:00:00 UTC, January 1, 1970. The
standard Attributes do not use this data type but it is
presented here for possible use in future attributes.
5.1. Acct-Status-Type
Description
This attribute indicates whether this Accounting-Request marks the

beginning of the user service (Start) or the end (Stop).
It MAY be used by the client to mark the start of accounting (for

example, upon booting) by specifying Accounting-On and to mark the
end of accounting (for example, just before a scheduled reboot) by
specifying Accounting-Off.
A summary of the Acct-Status-Type attribute format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type
40 for Acct-Status-Type.
Length
Value
1 Start
2 Stop
3 Interim-Update
7 Accounting-On
8 Accounting-Off
9-14 Reserved for Tunnel Accounting
15 Reserved for Failed
5.2. Acct-Delay-Time
Description
This attribute indicates how many seconds the client has been
trying to send this record for, and can be subtracted from the
time of arrival on the server to find the approximate time of the
event generating this Accounting-Request. (Network transit time
is ignored.)
Note that changing the Acct-Delay-Time causes the Identifier to

change; see the discussion under Identifier above.
A summary of the Acct-Delay-Time attribute format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type
41 for Acct-Delay-Time.
Length
Value
5.3. Acct-Input-Octets
Description
This attribute indicates how many octets have been received from
the port over the course of this service being provided, and can
only be present in Accounting-Request records where the Acct-
Status-Type is set to Stop.
A summary of the Acct-Input-Octets attribute format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
42 for Acct-Input-Octets.
Length
Value

5.4. Acct-Output-Octets
Description
This attribute indicates how many octets have been sent to the
port in the course of delivering this service, and can only be
present in Accounting-Request records where the Acct-Status-Type
is set to Stop.
A summary of the Acct-Output-Octets attribute format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
43 for Acct-Output-Octets.
Length
Value
5.5. Acct-Session-Id
Description
This attribute is a unique Accounting ID to make it easy to match

start and stop records in a log file. The start and stop records
for a given session MUST have the same Acct-Session-Id. An
Accounting-Request packet MUST have an Acct-Session-Id. An
Access-Request packet MAY have an Acct-Session-Id; if it does,
then the NAS MUST use the same Acct-Session-Id in the Accounting-
Request packets for that session.
The Acct-Session-Id SHOULD contain UTF-8 encoded 10646 [7]

characters.

For example, one implementation uses a string with an 8-digit

upper case hexadecimal number, the first two digits increment on
each reboot (wrapping every 256 reboots) and the next 6 digits
counting from 0 for the first person logging in after a reboot up
to 2^24-1, about 16 million. Other encodings are possible.
A summary of the Acct-Session-Id attribute format is shown below.

0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
44 for Acct-Session-Id.
Length
>= 3
String
The String field SHOULD be a string of UTF-8 encoded 10646 [7]

characters.
5.6. Acct-Authentic
Description
This attribute MAY be included in an Accounting-Request to

indicate how the user was authenticated, whether by RADIUS, the
NAS itself, or another remote authentication protocol. Users who
are delivered service without being authenticated SHOULD NOT
generate Accounting records.
A summary of the Acct-Authentic attribute format is shown below. The

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type
45 for Acct-Authentic.
Length
Value
1 RADIUS
2 Local
3 Remote
5.7. Acct-Session-Time
Description
This attribute indicates how many seconds the user has received
service for, and can only be present in Accounting-Request records
where the Acct-Status-Type is set to Stop.
A summary of the Acct-Session-Time attribute format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
46 for Acct-Session-Time.
Length
Value

5.8. Acct-Input-Packets
Description
This attribute indicates how many packets have been received from
the port over the course of this service being provided to a
Framed User, and can only be present in Accounting-Request records
where the Acct-Status-Type is set to Stop.
A summary of the Acct-Input-packets attribute format is shown below.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
47 for Acct-Input-Packets.
Length
Value
5.9. Acct-Output-Packets
Description
This attribute indicates how many packets have been sent to the
port in the course of delivering this service to a Framed User,
and can only be present in Accounting-Request records where the
Acct-Status-Type is set to Stop.
A summary of the Acct-Output-Packets attribute format is shown below.


0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
48 for Acct-Output-Packets.
Length
Value
5.10. Acct-Terminate-Cause
Description
This attribute indicates how the session was terminated, and can
only be present in Accounting-Request records where the Acct-
Status-Type is set to Stop.
A summary of the Acct-Terminate-Cause attribute format is shown

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type
49 for Acct-Terminate-Cause
Length
Value
The Value field is four octets, containing an integer specifying

the cause of session termination, as follows:
1 User Request
2 Lost Carrier
3 Lost Service
4 Idle Timeout
5 Session Timeout
6 Admin Reset
7 Admin Reboot
8 Port Error
9 NAS Error
10 NAS Request
11 NAS Reboot
12 Port Unneeded
13 Port Preempted
14 Port Suspended
15 Service Unavailable
16 Callback
17 User Error
18 Host Request
The termination causes are as follows:
User Request User requested termination of service, for

example with LCP Terminate or by logging out.
Lost Carrier DCD was dropped on the port.
Lost Service Service can no longer be provided; for

example, user's connection to a host was
interrupted.
Idle Timeout Idle timer expired.
Session Timeout Maximum session length timer expired.
Admin Reset Administrator reset the port or session.

Admin Reboot Administrator is ending service on the NAS,

for example prior to rebooting the NAS.
Port Error NAS detected an error on the port which

required ending the session.
NAS Error NAS detected some error (other than on the

port) which required ending the session.
NAS Request NAS ended session for a non-error reason not

otherwise listed here.
NAS Reboot The NAS ended the session in order to reboot

non-administratively ("crash").
Port Unneeded NAS ended session because resource usage fell

below low-water mark (for example, if a
bandwidth-on-demand algorithm decided that
the port was no longer needed).
Port Preempted NAS ended session in order to allocate the

port to a higher priority use.
Port Suspended NAS ended session to suspend a virtual

session.
Service Unavailable NAS was unable to provide requested service.
Callback NAS is terminating current session in order

to perform callback for a new session.
User Error Input from user is in error, causing

termination of session.
Host Request Login Host terminated session normally.
5.11. Acct-Multi-Session-Id
Description
This attribute is a unique Accounting ID to make it easy to link

together multiple related sessions in a log file. Each session
linked together would have a unique Acct-Session-Id but the same
Acct-Multi-Session-Id. It is strongly recommended that the Acct-
Multi-Session-Id contain UTF-8 encoded 10646 [7] characters.
A summary of the Acct-Session-Id attribute format is shown below.


0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
50 for Acct-Multi-Session-Id.
Length
>= 3
String
The String field SHOULD contain UTF-8 encoded 10646 [7] characters.
5.12. Acct-Link-Count
Description
This attribute gives the count of links which are known to have been
in a given multilink session at the time the accounting record is
generated. The NAS MAY include the Acct-Link-Count attribute in any
Accounting-Request which might have multiple links.
A summary of the Acct-Link-Count attribute format is show below. The

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type
51 for Acct-Link-Count.
Length
Value
The Value field is four octets, and contains the number of links
seen so far in this Multilink Session.
It may be used to make it easier for an accounting server to know

when it has all the records for a given Multilink session. When
the number of Accounting-Requests received with Acct-Status-Type =
Stop and the same Acct-Multi-Session-Id and unique Acct-Session-
Id's equals the largest value of Acct-Link-Count seen in those
Accounting-Requests, all Stop Accounting-Requests for that
Multilink Session have been received.
An example showing 8 Accounting-Requests should make things

clearer. For clarity only the relevant attributes are shown, but
additional attributes containing accounting information will also
be present in the Accounting-Request.
Multi-Session-Id Session-Id Status-Type Link-Count

"10" "10" Start 1
"10" "11" Start 2
"10" "11" Stop 2
"10" "12" Start 3
"10" "13" Start 4
"10" "12" Stop 4
"10" "13" Stop 4
"10" "10" Stop 4
5.13. Table of Attributes
The following table provides a guide to which attributes may be found

in Accounting-Request packets. No attributes should be found in
Accounting-Response packets except Proxy-State and possibly Vendor-
Specific.
# Attribute
0-1 User-Name
0 User-Password
0 CHAP-Password

0-1 NAS-IP-Address [Note 1]

0-1 NAS-Port
0-1 Service-Type
0-1 Framed-Protocol
0-1 Framed-IP-Address
0-1 Framed-IP-Netmask
0-1 Framed-Routing
0+ Filter-Id
0-1 Framed-MTU
0+ Framed-Compression
0+ Login-IP-Host
0-1 Login-Service
0-1 Login-TCP-Port
0 Reply-Message
0-1 Callback-Number
0-1 Callback-Id
0+ Framed-Route
0-1 Framed-IPX-Network
0 State
0+ Class
0+ Vendor-Specific
0-1 Session-Timeout
0-1 Idle-Timeout
0-1 Termination-Action
0-1 Called-Station-Id
0-1 Calling-Station-Id
0-1 NAS-Identifier [Note 1]
0+ Proxy-State
0-1 Login-LAT-Service
0-1 Login-LAT-Node
0-1 Login-LAT-Group
0-1 Framed-AppleTalk-Link
0-1 Framed-AppleTalk-Network
0-1 Framed-AppleTalk-Zone
1 Acct-Status-Type
0-1 Acct-Delay-Time
0-1 Acct-Input-Octets
0-1 Acct-Output-Octets
1 Acct-Session-Id
0-1 Acct-Authentic
0-1 Acct-Session-Time
0-1 Acct-Input-Packets
0-1 Acct-Output-Packets
0-1 Acct-Terminate-Cause
0+ Acct-Multi-Session-Id
0+ Acct-Link-Count
0 CHAP-Challenge

0-1 NAS-Port-Type
0-1 Port-Limit
0-1 Login-LAT-Port
[Note 1] An Accounting-Request MUST contain either a NAS-IP-Address

or a NAS-Identifier (or both).
The following table defines the above table entries.
0 This attribute MUST NOT be present

0+ Zero or more instances of this attribute MAY be present.
0-1 Zero or one instance of this attribute MAY be present.
1 Exactly one instance of this attribute MUST be present.
6. IANA Considerations
The Packet Type Codes, Attribute Types, and Attribute Values defined
in this document are registered by the Internet Assigned Numbers
Authority (IANA) from the RADIUS name spaces as described in the
"IANA Considerations" section of RFC 2865 [2], in accordance with BCP
26 [8].
Security issues are discussed in sections concerning the

authenticator included in accounting requests and responses, using a
shared secret which is never sent over the network.
8. Change Log
US-ASCII replaced by UTF-8.
Added notes on Proxy.
Framed-IP-Address should contain the actual IP address of the user.
If Acct-Session-ID was sent in an access-request, it must be used in

the accounting-request for that session.
New values added to Acct-Status-Type.
Added an IANA Considerations section.
Updated references.
Text strings identified as a subset of string, to clarify use of

UTF-8.

9. References
[1] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997.
[2] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote

Authentication Dial In User Service (RADIUS)", RFC 2865, June
2000.
Levels", BCP 14, RFC 2119, March, 1997.
[4] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August
1980.
[5] Rivest, R. and S. Dusse, "The MD5 Message-Digest Algorithm", RFC

1321, April 1992.
[6] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC 1700,

October 1994.
[7] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC

2279, January 1998.
[8] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA

Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
10. Acknowledgements
RADIUS and RADIUS Accounting were originally developed by Steve

Willens of Livingston Enterprises for their PortMaster series of
Network Access Servers.
11. Chair's Address
The RADIUS working group can be contacted via the current chair:
Carl Rigney
4464 Willow Road
Phone: +1 925 737 2100


12. Author's Address
Questions about this memo can also be directed to:
Carl Rigney
4464 Willow Road


English.

Acknowledgement

Internet Society.
Network Working Group D. Nelson

Request for Comments: 5080 Elbrys Networks, Inc
Updates: 2865, 2866, 2869, 3579 A. DeKok
Category: Standards Track FreeRADIUS
December 2007
Common Remote Authentication Dial In User Service (RADIUS)

Implementation Issues and Suggested Fixes
Status of This Memo

Abstract
This document describes common issues seen in Remote Authentication

Dial In User Service (RADIUS) implementations and suggests some
fixes. Where applicable, ambiguities and errors in previous RADIUS
specifications are clarified.
Nelson & DeKok Standards Track [Page 1]
RFC 5080 RADIUS Issues & Fixes December 2007
Table of Contents
1. Introduction ....................................................2
1.1. Terminology ................................................3
1.2. Requirements Language ......................................3
2. Issues ..........................................................3
2.1. Session Definition .........................................3
2.1.1. State Attribute .....................................3
2.1.2. Request-ID Supplementation ..........................6
2.2. Overload Conditions ........................................7
2.2.1. Retransmission Behavior .............................7
2.2.2. Duplicate Detection and Orderly Delivery ...........10
2.2.3. Server Response to Overload ........................11
2.3. Accounting Issues .........................................12
2.3.1. Attributes Allowed in an Interim Update ............12
2.3.2. Acct-Session-Id and Acct-Multi-Session-Id ..........12
2.3.3. Request Authenticator ..............................13
2.3.4. Interim-Accounting-Interval ........................13
2.3.5. Counter Values in the RADIUS Management
Information Base (MIB) .............................14
2.4. Multiple Filter-ID Attributes .............................15
2.5. Mandatory and Optional Attributes .........................16
2.6. Interpretation of Access-Reject ...........................18
2.6.1. Improper Use of Access-Reject ......................18
2.6.2. Service Request Denial .............................19
2.7. Addressing ................................................20
2.7.1. Link-Local Addresses ...............................20
2.7.2. Multiple Addresses .................................20
2.8. Idle-Timeout ..............................................21
2.9. Unknown Identity ..........................................21
2.10. Responses After Retransmissions ..........................22
2.11. Framed-IPv6-Prefix .......................................23
3. Security Considerations ........................................24
4. References .....................................................25
4.1. Normative References ......................................25
4.2. Informative References ....................................25
1. Introduction
The last few years have seen an increase in the deployment of RADIUS
clients and servers. This document describes common issues seen in
RADIUS implementations and suggests some fixes. Where applicable,
ambiguities and errors in previous RADIUS specifications are
clarified.

1.1. Terminology
This document uses the following terms:
Network Access Server (NAS)

The device providing access to the network. Also known as the
Authenticator in IEEE 802.1X or Extensible Authentication Protocol
(EAP) terminology, or RADIUS client.
service
The NAS provides a service to the user, such as network access via
802.11 or Point to Point Protocol (PPP).
session
Each service provided by the NAS to a peer constitutes a session,
with the beginning of the session defined as the point where
service is first provided, and the end of the session is defined
as the point where service is ended. A peer may have multiple
sessions in parallel or series if the NAS supports that, with each
session generating a separate start and stop accounting record.
silently discard
This means the implementation discards the packet without further
processing. The implementation SHOULD provide the capability of
logging the error, including the contents of the silently
discarded packet, and SHOULD record the event in a statistics
counter.
1.2. Requirements Language
In this document, several words are used to signify the requirements

of the specification. The key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as described in
[RFC2119].
2. Issues
2.1. Session Definition
2.1.1. State Attribute
Regarding the State attribute, [RFC2865] Section 5.24 states:

in an Access-Challenge and MUST be sent unmodified from the client
to the server in the new Access-Request reply to that challenge,
if any.


in an Access-Accept that also includes a Termination-Action
Attribute with the value of RADIUS-Request. If the NAS performs
the Termination-Action by sending a new Access-Request upon
termination of the current session, it MUST include the State
attribute unchanged in that Access-Request.
Some RADIUS client implementations do not properly use the State

attribute in order to distinguish a restarted EAP authentication
process from the continuation of an ongoing process (by the same user
on the same NAS and port). Where an EAP-Message attribute is
included in an Access-Challenge or Access-Accept attribute, RADIUS
servers SHOULD also include a State attribute. See Section 2.1.2 on
Request ID supplementation for additional benefits to using the State
attribute in this fashion.
As defined in [RFC2865] Table 5.44, Access-Request packets may

contain a State attribute. The table does not qualify this
statement, while the text in Section 5.24 (quoted above) adds other
requirements not specified in that table.
We extend the requirements of [RFC2865] to say that Access-Requests

that are part of an ongoing Access-Request / Access-Challenge
authentication process SHOULD contain a State attribute. It is the
responsibility of the server, to send a State attribute in an
Access-Challenge packet, if that server needs a State attribute in a
subsequent Access-Request to tie multiple Access-Requests together
into one authentication session. As defined in [RFC2865] Section
5.24, the State MUST be sent unmodified from the client to the server
in the new Access-Request reply to that challenge, if any.
While most server implementations require the presence of a State

attribute in an Access-Challenge packet, some challenge-response
systems can distinguish the initial request from the response to the
challenge without using a State attribute to track an authentication
session. The Access-Challenge and subsequent Access-Request packets
for those systems do not need to contain a State attribute.
Other authentication mechanisms need to tie a sequence of Access-

Request / Access-Challenge packets together into one ongoing
authentication session. Servers implementing those authentication
mechanisms SHOULD include a State attribute in Access-Challenge
packets.
In general, if the authentication process involves one or more

Access-Request / Access-Challenge sequences, the State attribute
SHOULD be sent by the server in the Access-Challenge packets. Using
the State attribute to create a multi-packet session is the simplest

method available in RADIUS today. While other methods of creating

multi-packet sessions are possible (e.g., [RFC3579] Section 2.6.1),
those methods are NOT RECOMMENDED.
The only permissible values for a State attribute are values provided
in an Access-Accept, Access-Challenge, CoA-Request or Disconnect-
Request packet. A RADIUS client MUST use only those values for the
State attribute that it has previously received from a server. An
Access-Request sent as a result of a new or restarted authentication
run MUST NOT include the State attribute, even if a State attribute
has previously been received in an Access-Challenge for the same user
and port.
Access-Request packets that contain a Service-Type attribute with the

value Authorize Only (17) MUST contain a State attribute. Access-
Request packets that contain a Service-Type attribute with value Call
Check (10) SHOULD NOT contain a State attribute. Any other Access-
Request packet that performs authorization checks MUST contain a
State attribute. This last requirement often means that an Access-
Accept needs to contain a State attribute, which can then be used in
a later Access-Request that performs authorization checks.
The standard use case for Call Check is pre-screening authentication

based solely on the end-point identifier information, such as phone
number or Media Access Control (MAC) address in Calling-Station-ID
and optionally Called-Station-ID. In this use case, the NAS has no
way to obtain a State attribute suitable for inclusion in an Access-
Request. Other, non-standard, uses of Call Check may require or
permit the use of a State attribute, but are beyond the scope of this
document.
In an Access-Request with a Service-Type Attribute with value Call

Check, it is NOT RECOMMENDED for the User-Name and User-Password
attributes to contain the same values (e.g., a MAC address).
Implementing MAC address checking without using a Service-Type of
Call Check is NOT RECOMMENDED. This practice gives an attacker both
the clear-text and cipher-text of the User-Password field, which
permits many attacks on the security of the RADIUS protocol. For
example, if the Request Authenticator does not satisfy the [RFC2865]
requirements on global and temporal uniqueness, the practice
described above may lead to the compromise of the User-Password
attribute in other Access-Requests for unrelated users. Access to
the cipher-text enables offline dictionary attacks, potentially
exposing the shared secret and compromising the entire RADIUS
protocol.

Any Access-Request packet that performs authorization checks,

including Call Check, SHOULD contain a Message-Authenticator
attribute. Any response to an Access-Request performing an
authorization check MUST NOT contain confidential information about
any user (such as Tunnel-Password), unless that Access-Request
contains a State attribute. The use of State here permits the
authorization check to be tied to an earlier user authentication. In
that case, the server MAY respond to the NAS with confidential
information about that user. The server MUST NOT respond to that
authorization check with confidential information about any other
user.
For an Access-Request packet performing an authorization check that

does not contain a State attribute, the server MUST respond with an
Access-Reject.
2.1.2. Request-ID Supplementation
[RFC3579] Section 2.6.1 states:
In EAP, each session has its own unique Identifier space. RADIUS
server implementations MUST be able to distinguish between EAP
packets with the same Identifier existing within distinct
sessions, originating on the same NAS. For this purpose, sessions
can be distinguished based on NAS and session identification
attributes. NAS identification attributes include NAS-Identifier,
NAS-IPv6-Address and NAS-IPv4-Address. Session identification
attributes include User-Name, NAS-Port, NAS-Port-Type, NAS-Port-
Id, Called-Station-Id, Calling-Station-Id and Originating-Line-
Info.
There are issues with the suggested algorithm. Since proxies may
modify Access-Request attributes such as NAS-IP-Address, depending on
any attribute under control of the NAS to distinguish request
identifiers can result in deployment problems.
The FreeRADIUS implementation does not track EAP identifiers by NAS-

IP-Address or other non-EAP attributes sent by the NAS. Instead, it
uses the EAP identifier, source Internet Protocol (IP) address, and
the State attribute as a "key" to uniquely identify each EAP session.
Since the State attribute is under the control of the RADIUS server,
the uniqueness of each session is controlled by the server, not the
NAS. The algorithm used in FreeRADIUS is as follows:

if (EAP start, or EAP identity) {

allocate unique State Attribute
insert session into "active session" table with
key=(EAP identifier, State, source IP)
} else {
look up active session in table, with above key
}
This algorithm appears to work well in a variety of situations,

including situations where home servers receive messages via
intermediate RADIUS proxies.
Implementations that do not use this algorithm are often restricted

to having an EAP Identifier space per NAS, or perhaps one that is
global to the implementation. These restrictions are unnecessary
when the above algorithm is used, which gives each session a unique
EAP Identifier space. The above algorithm SHOULD be used to track
EAP sessions in preference to any other method.
2.2. Overload Conditions
2.2.1. Retransmission Behavior
[RFC2865] Section 2.4 describes the retransmission requirements for

RADIUS clients:
At one extreme, RADIUS does not require a "responsive" detection

of lost data. The user is willing to wait several seconds for the
authentication to complete. The generally aggressive Transmission
Control Protocol (TCP) retransmission (based on average round trip
time) is not required, nor is the acknowledgment overhead of TCP.
At the other extreme, the user is not willing to wait several

minutes for authentication. Therefore the reliable delivery of
TCP data two minutes later is not useful. The faster use of an
alternate server allows the user to gain access before giving up.
Some existing RADIUS clients implement excessively aggressive

retransmission behavior, utilizing default retransmission timeouts of
one second or less without support for congestive backoff. When
deployed at a large scale, these implementations are susceptible to
congestive collapse. For example, as the result of a power failure,
a network with 3,000 NAS devices with a fixed retransmission timer of
one second will continuously generate 3,000 RADIUS Access-Requests
per second. This is sufficient to overwhelm most RADIUS servers.

Suggested solutions include:
[a] Jitter. To avoid synchronization, a RADIUS client SHOULD

incorporate induced jitter within its retransmission
algorithm, as specified below.
[b] Congestive backoff. While it is not necessary for RADIUS

client implementations to implement complex retransmission
algorithms, implementations SHOULD support congestive
backoff.
RADIUS retransmission timers are based on the model used in Dynamic

Host Configuration Protocol for IPv6 (DHCPv6) [RFC3315]. Variables
used here are also borrowed from this specification. RADIUS is a
request/response-based protocol. The message exchange terminates
when the requester successfully receives the answer, or the message
exchange is considered to have failed according to the RECOMMENDED
retransmission mechanism described below. Other retransmission
mechanisms are possible, as long as they satisfy the requirements on
jitter and congestive backoff.
The following algorithms apply to any client that originates RADIUS

packets, including but not limited to Access-Request, Accounting-
Request, Disconnect-Request, and CoA-Request [RFC3576].
The retransmission behavior is controlled and described by the

following variables:
RT Retransmission timeout
IRT Initial retransmission time (default 2 seconds)
MRC Maximum retransmission count (default 5 attempts)
MRT Maximum retransmission time (default 16 seconds)
MRD Maximum retransmission duration (default 30 seconds)
RAND Randomization factor
With each message transmission or retransmission, the sender sets RT

according to the rules given below. If RT expires before the message
exchange terminates, the sender re-computes RT and retransmits the
message.

Each of the computations of a new RT include a randomization factor

(RAND), which is a random number chosen with a uniform distribution
between -0.1 and +0.1. The randomization factor is included to
minimize the synchronization of messages.
The algorithm for choosing a random number does not need to be

cryptographically sound. The algorithm SHOULD produce a different
sequence of random numbers from each invocation.
RT for the first message transmission is based on IRT:
RT = IRT + RAND*IRT
RT for each subsequent message retransmission is based on the

previous value of RT:
RT = 2*RTprev + RAND*RTprev
MRT specifies an upper bound on the value of RT (disregarding the

randomization added by the use of RAND). If MRT has a value of 0,
there is no upper limit on the value of RT. Otherwise:
if (RT > MRT)

RT = MRT + RAND*MRT
MRD specifies an upper bound on the length of time a sender may

retransmit a message. The message exchange fails once MRD seconds
have elapsed since the client first transmitted the message. MRD
MUST be set, and SHOULD have a value between 5 and 30 seconds. These
values mirror the values for a server's duplicate detection cache, as
described in the next section.
MRC specifies an upper bound on the number of times a sender may

retransmit a message. If MRC is zero, the message exchange fails
once MRD seconds have elapsed since the client first transmitted the
message. If MRC is non-zero, the message exchange fails when either
the sender has transmitted the message MRC times, or when MRD seconds
have elapsed since the client first transmitted the message.
For Accounting-Request packets, the default values for MRC, MRD, and
MRT SHOULD be zero. These settings will enable a RADIUS client to
continue sending accounting requests to a RADIUS server until the
request is acknowledged. If any of MRC, MRD, or MRT are non-zero,
then the accounting information could potentially be discarded
without being recorded.

2.2.2. Duplicate Detection and Orderly Delivery
When packets are retransmitted by a client, the server may receive

duplicate requests. The limitations of the transport protocol used
by RADIUS, the User Datagram Protocol (UDP), means that the Access-
Request packets may be received, and potentially processed, in an
order different from the order in which the packets were sent.
However, the discussion of the Identifier field in Section 3 of
[RFC2865] says:
The RADIUS server can detect a duplicate request if it has the

same client source IP address and source UDP port and Identifier
within a short span of time.
Also, Section 7 of [RFC4669] defines a

radiusAuthServDupAccessRequests object as:
The number of duplicate Access-Request packets received.
This text has a number of implications. First, without duplicate

detection, a RADIUS server may process an authentication request
twice, leading to an erroneous conclusion that a user has logged in
twice. That behavior is undesirable, so duplicate detection is
desirable. Second, the server may track not only the duplicate
request, but also the replies to those requests. This behavior
permits the server to send duplicate replies in response to duplicate
requests, increasing network stability.
Since Access-Request packets may also be sent by the client in

response to an Access-Challenge from the server, those packets form a
logically ordered stream, and, therefore have additional ordering
requirements over Access-Request packets for different sessions.
Implementing duplicate detection results in new packets being
processed only once, ensuring order.
RADIUS servers MUST therefore implement duplicate detection for

Access-Request packets, as described in Section 3 of [RFC2865].
Implementations MUST also cache the Responses (Access-Accept,
Access-Challenge, or Access-Reject) that they send in response to
Access-Request packets. If a server receives a valid duplicate
Access-Request for which it has already sent a Response, it MUST
resend its original Response without reprocessing the request. The
server MUST silently discard any duplicate Access-Requests for which
a Response has not yet been sent.

Each cache entry SHOULD be purged after a period of time. This time
SHOULD be no less than 5 seconds, and no more than 30 seconds. After
about 30 seconds, most RADIUS clients and end users will have given
up on the authentication request. Therefore, there is little value
in having a larger cache timeout.
Cache entries MUST also be purged if the server receives a valid

Access-Request packet that matches a cached Access-Request packet in
source address, source port, RADIUS Identifier, and receiving socket,
but where the Request Authenticator field is different from the one
in the cached packet. If the request contains a Message-
Authenticator attribute, the request MUST be processed as described
in [RFC3580] Section 3.2. Packets with invalid Message-
Authenticators MUST NOT affect the cache in any way.
However, Access-Request packets not containing a Message-

Authenticator attribute always affect the cache, even though they may
be trivially forged. To avoid this issue, server implementations may
be configured to require the presence of a Message-Authenticator
attribute in Access-Request packets. Requests not containing a
Message-Authenticator attribute MAY then be silently discarded.
Client implementations SHOULD include a Message-Authenticator

attribute in every Access-Request to further help mitigate this
issue.
When sending requests, RADIUS clients MUST NOT reuse Identifiers for
a source IP address and source UDP port until either a valid response
has been received, or the request has timed out. Clients SHOULD
allocate Identifiers via a least-recently-used (LRU) method for a
particular source IP address and source UDP port.
RADIUS clients do not have to perform duplicate detection. When a

client sends a request, it processes the first response that has a
valid Response Authenticator as defined in [RFC2865] Section 3. Any
later responses MUST be silently discarded, as they do not match a
pending request. That is, later responses are treated exactly the
same as unsolicited responses, and are silently discarded.
2.2.3. Server Response to Overload
Some RADIUS server implementations are not robust in response to

overload, dropping packets with even probability across multiple
sessions. In an overload situation, this results in a high failure
rate for multi-round authentication protocols such as EAP [RFC3579].
Typically, users will continually retry in an attempt to gain access,
increasing the load even further.

A more sensible approach is for a RADIUS server to preferentially

accept RADIUS Access-Request packets containing a valid State
attribute, so that multi-round authentication conversations, once
begun, will be more likely to succeed. Similarly, a server that is
proxying requests should preferentially process Access-Accept,
Access-Challenge, or Access-Reject packets from home servers before
processing new requests from a NAS.
These methods will allow some users to gain access to the network,
reducing the load created by ongoing access attempts.
2.3. Accounting Issues
2.3.1. Attributes Allowed in an Interim Update
[RFC2866] indicates that Acct-Input-Octets, Acct-Output-Octets,

Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets and Acct-
Terminate-Cause attributes "can only be present in Accounting-Request
records where the Acct-Status-Type is set to Stop".
However [RFC2869] Section 2.1 states:
It is envisioned that an Interim Accounting record (with Acct-

Status-Type = Interim-Update (3)) would contain all of the
attributes normally found in an Accounting Stop message with the
exception of the Acct-Term-Cause attribute.
Although [RFC2869] does not indicate that it updates [RFC2866], this

is an oversight, and the above attributes are allowable in an Interim
Accounting record.
2.3.2. Acct-Session-Id and Acct-Multi-Session-Id
[RFC2866] Section 5.5 describes Acct-Session-Id as Text within the

figure summarizing the attribute format, but then goes on to state
that "The String field SHOULD be a string of UTF-8 encoded 10646
characters".
[RFC2865] defines the Text type as "containing UTF-8 encoded 10646

characters", which is compatible with the description of Acct-
Session-Id. Since other attributes are consistently described as
"Text" within both the figure summarizing the attribute format, and
the following attribute definition, it appears that this is a
typographical error, and that Acct-Session-Id is of type Text, and
not of type String.

The definition of the Acct-Multi-Session-Id attribute also has

typographical errors. It says:
A summary of the Acct-Session-Id attribute format ...
This text should read:
A summary of the Acct-Multi-Session-Id attribute format ...
The Acct-Multi-Session-Id attribute is also defined as being of type

String. However, the language in the text strongly recommends that
implementors consider the attribute as being of type Text. It is
unclear why the type String was chosen for this attribute when the
type Text would be sufficient. This attribute SHOULD be treated as
Text.
2.3.3. Request Authenticator
[RFC2866] Section 4.1 states:
The Request Authenticator of an Accounting-Request contains a 16-

octet MD5 hash value calculated according to the method described
in "Request Authenticator" above.
However, the text does not indicate any action to take when an
Accounting-Request packet contains an invalid Request Authenticator.
The following text should be considered to be part of the above
description:
The Request Authenticator field MUST contain the correct data, as

given by the above calculation. Invalid packets are silently
discarded. Note that some early implementations always set the
Request Authenticator to all zeros. New implementations of RADIUS
clients MUST use the above algorithm to calculate the Request
Authenticator field. New RADIUS server implementations MUST
silently discard invalid packets.
2.3.4. Interim-Accounting-Interval
It is also possible to statically configure an interim value on

the NAS itself. Note that a locally configured value on the NAS
MUST override the value found in an Access-Accept.
This requirement may be phrased too strongly. It is conceivable that

a NAS implementation has a setting for a "minimum" value of Interim-
Accounting-Interval, based on resource constraints in the NAS, and

network loading in the local environment of the NAS. In such cases,

the value administratively provisioned in the NAS should not be
over-ridden by a smaller value from an Access-Accept message. The
NAS's value could be over-ridden by a larger one, however. The
intent is that the NAS sends accounting information at fixed
intervals that are short enough so that the potential loss of
billable revenue is limited, but also that the accounting updates are
infrequent enough so that the NAS, network, and RADIUS server are not
overloaded.
2.3.5. Counter Values in the RADIUS Management Information Base (MIB)
The RADIUS Authentication and Authorization Client MIB module

([RFC2618] [RFC4668]) includes counters of packet statistics. In the
descriptive text of the MIB module, formulas are provided for certain
counter objects. Implementors have noted apparent inconsistencies in
the formulas that could result in negative values.
Since the original MIB module specified in [RFC2618] had been widely
implemented, the RADEXT WG chose not to change the object definitions
or to create new ones within the revised MIB module [RFC4668].
However, this section explains the issues and provides guidance for
implementors regarding the interpretation of the textual description
and comments for certain MIB objects.
The issues raised can be summarized as follows:
Issue (1):
-- TotalIncomingPackets = Accepts + Rejects + Challenges +

UnknownTypes
--
-- TotalIncomingPackets - MalformedResponses - BadAuthenticators -
-- UnknownTypes - PacketsDropped = Successfully received
--
-- AccessRequests + PendingRequests + ClientTimeouts =
-- Successfully Received
It appears that the value of "Successfully Received" could be

negative, since various counters are subtracted from
TotalIncomingPackets that are not included in the calculation of
TotalIncomingPackets.
It also appears that "AccessRequests + PendingRequests +

ClientTimeouts = Successfully Received" should read "AccessRequests +
PendingRequests + ClientTimeouts = Successfully Transmitted".

"TotalIncomingPackets" and "Successfully Received" are temporary

variables, i.e., not objects within the MIB module. The comment text
in the MIB modules is intended, therefore, to aid in understanding.
What's of consequence is the consistency of values of the objects in
the MIB module, and that does not appear to be impacted by the
inconsistencies noted above. It does appear, however, that the
"Successfully Received" variable should be labeled "Successfully
Transmitted".
In addition, the definition of Accept, Reject or Challenge counters

indicates that they MUST be incremented before the message is
validated. If the message is invalid, one of MalformedResponses,
BadAuthenticators, or PacketsDropped counters will be additionally
incremented. In that case, the first two equations are consistent,
i.e., "Successfully Received" could not be negative.
Issue (2):
It appears that the radiusAuthClientPendingRequests counter is

decremented upon retransmission. That would mean a retransmitted
packet is not considered as being pending, although such
retransmissions can still be considered as being pending requests.
The definition of this MIB object in [RFC2618] is as follows:
The number of RADIUS Access-Request packets destined for this

server that have not yet timed out or received a response. This
variable is incremented when an Access-Request is sent and
decremented due to receipt of an Access-Accept, Access-Reject or
Access-Challenge, a timeout or retransmission.
This object purports to count the number of pending request packets.

It is open to interpretation whether or not retransmissions of a
request are to be counted as additional pending packets. In either
event, it seems appropriate to treat retransmissions consistently
with respect to incrementing and decrementing this counter.
2.4. Multiple Filter-ID Attributes
Zero or more Filter-Id attributes MAY be sent in an Access-Accept

packet.

In practice, the behavior of a RADIUS client receiving multiple

Filter-ID attributes is implementation dependent. For example, some
implementations treat multiple instances of the Filter-ID attribute
as alternative filters; the first Filter-ID attribute having a name
matching a locally defined filter is used, and the remaining ones are
discarded. Other implementations may combine matching filters.
As a result, the interpretation of multiple Filter-ID attributes is

undefined within RADIUS. The sending of multiple Filter-ID
attributes within an Access-Accept SHOULD be avoided within
heterogeneous deployments and roaming scenarios, where it is likely
to produce unpredictable results.
2.5. Mandatory and Optional Attributes
RADIUS attributes do not explicitly state whether they are optional

or mandatory. Nevertheless, there are instances where RADIUS
attributes need to be treated as mandatory.
A NAS that does not implement a given service MUST NOT implement
the RADIUS attributes for that service. For example, a NAS that
is unable to offer Apple Remote Access Protocol (ARAP) service
MUST NOT implement the RADIUS attributes for ARAP. A NAS MUST
treat a RADIUS access-accept authorizing an unavailable service as
an access-reject instead.
With respect to the Service-Type attribute, [RFC2865] Section 5.6

says:
This Attribute indicates the type of service the user has

requested, or the type of service to be provided. It MAY be used
in both Access-Request and Access-Accept packets. A NAS is not
required to implement all of these service types, and MUST treat
unknown or unsupported Service-Types as though an Access-Reject
had been received instead.
[RFC2865] Section 5 states:
A RADIUS server MAY ignore Attributes with an unknown Type.
A RADIUS client MAY ignore Attributes with an unknown Type.

With respect to Vendor-Specific Attributes (VSAs), [RFC2865] Section

5.26 states:
Servers not equipped to interpret the vendor-specific information

sent by a client MUST ignore it (although it may be reported).
Clients which do not receive desired vendor-specific information
SHOULD make an attempt to operate without it, although they may do
so (and report they are doing so) in a degraded mode.
It is possible for either a standard attribute or a VSA to represent

a request for an unavailable service. However, where the Type,
Vendor-ID, or Vendor-Type is unknown, a RADIUS client will not know
whether or not the attribute defines a service.
In general, it is best for a RADIUS client to err on the side of

caution. On receiving an Access-Accept including an attribute of
known Type for an unimplemented service, a RADIUS client MUST treat
it as an Access-Reject, as directed in [RFC2865] Section 1.1. On
receiving an Access-Accept including an attribute of unknown Type, a
RADIUS client SHOULD assume that it is a potential service
definition, and treat it as an Access-Reject. Unknown VSAs SHOULD be
ignored by RADIUS clients.
In order to avoid introducing changes in default behavior, existing

implementations that do not obey this recommendation should make the
behavior configurable, with the legacy behavior being enabled by
default. A configuration flag such as "treat unknown attributes as
reject" can be exposed to the system administrator. If the flag is
set to true, then Access-Accepts containing unknown attributes are
treated as Access-Rejects. If the flag is set to false, then unknown
attributes in Access-Accepts are silently ignored.
On receiving a packet including an attribute of unknown Type, RADIUS

authentication server implementations SHOULD ignore such attributes.
However, RADIUS accounting server implementations typically do not
need to understand attributes in order to write them to stable
storage or pass them to the billing engine. Therefore, accounting
server implementations SHOULD be equipped to handle unknown
attributes.
To avoid misinterpretation of service requests encoded within VSAs,

RADIUS servers SHOULD NOT send VSAs containing service requests to
RADIUS clients that are not known to understand them. For example, a
RADIUS server should not send a VSA encoding a filter without
knowledge that the RADIUS client supports the VSA.

2.6. Interpretation of Access-Reject
2.6.1. Improper Use of Access-Reject
The intent of an Access-Reject is to deny access to the requested

service. [RFC2865] Section 2 states:
If any condition is not met, the RADIUS server sends an "Access-

Reject" response indicating that this user request is invalid. If
desired, the server MAY include a text message in the Access-
Reject which MAY be displayed by the client to the user. No other
Attributes (except Proxy-State) are permitted in an Access-Reject.
This text makes it clear that RADIUS does not allow the provisioning
of services within an Access-Reject. If the desire is to allow
limited access, then an Access-Accept can be sent with attributes
provisioning limited access. Attributes within an Access-Reject are
restricted to those necessary to route the message (e.g., Proxy-
State), attributes providing the user with an indication that access
has been denied (e.g., an EAP-Message attribute containing an EAP-
Failure), or attributes conveying an error message (e.g., a Reply-
Message or Error-Cause attribute).
Unfortunately, there are examples where this requirement has been

misunderstood. [RFC2869] Section 2.2 states:
If that authentication fails, the RADIUS server should return an

Access-Reject packet to the NAS, with optional Password-Retry and
Reply-Messages attributes. The presence of Password-Retry
indicates the ARAP NAS MAY choose to initiate another challenge-
response cycle...
This paragraph is problematic from two perspectives. Firstly, a

Password-Retry attribute is being returned in an Access-Reject; this
attribute does not fit into the categories established in [RFC2865].
Secondly, an Access-Reject packet is being sent in the context of a
continuing authentication conversation; [RFC2865] requires use of an
Access-Challenge for this. [RFC2869] uses the phrase "challenge-
response" to describe this use of Access-Reject, indicating that the
semantics of Access-Challenge are being used.
[RFC2865] Section 4.4 addresses the semantics of Access-Challenge

being equivalent to Access-Reject in some cases:
If the NAS does not support challenge/response, it MUST treat an

Access-Challenge as though it had received an Access-Reject
instead.

While it is difficult to correct existing deployments of [RFC2869],

we make the following recommendations:
[1] New RADIUS specifications and implementations MUST NOT use

Access-Reject where the semantics of Access-Challenge are
intended.
[2] Access-Reject MUST mean denial of access to the requested

service. In response to an Access-Reject, the NAS MUST NOT
send any additional Access-Request packets for that user
session.
[3] New deployments of ARAP [RFC2869] SHOULD use Access-

Challenge instead of Access-Reject packets in the
conversations described in [RFC2869] Section 2.2.
We also note that the table of attributes in [RFC2869] Section 5.19

has an error for the Password-Retry attribute. It says:

0 0 0-1 0 75 Password-Retry
However, the text in [RFC2869], Section 2.3.2 says that Password-

Retry can be included within an Access-Challenge packet for EAP
authentication sessions. We recommend a correction to the table that
removes the "0-1" from the Reject column, and moves it to the
Challenge column. We also add a "Note 2" to follow the existing
"Note 1" in the document to clarify the use of this attribute.

0 0 0 0-1 75 Password-Retry [Note 2]
[Note 2] As per RFC 3579, the use of the Password-Retry in EAP

authentications is deprecated. The Password-Retry attribute can be
used only for ARAP authentication.
2.6.2. Service Request Denial
RADIUS has been deployed for purposes outside network access

authentication, authorization, and accounting. For example, RADIUS
has been deployed as a "back-end" for authenticating Voice Over IP
(VOIP) connections, Hypertext Transfer Protocol (HTTP) sessions
(e.g., Apache), File Transfer Protocol (FTP) sessions (e.g.,
proftpd), and machine logins for multiple operating systems (e.g.,
bsdi, pam, and gina). In those contexts, an Access-Reject sent to
the RADIUS client MUST be interpreted as a rejection of the request
for service, and the RADIUS client MUST NOT offer that service to the
user.

For example, when an authentication failure occurs in the context of

an FTP session, the normal semantics for rejecting FTP services
apply. The rejection does not necessarily cause the FTP server to
terminate the underlying TCP connection, but the FTP server MUST NOT
offer any services protected by user authentication.
Users may request multiple services from the NAS. Where those
services are independent, the deployment MUST treat the RADIUS
sessions as being independent.
For example, a NAS may offer multi-link services where a user may
have multiple simultaneous network connections. In that case, an
Access-Reject for a later multi-link connection request does not
necessarily mean that earlier multi-link connections are torn down.
Similarly, if a NAS offers both dialup and VOIP services, the
rejection of a VOIP attempt does not mean that the dialup session is
torn down.
2.7. Addressing
2.7.1. Link-Local Addresses
Since Link-Local addresses are unique only on the local link, if the
NAS and RADIUS server are not on the same link, then an IPv6 Link-
Local address [RFC4862] or an IPv4 Link-Local Address [RFC3927]
cannot be used to uniquely identify the NAS. A NAS SHOULD NOT
utilize a link-scope address within a NAS-IPv6-Address or NAS-IP-
Address attribute. A RADIUS server receiving a NAS-IPv6-Address or
NAS-IP-Address attribute containing a Link-Local address SHOULD NOT
count such an attribute toward satisfying the requirements of
[RFC3162] Section 2.1:
NAS-IPv6-Address and/or NAS-IP-Address MAY be present in an

Access-Request packet; however, if neither attribute is present
then NAS-Identifier MUST be present.
2.7.2. Multiple Addresses
There are situations in which a RADIUS client or server may have

multiple addresses. For example, a dual stack host can have both
IPv4 and IPv6 addresses; a host that is a member of multiple VLANs
could have IPv4 and/or IPv6 addresses on each VLAN; a host can have
multiple IPv4 or IPv6 addresses on a single interface. However,
[RFC2865] Section 5.44 only permits zero or one NAS-IP-Address
attributes within an Access-Request, and [RFC3162] Section 3 only
permits zero or one NAS-IPv6-Address attributes within an Access-
Request. When a NAS has more than one global address and no ability
to determine which is used for identification in a particular

request, it is RECOMMENDED that the NAS include the NAS-Identifier

attribute in an Access-Request in order to identify itself to the
RADIUS server.
[RFC2865] Section 3 states:
A RADIUS server MUST use the source IP address of the RADIUS UDP
packet to decide which shared secret to use, so that RADIUS
requests can be proxied.
Therefore, if a RADIUS client sends packets from more than one source
address, a shared secret will need to be configured on both the
client and server for each source address.
2.8. Idle-Timeout
With respect to the Idle-Timeout attribute, [RFC2865] Section 5.28

states:
This Attribute sets the maximum number of consecutive seconds of

idle connection allowed to the user before termination of the
session or prompt. This Attribute is available to be sent by the
server to the client in an Access-Accept or Access-Challenge.
The Idle-Timeout attribute is described in [RFC2865]. For IEEE

802 media other than 802.11 the media are always on. As a result
the Idle-Timeout attribute is typically only used with wireless
media such as IEEE 802.11. It is possible for a wireless device
to wander out of range of all Access Points. In this case, the
Idle-Timeout attribute indicates the maximum time that a wireless
device may remain idle.
In the above paragraphs "idle" may not necessarily mean "no traffic";
the NAS may support filters defining what traffic is included in the
idle time determination. As a result, an "idle connection" is
defined by local policy in the absence of other attributes.
2.9. Unknown Identity
If the Identity is unknown, the Identity Response field should be

zero bytes in length.

However, [RFC2865] Section 5.1 describes the User-Name attribute as

follows:
The String field is one or more octets.
How should the RADIUS client behave if it receives an EAP-

Response/Identity that is zero octets in length?
This Attribute indicates the name of the user to be authenticated.

It MUST be sent in Access-Request packets if available.
This suggests that the User-Name attribute may be omitted if it is

unavailable.
However, [RFC3579] Section 2.1 states:
In order to permit non-EAP aware RADIUS proxies to forward the

Access-Request packet, if the NAS initially sends an EAP-
Request/Identity message to the peer, the NAS MUST copy the
contents of the Type-Data field of the EAP-Response/Identity
received from the peer into the User-Name attribute and MUST
include the Type-Data field of the EAP-Response/Identity in the
User-Name attribute in every subsequent Access-Request.
This suggests that the User-Name attribute should contain the

contents of the Type-Data field of the EAP-Response/Identity, even if
it is zero octets in length.
Note that [RFC4282] does not permit a Network Access Identifier (NAI)
of zero octets, so that an EAP-Response/Identity with a Type-Data
field of zero octets MUST NOT be construed as a request for privacy
(e.g., anonymous NAI).
When a NAS receives an EAP-Response/Identity with a Type-Data field

that is zero octets in length, it is RECOMMENDED that it either omit
the User-Name attribute in the Access-Request or include the
Calling-Station-Id in the User-Name attribute, along with a Calling-
Station-Id attribute.
2.10. Responses After Retransmissions
Some implementations do not correctly handle the receipt of RADIUS

responses after retransmissions. [RFC2865] Section 2.5 states:

If the NAS is retransmitting a RADIUS request to the same server

as before, and the attributes haven't changed, you MUST use the
same Request Authenticator, ID, and source port. If any
attributes have changed, you MUST use a new Request Authenticator
and ID.
Note that changing the Request ID for a retransmission may have

undesirable side effects. Since RADIUS does not have a clear
definition of a "session", it is perfectly valid for a RADIUS server
to treat a retransmission as a new session request, and to reject it
due to, for example, the enforcement of restrictions on multiple
simultaneous logins.
In that situation, the NAS may receive a belated Access-Accept for

the first request, and an Access-Reject for the retransmitted
request, both of which apply to the same "session".
We suggest that the contents of Access-Request packets SHOULD NOT be

changed during retransmissions. If they must be changed due to the
inclusion of an Event-Timestamp attribute, for example, then
responses to earlier transmissions MUST be silently discarded. Any
response to the current request MUST be treated as the definitive
response, even if as noted above, it disagrees with earlier
responses.
This problem can be made worse by implementations that use a fixed

retransmission timeout (30 seconds is common). We reiterate the
suggestions in Section 2.1 about using congestive backoff. In that
case, responses to earlier transmissions MAY be used as data points
for congestive backoff, even if their contents are discarded.
2.11. Framed-IPv6-Prefix
[RFC3162] Section 2.3 says:
This Attribute indicates an IPv6 prefix (and corresponding route)

to be configured for the user. It MAY be used in Access-Accept
packets, and can appear multiple times. It MAY be used in an
Access-Request packet as a hint by the NAS to the server that it
would prefer these prefix(es), but the server is not required to
honor the hint. Since it is assumed that the NAS will plumb a
route corresponding to the prefix, it is not necessary for the
server to also send a Framed-IPv6-Route attribute for the same
prefix.
An Internet Service Provider (ISP) may desire to support Prefix

Delegation [RFC4818] at the same time that it would like to assign a
prefix for the link between the NAS and the user. The intent of the

paragraph was to enable the NAS to advertise the prefix (such as via
a Router Advertisement). If the Framed-Routing attribute is used, it
is also possible that the prefix would be advertised in a routing
protocol such as Routing Information Protocol Next Generation
(RIPNG). RFC 2865 Section 5.10 describes the purpose of Framed-
Routing:
This Attribute indicates the routing method for the user, when the
user is a router to a network. It is only used in Access-Accept
packets.
The description of the Prefix-Length field in RFC 3162 indicates

excessively wide latitude:
The length of the prefix, in bits. At least 0 and no larger than

128.
This length appears too broad, because it is not clear what a NAS
should do with a prefix of greater granularity than /64. For
example, the Framed-IPv6-Prefix may contain a /128. This does not
imply that the NAS should assign an IPv6 address to the end user,
because RFC 3162 already defines a Framed-IPv6-Identifier attribute
to handle the Identifier portion.
It appears that the Framed-IPv6-Prefix is used for the link between

the NAS and Customer Premises Equipment (CPE) only if a /64 prefix is
assigned. When a /64 or larger prefix is sent, the intent is for the
NAS to send a routing advertisement containing the information
present in the Framed-IPv6-Prefix attribute.
The CPE may also require a delegated prefix for its own use, if it is
decrementing the Hop Limit field of IP headers. In that case, it
should be delegated a prefix by the NAS via the Delegated-IPv6-Prefix
attribute [RFC4818]. If the CPE is not decrementing Hop Limit, it
does not require a delegated prefix.
The contents of the State attribute are available to both the RADIUS
client and observers of the RADIUS protocol. RADIUS server
implementations should ensure that the State attribute does not
disclose sensitive information to a RADIUS client or third parties
observing the RADIUS protocol.
The cache mechanism described in Section 2.2.2 is vulnerable to

attacks when Access-Request packets do not contain a Message-
Authenticator attribute. If the server accepts requests without a
Message-Authenticator, then RADIUS packets can be trivially forged by

an attacker. Cache entries can then be forcibly expired, negating

the utility of the cache. This attack can be mitigated by following
the suggestions in [RFC3579] Section 4, or by requiring the presence
of Message-Authenticator, as described in Sections 2.1.1 and 2.2.2.
Since this document describes the use of RADIUS for purposes of

authentication, authorization, and accounting in a wide variety of
networks, applications using these specifications are vulnerable to
all of the threats that are present in other RADIUS applications.
For a discussion of these threats, see [RFC2865], [RFC2607],
[RFC3162], [RFC3579], and [RFC3580].
4. References
4.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate

Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,

"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000.
[RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix

Attribute", RFC 4818, April 2007.
4.2. Informative References
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy

Implementation in Roaming", RFC 2607, June 1999.
[RFC2618] Aboba, B. and G. Zorn, "RADIUS Authentication Client

MIB", RFC 2618, June 1999.
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[RFC2869] Rigney, C., Willats, W., and P. Calhoun, "RADIUS

Extensions", RFC 2869, June 2000.
[RFC3162] Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6",
RFC 3162, August 2001.
[RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
C., and M. Carney, "Dynamic Host Configuration Protocol
for IPv6 (DHCPv6)", RFC 3315, July 2003.

[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
Aboba, "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", RFC 3576,
July 2003.
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication

Dial In User Service) Support For Extensible
Authentication Protocol (EAP)", RFC 3579, September 2003.
[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J.
Roese, "IEEE 802.1X Remote Authentication Dial In User
Service (RADIUS) Usage Guidelines", RFC 3580, September
2003.
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, Ed., "Extensible Authentication Protocol
(EAP)", RFC 3748, June 2004.
[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic

Configuration of IPv4 Link-Local Addresses", RFC 3927,
May 2005.
[RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The
Network Access Identifier", RFC 4282, December 2005.
[RFC4668] Nelson, D., "RADIUS Authentication Client MIB for IPv6",

[RFC4669] Nelson, D., "RADIUS Authentication Server MIB for IPv6",

[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless

Address Autoconfiguration", RFC 4862, September 2007.
[PANA] Forsberg, D., Ohba, Y.,Ed., Patil, B., Tschofenig, H.,

and A. Yegin, "Protocol for Carrying Authentication for
Network Access (PANA)", Work in Progress.

Acknowledgments
The authors would like to acknowledge Glen Zorn and Bernard Aboba for
contributions to this document.
The alternate algorithm to [RFC3579] Section 2.6.1 that is described

in Section 2.1.2 of this document was designed by Raghu Dendukuri.
The text discussing retransmissions in Section 2.2.1 is taken with

minor edits from Section 9 of" Protocol for Carrying Authentication
for Network Access (PANA)" [PANA].
Alan DeKok wishes to acknowledge the support of Quiconnect Inc.,

where he was employed during much of the work on this document.
David Nelson wishes to acknowledge the support of Enterasys Networks,

where he was employed during much of the work on this document.
Authors' Addresses
David B. Nelson
Elbrys Networks, Inc.
75 Rochester Ave., Unit 3
Portsmouth, N.H. 03801 USA
Phone: +1.603.570.2636
EMail: dnelson@elbrysnetworks.com
Alan DeKok
The FreeRADIUS Server Project
http://freeradius.org/
EMail: aland@freeradius.org

Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions

contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an

"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any

Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any

assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.

Rfcs As PDF

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Rfcs As PDF

Încărcat de

Drepturi de autor:

Formate disponibile

Network Working Group T.

The TLS Protocol

Status of this Memo

This document specifies an Internet standards track protocol for the

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document specifies Version 1.0 of the Transport Layer Security

Dierks & Allen Standards Track [Page 1]

6.2. Record layer 16

Dierks & Allen Standards Track [Page 2]

- The connection is private. Symmetric cryptography is used for

- The connection is reliable. Message transport includes a message

Dierks & Allen Standards Track [Page 3]

this mode while another protocol is using the Record Protocol as

The TLS Record Protocol is used for encapsulation of various higher

- The peer's identity can be authenticated using asymmetric, or

- The negotiation of a shared secret is secure: the negotiated

- The negotiation is reliable: no attacker can modify the

One advantage of TLS is that it is application protocol independent.

The goals of TLS Protocol, in order of their priority, are:

1. Cryptographic security: TLS should be used to establish a secure

2. Interoperability: Independent programmers should be able to

3. Extensibility: TLS seeks to provide a framework into which new

Dierks & Allen Standards Track [Page 4]

the need to create a new protocol (and risking the introduction

4. Relative efficiency: Cryptographic operations tend to be highly

3. Goals of this document

This document is not intended to supply any details of service

This document deals with the formatting of data in an external

Dierks & Allen Standards Track [Page 5]

4.1. Basic block size

The representation of all data items is explicitly specified. The

value = (byte[0] << 8*(n-1)) | (byte[1] << 8*(n-2)) |

This byte ordering for multi-byte values is the commonplace network

Comments begin with "/*" and end with "*/".

Optional components are denoted by enclosing them in "[[ ]]" double

Single byte entities containing uninterpreted data are of type

A vector (single dimensioned array) is a stream of homogeneous data

Here T' occupies n bytes in the data stream, where n is a multiple of

In the following example, Datum is defined to be three consecutive

opaque Datum[3]; /* three uninterpreted bytes */

Dierks & Allen Standards Track [Page 6]

Variable length vectors are defined by specifying a subrange of legal

In the following example, mandatory is a vector that must contain

All values, here and elsewhere in the specification, are stored in

An additional sparse data type is available called enum. A field of

Dierks & Allen Standards Track [Page 7]

be assigned a value, as demonstrated in the following example. Since

enum { e1(v1), e2(v2), ... , en(vn) [[, (n)]] } Te;

Enumerateds occupy as much space in the byte stream as would its

enum { red(3), blue(5), white(7) } Color;

One may optionally specify a value without its associated tag to

enum { sweet(1), sour(2), bitter(4), (32000) } Taste;

The names of the elements of an enumeration are scoped within the

Color color = Color.blue; /* overspecified, legal */

For enumerateds that are never converted to external representation,

enum { low, medium, high } Amount;

4.6. Constructed types

Structure types may be constructed from primitive types for

Dierks & Allen Standards Track [Page 8]

Defined structures may have variants based on some knowledge that is

enum { apple, orange } VariantTag;

Variant structures may be qualified (narrowed) by specifying a value

value = (byte[0] << 8(n-1)) | (byte[1] << 8(n-2)) |

Comments begin with "/" and end with "/".