path: root/doc/rfc/rfc2881.txt
Diffstat (limited to 'doc/rfc/rfc2881.txt')
-rw-r--r--   doc/rfc/rfc2881.txt   1123
1 files changed, 1123 insertions, 0 deletions
diff --git a/doc/rfc/rfc2881.txt b/doc/rfc/rfc2881.txt
new file mode 100644
index 0000000..b902cd3
--- /dev/null
+++ b/doc/rfc/rfc2881.txt
@@ -0,0 +1,1123 @@
+
+
+
+
+
+
+Network Working Group D. Mitton
+Request for Comments: 2881 Nortel Networks
+Category: Informational M. Beadles
+ SmartPipes Inc.
+ July 2000
+
+
+ Network Access Server Requirements Next Generation (NASREQNG)
+ NAS Model
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ This document describes the terminology and gives a model of typical
+ Network Access Server (NAS). The purpose of this effort is to set
+ the reference space for describing and evaluating NAS service
+ protocols, such as RADIUS (RFCs 2865, 2866) [1], [2] and follow-on
+ efforts like AAA Working Group, and the Diameter protocol [3]. These
+ are protocols for carrying user service information for
+ authentication, authorization, accounting, and auditing, between a
+ Network Access Server which desires to authenticate its incoming
+ calls and a shared authentication server.
+
+Table of Contents
+
+ 1. INTRODUCTION...................................................2
+ 1.1 Scope of this Document ......................................2
+ 1.2 Specific Terminology ........................................3
+ 2. NETWORK ACCESS SYSTEM EQUIPMENT ASSUMPTIONS....................3
+ 3. NAS SERVICES...................................................4
+ 4. AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA) SERVERS.....5
+ 5. TYPICAL NAS OPERATION SEQUENCE:................................5
+ 5.1 Characteristics of Systems and Sessions: ....................6
+ 5.2 Separation of NAS and AAA server functions ..................7
+ 5.3 Network Management and Administrative features ..............7
+ 6. AUTHENTICATION METHODS.........................................8
+ 7. SESSION AUTHORIZATION INFORMATION..............................8
+ 8. IP NETWORK INTERACTION.........................................9
+ 9. A NAS MODEL...................................................10
+
+
+
+Mitton & Beadles Informational [Page 1]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+ 9.1 A Reference Model of a NAS .................................10
+ 9.2 Terminology ................................................11
+ 9.3 Analysis ...................................................13
+ 9.3.1 Authentication and Security .............................13
+ 9.3.2 Authorization and Policy ................................14
+ 9.3.3 Accounting and Auditing .................................14
+ 9.3.4 Resource Management .....................................14
+ 9.3.5 Virtual Private Networks (VPN's) ........................14
+ 9.3.6 Service Quality .........................................15
+ 9.3.7 Roaming .................................................15
+ 10. SECURITY CONSIDERATIONS......................................15
+ 11. REFERENCES ..................................................16
+ 12. ACKNOWLEDGMENTS..............................................17
+ 13. AUTHORS' ADDRESSES ..........................................17
+ 14. APPENDIX - ACRONYMS AND GLOSSARY:............................18
+ 15. FULL COPYRIGHT STATEMENT.....................................20
+
+1. Introduction
+
+ A Network Access Server is the initial entry point to a network for
+ the majority of users of network services. It is the first device in
+ the network to provide services to an end user, and acts as a gateway
+ for all further services. As such, its importance to users and
+ service providers alike is paramount. However, the concept of a
+ Network Access Server has grown up over the years without being
+ formally defined or analyzed [4].
+
+1.1 Scope of this Document
+
+ There are several tradeoffs taken in this document. The purpose of
+ this document is to describe a model for evaluating NAS service
+ protocols. It will give examples of typical NAS hardware and
+ software features, but these are not to be taken as hard limitations
+ of the model, but merely illustrative of the points of discussion.
+ An important goal of the model is to offer a framework that allows
+ further development and expansion of capabilities in NAS
+ implementation.
+
+ As with most IETF projects, the focus is on standardizing the
+ protocol interaction between the components of the system. The
+ documents produced will not address the following areas:
+
+ - AAA server back-end implementation is abstracted and not
+ prescribed. The actual organization of the data in the server, its
+ internal interfaces, and capabilities are left to the
+ implementation.
+
+
+
+
+
+Mitton & Beadles Informational [Page 2]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+ - NAS front-end call technology is not assumed to be static.
+ Alternate and new technology will be accommodated. The resultant
+ protocol specifications must be flexible in design to allow for new
+ technologies and services to be added with minimal impact on
+ existing implementations.
+
+1.2 Specific Terminology
+
+ The following terms are used in this document in this manner: A
+ "Call" - the initiation of a network service request to the NAS.
+ This can mean the arrival of a telephone call via a dial-in or
+ switched telephone network connection, or the creation of a tunnel to
+ a tunnel server which becomes a virtual NAS. A "Session" - is the
+ NAS provided service to a specific authorized user entity.
+
+2. Network Access System Equipment Assumptions
+
+ A typical hardware-based NAS is implemented in a constrained system.
+ It is important that the NAS protocols don't assume unlimited
+ resources on the part of the platform. The following are typical
+ constraints:
+
+ - A computer system of minimal to moderate performance
+ (example processors: Intel 386 or 486, Motorola 68000)
+ - A moderate amount, but not large RAM (typically varies with
+ supported # of ports 1MB to 8MB)
+ - Some small amount of non-volatile memory, and/or way to be
+ configured out-of-band
+ - No assumption of a local file system or disk storage
+
+ A NAS system may consist of a system of interconnected specialized
+ processor system units. Typically they may be circuit boards (or
+ blades) that are arrayed in a card cage (or chassis) and referred to
+ by their position (i.e., slot number). The bus interconnection
+ methods are typically proprietary and will not be addressed here.
+
+ A NAS is sometimes referred to as a Remote Access Server (RAS) as it
+ typically allows remote access to a network. However, a more general
+ picture is that of an "Edge Server", where the NAS sits on the edge
+ of an IP network of some type, and allows dynamic access to it.
+
+ Such systems typically have;
+
+ - At least one LAN or high performance network interface (e.g.,
+ Ethernet, ATM, FR)
+
+
+
+
+
+
+Mitton & Beadles Informational [Page 3]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+ - At least one, but typically many, serial interface ports, which
+ could be;
+ - serial RS232 ports direct wired or wired to a modem, or
+ - have integral hardware or software modems (V.22bis,V.32, V.34,
+ X2, Kflex, V.90, etc.)
+ - have direct connections to telephone network digital WAN lines
+ (ISDN, T1, T3, NFAS, or SS7)
+ - an aggregation of xDSL connections or PPPoe sessions [5].
+
+ However, systems may perform some of the functions of a NAS, but not
+ have these kinds of hardware characteristics. An example would be a
+ industry personal computer server system, that has several modem line
+ connections. These lines will be managed like a dedicated NAS, but
+ the system itself is a general file server. Likewise, with the
+ development of tunneling protocols (L2F [6], ATMP [7], L2TP [8]),
+ tunnel server systems must behave like a "virtual" NAS, where the
+ calls come from the network tunneled sessions and not hardware ports
+ ([11], [9], [10]).
+
+3. NAS Services
+
+ The core of what a NAS provides, are dynamic network services. What
+ distinguishes a NAS from a typical routing system, is that these
+ services are provided on a per-user basis, based on an authentication
+ and the service is accounted for. This accounting may lead to
+ policies and controls to limit appropriate usage to levels based on
+ the availability of network bandwidth, or service agreements between
+ the user and the provider.
+
+ Typical services include:
+
+ - dial-up or direct access serial line access; Ability to access the
+ network using a the public telephone network.
+ - network access (SLIP, PPP, IPX, NETBEUI, ARAP); The NAS allows the
+ caller to access the network directly.
+ - asynchronous terminal services (Telnet, Rlogin, LAT, others); The
+ NAS implements the network protocol on behalf of the caller, and
+ presents a terminal interface.
+ - dial-out connections; Ability to cause the NAS to initiate a
+ connection over the public telephone network, typically based on the
+ arrival of traffic to a specific network system.
+ - callback (NAS generates call to caller); Ability to cause the NAS to
+ reverse or initiate a network connection based on the arrival of a
+ dial-in call.
+ - tunneling (from access connection to remote server); The NAS
+ transports the callers network packets over a network to a remote
+ server using an encapsulation protocol. (L2TP [8], RADIUS support
+ [11])
+
+
+
+Mitton & Beadles Informational [Page 4]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+4. Authentication, Authorization and Accounting (AAA) Servers
+
+ Because of the need to authenticate and account, and for practical
+ reasons of implementation, NAS systems have come to depend on
+ external server systems to implement authentication databases and
+ accounting recording.
+
+ By separating these functions from the NAS equipment, they can be
+ implemented in general purpose computer systems, that may provide
+ better suited long term storage media, and more sophisticated
+ database software infrastructures. Not to mention that a centralized
+ server can allow the coordinated administration of many NAS systems
+ as appropriate (for example a single server may service an entire POP
+ consisting of multiple NAS systems).
+
+ For ease of management, there is a strong desire to piggyback NAS
+ authentication information with other authentication databases, so
+ that authentication information can be managed for several services
+ (such as OS shell login, or Web Server access) from the same
+ provider, without creating separate passwords and accounts for the
+ user.
+
+ Session activity information is stored and processed to produce
+ accounting usage records. This is typically done with a long term
+ (nightly, weekly or monthly) batch type process.
+
+ However, as network operations grow in sophistication, there are
+ requirements to provide real-time monitoring of port and user status,
+ so that the state information can be used to implement policy
+ decisions, monitor user trends, and the ability to possibly terminate
+ access for administrative reasons. Typically only the NAS knows the
+ true dynamic state of a session.
+
+5. Typical NAS Operation Sequence:
+
+ The following details a typical NAS operational sequence:
+
+ - Call arrival on port or network
+ - Port:
+ - auto-detect (or not) type of call
+ - CLI/SLIP: prompt for username and password (if security
+ set)
+ - PPP: engage LCP, Authentication
+ - Request authentication from AAA server
+ - if okay, proceed to service
+ - may challenge
+ - may ask for password change/update
+
+
+
+
+Mitton & Beadles Informational [Page 5]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+ - Network:
+ - activate internal protocol server (telnet, ftp)
+ - engage protocol's authentication technique
+ - confirm authentication information with AAA server
+
+ - Call Management Services
+ - Information from the telephone system or gateway controller
+ arrives indicating that a call has been received
+ - The AAA server is consulted using the information supplied by
+ the telephone system (typically Called or Calling number
+ information)
+ - The server indicates whether to respond to the call by
+ answering it, or by returning a busy to the caller.
+ - The server may also need to allocate a port to receive a
+ call, and route it accordingly.
+
+ - Dial-out
+ - packet destination matches outbound route pre-configured
+ - find profile information to setup call
+ - Request information from AAA server for call details
+
+ - VPN/Tunneling (compulsory)
+ - authentication server identifies user as remote
+ - tunnel protocol is invoked to a remote server
+ - authentication information may be forwarded to remote AAA
+ server
+ - if successful, the local link is given a remote identity
+
+ - Multi-link aggregation
+ - after a new call is authenticated by the AAA server, if MP
+ options are present, then other bundles with the same
+ identifying information is searched for
+ - bundle searches are performed across multiple systems
+ - join calls that match authentication and originator
+ identities as one network addressable data source with a
+ single network IP address
+
+ - Hardwired (non-interactive) services
+ - permanent WAN connections (Frame Relay or PSVCs)
+ - permanent serial connections (printers)
+
+5.1 Characteristics of Systems and Sessions:
+
+ Sessions must have a user identifier and authenticator to complete
+ the authentication process. Accounting starts from time of call or
+ service, though finer details are allowed. At the end of service, the
+ call may be disconnected or allow re-authentication for additional
+ services.
+
+
+
+Mitton & Beadles Informational [Page 6]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+ Some systems allow decisions on call handling to be made based on
+ telephone system information provided before the call is answered
+ (e.g., caller id or destination number). In such systems, calls may
+ be busied-out or non-answered if system resources are not ready or
+ available.
+
+ Authorization to run services are supplied and applied after
+ authentication. A NAS may abort call if session authorization
+ information disagrees with call characteristics. Some system
+ resources may be controlled by server driven policies
+
+ Accounting messages are sent to the accounting server when service
+ begins, and ends, and possibly periodically during service delivery.
+ Accounting is not necessarily a real-time service, the NAS may be
+ queue and batch send event records.
+
+5.2 Separation of NAS and AAA server functions
+
+ As a distributed system, there is a separation of roles between the
+ NAS and the Server:
+
+ - Server provides authentication services; checks passwords
+ (static or dynamic)
+ - Server databases may be organized in any way (only protocol
+ specified)
+ - Server may use external systems to authenticate (including OS
+ user databases, token cards, one-time-lists, proxy or other
+ means)
+ - Server provides authorization information to NAS
+ - The process of providing a service may lead to requests for
+ additional information
+ - Service authorization may require real-time enforcement
+ (services may be based on Time of Day, or variable cost
+ debits)
+ - Session accounting information is tallied by the NAS and
+ reported to server
+
+5.3 Network Management and Administrative features
+
+ The NAS system is presumed to have a method of configuration that
+ allows it to know it's identity and network parameters at boot time.
+ Likewise, this configuration information is typically managed using
+ the standard management protocols (e.g., SNMP). This would include
+ the configuration of the parameters necessary to contact the AAA
+ server itself. The purpose of the AAA server is not to provide
+ network management for the NAS, but to authorize and characterize the
+ individual services for the users. Therefore any feature that can be
+ user specific is open to supply from the AAA server.
+
+
+
+Mitton & Beadles Informational [Page 7]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+ The system may have other operational services that are used to run
+ and control the NAS. Some users that have _Administrative_
+ privileges may have access to system configuration tools, or services
+ that affect the operation and configuration of the system (e.g.,
+ loading boot images, internal file system access, etc..) Access to
+ these facilities may also be authenticated by the AAA server
+ (provided it is configured and reachable!) and levels of access
+ authorization may be provided.
+
+6. Authentication Methods
+
+ A NAS system typically supports a number of authentication systems.
+ For async terminal users, these may be a simple as a prompt and
+ input. For network datalink users, such as PPP, several different
+ authentication methods will be supported (PAP, CHAP [12], MS-CHAP
+ [13]). Some of these may actually be protocols in and of themselves
+ (EAP [14] [15], and Kerberos).
+
+ Additionally, the content of the authentication exchanges may not be
+ straightforward. Hard token cards, such as the Safeword and SecurId,
+ systems may generate one-time passphrases that must be validated
+ against a proprietary server. In the case of multi-link support, it
+ may be necessary to remember a session token or certificate for the
+ later authentication of additional links.
+
+ In the cases of VPN and compulsory tunneling services, typically a
+ Network Access Identifier (RFC 2486 [16]) is presented by the user.
+ This NAI is parsed into a destination network identifier either by
+ the NAS or by the AAA server. The authentication information will
+ typically not be validated locally, but by a AAA service at the
+ remote end of the tunnel service.
+
+7. Session Authorization Information
+
+ Once a user has been authenticated, there are a number of individual
+ bits of information that the network management may wish to configure
+ and authorize for the given user or class of users.
+
+ Typical examples include:
+
+ For async terminal users:
+
+ - banners
+ - custom prompts
+ - menus
+ - CLI macros - which could be used for: shortcuts, compound
+ commands, restrictive scripts
+
+
+
+
+Mitton & Beadles Informational [Page 8]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+ For network users:
+
+ - addresses, and routes
+ - callback instructions
+ - packet and activity filters
+ - network server addresses
+ - host server addresses
+
+ Some services may require dynamic allocation of resources.
+ Information about the resources required may not be known during the
+ authentication phase, it may come up later. (e.g., IP Addresses for
+ multi-link bundles) It's also possible that the authorization will
+ change over the time of the session. To provide these there has to be
+ a division of responsibility between the NAS and the AAA server, or a
+ cooperation using a stateful service.
+
+ Such services include:
+
+ - IP Address management
+ - Concurrent login limitations
+ - Tunnel usage limitations
+ - Real-time account expirations
+ - Call management policies
+
+ In the process of resolving resource information, it may be required
+ that a certain level of service be supplied, and if not available,
+ the request refused, or corrective action taken.
+
+8. IP Network Interaction
+
+ As the NAS participates in the IP network, it interacts with the
+ routing mechanisms of the network itself. These interactions may
+ also be controlled on a per-user/session basis.
+
+ For example, some input streams may be directed to specific hosts
+ other than the default gateway for the destination subnet. In order
+ to control services within the network provider's infrastructure,
+ some types of packets may be discarded (filtered) before entering the
+ network. These filters could be applied based on examination of
+ destination address and port number. Anti-spoofing packet controls
+ may be applied to disallow traffic sourced from addresses other than
+ what was assigned to the port.
+
+ A NAS may also be an edge router system, and apply Quality of Service
+ (QoS) policies to the packets. This makes it a QOS Policy
+ Enforcement Point [19], [17]. It may learn QOS and other network
+ policies for the user via the AAA service.
+
+
+
+
+Mitton & Beadles Informational [Page 9]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+9. A NAS Model
+
+ So far we have looked at examples of things that NASes do. The
+ following attempts to define a NAS model that captures the
+ fundamentals of NAS structure to better categorize how it interacts
+ with other network components.
+
+ A Network Access Server is a device which sits on the edge of a
+ network, and provides access to services on that network in a
+ controlled fashion, based on the identity of the user of the network
+ services in question and on the policy of the provider of these
+ services. For the purposes of this document, a Network Access Server
+ is defined primarily as a device which accepts multiple point-to-
+ point [18] links on one set of interfaces, providing access to a
+ routed network or networks on another set of interfaces.
+
+ Note that there are many things that a Network Access Server is not.
+ A NAS is not simply a router, although it will typically include
+ routing functionality in it's interface to the network. A NAS is not
+ necessarily a dial access server, although dial access is one common
+ means of network access, and brings its own particular set of
+ requirements to NAS's.
+
+ A NAS is the first device in the IP network to provide services to an
+ end user, and acts as a gateway for all further services. It is the
+ point at which users are authenticated, access policy is enforced,
+ network services are authorized, network usage is audited, and
+ resource consumption is tracked. That is, a NAS often acts as the
+ policy enforcement point for network AAAA (authentication,
+ authorization, accounting, and auditing) services. A NAS is
+ typically the first place in a network where security measures and
+ policy may be implemented.
+
+9.1 A Reference Model of a NAS
+
+ For reference in the following discussion, a diagram of a NAS, its
+ dependencies, and its interfaces is given below. This diagram is
+ intended as an abstraction of a NAS as a reference model, and is not
+ intended to represent any particular NAS implementation.
+
+
+
+
+
+
+
+
+
+
+
+
+Mitton & Beadles Informational [Page 10]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+ Users
+ v v v v v v v
+ | | PSTN | |
+ | | or | |
+ |encapsulated
+ +-----------------+
+ | (Modems) |
+ +-----------------+
+ | | | | | | |
+ +--+----------------------------+
+ | | |
+ |N | Client Interface |
+ | | |
+ |A +----------Routing ----------+
+ | | |
+ |S | Network Interface |
+ | | |
+ +--+----------------------------+
+ / | \
+ / | \
+ / | \
+ / | \
+ POLICY MANAGEMENT/ | \ DEVICE MANAGEMENT
+ +---------------+ | +-------------------+
+ | Authentication| _/^\_ |Device Provisioning|
+ +---------------+ _/ \_ +-------------------+
+ | Authorization | _/ \_ |Device Monitoring |
+ +---------------+ _/ \_ +-------------------+
+ | Accounting | / The \
+ +---------------+ \_ Network(s) _/
+ | Auditing | \_ _/
+ +---------------+ \_ _/
+ \_ _/
+ \_/
+
+9.2 Terminology
+
+ Following is a description of the modules and interfaces in the
+ reference model for a NAS given above:
+
+ Client Interfaces - A NAS has one or more client interfaces, which
+ provide the interface to the end users who are requesting network
+ access. Users may connect to these client interfaces via modems
+ over a PSTN, or via tunnels over a data network. Two broad
+ classes of NAS's may be defined, based on the nature of the
+ incoming client interfaces, as follows. Note that a single NAS
+ device may serve in both classes:
+
+
+
+
+Mitton & Beadles Informational [Page 11]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+ Dial Access Servers - A Dial Access Server is a NAS whose client
+ interfaces consist of modems, either local or remote, which are
+ attached to a PSTN.
+
+ Tunnel Servers - A Tunnel Server is a NAS whose client interfaces
+ consists of tunneling endpoints in a protocol such as L2TP
+
+ Network Interfaces - A NAS has one or more network interfaces, which
+ connect to the networks to which access is being granted.
+
+ Routing - If the network to which access is being granted is a routed
+ network, then a NAS will typically include routing functionality.
+
+ Policy Management Interface - A NAS provides an interface which
+ allows access to network services to be managed on a per-user
+ basis. This interface may be a configuration file, a graphical
+ user interface, an API, or a protocol such as RADIUS, Diameter, or
+ COPS [19]. This interface provides a mechanism for granular
+ resource management and policy enforcement.
+
+ Authentication - Authentication refers to the confirmation that a
+ user who is requesting services is a valid user of the network
+ services requested. Authentication is accomplished via the
+ presentation of an identity and credentials. Examples of types of
+ credentials are passwords, one-time tokens, digital certificates,
+ and phone numbers (calling/called).
+
+ Authorization - Authorization refers to the granting of specific
+ types of service (including "no service") to a user, based on
+ their authentication, what services they are requesting, and the
+ current system state. Authorization may be based on restrictions,
+ for example time-of-day restrictions, or physical location
+ restrictions, or restrictions against multiple logins by the same
+ user. Authorization determines the nature of the service which is
+ granted to a user. Examples of types of service include, but are
+ not limited to: IP address filtering, address assignment, route
+ assignment, QoS/differential services, bandwidth control/traffic
+ management, compulsory tunneling to a specific endpoint, and
+ encryption.
+
+ Accounting - Accounting refers to the tracking of the consumption of
+ NAS resources by users. This information may be used for
+ management, planning, billing, or other purposes. Real-time
+ accounting refers to accounting information that is delivered
+ concurrently with the consumption of the resources. Batch
+ accounting refers to accounting information that is saved until it
+
+
+
+
+
+Mitton & Beadles Informational [Page 12]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+ is delivered at a later time. Typical information that is
+ gathered in accounting is the identity of the user, the nature of
+ the service delivered, when the service began, and when it ended.
+
+ Auditing - Auditing refers to the tracking of activity by users. As
+ opposed to accounting, where the purpose is to track consumption
+ of resources, the purpose of auditing is to determine the nature
+ of a user's network activity. Examples of auditing information
+ include the identity of the user, the nature of the services used,
+ what hosts were accessed when, what protocols were used, etc.
+
+ AAAA Server - An AAAA Server is a server or servers that provide
+ authentication, authorization, accounting, and auditing services.
+ These may be co-located with the NAS, or more typically, are
+ located on a separate server and communicate with the NAS's User
+ Management Interface via an AAAA protocol. The four AAAA
+ functions may be located on a single server, or may be broken up
+ among multiple servers.
+
+ Device Management Interface - A NAS is a network device which is
+ owned, operated, and managed by some entity. This interface
+ provides a means for this entity to operate and manage the NAS.
+ This interface may be a configuration file, a graphical user
+ interface, an API, or a protocol such as SNMP [20].
+
+ Device Monitoring - Device monitoring refers to the tracking of
+ status, activity, and usage of the NAS as a network device.
+
+ Device Provisioning - Device provisioning refers to the
+ configurations, settings, and control of the NAS as a network
+ device.
+
+9.3 Analysis
+
+ Following is an analysis of the functions of a NAS using the
+ reference model above:
+
+9.3.1 Authentication and Security
+
+ NAS's serve as the first point of authentication for network users,
+ providing security to user sessions. This security is typically
+ performed by checking credentials such as a PPP PAP user
+ name/password pair or a PPP CHAP user name and challenge/response,
+ but may be extended to authentication via telephone number
+ information, digital certificates, or biometrics. NAS's also may
+ authenticate themselves to users. Since a NAS may be shared among
+ multiple administrative entities, authentication may actually be
+ performed via a back-end proxy, referral, or brokering process.
+
+
+
+Mitton & Beadles Informational [Page 13]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+ In addition to user security, NAS's may themselves be operated as
+ secure devices. This may include secure methods of management and
+ monitoring, use of IP Security [21] and even participation in a
+ Public Key Infrastructure.
+
+9.3.2 Authorization and Policy
+
+ NAS's are the first point of authorization for usage of network
+ resources, and NAS's serve as policy enforcement points for the
+ services that they deliver to users. NAS's may provision these
+ services to users in a statically or dynamically configured fashion.
+ Resource management can be performed at a NAS by granting specific
+ types of service based on the current network state. In the case of
+ shared operation, NAS policy may be determined based on the policy of
+ multiple end systems.
+
+9.3.3 Accounting and Auditing
+
+ Since NAS services are consumable resources, usage information must
+ often be collected for the purposes of soft policy management,
+ reporting, planning, and accounting. A dynamic, real-time view of
+ NAS usage is often required for network auditing purposes. Since a
+ NAS may be shared among multiple administrative entities, usage
+ information must often be delivered to multiple endpoints.
+ Accounting is performed using such protocols as RADIUS [2].
+
+9.3.4 Resource Management
+
+ NAS's deliver resources to users, often in a dynamic fashion.
+ Examples of the types of resources doled out by NAS's are IP
+ addresses, network names and name server identities, tunnels, and
+ PSTN resources such as phone lines and numbers. Note that NAS's may
+ be operated in a outsourcing model, where multiple entities are
+ competing for the same resources.
+
+9.3.5 Virtual Private Networks (VPN's)
+
+ NAS's often participate in VPN's, and may serve as the means by which
+ VPN's are implemented. Examples of the use of NAS's in VPN's are:
+ Dial Access Servers that build compulsory tunnels, Dial Access
+ Servers that provide services to voluntary tunnelers, and Tunnel
+ Servers that provide tunnel termination services. NAS's may
+ simultaneously provide VPN and public network services to different
+ users, based on policy and user identity.
+
+
+
+
+
+
+
+Mitton & Beadles Informational [Page 14]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+9.3.6 Service Quality
+
+ A NAS may delivery different qualities, types, or levels of service
+ to different users based on policy and identity. NAS's may perform
+ bandwidth management, allow differential speeds or methods of access,
+ or even participate in provisioned or signaled Quality of Service
+ (QoS) networks.
+
+9.3.7 Roaming
+
+ NAS's are often operated in a shared or outsourced manner, or a NAS
+ operator may enter into agreements with other service providers to
+ grant access to users from these providers (roaming operations).
+ NAS's often are operated as part of a global network. All these
+ imply that a NAS often provides services to users from multiple
+ administrative domains simultaneously. The features of NAS's may
+ therefore be driven by requirements of roaming [22].
+
+10. Security Considerations
+
+ This document describes a model not a particular solution.
+
+ As mentioned in section 9.3.1 and elsewhere, NAS'es are concerned
+ about the security of several aspects of their operation, including:
+
+ - Providing sufficiently robust authentication techniques as
+ required by network policies,
+ - NAS authentication of configured authentication server(s),
+ - Server ability to authenticate configured clients,
+ - Hiding of the authentication information from network snooping
+ to protect from attacks and provide user privacy,
+ - Protecting the integrity of message exchanges from attacks
+ such as; replay, or man-in-the middle,
+ - Inability of other hosts to interfere with services authorized
+ to NAS, or gain unauthorized services,
+ - Inability of other hosts to probe or guess at authentication
+ information.
+ - Protection of NAS system configuration and administration from
+ unauthorized users
+ - Protection of the network from illegal packets sourced by
+ accessing connections
+
+
+
+
+
+
+
+
+
+
+Mitton & Beadles Informational [Page 15]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+11. References
+
+ [1] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote
+ Authentication Dial In User Service (RADIUS)", RFC 2865, June
+ 2000.
+
+ [2] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
+
+ [3] Calhoun, P., "Diameter Base Protocol", Work in Progress.
+
+ [4] Zorn, G., "Yet Another Authentication Protocol (YAAP)", Work in
+ Progress.
+
+ [5] Mamakos, L., Lidl, K., Evarts, K., Carrel, D., Simone, D. and R.
+ Wheeler, "A Method for Transmitting PPP Over Ethernet (PPPoE)",
+ RFC 2516, February 1999.
+
+ [6] Valencia, A., Littlewood, M. and T. Kolar, "Cisco Layer Two
+ Forwarding (Protocol) L2F", RFC 2341, May 1998.
+
+ [7] Hamzeh, K., "Ascend Tunnel Management Protocol - ATMP", RFC
+ 2107, February 1997.
+
+ [8] Valencia, A., Townsley, W., Rubens, A., Pall, G., Zorn, G., and
+ B. Palter, "Layer Two Tunneling Protocol (L2TP)", RFC 2661,
+ August 1999.
+
+ [9] Zorn, G., Leifer, D., Rubens, A., Shriver, J. and M. Holdrege,
+ "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June
+ 2000.
+
+ [10] Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting
+ Modifications for Tunnel Protocol Support", RFC 2867, June 2000.
+
+ [11] Aboba, B. and G. Zorn, "Implementation of PPTP/L2TP Compulsory
+ Tunneling via RADIUS", RFC 2809, April 2000.
+
+ [12] Simpson, W., "PPP Challenge Handshake Authentication Protocol
+ (CHAP)", RFC 1994, August 1996.
+
+ [13] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", RFC 2433,
+ March 1998.
+
+ [14] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication
+ Protocol (EAP)", RFC 2284, March 1998.
+
+ [15] Calhoun, et al., "Extensible Authentication Protocol Support in
+ RADIUS", Work in Progress.
+
+
+
+Mitton & Beadles Informational [Page 16]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+ [16] Aboba, B. and M. Beadles, "The Network Access Identifier", RFC
+ 2486, January 1999.
+
+ [17] Braden, R., Zhang, L., Berson, S., Herzog, S. and S. Jamin,
+ "Resource ReSerVation Protocol (RSVP) Version 1 Functional
+ Specification", RFC 2205, September 1997.
+
+ [18] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)", STD
+ 51, RFC 1661, July 1994.
+
+ [19] Boyle, J., Cohen, R., Durham, D., Herzog, S., Raja, R. and A.
+ Sastry. "The COPS (Common Open Policy Service) Protocol", RFC
+ 2748, January 2000.
+
+ [20] Case, J., Fedor, M., Schoffstall, M. and J. Davin. "A Simple
+ Network Management Protocol (SNMP)", STD 15, RFC 1157, May 1990.
+
+ [21] Atkinson, R. and S. Kent, "Security Architecture for the
+ Internet Protocol", RFC 2401, November 1998.
+
+ [22] Aboba, Zorn, "Dialup Roaming Requirements", Work in Progress.
+
+12. Acknowledgments
+
+ This document is a synthesis of my earlier draft and Mark Beadles'
+ NAS Reference Model draft.
+
+13. Authors' Addresses
+
+ David Mitton
+ Nortel Networks
+ 880 Technology Park Drive
+ Billerica, MA 01821
+
+ Phone: 978-288-4570
+ EMail: dmitton@nortelnetworks.com
+
+
+ Mark Beadles
+ SmartPipes Inc.
+ 545 Metro Place South
+ Suite 100
+ Dublin, OH 43017
+
+ Phone: 614-327-8046
+ EMail: mbeadles@smartpipes.com
+
+
+
+
+
+Mitton & Beadles Informational [Page 17]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+14. Appendix - Acronyms and Glossary:
+
+ AAA - Authentication, Authorization, Accounting, The three primary
+ services required by a NAS server or protocol.
+
+ NAS - Network Access Server, a system that provides access to a
+ network. In some cases also know as a RAS, Remote Access Server.
+
+ CLI - Command Line Interface, an interface to a command line service
+ for use with an common asynchronous terminal facility.
+
+ SLIP - Serial Line Internet Protocol, an IP-only serial datalink,
+ predecessor to PPP.
+
+ PPP - Point-to-Point Protocol; a serial datalink level protocol that
+ supports IP as well as other network protocols. PPP has three major
+ states of operation: LCP - Link layer Control Protocol,
+ Authentication, of which there are several types (PAP, CHAP, EAP),
+ and NCP - Network layer Control Protocol, which negotiates the
+ network layer parameters for each of the protocols in use.
+
+ IPX - Novell's NetWare transport protocol
+
+ NETBEUI - A Microsoft/IBM LAN protocol used by Microsoft file
+ services and the NETBIOS applications programming interface.
+
+ ARAP - AppleTalk Remote Access Protocol
+
+ LAT - Local Area Transport; a Digital Equipment Corp. LAN protocol
+ for terminal services.
+
+ PPPoe - PPP over Ethernet; a protocol that forwards PPP frames on an
+ LAN infrastructure. Often used to aggregate PPP streams at a common
+ server bank.
+
+ VPN - Virtual Private Network; a term for networks that appear to be
+ private to the user by the use of tunneling techniques.
+
+ FR - Frame Relay, a synchronous WAN protocol and telephone network
+ intraconnect service.
+
+ PSVC - Permanent Switched Virtual Circuit - a service which delivers
+ an virtual permanent circuit by a switched network.
+
+ PSTN - Public Switched Telephone Network
+
+
+
+
+
+
+Mitton & Beadles Informational [Page 18]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+ ISDN - Integrated Services Digital Network, a telephone network
+ facility for transmitting digital and analog information over a
+ digital network connection. A NAS may have the ability to receive
+ the information from the telephone network in digital form.
+
+ ISP - Internet Service Provider; a provider of Internet access (also
+ Network Service Provider, NSP).
+
+ BRI - Basic Rate Interface; a digital telephone interface.
+
+ PRI - Primary Rate Interface; a digital telephone interface of 64K
+ bits per second.
+
+ T1 - A digital telephone interface which provides 24-36 channels of
+ PRI data and one control channel (2.048 Mbps).
+
+ T3 - A digital telephone interface which provides 28 T1 services.
+ Signalling control for the entire connection is provided on a
+ dedicated in-band channel.
+
+ NFAS - Non-Facility Associated Signaling, a telephone network
+ protocol/service for providing call information on a separate wire
+ connection from the call itself. Used with multiple T1 or T3
+ connections.
+
+ SS7 - A telephone network protocol for communicating call supervision
+ information on a separate data network from the voice network.
+
+ POP - Point Of Presence; a geographic location of equipment and
+ interconnection to the network. An ISP typically manages all
+ equipment in a single POP in a similar manner.
+
+ VSA - Vendor Specific Attributes; RADIUS attributes defined by
+ vendors using the provision of attribute 26.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mitton & Beadles Informational [Page 19]
+
+RFC 2881 NASreq NAS Model July 2000
+
+
+15. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mitton & Beadles Informational [Page 20]
+
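Review bot: the glossary entries at the end of this hunk carry factual slips that are present in the published RFC and should not be hand-corrected in this vendored copy: PRI is defined as "a digital telephone interface of 64K bits per second" (64 kbit/s is a single B channel; a PRI is 23B+D on a 1.544 Mbps T1 or 30B+D on a 2.048 Mbps E1), and T1 is described as "24-36 channels of PRI data and one control channel (2.048 Mbps)", which mixes T1 (24 channels, 1.544 Mbps) with E1 figures; section 9.3.6 also reads "A NAS may delivery". Because the Full Copyright Statement in this same hunk states that the document itself may not be modified, the check to do before merging is that doc/rfc/rfc2881.txt is byte-identical to the RFC Editor's canonical rfc2881.txt (for example by comparing a sha256 of both files), and any corrections the project wants to record belong in its own documentation rather than in this file.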