From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc2903.txt | 1459 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1459 insertions(+) create mode 100644 doc/rfc/rfc2903.txt (limited to 'doc/rfc/rfc2903.txt') diff --git a/doc/rfc/rfc2903.txt b/doc/rfc/rfc2903.txt new file mode 100644 index 0000000..44fe067 --- /dev/null +++ b/doc/rfc/rfc2903.txt @@ -0,0 +1,1459 @@ + + + + + + +Network Working Group C. de Laat +Request for Comments: 2903 Utrecht University +Category: Experimental G. Gross + Lucent Technologies + L. Gommans + Enterasys Networks EMEA + J. Vollbrecht + D. Spence + Interlink Networks, Inc. + August 2000 + + + Generic AAA Architecture + +Status of this Memo + + This memo defines an Experimental Protocol for the Internet + community. It does not specify an Internet standard of any kind. + Discussion and suggestions for improvement are requested. + Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2000). All Rights Reserved. + +Abstract + + This memo proposes an Authentication, Authorization, Accounting (AAA) + architecture that would incorporate a generic AAA server along with + an application interface to a set of Application Specific Modules + that could perform application specific AAA functions. A separation + of AAA functions required in a multi-domain environment is then + proposed using a layered protocol abstraction. The long term goal is + to create a generic framework which allows complex authorizations to + be realized through a network of interconnected AAA servers. + + + + + + + + + + + + + + + + +de Laat, et al. Experimental [Page 1] + +RFC 2903 Generic AAA Architecture August 2000 + + +Table of Contents + + 1. Introduction ................................................ 2 + 2. Generic AAA Architecture .................................... 4 + 2.1. Architectural Components of a Generic AAA Server ....... 4 + 2.1.1. Authorization Rule Evaluation ................... 4 + 2.1.2. Application Specific Module (ASM) ............... 5 + 2.1.3. Authorization Event Log ......................... 6 + 2.1.4. Policy Repository ............................... 6 + 2.1.5. Request Forwarding .............................. 6 + 2.2. Generic AAA Server Model ............................... 6 + 2.2.1. Generic AAA Server Interactions ................. 7 + 2.2.2. Compatibility with Legacy Protocols ............. 7 + 2.2.3. Interaction between the ASM and the Service ..... 9 + 2.2.4. Multi-domain Architecture ....................... 10 + 2.3. Model Observations ..................................... 10 + 2.4. Suggestions for Future Work ............................ 11 + 3. Layered AAA Protocol Model .................................. 12 + 3.1. Elements of a Layered Architecture ..................... 14 + 3.1.1. Service Layer Abstract Interface Primitives ..... 14 + 3.1.2. Service Layer Peer End Point Name Space ......... 14 + 3.1.3. Peer Registration, Discovery, and Location + Resolution ............................................. 14 + 3.1.4. Trust Relationships Between Peer End Points ..... 14 + 3.1.5. Service Layer Finite State Machine .............. 15 + 3.1.6. Protocol Data Unit Types ........................ 15 + 3.2. AAA Application Specific Service Layer ................. 15 + 3.3. Presentation Service Layer ............................. 16 + 3.4. AAA Transaction/Session Management Service Layer ....... 17 + 3.5. AAA-TSM Service Layer Program Interface Primitives ..... 20 + 3.6. AAA-TSM Layer End Point Name Space ..................... 21 + 3.7. Protocol Stack Examples ................................ 22 + 4. Security Considerations ..................................... 22 + Glossary ....................................................... 23 + References ..................................................... 24 + Authors' Addresses ............................................. 24 + Full Copyright Statement ....................................... 26 + +1. Introduction + + The work for this memo was done by a group that originally was the + Authorization subgroup of the AAA Working Group of the IETF. When + the charter of the AAA working group was changed to focus on MobileIP + and NAS requirements, the AAAarch Research Group was chartered within + the IRTF to continue and expand the architectural work started by the + Authorization subgroup. This memo is one of four which were created + by the subgroup. This memo is a starting point for further work + within the AAAarch Research Group. It is still a work in progress + + + +de Laat, et al. Experimental [Page 2] + +RFC 2903 Generic AAA Architecture August 2000 + + + and is published so that the work will be available for the AAAarch + subgroup and others working in this area, not as a definitive + description of architecture or requirements. + + The authorization subgroup of the AAA Working Group proposed an "AAA + Authorization Framework" [2] illustrated with numerous application + examples [3] which in turn motivates a proposed list of authorization + requirements [4]. This memo builds on the framework presented in [2] + by proposing an AAA infrastructure consisting of a network of + cooperating generic AAA servers communicating via a standard + protocol. The protocol should be quite general and should support + the needs of a wide variety of applications requiring AAA + functionality. To realize this goal, the protocol will need to + operate in a multi-domain environment with multiple service providers + as well as entities taking on other AAA roles such as User Home + Organizations and brokers. It should be possible to combine requests + for multiple authorizations of different types in the same + authorization transaction. The AAA infrastructure will be required + to forward the components of such requests to the appropriate AAA + servers for authorization and to collect the authorization decisions + from the various AAA servers consulted. All of this activity is + perfectly general in nature and can be realized in the common + infrastructure. + + But the applications requiring AAA services will each have their own + unique needs. After a service is authorized, it must be configured + and initialized. This will require application specific knowledge + and may require application specific protocols to communicate with + application specific service components. To handle these application + specific functions, we propose an application interface between a + generic AAA server and a set of one or more Application Specific + Modules (ASMs) which can carry out the unique functionality required + by each application. + + Since the data required by each application for authentication, + authorization, or accounting may have unique structure, the standard + AAA protocol should allow the encapsulation of opaque units of + Application Specific Information (ASI). These units would begin with + a standard header to allow them to be forwarded by the generic + infrastructure. When delivered to the final destination, an ASI unit + would be passed by a generic AAA server across its program interface + to an appropriate ASM for application specific processing. + Nevertheless, it remains a goal of the design for information units + to be encoded in standard ways as much as possible so as to enable + processing by a generic rule based engine. + + + + + + +de Laat, et al. Experimental [Page 3] + +RFC 2903 Generic AAA Architecture August 2000 + + + The interactions of the generic AAA server with the Application + Specific Modules and with each other to realize complex AAA functions + is explored in section 2. Then, in section 3, we attempt to further + organize the AAA functions into logical groups using a protocol + layering abstraction. This abstraction is not intended to be a + reference model ready to be used for protocol design. At this point + in the work, there are numerous questions that need to be addressed + and numerous problems that remain to be solved. It may be that an + abstraction other than layering will prove to be more useful or, more + likely, that the application layer will require some substructure of + its own. + + Finally, in section 4, we show how the security requirements + identified in [4] can be met in the generic server and the + Application Specific Modules by applying security techniques such as + public key encryption or digital signatures to the Application + Specific Information units individually, so that different + stakeholders in the AAA server network can protect selected + information units from being deciphered or altered by other + stakeholders in an authentication, authorization, or accounting + chain. + +2. Generic AAA Architecture + + For the long term we envision a generic AAA server which is capable + of authenticating users, handling authorization requests, and + collecting accounting data. For a service provider, such a generic + AAA server would be interfaced to an application specific module + which manages the resource for which authorization is required. + Generic AAA components would also be deployed in other administrative + domains performing authorization functions. + +2.1. Architectural Components of a Generic AAA Server + +2.1.1. Authorization Rule Evaluation + + The first step in the authorization process is for the user or an + entity operating on the user's behalf to submit a well-formatted + request to an AAA server. A generic AAA server has rules (logic + and/or algebraic formulas) to inspect the request and come to an + authorization decision. The first problem which arises is that + Application Specific Information (ASI) has to be separated from the + underlying logic for the authorization. Ideally the AAA server would + have a rule based engine at this point which would know the logic + rules and understand some generic information in the request, but it + would not know anything about application specific information except + where this information can be evaluated to give a boolean or + numerical value. It should be possible to create rules that refer to + + + +de Laat, et al. Experimental [Page 4] + +RFC 2903 Generic AAA Architecture August 2000 + + + data elements that were not considered when the application was + created. For example, one could request to do a remote virtual + control room experiment from home using a dialin provider. The + request would only be successful if the dialin access server allows + it and if there is bandwidth available (bandwidth broker) and if the + experimenter has the money to pay for it (E-Commerce). Possibly the + people who specified the bandwidth broker protocol did not think of + combining quality of service with a network service authorization in + a single AAA request, but this generic model would allow it. + + +------+ +-------+ +-------+ +-------+ +-------+ + | | auth | | auth | | auth | | auth | | + | |<---->| AAA |<---->| AAA |<---->| AAA |<---->| AAA | + | | | | | | | | | | + | | +-------+ +-------+ +-------+ +-------+ + | User | | | | | + | | | +-------+ +-------+ +-------+ + | | | | BB | | BB | |Budget | + | | | +-------+ +-------+ +-------+ + | | | | | + | | +-------+ | | + | | |dial in| +-------+ +-------+ + | |<====>|service|<====>|network|<====>|network|<===> Experiment + +------+ +-------+ +-------+ +-------+ + + user <-> dialin <-> backbone with BB <-> + + Fig. 1 -- Example of a Multi Domain Multi Type of Server Request + +2.1.2. Application Specific Module (ASM) + + Ultimately an AAA server needs to interact with an application + specific module (ASM). In a service provider, the ASM would manage + resources and configure the service equipment to provide the + authorized service. It might also involve itself in the + authorization decision because it has the application specific + knowledge required. A user home organization (UHO) may require ASMs + as well, to perform application specific user authorization + functions. For example, a UHO ASM might be required to access + certain application specific databases or interpret application + specific service level specifications. + + Whatever the role of an administration relative to an authorization + decision, the capabilities of the generic AAA server and the + interface between it and the ASMs remains the same. This interface + may be an Application Program Interface (API) or could even be a + protocol based interface. In this model, however, the application + + + + +de Laat, et al. Experimental [Page 5] + +RFC 2903 Generic AAA Architecture August 2000 + + + specific module is regarded as as separate architectural component + from the generic AAA server. As such, it must be addressable and + must therefore be part of a global naming space. + +2.1.3. Authorization Event Log + + For auditing purposes, the generic server must have some form of + database to store time-stamped events which occur in the AAA server. + This database can be used to account for authorizations which were + given, but it can also be used in rules. One can imagine rules in + which an authorization is only given if some other event was logged + in the past. With the aid of certificates, this database could + support non-repudiation. + +2.1.4. Policy Repository + + A database containing the available services and resources about + which authorization decisions can be made and the policy rules to + make them is also needed. Here too, the naming space for the + services and resources is important since they must be addressable + from other AAA servers to be able to build complex authorization + requests. + +2.1.5. Request Forwarding + + Due to the multiple administrative domain (multi-kingdom) nature of + the AAA problem, a mechanism to forward messages between AAA servers + is needed. The protocol by which two AAA servers communicate should + be a peer-to-peer protocol. + +2.2. Generic AAA Server Model + + With the implementation of the above mentioned components, the AAA + server would be able to handle AAA requests. It would inspect the + contents of the request, determine what authorization is requested, + retrieve the policy rules from the repository, perform various local + functions, and then choose one of the following options to further + process each of the components of the request: + + a) Let the component be evaluated by an attached ASM. + + b) Query the authorization event log or the policy repository for the + answer. + + c) Forward the component(s) to another AAA server for evaluation. + + In the following sections we present the generic model. + + + + +de Laat, et al. Experimental [Page 6] + +RFC 2903 Generic AAA Architecture August 2000 + + +2.2.1. Generic AAA Server Interactions + + Figure 2 illustrates a generic AAA Server with connections to the + various architectural components described above. In this model, the + user or another AAA server contacts the AAA server to get + authorization, and the AAA server interacts with the service. The + request is sent to the AAA server using the future AAA protocol. The + server interacts with the service via a second protocol which we have + labeled as type "2" in the figure. We say no more of the type 2 + protocol than that it must support some global naming space for the + application specific items. The same holds for the type 3 + communication used to access the repository. + + +------------------+ + | | + request <-----1----->|Generic AAA Server|<---1---> AAA server + |Rule based engine | + | |\ + +------------------+ 3 +------------+ + ^ \| Policy and | + | | event | + 2 | repository | + | +------------+ + v + +------------------+ + | Application | + | Specific | + | Module | + +------------------+ + + The numbers in the links denote types of communication. + + Fig. 2 -- Generic AAA Server Interactions + +2.2.2. Compatibility with Legacy Protocols + + Because of the widespread deployment of equipment that implements + legacy AAA protocols and the desire to realize the functionality of + the new AAA protocol while protecting the investment in existing + infrastructure, it may be useful to implement a AAA gateway function + that can encapsulate legacy protocol data units within the messages + of the new protocol. Use of this technique, for example, would allow + Radius attribute value pairs to be encapsulated in Application + Specific Information (ASI) units of the new protocol in such a way + that the ASI units can be digitally signed and encrypted for end-to- + end protection between a service provider's AAA server and a home AAA + server communicating via a marginally trusted proxy AAA server. The + service provider's NAS would communicate via Radius to the service + + + +de Laat, et al. Experimental [Page 7] + +RFC 2903 Generic AAA Architecture August 2000 + + + provider's AAA server, but the AAA servers would communicate among + themselves via the new AAA protocol. In this case, the AAA gateway + would be a software module residing in the service provider's AAA + server. Alternatively the AAA gateway could be implemented as a + standalone process. + + Figure 3 illustrates an AAA gateway. Communication type 4 is the + legacy protocol. Communication type 1 is the future standard AAA + protocol. And communication type 2 is for application specific + communication to Application Specific Modules (ASMs) or Service + Equipment. + + +-------+ + | AAA |<---1---> to AAA server as in fig. 2 + request <---4--->|GateWay| + | |<---2---> optionally to ASM/service + +-------+ + + The numbers in the links denote types of communication. + + Fig. 3 -- AAA Gateway for Legacy AAA Protocols + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +de Laat, et al. Experimental [Page 8] + +RFC 2903 Generic AAA Architecture August 2000 + + +2.2.3. Interaction between the ASM and the Service + + In a service provider, the Application Specific Module (ASM) and the + software providing the service itself may be tightly bound into a + single "Service Application". In this case, the interface between + them is just a software interface. But the service itself may be + provided by equipment external to the ASM, for example, a router in + the bandwidth broker application. In this case, the ASM communicates + with the service via some protocol. These two possibilities are + illustrated in figure 4. In both cases, we have labeled the + communication between the ASM and the service as communication type + 5, which of course, is service specific. + + | | + +--------------|----+ | + | Service 2 | 2 + | Application | | | + | +-------------+ | +-------------+ + | | Application | | | Application | + | | Specific | | | Specific | + | | Module | | | Module | + | +-------------+ | +-------------+ + | | | | + | 5 | 5 + | | | | + | +-------------+ | +-------------+ + | | Service | | | Service | + | | | | | Equipment | + | +-------------+ | +-------------+ + +-------------------+ + + Fig. 4 -- ASM to Service Interaction (two views) + + + + + + + + + + + + + + + + + + + +de Laat, et al. Experimental [Page 9] + +RFC 2903 Generic AAA Architecture August 2000 + + +2.2.4. Multi-domain Architecture + + The generic AAA server modules can use communication type 1 to + contact each other to evaluate parts of requests. Figure 5 + illustrates a network of generic AAA servers in different + administrative domains communicating via communication type 1. + + +-----+ + o--------| AAA |---->... + / | | + / +-----+\ + / | \+----+ + / +-----+ | RP | + / | ASM | +----+ + +--------+ +-----+ / | | + | Client |------| AAA |-------o +-----+ + +--------+ | | \ + +-----+ \ + | +----+ \ +-----+ + +-----+ | RP | o-----| AAA |---->... + | ASM | +----+ | | + | | +-----+\ + +-----+ | \+----+ + +-----+ | RP | + | ASM | +----+ + | | + +-----+ + + The AAA servers use only communication type 1 to communicate. + ASM = Application Specific Module + RP = Repository + + Fig. 5 -- Multi-domain Multi-type of Service Architecture + +2.3. Model Observations + + Some key points of the generic architecture are: + + 1) The same generic AAA server can function in all three + authorization models: agent, pull, and push [2]. + + 2) The rule based engine knows how to evaluate logical formulas and + how to parse AAA requests. + + 3) The Generic AAA server has no knowledge whatsoever about the + application specific services so the application specific + information it forwards is opaque to it. + + + + +de Laat, et al. Experimental [Page 10] + +RFC 2903 Generic AAA Architecture August 2000 + + + 4) Communication types 1, 2, and 3 each present their own naming + space problems. Solving these problems is fundamental to + forwarding AAA messages, locating application specific entities, + and locating applicable rules in the rule repositories. + + 5) A standard AAA protocol for use in communication type 1 should be + a peer-to-peer protocol without imposing client and server roles + on the communicating entities. + + 6) A standard AAA protocol should allow information units for + multiple different services belonging to multiple different + applications in multiple different administrative domains to be + combined in a single AAA protocol message. + +2.4. Suggestions for Future Work + + It is hoped that by using this generic model it will be feasible to + design a AAA protocol that is "future proof", in a sense, because + much of what we do not think about now can be encoded as application + specific information and referenced by policy rules stored in a + policy repository. From this model, some generic requirements arise + that will require some further study. For example, suppose a new + user is told that somewhere on a specific AAA server a certain + authorization can be obtained. The user will need a AAA protocol + that can: + + 1) send a query to find out which authorizations can be obtained from + a specific server, + + 2) provide a mechanism for determining what components must be put in + an AAA request for a specific authorization, and + + 3) formulate and transmit the authorization request. + + Some areas where further work is particularly needed are in + identifying and designing the generic components of a AAA protocol + and in determining the basis upon which component forwarding and + policy retrieval decisions are made. + + In addition to these areas, there is a need to explore the management + of rules in a multi-domain AAA environment because the development + and future deployment of a generic multi-domain AAA infrastructure is + largely dependent on its manageability. Multi-domain AAA + environments housing many rules distributed over several AAA servers + quickly become unmanageable if there is not some form of automated + rule creation and housekeeping. Organizations that allow their + services to be governed by rules, based on some form of commercial + contract, require the contract to be implemented with the least + + + +de Laat, et al. Experimental [Page 11] + +RFC 2903 Generic AAA Architecture August 2000 + + + possible effort. This can, for example, be achieved in a scalable + fashion if the individual user or user organization requesting a + service is able to establish the service itself. This kind of + interaction requires policy rule establishment between AAA servers + belonging to multiple autonomous administrative domains. + +3. Layered AAA Protocol Model + + In the previous section, we proposed the idea of a generic AAA server + with an interface to one or more Application Specific Modules (ASMs). + The generic server would handle many common functions including the + forwarding of AAA messages between servers in different + administrative domains. We envision message transport, hop-by-hop + security, and message forwarding as clearly being functions of the + generic server. The application specific modules would handle all + application specific tasks such as communication with service + equipment and access to special purpose databases. Between these two + sets of functions is another set of functions that presumably could + take place in either the generic server or an ASM or possibly by a + collaboration of both. These functions include the evaluation of + authorization rules against data that may reside in various places + including attributes from the authorization request itself. The more + we can push these functions down into the generic server, the more + powerful the generic server can be and the simpler the ASMs can be. + + One way of organizing the different functions mentioned above would + be to assign them to a layered hierarchy. In fact, we have found the + layer paradigm to be a useful one in understanding AAA functionality. + This section explores the use of a layered hierarchy consisting of + the following AAA layers as a way of organizing the AAA functions: + + Application Specific Service Layer + Presentation Service Layer + Transaction/Session Management Service Layer + Reliable/Secure Transport Service Layer + + Nevertheless, the interface between the generic AAA server and the + ASMs proposed in the previous section may be more complex than a + simple layered model would allow. Even the division of functionality + proposed in this section goes beyond a strict understanding of + layering. Therefore this paper can probably best be understood as + the beginnings of a work to understand and organize the common + functionality required for a general purpose AAA infrastructure + rather than as a mature reference model for the creation of AAA + protocols. + + + + + + +de Laat, et al. Experimental [Page 12] + +RFC 2903 Generic AAA Architecture August 2000 + + + In our view of AAA services modeled as a hierarchy of service layers, + there is a set of distributed processes at each service layer that + cooperate and are responsible for implementing that service layer's + functions. These processes communicate with each other using a + protocol specialized to carry out the functions and responsibilities + assigned to their service layer. The protocol at service layer n + communicates to its peers by depending on the services available to + it from service layer n-1. The service layer n also has a protocol + end point address space, through which the peer processes at service + layer n can send messages to each other. Together, these AAA service + layers can be assembled into an AAA protocol stack. + + The advantage of this approach is that there is not just one + monolithic "AAA protocol". Instead there is a suite of protocols, + and each one is optimized to solve the problems found at its layer of + the AAA protocol stack hierarchy. + + This approach realizes several key benefits: + + - The protocol used at any particular layer in the protocol stack + can be substituted for another functionally equivalent protocol + without disrupting the services in adjacent layers. + + - Requirements in one layer may be met without impact on protocols + operating in other layers. For example, local security + requirements may dictate the substitution of stronger or weaker + "reliable secure transport" layer security algorithms or + protocols. These can be introduced with no change or awareness of + the substitution by the layers above the Reliable/Secure Transport + layer. + + - The protocol used for a given layer is simpler because it is + focused on a specific narrow problem that is assigned to its + service layer. In particular, it should be feasible to leverage + existing protocol designs for some aspects of this protocol stack + (e.g. CORBA GIOP/CDR for the presentation layer). + + - A legacy AAA protocol message (e.g. a RADIUS message) can be + encapsulated within the protocol message(s) of a lower layer + protocol, preserving the investment of a Service Provider or User + Home Organization in their existing AAA infrastructure. + + - At each service layer, a suite of alternatives can be designed, + and the service layer above it can choose which alternative makes + sense for a given application. However, it should be a primary + goal of the AAA protocol standardization effort to specify one + mandatory to implement protocol at the AAA Transaction/Session + Management (AAA-TSM) service layer (see section 3.4). + + + +de Laat, et al. Experimental [Page 13] + +RFC 2903 Generic AAA Architecture August 2000 + + +3.1. Elements of a Layered Architecture + + At each layer of a layered architecture, a number of elements need to + be defined. These elements are discussed in the following sections. + +3.1.1. Service Layer Abstract Interface Primitives + + The service layer n is assumed to present a program interface through + which its adjacent service layer n+1 can access its services. The + types of abstract program service primitives and associated + parameters exchanged across the boundary between these service layers + must be specified. + +3.1.2. Service Layer Peer End Point Name Space + + Each service layer is treated as a set of cooperating processes + distributed across multiple computing systems. The service layer + must manage an end point name space that identifies these peer + processes. The conventions by which a service layer assigns a unique + end point name to each such peer process must be specified. + +3.1.3. Peer Registration, Discovery, and Location Resolution + + Along with defining an end point name space, a service layer must + also specify how its peers: + + - announce their presence and availability, + + - discover one another when they first begin operation, and + + - detect loss of connectivity or service withdrawal. + + It is also necessary to specify what mechanisms, if any, exist to + resolve a set of service layer specific search attributes into one or + more peer end point names that match the search criteria. + +3.1.4. Trust Relationships Between Peer End Points + + Once an end point has established its initial contact with another + peer, it must decide what authentication policy to adapt. It can + trust whatever authentication was done on its behalf by a lower + service layer or, through a pre-provisioning process, implicitly + trust the peer, or else go through an authentication process with its + peer. The supported mechanisms for establishing a service layer's + end point trust relationships must be specified. + + + + + + +de Laat, et al. Experimental [Page 14] + +RFC 2903 Generic AAA Architecture August 2000 + + +3.1.5. Service Layer Finite State Machine + + To the extent that a service layer's internal states are externally + visible, the layer's behavior in terms of a Finite State Machine + (FSM) should be specified. Events that can drive the FSM state + transitions may include: + + - service layer n+1 interface primitive requests + + - protocol data unit arrivals from peer service layer n end points + received through the layer n-1 access point + + - service layer n-1 interface primitives (e.g. call backs or + interrupts) + + - timer expirations + +3.1.6. Protocol Data Unit Types + + Each service layer defines a lexicon of protocol data units (PDUs) + that communicate between the layer's peer processes the information + that controls and/or monitors that service layer's distributed state + and allows the service processes of that layer to perform their + functions. Embedded in the PDUs of each layer are the PDUs of the + higher layers which depend on its services. The PDUs of each service + layer must be specified. + +3.2. AAA Application Specific Service Layer + + AAA applications have almost unlimited diversity, but imposing some + constraints and commonality is required for them to participate in + this generic AAA architectural framework. To satisfy these + constraints, participating AAA applications would derive their + application specific program logic from a standardized "Authorization + Server" abstract base object class. They would also support an + "Authorized Session" object class. An Authorization Session object + instance represents an approved authorization request that has a + long-lived allocation of services or resources. The generic AAA + architecture could be extended to include other abstract base object + classes in the future (e.g. Authorization Reservation, Authentication + Server, etc.). How to implement the derived Authorization Server + class's public methods for a given problem domain is entirely up to + the application. One technique might be to place a software + "wrapper" around an existing embedded application specific service to + adapt it to the standardized Authorization Server object paradigm. + The major Authorization Server class methods are: + + + + + +de Laat, et al. Experimental [Page 15] + +RFC 2903 Generic AAA Architecture August 2000 + + + - Publish an advertisement that describes the Authorization Server's + service attributes and its application specific service layer end + point address. Once the Authorization Server has registered, peer + processes can discover its presence or send messages addressed to + it. + + - Application Specific Authorization Decision Function (AS-ADF) + method takes a User's application specific authorization request + and returns a decision of approve, deny, or conditionally approve + with referral to another stakeholder. In the latter case, the + application may create a reservation for the requested services or + resources. This method represents the "condition" side of a + policy rule's condition/action pair. + + - Commit a service or set of resources to a previously conditionally + approved authorization decision. For those authorization requests + that have a long-term lifecycle (as opposed to being + transactions), this method mobilizes a reservation into an + Authorized Session object instance. This method represents the + "action" side of a policy rule's condition/action pair. + + - Cancel a previously conditionally approved Authorization request. + This method releases any associated reservations for services or + resources. + + - Withdraw the Authorization Server's service advertisement. + + A key motivation for structuring an AAA application as an + Authorization Server object instance is to separate the generic + authorization decision logic from the application-specific + authorization decision logic. In many cases, the application can be + divorced from the AAA problem altogether, and its AAA responsibility + can be assigned to an external rules based generic AAA Server. (The + idea is similar to that of a trust management policy server as + defined in [5].) This would facilitate a security administrator + deploying AAA policy in a central repository. The AAA policy is + applied consistently across all users of the applications, resources, + and services controlled by the AAA server. However, it is recognized + that for many problem domains, there are unique rules intrinsic to + the application. In these cases, the generic AAA Server must refer + the User's authorization request to the relevant Application Specific + Module. + +3.3. Presentation Service Layer + + The presentation service layer solves the data representation + problems that are encountered when communicating peers exchange + complex data structures or objects between their heterogeneous + + + +de Laat, et al. Experimental [Page 16] + +RFC 2903 Generic AAA Architecture August 2000 + + + computing systems. The goal is to transfer semantically equivalent + application layer data structures regardless of the local machine + architecture, operating system, compiler, or other potential inter- + system differences. + + One way to better understand the role of the presentation layer is to + evaluate an existing example. The Generic Inter-ORB Protocol (GIOP) + and its Common Data Representation (CDR) is a presentation service + layer protocol developed by the Object Management Group (OMG) + industry consortium. GIOP is one component within the Common Object + Request Broker Architecture (CORBA). Peer Object Request Brokers + (ORB) executing on heterogeneous systems use GIOP to invoke remote + CORBA object interface methods. GIOP encodes an object method's + input and output parameters in the Common Data Representation (CDR). + While there are other presentation service layer protocols in the + industry, GIOP in combination with CDR represents a mature, + comprehensive solution that exhibits many of the presentation service + layer requirements that are applicable within the AAA protocol model. + + In the context of Internet access AAA protocols, RADIUS and its + successors use the Attribute Value Pair (AVP) paradigm as the + presentation service layer encoding scheme. While such an approach + is versatile, it is also prone to becoming splintered into many ad + hoc and vendor specific dialects. There is no structure imposed or + method to negotiate the constraints on which AVPs are combined and + interpreted for a given conversation in a consistent way across AAA + protocol implementations or problem domains. At run-time, it can be + hard for the communicating peers to negotiate to a common inter- + operable set of AVPs. + + To avoid this pitfall, a primary presentation service layer + responsibility is the ability to let peers negotiate from a base + Authorization Server object class towards a commonly understood + derived Authorization Server object class that both presentation + service layer peers have implemented for their application specific + problem domain. This negotiation implies a requirement for a + globally registered and maintained presentation service layer + hierarchy of Authorization Server object class names. + +3.4. AAA Transaction/Session Management Service Layer + + The AAA Transaction/Session Management (AAA-TSM) service layer is a + distributed set of AAA Servers, which typically reside in different + administrative domains. Collectively they are responsible for the + following three services: + + + + + + +de Laat, et al. Experimental [Page 17] + +RFC 2903 Generic AAA Architecture August 2000 + + + Authentication -- Execute the procedure(s) needed to confirm the + identity of the other parties with which the AAA TSM entity has a + trust relationship. + + Authorization -- Make an authorization decision to grant or deny a + User's request for services or resources. The generic rules based + policy engine described earlier in this document executes the + authorization decision function. When the User's request is + instantaneous and transient, then its authorization approval is + treated as an ephemeral transaction. If the authorization + approval implies a sustained consumption of a service or + resources, then the request is transformed into an Authorized + Session. For the duration of the Authorized Session's lifetime: + + - its state may be queried and reported, or + + - it may be canceled before service is completed, or + + - the service being delivered may be modified to operate under + new parameters and conditions, or + + - the service may complete on its own accord. + + In each of these cases, the AAA-TSM service layer must synchronize + the Authorized Session's distributed state across all of those AAA + Servers which are implementing that specific Authorized Session. + + Accounting -- Generate any relevant accounting information regarding + the authorization decision and the associated Authorized Session + (if any) that represents the ongoing consumption of those services + or resources. + + The peer AAA servers and their AAA-TSM end points exchange AAA-TSM + messages to realize these AAA functions. A central AAA-TSM concept + is that there is a set of one or more AAA Server stakeholders who are + solicited to approve/disapprove a User request for application layer + services. The AAA-TSM service layer routes the User's request from + one stakeholder to the next, accumulating the requisite approvals + until they have all been asked to make an authorization decision. + + The AAA Servers may also do User authentication (or re- + authentication) as part of this approval process. The overall flow + of the routing from one stakeholder to another may take the form of + the "push", "pull", or "agent" authorization models developed in [2]. + However, in principle, it is feasible to have an arbitrary routing + path of an AAA-TSM authorization request among stakeholders. Once the + final approval is received, the AAA-TSM service layer commits the + requested service by notifying all of those stakeholders that require + + + +de Laat, et al. Experimental [Page 18] + +RFC 2903 Generic AAA Architecture August 2000 + + + a confirmation (i.e. turn on a pending reservation and do a + transaction commit). Alternatively, any stakeholder among those on + the consent list can veto the authorization request. In that case, + all stakeholders who previously approved the request and had asked + for a confirmation are told that the request has been denied (i.e., + cancel reservation and do a transaction rollback). + + The AAA-TSM authorization request payload must carry its own "Context + State", such that when an AAA server receives it, there is sufficient + information that it is essentially self-contained. Embedding the + Context State within the AAA-TSM message provides two benefits. + First, the message can be immediately processed with respect to the + AAA Server's local policy, and this minimizes or altogether avoids + the need for the AAA Server to exchange additional AAA-TSM messages + with its peers to complete its piece of the overall authorization + decision. The other benefit is that the AAA Server minimizes the + amount of state information resources that it commits to a user's + pending request until it is fully approved. This helps protect + against denial of service attacks. + + One can envision many possible message elements that could be part of + the Context State carried within an AAA-TSM request message: + + - AAA-TSM session identifier, a unique handle representing this + authorization request. All AAA servers who participate in a + request's approval process and its subsequent monitoring + throughout its Session lifetime refer to this handle. + + - permission lists stating which AAA Servers are allowed to modify + which parts of the message. + + - User's authorization request, encoded as a presentation layer PDU. + + - User authentication information, (e.g. an X.509 public key + certificate). + + - User credentials information, or else a pointer to where that + information can be found by an AAA server. An example of such + credentials would be an X.509 attributes certificate. + + - the list of AAA Server stakeholders who have yet to be visited to + gain full approval of the User's authorization request. Each + element in that list contains a presentation layer message + encoding how the user authorization request should be evaluated by + its application specific Authorization Decision Function (ADF). + + - the current position in the list of AAA Server stakeholders to be + visited. + + + +de Laat, et al. Experimental [Page 19] + +RFC 2903 Generic AAA Architecture August 2000 + + + - a list of those AAA servers which have already conditionally + approved the User's authorization request, but which have + predicated their approval on the request also completing its + approval from those stakeholders who have not yet seen the + request. Each element in the list has a digital signature or + comparable mechanism by which their approval can be subsequently + verified. + + - an expiration time stamp, expressed in a universally understood + time reference, which sets a lifetime limit on the AAA-TSM + message's validity. This offers some replay attack protection, + and inhibits messages from circulating indefinitely seeking the + completion of a request's approval. + + - a message payload modification audit trail, tracing which parties + introduced changes into the User's authorization request terms and + conditions. + + - an AAA-TSM message integrity check, computed across the whole + message rather than its individual elements, and signed by the + most recent AAA-TSM layer end point process to modify the AAA-TSM + message before its transmission to its AAA-TSM peer. This + function may be delegated to the underlying Reliable Secure + Transport layer connection to that destination peer. + +3.5. AAA-TSM Service Layer Program Interface Primitives + + The AAA-TSM service layer and its adjacent presentation service layer + communicate across their boundary through a set of program interface + primitives. A key design goal is to keep these primitives the same + regardless of the higher level AAA application, analogous to a + callable "plug-in". The two service layers are responsible for + coordinating their state information. This responsibility includes + all of the pending Authorization requests and the Authorization + Sessions that they are both controlling and monitoring. The initial + contact between these two layers is through an abstract object that + is called an AAA-TSM Service Access Point (SAP). A particular + service instance between these two layers is realized in an abstract + object that is called an Authorized Session. The presentation + service layer invokes AAA-TSM interface primitives against an AAA-TSM + SAP. + + The AAA-TSM service layer interface primitives can be broadly + characterized as follows: + + - Register a presentation end point address identifier and its + associated set of attributes to a service access point. + + + + +de Laat, et al. Experimental [Page 20] + +RFC 2903 Generic AAA Architecture August 2000 + + + - Send a presentation layer message to a specified destination + presentation layer peer end point address. + + - Receive a presentation layer message from another presentation + layer end point address. A receive operation may select a + specific originating presentation layer end point address from + which the message is expected, or receive a message from any + presentation layer peer. + + - The AAA-TSM service layer calls an application specific + authorization decision function, which returns a condition code + expressing an approval, denial, or partially approves with a + referral to another AAA Server. + + - AAA-TSM service layer tells the presentation layer to commit an + earlier partially approved authorization request. + + - Cancel an earlier partially approved authorization request (i.e. + rollback). + + - The presentation service layer notifies the AAA-TSM service layer + that it has terminated an in-progress Authorized Session. + + - AAA-TSM service layer notifies the presentation service layer that + another presentation service layer peer has terminated an + Authorized Session. + + - Un-register a presentation service layer end point address. + +3.6. AAA-TSM Layer End Point Name Space + + The AAA-TSM service layer end point name space is the N-tuple formed + by concatenating the following components: + + - AAA Server's Reliable/Secure Transport layer end point address + + - AAA-TSM authorization request serial number, a unique durable + unsigned integer generated by the AAA Server who first receives + the User's authorization request. + + Some AAA applications may require that each assigned AAA-TSM + transaction serial number be stored in persistent storage, and + require that it be recoverable across AAA Server system re-boots. + The serial number generation algorithm must be guaranteed unique even + if the AAA Server does a re-boot. + + + + + + +de Laat, et al. Experimental [Page 21] + +RFC 2903 Generic AAA Architecture August 2000 + + +3.7. Protocol Stack Examples + + The layering paradigm makes it possible to use the most appropriate + syntax for each application for encoding the Application Specific + Information units of that application. This encoding would take + place at the presentation layer. Similarly the application layer can + recognize the semantics specific to each application. Figure 6 + illustrates some possible AAA protocol stacks. + + +------------++------------++-----------++-----------++----------+ + | || Application|| E-Commerce|| Bandwidth || Roaming &| + | AAA || specific || Internet || Broker || mobile IP| + | Application||object class|| Open ||cross-admin|| remote | + | Service || interface || Trading || domain || access | + | Layer ||specified in|| Protocol || COPS || AVP | + | || CORBA IDL || (IOTP) || extensions|| lexicons | + +------------++------------++-----------++-----------++----------+ + | || CORBA ||Extensible || Common || DIAMETER | + |Presentation|| Generic || Markup || Open || or | + | Service || Inter-ORB || Language || Policy || RADIUS | + | Layer || Protocol || (XML) ||Specificatn||Attribute | + | || (GIOP) || || (COPS) ||Value/Pair| + +------------++------------++-----------++-----------++----------+ + | AAA-TSM Service Layer Application Program Interface (API) | + +----------------------------------------------------------------+ + | AAA Transaction/Session Management (AAA-TSM) Service Layer | + +----------------------------------------------------------------+ + | Reliable Secure Transport Layer | + +----------------------------------------------------------------+ + + Fig. 6 -- Possible AAA Protocol Stacks + +4. Security Considerations + + Security considerations for the framework on which the work described + in this memo is based are discussed in [2]. Security requirements + for authorization are listed in section 2.2 of [3]. + + This memo identifies a basic set of AAA functions that are general in + nature and common to many different AAA applications. We propose + that a standard set of security mechanisms should be defined as part + of a base AAA protocol which would include such things as public key + encryption and digital signatures that could be applied to individual + information units within an AAA message. Security with this + granularity is needed to meet the end-to-end security requirement + specified in section 2.2.7 of [3] because a single AAA message may + + + + + +de Laat, et al. Experimental [Page 22] + +RFC 2903 Generic AAA Architecture August 2000 + + + contain multiple information units each generated by AAA servers from + different administrative domains and destined to AAA servers in + different domains. + + In addition, it may be necessary to encrypt or sign an entire AAA + message on a hop-by-hop basis. This could be handled by a standard, + lower layer protocol such as IPSEC. If so, then certain auditing + requirements will have to be met so that it can be established later + that the messages relative to some specific session ID were, in fact, + protected in a particular way. Alternatively, hop-by-hop security + mechanisms may be built into the base AAA protocol itself. + +Glossary + + Application Specific Information (ASI) -- information in an AAA + protocol message that is specific to a particular application. + + Application Specific Module (ASM) -- a software module that + implements a program interface to a generic AAA server which + handles application specific functionality for an AAA protocol + message. + + Service Provider -- an organization which provides a service. + + User -- the entity seeking authorization to use a resource or a + service. + + User Home Organization (UHO) -- An organization with whom the User + has a contractual relationship which can authenticate the User and + may be able to authorize access to resources or services. + + + + + + + + + + + + + + + + + + + + + +de Laat, et al. Experimental [Page 23] + +RFC 2903 Generic AAA Architecture August 2000 + + +References + + [1] Bradner, S., "The Internet Standards Process -- Revision 3", BCP + 9, RFC 2026, October 1996. + + [2] Vollbrecht, J., Calhoun, P., Farrell, S., Gommans, L., Gross, + G., de Bruijn, B., de Laat, D., Holdrege, M. and D. Spence, "AAA + Authorization Framework", RFC 2904, August 2000. + + [3] Vollbrecht, J., Calhoun, P., Farrell, S., Gommans, L., Gross, + G., de Bruijn, B., de Laat, C., Holdrege, M. and D. Spence, "AAA + Authorization Application Examples", RFC 2905, August 2000. + + [4] Farrell, S., Vollbrecht, J., Calhoun, P., Gommans, L., Gross, + G., de Bruijn, B., de Laat, C., Holdrege, M. and D. Spence, "AAA + Authorization Requirements", RFC 2906, August 2000. + + [5] Blaze, M., Feigenbaum, J., Ioannidis, J. and A. Keromytis, "The + KeyNote Trust-Management System Version 2", RFC 2704, September + 1999. + +Authors' Addresses + + Cees T.A.M. de Laat + Physics and Astronomy dept. + Utrecht University + Pincetonplein 5, + 3584CC Utrecht + Netherlands + + Phone: +31 30 2534585 + Phone: +31 30 2537555 + EMail: delaat@phys.uu.nl + + + George M. Gross + Lucent Technologies + 184 Liberty Corner Road, m.s. LC2N-D13 + Warren, NJ 07059 + USA + + Phone: +1 908 580 4589 + Fax: +1 908-580-4991 + EMail: gmgross@lucent.com + + + + + + + +de Laat, et al. Experimental [Page 24] + +RFC 2903 Generic AAA Architecture August 2000 + + + Leon Gommans + Enterasys Networks EMEA + Kerkplein 24 + 2841 XM Moordrecht + The Netherlands + + Phone: +31 182 379279 + email: gommans@cabletron.com + or at University of Utrecht: + l.h.m.gommans@phys.uu.nl + + + John R. Vollbrecht + Interlink Networks, Inc. + 775 Technology Drive, Suite 200 + Ann Arbor, MI 48108 + USA + + Phone: +1 734 821 1205 + Fax: +1 734 821 1235 + EMail: jrv@interlinknetworks.com + + + David W. Spence + Interlink Networks, Inc. + 775 Technology Drive, Suite 200 + Ann Arbor, MI 48108 + USA + + Phone: +1 734 821 1203 + Fax: +1 734 821 1235 + EMail: dspence@interlinknetworks.com + + + + + + + + + + + + + + + + + + + +de Laat, et al. Experimental [Page 25] + +RFC 2903 Generic AAA Architecture August 2000 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2000). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +de Laat, et al. Experimental [Page 26] + -- cgit v1.2.3