Internet Engineering Task Force                          Mark A. Beadles
INTERNET-DRAFT                                WorldCom Advanced Networks
Category: Informational
                                                           7 August 1998

                       The Network Access Server

1. Status of this Memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
   ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

   The distribution of this memo is unlimited. It is filed as and
   expires February 7, 1999. Please send comments to the author.

2. Abstract

   The Network Access Server is the initial entry point to a network for
   the majority of users of network services.
   It is the first device in the network to provide services to an end
   user, and acts as a gateway for all further services. As such, its
   importance to users and service providers alike is paramount.
   However, the concept of a Network Access Server has grown up over the
   years without being formally defined. This document offers a
   framework for the definition of a modern Network Access Server.

3. Definition of a Network Access Server

   A Network Access Server is a device which sits on the edge of a
   network, and provides access to services on that network in a
   controlled fashion, based on the identity of the user of the network
   services in question. Examples of a network access server include:

      A text-mode terminal server.

      A remote access server which provides access to a private network
      via attached modems which are directly dialed by the user.

      A tunneling server which sits at the border of a protected
      network, and acts as a gateway for users to enter the protected
      network from the Internet.

      A shared commercial dial access server operated by a Network
      Service Provider, where incoming users connect via modems operated
      by a Telephone Service Provider, and access is provided to many
      dissimilar private and public networks.

   Note that there are many things that a Network Access Server is not.
   A NAS is not simply a router, although it will typically include
   routing functionality. A NAS is not necessarily a dial access server,
   although dial access is one common means of network access.

   A NAS is the first device in the network to provide services to an
   end user, and acts as a gateway for all further services. It is the
   point at which users are authenticated, access policy is enforced,
   network services are authorized, network usage is audited, and
   resource consumption is tracked.
   That is, a NAS acts as the enforcement point for network AAAA
   (authentication, authorization, accounting, and auditing) services.
   A NAS is typically the first place in a network where security
   measures may be implemented.

4. Interested parties

   The following are examples of parties who are concerned with the
   operation of Network Access Servers. This list is by no means
   exhaustive.

      Network Service Providers (NSPs) who operate and manage NAS's,
      AAAA servers, policy servers, and networks; and who provide
      network services to end users.

      End users who gain access to their private and public networks
      through NAS's.

      Businesses and other entities who operate NAS's for their users'
      public and private network access, or who outsource the operation
      and management of NAS's to a NSP.

      Telephone Service Providers (TSPs) who operate and manage modems
      and telephony networks; and who provide telephony services to end
      users, NSPs, and businesses.

      Manufacturers of NAS's, AAAA servers, policy servers, modems, etc.

5. Reference Model of a NAS

   For reference in the following discussion, a diagram of a NAS, its
   dependencies, and its interfaces is given below. This diagram is
   intended as an abstraction of a NAS as a reference model, and is not
   intended to represent any particular NAS implementation.
                                  Users
                             v v v v v v v
                             | |  PSTN  | |
                             | |   or   | |
                             | |encapsulated| |
                        +-----------------+
                        |    (Modems)     |
                        +-----------------+
                         | | | | | | |
                         | | | | | | |
                         | | | | | | |
                   +--+----------------------------+
                   |  |                            |
                   |N |      Client Interface      |
                   |  |                            |
                   |A +----------Routing ----------+
                   |  |                            |
                   |S |      Network Interface     |
                   |  |                            |
                   +--+----------------------------+
                           /         |         \
                          /          |          \
                         /           |           \
                        /            |            \
     USER MANAGEMENT   /             |             \   DEVICE MANAGEMENT
    +---------------+                |               +-------------------+
    | Authentication|              _/^\_             |Device Provisioning|
    +---------------+            _/     \_           +-------------------+
    | Authorization |          _/         \_         |Device Monitoring  |
    +---------------+        _/             \_       +-------------------+
    | Accounting    |       /      The        \
    +---------------+       \_   Network(s)  _/
    | Auditing      |         \_           _/
    +---------------+           \_       _/
                                  \_   _/
                                    \_/

5.1. Terminology

   Following is a description of the modules and interfaces in the
   reference model for a NAS given above:

   Client Interfaces
      A NAS has one or more client interfaces, which provide the
      interface to the end users who are requesting network access.
      Users may connect to these client interfaces via modems over a
      PSTN, via tunnels over a data network, or by some other means.

   Network Interfaces
      A NAS has one or more network interfaces, which connect to the
      networks to which access is being granted.

   Routing
      If the network to which access is being granted is a routed
      network, then a NAS will typically include routing functionality.

   User Management Interface
      A NAS provides an interface which allows access to network
      services to be managed on a per-user basis. This interface may be
      a configuration file, a graphical user interface, an API, or a
      protocol such as RADIUS [1]. This interface provides a mechanism
      for granular resource management and policy enforcement.
   Authentication
      Authentication refers to the confirmation that a user who is
      requesting services is a valid user of the network services
      requested. Authentication is accomplished via the presentation of
      an identity and credentials. Examples of types of credentials are
      passwords, one-time tokens, digital certificates, and phone
      numbers (calling/called).

   Authorization
      Authorization refers to the granting of specific types of service
      (including "no service") to a user, based on their
      authentication, what services they are requesting, and the
      current system state. Authorization may be based on restrictions,
      for example time-of-day restrictions, or physical location
      restrictions, or restrictions against multiple logins by the same
      user. Authorization determines the nature of the service which is
      granted to a user. Examples of types of service include, but are
      not limited to: IP address filtering, address assignment, route
      assignment, QoS/differential services, bandwidth control/traffic
      management, compulsory tunneling to a specific endpoint, and
      encryption.

   Accounting
      Accounting refers to the tracking of the consumption of NAS
      resources by users. This information may be used for management,
      planning, billing, or other purposes. Real-time accounting refers
      to accounting information that is delivered concurrently with the
      consumption of the resources. Batch accounting refers to
      accounting information that is saved until it is delivered at a
      later time. Typical information that is gathered in accounting is
      the identity of the user, the nature of the service delivered,
      when the service began, and when it ended.

   Auditing
      Auditing refers to the tracking of activity by users.
      As opposed to accounting, where the purpose is to track
      consumption of resources, the purpose of auditing is to determine
      the nature of a user's network activity. Examples of auditing
      information include the identity of the user, the nature of the
      services used, what hosts were accessed when, what protocols were
      used, etc.

   AAAA Server
      An AAAA Server is a server or servers that provide
      authentication, authorization, accounting, and auditing services.
      These may be colocated with the NAS, or more typically, are
      located on a separate server and communicate with the NAS's User
      Management Interface via an AAAA protocol. The four AAAA functions
      may be located on a single server, or may be broken up among
      multiple servers.

   Device Management Interface
      A NAS is a network device which is owned, operated, and managed
      by some entity. This interface provides a means for this entity
      to operate and manage the NAS. This interface may be a
      configuration file, a graphical user interface, an API, or a
      protocol such as SNMP [2].

   Device Monitoring
      Device monitoring refers to the tracking of status, activity, and
      usage of the NAS as a network device.

   Device Provisioning
      Device provisioning refers to the configurations, settings, and
      control of the NAS as a network device.

6. Security Considerations

   As mentioned, a NAS is typically the first place in a network where
   security measures may be implemented. Also, since a NAS is often a
   shared device, its various interfaces (client, user management, and
   device management) may need to be secured by integrity and/or
   confidentiality measures.

7. References

   [1] Rigney, C., Rubens, A., Simpson, W., and S. Willens, "Remote
       Authentication Dial In User Service (RADIUS)", RFC 2138,
       Livingston, Merit, Daydreamer, April 1997.

   [2] Case, J., Fedor, M., Schoffstall, M., and J.
       Davin, "A Simple Network Management Protocol (SNMP)", RFC 1157,
       SNMP Research, Performance Systems International, Performance
       Systems International, and MIT Laboratory for Computer Science,
       May 1990.

8. Author's Address

   Mark A. Beadles
   WorldCom Advanced Networks
   5000 Britton Rd.
   Hilliard, OH 43026

   Phone: 614-723-1941
   EMail: mbeadles@wcom.net
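The following is an added worked example, not part of the draft and not code from any NAS product: a minimal Python model of the AAAA enforcement point described in Sections 3 and 5.1. It authenticates a user by identity and credential, authorizes against per-user time-of-day and multiple-login restrictions, emits start/stop accounting records either in real time or saved for batch delivery, and keeps a separate audit trail of which hosts and protocols a user touched. The user table, the per-user policies and service attributes, and the record formats are constructed assumptions chosen only to exercise the concepts; a real NAS would obtain them from its User Management Interface (for example from a RADIUS server).

```python
"""Toy NAS acting as the AAAA enforcement point (added illustration).

All users, credentials, policies and record layouts below are constructed
for the example; they are not taken from the draft or from any product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import hashlib
import hmac

SALT = b"example-salt"  # constructed; a deployment would use a per-user random salt


def _hash(password: str) -> bytes:
    """Derive a credential hash so the NAS never stores cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


@dataclass
class UserPolicy:
    credential: bytes
    allowed_hours: range = range(0, 24)          # time-of-day restriction
    max_sessions: int = 1                         # restriction on multiple logins
    services: dict = field(default_factory=dict)  # what is granted on success


# Constructed user table standing in for the AAAA server's policy store.
USERS = {
    "alice": UserPolicy(_hash("correct horse"), range(8, 18), 1,
                        {"ip_filter": "corp-only", "bandwidth_kbps": 512}),
    "bob": UserPolicy(_hash("hunter2"), range(0, 24), 2,
                      {"tunnel_endpoint": "vpn.example.net"}),
}


@dataclass
class Session:
    user: str
    start: datetime
    services: dict
    end: Optional[datetime] = None


class NAS:
    def __init__(self):
        self.active: list = []      # sessions currently consuming resources
        self.accounting: list = []  # real-time accounting, delivered as it happens
        self.batch: list = []       # batch accounting, saved for later delivery
        self.audit: list = []       # auditing: the nature of user activity

    def authenticate(self, user: str, password: str) -> bool:
        """Confirm identity + credential; always audit the attempt."""
        policy = USERS.get(user)
        # Hash even for unknown users so failures take roughly equal time.
        expected = policy.credential if policy else _hash("")
        ok = policy is not None and hmac.compare_digest(expected, _hash(password))
        self.audit.append({"user": user, "event": "auth", "ok": ok})
        return ok

    def authorize(self, user: str, now: datetime):
        """Apply restrictions and decide which services are granted."""
        policy = USERS[user]
        if now.hour not in policy.allowed_hours:
            return None, "time-of-day"
        if sum(s.user == user for s in self.active) >= policy.max_sessions:
            return None, "max-sessions"
        return dict(policy.services), "ok"

    def connect(self, user: str, password: str, now: datetime):
        """Client-interface entry point: authenticate, authorize, start accounting."""
        if not self.authenticate(user, password):
            return None, "auth-failed"
        services, reason = self.authorize(user, now)
        if services is None:
            self.audit.append({"user": user, "event": "authz-denied", "why": reason})
            return None, reason
        session = Session(user, now, services)
        self.active.append(session)
        self.accounting.append({"user": user, "event": "start",
                                "at": now.isoformat(), "services": services})
        return session, "ok"

    def record_activity(self, session: Session, host: str, proto: str, now: datetime):
        """Auditing: what host was accessed, with which protocol, and when."""
        self.audit.append({"user": session.user, "host": host,
                           "protocol": proto, "at": now.isoformat()})

    def disconnect(self, session: Session, now: datetime, realtime: bool = True) -> dict:
        """End the session; the stop record goes to real-time or batch accounting."""
        session.end = now
        self.active.remove(session)
        rec = {"user": session.user, "event": "stop", "at": now.isoformat(),
               "duration_s": int((now - session.start).total_seconds())}
        (self.accounting if realtime else self.batch).append(rec)
        return rec

    def flush_batch(self) -> list:
        """Deliver saved batch accounting records and clear the queue."""
        out, self.batch = self.batch, []
        return out


if __name__ == "__main__":
    nas = NAS()
    t0 = datetime(1998, 8, 7, 9, 0, tzinfo=timezone.utc)
    session, why = nas.connect("alice", "correct horse", t0)
    print("connect:", why, session.services)
    print("second login:", nas.connect("alice", "correct horse", t0)[1])
    nas.record_activity(session, "10.0.0.5", "telnet", t0)
    print("stop:", nas.disconnect(session, datetime(1998, 8, 7, 9, 30, tzinfo=timezone.utc)))
```

The `authorize` step is where the draft's "including no service" outcome appears: a valid user can still be refused because of the current system state (an existing session) or a policy restriction (time of day), and that refusal is itself audited, while accounting only ever sees sessions that actually consumed resources.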