Internet Engineering Task Force                          Mark A. Beadles
INTERNET-DRAFT                             MCI WorldCom Advanced Networks
Category: Informational
                                                        12 November 1998

                       The Network Access Server

1. Status of this Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference material or
   to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
   ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

   The distribution of this memo is unlimited.  It is filed as
   <draft-beadles-nas-01.txt> and expires May 13, 1999.  Please send
   comments to the author.

2. Abstract

   The Network Access Server is the initial entry point to a network for
   the majority of users of network services.  It is the first device in
   the network to provide services to an end user, and acts as a gateway
   for all further services.  As such, its importance to users and
   service providers alike is paramount.  However, the concept of a
   Network Access Server has grown up over the years without being
   formally defined or analyzed.  This document offers a framework for
   the definition and analysis of a modern Network Access Server.

3. Definition of a Network Access Server

   A Network Access Server is a device which sits on the edge of a
   network, and provides access to services on that network in a
   controlled fashion, based on the identity of the user of the network
   services in question and on the policy of the provider of these
   services.  For the purposes of this document, a Network Access Server
   is defined as a device which accepts multiple point-to-point [PPP]
   links on one set of interfaces, providing access to a routed network
   or networks on another set of interfaces.  Examples of a network
   access server include:

      A remote access server which provides access to a private network
      via attached modems which are directly dialed by the user.
      A tunneling server which sits at the border of a protected
      network, and acts as a gateway for users to enter the protected
      network from the Internet.

      A shared commercial dial access server operated by a Network
      Service Provider, where incoming users connect via modems operated
      by a Telephone Service Provider, and access is provided to many
      dissimilar private and public networks.

   Note that there are many things that a Network Access Server is not.
   A NAS is not simply a router, although it will typically include
   routing functionality.  However, the boundary between NAS and router
   is admittedly fuzzy.  A NAS is not necessarily a dial access server,
   although dial access is one common means of network access, and
   brings its own particular set of requirements to NAS's.

   A NAS is the first device in the network to provide services to an
   end user, and acts as a gateway for all further services.  It is the
   point at which users are authenticated, access policy is enforced,
   network services are authorized, network usage is audited, and
   resource consumption is tracked.  That is, a NAS often acts as the
   policy enforcement point for network AAAA (authentication,
   authorization, accounting, and auditing) services.  A NAS is
   typically the first place in a network where security measures and
   policy may be implemented.

4. Interested parties

   The following are examples of parties who are concerned with the
   operation of Network Access Servers.  This list is by no means
   exhaustive.

      Network Service Providers (NSPs) who operate and manage NAS's,
      AAAA servers, policy servers, and networks; and who provide
      network services to end users.

      End users who gain access to their private and public networks
      through NAS's.

      Businesses and other entities who operate NAS's for their users'
      public and private network access, or who outsource the operation
      and management of NAS's to an NSP.
      Telephone Service Providers (TSPs) who operate and manage modems
      and telephony networks; and who provide telephony services to end
      users, NSP's, and businesses.

      Manufacturers of NAS's, AAAA servers, policy servers, modems, etc.

5. Reference Model of a NAS

   For reference in the following discussion, a diagram of a NAS, its
   dependencies, and its interfaces is given below.  This diagram is
   intended as an abstraction of a NAS as a reference model, and is not
   intended to represent any particular NAS implementation.

                          Users
                v   v   v   v   v   v   v
                |   |     PSTN      |   |
                |   |       or      |   |
                |   |  encapsulated |   |
               +-------------------------+
               |        (Modems)         |
               +-------------------------+
                |   |   |   |   |   |   |
            +--+----------------------------+
            |  |                            |
            |N |      Client Interface      |
            |  |                            |
            |A +----------Routing ----------+
            |  |                            |
            |S |      Network Interface     |
            |  |                            |
            +--+----------------------------+
                       /    |    \
                      /     |     \
                     /      |      \
                    /       |       \
POLICY MANAGEMENT  /        |        \  DEVICE MANAGEMENT
+---------------+           |           +-------------------+
| Authentication|         _/^\_         |Device Provisioning|
+---------------+       _/     \_       +-------------------+
| Authorization |     _/         \_     |Device Monitoring  |
+---------------+   _/             \_   +-------------------+
| Accounting    |  /      The        \
+---------------+  \_  Network(s)   _/
| Auditing      |    \_           _/
+---------------+      \_       _/
                         \_   _/
                           \_/

5.1. Terminology

   Following is a description of the modules and interfaces in the
   reference model for a NAS given above:

   Client Interfaces
      A NAS has one or more client interfaces, which provide the
      interface to the end users who are requesting network access.
      Users may connect to these client interfaces via modems over a
      PSTN, or via tunnels over a data network.  Two broad classes of
      NAS's may be defined, based on the nature of the incoming client
      interfaces, as follows.
      Note that a single NAS device may serve in both classes:

      Dial Access Servers
         A Dial Access Server is a NAS whose client interfaces consist
         of modems, either local or remote, which are attached to a
         PSTN.

      Tunnel Servers
         A Tunnel Server is a NAS whose client interfaces consist of
         tunneling endpoints in a protocol such as L2TP [L2TP].

   Network Interfaces
      A NAS has one or more network interfaces, which connect to the
      networks to which access is being granted.

   Routing
      If the network to which access is being granted is a routed
      network, then a NAS will typically include routing functionality.

   Policy Management Interface
      A NAS provides an interface which allows access to network
      services to be managed on a per-user basis.  This interface may
      be a configuration file, a graphical user interface, an API, or a
      protocol such as RADIUS [RADIUS], Diameter [DIAMETER], or COPS
      [COPS].  This interface provides a mechanism for granular resource
      management and policy enforcement.

   Authentication
      Authentication refers to the confirmation that a user who is
      requesting services is a valid user of the network services
      requested.  Authentication is accomplished via the presentation
      of an identity and credentials.  Examples of types of credentials
      are passwords, one-time tokens, digital certificates, and phone
      numbers (calling/called).

   Authorization
      Authorization refers to the granting of specific types of service
      (including "no service") to a user, based on their
      authentication, what services they are requesting, and the
      current system state.  Authorization may be based on
      restrictions, for example time-of-day restrictions, or physical
      location restrictions, or restrictions against multiple logins by
      the same user.  Authorization determines the nature of the
      service which is granted to a user.
      Examples of types of service include, but are not limited to: IP
      address filtering, address assignment, route assignment,
      QoS/differential services, bandwidth control/traffic management,
      compulsory tunneling to a specific endpoint, and encryption.

   Accounting
      Accounting refers to the tracking of the consumption of NAS
      resources by users.  This information may be used for management,
      planning, billing, or other purposes.  Real-time accounting refers
      to accounting information that is delivered concurrently with the
      consumption of the resources.  Batch accounting refers to
      accounting information that is saved until it is delivered at a
      later time.  Typical information that is gathered in accounting
      is the identity of the user, the nature of the service delivered,
      when the service began, and when it ended.

   Auditing
      Auditing refers to the tracking of activity by users.  As opposed
      to accounting, where the purpose is to track consumption of
      resources, the purpose of auditing is to determine the nature of
      a user's network activity.  Examples of auditing information
      include the identity of the user, the nature of the services
      used, what hosts were accessed when, what protocols were used,
      etc.

   AAAA Server
      An AAAA Server is a server or servers that provide
      authentication, authorization, accounting, and auditing services.
      These may be co-located with the NAS, or more typically, are
      located on a separate server and communicate with the NAS's
      Policy Management Interface via an AAAA protocol.  The four AAAA
      functions may be located on a single server, or may be broken up
      among multiple servers.

   Device Management Interface
      A NAS is a network device which is owned, operated, and managed
      by some entity.  This interface provides a means for this entity
      to operate and manage the NAS.
      This interface may be a configuration file, a graphical user
      interface, an API, or a protocol such as SNMP [SNMP].

   Device Monitoring
      Device monitoring refers to the tracking of status, activity, and
      usage of the NAS as a network device.

   Device Provisioning
      Device provisioning refers to the configuration, settings, and
      control of the NAS as a network device.

5.2. Analysis

   Following is an analysis of the functions of a NAS using the
   reference model above:

5.2.1. Authentication and Security

   NAS's serve as the first point of authentication for network users,
   providing security to user sessions.  This security is typically
   performed by checking credentials such as a PPP PAP user
   name/password pair or a PPP CHAP user name and challenge/response,
   but may be extended to authentication via telephone number
   information, digital certificates, or biometrics.  NAS's also may
   authenticate themselves to users.  Since a NAS may be shared among
   multiple administrative entities, authentication may actually be
   performed via a back-end proxy, referral, or brokering process.

   In addition to user security, NAS's may themselves be operated as
   secure devices.  This may include secure methods of management and
   monitoring, use of IP Security [IPSEC], and even participation in a
   Public Key Infrastructure.

5.2.2. Authorization and Policy

   NAS's are the first point of authorization for usage of network
   resources, and NAS's serve as policy enforcement points for the
   services that they deliver to users.  NAS's may provision these
   services to users in a statically or dynamically configured fashion.
   Resource management can be performed at a NAS by granting specific
   types of service based on the current network state.  In the case of
   shared operation, NAS policy may be determined based on the policy
   of multiple end systems.

5.2.3. Accounting and Auditing

   Since NAS services are consumable resources, usage information must
   often be collected for the purposes of soft policy management,
   reporting, planning, and accounting.  A dynamic, real-time view of
   NAS usage is often required for network auditing purposes.  Since a
   NAS may be shared among multiple administrative entities, usage
   information must often be delivered to multiple endpoints.
   Accounting is performed using such protocols as RADIUS Accounting
   [RADIUS-ACCT].

5.2.4. Resource Management

   NAS's deliver resources to users, often in a dynamic fashion.
   Examples of the types of resources doled out by NAS's are IP
   addresses, network names and name server identities, tunnels, and
   PSTN resources such as phone lines and numbers.  Note that NAS's may
   be operated in an outsourcing model, where multiple entities are
   competing for the same resources.

5.2.5. Virtual Private Networks (VPN's)

   NAS's often participate in VPN's, and may serve as the means by which
   VPN's are implemented.  Examples of the use of NAS's in VPN's are:
   Dial Access Servers that build compulsory tunnels, Dial Access
   Servers that provide services to voluntary tunnelers, and Tunnel
   Servers that provide tunnel termination services.  NAS's may
   simultaneously provide VPN and public network services to different
   users, based on policy and identity.

5.2.6. Service Quality

   A NAS may deliver different qualities, types, or levels of service to
   different users based on policy and identity.  NAS's may perform
   bandwidth management, allow differential speeds or methods of access,
   or even participate in provisioned or signaled Quality of Service
   (QoS) networks.

5.2.7. Roaming

   NAS's are often operated in a shared or outsourced manner, or a NAS
   operator may enter into agreements with other service providers to
   grant access to users from these providers (roaming operations).
   NAS's often are operated as part of a global network.  All these
   imply that a NAS often provides services to users from multiple
   administrative domains simultaneously.  The features of NAS's may
   therefore be driven by requirements of roaming [ROAMREQ].

6. Acknowledgements

   Thanks to Dave Mitton (Nortel Networks), John Vollbrecht (Merit), and
   Rich Petke (MCI WorldCom) for useful discussions of this problem
   space.

7. References

   [RADIUS]      Rigney, Rubens, Simpson, Willens.  "Remote
                 Authentication Dial In User Service (RADIUS)",
                 RFC 2138, April 1997.

   [RADIUS-ACCT] Rigney, et al.  "RADIUS Accounting", RFC 2139,
                 April 1997.

   [SNMP]        Case, Fedor, Schoffstall, and Davin.  "A Simple Network
                 Management Protocol (SNMP)", RFC 1157, May 1990.

   [DIAMETER]    Calhoun, Rubens.  "DIAMETER Base Protocol",
                 draft-calhoun-diameter-06.txt, October 1998.

   [PPP]         Simpson, Editor.  "The Point-to-Point Protocol (PPP)",
                 RFC 1661, July 1994.

   [COPS]        Boyle, Cohen, Durham, Herzog, Raja, Sastry.  "The COPS
                 (Common Open Policy Service) Protocol",
                 draft-ietf-rap-cops-02.txt, August 1998.

   [L2TP]        Hamzeh, Kolar, Littlewood, Singh Pall, Taarud,
                 Valencia, Verthein, Townsley, Palter, Rubens.  "Layer
                 Two Tunneling Protocol (L2TP)",
                 draft-ietf-pppext-l2tp-12.txt, October 1998.

   [IPSEC]       Atkinson, Kent.  "Security Architecture for the
                 Internet Protocol", draft-ietf-ipsec-arch-sec-07.txt,
                 July 1998.

   [ROAMREQ]     Aboba, Zorn.  "Roaming Requirements",
                 draft-ietf-roamops-romreq-10.txt, August 1998.

8. Author's Address

   Mark A. Beadles
   MCI WorldCom Advanced Networks
   5000 Britton Rd.
   Hilliard, OH 43026

   Phone: 614-723-1941
   EMail: mbeadles@wcom.net
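   The following worked example is added here and is not part of the
   Beadles draft.  It implements both ends of the RADIUS exchange that
   the Policy Management Interface (Section 5.1), Section 5.2.1 and
   Section 5.2.3 describe, using the packet formats of RFC 2138 and RFC
   2139: the NAS hides a PAP password under the Request Authenticator,
   relays a CHAP challenge/response, refuses to enforce an Access-Accept
   whose Response Authenticator does not verify, and then sends
   Accounting-Request Start and Stop records that the AAAA server checks
   before accepting.  The user database, shared secret, session
   identifier, CHAP identifier and all function names are assumptions
   made for this example.

```python
"""Minimal RADIUS (RFC 2138/2139) NAS <-> AAAA exchange: constructed example."""
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, FRAMED_IP_ADDRESS = 1, 2, 3, 8
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME, CHAP_CHALLENGE = 40, 44, 46, 60
ACCT_START, ACCT_STOP, ZERO16 = 1, 2, b"\x00" * 16
USERS = {b"alice": (b"s3cret-pw", bytes([10, 0, 0, 50]))}  # constructed user database

def encode_attrs(attrs):  # Attribute = Type(1) Length(1) Value; Length counts the header
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        n = data[i + 1] if i + 1 < len(data) else 0
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute")  # truncated or overlong TLV
        attrs.append((data[i], data[i + 2:i + n]))
        i += n
    return attrs

def pack(code, ident, auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt): raise ValueError("bad length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def authenticator(code, ident, seed, attrs, secret):
    """MD5(Code+ID+Length+seed+Attributes+Secret).  seed is the Request
    Authenticator for replies and 16 zero octets for Accounting-Requests."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + seed + body + secret).digest()

def user_password(secret, req_auth, data, unhide=False):
    """RFC 2138 s5.2 User-Password hiding and its inverse: XOR 16-octet blocks
    with MD5(secret + previous ciphertext block), seeded by the authenticator."""
    if not unhide:
        data += b"\x00" * (-len(data) % 16)  # pad to a multiple of 16 octets
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (block if unhide else res)
    return out.rstrip(b"\x00") if unhide else out

def chap_hash(chap_id, pw, challenge):
    return hashlib.md5(bytes([chap_id]) + pw + challenge).digest()

def nas_access_request(secret, ident, user, pw, method="pap"):
    req_auth = os.urandom(16)  # must be unpredictable: it seeds the password hiding
    attrs = [(USER_NAME, user)]
    if method == "pap":
        attrs.append((USER_PASSWORD, user_password(secret, req_auth, pw)))
    else:  # CHAP: the PPP peer answered the NAS's challenge; the NAS relays both
        chal, cid = os.urandom(16), 7
        attrs += [(CHAP_CHALLENGE, chal), (CHAP_PASSWORD, bytes([cid]) + chap_hash(cid, pw, chal))]
    return pack(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def nas_check_reply(secret, ident, req_auth, reply):
    code, rid, resp_auth, attrs = unpack(reply)  # verify before enforcing anything
    if rid != ident or not hmac.compare_digest(resp_auth, authenticator(code, rid, req_auth, attrs, secret)):
        raise ValueError("forged or corrupted reply")
    return code == ACCESS_ACCEPT, dict(attrs)

def nas_acct_request(secret, ident, user, sid, status, seconds=0):
    attrs = [(USER_NAME, user), (ACCT_STATUS_TYPE, struct.pack("!I", status)), (ACCT_SESSION_ID, sid)]
    if status == ACCT_STOP:
        attrs.append((ACCT_SESSION_TIME, struct.pack("!I", seconds)))
    return pack(ACCT_REQUEST, ident, authenticator(ACCT_REQUEST, ident, ZERO16, attrs, secret), attrs)

def aaaa_handle_access(secret, pkt):
    code, ident, req_auth, attrs = unpack(pkt)
    a = dict(attrs)
    pw, framed_ip = USERS.get(a.get(USER_NAME), (None, None))
    ok = False
    if pw is not None and USER_PASSWORD in a:
        ok = hmac.compare_digest(user_password(secret, req_auth, a[USER_PASSWORD], unhide=True), pw)
    elif pw is not None and CHAP_PASSWORD in a:  # octet 0 of CHAP-Password is the CHAP ident
        chap = a[CHAP_PASSWORD]
        ok = hmac.compare_digest(chap[1:], chap_hash(chap[0], pw, a.get(CHAP_CHALLENGE, req_auth)))
    code, out = (ACCESS_ACCEPT, [(FRAMED_IP_ADDRESS, framed_ip)]) if ok else (ACCESS_REJECT, [])
    return pack(code, ident, authenticator(code, ident, req_auth, out, secret), out)

def aaaa_handle_acct(secret, pkt):
    code, ident, req_auth, attrs = unpack(pkt)
    if code != ACCT_REQUEST or not hmac.compare_digest(req_auth, authenticator(code, ident, ZERO16, attrs, secret)):
        return None  # RFC 2139: silently discard records that fail the check
    a = dict(attrs)
    return struct.unpack("!I", a[ACCT_STATUS_TYPE])[0], a[ACCT_SESSION_ID]

def session(secret, user, pw, method="pap"):  # authenticate, authorize, account Start/Stop
    req, req_auth = nas_access_request(secret, 1, user, pw, method)
    accepted, attrs = nas_check_reply(secret, 1, req_auth, aaaa_handle_access(secret, req))
    if not accepted:
        return {"accepted": False}
    start = aaaa_handle_acct(secret, nas_acct_request(secret, 2, user, b"0001", ACCT_START))
    stop = aaaa_handle_acct(secret, nas_acct_request(secret, 3, user, b"0001", ACCT_STOP, 120))
    return {"accepted": True, "framed_ip": attrs[FRAMED_IP_ADDRESS], "acct": (start, stop)}
```

   Running session(b"shared-secret", b"alice", b"s3cret-pw", "pap") or
   the same call with "chap" walks one user through the reference model:
   the Access-Accept carries the authorization data (here a Framed-IP-
   Address) that the NAS enforces, and the Start/Stop records are what
   Section 5.2.3 calls real-time accounting.  The point of the two
   authenticator checks is that the NAS authenticates the AAAA server's
   answer and the server authenticates the NAS's accounting records; a
   reply whose code has been flipped from Reject to Accept, or a record
   built with the wrong secret, is discarded rather than acted on.  Two
   caveats a practitioner should keep in mind: RFC 2138 provides no
   integrity check on the Access-Request itself, and its User-Password
   hiding is an MD5 keystream keyed only by the shared secret and the
   Request Authenticator, so the strength of that secret and the
   unpredictability of the authenticator are all that protect a PAP
   credential on the NAS-to-server path.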