idnits 2.17.1

draft-ietf-nasreq-nasmodel-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date. The document expiration date should appear on
     the first and last page.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack an Authors' Addresses Section.

  ** The abstract seems to contain references ([2], [3], [1]), which it
     shouldn't. Please replace those with straight textual mentions of the
     documents in question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you can
     ignore this comment. If not, you may need to add the pre-RFC5378
     disclaimer. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (June 1999) is 9074 days in the past. Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '' and '' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

  (See RFCs 3967 and 4897 for information about using normative references
  to lower-maturity documents in RFCs)

  -- Missing reference section? '1' on line 692 looks like a reference
  -- Missing reference section? '2' on line 695 looks like a reference
  -- Missing reference section? '3' on line 697 looks like a reference
  -- Missing reference section? '4' on line 700 looks like a reference
  -- Missing reference section? '5' on line 703 looks like a reference
  -- Missing reference section? '6' on line 705 looks like a reference
  -- Missing reference section? '7' on line 708 looks like a reference
  -- Missing reference section? '8' on line 711 looks like a reference
  -- Missing reference section? '11' on line 721 looks like a reference
  -- Missing reference section? '9' on line 714 looks like a reference
  -- Missing reference section? '10' on line 718 looks like a reference
  -- Missing reference section? '12' on line 724 looks like a reference
  -- Missing reference section? '13' on line 366 looks like a reference
  -- Missing reference section? '14' on line 730 looks like a reference
  -- Missing reference section? '15' on line 733 looks like a reference
  -- Missing reference section? '16' on line 736 looks like a reference
  -- Missing reference section? '19' on line 746 looks like a reference
  -- Missing reference section? '17' on line 739 looks like a reference
  -- Missing reference section? '18' on line 743 looks like a reference
  -- Missing reference section? '20' on line 749 looks like a reference
  -- Missing reference section? '21' on line 752 looks like a reference
  -- Missing reference section? '22' on line 753 looks like a reference

  Summary: 6 errors (**), 0 flaws (~~), 1 warning (==), 25 comments (--).
  Run idnits with the --verbose option for more detailed information about
  the items above.

--------------------------------------------------------------------------------

Network Access Server Requirements                          David Mitton
Internet Draft                                           Nortel Networks
Expires December 1999                                       Mark Beadles
                                                      UUNET Technologies
                                                               June 1999

        Network Access Server Requirements Next Generation (NASREQNG)
                                NAS Model
                      draft-ietf-nasreq-nasmodel-00.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with all
   provisions of Section 10 of RFC2026.

   This memo provides information for the Internet community. This memo
   does not specify an Internet standard of any kind. Distribution of
   this memo is unlimited.

   Internet-Drafts are working documents of the Internet Engineering Task
   Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference material
   or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a product of the Network-Access-Server Requirements
   Next Generation (NASREQNG) Working Group of the Internet Engineering
   Task Force (IETF). Comments should be submitted to the mailing list
   nasreq@tdmx.rutgers.edu.

Abstract

   This document describes the terminology and gives a model of a typical
   Network Access Server (NAS).
   The purpose of this effort is to set the reference space for
   describing and evaluating NAS service protocols, such as RADIUS (RFC
   2138, 2139)[1],[2] and follow-on efforts like the AAA Working Group
   and the Diameter protocol [3]. These are protocols for carrying user
   service information for authentication, authorization, accounting,
   and auditing, between a Network Access Server which desires to
   authenticate its incoming calls and a shared authentication server.

Table of Contents

   1. INTRODUCTION
   1.1 Scope of this Document
   1.2 Specific Terminology
   2. NETWORK ACCESS SYSTEM EQUIPMENT ASSUMPTIONS
   3. NAS SERVICES
   4. AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA) SERVERS
   5. TYPICAL NAS OPERATION SEQUENCE
   5.1 Characteristics of Systems and Sessions
   5.2 Separation of NAS and AAA server functions
   5.3 Network Management and Administrative features
   6. AUTHENTICATION METHODS
   7. SESSION AUTHORIZATION INFORMATION
   8. IP NETWORK INTERACTION
   9. A NAS MODEL
   9.1 A Reference Model of a NAS
   9.2 Terminology
   9.3 Analysis
   9.3.1 Authentication and Security
   9.3.2 Authorization and Policy
   9.3.3 Accounting and Auditing
   9.3.4 Resource Management
   9.3.5 Virtual Private Networks (VPN's)
   9.3.6 Service Quality
   9.3.7 Roaming
   10. REFERENCES
   11. ACKNOWLEDGMENTS
   12. AUTHOR'S INFORMATION
   13. FULL COPYRIGHT STATEMENT
   14. APPENDIX - ACRONYMS AND GLOSSARY

1. Introduction

   A Network Access Server is the initial entry point to a network for
   the majority of users of network services. It is the first device in
   the network to provide services to an end user, and acts as a gateway
   for all further services. As such, its importance to users and
   service providers alike is paramount. However, the concept of a
   Network Access Server has grown up over the years without being
   formally defined or analyzed. [4]

1.1 Scope of this Document

   There are several tradeoffs taken in this document. The purpose of
   this document is to describe a model for evaluating NAS service
   protocols.
   It will give examples of typical NAS hardware and software features,
   but these are not to be taken as hard limitations of the model,
   merely as illustrations of the points of discussion. An important
   goal of the model is to offer a framework that allows further
   development and expansion of capabilities in NAS implementation.

   As with most IETF projects, the focus is on standardizing the protocol
   interaction between the components of the system. The documents
   produced will not address the following areas:

   - AAA server back-end implementation is abstracted and not
     prescribed. The actual organization of the data in the server, its
     internal interfaces, and capabilities are left to the
     implementation.
   - NAS front-end call technology is not assumed to be static.
     Alternate and new technology will be accommodated. The resultant
     protocol specifications must be flexible in design to allow for new
     technologies and services to be added with minimal impact on
     existing implementations.

1.2 Specific Terminology

   The following terms are used in this document in this manner:

   A "Call" - the initiation of a network service request to the NAS.
   This can mean the arrival of a telephone call via a dial-in or
   switched telephone network connection, or the creation of a tunnel to
   a tunnel server which becomes a virtual NAS.

   A "Session" - the NAS provided service to a specific authorized user
   entity.

2. Network Access System Equipment Assumptions

   A typical hardware-based NAS is implemented in a constrained system.
   It is important that the NAS protocols don't assume unlimited
   resources on the part of the platform. The following are typical
   constraints:

   - A computer system of minimal to moderate performance (example
     processors: Intel 386 or 486, Motorola 68000)
   - A moderate amount, but not large, RAM (typically varies with the
     supported number of ports; 1MB to 8MB)
   - Some small amount of non-volatile memory, and/or a way to be
     configured out-of-band
   - No assumption of a local file system or disk storage

   A NAS system may consist of a system of interconnected specialized
   processor system units. Typically they may be circuit boards (or
   blades) that are arrayed in a card cage (or chassis) and referred to
   by their position (i.e. slot number). The bus interconnection methods
   are typically proprietary and will not be addressed here.

   A NAS is sometimes referred to as a Remote Access Server (RAS) as it
   typically allows remote access to a network. However, a more general
   picture is that of an "Edge Server", where the NAS sits on the edge
   of an IP network of some type, and allows dynamic access to it.

   Such systems typically have:

   - At least one LAN or high performance network interface (e.g.
     Ethernet, ATM, FR)
   - At least one, but typically many, serial interface ports, which
     could:
     - be serial RS232 ports, direct wired or wired to a modem, or
     - have integral hardware or software modems (V.22bis, V.32, V.34,
       X2, Kflex, V.90, etc.)
     - have direct connections to telephone network digital WAN lines
       (ISDN, T1, T3, NFAS, or SS7)
     - be an aggregation of xDSL connections or PPPoE sessions [5].

   However, systems may perform some of the functions of a NAS, but not
   have these kinds of hardware characteristics. An example would be an
   industry personal computer server system that has several modem line
   connections. These lines will be managed like a dedicated NAS, but
   the system itself is a general file server.
   Likewise, with the development of tunneling protocols (L2F[6],
   ATMP[7], L2TP[8]), tunnel server systems must behave like a "virtual"
   NAS, where the calls come from network tunneled sessions and not
   hardware ports ([11][9][10]).

3. NAS Services

   The core of what a NAS provides is dynamic network services. What
   distinguishes a NAS from a typical routing system is that these
   services are provided on a per-user basis, based on an
   authentication, and the service is accounted for. This accounting may
   lead to policies and controls to limit appropriate usage to levels
   based on the availability of network bandwidth, or service agreements
   between the user and the provider.

   Typical services include:

   - dial-up or direct access serial line access; the ability to access
     the network using the public telephone network.
   - network access (SLIP, PPP, IPX, NETBEUI, ARAP); the NAS allows the
     caller to access the network directly.
   - asynchronous terminal services (Telnet, Rlogin, LAT, others); the
     NAS implements the network protocol on behalf of the caller, and
     presents a terminal interface.
   - dial-out connections; the ability to cause the NAS to initiate a
     connection over the public telephone network, typically based on
     the arrival of traffic to a specific network system.
   - callback (NAS generates call to caller); the ability to cause the
     NAS to reverse or initiate a network connection based on the
     arrival of a dial-in call.
   - tunneling (from access connection to remote server); the NAS
     transports the caller's network packets over a network to a remote
     server using an encapsulation protocol. (L2TP[8] RADIUS
     support[11])

4. Authentication, Authorization and Accounting (AAA) Servers

   Because of the need to authenticate and account, and for practical
   reasons of implementation, NAS systems have come to depend on
   external server systems to implement authentication databases and
   accounting recording.

   By separating these functions from the NAS equipment, they can be
   implemented in general purpose computer systems that may provide
   better suited long term storage media, and more sophisticated
   database software infrastructures. Not to mention that a centralized
   server can allow the coordinated administration of many NAS systems
   as appropriate (for example a single server may service an entire POP
   consisting of multiple NAS systems).

   For ease of management, there is a strong desire to piggyback NAS
   authentication information with other authentication databases, so
   that authentication information can be managed for several services
   (such as OS shell login, or Web Server access) from the same
   provider, without creating separate passwords and accounts for the
   user.

   Session activity information is stored and processed to produce
   accounting usage records. This is typically done with a long term
   (nightly, weekly or monthly) batch type process.

   However, as network operations grow in sophistication, there are
   requirements to provide real-time monitoring of port and user status,
   so that the state information can be used to implement policy
   decisions, monitor user trends, and possibly terminate access for
   administrative reasons. Typically only the NAS knows the true dynamic
   state of a session.

5. Typical NAS Operation Sequence:

   The following details a typical NAS operational sequence:

   - Call arrival on port or network
     - Port:
       - auto-detect (or not) type of call
       - CLI/SLIP: prompt for username and password (if security set)
       - PPP: engage LCP, Authentication
       - Request authentication from AAA server
         - if okay, proceed to service
         - may challenge
         - may ask for password change/update
     - Network:
       - activate internal protocol server (telnet, ftp)
       - engage protocol's authentication technique
       - confirm authentication information with AAA server

   - Call Management Services
     - Information from the telephone system arrives indicating that a
       call has been placed
     - The AAA server is consulted using the information supplied by the
       telephone system (typically Called or Calling number information)
     - The server indicates whether to respond to the call by answering
       it, or by returning a busy to the caller.
     - The server may also need to allocate a port to receive a call,
       and route it accordingly.
   - Dial-out
     - packet destination matches a pre-configured outbound route
     - find profile information to set up the call
     - Request information from AAA server for call details

   - VPN/Tunneling (mandatory)
     - authentication server identifies user as remote
     - tunnel protocol is invoked to a remote server
     - authentication information may be forwarded to remote AAA server
     - if successful, the local link is given a remote identity

   - Multi-link aggregation
     - after a new call is authenticated by the AAA server, if MP
       options are present, then other bundles with the same identifying
       information are searched for
     - bundle searches are performed across multiple systems
     - join calls that match authentication and originator identities as
       one network addressable data source with a single network IP
       address

   - Hardwired (non-interactive) services
     - permanent WAN connections (Frame Relay or PSVCs)
     - permanent serial connections (printers)

5.1 Characteristics of Systems and Sessions:

   Sessions must have a user identifier and authenticator to complete
   the authentication process. Accounting starts from time of call or
   service, though finer details are allowed. At the end of service, the
   call may be disconnected or allow re-authentication for additional
   services.

   Some systems allow decisions on call handling to be made based on
   telephone system information provided before the call is answered
   (e.g. caller id or destination number). In such systems, calls may be
   busied-out or not answered if system resources are not ready or
   available.

   Authorization to run services is supplied and applied after
   authentication. A NAS may abort a call if session authorization
   information disagrees with call characteristics. Some system
   resources may be controlled by server driven policies.

   Accounting messages are sent to the accounting server when service
   begins, and ends, and possibly periodically during service delivery.
   Accounting is not necessarily a real-time service; the NAS may queue
   and batch-send event records.

5.2 Separation of NAS and AAA server functions

   As a distributed system, there is a separation of roles between the
   NAS and the Server:

   - Server provides authentication services; checks passwords (static
     or dynamic)
   - Server databases may be organized in any way (only the protocol is
     specified)
   - Server may use external systems to authenticate (including OS user
     databases, token cards, one-time-lists, proxy or other means)
   - Server provides authorization information to NAS
   - The process of providing a service may lead to requests for
     additional information
   - Service authorization may require real-time enforcement (services
     may be based on Time of Day, or variable cost debits)
   - Session accounting information is tallied by the NAS and reported
     to server

5.3 Network Management and Administrative features

   The NAS system is presumed to have a method of configuration that
   allows it to know its identity and network parameters at boot time.
   Likewise, this configuration information is typically managed using
   the standard management protocols (e.g. SNMP). This would include the
   configuration of the parameters necessary to contact the AAA server
   itself. The purpose of the AAA server is not to provide network
   management for the NAS, but to authorize and characterize the
   individual services for the users. Therefore any feature that can be
   user specific is open to supply from the AAA server.

   The system may have other operational services that are used to run
   and control the NAS.
   Some users that have _Administrative_ privileges may have access to
   system configuration tools, or services that affect the operation and
   configuration of the system (e.g. loading boot images, internal file
   system access, etc.). Access to these facilities may also be
   authenticated by the AAA server (provided it is configured and
   reachable!) and levels of access authorization may be provided.

6. Authentication Methods

   A NAS system typically supports a number of authentication systems.
   For async terminal users, these may be as simple as a prompt and
   input. For network datalink users, such as PPP, several different
   authentication methods will be supported (PAP, CHAP[12],
   MS-CHAP[13]). Some of these may actually be protocols in and of
   themselves (EAP[14][15], and Kerberos).

   Additionally, the content of the authentication exchanges may not be
   straightforward. Hard token card systems, such as Safeword and
   SecurID, may generate one-time passphrases that must be validated
   against a proprietary server. In the case of multi-link support, it
   may be necessary to remember a session token or certificate for the
   later authentication of additional links.

   In the cases of VPN and mandatory tunneling services, typically a
   Network Access Identifier (RFC 2486[16]) is presented by the user.
   This NAI is parsed into a destination network identifier either by
   the NAS or by the AAA server. The authentication information will
   typically not be validated locally, but by an AAA service at the
   remote end of the tunnel service.

7. Session Authorization Information

   Once a user has been authenticated, there are a number of individual
   bits of information that the network management may wish to configure
   and authorize for the given user or class of users.
   Typical examples include:

   For async terminal users:
   - banners
   - custom prompts
   - menus
   - CLI macros - which could be used for: shortcuts, compound commands,
     restrictive scripts

   For network users:
   - addresses, and routes
   - callback instructions
   - packet and activity filters
   - network server addresses
   - host server addresses

   Some services may require dynamic allocation of resources.
   Information about the resources required may not be known during the
   authentication phase; it may come up later (e.g. IP Addresses for
   multi-link bundles). It's also possible that the authorization will
   change over the time of the session. To provide these there has to
   be a division of responsibility between the NAS and the AAA server,
   or a cooperation using a stateful service.

   Such services include:

   - IP Address management
   - Concurrent login limitations
   - Tunnel usage limitations
   - Real-time account expirations
   - Call management policies

   In the process of resolving resource information, it may be required
   that a certain level of service be supplied, and if not available,
   the request refused, or corrective action taken.

8. IP Network Interaction

   As the NAS participates in the IP network, it interacts with the
   routing mechanisms of the network itself. These interactions may also
   be controlled on a per-user/session basis.

   For example, some input streams may be directed to specific hosts
   other than the default gateway for the destination subnet. In order
   to control services within the network provider's infrastructure,
   some types of packets may be discarded (filtered) when entering the
   network. These filters could be applied based on examination of
   destination address and port number. Anti-spoofing packet controls
   may be applied to disallow traffic sourced from addresses other than
   what was assigned to the port.
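   The division of labour that sections 5.2, 6, 7 and 8 describe (the
   AAA server verifies credentials and hands back per-user
   authorization, the NAS enforces it on the port) can be exercised in
   a small simulation. The following Python is an added example, not
   part of the draft or of any vendor's NAS; the AAA server, realm
   table, user profiles and attribute names ("framed_ip",
   "deny_dst_ports") are assumptions constructed for the demonstration.

```python
"""Added example (not from the draft): a toy NAS that delegates CHAP checking to
the AAA server chosen by NAI realm, applies returned authorization attributes,
enforces per-session ingress policy and reports accounting start/stop."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def parse_nai(nai):
    """Split an RFC 2486 NAI 'user@realm'; a bare username means the local realm."""
    user, sep, realm = nai.partition("@")
    return user, (realm.lower() if sep else None)


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


@dataclass
class AAAServer:
    realm: str
    secrets: dict                  # user -> CHAP secret; never leaves this server
    profiles: dict                 # user -> authorization attributes (constructed)
    records: list = field(default_factory=list)

    def authenticate(self, user, ident, challenge, response):
        secret = self.secrets.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)

    def authorize(self, user):
        return dict(self.profiles.get(user, {}))


@dataclass
class Session:
    user: str
    realm: str
    framed_ip: str                 # address assigned to the port
    deny_dst_ports: frozenset      # destination-port filter from the profile
    drops: int = 0


class NAS:
    def __init__(self, local_realm, servers):
        self.local_realm = local_realm
        self.servers = servers     # realm -> AAAServer; remote realms are roaming partners
        self.sessions = {}         # port -> Session

    def call_arrival(self, port, nai, ident, challenge, response):
        """Authenticate via the realm's AAA server, then apply its authorization."""
        user, realm = parse_nai(nai)
        realm = realm or self.local_realm
        server = self.servers.get(realm)
        if server is None or not server.authenticate(user, ident, challenge, response):
            return None            # unknown realm or bad credentials: reject the call
        attrs = server.authorize(user)
        if "framed_ip" not in attrs:
            return None            # no usable address authorized: abort the call
        sess = Session(user, realm, attrs["framed_ip"],
                       frozenset(attrs.get("deny_dst_ports", ())))
        self.sessions[port] = sess
        server.records.append({"event": "start", "user": user, "port": port})
        return sess

    def ingress(self, port, src_ip, dst_port):
        """Per-session ingress check: drop spoofed sources and filtered destinations."""
        sess = self.sessions[port]
        if src_ip != sess.framed_ip or dst_port in sess.deny_dst_ports:
            sess.drops += 1
            return False
        return True

    def hangup(self, port):
        sess = self.sessions.pop(port)
        self.servers[sess.realm].records.append(
            {"event": "stop", "user": sess.user, "port": port, "drops": sess.drops})
        return sess


def run_demo():
    """Constructed scenario: a local user, a roaming user and a bad credential."""
    local = AAAServer("isp.example", {"alice": b"alice-secret"},
                      {"alice": {"framed_ip": "10.0.0.5", "deny_dst_ports": [25]}})
    partner = AAAServer("partner.example", {"bob": b"bob-secret"},
                        {"bob": {"framed_ip": "10.0.0.6"}})
    nas = NAS("isp.example", {"isp.example": local, "partner.example": partner})
    ch = os.urandom(16)            # NAS challenge; each peer answers with its own secret
    alice = nas.call_arrival(1, "alice", 7, ch, chap_response(7, b"alice-secret", ch))
    bob = nas.call_arrival(2, "bob@partner.example", 8, ch, chap_response(8, b"bob-secret", ch))
    eve = nas.call_arrival(3, "alice", 9, ch, chap_response(9, b"wrong-guess", ch))
    ok = nas.ingress(1, "10.0.0.5", 80)        # assigned source, permitted port
    spoof = nas.ingress(1, "10.0.0.9", 80)     # source differs from the assigned address
    filt = nas.ingress(1, "10.0.0.5", 25)      # destination port denied by the profile
    stop = nas.hangup(1)
    return {"alice": alice is not None, "bob_realm": bob.realm if bob else None,
            "eve_rejected": eve is None, "ok": ok, "spoof": spoof, "filtered": filt,
            "local_events": [r["event"] for r in local.records], "drops": stop.drops}
```

   The NAS only ever sees the challenge and response, never the CHAP
   secret, which is the property section 5.2 relies on when it places
   password checking at the server; the drop counter carried in the
   stop record is the kind of per-session usage data section 9.3.3
   calls for.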
   A NAS may also be an edge router system, and apply Quality of Service
   (QoS) policies to the packets. This makes it a QoS Policy Enforcement
   Point. [19][17] It may learn QoS and other network policies for the
   user via the AAA service.

9. A NAS Model

   So far we have looked at examples of things that NASes do. The
   following attempts to define a NAS model that captures the
   fundamentals of NAS structure to better categorize how it interacts
   with other network components.

   A Network Access Server is a device which sits on the edge of a
   network, and provides access to services on that network in a
   controlled fashion, based on the identity of the user of the network
   services in question and on the policy of the provider of these
   services. For the purposes of this document, a Network Access Server
   is defined primarily as a device which accepts multiple point-to-point
   [18] links on one set of interfaces, providing access to a routed
   network or networks on another set of interfaces.

   Note that there are many things that a Network Access Server is not.
   A NAS is not simply a router, although it will typically include
   routing functionality in its interface to the network. A NAS is not
   necessarily a dial access server, although dial access is one common
   means of network access, and brings its own particular set of
   requirements to NAS's.

   A NAS is the first device in the network to provide services to an
   end user, and acts as a gateway for all further services. It is the
   point at which users are authenticated, access policy is enforced,
   network services are authorized, network usage is audited, and
   resource consumption is tracked. That is, a NAS often acts as the
   policy enforcement point for network AAAA (authentication,
   authorization, accounting, and auditing) services. A NAS is typically
   the first place in a network where security measures and policy may
   be implemented.

9.1 A Reference Model of a NAS

   For reference in the following discussion, a diagram of a NAS, its
   dependencies, and its interfaces is given below. This diagram is
   intended as an abstraction of a NAS as a reference model, and is not
   intended to represent any particular NAS implementation.

                                 Users
                           v v v v v v v
                           | | PSTN  | |
                           | |  or   | |
                           |encapsulated
                       +-----------------+
                       |    (Modems)     |
                       +-----------------+
                         | | | | | | |
                    +--+----------------------------+
                    |  |                            |
                    |N |      Client Interface      |
                    |  |                            |
                    |A +----------Routing ----------+
                    |  |                            |
                    |S |      Network Interface     |
                    |  |                            |
                    +--+----------------------------+
                            /        |        \
                           /         |         \
                          /          |          \
                         /           |           \
    POLICY MANAGEMENT   /            |            \   DEVICE MANAGEMENT
    +---------------+                |                +-------------------+
    | Authentication|              _/^\_              |Device Provisioning|
    +---------------+            _/     \_            +-------------------+
    | Authorization |          _/         \_          |Device Monitoring  |
    +---------------+        _/             \_        +-------------------+
    | Accounting    |       /      The       \
    +---------------+       \_  Network(s)  _/
    | Auditing      |         \_           _/
    +---------------+           \_       _/
                                  \_   _/
                                    \_/

9.2 Terminology

   Following is a description of the modules and interfaces in the
   reference model for a NAS given above:

   Client Interfaces - A NAS has one or more client interfaces, which
      provide the interface to the end users who are requesting network
      access. Users may connect to these client interfaces via modems
      over a PSTN, or via tunnels over a data network. Two broad classes
      of NAS's may be defined, based on the nature of the incoming
      client interfaces, as follows. Note that a single NAS device may
      serve in both classes:

      Dial Access Servers - A Dial Access Server is a NAS whose client
         interfaces consist of modems, either local or remote, which are
         attached to a PSTN.
      Tunnel Servers - A Tunnel Server is a NAS whose client interfaces
         consist of tunneling endpoints in a protocol such as L2TP.

   Network Interfaces - A NAS has one or more network interfaces, which
      connect to the networks to which access is being granted.

   Routing - If the network to which access is being granted is a routed
      network, then a NAS will typically include routing functionality.

   Policy Management Interface - A NAS provides an interface which
      allows access to network services to be managed on a per-user
      basis. This interface may be a configuration file, a graphical
      user interface, an API, or a protocol such as RADIUS, Diameter, or
      COPS [19]. This interface provides a mechanism for granular
      resource management and policy enforcement.

   Authentication - Authentication refers to the confirmation that a
      user who is requesting services is a valid user of the network
      services requested. Authentication is accomplished via the
      presentation of an identity and credentials. Examples of types of
      credentials are passwords, one-time tokens, digital certificates,
      and phone numbers (calling/called).

   Authorization - Authorization refers to the granting of specific
      types of service (including "no service") to a user, based on
      their authentication, what services they are requesting, and the
      current system state. Authorization may be based on restrictions,
      for example time-of-day restrictions, or physical location
      restrictions, or restrictions against multiple logins by the same
      user. Authorization determines the nature of the service which is
      granted to a user. Examples of types of service include, but are
      not limited to: IP address filtering, address assignment, route
      assignment, QoS/differential services, bandwidth control/traffic
      management, compulsory tunneling to a specific endpoint, and
      encryption.

   Accounting - Accounting refers to the tracking of the consumption of
      NAS resources by users. This information may be used for
      management, planning, billing, or other purposes. Real-time
      accounting refers to accounting information that is delivered
      concurrently with the consumption of the resources. Batch
      accounting refers to accounting information that is saved until
      it is delivered at a later time. Typical information that is
      gathered in accounting is the identity of the user, the nature of
      the service delivered, when the service began, and when it ended.

   Auditing - Auditing refers to the tracking of activity by users. As
      opposed to accounting, where the purpose is to track consumption
      of resources, the purpose of auditing is to determine the nature
      of a user's network activity. Examples of auditing information
      include the identity of the user, the nature of the services used,
      what hosts were accessed when, what protocols were used, etc.

   AAAA Server - An AAAA Server is a server or servers that provide
      authentication, authorization, accounting, and auditing services.
      These may be co-located with the NAS, or more typically, are
      located on a separate server and communicate with the NAS's User
      Management Interface via an AAAA protocol. The four AAAA functions
      may be located on a single server, or may be broken up among
      multiple servers.

   Device Management Interface - A NAS is a network device which is
      owned, operated, and managed by some entity. This interface
      provides a means for this entity to operate and manage the NAS.
      This interface may be a configuration file, a graphical user
      interface, an API, or a protocol such as SNMP [20].

   Device Monitoring - Device monitoring refers to the tracking of
      status, activity, and usage of the NAS as a network device.
Device Provisioning - Device provisioning refers to the configurations, settings, and control of the NAS as a network device.

9.3 Analysis

Following is an analysis of the functions of a NAS using the reference model above:

9.3.1 Authentication and Security

NAS's serve as the first point of authentication for network users, providing security to user sessions. This security is typically performed by checking credentials such as a PPP PAP user name/password pair or a PPP CHAP user name and challenge/response, but may be extended to authentication via telephone number information, digital certificates, or biometrics. NAS's also may authenticate themselves to users. Since a NAS may be shared among multiple administrative entities, authentication may actually be performed via a back-end proxy, referral, or brokering process.

In addition to user security, NAS's may themselves be operated as secure devices. This may include secure methods of management and monitoring, use of IP Security [21], and even participation in a Public Key Infrastructure.

9.3.2 Authorization and Policy

NAS's are the first point of authorization for usage of network resources, and NAS's serve as policy enforcement points for the services that they deliver to users. NAS's may provision these services to users in a statically or dynamically configured fashion. Resource management can be performed at a NAS by granting specific types of service based on the current network state. In the case of shared operation, NAS policy may be determined based on the policy of multiple end systems.

9.3.3 Accounting and Auditing

Since NAS services are consumable resources, usage information must often be collected for the purposes of soft policy management, reporting, planning, and accounting. A dynamic, real-time view of NAS usage is often required for network auditing purposes.
Since a NAS may be shared among multiple administrative entities, usage information must often be delivered to multiple endpoints. Accounting is performed using such protocols as RADIUS [2].

9.3.4 Resource Management

NAS's deliver resources to users, often in a dynamic fashion. Examples of the types of resources doled out by NAS's are IP addresses, network names and name server identities, tunnels, and PSTN resources such as phone lines and numbers. Note that NAS's may be operated in an outsourcing model, where multiple entities are competing for the same resources.

9.3.5 Virtual Private Networks (VPN's)

NAS's often participate in VPN's, and may serve as the means by which VPN's are implemented. Examples of the use of NAS's in VPN's are: Dial Access Servers that build compulsory tunnels, Dial Access Servers that provide services to voluntary tunnelers, and Tunnel Servers that provide tunnel termination services. NAS's may simultaneously provide VPN and public network services to different users, based on policy and user identity.

9.3.6 Service Quality

A NAS may deliver different qualities, types, or levels of service to different users based on policy and identity. NAS's may perform bandwidth management, allow differential speeds or methods of access, or even participate in provisioned or signaled Quality of Service (QoS) networks.

9.3.7 Roaming

NAS's are often operated in a shared or outsourced manner, or a NAS operator may enter into agreements with other service providers to grant access to users from these providers (roaming operations). NAS's are often operated as part of a global network. All of these imply that a NAS often provides services to users from multiple administrative domains simultaneously. The features of NAS's may therefore be driven by the requirements of roaming [22].

References:

[1] C. Rigney, et al., "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1977.

[2] C. Rigney, et al., "RADIUS Accounting", RFC 2139, April 1977.

[3] P. Calhoun, "Diameter Base Protocol", draft-calhoun-diameter-07.txt, November 1998.

[4] G. Zorn, "Yet Another Authentication Protocol (YAAP)", draft-zorn-yaap-01.txt, 30 June 1996.

[5] PPP Over Ethernet

[6] A. Valencia, M. Littlewood, T. Kolar, "Cisco Layer Two Forwarding (Protocol) L2F", RFC 2341, May 1998.

[7] K. Hamzeh, "Ascend Tunnel Management Protocol - ATMP", RFC 2107, February 1997.

[8] A. Valencia, et al., "Layer Two Tunneling Protocol (L2TP)", draft-ietf-pppext-l2tp-12.txt, October 1998.

[9] G. Zorn, D. Leifer, A. Rubens, J. Shriver, "RADIUS Attributes for Tunnel Protocol Support", draft-ietf-radius-tunnel-auth-06.txt, September 1998.

[10] G. Zorn, D. Mitton, "RADIUS Accounting Modifications for Tunnel Protocol Support", draft-ietf-radius-tunnel-acct-02.txt, September 1999.

[11] B. Aboba, G. Zorn, "Implementation of PPTP/L2TP Compulsory Tunneling via RADIUS", draft-ietf-radius-tunnel-imp-03.txt, July 1997.

[12] W. Simpson, "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.

[13] G. Zorn, S. Cobb, "Microsoft PPP CHAP Extensions", draft-ietf-pppext-mschap-00.txt, March 1998.

[14] L. Blunk, J. Vollbrecht, "PPP Extensible Authentication Protocol (EAP)", RFC 2284, March 1998.

[15] P. Calhoun, et al., "Extensible Authentication Protocol Support in RADIUS", draft-ietf-radius-eap-05.txt, May 1998.

[16] B. Aboba, M. Beadles, "The Network Access Identifier", RFC 2486, January 1999.

[17] R. Braden, L. Zhang, S. Berson, S. Herzog, S. Jamin, "Resource ReSerVation Protocol (RSVP) Version 1 Functional Specification", RFC 2205, September 1997.

[18] W. Simpson, Editor, "The Point-to-Point Protocol (PPP)", RFC 1661, July 1994.

[19] Boyle, Cohen, Durham, Herzog, Raja, Sastry, "The COPS (Common Open Policy Service) Protocol", draft-ietf-rap-cops-06.txt, February 1999.

[20] Case, Fedor, Schoffstall, and Davin, "A Simple Network Management Protocol (SNMP)", RFC 1157, May 1990.

[21] Atkinson, Kent, "Security Architecture for the Internet Protocol",

[22] Aboba, Zorn, "Dialup Roaming Requirements", draft-ietf-roamops-roamreq-05.txt, July 1997.

10. Acknowledgments

This document is a synthesis of my earlier draft and Mark Beadles' NAS Reference Model draft (draft-beadles-nas-01.txt).

11. Author's Information:

David Mitton
Nortel Networks
8 Federal St. BL8-05
Billerica, MA 01821

Phone: 978-288-4570
Email: dmitton@nortelnetworks.com

Mark Beadles
UUNET, an MCI WorldCom Company
5000 Britton Rd
Hilliard, OH 43026

Phone: 614-723-1941
Email: mbeadles@wcom.net

12. Full Copyright Statement

Copyright (C) The Internet Society (May 1999). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

13. Appendix - Acronyms and Glossary:

AAA - Authentication, Authorization, Accounting; the three primary services required by a NAS server or protocol.

NAS - Network Access Server, a system that provides access to a network. In some cases also known as a RAS, Remote Access Server.

CLI - Command Line Interface, an interface to a command line service for use with a common asynchronous terminal facility.

SLIP - Serial Line Internet Protocol, an IP-only serial datalink, predecessor to PPP.

PPP - Point-to-Point Protocol; a serial datalink level protocol that supports IP as well as other network protocols. PPP has three major states of operation: LCP - Link layer Control Protocol; Authentication, of which there are several types (PAP, CHAP, EAP); and NCP - Network layer Control Protocol, which negotiates the network layer parameters for each of the protocols in use.

IPX - Novell's NetWare transport protocol.

NETBEUI - A Microsoft/IBM LAN protocol used by Microsoft file services and the NETBIOS applications programming interface.

ARAP - AppleTalk Remote Access Protocol.

LAT - Local Area Transport; a Digital Equipment Corp. LAN protocol for terminal services.

PPPoE - PPP over Ethernet; a protocol that forwards PPP frames on a LAN infrastructure. Often used to aggregate PPP streams at a common server bank.

VPN - Virtual Private Network; a term for networks that appear to be private to the user by the use of tunneling techniques.
FR - Frame Relay, a synchronous WAN protocol and telephone network intraconnect service.

PSVC - Permanent Switched Virtual Circuit; a service which delivers a virtual permanent circuit over a switched network.

PSTN - Public Switched Telephone Network.

ISDN - Integrated Services Digital Network, a telephone network facility for transmitting digital and analog information over a digital network connection. A NAS may have the ability to receive the information from the telephone network in digital form.

ISP - Internet Service Provider; a provider of Internet access (also Network Service Provider, NSP).

BRI - Basic Rate Interface; a digital telephone interface.

PRI - Primary Rate Interface; a digital telephone interface of 64K bits per second.

T1 - A digital telephone interface which provides 24-36 channels of PRI data and one control channel (2.048 Mbps).

T3 - A digital telephone interface which provides 28 T1 services. Signalling control for the entire connection is provided on a dedicated in-band channel.

NFAS - Non-Facility Associated Signaling, a telephone network protocol/service for providing call information on a separate wire connection from the call itself. Used with multiple T1 or T3 connections.

SS7 - A telephone network protocol for communicating call information on a separate data network from the voice network.

POP - Point Of Presence; a geographic location of equipment and interconnection to the network. An ISP typically manages all equipment in a single POP in a similar manner.

VSA - Vendor Specific Attributes; RADIUS attributes defined by vendors using the provision of attribute 26.