Network Access Server Requirements                          David Mitton
Internet Draft                                           Nortel Networks
Expires April 2000                                          Mark Beadles
                                                       UUNET Technologies
                                                            October 1999

       Network Access Server Requirements Next Generation (NASREQNG)
                                NAS Model
                      draft-ietf-nasreq-nasmodel-01.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with all
   provisions of Section 10 of RFC2026.

   This memo provides information for the Internet community. This memo
   does not specify an Internet standard of any kind. Distribution of
   this memo is unlimited.

   Internet-Drafts are working documents of the Internet Engineering Task
   Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference material
   or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a product of the Network-Access-Server Requirements
   Next Generation (NASREQNG) Working Group of the Internet Engineering
   Task Force (IETF). Comments should be submitted to the mailing list
   nasreq@tdmx.rutgers.edu.

Abstract

   This document describes the terminology and gives a model of a typical
   Network Access Server (NAS). The purpose of this effort is to set the
   reference space for describing and evaluating NAS service protocols,
   such as RADIUS (RFC 2138, 2139) [1],[2] and follow-on efforts like the
   AAA Working Group, and the Diameter protocol [3].
   These are protocols for
   carrying user service information for authentication, authorization,
   accounting, and auditing, between a Network Access Server which desires
   to authenticate its incoming calls and a shared authentication server.

Table of Contents

   1. INTRODUCTION
   1.1 Scope of this Document
   1.2 Specific Terminology
   2. NETWORK ACCESS SYSTEM EQUIPMENT ASSUMPTIONS
   3. NAS SERVICES
   4. AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA) SERVERS
   5. TYPICAL NAS OPERATION SEQUENCE
   5.1 Characteristics of Systems and Sessions
   5.2 Separation of NAS and AAA server functions
   5.3 Network Management and Administrative features
   6. AUTHENTICATION METHODS
   7. SESSION AUTHORIZATION INFORMATION
   8. IP NETWORK INTERACTION
   9. A NAS MODEL
   9.1 A Reference Model of a NAS
   9.2 Terminology
   9.3 Analysis
   9.3.1 Authentication and Security
   9.3.2 Authorization and Policy
   9.3.3 Accounting and Auditing
   9.3.4 Resource Management
   9.3.5 Virtual Private Networks (VPN's)
   9.3.6 Service Quality
   9.3.7 Roaming
   10. ACKNOWLEDGMENTS
   11. AUTHOR'S INFORMATION
   12. FULL COPYRIGHT STATEMENT
   13. APPENDIX - ACRONYMS AND GLOSSARY

1. Introduction

   A Network Access Server is the initial entry point to a network for the
   majority of users of network services. It is the first device in the
   network to provide services to an end user, and acts as a gateway for
   all further services. As such, its importance to users and service
   providers alike is paramount. However, the concept of a Network Access
   Server has grown up over the years without being formally defined or
   analyzed. [4]

1.1 Scope of this Document

   There are several tradeoffs taken in this document. The purpose of
   this document is to describe a model for evaluating NAS service
   protocols. It will give examples of typical NAS hardware and software
   features, but these are not to be taken as hard limitations of the
   model, but merely illustrative of the points of discussion.
   An important goal of the model is to offer a framework that allows
   further development and expansion of capabilities in NAS
   implementation.

   As with most IETF projects, the focus is on standardizing the protocol
   interaction between the components of the system. The documents
   produced will not address the following areas:

   - AAA server back-end implementation is abstracted and not prescribed.
     The actual organization of the data in the server, its internal
     interfaces, and capabilities are left to the implementation.
   - NAS front-end call technology is not assumed to be static. Alternate
     and new technology will be accommodated. The resultant protocol
     specifications must be flexible in design to allow for new
     technologies and services to be added with minimal impact on existing
     implementations.

1.2 Specific Terminology

   The following terms are used in this document in this manner:

   A "Call" - the initiation of a network service request to the NAS.
   This can mean the arrival of a telephone call via a dial-in or switched
   telephone network connection, or the creation of a tunnel to a tunnel
   server which becomes a virtual NAS.

   A "Session" - the NAS-provided service to a specific authorized user
   entity.

2. Network Access System Equipment Assumptions

   A typical hardware-based NAS is implemented in a constrained system.
   It is important that the NAS protocols don't assume unlimited resources
   on the part of the platform.
   The following are typical constraints:

   - A computer system of minimal to moderate performance
     (example processors: Intel 386 or 486, Motorola 68000)
   - A moderate, but not large, amount of RAM (typically varies with the
     supported number of ports; 1MB to 8MB)
   - Some small amount of non-volatile memory, and/or a way to be
     configured out-of-band
   - No assumption of a local file system or disk storage

   A NAS system may consist of a system of interconnected specialized
   processor system units. Typically they may be circuit boards (or
   blades) that are arrayed in a card cage (or chassis) and referred to by
   their position (i.e. slot number). The bus interconnection methods are
   typically proprietary and will not be addressed here.

   A NAS is sometimes referred to as a Remote Access Server (RAS) as it
   typically allows remote access to a network. However, a more general
   picture is that of an "Edge Server", where the NAS sits on the edge of
   an IP network of some type, and allows dynamic access to it.

   Such systems typically have:
   - At least one LAN or high performance network interface (e.g.
     Ethernet, ATM, FR)
   - At least one, but typically many, serial interface ports, which could
     be:
     - serial RS232 ports, direct wired or wired to a modem, or
     - integral hardware or software modems (V.22bis, V.32, V.34, X2,
       Kflex, V.90, etc.)
     - direct connections to telephone network digital WAN lines
       (ISDN, T1, T3, NFAS, or SS7)
     - an aggregation of xDSL connections or PPPoE sessions [5].

   However, systems may perform some of the functions of a NAS, but not
   have these kinds of hardware characteristics. An example would be an
   industry personal computer server system that has several modem line
   connections. These lines will be managed like a dedicated NAS, but the
   system itself is a general file server.
   Likewise, with the development of tunneling protocols (L2F [6],
   ATMP [7], L2TP [8]), tunnel server systems must behave like a
   "virtual" NAS, where the calls come from network tunneled sessions and
   not hardware ports ([11][9][10]).

3. NAS Services

   The core of what a NAS provides is dynamic network services. What
   distinguishes a NAS from a typical routing system is that these
   services are provided on a per-user basis, based on an authentication,
   and the service is accounted for. This accounting may lead to policies
   and controls to limit appropriate usage to levels based on the
   availability of network bandwidth, or service agreements between the
   user and the provider.

   Typical services include:

   - dial-up or direct access serial line access; the ability to access
     the network using the public telephone network.
   - network access (SLIP, PPP, IPX, NETBEUI, ARAP); the NAS allows the
     caller to access the network directly.
   - asynchronous terminal services (Telnet, Rlogin, LAT, others); the NAS
     implements the network protocol on behalf of the caller, and presents
     a terminal interface.
   - dial-out connections; the ability to cause the NAS to initiate a
     connection over the public telephone network, typically based on the
     arrival of traffic to a specific network system.
   - callback (NAS generates call to caller); the ability to cause the NAS
     to reverse or initiate a network connection based on the arrival of a
     dial-in call.
   - tunneling (from access connection to remote server); the NAS
     transports the caller's network packets over a network to a remote
     server using an encapsulation protocol (L2TP [8], RADIUS support
     [11]).

4. Authentication, Authorization and Accounting (AAA) Servers

   Because of the need to authenticate and account, and for practical
   reasons of implementation, NAS systems have come to depend on external
   server systems to implement authentication databases and accounting
   recording.

   By separating these functions from the NAS equipment, they can be
   implemented in general purpose computer systems that may provide
   better suited long term storage media and more sophisticated database
   software infrastructures. Not to mention that a centralized server can
   allow the coordinated administration of many NAS systems as appropriate
   (for example, a single server may service an entire POP consisting of
   multiple NAS systems).

   For ease of management, there is a strong desire to piggyback NAS
   authentication information with other authentication databases, so that
   authentication information can be managed for several services (such as
   OS shell login, or Web Server access) from the same provider, without
   creating separate passwords and accounts for the user.

   Session activity information is stored and processed to produce
   accounting usage records. This is typically done with a long term
   (nightly, weekly or monthly) batch type process.

   However, as network operations grow in sophistication, there are
   requirements to provide real-time monitoring of port and user status,
   so that the state information can be used to implement policy
   decisions, monitor user trends, and possibly terminate access for
   administrative reasons. Typically only the NAS knows the true dynamic
   state of a session.

5. Typical NAS Operation Sequence

   The following details a typical NAS operational sequence:

   - Call arrival on port or network
     - Port:
       - auto-detect (or not) type of call
       - CLI/SLIP: prompt for username and password (if security set)
       - PPP: engage LCP, Authentication
       - Request authentication from AAA server
         - if okay, proceed to service
         - may challenge
         - may ask for password change/update
     - Network:
       - activate internal protocol server (telnet, ftp)
       - engage protocol's authentication technique
       - confirm authentication information with AAA server

   - Call Management Services
     - Information from the telephone system or gateway controller
       arrives indicating that a call has been received
     - The AAA server is consulted using the information supplied by
       the telephone system (typically Called or Calling number
       information)
     - The server indicates whether to respond to the call by
       answering it, or by returning a busy to the caller.
     - The server may also need to allocate a port to receive a
       call, and route it accordingly.
   - Dial-out
     - packet destination matches pre-configured outbound route
     - find profile information to set up call
     - Request information from AAA server for call details

   - VPN/Tunneling (compulsory)
     - authentication server identifies user as remote
     - tunnel protocol is invoked to a remote server
     - authentication information may be forwarded to remote AAA
       server
     - if successful, the local link is given a remote identity

   - Multi-link aggregation
     - after a new call is authenticated by the AAA server, if MP
       options are present, then other bundles with the same
       identifying information are searched for
     - bundle searches are performed across multiple systems
     - join calls that match authentication and originator
       identities as one network addressable data source with a
       single network IP address

   - Hardwired (non-interactive) services
     - permanent WAN connections (Frame Relay or PSVCs)
     - permanent serial connections (printers)

5.1 Characteristics of Systems and Sessions

   Sessions must have a user identifier and authenticator to complete the
   authentication process. Accounting starts from time of call or service,
   though finer details are allowed. At the end of service, the call may
   be disconnected or allowed to re-authenticate for additional services.

   Some systems allow decisions on call handling to be made based on
   telephone system information provided before the call is answered (e.g.
   caller id or destination number). In such systems, calls may be busied
   out or not answered if system resources are not ready or available.

   Authorization to run services is supplied and applied after
   authentication. A NAS may abort a call if session authorization
   information disagrees with call characteristics.
   Some system resources may be controlled by server driven policies.

   Accounting messages are sent to the accounting server when service
   begins and ends, and possibly periodically during service delivery.
   Accounting is not necessarily a real-time service; the NAS may queue
   and batch-send event records.

5.2 Separation of NAS and AAA server functions

   As a distributed system, there is a separation of roles between the NAS
   and the Server:

   - Server provides authentication services; checks passwords
     (static or dynamic)
   - Server databases may be organized in any way (only the protocol is
     specified)
   - Server may use external systems to authenticate (including OS
     user databases, token cards, one-time lists, proxy or other
     means)
   - Server provides authorization information to NAS
   - The process of providing a service may lead to requests for
     additional information
   - Service authorization may require real-time enforcement
     (services may be based on Time of Day, or variable cost debits)
   - Session accounting information is tallied by the NAS and
     reported to server

5.3 Network Management and Administrative features

   The NAS system is presumed to have a method of configuration that
   allows it to know its identity and network parameters at boot time.
   Likewise, this configuration information is typically managed using the
   standard management protocols (e.g. SNMP). This would include the
   configuration of the parameters necessary to contact the AAA server
   itself. The purpose of the AAA server is not to provide network
   management for the NAS, but to authorize and characterize the
   individual services for the users. Therefore any feature that can be
   user specific is open to supply from the AAA server.

   The system may have other operational services that are used to run and
   control the NAS.
   Some users that have _Administrative_ privileges may
   have access to system configuration tools, or services that affect the
   operation and configuration of the system (e.g. loading boot images,
   internal file system access, etc.). Access to these facilities may
   also be authenticated by the AAA server (provided it is configured and
   reachable!) and levels of access authorization may be provided.

6. Authentication Methods

   A NAS system typically supports a number of authentication systems.
   For async terminal users, these may be as simple as a prompt and input.
   For network datalink users, such as PPP, several different
   authentication methods will be supported (PAP, CHAP [12], MS-CHAP [13]).
   Some of these may actually be protocols in and of themselves
   (EAP [14][15], and Kerberos).

   Additionally, the content of the authentication exchanges may not be
   straightforward. Hard token card systems, such as Safeword and SecurID,
   may generate one-time passphrases that must be validated against a
   proprietary server. In the case of multi-link support, it may be
   necessary to remember a session token or certificate for the later
   authentication of additional links.

   In the cases of VPN and compulsory tunneling services, typically a
   Network Access Identifier (RFC 2486 [16]) is presented by the user.
   This NAI is parsed into a destination network identifier either by the
   NAS or by the AAA server. The authentication information will
   typically not be validated locally, but by an AAA service at the remote
   end of the tunnel service.

7. Session Authorization Information

   Once a user has been authenticated, there are a number of individual
   bits of information that the network management may wish to configure
   and authorize for the given user or class of users.
   Typical examples include:

   For async terminal users:
   - banners
   - custom prompts
   - menus
   - CLI macros - which could be used for: shortcuts, compound
     commands, restrictive scripts

   For network users:
   - addresses, and routes
   - callback instructions
   - packet and activity filters
   - network server addresses
   - host server addresses

   Some services may require dynamic allocation of resources. Information
   about the resources required may not be known during the authentication
   phase; it may come up later (e.g. IP Addresses for multi-link bundles).
   It's also possible that the authorization will change over the time of
   the session. To provide these there has to be a division of
   responsibility between the NAS and the AAA server, or a cooperation
   using a stateful service.

   Such services include:

   - IP Address management
   - Concurrent login limitations
   - Tunnel usage limitations
   - Real-time account expirations
   - Call management policies

   In the process of resolving resource information, it may be required
   that a certain level of service be supplied, and if not available, the
   request refused, or corrective action taken.

8. IP Network Interaction

   As the NAS participates in the IP network, it interacts with the
   routing mechanisms of the network itself. These interactions may also
   be controlled on a per-user/session basis.

   For example, some input streams may be directed to specific hosts other
   than the default gateway for the destination subnet. In order to
   control services within the network provider's infrastructure, some
   types of packets may be discarded (filtered) before entering the
   network. These filters could be applied based on examination of
   destination address and port number. Anti-spoofing packet controls may
   be applied to disallow traffic sourced from addresses other than what
   was assigned to the port.
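   The sequence of Sections 5 through 8, as an added example that is not
   part of this draft: one dial-in port issues a CHAP challenge (RFC 1994,
   MD5 over the Identifier, the shared secret and the challenge), relays
   the peer's response to an AAA server that alone holds the secret,
   receives the session authorization (an assigned address and packet
   filters) and then applies the destination filters and the anti-spoofing
   control to packets from the client side. The user record, secret,
   addresses and filter rules are constructed for the illustration; a
   wrong secret and a replayed response are shown being rejected.

```python
"""Toy NAS port for Sections 5-8: CHAP relayed to an AAA server, then the returned
authorization (assigned address, packet filters) enforced. Constructed example."""
import hashlib, hmac, os
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


@dataclass(frozen=True)
class Filter:                # one Section 7 "packet filter"; first match wins
    dst: IPv4Network
    dport: object            # destination port, or None for any port
    action: str              # "permit" or "deny"


@dataclass
class Authorization:         # what the AAA server returns for a session
    framed_ip: IPv4Address   # address assigned to the port
    filters: list


AAA_USERS = {                # constructed user database of the example server
    "alice@example.net": {
        "secret": b"alice-chap-secret",
        "framed_ip": IPv4Address("10.1.2.3"),
        "filters": [
            Filter(IPv4Network("10.1.0.0/16"), None, "permit"),  # provider net
            Filter(IPv4Network("0.0.0.0/0"), 80, "permit"),      # web anywhere
        ],
    },
}


class AAAServer:
    """Holds secrets and policy; the NAS only relays the CHAP exchange to it."""
    def __init__(self, users):
        self.users = users

    def authenticate(self, user, ident, challenge, response):
        rec = self.users.get(user)
        if rec is None:
            return None
        expected = chap_response(ident, rec["secret"], challenge)
        if not hmac.compare_digest(expected, response):
            return None
        return Authorization(rec["framed_ip"], list(rec["filters"]))


class NASPort:
    """One dial-in port: challenge, relay to AAA, then enforce the authorization."""
    def __init__(self, aaa: AAAServer):
        self.aaa, self.ident, self.challenge, self.session = aaa, 0, None, None

    def issue_challenge(self):
        """Fresh random challenge and a new Identifier for every attempt."""
        self.ident = (self.ident + 1) % 256
        self.challenge = os.urandom(16)
        return self.ident, self.challenge

    def complete_chap(self, user, ident, response) -> bool:
        """Peer's CHAP Response; only the outstanding Identifier is accepted."""
        if self.challenge is None or ident != self.ident:
            return False                  # stale or replayed Identifier
        self.session = self.aaa.authenticate(user, ident, self.challenge, response)
        self.challenge = None             # a challenge is single-use
        return self.session is not None

    def admit(self, src: str, dst: str, dport: int) -> str:
        """Verdict for one packet arriving from the client side of the port."""
        if self.session is None:
            return "drop:unauthenticated"
        if IPv4Address(src) != self.session.framed_ip:
            return "drop:spoofed-source"  # Section 8 anti-spoofing control
        for f in self.session.filters:
            if IPv4Address(dst) in f.dst and f.dport in (None, dport):
                return "forward" if f.action == "permit" else "drop:filtered"
        return "drop:no-matching-filter"


def run_session(user="alice@example.net", secret=b"alice-chap-secret"):
    """Drive one port through the operation sequence and collect the verdicts."""
    port = NASPort(AAAServer(AAA_USERS))
    r = {"before_auth": port.admit("10.1.2.3", "10.1.50.7", 22)}
    ident1, chal1 = port.issue_challenge()
    good1 = chap_response(ident1, secret, chal1)   # the peer's correct answer
    r["wrong_secret"] = port.complete_chap(user, ident1, chap_response(ident1, b"guess", chal1))
    ident2, chal2 = port.issue_challenge()         # NAS re-challenges
    r["replayed_old"] = port.complete_chap(user, ident1, good1)   # old Identifier
    r["valid"] = port.complete_chap(user, ident2, chap_response(ident2, secret, chal2))
    r["intranet"] = port.admit("10.1.2.3", "10.1.50.7", 22)
    r["web"] = port.admit("10.1.2.3", "192.0.2.10", 80)
    r["ssh_outside"] = port.admit("10.1.2.3", "192.0.2.10", 22)
    r["spoofed"] = port.admit("10.9.9.9", "10.1.50.7", 22)
    return r
```

   Calling run_session() returns the verdict for each step; the NAS never
   sees the secret, and a response computed for an earlier challenge is
   refused because the Identifier no longer matches the outstanding one.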
   A NAS may also be an edge router system, and apply Quality of Service
   (QoS) policies to the packets. This makes it a QoS Policy Enforcement
   Point [19][17]. It may learn QoS and other network policies for the
   user via the AAA service.

9. A NAS Model

   So far we have looked at examples of things that NASes do. The
   following attempts to define a NAS model that captures the fundamentals
   of NAS structure to better categorize how it interacts with other
   network components.

   A Network Access Server is a device which sits on the edge of a
   network, and provides access to services on that network in a
   controlled fashion, based on the identity of the user of the network
   services in question and on the policy of the provider of these
   services. For the purposes of this document, a Network Access Server
   is defined primarily as a device which accepts multiple point-to-point
   [18] links on one set of interfaces, providing access to a routed
   network or networks on another set of interfaces.

   Note that there are many things that a Network Access Server is not. A
   NAS is not simply a router, although it will typically include routing
   functionality in its interface to the network. A NAS is not
   necessarily a dial access server, although dial access is one common
   means of network access, and brings its own particular set of
   requirements to NAS's.

   A NAS is the first device in the IP network to provide services to an
   end user, and acts as a gateway for all further services. It is the
   point at which users are authenticated, access policy is enforced,
   network services are authorized, network usage is audited, and resource
   consumption is tracked. That is, a NAS often acts as the policy
   enforcement point for network AAAA (authentication, authorization,
   accounting, and auditing) services.
   A NAS is typically the first place in a network where security
   measures and policy may be implemented.

9.1 A Reference Model of a NAS

   For reference in the following discussion, a diagram of a NAS, its
   dependencies, and its interfaces is given below. This diagram is
   intended as an abstraction of a NAS as a reference model, and is not
   intended to represent any particular NAS implementation.

                               Users
                        v  v  v  v  v  v  v
                        |  |   PSTN    |  |
                        |  |    or     |  |
                        |encapsulated
                        +-----------------+
                        |    (Modems)     |
                        +-----------------+
                        |  |  |  |  |  |  |
               +--+----------------------------+
               |  |                            |
               |N |      Client Interface      |
               |  |                            |
               |A +----------Routing ----------+
               |  |                            |
               |S |      Network Interface     |
               |  |                            |
               +--+----------------------------+
                       /       |       \
                      /        |        \
                     /         |         \
                    /          |          \
  POLICY MANAGEMENT/           |           \ DEVICE MANAGEMENT
  +---------------+            |             +-------------------+
  | Authentication|          _/^\_           |Device Provisioning|
  +---------------+        _/     \_         +-------------------+
  | Authorization |      _/         \_       |Device Monitoring  |
  +---------------+    _/             \_     +-------------------+
  | Accounting    |   /      The        \
  +---------------+   \_  Network(s)   _/
  | Auditing      |     \_           _/
  +---------------+       \_       _/
                            \_   _/
                              \_/

9.2 Terminology

   Following is a description of the modules and interfaces in the
   reference model for a NAS given above:

   Client Interfaces - A NAS has one or more client interfaces, which
      provide the interface to the end users who are requesting network
      access. Users may connect to these client interfaces via modems
      over a PSTN, or via tunnels over a data network. Two broad classes
      of NAS's may be defined, based on the nature of the incoming client
      interfaces, as follows. Note that a single NAS device may serve in
      both classes:

      Dial Access Servers - A Dial Access Server is a NAS whose client
         interfaces consist of modems, either local or remote, which are
         attached to a PSTN.
      Tunnel Servers - A Tunnel Server is a NAS whose client interfaces
         consist of tunneling endpoints in a protocol such as L2TP.

   Network Interfaces - A NAS has one or more network interfaces, which
      connect to the networks to which access is being granted.

   Routing - If the network to which access is being granted is a routed
      network, then a NAS will typically include routing functionality.

   Policy Management Interface - A NAS provides an interface which allows
      access to network services to be managed on a per-user basis. This
      interface may be a configuration file, a graphical user interface,
      an API, or a protocol such as RADIUS, Diameter, or COPS [19]. This
      interface provides a mechanism for granular resource management and
      policy enforcement.

   Authentication - Authentication refers to the confirmation that a user
      who is requesting services is a valid user of the network services
      requested. Authentication is accomplished via the presentation of
      an identity and credentials. Examples of types of credentials are
      passwords, one-time tokens, digital certificates, and phone numbers
      (calling/called).

   Authorization - Authorization refers to the granting of specific types
      of service (including "no service") to a user, based on their
      authentication, what services they are requesting, and the current
      system state. Authorization may be based on restrictions, for
      example time-of-day restrictions, or physical location restrictions,
      or restrictions against multiple logins by the same user.
      Authorization determines the nature of the service which is granted
      to a user. Examples of types of service include, but are not
      limited to: IP address filtering, address assignment, route
      assignment, QoS/differential services, bandwidth control/traffic
      management, compulsory tunneling to a specific endpoint, and
      encryption.
   Accounting - Accounting refers to the tracking of the consumption of
      NAS resources by users. This information may be used for management,
      planning, billing, or other purposes. Real-time accounting refers
      to accounting information that is delivered concurrently with the
      consumption of the resources. Batch accounting refers to accounting
      information that is saved until it is delivered at a later time.
      Typical information that is gathered in accounting is the identity
      of the user, the nature of the service delivered, when the service
      began, and when it ended.

   Auditing - Auditing refers to the tracking of activity by users. As
      opposed to accounting, where the purpose is to track consumption of
      resources, the purpose of auditing is to determine the nature of a
      user's network activity. Examples of auditing information include
      the identity of the user, the nature of the services used, what
      hosts were accessed when, what protocols were used, etc.

   AAAA Server - An AAAA Server is a server or servers that provide
      authentication, authorization, accounting, and auditing services.
      These may be co-located with the NAS, or more typically, are located
      on a separate server and communicate with the NAS's User Management
      Interface via an AAAA protocol. The four AAAA functions may be
      located on a single server, or may be broken up among multiple
      servers.

   Device Management Interface - A NAS is a network device which is owned,
      operated, and managed by some entity. This interface provides a
      means for this entity to operate and manage the NAS. This interface
      may be a configuration file, a graphical user interface, an API, or
      a protocol such as SNMP [20].

   Device Monitoring - Device monitoring refers to the tracking of status,
      activity, and usage of the NAS as a network device.
Device Provisioning - Device provisioning refers to the configurations,
   settings, and control of the NAS as a network device.

9.3 Analysis

Following is an analysis of the functions of a NAS using the reference
model above:

9.3.1 Authentication and Security

NAS's serve as the first point of authentication for network users,
providing security to user sessions. This security is typically
performed by checking credentials such as a PPP PAP user name/password
pair or a PPP CHAP user name and challenge/response, but may be
extended to authentication via telephone number information, digital
certificates, or biometrics. NAS's also may authenticate themselves to
users. Since a NAS may be shared among multiple administrative
entities, authentication may actually be performed via a back-end
proxy, referral, or brokering process.

In addition to user security, NAS's may themselves be operated as
secure devices. This may include secure methods of management and
monitoring, use of IP Security [21] and even participation in a Public
Key Infrastructure.

9.3.2 Authorization and Policy

NAS's are the first point of authorization for usage of network
resources, and NAS's serve as policy enforcement points for the
services that they deliver to users. NAS's may provision these
services to users in a statically or dynamically configured fashion.
Resource management can be performed at a NAS by granting specific
types of service based on the current network state. In the case of
shared operation, NAS policy may be determined based on the policy of
multiple end systems.

9.3.3 Accounting and Auditing

Since NAS services are consumable resources, usage information must
often be collected for the purposes of soft policy management,
reporting, planning, and accounting. A dynamic, real-time view of NAS
usage is often required for network auditing purposes.
Since a NAS may be shared among multiple administrative entities, usage
information must often be delivered to multiple endpoints. Accounting is
performed using such protocols as RADIUS [2].

9.3.4 Resource Management

NAS's deliver resources to users, often in a dynamic fashion. Examples
of the types of resources doled out by NAS's are IP addresses, network
names and name server identities, tunnels, and PSTN resources such as
phone lines and numbers. Note that NAS's may be operated in an
outsourcing model, where multiple entities are competing for the same
resources.

9.3.5 Virtual Private Networks (VPN's)

NAS's often participate in VPN's, and may serve as the means by which
VPN's are implemented. Examples of the use of NAS's in VPN's are: Dial
Access Servers that build compulsory tunnels, Dial Access Servers that
provide services to voluntary tunnelers, and Tunnel Servers that
provide tunnel termination services. NAS's may simultaneously provide
VPN and public network services to different users, based on policy and
user identity.

9.3.6 Service Quality

A NAS may deliver different qualities, types, or levels of service to
different users based on policy and identity. NAS's may perform
bandwidth management, allow differential speeds or methods of access,
or even participate in provisioned or signaled Quality of Service (QoS)
networks.

9.3.7 Roaming

NAS's are often operated in a shared or outsourced manner, or a NAS
operator may enter into agreements with other service providers to
grant access to users from these providers (roaming operations). NAS's
often are operated as part of a global network. All these imply that a
NAS often provides services to users from multiple administrative
domains simultaneously. The features of NAS's may therefore be driven
by requirements of roaming [22].

References:

[1] C. Rigney, et al.
"Remote Authentication Dial In User Service (RADIUS)", RFC 2138,
    April 1977.

[2] C. Rigney, et al., "RADIUS Accounting", RFC 2139, April 1977.

[3] P. Calhoun, "Diameter Base Protocol", draft-calhoun-diameter-07.txt,
    November 1998.

[4] G. Zorn, "Yet Another Authentication Protocol (YAAP)",
    draft-zorn-yaap-01.txt, 30 June 1996.

[5] L. Mamakos et al., "A Method for Transmitting PPP Over Ethernet
    (PPPoE)", RFC 2516, UUNET Technologies, Inc., February 1999.

[6] A. Valencia, M. Littlewood, T. Kolar, "Cisco Layer Two Forwarding
    (Protocol) L2F", RFC 2341, May 1998.

[7] Hamzeh, K., "Ascend Tunnel Management Protocol - ATMP", RFC 2107,
    February 1997.

[8] A. Valencia, et al., "Layer Two Tunneling Protocol (L2TP)",
    draft-ietf-pppext-l2tp-12.txt, Oct 1998.

[9] G. Zorn, D. Leifer, A. Rubens, J. Shriver, "RADIUS Attributes for
    Tunnel Protocol Support", draft-ietf-radius-tunnel-auth-06.txt,
    September 1998.

[10] G. Zorn, D. Mitton, "RADIUS Accounting Modifications for Tunnel
    Protocol Support", draft-ietf-radius-tunnel-acct-02.txt,
    September 1999.

[11] Aboba, Zorn, "Implementation of PPTP/L2TP Compulsory Tunneling via
    RADIUS", draft-ietf-radius-tunnel-imp-03.txt, July 1997.

[12] Simpson, W., "PPP Challenge Handshake Authentication Protocol
    (CHAP)", RFC 1994, August 1996.

[13] G. Zorn, S. Cobb, "Microsoft PPP CHAP Extensions",
    draft-ietf-pppext-mschap-00.txt, March 1998.

[14] L. Blunk, J. Vollbrecht, "PPP Extensible Authentication Protocol
    (EAP)", RFC 2284, March 1998.

[15] Calhoun, et al., "Extensible Authentication Protocol Support in
    RADIUS", draft-ietf-radius-eap-05.txt, May 1998.

[16] B. Aboba, M. Beadles, "The Network Access Identifier", RFC 2486,
    Jan 1999.

[17] R. Braden, L. Zhang, S. Berson, S. Herzog, S. Jamin, "Resource
    ReSerVation Protocol (RSVP) Version 1 Functional Specification",
    RFC 2205, September 1997.

[18] Simpson, Editor,
"The Point-to-Point Protocol (PPP)", RFC 1661, July 1994.

[19] Boyle, Cohen, Durham, Herzog, Raja, Sastry, "The COPS (Common Open
    Policy Service) Protocol", draft-ietf-rap-cops-06.txt, February 1999.

[20] Case, Fedor, Schoffstall, and Davin, "A Simple Network Management
    Protocol (SNMP)", RFC 1157, May 1990.

[21] Atkinson, Kent, "Security Architecture for the Internet Protocol",

[22] Aboba, Zorn, "Dialup Roaming Requirements",
    draft-ietf-roamops-roamreq-05.txt, July 1997.

10. Acknowledgments

This document is a synthesis of my earlier draft and Mark Beadles' NAS
Reference Model draft (draft-beadles-nas-01.txt).

11. Author's Information:

David Mitton
Nortel Networks
8 Federal St. BL8-05
Billerica, MA 01821

Phone: 978-288-4570
Email: dmitton@nortelnetworks.com

Mark Beadles
UUNET, an MCI WorldCom Company
5000 Britton Rd
Hilliard, OH 43026

Phone: 614-723-1941
Email: mbeadles@wcom.net

12. Full Copyright Statement

Copyright (C) The Internet Society (May 1999). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it or
assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing the
copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of developing
Internet standards in which case the procedures for copyrights defined
in the Internet Standards process must be followed, or as required to
translate it into languages other than English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL
NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE."

13. Appendix - Acronyms and Glossary:

AAA - Authentication, Authorization, Accounting; the three primary
   services required by a NAS server or protocol.

NAS - Network Access Server, a system that provides access to a
   network. In some cases also known as a RAS, Remote Access Server.

CLI - Command Line Interface, an interface to a command line
   service for use with a common asynchronous terminal facility.

SLIP - Serial Line Internet Protocol, an IP-only serial datalink,
   predecessor to PPP.

PPP - Point-to-Point Protocol; a serial datalink level protocol
   that supports IP as well as other network protocols. PPP has three
   major states of operation: LCP - Link layer Control Protocol;
   Authentication, of which there are several types (PAP, CHAP, EAP);
   and NCP - Network layer Control Protocol, which negotiates the
   network layer parameters for each of the protocols in use.

IPX - Novell's NetWare transport protocol.

NETBEUI - A Microsoft/IBM LAN protocol used by Microsoft file
   services and the NETBIOS applications programming interface.

ARAP - AppleTalk Remote Access Protocol.

LAT - Local Area Transport; a Digital Equipment Corp. LAN protocol
   for terminal services.

PPPoE - PPP over Ethernet; a protocol that forwards PPP frames on
   a LAN infrastructure. Often used to aggregate PPP streams at a
   common server bank.
VPN - Virtual Private Network; a term for networks that appear to
   be private to the user by the use of tunneling techniques.

FR - Frame Relay, a synchronous WAN protocol and telephone network
   intraconnect service.

PSVC - Permanent Switched Virtual Circuit; a service which
   delivers a virtual permanent circuit by a switched network.

PSTN - Public Switched Telephone Network.

ISDN - Integrated Services Digital Network, a telephone network
   facility for transmitting digital and analog information over a
   digital network connection. A NAS may have the ability to receive
   the information from the telephone network in digital form.

ISP - Internet Service Provider; a provider of Internet access
   (also Network Service Provider, NSP).

BRI - Basic Rate Interface; a digital telephone interface.

PRI - Primary Rate Interface; a digital telephone interface of 64K
   bits per second.

T1 - A digital telephone interface which provides 24-36 channels
   of PRI data and one control channel (2.048 Mbps).

T3 - A digital telephone interface which provides 28 T1 services.
   Signalling control for the entire connection is provided on a
   dedicated in-band channel.

NFAS - Non-Facility Associated Signaling, a telephone network
   protocol/service for providing call information on a separate wire
   connection from the call itself. Used with multiple T1 or T3
   connections.

SS7 - A telephone network protocol for communicating call
   supervision information on a separate data network from the voice
   network.

POP - Point Of Presence; a geographic location of equipment and
   interconnection to the network. An ISP typically manages all
   equipment in a single POP in a similar manner.

VSA - Vendor Specific Attributes; RADIUS attributes defined by
   vendors using the provision of attribute 26.