Network Working Group D. Mitton
Request for Comments: 2881 Nortel Networks
Category: Informational M. Beadles
SmartPipes Inc.
July 2000
Network Access Server Requirements Next Generation (NASREQNG)
NAS Model
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This document describes the terminology and gives a model of a
typical Network Access Server (NAS). The purpose of this effort is to
set the reference space for describing and evaluating NAS service
protocols, such as RADIUS (RFCs 2865, 2866) [1], [2] and follow-on
efforts like AAA Working Group, and the Diameter protocol [3]. These
are protocols for carrying user service information for
authentication, authorization, accounting, and auditing, between a
Network Access Server which desires to authenticate its incoming
calls and a shared authentication server.
Table of Contents
1. INTRODUCTION...................................................2
1.1 Scope of this Document ......................................2
1.2 Specific Terminology ........................................3
2. NETWORK ACCESS SYSTEM EQUIPMENT ASSUMPTIONS....................3
3. NAS SERVICES...................................................4
4. AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA) SERVERS.....5
5. TYPICAL NAS OPERATION SEQUENCE:................................5
5.1 Characteristics of Systems and Sessions: ....................6
5.2 Separation of NAS and AAA server functions ..................7
5.3 Network Management and Administrative features ..............7
6. AUTHENTICATION METHODS.........................................8
7. SESSION AUTHORIZATION INFORMATION..............................8
8. IP NETWORK INTERACTION.........................................9
9. A NAS MODEL...................................................10
Mitton & Beadles Informational [Page 1]
RFC 2881 NASreq NAS Model July 2000
9.1 A Reference Model of a NAS .................................10
9.2 Terminology ................................................11
9.3 Analysis ...................................................13
9.3.1 Authentication and Security .............................13
9.3.2 Authorization and Policy ................................14
9.3.3 Accounting and Auditing .................................14
9.3.4 Resource Management .....................................14
9.3.5 Virtual Private Networks (VPN's) ........................14
9.3.6 Service Quality .........................................15
9.3.7 Roaming .................................................15
10. SECURITY CONSIDERATIONS......................................15
11. REFERENCES ..................................................16
12. ACKNOWLEDGMENTS..............................................17
13. AUTHORS' ADDRESSES ..........................................17
14. APPENDIX - ACRONYMS AND GLOSSARY:............................18
15. FULL COPYRIGHT STATEMENT.....................................20
1. Introduction
A Network Access Server is the initial entry point to a network for
the majority of users of network services. It is the first device in
the network to provide services to an end user, and acts as a gateway
for all further services. As such, its importance to users and
service providers alike is paramount. However, the concept of a
Network Access Server has grown up over the years without being
formally defined or analyzed [4].
1.1 Scope of this Document
There are several tradeoffs taken in this document. The purpose of
this document is to describe a model for evaluating NAS service
protocols. It will give examples of typical NAS hardware and
software features, but these are not to be taken as hard limitations
of the model, but merely illustrative of the points of discussion.
An important goal of the model is to offer a framework that allows
further development and expansion of capabilities in NAS
implementation.
As with most IETF projects, the focus is on standardizing the
protocol interaction between the components of the system. The
documents produced will not address the following areas:
- AAA server back-end implementation is abstracted and not
prescribed. The actual organization of the data in the server, its
internal interfaces, and capabilities are left to the
implementation.
- NAS front-end call technology is not assumed to be static.
Alternate and new technology will be accommodated. The resultant
protocol specifications must be flexible in design to allow for new
technologies and services to be added with minimal impact on
existing implementations.
1.2 Specific Terminology
The following terms are used in this document in this manner:
A "Call" - the initiation of a network service request to the NAS.
This can mean the arrival of a telephone call via a dial-in or
switched telephone network connection, or the creation of a tunnel to
a tunnel server which becomes a virtual NAS.
A "Session" - the NAS-provided service to a specific authorized user
entity.
2. Network Access System Equipment Assumptions
A typical hardware-based NAS is implemented in a constrained system.
It is important that the NAS protocols don't assume unlimited
resources on the part of the platform. The following are typical
constraints:
- A computer system of minimal to moderate performance
(example processors: Intel 386 or 486, Motorola 68000)
- A moderate amount, but not large RAM (typically varies with
supported # of ports 1MB to 8MB)
- Some small amount of non-volatile memory, and/or way to be
configured out-of-band
- No assumption of a local file system or disk storage
A NAS system may consist of a system of interconnected specialized
processor system units. Typically they may be circuit boards (or
blades) that are arrayed in a card cage (or chassis) and referred to
by their position (i.e., slot number). The bus interconnection
methods are typically proprietary and will not be addressed here.
A NAS is sometimes referred to as a Remote Access Server (RAS) as it
typically allows remote access to a network. However, a more general
picture is that of an "Edge Server", where the NAS sits on the edge
of an IP network of some type, and allows dynamic access to it.
Such systems typically have:
- At least one LAN or high performance network interface (e.g.,
Ethernet, ATM, FR)
- At least one, but typically many, serial interface ports, which
could be:
- serial RS232 ports direct wired or wired to a modem, or
- have integral hardware or software modems (V.22bis,V.32, V.34,
X2, Kflex, V.90, etc.)
- have direct connections to telephone network digital WAN lines
(ISDN, T1, T3, NFAS, or SS7)
- an aggregation of xDSL connections or PPPoe sessions [5].
However, systems may perform some of the functions of a NAS without
having these kinds of hardware characteristics. An example would be
an industry-standard personal computer server system that has several
modem line connections. These lines will be managed like a dedicated
NAS, but the system itself is a general file server. Likewise, with
the development of tunneling protocols (L2F [6], ATMP [7], L2TP [8]),
tunnel server systems must behave like a "virtual" NAS, where the
calls come from network tunneled sessions and not hardware ports
([11], [9], [10]).
3. NAS Services
The core of what a NAS provides is dynamic network services. What
distinguishes a NAS from a typical routing system is that these
services are provided on a per-user basis, based on an authentication,
and the service is accounted for. This accounting may lead to
policies and controls that limit usage to appropriate levels based on
the availability of network bandwidth, or on service agreements
between the user and the provider.
Typical services include:
- dial-up or direct access serial line access; Ability to access the
network using the public telephone network.
- network access (SLIP, PPP, IPX, NETBEUI, ARAP); The NAS allows the
caller to access the network directly.
- asynchronous terminal services (Telnet, Rlogin, LAT, others); The
NAS implements the network protocol on behalf of the caller, and
presents a terminal interface.
- dial-out connections; Ability to cause the NAS to initiate a
connection over the public telephone network, typically based on the
arrival of traffic to a specific network system.
- callback (NAS generates call to caller); Ability to cause the NAS to
reverse or initiate a network connection based on the arrival of a
dial-in call.
- tunneling (from access connection to remote server); The NAS
transports the caller's network packets over a network to a remote
server using an encapsulation protocol. (L2TP [8], RADIUS support
[11])
4. Authentication, Authorization and Accounting (AAA) Servers
Because of the need to authenticate and account, and for practical
reasons of implementation, NAS systems have come to depend on
external server systems to implement authentication databases and
accounting recording.
By separating these functions from the NAS equipment, they can be
implemented in general purpose computer systems that may provide
better suited long term storage media and more sophisticated database
software infrastructures. A centralized server also allows the
coordinated administration of many NAS systems as appropriate (for
example, a single server may service an entire POP consisting of
multiple NAS systems).
For ease of management, there is a strong desire to piggyback NAS
authentication information with other authentication databases, so
that authentication information can be managed for several services
(such as OS shell login, or Web Server access) from the same
provider, without creating separate passwords and accounts for the
user.
Session activity information is stored and processed to produce
accounting usage records. This is typically done with a long term
(nightly, weekly or monthly) batch type process.
However, as network operations grow in sophistication, there are
requirements to provide real-time monitoring of port and user status,
so that the state information can be used to implement policy
decisions, monitor user trends, and possibly terminate access for
administrative reasons. Typically only the NAS knows the true dynamic
state of a session.
5. Typical NAS Operation Sequence:
The following details a typical NAS operational sequence:
- Call arrival on port or network
   - Port:
      - auto-detect (or not) type of call
      - CLI/SLIP: prompt for username and password (if security
        set)
      - PPP: engage LCP, Authentication
         - Request authentication from AAA server
            - if okay, proceed to service
            - may challenge
            - may ask for password change/update
   - Network:
      - activate internal protocol server (telnet, ftp)
      - engage protocol's authentication technique
      - confirm authentication information with AAA server
- Call Management Services
   - Information from the telephone system or gateway controller
     arrives indicating that a call has been received
   - The AAA server is consulted using the information supplied by
     the telephone system (typically Called or Calling number
     information)
   - The server indicates whether to respond to the call by
     answering it, or by returning a busy to the caller.
   - The server may also need to allocate a port to receive a
     call, and route it accordingly.
- Dial-out
   - packet destination matches outbound route pre-configured
   - find profile information to setup call
      - Request information from AAA server for call details
- VPN/Tunneling (compulsory)
   - authentication server identifies user as remote
   - tunnel protocol is invoked to a remote server
   - authentication information may be forwarded to remote AAA
     server
   - if successful, the local link is given a remote identity
- Multi-link aggregation
   - after a new call is authenticated by the AAA server, if MP
     options are present, then other bundles with the same
     identifying information are searched for
   - bundle searches are performed across multiple systems
   - join calls that match authentication and originator
     identities as one network addressable data source with a
     single network IP address
- Hardwired (non-interactive) services
   - permanent WAN connections (Frame Relay or PSVCs)
   - permanent serial connections (printers)
5.1 Characteristics of Systems and Sessions:
Sessions must have a user identifier and authenticator to complete
the authentication process. Accounting starts from time of call or
service, though finer details are allowed. At the end of service, the
call may be disconnected or allow re-authentication for additional
services.
Some systems allow decisions on call handling to be made based on
telephone system information provided before the call is answered
(e.g., caller id or destination number). In such systems, calls may
be busied-out or non-answered if system resources are not ready or
available.
Authorization to run services is supplied and applied after
authentication. A NAS may abort the call if session authorization
information disagrees with call characteristics. Some system
resources may be controlled by server driven policies.
Accounting messages are sent to the accounting server when service
begins and ends, and possibly periodically during service delivery.
Accounting is not necessarily a real-time service; the NAS may queue
event records and send them in batches.
5.2 Separation of NAS and AAA server functions
As a distributed system, there is a separation of roles between the
NAS and the Server:
- Server provides authentication services; checks passwords
(static or dynamic)
- Server databases may be organized in any way (only protocol
specified)
- Server may use external systems to authenticate (including OS
user databases, token cards, one-time-lists, proxy or other
means)
- Server provides authorization information to NAS
- The process of providing a service may lead to requests for
additional information
- Service authorization may require real-time enforcement
(services may be based on Time of Day, or variable cost
debits)
- Session accounting information is tallied by the NAS and
reported to server
5.3 Network Management and Administrative features
The NAS system is presumed to have a method of configuration that
allows it to know its identity and network parameters at boot time.
Likewise, this configuration information is typically managed using
the standard management protocols (e.g., SNMP). This would include
the configuration of the parameters necessary to contact the AAA
server itself. The purpose of the AAA server is not to provide
network management for the NAS, but to authorize and characterize the
individual services for the users. Therefore any feature that can be
user specific is open to supply from the AAA server.
The system may have other operational services that are used to run
and control the NAS. Some users that have _Administrative_
privileges may have access to system configuration tools, or services
that affect the operation and configuration of the system (e.g.,
loading boot images, internal file system access, etc.). Access to
these facilities may also be authenticated by the AAA server
(provided it is configured and reachable!) and levels of access
authorization may be provided.
6. Authentication Methods
A NAS system typically supports a number of authentication systems.
For async terminal users, these may be as simple as a prompt and
input. For network datalink users, such as PPP, several different
authentication methods will be supported (PAP, CHAP [12], MS-CHAP
[13]). Some of these may actually be protocols in and of themselves
(EAP [14] [15], and Kerberos).
Additionally, the content of the authentication exchanges may not be
straightforward. Hard token cards, such as the Safeword and SecurId
systems, may generate one-time passphrases that must be validated
against a proprietary server. In the case of multi-link support, it
may be necessary to remember a session token or certificate for the
later authentication of additional links.
In the cases of VPN and compulsory tunneling services, typically a
Network Access Identifier (RFC 2486 [16]) is presented by the user.
This NAI is parsed into a destination network identifier either by
the NAS or by the AAA server. The authentication information will
typically not be validated locally, but by an AAA service at the
remote end of the tunnel service.
7. Session Authorization Information
Once a user has been authenticated, there are a number of individual
bits of information that the network management may wish to configure
and authorize for the given user or class of users.
Typical examples include:
For async terminal users:
- banners
- custom prompts
- menus
- CLI macros - which could be used for: shortcuts, compound
commands, restrictive scripts
For network users:
- addresses, and routes
- callback instructions
- packet and activity filters
- network server addresses
- host server addresses
Some services may require dynamic allocation of resources.
Information about the resources required may not be known during the
authentication phase; it may come up later (e.g., IP addresses for
multi-link bundles). It's also possible that the authorization will
change over the time of the session. To provide these there has to be
a division of responsibility between the NAS and the AAA server, or a
cooperation using a stateful service.
Such services include:
- IP Address management
- Concurrent login limitations
- Tunnel usage limitations
- Real-time account expirations
- Call management policies
In the process of resolving resource information, it may be required
that a certain level of service be supplied, and if not available,
the request refused, or corrective action taken.
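The operation sequence of section 5, the NAS/server role split of 5.2, PPP CHAP from section 6 and the time-of-day and concurrent-login controls of 5.2 and 7, modelled as an added example that is not part of RFC 2881: the AAA server holds the secrets and policy, the NAS holds the live session table, and accounting Start/Stop records are what let the server count sessions. The message shape (Python tuples and dicts with names such as "Framed-IP-Address") and the user records are assumptions for illustration, not the RADIUS or Diameter wire format.

```python
import hashlib
import hmac
import os
from datetime import datetime, time


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """PPP CHAP (RFC 1994) response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class AAAServer:
    """Owns the user database and policy; the NAS never sees a user's secret."""

    def __init__(self, users, max_concurrent=1):
        # users: name -> {"secret": bytes, "ip": str, "hours": (start time, end time)}
        self.users = users
        self.max_concurrent = max_concurrent
        self.active = {}        # user -> set of session ids believed to be up
        self.accounting = []    # (event, session id, user), in arrival order

    def access_request(self, user, identifier, challenge, response, now):
        """Authenticate, then authorize: ("Access-Accept", attrs) or ("Access-Reject", why)."""
        rec = self.users.get(user)
        if rec is None:
            return "Access-Reject", "bad credentials"   # same answer as a wrong secret
        expected = chap_response(identifier, rec["secret"], challenge)
        if not hmac.compare_digest(expected, response):
            return "Access-Reject", "bad credentials"
        start, end = rec["hours"]
        if not start <= now.time() < end:
            return "Access-Reject", "outside permitted hours"
        if len(self.active.get(user, ())) >= self.max_concurrent:
            return "Access-Reject", "concurrent-login limit"
        return "Access-Accept", {"Framed-IP-Address": rec["ip"], "Session-Timeout": 3600}

    def accounting_request(self, event, session_id, user):
        """Accounting Start/Stop. The server's view of 'active' is only as fresh as
        these records: if the NAS batches them (5.1), only the NAS knows the true state."""
        if event == "Start":
            self.active.setdefault(user, set()).add(session_id)
        elif event == "Stop":
            self.active.get(user, set()).discard(session_id)
        self.accounting.append((event, session_id, user))


class NAS:
    """Answers calls on ports and keeps the live session table."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.sessions = {}      # port -> {"id", "user", "ip"}
        self._next_id = 1

    def call_arrival(self, port, user, peer, now):
        """peer(identifier, challenge) -> response stands in for the dialling PPP client.
        Returns the new session dict, or the reject reason string."""
        if port in self.sessions:
            raise ValueError("port %d is busy" % port)
        identifier = self._next_id & 0xFF
        challenge = os.urandom(16)          # fresh per call, so a captured response is not reusable
        response = peer(identifier, challenge)
        code, payload = self.aaa.access_request(user, identifier, challenge, response, now)
        if code != "Access-Accept":
            return payload                  # NAS drops the call
        session = {"id": self._next_id, "user": user, "ip": payload["Framed-IP-Address"]}
        self._next_id += 1
        self.sessions[port] = session
        self.aaa.accounting_request("Start", session["id"], user)
        return session

    def call_end(self, port):
        session = self.sessions.pop(port)
        self.aaa.accounting_request("Stop", session["id"], session["user"])
        return session


def demo():
    """One constructed user limited to a single session; constructed secrets and times."""
    aaa = AAAServer({"alice": {"secret": b"s3cret", "ip": "192.0.2.10",
                               "hours": (time(8, 0), time(18, 0))}})
    nas = NAS(aaa)
    noon = datetime(2000, 7, 1, 12, 0)
    night = datetime(2000, 7, 1, 23, 0)
    alice = lambda ident, chal: chap_response(ident, b"s3cret", chal)
    guesser = lambda ident, chal: chap_response(ident, b"guess", chal)
    results = [
        nas.call_arrival(1, "alice", alice, noon),     # session 1 on port 1
        nas.call_arrival(2, "alice", alice, noon),     # "concurrent-login limit"
        nas.call_arrival(2, "alice", guesser, noon),   # "bad credentials"
    ]
    nas.call_end(1)                                    # Stop record frees the slot
    results.append(nas.call_arrival(2, "alice", alice, noon))   # session 2 on port 2
    nas.call_end(2)
    results.append(nas.call_arrival(3, "alice", alice, night))  # "outside permitted hours"
    return results, aaa.accounting
```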
8. IP Network Interaction
As the NAS participates in the IP network, it interacts with the
routing mechanisms of the network itself. These interactions may
also be controlled on a per-user/session basis.
For example, some input streams may be directed to specific hosts
other than the default gateway for the destination subnet. In order
to control services within the network provider's infrastructure,
some types of packets may be discarded (filtered) before entering the
network. These filters could be applied based on examination of
destination address and port number. Anti-spoofing packet controls
may be applied to disallow traffic sourced from addresses other than
what was assigned to the port.
A NAS may also be an edge router system, and apply Quality of Service
(QoS) policies to the packets. This makes it a QoS Policy
Enforcement Point [19], [17]. It may learn QoS and other network
policies for the user via the AAA service.
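The per-session controls of section 8 as an added example that is not part of RFC 2881: the NAS checks each packet arriving from the client side against the address assigned to that port (anti-spoofing), then applies the destination address/port deny filters it was given for the user. The packet bytes are constructed inline, and the filter syntax ("deny tcp 198.51.100.0/24 25") is an assumption for illustration, not any vendor's filter language.

```python
import ipaddress
import struct

PROTO = {"any": None, "icmp": 1, "tcp": 6, "udp": 17}


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol, dst port) from a raw IPv4 packet.
    The destination port is None unless the payload is TCP or UDP."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad header length")
    dport = None
    if proto in (6, 17) and len(pkt) >= ihl + 4:   # TCP and UDP both start with src/dst port
        _, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, dport)


def parse_rule(text: str):
    """'deny tcp 198.51.100.0/24 25' -> (protocol or None, network, port or None)."""
    action, proto, net, *port = text.split()
    if action != "deny" or proto not in PROTO:
        raise ValueError("unsupported rule: " + text)
    return PROTO[proto], ipaddress.IPv4Network(net), (int(port[0]) if port else None)


class Session:
    """Per-port state handed down at authorization: assigned address plus the user's filters."""

    def __init__(self, assigned_ip: str, deny_rules):
        self.assigned_ip = ipaddress.IPv4Address(assigned_ip)
        self.deny_rules = [(text, parse_rule(text)) for text in deny_rules]


def ingress_decision(session: Session, pkt: bytes) -> str:
    """Decide what the NAS does with a packet arriving from the client side of a session."""
    src, dst, proto, dport = parse_ipv4(pkt)
    if ipaddress.IPv4Address(src) != session.assigned_ip:
        return "drop: spoofed source " + src          # only the assigned address may send
    for text, (rproto, rnet, rport) in session.deny_rules:
        if rproto is not None and rproto != proto:
            continue
        if ipaddress.IPv4Address(dst) not in rnet:
            continue
        if rport is not None and rport != dport:
            continue
        return "drop: filtered by '%s'" % text
    return "forward"


def build_packet(src: str, dst: str, proto: int, dport: int = 0) -> bytes:
    """Constructed test packet: 20-byte IPv4 header (checksum left 0, which the
    filter does not verify) plus an 8-byte transport header with only the ports filled."""
    if proto in (6, 17):
        l4 = struct.pack("!HH", 40000, dport) + b"\x00" * 4
    else:
        l4 = b"\x08\x00\x00\x00\x00\x00\x00\x00"        # ICMP echo request, no ports
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + l4


def demo():
    """Session with assigned address 192.0.2.10 and two constructed deny filters."""
    session = Session("192.0.2.10", ["deny tcp 198.51.100.0/24 25", "deny any 203.0.113.7"])
    return [
        ingress_decision(session, build_packet("192.0.2.10", "198.51.100.20", 6, 80)),   # forward
        ingress_decision(session, build_packet("192.0.2.99", "198.51.100.20", 6, 80)),   # spoofed
        ingress_decision(session, build_packet("192.0.2.10", "198.51.100.5", 6, 25)),    # filtered
        ingress_decision(session, build_packet("192.0.2.10", "203.0.113.7", 1)),         # filtered
        ingress_decision(session, build_packet("192.0.2.10", "198.51.100.5", 17, 25)),   # forward (UDP)
    ]
```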
9. A NAS Model
So far we have looked at examples of things that NASes do. The
following attempts to define a NAS model that captures the
fundamentals of NAS structure to better categorize how it interacts
with other network components.
A Network Access Server is a device which sits on the edge of a
network, and provides access to services on that network in a
controlled fashion, based on the identity of the user of the network
services in question and on the policy of the provider of these
services. For the purposes of this document, a Network Access Server
is defined primarily as a device which accepts multiple point-to-
point [18] links on one set of interfaces, providing access to a
routed network or networks on another set of interfaces.
Note that there are many things that a Network Access Server is not.
A NAS is not simply a router, although it will typically include
routing functionality in its interface to the network. A NAS is not
necessarily a dial access server, although dial access is one common
means of network access, and brings its own particular set of
requirements to NAS's.
A NAS is the first device in the IP network to provide services to an
end user, and acts as a gateway for all further services. It is the
point at which users are authenticated, access policy is enforced,
network services are authorized, network usage is audited, and
resource consumption is tracked. That is, a NAS often acts as the
policy enforcement point for network AAAA (authentication,
authorization, accounting, and auditing) services. A NAS is
typically the first place in a network where security measures and
policy may be implemented.
9.1 A Reference Model of a NAS
For reference in the following discussion, a diagram of a NAS, its
dependencies, and its interfaces is given below. This diagram is
intended as an abstraction of a NAS as a reference model, and is not
intended to represent any particular NAS implementation.
                            Users
                       v  v  v  v  v  v  v
                       |  |  PSTN  |  |
                       |  |   or   |  |
                       |encapsulated
                    +-----------------+
                    |    (Modems)     |
                    +-----------------+
                       |  |  |  |  |  |  |
              +--+----------------------------+
              |  |                            |
              |N |      Client Interface      |
              |  |                            |
              |A +----------Routing ----------+
              |  |                            |
              |S |      Network Interface     |
              |  |                            |
              +--+----------------------------+
                       /       |       \
                      /        |        \
                     /         |         \
                    /          |          \
   POLICY MANAGEMENT/          |           \ DEVICE MANAGEMENT
  +---------------+            |           +-------------------+
  | Authentication|          _/^\_         |Device Provisioning|
  +---------------+        _/     \_       +-------------------+
  | Authorization |      _/         \_     |Device Monitoring  |
  +---------------+    _/             \_   +-------------------+
  | Accounting    |   /      The        \
  +---------------+   \_   Network(s)  _/
  | Auditing      |     \_           _/
  +---------------+       \_       _/
                            \_   _/
                              \_/
9.2 Terminology
Following is a description of the modules and interfaces in the
reference model for a NAS given above:
Client Interfaces - A NAS has one or more client interfaces, which
provide the interface to the end users who are requesting network
access. Users may connect to these client interfaces via modems
over a PSTN, or via tunnels over a data network. Two broad
classes of NAS's may be defined, based on the nature of the
incoming client interfaces, as follows. Note that a single NAS
device may serve in both classes:
Dial Access Servers - A Dial Access Server is a NAS whose client
interfaces consist of modems, either local or remote, which are
attached to a PSTN.
Tunnel Servers - A Tunnel Server is a NAS whose client interfaces
consist of tunneling endpoints in a protocol such as L2TP.
Network Interfaces - A NAS has one or more network interfaces, which
connect to the networks to which access is being granted.
Routing - If the network to which access is being granted is a routed
network, then a NAS will typically include routing functionality.
Policy Management Interface - A NAS provides an interface which
allows access to network services to be managed on a per-user
basis. This interface may be a configuration file, a graphical
user interface, an API, or a protocol such as RADIUS, Diameter, or
COPS [19]. This interface provides a mechanism for granular
resource management and policy enforcement.
Authentication - Authentication refers to the confirmation that a
user who is requesting services is a valid user of the network
services requested. Authentication is accomplished via the
presentation of an identity and credentials. Examples of types of
credentials are passwords, one-time tokens, digital certificates,
and phone numbers (calling/called).
Authorization - Authorization refers to the granting of specific
types of service (including "no service") to a user, based on
their authentication, what services they are requesting, and the
current system state. Authorization may be based on restrictions,
for example time-of-day restrictions, or physical location
restrictions, or restrictions against multiple logins by the same
user. Authorization determines the nature of the service which is
granted to a user. Examples of types of service include, but are
not limited to: IP address filtering, address assignment, route
assignment, QoS/differential services, bandwidth control/traffic
management, compulsory tunneling to a specific endpoint, and
encryption.
Accounting - Accounting refers to the tracking of the consumption of
NAS resources by users. This information may be used for
management, planning, billing, or other purposes. Real-time
accounting refers to accounting information that is delivered
concurrently with the consumption of the resources. Batch
accounting refers to accounting information that is saved until it
is delivered at a later time. Typical information that is
gathered in accounting is the identity of the user, the nature of
the service delivered, when the service began, and when it ended.
Auditing - Auditing refers to the tracking of activity by users. As
opposed to accounting, where the purpose is to track consumption
of resources, the purpose of auditing is to determine the nature
of a user's network activity. Examples of auditing information
include the identity of the user, the nature of the services used,
what hosts were accessed when, what protocols were used, etc.
AAAA Server - An AAAA Server is a server or servers that provide
authentication, authorization, accounting, and auditing services.
These may be co-located with the NAS, or more typically, are
located on a separate server and communicate with the NAS's User
Management Interface via an AAAA protocol. The four AAAA
functions may be located on a single server, or may be broken up
among multiple servers.
Device Management Interface - A NAS is a network device which is
owned, operated, and managed by some entity. This interface
provides a means for this entity to operate and manage the NAS.
This interface may be a configuration file, a graphical user
interface, an API, or a protocol such as SNMP [20].
Device Monitoring - Device monitoring refers to the tracking of
status, activity, and usage of the NAS as a network device.
Device Provisioning - Device provisioning refers to the
configurations, settings, and control of the NAS as a network
device.
9.3 Analysis
Following is an analysis of the functions of a NAS using the
reference model above:
9.3.1 Authentication and Security
NAS's serve as the first point of authentication for network users,
providing security to user sessions. This security is typically
performed by checking credentials such as a PPP PAP user
name/password pair or a PPP CHAP user name and challenge/response,
but may be extended to authentication via telephone number
information, digital certificates, or biometrics. NAS's also may
authenticate themselves to users. Since a NAS may be shared among
multiple administrative entities, authentication may actually be
performed via a back-end proxy, referral, or brokering process.
In addition to user security, NAS's may themselves be operated as
secure devices. This may include secure methods of management and
monitoring, use of IP Security [21] and even participation in a
Public Key Infrastructure.
9.3.2 Authorization and Policy
NAS's are the first point of authorization for usage of network
resources, and NAS's serve as policy enforcement points for the
services that they deliver to users. NAS's may provision these
services to users in a statically or dynamically configured fashion.
Resource management can be performed at a NAS by granting specific
types of service based on the current network state. In the case of
shared operation, NAS policy may be determined based on the policy of
multiple end systems.
9.3.3 Accounting and Auditing
Since NAS services are consumable resources, usage information must
often be collected for the purposes of soft policy management,
reporting, planning, and accounting. A dynamic, real-time view of
NAS usage is often required for network auditing purposes. Since a
NAS may be shared among multiple administrative entities, usage
information must often be delivered to multiple endpoints.
Accounting is performed using such protocols as RADIUS [2].
9.3.4 Resource Management
NAS's deliver resources to users, often in a dynamic fashion.
Examples of the types of resources doled out by NAS's are IP
addresses, network names and name server identities, tunnels, and
PSTN resources such as phone lines and numbers. Note that NAS's may
be operated in an outsourcing model, where multiple entities are
competing for the same resources.
9.3.5 Virtual Private Networks (VPN's)
NAS's often participate in VPN's, and may serve as the means by which
VPN's are implemented. Examples of the use of NAS's in VPN's are:
Dial Access Servers that build compulsory tunnels, Dial Access
Servers that provide services to voluntary tunnelers, and Tunnel
Servers that provide tunnel termination services. NAS's may
simultaneously provide VPN and public network services to different
users, based on policy and user identity.
9.3.6 Service Quality
A NAS may deliver different qualities, types, or levels of service
to different users based on policy and identity. NAS's may perform
bandwidth management, allow differential speeds or methods of access,
or even participate in provisioned or signaled Quality of Service
(QoS) networks.
9.3.7 Roaming
NAS's are often operated in a shared or outsourced manner, or a NAS
operator may enter into agreements with other service providers to
grant access to users from these providers (roaming operations).
NAS's often are operated as part of a global network. All these
imply that a NAS often provides services to users from multiple
administrative domains simultaneously. The features of NAS's may
therefore be driven by requirements of roaming [22].
10. Security Considerations
This document describes a model, not a particular solution.
As mentioned in section 9.3.1 and elsewhere, NAS's are concerned
about the security of several aspects of their operation, including:
- Providing sufficiently robust authentication techniques as
required by network policies,
- NAS authentication of configured authentication server(s),
- Server ability to authenticate configured clients,
- Hiding of the authentication information from network snooping
to protect from attacks and provide user privacy,
- Protecting the integrity of message exchanges from attacks
such as replay or man-in-the-middle,
- Inability of other hosts to interfere with services authorized
to the NAS, or to gain unauthorized services,
- Inability of other hosts to probe or guess at authentication
information,
- Protection of NAS system configuration and administration from
unauthorized users,
- Protection of the network from illegal packets sourced by
accessing connections.
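The PPP CHAP challenge/response mentioned in section 9.3.1, together with the snooping and replay concerns listed above, as an added Python example that is not part of RFC 2881 or of any NAS implementation: the peer proves knowledge of the shared secret with MD5 over identifier, secret and challenge as RFC 1994 specifies, the secret itself never crosses the link, and a fresh challenge per attempt means a captured response fails on the next session. Function names and sample values are constructed.

```python
"""CHAP challenge/response as used by a NAS (RFC 1994, MD5 algorithm).

Added example, not part of RFC 2881: shows how a fresh per-session
challenge defeats replay of a snooped response. All names and sample
values are constructed.
"""
import hashlib
import hmac
import secrets

CHAP_MD5 = 5  # PPP CHAP algorithm number for MD5 (RFC 1994)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer-side: Response = MD5(Identifier || secret || Challenge).
    Identifier is one octet; Challenge is the random value the NAS sent."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def nas_new_challenge(length: int = 16) -> bytes:
    """NAS-side: a fresh, unpredictable challenge for every attempt.
    Reusing a challenge would let a snooped response be replayed."""
    return secrets.token_bytes(length)


def nas_verify(identifier: int, secret: bytes, challenge: bytes,
               response: bytes) -> bool:
    """NAS- or AAAA-server-side check of a peer's response. The shared
    secret never crosses the link; the comparison is constant-time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def replay_demo(secret: bytes) -> dict:
    """Constructed scenario: a response captured in session 1 is replayed
    against the challenge of session 2."""
    chal1 = nas_new_challenge()
    resp1 = chap_response(1, secret, chal1)          # legitimate peer
    first_ok = nas_verify(1, secret, chal1, resp1)
    chal2 = nas_new_challenge()                      # NAS issues a new challenge
    replay_ok = nas_verify(1, secret, chal2, resp1)  # snooped resp1 replayed
    return {"first_ok": first_ok, "replay_ok": replay_ok}


if __name__ == "__main__":
    print(replay_demo(b"constructed-secret"))  # {'first_ok': True, 'replay_ok': False}
```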
11. References
[1] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote
Authentication Dial In User Service (RADIUS)", RFC 2865, June
2000.
[2] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[3] Calhoun, P., "Diameter Base Protocol", Work in Progress.
[4] Zorn, G., "Yet Another Authentication Protocol (YAAP)", Work in
Progress.
[5] Mamakos, L., Lidl, K., Evarts, K., Carrel, D., Simone, D. and R.
Wheeler, "A Method for Transmitting PPP Over Ethernet (PPPoE)",
RFC 2516, February 1999.
[6] Valencia, A., Littlewood, M. and T. Kolar, "Cisco Layer Two
Forwarding (Protocol) L2F", RFC 2341, May 1998.
[7] Hamzeh, K., "Ascend Tunnel Management Protocol - ATMP", RFC
2107, February 1997.
[8] Valencia, A., Townsley, W., Rubens, A., Pall, G., Zorn, G., and
B. Palter, "Layer Two Tunneling Protocol (L2TP)", RFC 2661,
August 1999.
[9] Zorn, G., Leifer, D., Rubens, A., Shriver, J. and M. Holdrege,
"RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June
2000.
[10] Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting
Modifications for Tunnel Protocol Support", RFC 2867, June 2000.
[11] Aboba, B. and G. Zorn, "Implementation of PPTP/L2TP Compulsory
Tunneling via RADIUS", RFC 2809, April 2000.
[12] Simpson, W., "PPP Challenge Handshake Authentication Protocol
(CHAP)", RFC 1994, August 1996.
[13] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", RFC 2433,
March 1998.
[14] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication
Protocol (EAP)", RFC 2284, March 1998.
[15] Calhoun, et al., "Extensible Authentication Protocol Support in
RADIUS", Work in Progress.
[16] Aboba, B. and M. Beadles, "The Network Access Identifier", RFC
2486, January 1999.
[17] Braden, R., Zhang, L., Berson, S., Herzog, S. and S. Jamin,
"Resource ReSerVation Protocol (RSVP) Version 1 Functional
Specification", RFC 2205, September 1997.
[18] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)", STD
51, RFC 1661, July 1994.
[19] Boyle, J., Cohen, R., Durham, D., Herzog, S., Raja, R. and A.
Sastry, "The COPS (Common Open Policy Service) Protocol", RFC
2748, January 2000.
[20] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "A Simple
Network Management Protocol (SNMP)", STD 15, RFC 1157, May 1990.
[21] Atkinson, R. and S. Kent, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[22] Aboba, Zorn, "Dialup Roaming Requirements", Work in Progress.
12. Acknowledgments
This document is a synthesis of my earlier draft and Mark Beadles'
NAS Reference Model draft.
13. Authors' Addresses
David Mitton
Nortel Networks
880 Technology Park Drive
Billerica, MA 01821
Phone: 978-288-4570
EMail: dmitton@nortelnetworks.com
Mark Beadles
SmartPipes Inc.
545 Metro Place South
Suite 100
Dublin, OH 43017
Phone: 614-327-8046
EMail: mbeadles@smartpipes.com
14. Appendix - Acronyms and Glossary:
AAA - Authentication, Authorization, Accounting; the three primary
services required by a NAS server or protocol.
NAS - Network Access Server, a system that provides access to a
network. In some cases also known as a RAS, Remote Access Server.
CLI - Command Line Interface, an interface to a command line service
for use with a common asynchronous terminal facility.
SLIP - Serial Line Internet Protocol, an IP-only serial datalink,
predecessor to PPP.
PPP - Point-to-Point Protocol; a serial datalink level protocol that
supports IP as well as other network protocols. PPP has three major
states of operation: LCP - Link layer Control Protocol,
Authentication, of which there are several types (PAP, CHAP, EAP),
and NCP - Network layer Control Protocol, which negotiates the
network layer parameters for each of the protocols in use.
IPX - Novell's NetWare transport protocol
NETBEUI - A Microsoft/IBM LAN protocol used by Microsoft file
services and the NETBIOS applications programming interface.
ARAP - AppleTalk Remote Access Protocol
LAT - Local Area Transport; a Digital Equipment Corp. LAN protocol
for terminal services.
PPPoE - PPP over Ethernet; a protocol that forwards PPP frames on a
LAN infrastructure. Often used to aggregate PPP streams at a common
server bank.
VPN - Virtual Private Network; a term for networks that appear to be
private to the user by the use of tunneling techniques.
FR - Frame Relay, a synchronous WAN protocol and telephone network
intraconnect service.
PSVC - Permanent Switched Virtual Circuit; a service which delivers
a virtual permanent circuit over a switched network.
PSTN - Public Switched Telephone Network
ISDN - Integrated Services Digital Network, a telephone network
facility for transmitting digital and analog information over a
digital network connection. A NAS may have the ability to receive
the information from the telephone network in digital form.
ISP - Internet Service Provider; a provider of Internet access (also
Network Service Provider, NSP).
BRI - Basic Rate Interface; a digital telephone interface.
PRI - Primary Rate Interface; a digital telephone interface of 64K
bits per second.
T1 - A digital telephone interface which provides 24-36 channels of
PRI data and one control channel (2.048 Mbps).
T3 - A digital telephone interface which provides 28 T1 services.
Signalling control for the entire connection is provided on a
dedicated in-band channel.
NFAS - Non-Facility Associated Signaling, a telephone network
protocol/service for providing call information on a separate wire
connection from the call itself. Used with multiple T1 or T3
connections.
SS7 - A telephone network protocol for communicating call supervision
information on a separate data network from the voice network.
POP - Point Of Presence; a geographic location of equipment and
interconnection to the network. An ISP typically manages all
equipment in a single POP in a similar manner.
VSA - Vendor Specific Attributes; RADIUS attributes defined by
vendors using the provision of attribute 26.
15. Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.