File: rfc2881.txt

package info (click to toggle)
doc-rfc 20181229-2
  • links: PTS, VCS
  • area: non-free
  • in suites: buster
  • size: 570,944 kB
  • sloc: xml: 285,646; sh: 107; python: 90; perl: 42; makefile: 14
file content (1123 lines) | stat: -rw-r--r-- 45,029 bytes parent folder | download | duplicates (5)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123






Network Working Group                                            D. Mitton
Request for Comments: 2881                                 Nortel Networks
Category: Informational                                         M. Beadles
                                                           SmartPipes Inc.
                                                                 July 2000


     Network Access Server Requirements Next Generation (NASREQNG)
                               NAS Model

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   This document describes the terminology and gives a model of typical
   Network Access Server (NAS).  The purpose of this effort is to set
   the reference space for describing and evaluating NAS service
   protocols, such as RADIUS (RFCs 2865, 2866) [1], [2] and follow-on
   efforts like AAA Working Group, and the Diameter protocol [3].  These
   are protocols for carrying user service information for
   authentication, authorization, accounting, and auditing, between a
   Network Access Server which desires to authenticate its incoming
   calls and a shared authentication server.

Table of Contents

   1. INTRODUCTION...................................................2
    1.1 Scope of this Document ......................................2
    1.2 Specific Terminology ........................................3
   2. NETWORK ACCESS SYSTEM EQUIPMENT ASSUMPTIONS....................3
   3. NAS SERVICES...................................................4
   4. AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA) SERVERS.....5
   5. TYPICAL NAS OPERATION SEQUENCE:................................5
    5.1 Characteristics of Systems and Sessions: ....................6
    5.2 Separation of NAS and AAA server functions ..................7
    5.3 Network Management and Administrative features ..............7
   6. AUTHENTICATION METHODS.........................................8
   7. SESSION AUTHORIZATION INFORMATION..............................8
   8. IP NETWORK INTERACTION.........................................9
   9. A NAS MODEL...................................................10



Mitton & Beadles             Informational                      [Page 1]

RFC 2881                    NASreq NAS Model                   July 2000


    9.1 A Reference Model of a NAS .................................10
    9.2 Terminology ................................................11
    9.3 Analysis ...................................................13
     9.3.1 Authentication and Security .............................13
     9.3.2 Authorization and Policy ................................14
     9.3.3 Accounting and Auditing .................................14
     9.3.4 Resource Management .....................................14
     9.3.5 Virtual Private Networks (VPN's) ........................14
     9.3.6 Service Quality .........................................15
     9.3.7 Roaming .................................................15
   10. SECURITY CONSIDERATIONS......................................15
   11. REFERENCES ..................................................16
   12. ACKNOWLEDGMENTS..............................................17
   13. AUTHORS' ADDRESSES ..........................................17
   14. APPENDIX - ACRONYMS AND GLOSSARY:............................18
   15. FULL COPYRIGHT STATEMENT.....................................20

1. Introduction

   A Network Access Server is the initial entry point to a network for
   the majority of users of network services.  It is the first device in
   the network to provide services to an end user, and acts as a gateway
   for all further services.  As such, its importance to users and
   service providers alike is paramount.  However, the concept of a
   Network Access Server has grown up over the years without being
   formally defined or analyzed [4].

1.1 Scope of this Document

   There are several tradeoffs taken in this document.  The purpose of
   this document is to describe a model for evaluating NAS service
   protocols.  It will give examples of typical NAS hardware and
   software features, but these are not to be taken as hard limitations
   of the model, but merely illustrative of the points of discussion.
   An important goal of the model is to offer a framework that allows
   further development and expansion of capabilities in NAS
   implementation.

   As with most IETF projects, the focus is on standardizing the
   protocol interaction between the components of the system.  The
   documents produced will not address the following areas:

   - AAA server back-end implementation is abstracted and not
     prescribed.  The actual organization of the data in the server, its
     internal interfaces, and capabilities are left to the
     implementation.





Mitton & Beadles             Informational                      [Page 2]

RFC 2881                    NASreq NAS Model                   July 2000


   - NAS front-end call technology is not assumed to be static.
     Alternate and new technology will be accommodated.  The resultant
     protocol specifications must be flexible in design to allow for new
     technologies and services to be added with minimal impact on
     existing implementations.

1.2 Specific Terminology

   The following terms are used in this document in this manner:  A
   "Call" - the initiation of a network service request to the NAS.
   This can mean the arrival of a telephone call via a dial-in or
   switched telephone network connection, or the creation of a tunnel to
   a tunnel server which becomes a virtual NAS.  A "Session" - is the
   NAS provided service to a specific authorized user entity.

2. Network Access System Equipment Assumptions

   A typical hardware-based NAS is implemented in a constrained system.
   It is important that the NAS protocols don't assume unlimited
   resources on the part of the platform.  The following are typical
   constraints:

   - A computer system of minimal to moderate performance
     (example processors: Intel 386 or 486, Motorola 68000)
   - A moderate amount, but not large RAM (typically varies with
     supported # of ports 1MB to 8MB)
   - Some small amount of non-volatile memory, and/or way to be
     configured out-of-band
   - No assumption of a local file system or disk storage

   A NAS system may consist of a system of interconnected specialized
   processor system units.  Typically they may be circuit boards (or
   blades) that are arrayed in a card cage (or chassis) and referred to
   by their position (i.e., slot number).  The bus interconnection
   methods are typically proprietary and will not be addressed here.

   A NAS is sometimes referred to as a Remote Access Server (RAS) as it
   typically allows remote access to a network.  However, a more general
   picture is that of an "Edge Server", where the NAS sits on the edge
   of an IP network of some type, and allows dynamic access to it.

   Such systems typically have;

   - At least one LAN or high performance network interface (e.g.,
     Ethernet, ATM, FR)






Mitton & Beadles             Informational                      [Page 3]

RFC 2881                    NASreq NAS Model                   July 2000


   - At least one, but typically many, serial interface ports, which
     could be;
     -  serial RS232 ports direct wired or wired to a modem, or
     -  have integral hardware or software modems (V.22bis,V.32, V.34,
        X2, Kflex, V.90, etc.)
     -  have direct connections to telephone network digital WAN lines
        (ISDN, T1, T3, NFAS, or SS7)
     -  an aggregation of xDSL connections or PPPoe sessions [5].

   However, systems may perform some of the functions of a NAS, but not
   have these kinds of hardware characteristics.  An example would be a
   industry personal computer server system, that has several modem line
   connections.  These lines will be managed like a dedicated NAS, but
   the system itself is a general file server.  Likewise, with the
   development of tunneling protocols (L2F [6], ATMP [7], L2TP [8]),
   tunnel server systems must behave like a "virtual" NAS, where the
   calls come from the network tunneled sessions and not hardware ports
   ([11], [9], [10]).

3. NAS Services

   The core of what a NAS provides, are dynamic network services.  What
   distinguishes a NAS from a typical routing system, is that these
   services are provided on a per-user basis, based on an authentication
   and the service is accounted for.  This accounting may lead to
   policies and controls to limit appropriate usage to levels based on
   the availability of network bandwidth, or service agreements between
   the user and the provider.

   Typical services include:

   - dial-up or direct access serial line access; Ability to access the
     network using a the public telephone network.
   - network access (SLIP, PPP, IPX, NETBEUI, ARAP); The NAS allows the
     caller to access the network directly.
   - asynchronous terminal services (Telnet, Rlogin, LAT, others); The
     NAS implements the network protocol on behalf of the caller, and
     presents a terminal interface.
   - dial-out connections; Ability to cause the NAS to initiate a
     connection over the public telephone network, typically based on the
     arrival of traffic to a specific network system.
   - callback (NAS generates call to caller); Ability to cause the NAS to
     reverse or initiate a network connection based on the arrival of a
     dial-in call.
   - tunneling (from access connection to remote server); The NAS
     transports the callers network packets over a network to a remote
     server using an encapsulation protocol. (L2TP [8], RADIUS support
     [11])



Mitton & Beadles             Informational                      [Page 4]

RFC 2881                    NASreq NAS Model                   July 2000


4. Authentication, Authorization and Accounting (AAA) Servers

   Because of the need to authenticate and account, and for practical
   reasons of implementation, NAS systems have come to depend on
   external server systems to implement authentication databases and
   accounting recording.

   By separating these functions from the NAS equipment, they can be
   implemented in general purpose computer systems, that may provide
   better suited long term storage media, and more sophisticated
   database software infrastructures.  Not to mention that a centralized
   server can allow the coordinated administration of many NAS systems
   as appropriate (for example a single server may service an entire POP
   consisting of multiple NAS systems).

   For ease of management, there is a strong desire to piggyback NAS
   authentication information with other authentication databases, so
   that authentication information can be managed for several services
   (such as OS shell login, or Web Server access) from the same
   provider, without creating separate passwords and accounts for the
   user.

   Session activity information is stored and processed to produce
   accounting usage records.  This is typically done with a long term
   (nightly, weekly or monthly) batch type process.

   However, as network operations grow in sophistication, there are
   requirements to provide real-time monitoring of port and user status,
   so that the state information can be used to implement policy
   decisions, monitor user trends, and the ability to possibly terminate
   access for administrative reasons.  Typically only the NAS knows the
   true dynamic state of a session.

5. Typical NAS Operation Sequence:

   The following details a typical NAS operational sequence:

      - Call arrival on port or network
        -  Port:
           - auto-detect (or not) type of call
           - CLI/SLIP: prompt for username and password (if security
             set)
           - PPP: engage LCP, Authentication
           - Request authentication from AAA server
           - if okay, proceed to service
           - may challenge
           - may ask for password change/update




Mitton & Beadles             Informational                      [Page 5]

RFC 2881                    NASreq NAS Model                   July 2000


        -  Network:
           - activate internal protocol server (telnet, ftp)
           - engage protocol's authentication technique
           - confirm authentication information with AAA server

      - Call Management Services
        -  Information from the telephone system or gateway controller
           arrives indicating that a call has been received
        -  The AAA server is consulted using the information supplied by
           the telephone system (typically Called or Calling number
           information)
        -  The server indicates whether to respond to the call by
           answering it, or by returning a busy to the caller.
        -  The server may also need to allocate a port to receive a
           call, and route it accordingly.

      - Dial-out
        -  packet destination matches outbound route pre-configured
        -  find profile information to setup call
        -  Request information from AAA server for call details

      - VPN/Tunneling (compulsory)
        -  authentication server identifies user as remote
        -  tunnel protocol is invoked to a remote server
        -  authentication information may be forwarded to remote AAA
           server
        -  if successful, the local link is given a remote identity

      - Multi-link aggregation
        -  after a new call is authenticated by the AAA server, if MP
           options are present, then other bundles with the same
           identifying information is searched for
        -  bundle searches are performed across multiple systems
        -  join calls that match authentication and originator
           identities as one network addressable data source with a
           single network IP address

      - Hardwired (non-interactive) services
        -  permanent WAN connections (Frame Relay or PSVCs)
        -  permanent serial connections (printers)

5.1 Characteristics of Systems and Sessions:

   Sessions must have a user identifier and authenticator to complete
   the authentication process. Accounting starts from time of call or
   service, though finer details are allowed. At the end of service, the
   call may be disconnected or allow re-authentication for additional
   services.



Mitton & Beadles             Informational                      [Page 6]

RFC 2881                    NASreq NAS Model                   July 2000


   Some systems allow decisions on call handling to be made based on
   telephone system information provided before the call is answered
   (e.g., caller id or destination number). In such systems, calls may
   be busied-out or non-answered if system resources are not ready or
   available.

   Authorization to run services are supplied and applied after
   authentication. A NAS may abort call if session authorization
   information disagrees with call characteristics. Some system
   resources may be controlled by server driven policies

   Accounting messages are sent to the accounting server when service
   begins, and ends, and possibly periodically during service delivery.
   Accounting is not necessarily a real-time service, the NAS may be
   queue and batch send event records.

5.2 Separation of NAS and AAA server functions

   As a distributed system, there is a separation of roles between the
   NAS and the Server:

     - Server provides authentication services; checks passwords
       (static or dynamic)
     - Server databases may be organized in any way (only protocol
       specified)
     - Server may use external systems to authenticate (including OS
       user databases, token cards, one-time-lists, proxy or other
       means)
     - Server provides authorization information to NAS
     - The process of providing a service may lead to requests for
       additional information
     - Service authorization may require real-time enforcement
       (services may be based on Time of Day, or variable cost
       debits)
     - Session accounting information is tallied by the NAS and
       reported to server

5.3 Network Management and Administrative features

   The NAS system is presumed to have a method of configuration that
   allows it to know it's identity and network parameters at boot time.
   Likewise, this configuration information is typically managed using
   the standard management protocols (e.g., SNMP).  This would include
   the configuration of the parameters necessary to contact the AAA
   server itself.  The purpose of the AAA server is not to provide
   network management for the NAS, but to authorize and characterize the
   individual services for the users.  Therefore any feature that can be
   user specific is open to supply from the AAA server.



Mitton & Beadles             Informational                      [Page 7]

RFC 2881                    NASreq NAS Model                   July 2000


   The system may have other operational services that are used to run
   and control the NAS.  Some users that have _Administrative_
   privileges may have access to system configuration tools, or services
   that affect the operation and configuration of the system (e.g.,
   loading boot images, internal file system access, etc..)  Access to
   these facilities may also be authenticated by the AAA server
   (provided it is configured and reachable!) and levels of access
   authorization may be provided.

6. Authentication Methods

   A NAS system typically supports a number of authentication systems.
   For async terminal users, these may be a simple as a prompt and
   input.  For network datalink users, such as PPP, several different
   authentication methods will be supported (PAP, CHAP [12], MS-CHAP
   [13]).  Some of these may actually be protocols in and of themselves
   (EAP [14] [15], and Kerberos).

   Additionally, the content of the authentication exchanges may not be
   straightforward.  Hard token cards, such as the Safeword and SecurId,
   systems may generate one-time passphrases that must be validated
   against a proprietary server.  In the case of multi-link support, it
   may be necessary to remember a session token or certificate for the
   later authentication of additional links.

   In the cases of VPN and compulsory tunneling services, typically a
   Network Access Identifier (RFC 2486 [16]) is presented by the user.
   This NAI is parsed into a destination network identifier either by
   the NAS or by the AAA server.  The authentication information will
   typically not be validated locally, but by a AAA service at the
   remote end of the tunnel service.

7. Session Authorization Information

   Once a user has been authenticated, there are a number of individual
   bits of information that the network management may wish to configure
   and authorize for the given user or class of users.

   Typical examples include:

        For async terminal users:

        - banners
        - custom prompts
        - menus
        - CLI macros - which could be used for: shortcuts, compound
          commands, restrictive scripts




Mitton & Beadles             Informational                      [Page 8]

RFC 2881                    NASreq NAS Model                   July 2000


        For network users:

        - addresses, and routes
        - callback instructions
        - packet and activity filters
        - network server addresses
        - host server addresses

   Some services may require dynamic allocation of resources.
   Information about the resources required may not be known during the
   authentication phase, it may come up later. (e.g., IP Addresses for
   multi-link bundles) It's also possible that the authorization will
   change over the time of the session. To provide these there has to be
   a division of responsibility between the NAS and the AAA server, or a
   cooperation using a stateful service.

   Such services include:

        - IP Address management
        - Concurrent login limitations
        - Tunnel usage limitations
        - Real-time account expirations
        - Call management policies

   In the process of resolving resource information, it may be required
   that a certain level of service be supplied, and if not available,
   the request refused, or corrective action taken.

8. IP Network Interaction

   As the NAS participates in the IP network, it interacts with the
   routing mechanisms of the network itself.  These interactions may
   also be controlled on a per-user/session basis.

   For example, some input streams may be directed to specific hosts
   other than the default gateway for the destination subnet.  In order
   to control services within the network provider's infrastructure,
   some types of packets may be discarded (filtered) before entering the
   network.  These filters could be applied based on examination of
   destination address and port number.  Anti-spoofing packet controls
   may be applied to disallow traffic sourced from addresses other than
   what was assigned to the port.

   A NAS may also be an edge router system, and apply Quality of Service
   (QoS) policies to the packets.  This makes it a QOS Policy
   Enforcement Point [19], [17].  It may learn QOS and other network
   policies for the user via the AAA service.




Mitton & Beadles             Informational                      [Page 9]

RFC 2881                    NASreq NAS Model                   July 2000


9. A NAS Model

   So far we have looked at examples of things that NASes do.  The
   following attempts to define a NAS model that captures the
   fundamentals of NAS structure to better categorize how it interacts
   with other network components.

   A Network Access Server is a device which sits on the edge of a
   network, and provides access to services on that network in a
   controlled fashion, based on the identity of the user of the network
   services in question and on the policy of the provider of these
   services.  For the purposes of this document, a Network Access Server
   is defined primarily as a device which accepts multiple point-to-
   point [18] links on one set of interfaces, providing access to a
   routed network or networks on another set of interfaces.

   Note that there are many things that a Network Access Server is not.
   A NAS is not simply a router, although it will typically include
   routing functionality in it's interface to the network.  A NAS is not
   necessarily a dial access server, although dial access is one common
   means of network access, and brings its own particular set of
   requirements to NAS's.

   A NAS is the first device in the IP network to provide services to an
   end user, and acts as a gateway for all further services.  It is the
   point at which users are authenticated, access policy is enforced,
   network services are authorized, network usage is audited, and
   resource consumption is tracked.  That is, a NAS often acts as the
   policy enforcement point for network AAAA (authentication,
   authorization, accounting, and auditing) services.  A NAS is
   typically the first place in a network where security measures and
   policy may be implemented.

9.1 A Reference Model of a NAS

   For reference in the following discussion, a diagram of a NAS, its
   dependencies, and its interfaces is given below.  This diagram is
   intended as an abstraction of a NAS as a reference model, and is not
   intended to represent any particular NAS implementation.












Mitton & Beadles             Informational                     [Page 10]

RFC 2881                    NASreq NAS Model                   July 2000


                               Users
                             v v v v v v v
                             | | PSTN  | |
                             | |  or   | |
                             |encapsulated
                          +-----------------+
                          |    (Modems)     |
                          +-----------------+
                             | | | | | | |
                   +--+----------------------------+
                   |  |                            |
                   |N |     Client Interface       |
                   |  |                            |
                   |A +----------Routing ----------+
                   |  |                            |
                   |S |    Network Interface       |
                   |  |                            |
                   +--+----------------------------+
                           /      |     \
                          /       |      \
                         /        |       \
                        /         |        \
      POLICY MANAGEMENT/          |         \  DEVICE MANAGEMENT
      +---------------+           |          +-------------------+
      | Authentication|         _/^\_        |Device Provisioning|
      +---------------+       _/     \_      +-------------------+
      | Authorization |     _/         \_    |Device Monitoring  |
      +---------------+   _/             \_  +-------------------+
      | Accounting    |  /       The       \
      +---------------+  \_   Network(s)  _/
      | Auditing      |    \_           _/
      +---------------+      \_       _/
                               \_   _/
                                 \_/

9.2 Terminology

   Following is a description of the modules and interfaces in the
   reference model for a NAS given above:

   Client Interfaces - A NAS has one or more client interfaces, which
      provide the interface to the end users who are requesting network
      access.  Users may connect to these client interfaces via modems
      over a PSTN, or via tunnels over a data network.  Two broad
      classes of NAS's may be defined, based on the nature of the
      incoming client interfaces, as follows. Note that a single NAS
      device may serve in both classes:




Mitton & Beadles             Informational                     [Page 11]

RFC 2881                    NASreq NAS Model                   July 2000


   Dial Access Servers - A Dial Access Server is a NAS whose client
      interfaces consist of modems, either local or remote, which are
      attached to a PSTN.

   Tunnel Servers - A Tunnel Server is a NAS whose client interfaces
      consists of tunneling endpoints in a protocol such as L2TP

   Network Interfaces - A NAS has one or more network interfaces, which
      connect to the networks to which access is being granted.

   Routing - If the network to which access is being granted is a routed
      network, then a NAS will typically include routing functionality.

   Policy Management Interface - A NAS provides an interface which
      allows access to network services to be managed on a per-user
      basis. This interface may be a configuration file, a graphical
      user interface, an API, or a protocol such as RADIUS, Diameter, or
      COPS [19].  This interface provides a mechanism for granular
      resource management and policy enforcement.

   Authentication - Authentication refers to the confirmation that a
      user who is requesting services is a valid user of the network
      services requested.  Authentication is accomplished via the
      presentation of an identity and credentials.  Examples of types of
      credentials are passwords, one-time tokens, digital certificates,
      and phone numbers (calling/called).

   Authorization - Authorization refers to the granting of specific
      types of service (including "no service") to a user, based on
      their authentication, what services they are requesting, and the
      current system state.  Authorization may be based on restrictions,
      for example time-of-day restrictions, or physical location
      restrictions, or restrictions against multiple logins by the same
      user.  Authorization determines the nature of the service which is
      granted to a user.  Examples of types of service include, but are
      not limited to: IP address filtering, address assignment, route
      assignment, QoS/differential services, bandwidth control/traffic
      management, compulsory tunneling to a specific endpoint, and
      encryption.

   Accounting - Accounting refers to the tracking of the consumption of
      NAS resources by users. This information may be used for
      management, planning, billing, or other purposes.  Real-time
      accounting refers to accounting information that is delivered
      concurrently with the consumption of the resources.  Batch
      accounting refers to accounting information that is saved until it





Mitton & Beadles             Informational                     [Page 12]

RFC 2881                    NASreq NAS Model                   July 2000


      is delivered at a later time.  Typical information that is
      gathered in accounting is the identity of the user, the nature of
      the service delivered, when the service began, and when it ended.

   Auditing - Auditing refers to the tracking of activity by users.  As
      opposed to accounting, where the purpose is to track consumption
      of resources, the purpose of auditing is to determine the nature
      of a user's network activity.  Examples of auditing information
      include the identity of the user, the nature of the services used,
      what hosts were accessed when, what protocols were used, etc.

   AAAA Server - An AAAA Server is a server or servers that provide
      authentication, authorization, accounting, and auditing services.
      These may be co-located with the NAS, or more typically, are
      located on a separate server and communicate with the NAS's User
      Management Interface via an AAAA protocol.  The four AAAA
      functions may be located on a single server, or may be broken up
      among multiple servers.

   Device Management Interface - A NAS is a network device which is
      owned, operated, and managed by some entity.  This interface
      provides a means for this entity to operate and manage the NAS.
      This interface may be a configuration file, a graphical user
      interface, an API, or a protocol such as SNMP [20].

   Device Monitoring - Device monitoring refers to the tracking of
      status, activity, and usage of the NAS as a network device.

   Device Provisioning - Device provisioning refers to the
      configurations, settings, and control of the NAS as a network
      device.

9.3 Analysis

   Following is an analysis of the functions of a NAS using the
   reference model above:

9.3.1 Authentication and Security

   NAS's serve as the first point of authentication for network users,
   providing security to user sessions.  This security is typically
   performed by checking credentials such as a PPP PAP user
   name/password pair or a PPP CHAP user name and challenge/response,
   but may be extended to authentication via telephone number
   information, digital certificates, or biometrics.  NAS's also may
   authenticate themselves to users.  Since a NAS may be shared among
   multiple administrative entities, authentication may actually be
   performed via a back-end proxy, referral, or brokering process.



Mitton & Beadles             Informational                     [Page 13]

RFC 2881                    NASreq NAS Model                   July 2000


   In addition to user security, NAS's may themselves be operated as
   secure devices.  This may include secure methods of management and
   monitoring, use of IP Security [21] and even participation in a
   Public Key Infrastructure.

9.3.2 Authorization and Policy

   NAS's are the first point of authorization for usage of network
   resources, and NAS's serve as policy enforcement points for the
   services that they deliver to users.  NAS's may provision these
   services to users in a statically or dynamically configured fashion.
   Resource management can be performed at a NAS by granting specific
   types of service based on the current network state.  In the case of
   shared operation, NAS policy may be determined based on the policy of
   multiple end systems.

9.3.3 Accounting and Auditing

   Since NAS services are consumable resources, usage information must
   often be collected for the purposes of soft policy management,
   reporting, planning, and accounting.  A dynamic, real-time view of
   NAS usage is often required for network auditing purposes.  Since a
   NAS may be shared among multiple administrative entities, usage
   information must often be delivered to multiple endpoints.
   Accounting is performed using such protocols as RADIUS [2].

9.3.4 Resource Management

   NAS's deliver resources to users, often in a dynamic fashion.
   Examples of the types of resources doled out by NAS's are IP
   addresses, network names and name server identities, tunnels, and
   PSTN resources such as phone lines and numbers.  Note that NAS's may
   be operated in a outsourcing model, where multiple entities are
   competing for the same resources.

9.3.5 Virtual Private Networks (VPN's)

   NAS's often participate in VPN's, and may serve as the means by which
   VPN's are implemented.  Examples of the use of NAS's in VPN's are:
   Dial Access Servers that build compulsory tunnels, Dial Access
   Servers that provide services to voluntary tunnelers, and Tunnel
   Servers that provide tunnel termination services.  NAS's may
   simultaneously provide VPN and public network services to different
   users, based on policy and user identity.







Mitton & Beadles             Informational                     [Page 14]

RFC 2881                    NASreq NAS Model                   July 2000


9.3.6 Service Quality

   A NAS may delivery different qualities, types, or levels of service
   to different users based on policy and identity.  NAS's may perform
   bandwidth management, allow differential speeds or methods of access,
   or even participate in provisioned or signaled Quality of Service
   (QoS) networks.

9.3.7 Roaming

   NAS's are often operated in a shared or outsourced manner, or a NAS
   operator may enter into agreements with other service providers to
   grant access to users from these providers (roaming operations).
   NAS's often are operated as part of a global network.  All these
   imply that a NAS often provides services to users from multiple
   administrative domains simultaneously.  The features of NAS's may
   therefore be driven by requirements of roaming [22].

10. Security Considerations

   This document describes a model not a particular solution.

   As mentioned in section 9.3.1 and elsewhere, NAS'es are concerned
   about the security of several aspects of their operation, including:

      - Providing sufficiently robust authentication techniques as
        required by network policies,
      - NAS authentication of configured authentication server(s),
      - Server ability to authenticate configured clients,
      - Hiding of the authentication information from network snooping
        to protect from attacks and provide user privacy,
      - Protecting the integrity of message exchanges from attacks
        such as; replay, or man-in-the middle,
      - Inability of other hosts to interfere with services authorized
        to NAS, or gain unauthorized services,
      - Inability of other hosts to probe or guess at authentication
        information.
      - Protection of NAS system configuration and administration from
        unauthorized users
      - Protection of the network from illegal packets sourced by
        accessing connections










Mitton & Beadles             Informational                     [Page 15]

RFC 2881                    NASreq NAS Model                   July 2000


11. References

   [1]  Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote
        Authentication Dial In User Service (RADIUS)", RFC 2865, June
        2000.

   [2]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [3]  Calhoun, P., "Diameter Base Protocol", Work in Progress.

   [4]  Zorn, G., "Yet Another Authentication Protocol (YAAP)", Work in
        Progress.

   [5]  Mamakos, L., Lidl, K., Evarts, K., Carrel, D., Simone, D. and R.
        Wheeler, "A Method for Transmitting PPP Over Ethernet (PPPoE)",
        RFC 2516, February 1999.

   [6]  Valencia, A., Littlewood, M. and T. Kolar, "Cisco Layer Two
        Forwarding (Protocol) L2F", RFC 2341, May 1998.

   [7]  Hamzeh, K., "Ascend Tunnel Management Protocol - ATMP", RFC
        2107, February 1997.

   [8]  Valencia, A., Townsley, W., Rubens, A., Pall, G., Zorn, G., and
        B. Palter, "Layer Two Tunneling Protocol (L2TP)", RFC 2661,
        August 1999.

   [9]  Zorn, G., Leifer, D., Rubens, A., Shriver, J. and M. Holdrege,
        "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June
        2000.

   [10] Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting
        Modifications for Tunnel Protocol Support", RFC 2867, June 2000.

   [11] Aboba, B. and G. Zorn, "Implementation of PPTP/L2TP Compulsory
        Tunneling via RADIUS", RFC 2809, April 2000.

   [12] Simpson, W., "PPP Challenge Handshake Authentication Protocol
        (CHAP)", RFC 1994, August 1996.

   [13] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", RFC 2433,
        March 1998.

   [14] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication
        Protocol (EAP)", RFC 2284, March 1998.

   [15] Calhoun, et al., "Extensible Authentication Protocol Support in
        RADIUS", Work in Progress.



Mitton & Beadles             Informational                     [Page 16]

RFC 2881                    NASreq NAS Model                   July 2000


   [16] Aboba, B. and M. Beadles, "The Network Access Identifier", RFC
        2486, January 1999.

   [17] Braden, R., Zhang, L., Berson, S., Herzog, S. and S. Jamin,
        "Resource ReSerVation Protocol (RSVP) Version 1 Functional
        Specification", RFC 2205, September 1997.

   [18] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)", STD
        51, RFC 1661, July 1994.

   [19] Boyle, J., Cohen, R., Durham, D., Herzog, S., Raja, R. and A.
        Sastry. "The COPS (Common Open Policy Service) Protocol", RFC
        2748, January 2000.

   [20] Case, J., Fedor, M., Schoffstall, M. and J. Davin. "A Simple
        Network Management Protocol (SNMP)", STD 15, RFC 1157, May 1990.

   [21] Atkinson, R. and S. Kent, "Security Architecture for the
        Internet Protocol", RFC 2401, November 1998.

   [22] Aboba, Zorn, "Dialup Roaming Requirements", Work in Progress.

12. Acknowledgments

   This document is a synthesis of my earlier draft and Mark Beadles'
   NAS Reference Model draft.

13. Authors' Addresses

   David Mitton
   Nortel Networks
   880 Technology Park Drive
   Billerica, MA 01821

   Phone: 978-288-4570
   EMail: dmitton@nortelnetworks.com


   Mark Beadles
   SmartPipes Inc.
   545 Metro Place South
   Suite 100
   Dublin, OH 43017

   Phone: 614-327-8046
   EMail: mbeadles@smartpipes.com





Mitton & Beadles             Informational                     [Page 17]

RFC 2881                    NASreq NAS Model                   July 2000


14. Appendix - Acronyms and Glossary:

   AAA - Authentication, Authorization, Accounting, The three primary
   services required by a NAS server or protocol.

   NAS - Network Access Server, a system that provides access to a
   network.  In some cases also know as a RAS, Remote Access Server.

   CLI - Command Line Interface, an interface to a command line service
   for use with an common asynchronous terminal facility.

   SLIP - Serial Line Internet Protocol, an IP-only serial datalink,
   predecessor to PPP.

   PPP - Point-to-Point Protocol; a serial datalink level protocol that
   supports IP as well as other network protocols. PPP has three major
   states of operation: LCP - Link layer Control Protocol,
   Authentication, of which there are several types (PAP, CHAP, EAP),
   and NCP - Network layer Control Protocol, which negotiates the
   network layer parameters for each of the protocols in use.

   IPX - Novell's NetWare transport protocol

   NETBEUI - A Microsoft/IBM LAN protocol used by Microsoft file
   services and the NETBIOS applications programming interface.

   ARAP - AppleTalk Remote Access Protocol

   LAT - Local Area Transport; a Digital Equipment Corp. LAN protocol
   for terminal services.

   PPPoe - PPP over Ethernet; a protocol that forwards PPP frames on an
   LAN infrastructure.  Often used to aggregate PPP streams at a common
   server bank.

   VPN - Virtual Private Network; a term for networks that appear to be
   private to the user by the use of tunneling techniques.

   FR - Frame Relay, a synchronous WAN protocol and telephone network
   intraconnect service.

   PSVC - Permanent Switched Virtual Circuit - a service which delivers
   an virtual permanent circuit by a switched network.

   PSTN - Public Switched Telephone Network






Mitton & Beadles             Informational                     [Page 18]

RFC 2881                    NASreq NAS Model                   July 2000


   ISDN - Integrated Services Digital Network, a telephone network
   facility for transmitting digital and analog information over a
   digital network connection.  A NAS may have the ability to receive
   the information from the telephone network in digital form.

   ISP - Internet Service Provider; a provider of Internet access (also
   Network Service Provider, NSP).

   BRI - Basic Rate Interface; a digital telephone interface.

   PRI - Primary Rate Interface; a digital telephone interface of 64K
   bits per second.

   T1 - A digital telephone interface which provides 24-36 channels of
   PRI data and one control channel (2.048 Mbps).

   T3 - A digital telephone interface which provides 28 T1 services.
   Signalling control for the entire connection is provided on a
   dedicated in-band channel.

   NFAS - Non-Facility Associated Signaling, a telephone network
   protocol/service for providing call information on a separate wire
   connection from the call itself.  Used with multiple T1 or T3
   connections.

   SS7 - A telephone network protocol for communicating call supervision
   information on a separate data network from the voice network.

   POP - Point Of Presence; a geographic location of equipment and
   interconnection to the network.  An ISP typically manages all
   equipment in a single POP in a similar manner.

   VSA - Vendor Specific Attributes; RADIUS attributes defined by
   vendors using the provision of attribute 26.

















Mitton & Beadles             Informational                     [Page 19]

RFC 2881                    NASreq NAS Model                   July 2000


15.  Full Copyright Statement

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.



















Mitton & Beadles             Informational                     [Page 20]