rfc2977.txt
字号:
Network Working Group S. Glass
Request for Comments: 2977 Sun Microsystems
Category: Informational T. Hiller
Lucent Technologies
S. Jacobs
GTE Laboratories
C. Perkins
Nokia Research Center
October 2000
Mobile IP Authentication, Authorization, and Accounting Requirements
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
The Mobile IP and Authentication, Authorization, Accounting (AAA)
working groups are currently looking at defining the requirements for
Authentication, Authorization, and Accounting. This document
contains the requirements which would have to be supported by a AAA
service to aid in providing Mobile IP services.
1. Introduction
Clients obtain Internet services by negotiating a point of attachment
to a "home domain", generally from an ISP, or other organization from
which service requests are made, and fulfilled. With the increasing
popularity of mobile devices, a need has been generated to allow
users to attach to any domain convenient to their current location.
In this way, a client needs access to resources being provided by an
administrative domain different than their home domain (called a
"foreign domain"). The need for service from a foreign domain
requires, in many models, Authorization, which leads directly to
Authentication, and of course Accounting (whence, "AAA"). There is
some argument which of these leads to, or is derived from the others,
but there is common agreement that the three AAA functions are
closely interdependent.
Glass, et al. Informational [Page 1]
RFC 2977 Mobile IP AAA Requirements October 2000
An agent in a foreign domain, being called on to provide access to a
resource by a mobile user, is likely to request or require the client
to provide credentials which can be authenticated before access to
resources is permitted. The resource may be as simple as a conduit
to the Internet, or may be as complex as access to specific private
resources within the foreign domain. Credentials can be exchanged in
many different ways, all of which are beyond the scope of this
document. Once authenticated, the mobile user may be authorized to
access services within the foreign domain. An accounting of the
actual resources may then be assembled.
Mobile IP is a technology that allows a network node ("mobile node")
to migrate from its "home" network to other networks, either within
the same administrative domain, or to other administrative domains.
The possibility of movement between domains which require AAA
services has created an immediate demand to design and specify AAA
protocols. Once available, the AAA protocols and infrastructure will
provide the economic incentive for a wide-ranging deployment of
Mobile IP. This document will identify, describe, and discuss the
functional and performance requirements that Mobile IP places on AAA
protocols.
The formal description of Mobile IP can be found in [13,12,14,17].
In this document, we have attempted to exhibit requirements in a
progressive fashion. After showing the basic AAA model for Mobile
IP, we derive requirements as follows:
- requirements based on the general model
- requirements based on providing IP service for mobile nodes
- requirements derived from specific Mobile IP protocol needs
Then, we exhibit some related AAA models and describe requirements
derived from the related models.
2. Terminology
This document frequently uses the following terms in addition to
those defined in RFC 2002 [13]:
Accounting The act of collecting information on resource usage
for the purpose of trend analysis, auditing, billing,
or cost allocation.
Glass, et al. Informational [Page 2]
RFC 2977 Mobile IP AAA Requirements October 2000
Administrative Domain
An intranet, or a collection of networks, computers,
and databases under a common administration.
Computer entities operating in a common
administration may be assumed to share
administratively created security associations.
Attendant A node designed to provide the service interface
between a client and the local domain.
Authentication
The act of verifying a claimed identity, in the form
of a pre-existing label from a mutually known name
space, as the originator of a message (message
authentication) or as the end-point of a channel
(entity authentication).
Authorization
The act of determining if a particular right, such as
access to some resource, can be granted to the
presenter of a particular credential.
Billing The act of preparing an invoice.
Broker An intermediary agent, trusted by two other AAA
servers, able to obtain and provide security services
from those AAA servers. For instance, a broker may
obtain and provide authorizations, or assurances that
credentials are valid.
Client A node wishing to obtain service from an attendant
within an administrative domain.
Foreign Domain
An administrative domain, visited by a Mobile IP
client, and containing the AAA infrastructure needed
to carry out the necessary operations enabling Mobile
IP registrations. From the point of view of the
foreign agent, the foreign domain is the local
domain.
Inter-domain Accounting
Inter-domain accounting is the collection of
information on resource usage of an entity with an
administrative domain, for use within another
administrative domain. In inter-domain accounting,
accounting packets and session records will typically
cross administrative boundaries.
Glass, et al. Informational [Page 3]
RFC 2977 Mobile IP AAA Requirements October 2000
Intra-domain Accounting
Intra-domain accounting is the collection of
information on resource within an administrative
domain, for use within that domain. In intra-domain
accounting, accounting packets and session records
typically do not cross administrative boundaries.
Local Domain
An administrative domain containing the AAA
infrastructure of immediate interest to a Mobile IP
client when it is away from home.
Real-time Accounting
Real-time accounting involves the processing of
information on resource usage within a defined time
window. Time constraints are typically imposed in
order to limit financial risk.
Session record
A session record represents a summary of the resource
consumption of a user over the entire session.
Accounting gateways creating the session record may
do so by processing interim accounting events.
In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
"recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
described in [4].
3. Basic Model
In this section, we attempt to capture the main features of a basic
model for operation of AAA servers that seems to have good support
within the Mobile IP working group. Within the Internet, a client
belonging to one administrative domain (called the home domain) often
needs to use resources provided by another administrative domain
(called the foreign domain). An agent in the foreign domain that
attends to the client's request (call the agent the "attendant") is
likely to require that the client provide some credentials that can
be authenticated before access to the resources is permitted. These
credentials may be something the foreign domain understands, but in
most cases they are assigned by, and understood only by the home
domain, and may be used for setting up secure channels with the
mobile node.
Glass, et al. Informational [Page 4]
RFC 2977 Mobile IP AAA Requirements October 2000
Local Domain Home Domain
+--------------+ +----------------------+
| +------+ | | +------+ |
| | | | | | | |
| | AAAL | | | | AAAH | |
| | +-------------------+ | |
| +---+--+ | | +------+ |
| | | | |
| | | +----------------------+
+------+ | +---+--+ |
| | | | | | C = client
| C |- -|- -| A | | A = attendant
| | | | | | AAAL = local authority
+------+ | +------+ | AAAH = home authority
| |
+--------------+
Figure 1: AAA Servers in Home and Local Domains
The attendant often does not have direct access to the data needed to
complete the transaction. Instead, the attendant is expected to
consult an authority (typically in the same foreign domain) in order
to request proof that the client has acceptable credentials. Since
the attendant and the local authority are part of the same
administrative domain, they are expected to have established, or be
able to establish for the necessary lifetime, a secure channel for
the purposes of exchanging sensitive (access) information, and
keeping it private from (at least) the visiting mobile node.
The local authority (AAAL) itself may not have enough information
stored locally to carry out the verification for the credentials of
the client. In contrast to the attendant, however, the AAAL is
expected to be configured with enough information to negotiate the
verification of client credentials with external authorities. The
local and the external authorities should be configured with
sufficient security relationships and access controls so that they,
possibly without the need for any other AAA agents, can negotiate the
authorization that may enable the client to have access to any/all
requested resources. In many typical cases, the authorization
depends only upon secure authentication of the client's credentials.
Once the authorization has been obtained by the local authority, and
the authority has notified the attendant about the successful
negotiation, the attendant can provide the requested resources to the
client.
Glass, et al. Informational [Page 5]
RFC 2977 Mobile IP AAA Requirements October 2000
In the picture, there might be many attendants for each AAAL, and
there might be many clients from many different Home Domains. Each
Home Domain provides a AAAH that can check credentials originating
from clients administered by that Home Domain.
There is a security model implicit in the above figure, and it is
crucial to identify the specific security associations assumed in the
security model.
First, it is natural to assume that the client has a security
association with the AAAH, since that is roughly what it means for
the client to belong to the home domain.
Second, from the model illustrated in figure 1 it is clear that AAAL
and AAAH have to share a security association, because otherwise they
could not rely on the authentication results, authorizations, nor
even the accounting data which might be transacted between them.
Requiring such bilateral security relationships is, however, in the
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -