Network Working Group D. Mitton
Request for Comments: 2881 Nortel Networks
Category: Informational M. Beadles
SmartPipes Inc.
July 2000
Network Access Server Requirements Next Generation (NASREQNG)
NAS Model
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This document describes the terminology and gives a model of a typical
Network Access Server (NAS). The purpose of this effort is to set
the reference space for describing and evaluating NAS service
protocols, such as RADIUS (RFCs 2865, 2866) [1], [2] and follow-on
efforts like AAA Working Group, and the Diameter protocol [3]. These
are protocols for carrying user service information for
authentication, authorization, accounting, and auditing, between a
Network Access Server which desires to authenticate its incoming
calls and a shared authentication server.
Table of Contents
1. INTRODUCTION...................................................2
1.1 Scope of this Document ......................................2
1.2 Specific Terminology ........................................3
2. NETWORK ACCESS SYSTEM EQUIPMENT ASSUMPTIONS....................3
3. NAS SERVICES...................................................4
4. AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA) SERVERS.....5
5. TYPICAL NAS OPERATION SEQUENCE:................................5
5.1 Characteristics of Systems and Sessions: ....................6
5.2 Separation of NAS and AAA server functions ..................7
5.3 Network Management and Administrative features ..............7
6. AUTHENTICATION METHODS.........................................8
7. SESSION AUTHORIZATION INFORMATION..............................8
8. IP NETWORK INTERACTION.........................................9
9. A NAS MODEL...................................................10
Mitton & Beadles Informational [Page 1]
RFC 2881 NASreq NAS Model July 2000
9.1 A Reference Model of a NAS .................................10
9.2 Terminology ................................................11
9.3 Analysis ...................................................13
9.3.1 Authentication and Security .............................13
9.3.2 Authorization and Policy ................................14
9.3.3 Accounting and Auditing .................................14
9.3.4 Resource Management .....................................14
9.3.5 Virtual Private Networks (VPN's) ........................14
9.3.6 Service Quality .........................................15
9.3.7 Roaming .................................................15
10. SECURITY CONSIDERATIONS......................................15
11. REFERENCES ..................................................16
12. ACKNOWLEDGMENTS..............................................17
13. AUTHORS' ADDRESSES ..........................................17
14. APPENDIX - ACRONYMS AND GLOSSARY:............................18
15. FULL COPYRIGHT STATEMENT.....................................20
1. Introduction
A Network Access Server is the initial entry point to a network for
the majority of users of network services. It is the first device in
the network to provide services to an end user, and acts as a gateway
for all further services. As such, its importance to users and
service providers alike is paramount. However, the concept of a
Network Access Server has grown up over the years without being
formally defined or analyzed [4].
1.1 Scope of this Document
This document makes several tradeoffs. Its purpose is to describe a
model for evaluating NAS service protocols. It gives examples of
typical NAS hardware and software features, but these are not to be
taken as hard limitations of the model; they merely illustrate the
points of discussion.
An important goal of the model is to offer a framework that allows
further development and expansion of capabilities in NAS
implementation.
As with most IETF projects, the focus is on standardizing the
protocol interaction between the components of the system. The
documents produced will not address the following areas:
- AAA server back-end implementation is abstracted and not
prescribed. The actual organization of the data in the server, its
internal interfaces, and capabilities are left to the
implementation.
- NAS front-end call technology is not assumed to be static.
Alternate and new technology will be accommodated. The resultant
protocol specifications must be flexible in design to allow for new
technologies and services to be added with minimal impact on
existing implementations.
1.2 Specific Terminology
The following terms are used in this document in this manner:
A "Call" - the initiation of a network service request to the NAS.
This can mean the arrival of a telephone call via a dial-in or
switched telephone network connection, or the creation of a tunnel to
a tunnel server which becomes a virtual NAS.
A "Session" - the NAS-provided service to a specific authorized user
entity.
2. Network Access System Equipment Assumptions
A typical hardware-based NAS is implemented in a constrained system.
It is important that the NAS protocols don't assume unlimited
resources on the part of the platform. The following are typical
constraints:
- A computer system of minimal to moderate performance
(example processors: Intel 386 or 486, Motorola 68000)
- A moderate amount, but not large RAM (typically varies with
supported # of ports 1MB to 8MB)
- Some small amount of non-volatile memory, and/or way to be
configured out-of-band
- No assumption of a local file system or disk storage
A NAS may consist of a system of interconnected specialized processor
units. Typically these are circuit boards (or blades) arrayed in a
card cage (or chassis) and referred to by their position (i.e., slot
number). The bus interconnection methods are typically proprietary
and will not be addressed here.
A NAS is sometimes referred to as a Remote Access Server (RAS) as it
typically allows remote access to a network. However, a more general
picture is that of an "Edge Server", where the NAS sits on the edge
of an IP network of some type, and allows dynamic access to it.
Such systems typically have:
- At least one LAN or high performance network interface (e.g.,
Ethernet, ATM, FR)
- At least one, but typically many, serial interface ports, which
could be:
  - serial RS232 ports, direct wired or wired to a modem, or
  - integral hardware or software modems (V.22bis, V.32, V.34,
    X2, Kflex, V.90, etc.)
  - direct connections to telephone network digital WAN lines
    (ISDN, T1, T3, NFAS, or SS7)
  - an aggregation of xDSL connections or PPPoE sessions [5].
However, some systems perform some of the functions of a NAS without
having these kinds of hardware characteristics. An example would be
an industry personal computer server system that has several modem
line connections. These lines will be managed like a dedicated NAS,
but the system itself is a general file server. Likewise, with the
development of tunneling protocols (L2F [6], ATMP [7], L2TP [8]),
tunnel server systems must behave like a "virtual" NAS, where the
calls come from network tunneled sessions and not hardware ports
([11], [9], [10]).
3. NAS Services
The core of what a NAS provides is dynamic network services. What
distinguishes a NAS from a typical routing system is that these
services are provided on a per-user basis, based on an
authentication, and the service is accounted for. This accounting
may lead to policies and controls that limit usage to appropriate
levels based on the availability of network bandwidth or on service
agreements between the user and the provider.
Typical services include:
- dial-up or direct access serial line access; Ability to access the
network using the public telephone network.
- network access (SLIP, PPP, IPX, NETBEUI, ARAP); The NAS allows the
caller to access the network directly.
- asynchronous terminal services (Telnet, Rlogin, LAT, others); The
NAS implements the network protocol on behalf of the caller, and
presents a terminal interface.
- dial-out connections; Ability to cause the NAS to initiate a
connection over the public telephone network, typically based on the
arrival of traffic to a specific network system.
- callback (NAS generates call to caller); Ability to cause the NAS to
reverse or initiate a network connection based on the arrival of a
dial-in call.
- tunneling (from access connection to remote server); The NAS
transports the caller's network packets over a network to a remote
server using an encapsulation protocol (L2TP [8], RADIUS support
[11]).
4. Authentication, Authorization and Accounting (AAA) Servers
Because of the need to authenticate and account, and for practical
reasons of implementation, NAS systems have come to depend on
external server systems to implement authentication databases and
accounting recording.
By separating these functions from the NAS equipment, they can be
implemented in general-purpose computer systems that may provide
better-suited long-term storage media and more sophisticated
database software infrastructures. Moreover, a centralized server
allows the coordinated administration of many NAS systems as
appropriate (for example, a single server may service an entire POP
consisting of multiple NAS systems).
For ease of management, there is a strong desire to piggyback NAS
authentication information with other authentication databases, so
that authentication information can be managed for several services
(such as OS shell login, or Web Server access) from the same
provider, without creating separate passwords and accounts for the
user.
Session activity information is stored and processed to produce
accounting usage records. This is typically done with a long term
(nightly, weekly or monthly) batch type process.
However, as network operations grow in sophistication, there are
requirements to provide real-time monitoring of port and user status,
so that the state information can be used to implement policy
decisions, monitor user trends, and possibly terminate access for
administrative reasons. Typically only the NAS knows the true dynamic
state of a session.
5. Typical NAS Operation Sequence:
The following details a typical NAS operational sequence:
- Call arrival on port or network
  - Port:
    - auto-detect (or not) type of call
    - CLI/SLIP: prompt for username and password (if security set)
    - PPP: engage LCP, Authentication
  - Request authentication from AAA server
    - if okay, proceed to service
    - may challenge
    - may ask for password change/update
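The sequence above, carried through as an added example that is not part of RFC 2881: a Python model of a NAS requesting authentication from an AAA server using RFC 2865 RADIUS framing (the protocol the abstract names), with the server answering Access-Accept, Access-Reject or Access-Challenge and the NAS re-prompting the caller when challenged. The shared secret, the user record, the one-time token, the Reply-Message text and the 192.0.2.10 NAS address are constructed sample values, and the AAA server is a toy in-process object standing in for a real back end.

```python
"""Added example (not RFC 2881 text): the section 5 sequence as a NAS/AAA exchange using
RFC 2865 RADIUS framing.  Secret, user record, token and NAS address are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE, STATE = 1, 2, 4, 5, 18, 24
SECRET = b"constructed-shared-secret"               # constructed; known to NAS and AAA only
USERS = {b"alice": (b"correct horse", b"424242")}   # constructed: name -> (password, one-time token)

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator                   # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16), then Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")   # never walk past the declared length
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs

def reply(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    unsigned = encode(code, ident, request_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]

def reply_is_authentic(packet, request_auth, secret):
    """NAS-side check that a reply was produced by a holder of the shared secret."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

class ToyAAAServer:
    """Constructed AAA back end: password check, then a one-time token via Access-Challenge."""
    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}

    def handle(self, packet):
        code, ident, req_auth, attrs = decode(packet)
        a = dict(attrs)
        record = self.users.get(a.get(USER_NAME))
        if code != ACCESS_REQUEST or record is None or USER_PASSWORD not in a:
            return reply(ACCESS_REJECT, ident, req_auth, [], self.secret)
        password, token = record
        supplied = reveal_password(a[USER_PASSWORD], self.secret, req_auth)
        if STATE not in a:                               # first leg: password check
            if supplied != password:
                return reply(ACCESS_REJECT, ident, req_auth, [], self.secret)
            state = os.urandom(8)
            self.pending[state] = a[USER_NAME]
            return reply(ACCESS_CHALLENGE, ident, req_auth,
                         [(STATE, state), (REPLY_MESSAGE, b"Enter one-time token")], self.secret)
        if self.pending.pop(a[STATE], None) == a[USER_NAME] and supplied == token:
            return reply(ACCESS_ACCEPT, ident, req_auth, [], self.secret)
        return reply(ACCESS_REJECT, ident, req_auth, [], self.secret)

def authenticate(server, username, password, answer_prompt, nas_port=1):
    """Section 5 on the NAS side: request authentication, re-prompt the caller on a challenge,
    and proceed to service only on an authentic Access-Accept."""
    fixed = [(USER_NAME, username), (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # TEST-NET address
             (NAS_PORT, struct.pack("!I", nas_port))]
    ident, credential, state = 0, password, None
    for _ in range(2):                                   # at most one challenge round-trip
        req_auth = os.urandom(16)                        # fresh per request; also keys the password hiding
        attrs = fixed + [(USER_PASSWORD, hide_password(credential, SECRET, req_auth))]
        attrs += [(STATE, state)] if state else []       # echo State when answering a challenge
        response = server.handle(encode(ACCESS_REQUEST, ident, req_auth, attrs))
        code, rid, _, rattrs = decode(response)
        if rid != ident or not reply_is_authentic(response, req_auth, SECRET):
            return "discard"                             # forged or mismatched reply is dropped
        if code == ACCESS_ACCEPT:
            return "accept"
        if code != ACCESS_CHALLENGE:
            return "reject"
        ra = dict(rattrs)
        state, credential = ra[STATE], answer_prompt(ra.get(REPLY_MESSAGE, b""))
        ident = (ident + 1) % 256
    return "reject"
```

Two points the list above leaves implicit are made explicit here: the NAS draws a fresh Request Authenticator for every request, because it both keys the User-Password hiding and anchors the Response Authenticator, and the NAS checks that authenticator (and the identifier) on every reply before acting on it, so a reply not produced by a holder of the shared secret is discarded rather than treated as a reject or accept.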