📄 rfc3127.txt
字号:
Mitton, et al. Informational [Page 12]
RFC 3127 AAA Protocol Evaluation Process June 2001
3.4.2 Mandatory Compact Encoding - SNMP:T, RADIUS:T, Diameter:T,
COPS:T
3.4.3 Accounting Record Extensibility - SNMP:T, RADIUS:T,
Diameter:T, COPS:T
3.4.4 Batch Accounting - SNMP:T, RADIUS:F, Diameter:P, COPS:P
Some members of the group are not sure how this fits into the rest of
the AAA protocol, which is primarily real-time and event driven.
Would this be better met with FTP?
3.4.5 Guaranteed Delivery - SNMP:T, RADIUS:T, Diameter:T, COPS:T
3.4.6 Accounting Timestamps - SNMP:T, RADIUS:T, Diameter:T,
COPS:T
3.4.7 Dynamic Accounting - SNMP:T, RADIUS:T, Diameter:T, COPS:T
3.5 MOBILE IP Requirements
3.5.1 Encoding of MOBILE IP Registration Messages - SNMP:T,
RADIUS:T/P, Diameter:T, COPS:T
3.5.2 Firewall Friendly - SNMP:F, RADIUS:T, Diameter:P, COPS:P
There was considerable discussion about what it means to be "firewall
friendly". It was suggested that not making the firewall look into
packets much beyond the application port number. Protocols such as
SNMP and COPS are at a disadvantage, as you must look far into the
packet to understand the intended operation. Diameter will have the
disadvantage of SCTP, which is not well deployed or recognized at the
moment.
SNMP and COPS also have the problem that they are used for other
types of operations than just AAA.
Should firewalls have AAA Proxy engines?
We didn't look at "NAT friendly" issues either.
COPS:T
The group is not clear on how this requirement impacts the actual
protocol. Raj explained it to us, but we mostly took it on faith.
Mitton, et al. Informational [Page 13]
RFC 3127 AAA Protocol Evaluation Process June 2001
4. Protocol Evaluation Summaries
4.1. SNMP
SNMP is generally not acceptable as a general AAA protocol. There
may be some utility in its use for accounting, but the amount of
engineering to turn it into a viable A&A protocol argues against
further consideration.
4.2. Radius++
Radius++ is not considered acceptable as an AAA protocol. There is a
fairly substantial amount of engineering required to make it meet all
requirements, and that engineering would most likely result in
something close to the functionality of Diameter.
4.3. Diameter
Diameter is considered acceptable as an AAA protocol. There is some
minor engineering required to bring it into complete compliance with
the requirements but well within short term capabilities. Diameter
might also benefit from the inclusion of a broader data model ala
COPS.
4.4. COPS
COPS is considered acceptable as an AAA protocol. There is some
minor to medium engineering required to bring it into complete
compliance with the requirements.
4.5. Summary Recommendation
The panel expresses a slight preference for Diameter based on the
perception that the work for Diameter is further along than for COPS.
However, using SCTP as the transport mechanism for Diameter places
SCTP on the critical path for Diameter. This may ultimately result
in COPS being a faster approach if SCTP is delayed in any way.
5. Security Considerations
AAA protocols enforce the security of access to the Internet. The
design of these protocols and this evaluation process took many
security requirements as critical issues for evaluation. A candidate
protocol must meet the security requirements as documented, and must
be engineered and reviewed properly as developed and deployed.
Mitton, et al. Informational [Page 14]
RFC 3127 AAA Protocol Evaluation Process June 2001
6. References
[AAAReqts] Aboba, B., Clahoun, P., Glass, S., Hiller, T., McCann, P.,
Shiino, H., Walsh, P., Zorn, G., Dommety, G., Perkins, C.,
Patil, B., Mitton, D., Manning, S., Beadles, M., Chen, X.,
Sivalingham, S., Hameed, A., Munson, M., Jacobs, S., Lim,
B., Hirschman, B., Hsu, R., Koo, H., Lipford, M.,
Campbell, E., Xu, Y., Baba, S. and E. Jaques, "Criteria
for Evaluating AAA Protocols for Network Access", RFC
2989, April 2000.
[AAAComp] Ekstein, TJoens, Sales and Paridaens, "AAA Protocols:
Comparison between RADIUS, Diameter and COPS", Work in
Progress.
[SNMPComp] Natale, "Comparison of SNMPv3 Against AAA Network Access
Requirements", Work in Progress.
[RADComp] TJoens and DeVries, "Comparison of RADIUS Against AAA
Network Access Requirements", Work in Progress.
[RADExt] TJoens, Ekstein and DeVries, "Framework for the extension
of the RADIUS (v2) protocol", Work in Progress,
[DIAComp] Calhoun, "Comparison of Diameter Against AAA Network
Access Requirements", Work in Progress.
[COPSComp] Khosravi, Durham and Walker, "Comparison of COPS Against
the AAA NA Requirements", Work in Progress.
[COPSAAA] Durham, Khosravi, Weiss and Filename, "COPS Usage for
AAA", Work in Progress.
7. Authors' Addresses
David Mitton
Nortel Networks
880 Technology Park Drive
Billerica, MA 01821
Phone: 978-288-4570
EMail: dmitton@nortelnetworks.com
Mitton, et al. Informational [Page 15]
RFC 3127 AAA Protocol Evaluation Process June 2001
Michael StJohns
Rainmaker Technologies
19050 Pruneridge Ave, Suite 150
Cupertino, CA 95014
Phone: 408-861-9550 x5735
EMail: stjohns@rainmakertechnologies.com
Stuart Barkley
UUNET
F1-1-612
22001 Loudoun County Parkway
Ashburn, VA 20147 US
Phone: 703-886-5645
EMail: stuartb@uu.net
David B. Nelson
Enterasys Networks, Inc. (a Cabletron Systems company)
50 Minuteman Road
Andover, MA 01810-1008
Phone: 978-684-1330
EMail: dnelson@enterasys.com
Basavaraj Patil
Nokia
6000 Connection Dr.
Irving, TX 75039
Phone: +1 972-894-6709
EMail: Basavaraj.Patil@nokia.com
Mark Stevens
Ellacoya Networks
7 Henry Clay Drive
Merrimack, NH 03054
Phone: 603-577-5544 ext. 325
EMail: mstevens@ellacoya.com
Barney Wolff, Pres.
Databus Inc.
15 Victor Drive
Irvington, NY 10533-1919 USA
Phone: 914-591-5677
EMail: barney@databus.com
Mitton, et al. Informational [Page 16]
RFC 3127 AAA Protocol Evaluation Process June 2001
Appendix A - Summary Evaluations Consensus Results by Requirement
and Protocol
Requirement Section SNMP Radius++ Diameter COPS
1.1.1 P P T T
1.1.2 P P P T/P
1.1.3 T T/P T T
1.1.4 T P T T
1.1.5 P P T T
1.1.6 F P T T
1.1.7 T T T T
1.1.8 P P T T
1.1.9 T T T T
1.1.10 P T T T
1.1.11 F P T P
1.1.12 F F T P
1.1.13 P/T T T T
1.1.14 T T T T
1.2.1 T T T T
1.2.2 T T T T
1.2.3 T T T T
1.2.4 T T T T
1.2.5 T P P T
1.2.6 P T/P T T
1.3.1 P/F T T T
1.3.2 P T T/P P
1.3.3 T/P/F T T P
1.3.4 F T T T
1.3.5 P/F P T/P T
1.3.6 P P P T/P
1.3.7 F P/F P T/P
1.3.8 T P T T
1.4.1 T T T T
1.4.2 T T T T
1.4.3 T T T T
1.4.4 T F P P
1.4.5 T T T T
1.4.6 T T T T
1.4.7 T T T T
1.5.1 T T/P T T
1.5.2 F T P P
1.5.3 F P T T
Mitton, et al. Informational [Page 17]
RFC 3127 AAA Protocol Evaluation Process June 2001
Appendix B - Review of the Requirements
Comments from the Panel on then work in progress, "Criteria for
Evaluating AAA Protocols for Network Access" now revised and
published as RFC 2989. This became the group standard interpretation
of the requirements at the time.
B.1 General Requirements
Scalability - In clarification [a], delete "and tens of thousands of
simultaneous requests." This does not appear to be supported by any
of the three base documents.
Transmission level security - [Table] Delete the ROAMOPS "M" and
footnote "6". This appears to be an over generalization of the
roaming protocol requirement not necessarily applicable to AAA.
Data object confidentiality - [Table] Delete the MOBILE IP "S" and
footnote "33". The base document text does not appear to support
this requirement.
Reliable AAA transport mechanism - In clarification [h] delete
everything after the "...packet loss" and replace with a ".". The
requirements listed here are not necessarily supported by the base
document and could be mistakenly taken as requirements for the AAA
protocol in their entirety.
Run over IPv4 - [Table] Replace the MOBILE IP footnote "17" with
footnote "33". This appears to be a incorrect reference.
Run over IPv6 - [Table] Replace the MOBILE IP footnote "18" with a
footnote pointing to section 8 of [8]. This appears to be an
incorrect reference.
Auditability - Clarification [j] does not appear to coincide with the
NASREQ meaning of Auditability. Given that NASREQ is the only
protocol with an auditability requirement, this section should be
aligned with that meaning.
Shared secret not required - [Table] General - This section is
misleadingly labeled. Our team has chosen to interpret it as
specified in clarification [k] rather than any of the possible
interpretations of "shared secret not required". We recommend the
tag in the table be replaced with "Dual App and Transport Security
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -