rfc3169.txt
- A series of binary challenges and responses of arbitrary length
- An authentication failure reason to be transmitted from the NAS
to the user
- Callback to a pre-determined phone number
5.2.1.4. Extensible Authentication Types
Security protocol development is going on constantly as new threats
are identified and better cracking methods are developed. Today's
secure authentication methods may be proven insecure tomorrow. The
AAA protocol MUST provide some support for addition of new
authentication credential types.
Beadles & Mitton Informational [Page 6]
RFC 3169 Criteria for Evaluating NAS Protocols September 2001
5.2.2. Authentication Attribute Requirements
In addition to the minimum attribute set, the AAA protocol must
support and define attributes that provide the following functions:
5.2.2.1. PPP Authentication protocols
Many authentication protocols are defined within the framework of
PPP. The AAA protocol MUST be able to act as an intermediary
protocol between the authenticatee and the authenticator for the
following authentication protocols:
- PPP Password Authentication Protocol [PPP]
- PPP Challenge Handshake Authentication Protocol [CHAP]
- PPP Extensible Authentication Protocol [EAP]
5.2.2.2. User Identification
The following are common types of credentials used for user
identification. The AAA protocol MUST be able to carry the following
types of identity credentials:
- A user name in the form of a Network Access Identifier [NAI].
- An Extensible Authentication Protocol [EAP] Identity Request
Type packet.
- Telephony dialing information such as Dialed Number
Identification Service (DNIS) and Caller ID.
If a particular type of authentication credential is not needed for a
particular user session, the AAA protocol MUST NOT require that dummy
credentials be filled in. That is, the AAA protocol MUST support
authorization by identification or assertion only.
5.2.2.3. Authentication Credentials
The following are common types of credentials used for
authentication. The AAA protocol MUST be able to carry the following
types of authenticating credentials at a minimum:
- A secret or password.
- A response to a challenge presented by the NAS to the user
- A one-time password
- An X.509 digital certificate [X.509]
- A Kerberos v5 ticket [KERBEROS]
5.2.3. Authentication Protocol Security Requirements
5.2.3.1. End-to-End Hiding of Credentials
Where passwords are used as authentication credentials, the AAA
protocol MUST provide a secure means of hiding the password from
intermediates in the AAA conversation. Where challenge/response
mechanisms are used, the AAA protocol MUST also protect against
replay attacks.
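As an added illustration of the two requirements above (this is example code, not text or code from RFC 3169), a CHAP-style verifier in Python: only a challenge and a hashed response cross the AAA path, so intermediaries never see the password, and each challenge is consumed on first use so a captured (challenge, response) pair is refused when replayed. The user name, secret and identifier are constructed values.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed demo secret shared only by the peer and the home AAA server.
SECRET = b"constructed-demo-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response: MD5 over identifier, secret and challenge.
    Only the challenge and this digest traverse proxies, never the secret."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapVerifier:
    """Home-server side: issues one-time challenges and rejects replayed responses."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self.secrets = secrets
        # challenge -> identifier; an entry is consumed on first use, so a
        # captured (challenge, response) pair cannot be presented twice.
        self.outstanding: Dict[bytes, int] = {}

    def issue_challenge(self, identifier: int) -> bytes:
        challenge = os.urandom(16)  # fresh and unpredictable for every attempt
        self.outstanding[challenge] = identifier
        return challenge

    def verify(self, user: str, challenge: bytes, response: bytes) -> str:
        identifier: Optional[int] = self.outstanding.pop(challenge, None)
        if identifier is None:
            return "reject: unknown or already-used challenge"
        secret = self.secrets.get(user)
        if secret is None:
            return "reject: unknown user"
        expected = chap_response(identifier, secret, challenge)
        if not hmac.compare_digest(expected, response):  # constant-time compare
            return "reject: bad response"
        return "accept"


def demo() -> List[str]:
    """Legitimate login, then the same (challenge, response) presented a second time."""
    server = ChapVerifier({"alice": SECRET})
    challenge = server.issue_challenge(identifier=7)
    response = chap_response(7, SECRET, challenge)
    return [server.verify("alice", challenge, response),
            server.verify("alice", challenge, response)]
```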
5.3. Authorization, Policy, and Resource management
5.3.1. Authorization Protocol Requirements
In all cases, the protocol MUST specify that authorization data sent
from the NAS to the AAA server is to be regarded as information or
"hints", and not directives. The AAA protocol MUST be designed so
that the AAA server makes all final authorization decisions and does
not depend on a certain state being expected by the NAS.
5.3.1.1. Dynamic Authorization
The AAA protocol MUST support dynamic re-authorization at any time
during a user session. This re-authorization may be initiated in
either direction. This dynamic re-authorization capability MUST
include the capability to request a NAS to disconnect a user on
demand.
5.3.1.2. Resource Management
Resource Management MUST be supported on demand by the NAS or AAA
Server at any time during the course of a user session. This would
be the ability for the NAS to allocate and deallocate shared
resources from an AAA server servicing multiple NASes. These
resources may include, but are not limited to: IP addresses,
concurrent usage limits, port usage limits, and tunnel limits. This
capability should have error detection and synchronization features
that will recover state after network and system failures. This may
be accomplished by session information timeouts and explicit interim
status and disconnect messages. There should not be any dependencies
on the Accounting message stream, as per current practices.
This feature is primarily intended for NAS-local network resources.
In a proxy or multi-domain environment, resource information should
only be retained by the server doing the allocation, and perhaps its
backups. Authorization resources in remote domains should use the
dynamic authorization features to change and revoke authorization
status.
5.3.2. Authorization Attribute Requirements
5.3.2.1. Authorization Attribute Requirements - Access Restrictions
The AAA protocol serves as a primary means of gathering data used for
making Policy decisions for network access. Therefore, the AAA
protocol MUST allow network operators to make policy decisions based
on the following parameters:
- Time/day restrictions. The AAA protocol MUST be able to
provide an unambiguous time stamp, NAS time zone indication,
and date indication to the AAA server in the Authorization
information.
- Location restrictions: The AAA protocol MUST be able to
provide an unambiguous location code that reflects the
geographic location of the NAS. Note that this is not the same
type of thing as either the dialing or dialed station.
- Dialing restrictions: The AAA protocol MUST be able to provide
accurate dialed and dialing station indications.
- Concurrent login limitations: The AAA protocol MUST allow an
AAA Server to limit concurrent logins by a particular user or
group of users. This mechanism does not need to be explicitly
built into the AAA protocol, but the AAA protocol must provide
sufficient authorization information for an AAA server to make
that determination through an out-of-band mechanism.
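The decision logic that 5.3.1 and the list above call for, as an added Python example (not from RFC 3169 or any AAA server): every NAS attribute is taken as a hint, a time stamp without zone information is rejected as ambiguous, and the concurrent-login decision is made from the server's own session table rather than from anything the NAS asserts. User names, location codes, numbers and the policy are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set


@dataclass
class AccessRequest:
    """Authorization data sent by the NAS; the server treats every field as a hint."""
    user: str
    nas_time: datetime      # must carry tzinfo so the server can interpret it
    nas_location: str       # location code of the NAS itself, not a dialed number
    dialed_number: str      # DNIS
    nas_session_count: int  # what the NAS believes the user already has open


@dataclass
class Policy:
    allowed_utc_hours: range   # login window expressed in UTC hours
    allowed_locations: Set[str]
    allowed_dnis: Set[str]
    max_concurrent: int


class AaaServer:
    def __init__(self, policies: Dict[str, Policy]) -> None:
        self.policies = policies
        self.active: Dict[str, int] = {}   # server-side count, the only authority

    def authorize(self, req: AccessRequest) -> str:
        pol = self.policies.get(req.user)
        if pol is None:
            return "reject: no policy for user"
        if req.nas_time.tzinfo is None:
            return "reject: time stamp without time zone"   # ambiguous, cannot be used
        if req.nas_time.astimezone(timezone.utc).hour not in pol.allowed_utc_hours:
            return "reject: outside allowed hours"
        if req.nas_location not in pol.allowed_locations:
            return "reject: location not permitted"
        if req.dialed_number not in pol.allowed_dnis:
            return "reject: dialed number not permitted"
        # req.nas_session_count is deliberately ignored: the server's table decides.
        if self.active.get(req.user, 0) >= pol.max_concurrent:
            return "reject: concurrent login limit"
        self.active[req.user] = self.active.get(req.user, 0) + 1
        return "accept"


def demo() -> List[str]:
    server = AaaServer({"bob": Policy(range(8, 18), {"SEA-01"}, {"5551000"}, 1)})
    eastern = timezone(timedelta(hours=-5))     # 09:00-05:00 is 14:00 UTC
    req = AccessRequest("bob", datetime(2001, 9, 3, 9, 0, tzinfo=eastern),
                        "SEA-01", "5551000", nas_session_count=0)
    return [server.authorize(req), server.authorize(req)]  # second one hits the limit
```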
5.3.2.2. Authorization Attribute Requirements - Authorization Profiles
The AAA protocol is used to enforce policy at the NAS. Essentially,
on granting of access, a particular access profile is applied to the
user's session. The AAA protocol MUST at a minimum provide a means
of applying profiles containing the following types of information:
- IP Address assignment: The AAA protocol MUST provide a means of
assigning an IPv4 or IPv6 address to an incoming user.
- Protocol Filter application: The AAA protocol MUST provide a
means of applying IP protocol filters to user sessions. Two
different methods MUST be supported.
First, the AAA protocol MUST provide a means of selecting a
protocol filter by reference to an identifier, with the details
of the filter action being specified out of band. The AAA
protocol SHOULD define this out-of-band reference mechanism.
Second, the AAA protocol MUST provide a means of passing a
protocol filter by value. This means explicit passing of
pass/block information by address range, TCP/UDP port number,
and IP protocol number at a minimum.
- Compulsory Tunneling: The AAA protocol MUST provide a means of
directing a NAS to build a tunnel or tunnels to a specified
endpoint. It MUST support creation of multiple simultaneous
tunnels in a specified order. The protocol MUST allow, at a
minimum, specification of the tunnel endpoints, tunneling
protocol type, underlying tunnel media type, and tunnel
authentication credentials (if required by the tunnel type).
The AAA protocol MUST support at least the creation of tunnels
using the L2TP [L2TP], ESP [ESP], and AH [AH] protocols. The
protocol MUST provide means of adding new tunnel types as they
are standardized.
- Routing: The AAA protocol MUST provide a means of assigning a
particular static route to an incoming user session.
- Expirations/timeouts: The AAA protocol MUST provide a means of
communicating session expiration information to a NAS. Types
of expirations that MUST be supported are: total session time,
idle time, total bytes transmitted, and total bytes received.
- Quality of Service: The AAA protocol MUST provide a means for
supplying Quality of Service parameters to the NAS for
individual user sessions.
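Filter-by-value as the Protocol Filter item above defines it (pass/block by address range, TCP/UDP port number and IP protocol number), in an added Python example that is not from RFC 3169 or any NAS or AAA implementation. The rule text syntax and the profile contents are constructed for illustration; the RFC leaves the actual encoding to the protocol. Traffic that no rule covers is blocked, which is the default a practitioner would want when a profile is applied to a session.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
PROTO = {"any": None, "tcp": 6, "udp": 17}   # IP protocol numbers


@dataclass(frozen=True)
class FilterRule:
    """One filter-by-value entry: pass/block by address range, IP protocol and port."""
    action: str                                  # "pass" or "block"
    dst_net: Network                             # address range as a prefix
    proto: Optional[int] = None                  # None matches any IP protocol
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive TCP/UDP port range


def parse_rule(text: str) -> FilterRule:
    """Parse 'pass|block <cidr> [tcp|udp|any] [port[-port]]', a constructed text form."""
    parts = text.split()
    action = parts[0]
    if action not in ("pass", "block"):
        raise ValueError(f"bad action {action!r}")
    net = ipaddress.ip_network(parts[1], strict=False)
    proto = PROTO[parts[2]] if len(parts) > 2 else None
    ports = None
    if len(parts) > 3:
        lo, _, hi = parts[3].partition("-")
        ports = (int(lo), int(hi or lo))
    return FilterRule(action, net, proto, ports)


def evaluate(rules: List[FilterRule], dst_ip: str, proto: int,
             dst_port: Optional[int] = None) -> str:
    """First matching rule wins; traffic no rule covers is blocked (default deny)."""
    addr = ipaddress.ip_address(dst_ip)
    for r in rules:
        if addr.version != r.dst_net.version or addr not in r.dst_net:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dst_ports is not None and (
                dst_port is None or not r.dst_ports[0] <= dst_port <= r.dst_ports[1]):
            continue
        return r.action
    return "block"


# Constructed profile: only HTTPS and DNS into 10.1.0.0/16, nothing else on 10/8.
PROFILE = [parse_rule(t) for t in (
    "pass 10.1.0.0/16 tcp 443", "pass 10.1.0.0/16 udp 53",
    "block 10.0.0.0/8", "pass 0.0.0.0/0")]
```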
5.3.2.3. Resource Management Requirements
The AAA protocol is a means for network operators to perform
management of network resources. The AAA protocol MUST provide a
means of collecting resource state information, and controlling
resource allocation for the following types of network resources:
- Network bandwidth usage per session, including multilink
sessions.
- Access port usage, including concurrent usage and usage pools.
- Connect time.
- IP Addresses and pools.
- Compulsory tunnel limits.
5.3.3. Authorization Protocol Security Requirements
5.3.3.1. Security of Compulsory Tunnel Credentials
When an AAA protocol passes credentials that will be used to
authenticate compulsory tunnels, the AAA protocol MUST provide a
means of securing the credentials from end-to-end of the AAA
conversation. The AAA protocol MUST also provide protection against
replay attacks in this situation.
5.4. Accounting and Auditing Requirements
5.4.1. Accounting Protocol Requirements
5.4.1.1. Guaranteed Delivery
The accounting and auditing functions of the AAA protocol are used
for network planning, resource management, policy decisions, and
other functions that require accurate knowledge of the state of the
NAS. NAS operators need to be able to engineer their network usage
measurement systems to a predictable level of accuracy. Therefore,
an AAA protocol MUST provide a means of guaranteed delivery of
accounting information between the NAS and the AAA Server(s).
5.4.1.2. Real Time Accounting
NAS operators often require a real time view onto the status of
sessions served by a NAS. Therefore, the AAA protocol MUST support
real-time delivery of accounting and auditing information. In this
context, real time is defined as accounting information delivery
beginning within one second of the triggering event.
5.4.1.3. Batch Accounting
The AAA protocol SHOULD also support delivery of stored accounting
and auditing information in batches (non-real time).
5.4.1.4. Accounting Time Stamps
There may be delays associated with the delivery of accounting
information. The NAS operator will desire to know the time an event
actually occurred, rather than simply the time when notification of
the event was received. Therefore, the AAA protocol MUST carry an
unambiguous time stamp associated with each accounting event. This
time stamp MUST be unambiguous with regard to time zone. Note that
this assumes that the NAS has access to a reliable time source.
5.4.1.5. Accounting Events
At a minimum, the AAA protocol MUST support delivery of accounting
information triggered by the following events:
- Start of a user session