rfc3169.txt
- End of a user session
- Expiration of a predetermined repeating time interval during a
user session. The AAA protocol MUST provide a means for the
AAA server to request that a NAS use a certain interval
accounting time.
- Dynamic re-authorization during a user session (e.g., new
resources being delivered to the user)
- Dynamic re-authentication during a user session
5.4.1.6. On-Demand Accounting
NAS operators need to maintain an accurate view of the status of
sessions served by a NAS, even through failure of an AAA server.
Therefore, the AAA protocol MUST support a means of requesting
current session state and accounting from the NAS on demand.
5.4.2. Accounting Attribute Requirements
At a minimum, the AAA protocol MUST support delivery of the following
types of accounting/auditing data:
- All parameters used to authenticate a session.
- Details of the authorization profile that was applied to the
session.
- The duration of the session.
Beadles & Mitton Informational [Page 12]
RFC 3169 Criteria for Evaluating NAS Protocols September 2001
- The cumulative number of bytes sent by the user during the
session.
- The cumulative number of bytes received by the user during the
session.
- The cumulative number of packets sent by the user during the
session.
- The cumulative number of packets received by the user during
the session.
- Details of the access protocol used during the session (port
type, connect speeds, etc.)
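The event list above and the attribute list in 5.4.2 together describe what a NAS has to keep per session and when it has to report it. The following Go program is an added illustration, not code from RFC 3169 or any AAA implementation: it models one user session, emits a record carrying the 5.4.2 attributes on start, on every expiry of a server-requested interim interval, on re-authorization and on stop, and answers an on-demand query (5.4.1.6) without disturbing session state. The type and function names (`Session`, `AcctRecord`, `Tick`, `Snapshot`) and the injected clock are this example's own assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// AcctEvent tells the AAA server why a record was generated.
// (Event names are this example's own, not protocol-defined values.)
type AcctEvent string

const (
	EvStart    AcctEvent = "Start"           // beginning of a user session
	EvInterim  AcctEvent = "Interim-Update"  // expiry of the server-requested interval
	EvStop     AcctEvent = "Stop"            // end of a user session
	EvOnDemand AcctEvent = "On-Demand"       // server asked for current state (5.4.1.6)
	EvReauthz  AcctEvent = "Reauthorization" // dynamic re-authorization during the session
)

// AcctRecord carries the minimum accounting data listed in 5.4.2.
type AcctRecord struct {
	Event        AcctEvent
	AuthParams   map[string]string // parameters used to authenticate the session
	AuthzProfile string            // authorization profile applied to the session
	Duration     time.Duration
	BytesOut     uint64 // bytes sent by the user
	BytesIn      uint64 // bytes received by the user
	PacketsOut   uint64
	PacketsIn    uint64
	PortType     string // access protocol details: port type and connect speed
	ConnectSpeed uint32 // bit/s
}

// Session is the per-user state a NAS keeps. The clock is injected so the
// example is deterministic; a real NAS would use time.Now.
type Session struct {
	authParams   map[string]string
	profile      string
	portType     string
	connectSpeed uint32
	started      time.Time
	interval     time.Duration // 0 means the server requested no interim accounting
	lastInterim  time.Time
	bytesIn, bytesOut, pktsIn, pktsOut uint64
	now          func() time.Time
	Emitted      []AcctRecord // records handed to the AAA server, in order
}

// NewSession opens a session and emits the Start record.
func NewSession(auth map[string]string, profile, portType string, speed uint32, now func() time.Time) *Session {
	s := &Session{authParams: auth, profile: profile, portType: portType, connectSpeed: speed, now: now}
	s.started = now()
	s.lastInterim = s.started
	s.emit(EvStart)
	return s
}

func (s *Session) record(ev AcctEvent) AcctRecord {
	return AcctRecord{
		Event: ev, AuthParams: s.authParams, AuthzProfile: s.profile,
		Duration: s.now().Sub(s.started),
		BytesOut: s.bytesOut, BytesIn: s.bytesIn, PacketsOut: s.pktsOut, PacketsIn: s.pktsIn,
		PortType: s.portType, ConnectSpeed: s.connectSpeed,
	}
}

func (s *Session) emit(ev AcctEvent) { s.Emitted = append(s.Emitted, s.record(ev)) }

// SetInterimInterval models the AAA server requesting a repeating interval.
func (s *Session) SetInterimInterval(d time.Duration) { s.interval = d; s.lastInterim = s.now() }

// Account adds traffic to the counters; direction is from the user's point of view.
func (s *Session) Account(bytesOut, pktsOut, bytesIn, pktsIn uint64) {
	s.bytesOut += bytesOut
	s.pktsOut += pktsOut
	s.bytesIn += bytesIn
	s.pktsIn += pktsIn
}

// Tick is the NAS's periodic check; it emits one Interim-Update per elapsed
// interval (so a late tick still accounts for every interval) and returns the count.
func (s *Session) Tick() int {
	if s.interval <= 0 {
		return 0
	}
	n := 0
	for !s.now().Before(s.lastInterim.Add(s.interval)) {
		s.lastInterim = s.lastInterim.Add(s.interval)
		s.emit(EvInterim)
		n++
	}
	return n
}

// Reauthorize records the state under the old profile before switching to the
// new one, so usage can be attributed to each profile separately.
func (s *Session) Reauthorize(profile string) { s.emit(EvReauthz); s.profile = profile }

// Snapshot answers an on-demand query (5.4.1.6) without altering session state.
func (s *Session) Snapshot() AcctRecord { return s.record(EvOnDemand) }

// Stop closes the session and returns the Stop record.
func (s *Session) Stop() AcctRecord { s.emit(EvStop); return s.Emitted[len(s.Emitted)-1] }

func main() {
	// Constructed sample session: a CHAP-authenticated dial-up user, 25 minutes long.
	clock := time.Date(2001, 9, 1, 0, 0, 0, 0, time.UTC)
	now := func() time.Time { return clock }
	s := NewSession(map[string]string{"NAI": "user@example.net", "method": "CHAP"}, "dialup-basic", "Async", 56000, now)
	s.SetInterimInterval(10 * time.Minute)
	clock = clock.Add(25 * time.Minute)
	s.Account(1200, 10, 48000, 60)
	s.Tick()
	rec := s.Stop()
	fmt.Printf("%d records emitted; stop record: duration %v, bytes in %d, bytes out %d\n",
		len(s.Emitted), rec.Duration, rec.BytesIn, rec.BytesOut)
}
```

The on-demand path (`Snapshot`) deliberately reads the same counters the periodic records use, which is what lets a server that lost interim updates during an outage re-synchronize its view of the session from the NAS.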
5.4.3. Accounting Protocol Security Requirements
5.4.3.1. Integrity and Confidentiality
Note that accounting and auditing data are operationally sensitive
information. The AAA protocol MUST provide a means to assure end-
to-end integrity of this data. The AAA protocol SHOULD provide a
means of assuring the end-to-end confidentiality of this data.
5.4.3.2. Auditability
Network operators use accounting data for network planning, resource
management, and other business-critical functions that require
confidence in the correctness of this data. The AAA protocol SHOULD
provide a mechanism to ensure that the source of accounting data
cannot easily repudiate this data after transmission.
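The three properties in 5.4.3 (end-to-end integrity, confidentiality, and a source that cannot easily repudiate what it sent) map onto two distinct cryptographic layers. The Go program below is an added example, not part of RFC 3169 and not any AAA protocol's wire format: the NAS signs each accounting record with its own Ed25519 key (integrity plus a signature only the NAS could have produced), and the signed record is then encrypted under a shared AES-256-GCM transport key (confidentiality). The record layout, the JSON encoding and the `Seal`/`Open` names are this example's assumptions, and both keys are assumed to have been provisioned out of band.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// AcctSummary is a constructed accounting record; real protocols carry
// many more attributes (see 5.4.2).
type AcctSummary struct {
	Session  string `json:"session"`
	NAI      string `json:"nai"`
	Seconds  uint64 `json:"seconds"`
	BytesIn  uint64 `json:"bytes_in"`
	BytesOut uint64 `json:"bytes_out"`
}

// signedRecord is the plaintext inside the encrypted envelope: the encoded
// record plus the NAS's signature over exactly those bytes.
type signedRecord struct {
	Record    []byte `json:"record"`
	Signature []byte `json:"sig"`
}

// ErrTampered is returned for any envelope that fails decryption or signature
// verification; the server deliberately does not distinguish the two cases.
var ErrTampered = errors.New("accounting record failed integrity check")

func newGCM(transportKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(transportKey) // 32-byte key gives AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the NAS side: sign with the NAS's private key, then encrypt.
func Seal(rec AcctSummary, nasKey ed25519.PrivateKey, transportKey []byte) ([]byte, error) {
	body, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	plain, err := json.Marshal(signedRecord{Record: body, Signature: ed25519.Sign(nasKey, body)})
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(transportKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Envelope layout: nonce || ciphertext || GCM tag.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Open is the AAA server side: decrypt, then verify the NAS's signature
// before trusting any field of the record.
func Open(envelope []byte, nasPub ed25519.PublicKey, transportKey []byte) (AcctSummary, error) {
	var rec AcctSummary
	gcm, err := newGCM(transportKey)
	if err != nil {
		return rec, err
	}
	if len(envelope) < gcm.NonceSize() {
		return rec, ErrTampered
	}
	nonce, ct := envelope[:gcm.NonceSize()], envelope[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return rec, ErrTampered
	}
	var sr signedRecord
	if err := json.Unmarshal(plain, &sr); err != nil {
		return rec, ErrTampered
	}
	if !ed25519.Verify(nasPub, sr.Record, sr.Signature) {
		return rec, ErrTampered
	}
	if err := json.Unmarshal(sr.Record, &rec); err != nil {
		return rec, ErrTampered
	}
	return rec, nil
}

func main() {
	// Constructed keys for the demonstration; a deployment provisions these out of band.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	transportKey := make([]byte, 32)
	rand.Read(transportKey)
	rec := AcctSummary{Session: "s1", NAI: "user@example.net", Seconds: 1500, BytesIn: 48000, BytesOut: 1200}
	env, _ := Seal(rec, priv, transportKey)
	got, err := Open(env, pub, transportKey)
	fmt.Printf("decoded %+v, err=%v\n", got, err)
	env[len(env)-1] ^= 0x01 // one flipped bit anywhere in the envelope
	_, err = Open(env, pub, transportKey)
	fmt.Println("after tampering:", err)
}
```

The split matters for the non-repudiation requirement: a proxy or any other holder of the shared transport key can decrypt and re-encrypt, so GCM alone would not let the server prove which NAS produced a record. The per-NAS signature inside the envelope does, provided the NAS's private key never leaves the device.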
6. Device Management Protocols
This document does not specify any requirements for device management
protocols.
7. Acknowledgments
Many of the requirements in this document first took form in Glen
Zorn's, "Yet Another Authentication Protocol (YAAP)" document, for
which grateful acknowledgment is made.
8. Security Considerations
See above for security requirements for the NAS AAA protocol.
Where an AAA architecture spans multiple domains of authority, AAA
information may need to cross trust boundaries. In this situation, a
NAS might operate as a shared device that services multiple
administrative domains. Network operators are advised to take this into
consideration when deploying NASs and AAA Servers.
9. IANA Considerations
This document does not directly specify any IANA considerations.
However, the following recommendations are made:
Future development and extension of an AAA protocol will be made much
easier if new attributes and values can be requested or registered
directly through IANA, rather than through an IETF Standardization
process.
The AAA protocol might use enumerated values for some attributes,
which enumerate already-defined IANA types (such as protocol number).
In these cases, the AAA protocol SHOULD use the IANA assigned numbers
as the enumerated values.
11. Authors' Addresses
Mark Anthony Beadles
SmartPipes, Inc.
565 Metro Place South Suite 300
Dublin, OH 43017
Phone: 614-923-6200
David Mitton
Nortel Networks
880 Technology Park Drive
Billerica, MA 01821
Phone: 978-288-4570
EMail: dmitton@nortelnetworks.com
12. Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.