Network Working Group                                          B. Aboba
Request for Comments: 2809                                    Microsoft
Category: Informational                                         G. Zorn
                                                                  Cisco
                                                             April 2000
Implementation of L2TP Compulsory Tunneling via RADIUS
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This document discusses implementation issues arising in the
provisioning of compulsory tunneling in dial-up networks using the
L2TP protocol. This provisioning can be accomplished via the
integration of RADIUS and tunneling protocols. Implementation issues
encountered with other tunneling protocols are left to separate
documents.
1. Terminology
Voluntary Tunneling
In voluntary tunneling, a tunnel is created by the user,
typically via use of a tunneling client.
Compulsory Tunneling
In compulsory tunneling, a tunnel is created without any
action from the user and without allowing the user any
choice.
Tunnel Network Server
This is a server which terminates a tunnel. In L2TP
terminology, this is known as the L2TP Network Server
(LNS).
Aboba & Zorn Informational [Page 1]
RFC 2809 L2TP Compulsory Tunneling via RADIUS April 2000
Network Access Server
The Network Access Server (NAS) is the device that clients
contact in order to get access to the network. In L2TP
terminology, a NAS performing compulsory tunneling is
referred to as the L2TP Access Concentrator (LAC).
RADIUS authentication server
This is a server which provides for
authentication/authorization via the protocol described in
[1].
RADIUS proxy
In order to provide for the routing of RADIUS
authentication requests, a RADIUS proxy can be employed.
To the NAS, the RADIUS proxy appears to act as a RADIUS
server, and to the RADIUS server, the proxy appears to act
as a RADIUS client. A proxy can also be used to locate the tunnel
endpoint when realm-based tunneling is used.
2. Requirements language
In this document, the key words "MAY", "MUST", "MUST NOT", "optional",
"recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
described in [4].
3. Introduction
Many applications of tunneling protocols involve dial-up network
access. Some, such as the provisioning of secure access to corporate
intranets via the Internet, are characterized by voluntary tunneling:
the tunnel is created at the request of the user for a specific
purpose. Other applications involve compulsory tunneling: the tunnel
is created without any action from the user and without allowing the
user any choice.
Examples of applications that might be implemented using compulsory
tunnels are Internet software upgrade servers, software registration
servers and banking services. These are all services which, without
compulsory tunneling, would probably be provided using dedicated
networks or at least dedicated network access servers (NAS), since
they are characterized by the need to limit user access to specific
hosts.
Given the existence of widespread support for compulsory tunneling,
however, these types of services could be accessed via any Internet
service provider (ISP). The most popular means of authorizing dial-
up network users today is through the RADIUS protocol. The use of
RADIUS allows the dial-up users' authorization and authentication
data to be maintained in a central location, rather than on each NAS.
It makes sense to use RADIUS to centrally administer compulsory
tunneling, since RADIUS is widely deployed and was designed to carry
this type of information. New RADIUS attributes are needed to carry
the tunneling information from the RADIUS server to the NAS. Those
attributes are defined in [3].
3.1. Advantages of RADIUS-based compulsory tunneling
Current proposals for routing of tunnel requests include static
tunneling, where all users are automatically tunneled to a given
endpoint, and realm-based tunneling, where the tunnel endpoint is
determined from the realm portion of the userID. User-based tunneling
as provided by integration of RADIUS and tunnel protocols offers
significant advantages over both of these approaches.
Static tunneling requires dedication of a NAS device to the purpose.
In the case of an ISP, this is undesirable because it requires them
to dedicate a NAS to tunneling service for a given customer, rather
than allowing them to use existing NASes deployed in the field. As a
result static tunneling is likely to be costly for deployment of a
global service.
Realm-based tunneling assumes that all users within a given realm
wish to be treated the same way. This limits flexibility in account
management. For example, BIGCO may desire to provide Janet with an
account that allows access to both the Internet and the intranet,
with Janet's intranet access provided by a tunnel server located in
the engineering department. However BIGCO may desire to provide Fred
with an account that provides only access to the intranet, with
Fred's intranet access provided by a tunnel network server located in
the sales department. Such a situation cannot be accommodated with
realm-based tunneling, but can be accommodated via user-based
tunneling as enabled by the attributes defined in [3].
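The three routing approaches contrasted in this section (static, realm-based, and user-based) can be seen side by side in a small model of the lookup a RADIUS server performs before answering the NAS. This is an added illustration, not code from RFC 2809 or any RADIUS implementation: the userIDs, hostnames and tables are constructed for the BIGCO scenario above, and the attribute names (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Server-Endpoint) are taken from the tunnel attributes that [3] defines, with their values written symbolically.

```python
"""Tunnel endpoint selection under static, realm-based and user-based routing.

Added illustration for RFC 2809 section 3.1; userIDs, hostnames and tables
are constructed. Attribute names follow the RADIUS tunnel attributes of [3].
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class TunnelDecision:
    """What the RADIUS server would hand back to the NAS for one Access-Request."""
    tunneled: bool
    attributes: Dict[str, str] = field(default_factory=dict)  # Tunnel-* attributes
    internet_access: bool = False  # policy metadata for the example, not a RADIUS attribute


def tunnel_attributes(endpoint: str) -> Dict[str, str]:
    """Build the tunnel attributes that tell the NAS (acting as LAC) where to tunnel."""
    return {
        "Tunnel-Type": "L2TP",
        "Tunnel-Medium-Type": "IPv4",
        "Tunnel-Server-Endpoint": endpoint,  # the tunnel network server (LNS)
    }


def split_userid(userid: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' into (user, realm); realm is None when absent."""
    if "@" in userid:
        user, realm = userid.rsplit("@", 1)
        return user, realm.lower()
    return userid, None


def static_policy(userid: str, endpoint: str) -> TunnelDecision:
    """Static tunneling: every user of this (dedicated) NAS goes to one endpoint."""
    return TunnelDecision(True, tunnel_attributes(endpoint))


def realm_policy(userid: str, realms: Dict[str, str]) -> TunnelDecision:
    """Realm-based tunneling: the endpoint depends only on the realm part of the
    userID, so two users of the same realm can never be routed differently."""
    _, realm = split_userid(userid)
    endpoint = realms.get(realm) if realm is not None else None
    if endpoint is None:
        return TunnelDecision(False)  # unknown realm: no tunnel attributes returned
    return TunnelDecision(True, tunnel_attributes(endpoint))


def user_policy(userid: str, users: Dict[str, Dict[str, object]]) -> TunnelDecision:
    """User-based tunneling: endpoint and access rights are looked up per user."""
    profile = users.get(userid)
    if profile is None:
        return TunnelDecision(False)  # unknown user: nothing to authorize or tunnel
    return TunnelDecision(
        True,
        tunnel_attributes(str(profile["endpoint"])),
        internet_access=bool(profile["internet_access"]),
    )


# Constructed BIGCO example: Janet gets Internet access plus the engineering
# tunnel server; Fred gets only the sales-department tunnel server.
USER_TABLE = {
    "janet@bigco.example": {"endpoint": "lns-eng.bigco.example", "internet_access": True},
    "fred@bigco.example": {"endpoint": "lns-sales.bigco.example", "internet_access": False},
}
# A realm table can hold only one answer per realm, which is the limitation.
REALM_TABLE = {"bigco.example": "lns-eng.bigco.example"}


if __name__ == "__main__":
    for uid in ("janet@bigco.example", "fred@bigco.example", "guest@other.example"):
        r = realm_policy(uid, REALM_TABLE)
        u = user_policy(uid, USER_TABLE)
        print(f"{uid:22} realm-based -> {r.attributes.get('Tunnel-Server-Endpoint')}"
              f"   user-based -> {u.attributes.get('Tunnel-Server-Endpoint')}"
              f" (internet={u.internet_access})")
```

Running the script shows the point of the section: under realm_policy Janet and Fred both land on the engineering server because they share a realm, while user_policy sends Fred to the sales server and withholds Internet access, and an unknown user or realm gets no tunnel attributes at all.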
4. Authentication alternatives
RADIUS-based compulsory tunneling can support both single
authentication, where the user is authenticated at the NAS or tunnel
server, or dual authentication, where the user is authenticated at
both the NAS and the tunnel server. When single authentication is
supported, a variety of modes are possible, including telephone-
number based authentication. When dual-authentication is used, a
number of modes are available, including dual CHAP authentications;
CHAP/EAP authentication; CHAP/PAP(token) authentication; and EAP/EAP
authentication, using the same EAP type for both authentications. EAP
is described in [5].
The alternatives are described in more detail below.
4.1. Single authentication
Single authentication alternatives include:
NAS authentication
NAS authentication with RADIUS reply forwarding
Tunnel server authentication
4.1.1. NAS authentication
With this approach, authentication and authorization (including
tunneling information) occurs once, at the NAS. The advantages of
this approach are that it disallows network access for unauthorized
NAS users, and permits accounting to be done at the NAS. Disadvantages
are that it requires that the tunnel server trust the NAS, since no
user authentication occurs at the tunnel server. Due to the lack of
user authentication, accounting cannot take place at the tunnel
server with strong assurance that the correct party is being billed.
NAS-only authentication is most typically employed along with LCP
forwarding and tunnel authentication, both of which are supported in