rfc2881.txt

          debits)
     - Session accounting information is tallied by the NAS and
       reported to the server

5.3 Network Management and Administrative features

   The NAS system is presumed to have a method of configuration that
   allows it to know its identity and network parameters at boot time.
   Likewise, this configuration information is typically managed using
   the standard management protocols (e.g., SNMP).  This would include
   the configuration of the parameters necessary to contact the AAA
   server itself.  The purpose of the AAA server is not to provide
   network management for the NAS, but to authorize and characterize the
   individual services for the users.  Therefore any feature that can be
   user specific is open to supply from the AAA server.

Mitton & Beadles             Informational                      [Page 7]

RFC 2881                    NASreq NAS Model                   July 2000

   The system may have other operational services that are used to run
   and control the NAS.  Some users that have _Administrative_
   privileges may have access to system configuration tools, or services
   that affect the operation and configuration of the system (e.g.,
   loading boot images, internal file system access, etc.).  Access to
   these facilities may also be authenticated by the AAA server
   (provided it is configured and reachable!) and levels of access
   authorization may be provided.

6. Authentication Methods

   A NAS system typically supports a number of authentication systems.
   For async terminal users, these may be as simple as a prompt and
   input.  For network datalink users, such as PPP, several different
   authentication methods will be supported (PAP, CHAP [12], MS-CHAP
   [13]).  Some of these may actually be protocols in and of themselves
   (EAP [14] [15], and Kerberos).

   Additionally, the content of the authentication exchanges may not be
   straightforward.
   Hard token cards, such as the Safeword and SecurID
   systems, may generate one-time passphrases that must be validated
   against a proprietary server.  In the case of multi-link support, it
   may be necessary to remember a session token or certificate for the
   later authentication of additional links.

   In the cases of VPN and compulsory tunneling services, typically a
   Network Access Identifier (RFC 2486 [16]) is presented by the user.
   This NAI is parsed into a destination network identifier either by
   the NAS or by the AAA server.  The authentication information will
   typically not be validated locally, but by an AAA service at the
   remote end of the tunnel service.

7. Session Authorization Information

   Once a user has been authenticated, there are a number of individual
   bits of information that the network management may wish to configure
   and authorize for the given user or class of users.

   Typical examples include:

        For async terminal users:
        - banners
        - custom prompts
        - menus
        - CLI macros - which could be used for: shortcuts, compound
          commands, restrictive scripts

        For network users:
        - addresses, and routes
        - callback instructions
        - packet and activity filters
        - network server addresses
        - host server addresses

   Some services may require dynamic allocation of resources.
   Information about the resources required may not be known during the
   authentication phase; it may come up later (e.g., IP addresses for
   multi-link bundles).  It is also possible that the authorization will
   change over the time of the session.  To provide these there has to
   be a division of responsibility between the NAS and the AAA server,
   or a cooperation using a stateful service.
   Such services include:

        - IP address management
        - Concurrent login limitations
        - Tunnel usage limitations
        - Real-time account expirations
        - Call management policies

   In the process of resolving resource information, it may be required
   that a certain level of service be supplied, and if not available,
   the request refused, or corrective action taken.

8. IP Network Interaction

   As the NAS participates in the IP network, it interacts with the
   routing mechanisms of the network itself.  These interactions may
   also be controlled on a per-user/session basis.

   For example, some input streams may be directed to specific hosts
   other than the default gateway for the destination subnet.  In order
   to control services within the network provider's infrastructure,
   some types of packets may be discarded (filtered) before entering the
   network.  These filters could be applied based on examination of
   destination address and port number.  Anti-spoofing packet controls
   may be applied to disallow traffic sourced from addresses other than
   what was assigned to the port.

   A NAS may also be an edge router system, and apply Quality of Service
   (QoS) policies to the packets.  This makes it a QoS Policy
   Enforcement Point [19], [17].  It may learn QoS and other network
   policies for the user via the AAA service.

9. A NAS Model

   So far we have looked at examples of things that NASes do.  The
   following attempts to define a NAS model that captures the
   fundamentals of NAS structure to better categorize how it interacts
   with other network components.
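   Before going on to the model, the following is an added worked
   example (it is not text or code from RFC 2881) of the division of
   responsibility that sections 7 and 8 above describe: cross-session
   state (address pool, concurrent-login limit, real-time account
   expiry) is kept on the AAA side and handed to the NAS at
   authorization time, while the NAS enforces the per-port anti-spoofing
   and destination address/port filters on every packet.  The address
   pool, user names, expiry times, filter rules and packets are all
   constructed for illustration.

```python
"""Stateful session authorization (section 7) and per-session ingress
enforcement (section 8) for a NAS.

Added worked example, not from RFC 2881.  Everything below (pool, users,
expiry, filters, packets) is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    assigned_ip: ipaddress.IPv4Address
    # Destination filters applied before traffic enters the network:
    # (network, port) pairs; port None means "any port".
    deny_dst: tuple = ()


class AAAState:
    """Cross-session state a single NAS cannot keep once there is more than
    one NAS: address pool, concurrent logins, real-time account expiry."""

    def __init__(self, pool, max_concurrent=1, expires=None):
        self.free = [ipaddress.IPv4Address(a) for a in pool]
        self.max_concurrent = max_concurrent
        self.expires = expires or {}      # user -> epoch seconds (constructed)
        self.active = {}                  # user -> [Session, ...]

    def authorize(self, user, now, deny_dst=()):
        """Return a Session, or None when policy or resources refuse it."""
        if now >= self.expires.get(user, float("inf")):
            return None                   # real-time account expiration
        if len(self.active.get(user, [])) >= self.max_concurrent:
            return None                   # concurrent login limitation
        if not self.free:
            return None                   # no address left: refuse, do not degrade
        sess = Session(user, self.free.pop(0), tuple(deny_dst))
        self.active.setdefault(user, []).append(sess)
        return sess

    def release(self, sess):
        """Session end: return the address so the pool stays consistent."""
        self.active[sess.user].remove(sess)
        self.free.append(sess.assigned_ip)


def ingress_allowed(sess, src, dst, dport):
    """NAS-side decision for a packet arriving on the session's port."""
    src = ipaddress.IPv4Address(src)
    dst = ipaddress.IPv4Address(dst)
    # Anti-spoofing: the port may only source traffic from its assigned address.
    if src != sess.assigned_ip:
        return False
    # Destination address/port filters supplied at authorization time.
    for net, port in sess.deny_dst:
        if dst in ipaddress.ip_network(net) and (port is None or port == dport):
            return False
    return True


def demo():
    """Run the constructed scenario and return what was decided."""
    aaa = AAAState(["192.0.2.10", "192.0.2.11"], max_concurrent=1,
                   expires={"bob": 1000})
    alice = aaa.authorize("alice", now=500,
                          deny_dst=[("0.0.0.0/0", 25), ("10.0.0.0/8", None)])
    second = aaa.authorize("alice", now=500)       # second login refused
    bob = aaa.authorize("bob", now=1000)           # expired account refused
    decisions = {
        "web": ingress_allowed(alice, "192.0.2.10", "198.51.100.5", 80),
        "spoofed": ingress_allowed(alice, "192.0.2.99", "198.51.100.5", 80),
        "smtp": ingress_allowed(alice, "192.0.2.10", "198.51.100.5", 25),
        "internal": ingress_allowed(alice, "192.0.2.10", "10.1.2.3", 443),
    }
    aaa.release(alice)
    return alice, second, bob, decisions


if __name__ == "__main__":
    print(demo())
```

   The point to take from the split is that refusing a session when the
   pool is empty or the login limit is hit is a decision the AAA server
   can only make if it sees every NAS; the NAS, by contrast, only needs
   the assigned address and the filter list to enforce section 8 on
   each packet.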
   A Network Access Server is a device which sits on the edge of a
   network, and provides access to services on that network in a
   controlled fashion, based on the identity of the user of the network
   services in question and on the policy of the provider of these
   services.  For the purposes of this document, a Network Access Server
   is defined primarily as a device which accepts multiple
   point-to-point [18] links on one set of interfaces, providing access
   to a routed network or networks on another set of interfaces.

   Note that there are many things that a Network Access Server is not.
   A NAS is not simply a router, although it will typically include
   routing functionality in its interface to the network.  A NAS is not
   necessarily a dial access server, although dial access is one common
   means of network access, and brings its own particular set of
   requirements to NASes.

   A NAS is the first device in the IP network to provide services to an
   end user, and acts as a gateway for all further services.  It is the
   point at which users are authenticated, access policy is enforced,
   network services are authorized, network usage is audited, and
   resource consumption is tracked.  That is, a NAS often acts as the
   policy enforcement point for network AAAA (authentication,
   authorization, accounting, and auditing) services.  A NAS is
   typically the first place in a network where security measures and
   policy may be implemented.

9.1 A Reference Model of a NAS

   For reference in the following discussion, a diagram of a NAS, its
   dependencies, and its interfaces is given below.
   This diagram is
   intended as an abstraction of a NAS as a reference model, and is not
   intended to represent any particular NAS implementation.

                               Users
                             v v v v v v v
                             | | PSTN  | |
                             | |  or   | |
                             |encapsulated
                          +-----------------+
                          |    (Modems)     |
                          +-----------------+
                             | | | | | | |
                   +--+----------------------------+
                   |  |                            |
                   |N |     Client Interface       |
                   |  |                            |
                   |A +----------Routing ----------+
                   |  |                            |
                   |S |    Network Interface       |
                   |  |                            |
                   +--+----------------------------+
                           /      |     \
                          /       |      \
                         /        |       \
                        /         |        \
      POLICY MANAGEMENT/          |         \  DEVICE MANAGEMENT
      +---------------+           |          +-------------------+
      | Authentication|         _/^\_        |Device Provisioning|
      +---------------+       _/     \_      +-------------------+
      | Authorization |     _/         \_    |Device Monitoring  |
      +---------------+   _/             \_  +-------------------+
      | Accounting    |  /       The       \
      +---------------+  \_   Network(s)  _/
      | Auditing      |    \_           _/
      +---------------+      \_       _/
                               \_   _/
                                 \_/

9.2 Terminology

   Following is a description of the
   modules and interfaces in the
   reference model for a NAS given above:

   Client Interfaces - A NAS has one or more client interfaces, which
      provide the interface to the end users who are requesting network
      access.  Users may connect to these client interfaces via modems
      over a PSTN, or via tunnels over a data network.  Two broad
      classes of NASes may be defined, based on the nature of the
      incoming client interfaces, as follows.  Note that a single NAS
      device may serve in both classes:

   Dial Access Servers - A Dial Access Server is a NAS whose client
      interfaces consist of modems, either local or remote, which are
      attached to a PSTN.

   Tunnel Servers - A Tunnel Server is a NAS whose client interfaces
      consist of tunneling endpoints in a protocol such as L2TP.

   Network Interfaces - A NAS has one or more network interfaces, which
      connect to the networks to which access is being granted.

   Routing - If the network to which access is being granted is a routed
      network, then a NAS will typically include routing functionality.

   Policy Management Interface - A NAS provides an interface which
      allows access to network services to be managed on a per-user
      basis.  This interface may be a configuration file, a graphical
      user interface, an API, or a protocol such as RADIUS, Diameter, or
      COPS [19].  This interface provides a mechanism for granular
      resource management and policy enforcement.

   Authentication - Authentication refers to the confirmation that a
      user who is requesting services is a valid user of the network
      services requested.  Authentication is accomplished via the
      presentation of an identity and credentials.
      Examples of types of
      credentials are passwords, one-time tokens, digital certificates,
      and phone numbers (calling/called).

   Authorization - Authorization refers to the granting of specific
      types of service (including "no service") to a user, based on
      their authentication, what services they are requesting, and the
      current system state.  Authorization may be based on restrictions,
      for example time-of-day restrictions, or physical location
      restrictions, or restrictions against multiple logins by the same
      user.  Authorization determines the nature of the service which is
      granted to a user.  Examples of types of service include, but are
      not limited to: IP address filtering, address assignment, route
      assignment, QoS/differential services, bandwidth control/traffic
      management, compulsory tunneling to a specific endpoint, and
      encryption.

   Accounting - Accounting refers to the tracking of the consumption of
      NAS resources by users.  This information may be used for
      management, planning, billing, or other purposes.  Real-time
      accounting refers to accounting information that is delivered
      concurrently with the consumption of the resources.  Batch
      accounting refers to accounting information that is saved until it
      is delivered at a later time.  Typical information that is
      gathered in accounting is the identity of the user, the nature of
      the service delivered, when the service began, and when it ended.

   Auditing - Auditing refers to the tracking of activity by users.  As
      opposed to accounting, where the purpose is to track consumption
      of resources, the purpose of auditing is to determine the nature
      of a user's network activity.
      Examples of auditing information
      include the identity of the user, the nature of the services used,
      what hosts were accessed when, what protocols were used, etc.

   AAAA Server - An AAAA Server is a server or servers that provide
      authentication, authorization, accounting, and auditing services.
      These may be co-located with the NAS, or more typically, are
      located on a separate server and communicate with the NAS's
      Policy Management Interface via an AAAA protocol.  The four AAAA
      functions may be located on a single server, or may be broken up
      among multiple servers.

   Device Management Interface - A NAS is a network device which is
      owned, operated, and managed by some entity.  This interface
      provides a means for this entity to operate and manage the NAS.
      This interface may be a configuration file, a graphical user
      interface, an API, or a protocol such as SNMP [20].

   Device Monitoring - Device monitoring refers to the tracking of
      status, activity, and usage of the NAS as a network device.

   Device Provisioning - Device provisioning refers to the
      configurations, settings, and control of the NAS as a network
      device.

9.3 Analysis

   Following is an analysis of the functions of a NAS using the
   reference model above:

9.3.1 Authentication and Security

   NASes serve as the first point of authentication for network users,
   providing security to user sessions.  This security is typically
   performed by checking credentials such as a PPP PAP user
   name/password pair or a PPP CHAP user name and challenge/response,
   but may be extended to authentication via telephone number
   information, digital certificates, or biometrics.  NASes also may
   authenticate themselves to users.
   Since a NAS may be shared among
   multiple administrative entities, authentication may actually be
   performed via a back-end proxy, referral, or brokering process.

   In addition to user security, NASes may themselves be operated as
   secure devices.  This may include secure methods of management and
   monitoring, use of IP Security [21] and even participation in a
   Public Key Infrastructure.

9.3.2 Authorization and Policy

   NASes are the first point of authorization for usage of network
   resources, and NASes serve as policy enforcement points for the
   services that they deliver to users.  NASes may provision these
   services to users in a statically or dynamically configured fashion.
   Resource management can be performed at a NAS by granting specific
   types of service based on the current network state.  In the case of
   shared operation, NAS policy may be determined based on the policy of
   multiple end systems.
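   The following is an added worked example (not code from RFC 2881 or
   from any NAS vendor) of the two authentication paths described in
   section 6 and section 9.3.1 above: a PPP CHAP challenge/response
   checked against a secret the local AAA holds (RFC 1994 with MD5,
   Response = MD5(Identifier || secret || Challenge)), and a Network
   Access Identifier (RFC 2486, user@realm) whose realm belongs to
   another administrative entity, in which case the NAS forwards the
   exchange to a back-end proxy rather than validating it.  The user
   table, secrets, realm table, proxy addresses and the "one outstanding
   challenge per identifier" bookkeeping are constructed assumptions of
   the example.

```python
"""CHAP verification and NAI realm routing at a NAS.

Added worked example, not from RFC 2881.  Users, secrets, realms and proxy
targets are constructed for illustration.
"""
import hashlib
import hmac
import os


def parse_nai(nai):
    """Split an RFC 2486 NAI 'user@realm' into (user, realm); realm is
    None when the user supplied a bare name."""
    if "@" not in nai:
        return nai, None
    user, realm = nai.rsplit("@", 1)
    return user, realm.lower()


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The identifier is the one-octet CHAP Identifier field."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class NasAuthenticator:
    """Per section 6 / 9.3.1: check the credential locally, or hand the
    exchange to the proxy responsible for the user's realm."""

    def __init__(self, users, remote_realms, local_realm):
        self.users = users                  # user -> cleartext secret (CHAP needs it)
        self.remote_realms = remote_realms  # realm -> proxy AAA address (constructed)
        self.local_realm = local_realm
        self.outstanding = {}               # identifier -> challenge, single use

    def issue_challenge(self, identifier):
        """A fresh random challenge per attempt is what stops replay."""
        chal = os.urandom(16)
        self.outstanding[identifier] = chal
        return chal

    def authenticate(self, nai, identifier, response):
        """Return ('accept', user), ('proxy', target) or ('reject', reason)."""
        chal = self.outstanding.pop(identifier, None)
        if chal is None:
            return ("reject", "no outstanding challenge")   # stale or replayed
        user, realm = parse_nai(nai)
        if realm in self.remote_realms:
            # The remote AAA holds the secret; forward identifier, challenge
            # and response unchanged instead of validating here.
            return ("proxy", self.remote_realms[realm])
        if realm not in (None, self.local_realm):
            return ("reject", "unknown realm")
        secret = self.users.get(user)
        if secret is None:
            return ("reject", "unknown user")
        expected = chap_response(identifier, secret, chal)
        if hmac.compare_digest(expected, response):
            return ("accept", user)
        return ("reject", "bad response")


if __name__ == "__main__":
    auth = NasAuthenticator({"alice": b"s3cret"},
                            {"example.net": "aaa.example.net"}, "example.org")
    c = auth.issue_challenge(7)
    print(auth.authenticate("alice@example.org", 7, chap_response(7, b"s3cret", c)))
```

   Two practical consequences follow from the code.  The verifier must
   hold the cleartext secret to recompute the MD5 response, which is
   why the secret lives on the AAA server and the NAS proxies the
   exchange for realms it does not own; and because MD5-CHAP lets a
   passive observer run an offline dictionary attack on the captured
   challenge/response pair, the fresh per-attempt challenge protects
   only against replay, not against weak secrets.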
