rfc2881.txt

Network Working Group                                          D. Mitton
Request for Comments: 2881                               Nortel Networks
Category: Informational                                       M. Beadles
                                                         SmartPipes Inc.
                                                               July 2000

     Network Access Server Requirements Next Generation (NASREQNG)
                               NAS Model

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   This document describes the terminology and gives a model of a typical
   Network Access Server (NAS).  The purpose of this effort is to set
   the reference space for describing and evaluating NAS service
   protocols, such as RADIUS (RFCs 2865, 2866) [1], [2] and follow-on
   efforts like the AAA Working Group and the Diameter protocol [3].  These
   are protocols for carrying user service information for
   authentication, authorization, accounting, and auditing, between a
   Network Access Server which desires to authenticate its incoming
   calls and a shared authentication server.

Table of Contents

   1. INTRODUCTION
    1.1 Scope of this Document
    1.2 Specific Terminology
   2. NETWORK ACCESS SYSTEM EQUIPMENT ASSUMPTIONS
   3. NAS SERVICES
   4. AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA) SERVERS
   5. TYPICAL NAS OPERATION SEQUENCE:
    5.1 Characteristics of Systems and Sessions:
    5.2 Separation of NAS and AAA server functions
    5.3 Network Management and Administrative features
   6. AUTHENTICATION METHODS
   7. SESSION AUTHORIZATION INFORMATION
   8. IP NETWORK INTERACTION
   9. A NAS MODEL

Mitton & Beadles             Informational                      [Page 1]
RFC 2881                    NASreq NAS Model                   July 2000

    9.1 A Reference Model of a NAS
    9.2 Terminology
    9.3 Analysis
     9.3.1 Authentication and Security
     9.3.2 Authorization and Policy
     9.3.3 Accounting and Auditing
     9.3.4 Resource Management
     9.3.5 Virtual Private Networks (VPN's)
     9.3.6 Service Quality
     9.3.7 Roaming
   10. SECURITY CONSIDERATIONS
   11. REFERENCES
   12. ACKNOWLEDGMENTS
   13. AUTHORS' ADDRESSES
   14. APPENDIX - ACRONYMS AND GLOSSARY:
   15. FULL COPYRIGHT STATEMENT

1. Introduction

   A Network Access Server is the initial entry point to a network for
   the majority of users of network services.
   It is the first device in
   the network to provide services to an end user, and acts as a gateway
   for all further services.  As such, its importance to users and
   service providers alike is paramount.  However, the concept of a
   Network Access Server has grown up over the years without being
   formally defined or analyzed [4].

1.1 Scope of this Document

   This document makes several tradeoffs.  The purpose of
   this document is to describe a model for evaluating NAS service
   protocols.  It will give examples of typical NAS hardware and
   software features, but these are not to be taken as hard limitations
   of the model, merely as illustrations of the points of discussion.
   An important goal of the model is to offer a framework that allows
   further development and expansion of capabilities in NAS
   implementation.

   As with most IETF projects, the focus is on standardizing the
   protocol interaction between the components of the system.  The
   documents produced will not address the following areas:

   - AAA server back-end implementation is abstracted and not
     prescribed.  The actual organization of the data in the server, its
     internal interfaces, and capabilities are left to the
     implementation.

   - NAS front-end call technology is not assumed to be static.
     Alternate and new technology will be accommodated.  The resultant
     protocol specifications must be flexible in design to allow for new
     technologies and services to be added with minimal impact on
     existing implementations.

1.2 Specific Terminology

   The following terms are used in this document in this manner:  A
   "Call" - the initiation of a network service request to the NAS.
   This can mean the arrival of a telephone call via a dial-in or
   switched telephone network connection, or the creation of a tunnel to
   a tunnel server which becomes a virtual NAS.  A "Session" - is the
   NAS provided service to a specific authorized user entity.

2. Network Access System Equipment Assumptions

   A typical hardware-based NAS is implemented in a constrained system.
   It is important that the NAS protocols don't assume unlimited
   resources on the part of the platform.  The following are typical
   constraints:

   - A computer system of minimal to moderate performance
     (example processors: Intel 386 or 486, Motorola 68000)
   - A moderate, but not large, amount of RAM (typically varies with
     the supported number of ports: 1MB to 8MB)
   - Some small amount of non-volatile memory, and/or a way to be
     configured out-of-band
   - No assumption of a local file system or disk storage

   A NAS system may consist of a system of interconnected specialized
   processor system units.  Typically they may be circuit boards (or
   blades) that are arrayed in a card cage (or chassis) and referred to
   by their position (i.e., slot number).  The bus interconnection
   methods are typically proprietary and will not be addressed here.

   A NAS is sometimes referred to as a Remote Access Server (RAS) as it
   typically allows remote access to a network.  However, a more general
   picture is that of an "Edge Server", where the NAS sits on the edge
   of an IP network of some type, and allows dynamic access to it.
   Such systems typically have:

   - At least one LAN or high performance network interface (e.g.,
     Ethernet, ATM, FR)
   - At least one, but typically many, serial interface ports, which
     could be:
     -  serial RS232 ports direct wired or wired to a modem, or
     -  have integral hardware or software modems (V.22bis, V.32, V.34,
        X2, Kflex, V.90, etc.)
     -  have direct connections to telephone network digital WAN lines
        (ISDN, T1, T3, NFAS, or SS7)
     -  an aggregation of xDSL connections or PPPoE sessions [5].

   However, systems may perform some of the functions of a NAS, but not
   have these kinds of hardware characteristics.  An example would be an
   industry personal computer server system that has several modem line
   connections.  These lines will be managed like a dedicated NAS, but
   the system itself is a general file server.  Likewise, with the
   development of tunneling protocols (L2F [6], ATMP [7], L2TP [8]),
   tunnel server systems must behave like a "virtual" NAS, where the
   calls come from network tunneled sessions and not hardware ports
   ([11], [9], [10]).

3. NAS Services

   The core of what a NAS provides is dynamic network services.  What
   distinguishes a NAS from a typical routing system is that these
   services are provided on a per-user basis, based on an authentication,
   and the service is accounted for.  This accounting may lead to
   policies and controls that limit usage to appropriate levels based on
   the availability of network bandwidth, or service agreements between
   the user and the provider.

   Typical services include:

   - dial-up or direct access serial line access; Ability to access the
     network using the public telephone network.
   - network access (SLIP, PPP, IPX, NETBEUI, ARAP); The NAS allows the
     caller to access the network directly.
   - asynchronous terminal services (Telnet, Rlogin, LAT, others); The
     NAS implements the network protocol on behalf of the caller, and
     presents a terminal interface.
   - dial-out connections; Ability to cause the NAS to initiate a
     connection over the public telephone network, typically based on the
     arrival of traffic to a specific network system.
   - callback (NAS generates call to caller); Ability to cause the NAS to
     reverse or initiate a network connection based on the arrival of a
     dial-in call.
   - tunneling (from access connection to remote server); The NAS
     transports the caller's network packets over a network to a remote
     server using an encapsulation protocol. (L2TP [8], RADIUS support
     [11])

4. Authentication, Authorization and Accounting (AAA) Servers

   Because of the need to authenticate and account, and for practical
   reasons of implementation, NAS systems have come to depend on
   external server systems to implement authentication databases and
   accounting recording.

   By separating these functions from the NAS equipment, they can be
   implemented in general purpose computer systems that may provide
   better suited long term storage media and more sophisticated
   database software infrastructures.  In addition, a centralized
   server allows the coordinated administration of many NAS systems
   as appropriate (for example, a single server may service an entire POP
   consisting of multiple NAS systems).

   For ease of management, there is a strong desire to piggyback NAS
   authentication information on other authentication databases, so
   that authentication information can be managed for several services
   (such as OS shell login, or Web Server access) from the same
   provider, without creating separate passwords and accounts for the
   user.
   Session activity information is stored and processed to produce
   accounting usage records.  This is typically done with a long term
   (nightly, weekly or monthly) batch type process.

   However, as network operations grow in sophistication, there are
   requirements to provide real-time monitoring of port and user status,
   so that the state information can be used to implement policy
   decisions, monitor user trends, and possibly terminate
   access for administrative reasons.  Typically only the NAS knows the
   true dynamic state of a session.

5. Typical NAS Operation Sequence:

   The following details a typical NAS operational sequence:

      - Call arrival on port or network
        -  Port:
           - auto-detect (or not) type of call
           - CLI/SLIP: prompt for username and password (if security
             set)
           - PPP: engage LCP, Authentication
           - Request authentication from AAA server
           - if okay, proceed to service
           - may challenge
           - may ask for password change/update
        -  Network:
           - activate internal protocol server (telnet, ftp)
           - engage protocol's authentication technique
           - confirm authentication information with AAA server
      - Call Management Services
        -  Information from the telephone system or gateway controller
           arrives indicating that a call has been received
        -  The AAA server is consulted using the information supplied by
           the telephone system (typically Called or Calling number
           information)
        -  The server indicates whether to respond to the call by
           answering it, or by returning a busy to the caller.
        -  The server may also need to allocate a port to receive a
           call, and route it accordingly.
      - Dial-out
        -  packet destination matches a pre-configured outbound route
        -  find profile information to set up the call
        -  Request information from AAA server for call details
      - VPN/Tunneling (compulsory)
        -  authentication server identifies user as remote
        -  tunnel protocol is invoked to a remote server
        -  authentication information may be forwarded to remote AAA
           server
        -  if successful, the local link is given a remote identity
      - Multi-link aggregation
        -  after a new call is authenticated by the AAA server, if MP
           options are present, then other bundles with the same
           identifying information are searched for
        -  bundle searches are performed across multiple systems
        -  join calls that match authentication and originator
           identities as one network addressable data source with a
           single network IP address
      - Hardwired (non-interactive) services
        -  permanent WAN connections (Frame Relay or PSVCs)
        -  permanent serial connections (printers)

5.1 Characteristics of Systems and Sessions:

   Sessions must have a user identifier and authenticator to complete
   the authentication process.  Accounting starts from the time of call or
   service, though finer details are allowed.  At the end of service, the
   call may be disconnected or allow re-authentication for additional
   services.

   Some systems allow decisions on call handling to be made based on
   telephone system information provided before the call is answered
   (e.g., caller id or destination number).  In such systems, calls may
   be busied-out or not answered if system resources are not ready or
   available.

   Authorization to run services is supplied and applied after
   authentication.
   A NAS may abort a call if session authorization
   information disagrees with call characteristics.  Some system
   resources may be controlled by server driven policies.

   Accounting messages are sent to the accounting server when service
   begins and ends, and possibly periodically during service delivery.
   Accounting is not necessarily a real-time service; the NAS may
   queue and batch send event records.

5.2 Separation of NAS and AAA server functions

   As a distributed system, there is a separation of roles between the
   NAS and the Server:

     - Server provides authentication services; checks passwords
       (static or dynamic)
     - Server databases may be organized in any way (only protocol
       specified)
     - Server may use external systems to authenticate (including OS
       user databases, token cards, one-time-lists, proxy or other
       means)
     - Server provides authorization information to NAS
     - The process of providing a service may lead to requests for
       additional information
     - Service authorization may require real-time enforcement
       (services may be based on Time of Day, or variable cost
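The operation sequence of section 5 and the session rules of section 5.1 (pre-answer screening, authorization applied after authentication and aborting the call when it disagrees with the call characteristics, accounting queued for batch delivery) can be traced in a small simulation. This is an added example, not text or code from RFC 2881; the AAA server is a stub, and the user table, passwords, calling numbers and the NAS class are all constructed for illustration.

```python
# Added example, not RFC 2881 text: NAS operation sequence of sections 5/5.1
# with a stub AAA server.  Users, passwords and numbers are constructed.
# Constructed AAA database: username -> (password, authorization profile)
AAA_USERS = {
    "alice": ("s3cret", {"service": "PPP", "session_timeout": 3600}),
    "bob": ("hunter2", {"service": "TELNET", "session_timeout": 600}),
}
# Calling numbers the server tells the NAS to busy-out before answering
BUSY_OUT_CALLERS = {"5550100"}


def aaa_screen_call(calling_number):
    """Pre-answer decision (section 5, Call Management Services)."""
    return "BUSY" if calling_number in BUSY_OUT_CALLERS else "ANSWER"


def aaa_authenticate(user, password):
    """Server checks the password; returns the authorization profile or None."""
    entry = AAA_USERS.get(user)
    return entry[1] if entry and entry[0] == password else None


class NAS:
    def __init__(self):
        self.acct_queue = []  # accounting is queued and batch sent (5.1)
        self.sessions = {}    # user -> authorization profile while active

    def handle_call(self, calling_number, user, password, requested_service):
        if aaa_screen_call(calling_number) == "BUSY":
            return "BUSIED_OUT"  # never answered, so nothing to account
        self.acct_queue.append(("Start", user, calling_number))  # call time
        profile = aaa_authenticate(user, password)
        if profile is None:
            self.acct_queue.append(("Stop", user, "authentication failed"))
            return "REJECTED"
        # Authorization is applied after authentication; the NAS aborts the
        # call when the authorized service disagrees with the call.
        if profile["service"] != requested_service:
            self.acct_queue.append(("Stop", user, "authorization mismatch"))
            return "ABORTED"
        self.sessions[user] = profile
        return "SERVICE:" + profile["service"]

    def end_call(self, user):
        if self.sessions.pop(user, None) is None:
            return "NO_SESSION"
        self.acct_queue.append(("Stop", user, "service ended"))
        return "DISCONNECTED"

    def flush_accounting(self):
        batch, self.acct_queue = self.acct_queue, []  # batch send to server
        return batch
```

Every answered call produces a Start record and exactly one Stop record, whichever way it ends, so the batch handed to the accounting server always pairs up.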
