rfc2881.txt

9.3.3 Accounting and Auditing

   Since NAS services are consumable resources, usage information must
   often be collected for the purposes of soft policy management,
   reporting, planning, and accounting.  A dynamic, real-time view of
   NAS usage is often required for network auditing purposes.  Since a
   NAS may be shared among multiple administrative entities, usage
   information must often be delivered to multiple endpoints.
   Accounting is performed using such protocols as RADIUS [2].

9.3.4 Resource Management

   NAS's deliver resources to users, often in a dynamic fashion.
   Examples of the types of resources doled out by NAS's are IP
   addresses, network names and name server identities, tunnels, and
   PSTN resources such as phone lines and numbers.  Note that NAS's may
   be operated in an outsourcing model, where multiple entities are
   competing for the same resources.

9.3.5 Virtual Private Networks (VPN's)

   NAS's often participate in VPN's, and may serve as the means by which
   VPN's are implemented.  Examples of the use of NAS's in VPN's are:
   Dial Access Servers that build compulsory tunnels, Dial Access
   Servers that provide services to voluntary tunnelers, and Tunnel
   Servers that provide tunnel termination services.  NAS's may
   simultaneously provide VPN and public network services to different
   users, based on policy and user identity.

Mitton & Beadles             Informational                     [Page 14]

RFC 2881                    NASreq NAS Model                   July 2000

9.3.6 Service Quality

   A NAS may deliver different qualities, types, or levels of service
   to different users based on policy and identity.  NAS's may perform
   bandwidth management, allow differential speeds or methods of access,
   or even participate in provisioned or signaled Quality of Service
   (QoS) networks.

9.3.7 Roaming

   NAS's are often operated in a shared or outsourced manner, or a NAS
   operator may enter into agreements with other service providers to
   grant access to users from these providers (roaming operations).
   NAS's often are operated as part of a global network.  All these
   imply that a NAS often provides services to users from multiple
   administrative domains simultaneously.  The features of NAS's may
   therefore be driven by requirements of roaming [22].

10. Security Considerations

   This document describes a model, not a particular solution.

   As mentioned in section 9.3.1 and elsewhere, NAS's are concerned
   about the security of several aspects of their operation, including:

      - Providing sufficiently robust authentication techniques as
        required by network policies,
      - NAS authentication of configured authentication server(s),
      - Server ability to authenticate configured clients,
      - Hiding of the authentication information from network snooping
        to protect from attacks and provide user privacy,
      - Protecting the integrity of message exchanges from attacks
        such as replay or man-in-the-middle,
      - Inability of other hosts to interfere with services authorized
        to the NAS, or gain unauthorized services,
      - Inability of other hosts to probe or guess at authentication
        information,
      - Protection of NAS system configuration and administration from
        unauthorized users,
      - Protection of the network from illegal packets sourced by
        accessing connections.

11. References

   [1]  Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote
        Authentication Dial In User Service (RADIUS)", RFC 2865, June
        2000.

   [2]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [3]  Calhoun, P., "Diameter Base Protocol", Work in Progress.

   [4]  Zorn, G., "Yet Another Authentication Protocol (YAAP)", Work in
        Progress.

   [5]  Mamakos, L., Lidl, K., Evarts, K., Carrel, D., Simone, D. and R.
        Wheeler, "A Method for Transmitting PPP Over Ethernet (PPPoE)",
        RFC 2516, February 1999.

   [6]  Valencia, A., Littlewood, M. and T. Kolar, "Cisco Layer Two
        Forwarding (Protocol) L2F", RFC 2341, May 1998.

   [7]  Hamzeh, K., "Ascend Tunnel Management Protocol - ATMP", RFC
        2107, February 1997.

   [8]  Valencia, A., Townsley, W., Rubens, A., Pall, G., Zorn, G., and
        B. Palter, "Layer Two Tunneling Protocol (L2TP)", RFC 2661,
        August 1999.

   [9]  Zorn, G., Leifer, D., Rubens, A., Shriver, J. and M. Holdrege,
        "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June
        2000.

   [10] Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting
        Modifications for Tunnel Protocol Support", RFC 2867, June 2000.

   [11] Aboba, B. and G. Zorn, "Implementation of PPTP/L2TP Compulsory
        Tunneling via RADIUS", RFC 2809, April 2000.

   [12] Simpson, W., "PPP Challenge Handshake Authentication Protocol
        (CHAP)", RFC 1994, August 1996.

   [13] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", RFC 2433,
        March 1998.

   [14] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication
        Protocol (EAP)", RFC 2284, March 1998.

   [15] Calhoun, et al., "Extensible Authentication Protocol Support in
        RADIUS", Work in Progress.

   [16] Aboba, B. and M. Beadles, "The Network Access Identifier", RFC
        2486, January 1999.

   [17] Braden, R., Zhang, L., Berson, S., Herzog, S. and S. Jamin,
        "Resource ReSerVation Protocol (RSVP) Version 1 Functional
        Specification", RFC 2205, September 1997.

   [18] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)", STD
        51, RFC 1661, July 1994.

   [19] Boyle, J., Cohen, R., Durham, D., Herzog, S., Raja, R. and A.
        Sastry, "The COPS (Common Open Policy Service) Protocol", RFC
        2748, January 2000.

   [20] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "A Simple
        Network Management Protocol (SNMP)", STD 15, RFC 1157, May 1990.

   [21] Atkinson, R. and S. Kent, "Security Architecture for the
        Internet Protocol", RFC 2401, November 1998.

   [22] Aboba, B. and G. Zorn, "Dialup Roaming Requirements", Work in
        Progress.

12. Acknowledgments

   This document is a synthesis of my earlier draft and Mark Beadles'
   NAS Reference Model draft.

13. Authors' Addresses

   David Mitton
   Nortel Networks
   880 Technology Park Drive
   Billerica, MA 01821

   Phone: 978-288-4570
   EMail: dmitton@nortelnetworks.com

   Mark Beadles
   SmartPipes Inc.
   545 Metro Place South
   Suite 100
   Dublin, OH 43017

   Phone: 614-327-8046
   EMail: mbeadles@smartpipes.com

14. Appendix - Acronyms and Glossary:

   AAA - Authentication, Authorization, Accounting; the three primary
   services required by a NAS server or protocol.

   NAS - Network Access Server, a system that provides access to a
   network.  In some cases also known as a RAS, Remote Access Server.

   CLI - Command Line Interface, an interface to a command line service
   for use with a common asynchronous terminal facility.

   SLIP - Serial Line Internet Protocol, an IP-only serial datalink,
   predecessor to PPP.

   PPP - Point-to-Point Protocol; a serial datalink level protocol that
   supports IP as well as other network protocols.  PPP has three major
   states of operation: LCP - Link layer Control Protocol;
   Authentication, of which there are several types (PAP, CHAP, EAP);
   and NCP - Network layer Control Protocol, which negotiates the
   network layer parameters for each of the protocols in use.

   IPX - Novell's NetWare transport protocol.

   NETBEUI - A Microsoft/IBM LAN protocol used by Microsoft file
   services and the NETBIOS applications programming interface.

   ARAP - AppleTalk Remote Access Protocol.

   LAT - Local Area Transport; a Digital Equipment Corp. LAN protocol
   for terminal services.

   PPPoE - PPP over Ethernet; a protocol that forwards PPP frames on a
   LAN infrastructure.  Often used to aggregate PPP streams at a common
   server bank.

   VPN - Virtual Private Network; a term for networks that appear to be
   private to the user by the use of tunneling techniques.

   FR - Frame Relay, a synchronous WAN protocol and telephone network
   interconnect service.

   PSVC - Permanent Switched Virtual Circuit; a service which delivers
   a virtual permanent circuit by a switched network.

   PSTN - Public Switched Telephone Network.

   ISDN - Integrated Services Digital Network, a telephone network
   facility for transmitting digital and analog information over a
   digital network connection.  A NAS may have the ability to receive
   the information from the telephone network in digital form.

   ISP - Internet Service Provider; a provider of Internet access (also
   Network Service Provider, NSP).

   BRI - Basic Rate Interface; a digital telephone interface.

   PRI - Primary Rate Interface; a digital telephone interface of 64K
   bits per second.

   T1 - A digital telephone interface which provides 24-36 channels of
   PRI data and one control channel (2.048 Mbps).

   T3 - A digital telephone interface which provides 28 T1 services.
   Signalling control for the entire connection is provided on a
   dedicated in-band channel.

   NFAS - Non-Facility Associated Signaling, a telephone network
   protocol/service for providing call information on a separate wire
   connection from the call itself.  Used with multiple T1 or T3
   connections.

   SS7 - A telephone network protocol for communicating call supervision
   information on a separate data network from the voice network.

   POP - Point Of Presence; a geographic location of equipment and
   interconnection to the network.  An ISP typically manages all
   equipment in a single POP in a similar manner.

   VSA - Vendor Specific Attributes; RADIUS attributes defined by
   vendors using the provision of attribute 26.

15.  Full Copyright Statement

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.

Mitton & Beadles             Informational                     [Page 20]
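Section 10 asks that a NAS authenticate its configured servers, that a server authenticate its configured NAS clients, and that message exchanges be protected against tampering. In RADIUS, which this document cites as [1] (RFC 2865) and [2] (RFC 2866), those three properties rest on a 16-octet Authenticator computed with MD5 over the packet and a shared secret. The Python below is an added example and is not part of RFC 2881 or of any RADIUS implementation; the packet layout and the two authenticator formulas follow RFC 2865/2866, while the identifier, attribute values and shared secret are constructed for the demonstration.

```python
"""RADIUS Accounting-Request / Accounting-Response authenticators.

Added example (not text of RFC 2881). Packet layout and formulas follow
RFC 2865 section 3 and RFC 2866 section 3; all sample values are constructed.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attributes(attrs):
    """Pack (type, value) pairs as RADIUS TLVs: Type, Length (incl. 2), Value."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def build_packet(code, identifier, authenticator, attributes):
    """Assemble a RADIUS packet: header, authenticator, attributes."""
    return (struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
            + authenticator + attributes)


def accounting_request_authenticator(identifier, attributes, secret):
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + bytes(16) + attributes + secret).digest()


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """RFC 2865/2866: MD5(Code + ID + Length + RequestAuth + attributes + secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def verify_accounting_request(packet, secret):
    """Server side: authenticate the NAS by recomputing the Request Authenticator."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = accounting_request_authenticator(identifier, packet[HEADER_LEN:], secret)
    # Constant-time compare so a forger learns nothing from timing differences.
    return hmac.compare_digest(packet[4:20], expected)


def verify_response(packet, request_auth, secret):
    """NAS side: authenticate the server by binding the reply to the request we sent."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_RESPONSE or length != len(packet):
        return False
    expected = response_authenticator(code, identifier, request_auth,
                                      packet[HEADER_LEN:], secret)
    return hmac.compare_digest(packet[4:20], expected)


def demo(secret=b"constructed-shared-secret"):
    """Round trip a constructed Accounting-Request and show what the checks catch."""
    # Constructed attributes: Acct-Status-Type(40)=Start(1), User-Name(1), NAS-IP-Address(4).
    attrs = encode_attributes([
        (40, struct.pack("!I", 1)),
        (1, b"alice@example.net"),
        (4, bytes([192, 0, 2, 10])),
    ])
    identifier = 7
    req_auth = accounting_request_authenticator(identifier, attrs, secret)
    request = build_packet(ACCOUNTING_REQUEST, identifier, req_auth, attrs)

    # In-flight modification: change Acct-Status-Type from Start(1) to Stop(2).
    tampered = bytearray(request)
    tampered[HEADER_LEN + 5] = 2

    # Server reply carrying no attributes; its authenticator covers req_auth.
    resp_auth = response_authenticator(ACCOUNTING_RESPONSE, identifier, req_auth, b"", secret)
    response = build_packet(ACCOUNTING_RESPONSE, identifier, resp_auth, b"")

    return {
        "request_ok": verify_accounting_request(request, secret),
        "tampered_ok": verify_accounting_request(bytes(tampered), secret),
        "wrong_secret_ok": verify_accounting_request(request, b"other-secret"),
        "response_ok": verify_response(response, req_auth, secret),
        "forged_response_ok": verify_response(response, bytes(16), secret),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The Response Authenticator is keyed to the Request Authenticator the NAS chose, so a reply that was not computed by a party holding the shared secret for this exact request fails `verify_response`. Note what this design does not cover: it ties a reply to a request but does not by itself reject a replayed request, so a server that wants the replay protection listed in section 10 must also track the Identifier and Request Authenticator values it has recently seen from each client.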