Network Working Group                                        M. Beadles
Request for Comments: 3169                              SmartPipes, Inc.
Category: Informational                                        D. Mitton
                                                         Nortel Networks
                                                         September 2001

          Criteria for Evaluating Network Access Server Protocols

Status of this Memo

   This memo provides information for the Internet community. It does
   not specify an Internet standard of any kind. Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract

   This document defines requirements for protocols used by Network
   Access Servers (NAS).

KEYWORDS]. NAS-MODEL]. PPP]
   carried over a telephony protocol. Second are broadband
   pseudo-telephony access protocols, which are carried over xDSL or
   cable modems, for example. These protocols typically support an
   encapsulation method such as PPP over Ethernet [PPPOE]. Finally are
   the virtual access protocols used by NAS's that terminate tunnels.
   One example of this type of protocol is L2TP [L2TP].

   It is a central assumption of the NAS model used here that a NAS
   accepts multiple point-to-point links via one of the above access
   protocols. Therefore, at a minimum, any NAS access protocol MUST be
   able to carry PPP. The exception to this requirement is for NAS's
   that support legacy text login methods such as telnet [TELNET],
   rlogin, or LAT. Only these access protocols are exempt from the
   requirement to support PPP.

ROUTING-REQUIREMENTS], but there are no additional protocol
   requirements imposed by virtue of the device being a NAS.

RADIUS], gateways to new protocols must be practical to encourage
   migration. The design MUST comply with congestion control
   recommendations in RFC 2914 [CONGEST].
   services that travel between multiple domains of authority. The AAA
   protocol MUST NOT use a model that assumes a single domain of
   authority. The AAA protocol MUST NOT dictate particular business
   models for the relationship between the administrative domains. The
   AAA protocol MUST support proxy, and in addition SHOULD support other
   multi-domain relationships such as brokering and referral. The AAA
   protocol MUST also meet the protocol requirements specified in
   [ROAMING-REQUIREMENTS].

IPV6] addresses.

   Wherever text information is carried within the AAA protocol, the
   protocol MUST comply with the IETF Policy on Character Sets and
   Languages [RFC 2277].

RADIUS] and RADIUS Accounting [RADIUS-ACCOUNTING]. If the base AAA
   protocol does not support this complete set of attributes, then an
   extension to that protocol MUST be defined which supports this set.
   MUST support selective encryption of attributes on an
   attribute-by-attribute basis, even within the same message. This
   requirement applies equally to Authentication, Authorization, and
   Accounting data.

CHAP].
PPP]
   - PPP Challenge Handshake Authentication Protocol [CHAP]
   - PPP Extensible Authentication Protocol [EAP]

NAI].
   - An Extensible Authentication Protocol [EAP] Identity Request Type
     packet.
   - Telephony dialing information such as Dialed Number Identification
     Service (DNIS) and Caller ID.

   If a particular type of authentication credential is not needed for
   a particular user session, the AAA protocol MUST NOT require that
   dummy credentials be filled in. That is, the AAA protocol MUST
   support authorization by identification or assertion only.
   This feature is primarily intended for NAS-local network resources.
   In a proxy or multi-domain environment, resource information should
   only be retained by the server doing the allocation, and perhaps its
   backups. Authorization resources in remote domains should use the
   dynamic authorization features to change and revoke authorization
   status.
   - Protocol Filter application: The AAA protocol MUST provide a means
     of applying IP protocol filters to user sessions. Two different
     methods MUST be supported. First, the AAA protocol MUST provide a
     means of selecting a protocol filter by reference to an identifier,
     with the details of the filter action being specified out of band.
     The AAA protocol SHOULD define this out-of-band reference
     mechanism. Second, the AAA protocol MUST provide a means of passing
     a protocol filter by value. This means explicit passing of
     pass/block information by address range, TCP/UDP port number, and
     IP protocol number at a minimum.

   - Compulsory Tunneling: The AAA protocol MUST provide a means of
     directing a NAS to build a tunnel or tunnels to a specified
     endpoint. It MUST support creation of multiple simultaneous tunnels
     in a specified order. The protocol MUST allow, at a minimum,
     specification of the tunnel endpoints, tunneling protocol type,
     underlying tunnel media type, and tunnel authentication credentials
     (if required by the tunnel type). The AAA protocol MUST support at
     least the creation of tunnels using the L2TP [L2TP], ESP [ESP], and
     AH [AH] protocols. The protocol MUST provide means of adding new
     tunnel types as they are standardized.

   - Routing: The AAA protocol MUST provide a means of assigning a
     particular static route to an incoming user session.

   - Expirations/timeouts: The AAA protocol MUST provide a means of
     communicating session expiration information to a NAS. Types of
     expirations that MUST be supported are: total session time, idle
     time, total bytes transmitted, and total bytes received.

   - Quality of Service: The AAA protocol MUST provide a means for
     supplying Quality of Service parameters to the NAS for individual
     user sessions.
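   The "filter by value" requirement above names the minimum content
   such a filter must carry (pass/block action, address range, TCP/UDP
   port, IP protocol number) but no encoding. The following is an added
   example, not text or code from RFC 3169 or from any AAA
   implementation: it parses a constructed line syntax carrying exactly
   those fields, validates each rule (a port is only accepted with TCP
   or UDP, the prefix must be a proper network), and evaluates a
   session's traffic against the rules in order. The default-deny
   result for traffic no rule matches is a choice made here, not
   something the requirement states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed line syntax for a filter passed "by value" (an assumption of
# this example, not a format defined by RFC 3169):
#   <pass|block> <ip|tcp|udp|icmp> <IPv4 CIDR> [destination port]
# "ip" means any IP protocol number; a port is only meaningful for tcp/udp.
PROTOCOL_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}


@dataclass(frozen=True)
class FilterRule:
    action: str                      # "pass" or "block"
    network: ipaddress.IPv4Network   # address range the rule applies to
    protocol: Optional[int]          # IP protocol number, None = any
    port: Optional[int]              # TCP/UDP destination port, None = any


def parse_rule(text: str) -> FilterRule:
    """Parse and validate one rule line; anything malformed is rejected."""
    fields = text.split()
    if len(fields) not in (3, 4):
        raise ValueError(f"malformed rule: {text!r}")
    action, proto_name, cidr = fields[:3]
    if action not in ("pass", "block"):
        raise ValueError(f"unknown action: {action!r}")
    if proto_name not in PROTOCOL_NUMBERS:
        raise ValueError(f"unknown protocol: {proto_name!r}")
    protocol = PROTOCOL_NUMBERS[proto_name]
    # strict=True rejects prefixes with host bits set (e.g. 192.0.2.5/24)
    network = ipaddress.IPv4Network(cidr, strict=True)
    port = None
    if len(fields) == 4:
        if protocol not in (6, 17):
            raise ValueError("a port constraint is only valid for tcp or udp")
        port = int(fields[3])
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    return FilterRule(action, network, protocol, port)


def parse_filter(lines: Iterable[str]) -> List[FilterRule]:
    """Parse a whole filter; blank lines and '#' comments are ignored."""
    rules = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(parse_rule(line))
    return rules


def rule_matches(rule: FilterRule, dst_ip: str, protocol: int,
                 port: Optional[int]) -> bool:
    """True when the packet's destination, protocol and port fit the rule."""
    if ipaddress.IPv4Address(dst_ip) not in rule.network:
        return False
    if rule.protocol is not None and rule.protocol != protocol:
        return False
    if rule.port is not None and rule.port != port:
        return False
    return True


def evaluate(rules: List[FilterRule], dst_ip: str, protocol: int,
             port: Optional[int] = None) -> str:
    """First matching rule decides. Unmatched traffic is blocked: a
    default-deny choice made in this example, not a requirement of the RFC."""
    for rule in rules:
        if rule_matches(rule, dst_ip, protocol, port):
            return rule.action
    return "block"


# Constructed sample filter, as a NAS might receive it for one user session.
SAMPLE_FILTER = [
    "# constructed example: no telnet, HTTPS and ICMP to one range, DNS to another",
    "block tcp 192.0.2.0/24 23",
    "pass tcp 192.0.2.0/24 443",
    "pass udp 198.51.100.0/24 53",
    "pass icmp 192.0.2.0/24",
]

if __name__ == "__main__":
    rules = parse_filter(SAMPLE_FILTER)
    for dst, proto, port in [("192.0.2.10", 6, 443), ("192.0.2.10", 6, 23),
                             ("203.0.113.5", 6, 443)]:
        print(dst, proto, port, "->", evaluate(rules, dst, proto, port))
```

   Ordered first-match evaluation is what lets a "block" rule for one
   port sit in front of a broader "pass" rule for the same range; a
   NAS that re-sorted rules would silently change the policy the AAA
   server sent.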
   - Access port usage, including concurrent usage and usage pools.
   - Connect time.
   - IP Addresses and pools.
   - Compulsory tunnel limits.
   - The cumulative number of bytes sent by the user during the session.
   - The cumulative number of bytes received by the user during the
     session.
   - The cumulative number of packets sent by the user during the
     session.
   - The cumulative number of packets received by the user during the
     session.
   - Details of the access protocol used during the session (port type,
     connect speeds, etc.)
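   The accounting counters listed above and the four expiration types
   required earlier (total session time, idle time, total bytes
   transmitted, total bytes received) are two views of the same
   per-session state: the NAS accumulates the counters and checks them
   against the limits the AAA server supplied. The following is an added
   example, not code from RFC 3169 or from any NAS product, showing that
   state for one session; the field names, the "sent"/"received"
   direction labels and the shape of the accounting record are
   assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SessionLimits:
    """Expiration values supplied by the AAA server (None = no such limit).
    These are the four expiration types the requirement names."""
    total_session_time: Optional[int] = None    # seconds since session start
    idle_time: Optional[int] = None             # seconds since last user packet
    total_bytes_sent: Optional[int] = None      # bytes sent by the user
    total_bytes_received: Optional[int] = None  # bytes received by the user


@dataclass
class Session:
    """Per-session state a NAS keeps: cumulative counters plus timestamps."""
    start: float                 # session start, seconds (e.g. time.time())
    limits: SessionLimits
    last_activity: Optional[float] = None
    bytes_sent: int = 0
    bytes_received: int = 0
    packets_sent: int = 0
    packets_received: int = 0

    def __post_init__(self) -> None:
        # A session that has carried no packets yet has been idle since it began.
        if self.last_activity is None:
            self.last_activity = self.start

    def record_packet(self, direction: str, length: int, now: float) -> None:
        """Account one packet. 'sent' = user to network, 'received' = network
        to user (constructed labels for this example)."""
        if length < 0:
            raise ValueError("packet length cannot be negative")
        if direction == "sent":
            self.bytes_sent += length
            self.packets_sent += 1
        elif direction == "received":
            self.bytes_received += length
            self.packets_received += 1
        else:
            raise ValueError(f"unknown direction: {direction!r}")
        self.last_activity = now

    def expiration(self, now: float) -> Optional[str]:
        """Name of the first expiration limit that has been reached, or None.
        Checked in the order the requirement lists them."""
        lim = self.limits
        if lim.total_session_time is not None and \
                now - self.start >= lim.total_session_time:
            return "total_session_time"
        if lim.idle_time is not None and \
                now - self.last_activity >= lim.idle_time:
            return "idle_time"
        if lim.total_bytes_sent is not None and \
                self.bytes_sent >= lim.total_bytes_sent:
            return "total_bytes_sent"
        if lim.total_bytes_received is not None and \
                self.bytes_received >= lim.total_bytes_received:
            return "total_bytes_received"
        return None

    def accounting_record(self, now: float) -> Dict[str, int]:
        """Cumulative counters as they would go into an interim or stop
        accounting record (field names are this example's, not a protocol's)."""
        return {
            "session_time": int(now - self.start),
            "bytes_sent": self.bytes_sent,
            "bytes_received": self.bytes_received,
            "packets_sent": self.packets_sent,
            "packets_received": self.packets_received,
        }


if __name__ == "__main__":
    # Constructed walk-through: a 10 kB send limit is reached by the third packet.
    limits = SessionLimits(total_session_time=3600, idle_time=600,
                           total_bytes_sent=10_000, total_bytes_received=50_000)
    s = Session(start=1000.0, limits=limits)
    s.record_packet("sent", 1500, now=1010.0)
    s.record_packet("received", 4000, now=1012.0)
    print("at t=1100:", s.expiration(1100.0))
    s.record_packet("sent", 9000, now=1020.0)
    print("at t=1021:", s.expiration(1021.0), s.accounting_record(1021.0))
```

   The counters are cumulative for the whole session, which is why a
   lost interim record does no harm to the final totals: the stop
   record carries everything the interim records did.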
   Where an AAA architecture spans multiple domains of authority, AAA
   information may need to cross trust boundaries. In this situation, a
   NAS might operate as a shared device that services multiple
   administrative domains. Network operators are advised to take this
   into consideration when deploying NAS's and AAA Servers.

   [AH]       Kent, S. and R. Atkinson, "IP Authentication Header (AH)",
              RFC 2402, November 1998.

   [CHAP]     Simpson, J., "PPP Challenge Handshake Authentication
              Protocol (CHAP)", RFC 1994, August 1996.

   [CONGEST]  Floyd, S., "Congestion Control Principles", RFC 2914,
              September 2000.

   [EAP]      Blunk, L. and J. Vollbrecht, "PPP Extensible
              Authentication Protocol (EAP)", RFC 2284, March 1998.

   [ESP]      Kent, S. and R. Atkinson, "IP Encapsulating Security
              Payload (ESP)", RFC 2406, November 1998.

   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [KERBEROS] Kohl, J. and C. Neuman, "The Kerberos Network
              Authentication Service (V5)", RFC 1510, September 1993.
   [IPV6]     Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

   [L2TP]     Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn, G.
              and B. Plater, "Layer Two Tunneling Protocol (L2TP)",
              RFC 2661, August 1999.

   [NAI]      Aboba, B. and M. Beadles, "The Network Access Identifier",
              RFC 2486, January 1999.

   [NAS-MODEL] Mitton, D. and M. Beadles, "Network Access Server
              Requirements Next Generation (NASREQNG) NAS Model",
              RFC 2881, July 2000.

   [NAS-EXT]  Mitton, D., "Network Access Servers Requirements: Extended
              RADIUS Practices", RFC 2882, July 2000.

   [PPP]      Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51,
              RFC 1661, July 1994.

   [PPPOE]    Mamakos, L., Lidl, K., Evarts, J., Carrel, D., Simone, D.
              and R. Wheeler, "A Method for Transmitting PPP Over
              Ethernet (PPPoE)", RFC 2516, February 1999.

   [ROUTING-REQUIREMENTS] Baker, F., "Requirements for IP Version 4
              Routers", RFC 1812, June 1995.

   [TELNET]   Postel, J. and J. Reynolds, "Telnet Protocol
              Specification", STD 8, RFC 854, May 1983.

   [RFC 2277] Alvestrand, H., "IETF Policy on Character Sets and
              Languages", BCP 18, RFC 2277, January 1998.

   [X.509]    ITU-T Recommendation X.509 (1997 E): Information
              Technology - Open Systems Interconnection - The Directory:
              Authentication Framework, June 1997.

   [RADIUS]   Rigney, C., Rubens, A., Simpson, W. and S. Willens,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2138, April 1997.
   [RADIUS-ACCOUNTING] Rigney, C., "RADIUS Accounting", RFC 2139,
              April 1997.

   [ROAMING-REQUIREMENTS] Aboba, B. and G. Zorn, "Criteria for
              Evaluating Roaming Protocols", RFC 2477, January 1999.
Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.