Internet Engineering Task Force Mark A. Beadles
INTERNET-DRAFT MCI WorldCom Advanced Networks
Category: Informational
<draft-beadles-nas-01.txt>
12 November 1998
The Network Access Server
1. Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working docu-
ments of the Internet Engineering Task Force (IETF), its areas, and
its working groups. Note that other groups may also distribute work-
ing documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference mate-
rial or to cite them other than as ``work in progress.''
To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
Directories on ftp.ietf.org (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
The distribution of this memo is unlimited. It is filed as <draft-
beadles-nas-01.txt> and expires May 13, 1999. Please send comments to
the author.
2. Abstract
The Network Access Server is the initial entry point to a network for
the majority of users of network services. It is the first device in
the network to provide services to an end user, and acts as a gateway
for all further services. As such, its importance to users and ser-
vice providers alike is paramount. However, the concept of a Network
Access Server has grown up over the years without being formally
defined or analyzed. This document offers a framework for the defini-
tion and analysis of a modern Network Access Server.
3. Definition of a Network Access Server
A Network Access Server is a device which sits on the edge of a net-
work, and provides access to services on that network in a controlled
fashion, based on the identity of the user of the network services in
question and on the policy of the provider of these services. For the
Beadles [Page 1]
INTERNET-DRAFT 12 November 1998
purposes of this document, a Network Access Server is defined as a
device which accepts multiple point-to-point [PPP] links on one set of
interfaces, providing access to a routed network or networks on
another set of interfaces. Examples of a network access server
include:
A remote access server which provides access to a private network
via attached modems which are directly dialed by the user.
A tunneling server which sits at the border of a protected net-
work, and acts as a gateway for users to enter the protected net-
work from the Internet.
A shared commercial dial access server operated by a Network Ser-
vice Provider, where incoming users connect via modems operated
by a Telephone Service Provider, and access is provided to many
dissimilar private and public networks.
Note that there are many things that a Network Access Server is not.
A NAS is not simply a router, although it will typically include rout-
ing functionality. However, the boundary between NAS and router is
admittedly fuzzy. A NAS is not necessarily a dial access server,
although dial access is one common means of network access, and brings
its own particular set of requirements to NAS's.
A NAS is the first device in the network to provide services to an end
user, and acts as a gateway for all further services. It is the point
at which users are authenticated, access policy is enforced, network
services are authorized, network usage is audited, and resource con-
sumption is tracked. That is, a NAS often acts as the policy enforce-
ment point for network AAAA (authentication, authorization, account-
ing, and auditing) services. A NAS is typically the first place in a
network where security measures and policy may be implemented.
4. Interested parties
The following are examples of parties who are concerned with the oper-
ation of Network Access Servers. This list is by no means exhaustive.
Network Service Providers (NSPs) who operate and manage NAS's,
AAAA servers, policy servers, and networks; and who provide net-
work services to end users.
End users who gain access to their private and public networks
through NAS's.
Businesses and other entities who operate NAS's for their users'
public and private network access, or who outsource the operation
Beadles [Page 2]
INTERNET-DRAFT 12 November 1998
and management of NAS's to a NSP.
Telephone Service Providers (TSPs) who operate and manage modems
and telephony networks; and who provide telephony services to end
users, NSP's, and businesses.
Manufacturers of NAS's, AAAA servers, policy servers, modems,
etc.
5. Reference Model of a NAS
For reference in the following discussion, a diagram of a NAS, its
dependencies, and its interfaces is given below. This diagram is
intended as an abstraction of a NAS as a reference model, and is not
intended to represent any particular NAS implementation.
Users
v v v v v v v
| | PSTN | |
| | or | |
|encapsulated
+-----------------+
| (Modems) |
+-----------------+
| | | | | | |
+--+----------------------------+
| | |
|N | Client Interface |
| | |
|A +----------Routing ----------+
| | |
|S | Network Interface |
| | |
+--+----------------------------+
/ | \
/ | \
/ | \
/ | \
POLICY MANAGEMENT/ | \ DEVICE MANAGEMENT
+---------------+ | +-------------------+
| Authentication| _/^\_ |Device Provisioning|
+---------------+ _/ \_ +-------------------+
| Authorization | _/ \_ |Device Monitoring |
+---------------+ _/ \_ +-------------------+
| Accounting | / The \
+---------------+ \_ Network(s) _/
| Auditing | \_ _/
+---------------+ \_ _/
\_ _/
\_/
Beadles [Page 3]
INTERNET-DRAFT 12 November 1998
5.1. Terminology
Following is a description of the modules and interfaces in the refer-
ence model for a NAS given above:
Client Interfaces
A NAS has one or more client interfaces, which provide the
interface to the end users who are requesting network
access. Users may connect to these client interfaces via
modems over a PSTN, or via tunnels over a data network. Two
broad classes of NAS's may be defined, based on the nature
of the incoming client interfaces, as follows. Note that a
single NAS device may serve in both classes:
Dial Access Servers
A Dial Access Server is a NAS whose client interfaces
consist of modems, either local or remote, which are
attached to a PSTN.
Tunnel Servers A Tunnel Server is a NAS whose client interfaces con-
sists of tunneling enpoints in a protocol such as L2TP
[L2TP].
Network Interfaces
A NAS has one or more network interfaces, which connect to
the networks to which access is being granted.
Routing If the network to which access is being granted is a routed
network, then a NAS will typically include routing function-
ality.
Policy Management Interface
A NAS provides an interface which allows access to network
services to be managed on a per-user basis. This interface
may be a configuration file, a graphical user interface, an
API, or a protocol such as RADIUS [RADIUS], Diameter [DIAME-
TER], or COPS [COPS]. This interface provides a mechanism
for granular resource management and policy enforcement.
Authentication
Authentication refers to the confirmation that a user who is
requesting services is a valid user of the network services
requested. Authentication is accomplished via the presenta-
tion of an identity and credentials. Examples of types of
credentials are passwords, one-time tokens, digital certifi-
cates, and phone numbers (calling/called).
Authorization
Authorization refers to the granting of specific types of
service (including "no service") to a user, based on their
authentication, what services they are requesting, and the
current system state. Authorization may be based on
Beadles [Page 4]
INTERNET-DRAFT 12 November 1998
restrictions, for example time-of-day restrictions, or phys-
ical location restrictions, or restrictions against multiple
logins by the same user. Authorization determines the
nature of the service wich is granted to a user. Examples
of types of service include, but are not limited to: IP
address filtering, address assignment, route assignment,
QoS/differential services, bandwidth control/traffic manage-
ment, compulsory tunneling to a specific endpoint, and
encryption.
Accounting
Accounting refers to the tracking of the consumption of NAS
resources by users. This information may be used for man-
agement, planning, billing, or other purposes. Real-time
accounting refers to accounting information that is deliv-
ered concurrently with the consumption of the resources.
Batch accounting refers to accounting information that is
saved until it is delivered at a later time. Typical infor-
mation that is gathered in accounting is the identity of the
user, the nature of the service delivered, when the service
began, and when it ended.
Auditing Auditing refers to the tracking of activity by users. As
opposed to accounting, where the purpose is to track con-
sumption of resources, the purpose of auditing is to deter-
mine the nature of a user's network activity. Examples of
auditing information include the identity of the user, the
nature of the services used, what hosts were accessed when,
what protocols were used, etc.
AAAA Server
An AAAA Server is a server or servers that provide authenti-
cation, authorization, accounting, and auditing services.
These may be colocated with the NAS, or more typically, are
located on a seperate server and communicate with the NAS's
User Management Interface via an AAAA protocol. The four
AAAA functions may be located on a single server, or may be
broken up among multiple servers.
Device Management Interface
A NAS is a network device which is owned, operated, and man-
aged by some entity. This interface provides a means for
this entity to operate and manage the NAS. This interface
may be a configuration file, a graphical user interface, an
API, or a protocol such as SNMP [SNMP].
Device Monitoring
Device monitoring refers to the tracking of status, activ-
ity, and usage of the NAS as a network device.
Device Provisioning
Device provisioning refers to the configurations, settings,
and control of the NAS as a network device.
Beadles [Page 5]
INTERNET-DRAFT 12 November 1998
5.2. Analysis
Following is an analysis of the functions of a NAS using the reference
model above:
5.2.1. Authentication and Security
NAS's serve as the first point of authentication for network users,
providing security to user sessions. This security is typically per-
formed by checking credentials such as a PPP PAP user name/password
pair or a PPP CHAP user name and challenge/response, but may be
extended to authentication via telephone number information, digital
certificates, or biometrics. NAS's also may authenticate themselves
to users. Since a NAS may be shared among multiple administrative
entities, authentication may actually be performed via a back-end
proxy, referral, or brokering process.
In addition to user security, NAS's may themselves be operated as
secure devices. This may include secure methods of management and
monitoring, use of IP Security [IPSEC] and even participation in a
Public Key Infrastcture.
5.2.2. Authorization and Policy
NAS's are the first point of authorization for usage of network
resources, and NAS's serve as policy enforcement points for the ser-
vices that they deliver to users. NAS's may provision these services
to users in a statically or dynamically configured fashion. Resource
management can be performed at a NAS by granting specific types of
service based on the current network state. In the case of shared
operation, NAS policy may be determined based on the policy of multi-
ple end systems.
5.2.3. Accounting and Auditing
Since NAS services are consumable resources, usage information must
often be collected for for the purposes of soft policy management,
reporting, planning, and accounting. A dynamic, real-time view of NAS
usage is often required for network auditing purposes. Since a NAS
may be shared among multiple administrative entities, usage informa-
tion must often be delivered to multiple endpoints. Accounting is
performed using such protocols as RADIUS [RADIUS-ACCT].
Beadles [Page 6]
INTERNET-DRAFT 12 November 1998
5.2.4. Resource Management
NAS's deliver resources to users, often in a dynamic fashion. Exam-
ples of the types of resources doled out by NAS's are IP addresses,
network names and name server identities, tunnels, and PSTN resources
such as phone lines and numbers. Note that NAS's may be operated in a
outsourcing model, where multiple entities are competing for the same
resources.
5.2.5. Virtual Private Networks (VPN's)
NAS's often participate in VPN's, and may serve as the means by which
VPN's are implemented. Examples of the use of NAS's in VPN's are:
Dial Access Servers that build compulsory tunnels, Dial Access Servers
that provide services to voluntary tunnelers, and Tunnel Servers that
provide tunnel termination services. NAS's may simultaneously provide
VPN and public network services to different users, based on policy
and identity.
5.2.6. Service Quality
A NAS may delivery different qualities, types, or levels of service to
different users based on policy and identity. NAS's may perform band-
width management, allow differential speeds or methods of access, or
even participate in provisioned or signaled Quality of Service (QoS)
networks.
5.2.7. Roaming
NAS's are often operated in a shared or outsourced manner, or a NAS
operator may enter into agreements with other service providers to
grant access to users from these providers (roaming operations).
NAS's often are operated as part of a global network. All these imply
that a NAS often provides services to users from multiple administra-
tive domains simultaneously. The features of NAS's may therefore be
driven by requirements of roaming [ROAMREQ].
6. Acknowledgements
Thanks to Dave Mitton (Nortel Networks), John Vollbrecht (Merit), and
Rich Petke (MCI WorldCom) for useful discussions of this problem
space.
Beadles [Page 7]
INTERNET-DRAFT 12 November 1998
7. References
[RADIUS] Rigney, Rubens, Simpson, Willens. "Remote Authentication
Dial In User Service (RADIUS)", RFC 2138, April 1997.
[RADIUS-ACCT] Rigney, et. al. "RADIUS Accounting", RFC 2139, April
1977.
[SNMP] Case, Fedor, Schoffstall, and Davin. "A Simple Network Manage-
ment Protocol (SNMP)", RFC 1157, May 1990.
[DIAMETER] Calhoun, Rubens. "DIAMETER Base Protocol", draft-calhoun-
diameter-06.txt, October 1998.
[PPP] Simpson, Editor. "The Point-to-Point Protocol (PPP)", RFC 1661,
July 1994.
[COPS] Boyle, Cohen, Durham, Herzog, Raja, Sastry. "The COPS (Common
Open Policy Service) Protocol", draft-ietf-rap-cops-02.txt,
August 1998.
[L2TP] Hamzeh, Kolar, Littlewood, Singh Pall, Taarud, Valencia, Ver-
thein, Townsley, Palter, Rubens. "Layer Two Tunneling Protocol
(L2TP)", draft-ietf-pppext-l2tp-12.txt, October 1998.
[IPSEC] Atkinson, Kent. "Security Architecture for the Internet Proto-
col", draft-ietf-ipsec-arch-sec-07.txt, July 1998.
[ROAMREQ] Aboba, Zorn. "Roaming Requirements", draft-ietf-roamops-
romreq-10.txt, August 1998.
8. Author's Address
Mark A. Beadles
MCI WorldCom Advanced Networks
5000 Britton Rd.
Hilliard, OH 43026
Phone: 614-723-1941
EMail: mbeadles@wcom.net
Beadles [Page 8]