NASREQ Working Group                              M. Beadles
     INTERNET-DRAFT                            UUNET Technologies
     Category: Informational
     <draft-ietf-nasreq-criteria-01.txt>
     24 June 1999
     
     
            Criteria for Evaluating Network Access Server Protocols
     
     
     1.  Status of this Memo
     
     
     This document is an Internet-Draft and is in full conformance with all
     provisions of Section 10 of RFC2026.  Internet-Drafts are working doc-
     uments  of  the Internet Engineering Task Force (IETF), its areas, and
     its working groups.  Note that other groups may also distribute  work-
     ing documents as Internet-Drafts.
     
     Internet-Drafts are draft documents valid for a maximum of six months
     and may be updated, replaced, or obsoleted by other documents at any
     time.  It is inappropriate to use Internet-Drafts as reference
     material or to cite them other than as "work in progress."
     
     The   list   of   current   Internet-Drafts   can   be   accessed   at
     http://www.ietf.org/ietf/1id-abstracts.txt
     
     The  list  of  Internet-Draft  Shadow  Directories  can be accessed at
     http://www.ietf.org/shadow.html.
     
     The  distribution  of  this  draft  is  unlimited.   It  is  filed  as
     <draft-ietf-nasreq-criteria-01.txt>  and  expires  December  24, 1999.
     Please send comments to the author.
     
     
     2.  Copyright Statement
     
     
     Copyright   (C) The Internet Society 1999.  All Rights Reserved.
     
     
     3.  Abstract
     
     
     This document analyzes and defines requirements for protocols used  by
     Network  Access Servers (NAS).  Protocols used by NAS's may be divided
     into four spaces:  Access protocols, Network protocols, AAA protocols,
     and  Management  protocols.   Primary  attention  is  given to setting
     requirements for AAA protocols, since  that  space  is  currently  the
     least well defined.
     
     
     
     
     
     
     
     Beadles                 Category: Informational               [Page 1]


     INTERNET-DRAFT        Criteria for NAS Protocols          24 June 1999
     
     
     4.  Requirements language
     
     
     In this document, the key words "MAY", "MUST", "MUST NOT", "optional",
     "recommended", "SHOULD", and "SHOULD NOT" are to be interpreted as
     described in [KEYWORDS].
     
     
     5.  Introduction
     
     
     This  document analyzes and defines requirements for protocols used by
     Network Access Servers (NAS).  Protocols used by NAS's may be  divided
     into four spaces:  Access protocols, Network protocols, AAA protocols,
     and Device Management protocols.  The primary focus of  this  document
     is  on AAA protocols.  The reference model of a NAS used by this docu-
     ment, and the analysis of the functions of a  NAS  which  led  to  the
     development of these requirements, may be found in [NAS-MODEL].
     
     
     6.  Access Protocol Requirements
     
     
     There  are three basic types of access protocols used by NAS's.  First
     are the traditional telephony-based access protocols, which  interface
     to  the  NAS  via a modem or terminal adapter or similar device. These
     protocols typically support asynchronous or  synchronous  PPP  carried
     over  a  telephony  protocol.  Second  are  broadband pseudo-telephony
     access protocols, which are carried over xDSL  or  cable  modems,  for
     example.   These  protocols  typically support an encapsulation method
     such as PPP over Ethernet [PPPOE].  Finally  are  the  virtual  access
     protocols  used  by NAS's that terminate tunnels.  One example of this
     type of protocol is L2TP [L2TP].
     
     It is a central assumption of the NAS model used here that a NAS
     accepts multiple point-to-point [PPP] links via one or more of the
     above access protocols.  Therefore, at a minimum, any NAS access
     protocol MUST be able to carry PPP.  The exception to this requirement
     is for NAS's that support legacy text login methods such as telnet
     [TELNET], rlogin, or LAT.  Only these access protocols are exempt from
     the requirement to support PPP.
     
     
     7.  Network Protocol Requirements
     
     
     The network protocols supported by a NAS depend entirely on  the  kind
     of network to which a NAS is providing access.  This document does not
     impose any additional requirements on  network  protocols  beyond  the
     protocol specifications themselves.  For example, if a NAS that serves
     a routed network includes internet routing  functionality,  then  that
     NAS must adhere to [ROUTING-REQUIREMENTS], but there are no additional
     protocol requirements imposed by virtue of the device being a NAS.
     
     
     8.  AAA Protocol Requirements
     
     
     
     8.1.  General protocol characteristics
     
     
     There are certain general characteristics that any AAA  protocol  used
     by  NAS's must meet.  Note that the transport requirements for authen-
     tication/authorization are not  necessarily  the  same  as  those  for
     accounting/auditing.  An AAA protocol suite MAY use the same transport
     and protocol for both functions, but this is not strictly required.
     
     The accounting and auditing functions of the AAA protocol are used for
     network  planning,  resource  management,  policy decisions, and other
     functions that require accurate knowledge of the  state  of  the  NAS.
     NAS operators need to be able to engineer their network usage measure-
     ment systems to a predictable level of accuracy.   Therefore,  an  AAA
     protocol  MUST  provide  a  means of guaranteed delivery of accounting
     information between the NAS and the AAA Server.
     
     Very large scale NAS's that serve up to thousands of simultaneous ses-
     sions  are now being deployed.  This means that, in the extreme, there
     may be an almost constant exchange of many small packets  between  the
     NAS and the AAA server.  An AAA protocol SHOULD be carried on a trans-
     port protocol that is optimized for  a  long-term  exchange  of  small
     packets in a stream between a pair of hosts.
     
     In order to operationally support these large streams of data, load
     balancing of AAA servers may be required.  The AAA protocol MUST allow
     NAS's to balance AAA sessions between two or more AAA servers.  The
     load balancing mechanism SHOULD be built into the protocol, but if
     not, the protocol MUST NOT prevent external load balancing mechanisms
     from operating.
     
     The AAA protocol design cannot allow for a single point of failure
     during the AAA process.  The AAA protocol MUST allow any sessions
     between a NAS and a given AAA server to fail over to a secondary
     server without loss of state information.  The fail-over mechanism
     SHOULD be built into the protocol, but if not, the protocol MUST NOT
     prevent external fail-over mechanisms from operating.
     
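     The following is an added example, not text or code from this draft,
     illustrating the guaranteed-delivery, load-balancing and fail-over
     requirements above from the NAS side.  The AAAServer class is a
     constructed stand-in for a real AAA server, and the record layout and
     retry count are assumptions.  The point it shows is that a record
     leaves the NAS's pending queue only once some server has acknowledged
     it, so a server failure costs retransmissions but never state.

```python
# Added example, not part of the draft: a NAS-side accounting delivery
# queue with retransmission, round-robin load balancing across AAA servers
# and fail-over that keeps queued state until a server acknowledges it.
# AAAServer is a constructed stand-in; no real AAA protocol is used.
import itertools


class AAAServer:
    """Simulated AAA server.  When 'up' is False it never acknowledges."""

    def __init__(self, name, up=True):
        self.name = name
        self.up = up
        self.received = []          # record ids acknowledged, in order

    def deliver(self, record):
        if not self.up:
            return None             # no ack: the NAS treats this as a timeout
        self.received.append(record["id"])
        return record["id"]         # the ack echoes the record id


class AccountingQueue:
    """Outbound accounting queue on the NAS.  A record leaves 'pending'
    only when some server has acknowledged it (guaranteed delivery)."""

    def __init__(self, servers, attempts_per_server=2):
        self.servers = list(servers)
        self.rr = itertools.cycle(range(len(self.servers)))
        self.attempts = attempts_per_server
        self.pending = []
        self.delivered = {}         # record id -> name of acknowledging server
        self.next_id = 1

    def enqueue(self, event, session_id):
        rec = {"id": self.next_id, "event": event, "session": session_id}
        self.next_id += 1
        self.pending.append(rec)
        return rec["id"]

    def flush(self):
        """Try to deliver every pending record; return the ids still
        pending (non-empty only when no server acknowledged them)."""
        remaining = [r for r in self.pending if not self._send(r)]
        self.pending = remaining
        return [r["id"] for r in remaining]

    def _send(self, rec):
        start = next(self.rr)       # load balancing: rotate the first server tried
        for offset in range(len(self.servers)):
            srv = self.servers[(start + offset) % len(self.servers)]
            for _ in range(self.attempts):      # retransmit on a missing ack
                if srv.deliver(rec) == rec["id"]:
                    self.delivered[rec["id"]] = srv.name
                    return True
            # no ack after retries: fail over to the next server, state intact
        return False
```

     Usage: build two AAAServer objects, pass them to AccountingQueue,
     enqueue records and call flush().  Setting a server's 'up' attribute
     to False makes the queue fail over to the other server; with every
     server down, flush() returns the ids that stay queued for the next
     attempt rather than discarding them.
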
     Next-generation  NAS's  will be built that provide access to IPv6 net-
     works.  Wherever internet protocol addresses are  carried  within  the
     AAA  protocol,  the  protocol  MUST  support both IPv4 and IPv6 [IPV6]
     addresses.
     
     Wherever textual information is carried within the AAA  protocol,  the
     protocol  MUST  comply with the IETF Policy on Character Sets and Lan-
     guages [RFC 2277].
     
     NAS and AAA development is always progressing.  In order to prevent
     the AAA protocol from being a limiting factor in NAS and AAA Server
     development, the AAA protocol MUST provide a built-in extensibility
     mechanism.  This mechanism MUST include a means for adding new
     standard extensions, and also MUST include a means for individual
     vendors to add value through vendor-specific extensions.
     
     Dial  roaming  is  now a nearly ubiquitous service.  NAS's operated by
     one authority provide network access services for clients operated  by
     another  authority,  to  network  destinations operated by yet another
     authority.  This type of arrangement is of growing importance.  There-
     fore  an  AAA  protocol  MUST support AAA services that travel between
     multiple domains of authority.  This document  does  not  specify  how
     this must be implemented (for example, via proxy, via brokering, via a
     combination of methods), but it does set strict requirements  that  an
     AAA  protocol  MUST  NOT  use  a model that assumes a single domain of
     authority.  The AAA protocol MUST also meet the protocol  requirements
     specified in [ROAMING-REQUIREMENTS].
     
     
     8.2.  Authentication and User Security Requirements
     
     
     End  users who are requesting network access through a NAS may present
     various types of credentials.  It is the purpose of the  AAA  protocol
     to  transport  these  credentials  between the NAS and the AAA server.
     The AAA protocol MUST also support transport of credentials  from  the
     AAA  server  to  the  NAS  for  the purpose of mutual (bi-directional)
     authentication.
     
     The AAA protocol MUST support re-authentication at any time during the
     course of a session, initiated from either end of the user session.
     
     The  AAA  protocol  MUST be able to support multi-phase authentication
     methods, including support for:
          -Prompting from the NAS to the user
     
          -A series of challenges and responses of arbitrary length
     
          -An authentication failure reason to be transmitted from the  NAS
          to the user
     
          -Callback to a pre-determined phone number
     
     Many authentication protocols are defined within the framework of PPP.
     The AAA protocol MUST be able  to  act  as  an  intermediary  protocol
     between  the  authenticatee  and  the  authenticator for the following
     authentication protocols:
          -PPP Password Authentication Protocol [PPP]
     
          -PPP Challenge Handshake Authentication Protocol [CHAP]
     
          -PPP Extensible Authentication Protocol [EAP]
     
     The following are common types of credentials used for user  identifi-
     cation.  The AAA protocol MUST be able to carry the following types of
     identity credentials:
     
          -A user name in the form of a Network Access Identifier [NAI].
     
          -An Extensible Authentication  Protocol  [EAP]  Identity  Request
          Type packet.
     
          -Telephony dialing information such as Dialed Number
          Identification Service (DNIS) and Caller ID.
     
     If a particular type of identity credential is not needed for a
     particular user session, the AAA protocol MUST NOT require that dummy
     credentials be filled in.
     
     The following are common types of credentials used for authentication.
     The  AAA protocol MUST be able to carry the following types of authen-
     ticating credentials at a minimum:
          -A secret or password.
     
          -A response to a challenge presented by the NAS to the user
     
          -A one-time password
     
          -An X.509 digital certificate [X.509]
     
          -A Kerberos v5 ticket [KERBEROS]
     
     Security protocol development is going on constantly  as  new  threats
     are  identified  and  better  cracking methods are developed.  Today's
     secure authentication methods may be proven  insecure  tomorrow.   The
     AAA protocol MUST provide an extension mechanism so that new authenti-
     cation credential types can be added.
     
     
     8.3.  Authorization, Policy, and Resource management
     
     
     
     8.3.1.  General Authorization Requirements
     
     
     In all cases, authorization data sent from the NAS to the  AAA  server
     is  to be regarded as information or "hints", and not directives.  The
     AAA protocol MUST be designed so that the AAA server makes  all  final
     authorization  decisions  and does not depend on a certain state being
     expected by the NAS.
     
     The AAA protocol MUST support dynamic  re-authorization  at  any  time
     during  a  user  session.   This  re-authorization may be initiated in
     either  direction.   This  dynamic  re-authorization  capability  MUST
     include  the  capability  to  request  a  NAS  to disconnect a user on
     demand.
     
     
     8.3.2.  Policy Requirements - Access Restrictions
     
     
     The AAA protocol serves as a primary means of gathering data used  for
     making  Policy decisions for network access.   Therefore, the AAA pro-
     tocol MUST allow network operators to make policy decisions  based  on
     the following parameters:
     
          -Time/day restrictions.  The AAA protocol MUST be able to provide
          an unambiguous time stamp, NAS time  zone  indication,  and  date
          indication to the AAA server in the Authorization information.
     
          -Location restrictions:  The AAA protocol MUST be able to provide
          an unambiguous location code that reflects the  geographic  loca-
          tion of the NAS.
     
          -Dialing  restrictions:  The AAA protocol MUST be able to provide
          accurate dialed and dialing station indications.
     
          -Concurrent login limitations:  The AAA protocol  MUST  allow  an
          AAA  Server  to  limit  concurrent logins by a particular user or
          group of users.  This mechanism does not need  to  be  explicitly
          built  into  the  AAA protocol, but the AAA protocol must provide
          sufficient authorization information for an AAA  server  to  make
          that determination through an out-of-band mechanism.
     
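     The following is an added example, not text or code from this draft,
     showing an AAA-server-side policy check built on the four parameters
     listed above.  It also reflects the rule in 8.3.1 that NAS-supplied
     authorization data are hints and the server makes the final decision.
     The hint field names, the policy layout and the location codes are
     assumptions.  Note how the NAS time zone indication matters: the same
     local clock reading from NAS's at different offsets can fall on
     opposite sides of a time-of-day rule.

```python
# Added example, not part of the draft: AAA-server policy evaluation over
# NAS-supplied hints (time stamp with NAS UTC offset, location code,
# dialed number) plus a concurrent-login count the server tracks itself.
# Field names, policy layout and location codes are constructed.
from datetime import datetime, timezone, timedelta

# Constructed policy for one user group.  Hours are expressed in UTC so
# that NAS's in different time zones are judged on one unambiguous clock.
POLICY = {
    "allowed_utc_hours": range(6, 22),          # 06:00 - 21:59 UTC
    "allowed_locations": {"US-OH-COL", "US-VA-ASH"},
    "allowed_dialed_numbers": {"6145550100"},
    "max_concurrent": 2,
}


def parse_nas_timestamp(stamp, nas_utc_offset_minutes):
    """Combine the NAS's local time stamp with its reported UTC offset into
    an aware datetime, then normalize to UTC for policy comparison."""
    local = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    tz = timezone(timedelta(minutes=nas_utc_offset_minutes))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def authorize(hints, active_sessions, policy=POLICY):
    """hints: dict of authorization data sent by the NAS (treated as hints).
    active_sessions: user -> number of live sessions, maintained by the AAA
    server out of band, as the draft permits for concurrent-login limits.
    Returns (decision, reason); the server decides, never the NAS."""
    required = ("user", "nas_time", "nas_utc_offset", "location", "dialed")
    missing = [k for k in required if k not in hints]
    if missing:
        return ("reject", "missing hints: " + ",".join(missing))
    when = parse_nas_timestamp(hints["nas_time"], hints["nas_utc_offset"])
    if when.hour not in policy["allowed_utc_hours"]:
        return ("reject", "outside allowed hours (%02d:00 UTC)" % when.hour)
    if hints["location"] not in policy["allowed_locations"]:
        return ("reject", "location not permitted")
    if hints["dialed"] not in policy["allowed_dialed_numbers"]:
        return ("reject", "dialed number not permitted")
    if active_sessions.get(hints["user"], 0) >= policy["max_concurrent"]:
        return ("reject", "concurrent login limit reached")
    return ("accept", "ok")
```

     Usage: call authorize() with the NAS's hints and the server's own
     count of live sessions per user.  A NAS at UTC-4 reporting 18:30
     local time is rejected (22:30 UTC), while a NAS at UTC+2 reporting
     the same local time is accepted (16:30 UTC), which is why the draft
     requires the time zone indication alongside the time stamp.
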
     
     8.3.3.  Policy Requirements - Authorization Profiles
     
     
     The  AAA  protocol is used to enforce policy at the NAS.  Essentially,
     on granting of access, a particular access profile is applied  to  the
     user's session.  The AAA protocol MUST at a minimum provide a means of
     applying profiles containing the following types of information:
     
          -IP Address assignment: The AAA protocol MUST provide a means  of
          assigning an IPv4 or IPv6 address to an incoming user.
     
          -Protocol  Filter  application:   The AAA protocol MUST provide a
          means of applying protocol filters to user sessions.  Two differ-
          ent methods MUST be supported.  First, the AAA protocol MUST pro-
          vide a means of selecting a protocol filter by  reference  to  an
          identifier, with the details of the filter action being specified
          out of band.  Second, the AAA protocol MUST provide  a  means  of
          passing  a protocol filter by value.  This means explicit passing
          of pass/block information by address range, TCP/UDP port  number,
          and IP protocol number at a minimum.
     
          -Compulsory Tunneling:  The AAA protocol MUST provide a means of
          directing a NAS to build a tunnel or tunnels to a specified
          endpoint.  It MUST support creation of multiple simultaneous
          tunnels in a specified order.  The protocol MUST allow, at a
          minimum, specification of the tunnel endpoints, tunneling
          protocol type, underlying tunnel media type, and tunnel
          authentication credentials (if required by the tunnel type).
          The AAA protocol MUST support at least the creation of tunnels
          using the L2TP [L2TP], ESP [ESP], and AH [AH] protocols.  The
          protocol MUST provide means of adding new tunnel types as they
          are standardized.
     
          -Routing:  The AAA protocol MUST provide a means of  assigning  a
          particular static route to an incoming user session.
     
          -Expirations/timeouts:  The AAA protocol MUST provide a means of
          communicating session expiration information to a NAS.  Types of
          expirations that MUST be supported are:  total session time, idle
          time, total bytes transmitted, and total bytes received.
     
          -Quality of Service:  The AAA protocol MUST provide  a  means  of
          applying  Quality  of  Service parameters to individual user ses-
          sions.
     
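     The following is an added example, not text or code from this draft,
     showing an authorization profile that carries a protocol filter by
     value (pass/block by address range, TCP/UDP port and IP protocol
     number, as required above) together with the four expiration types,
     and the NAS-side checks that enforce both.  Address ranges are given
     as IPv4 and IPv6 prefixes, matching the dual-stack requirement of
     8.1.  The rule and profile layouts and the sample prefixes and limits
     are constructed; the draft only lists what a profile must be able to
     express, not how it is encoded.

```python
# Added example, not part of the draft: an authorization profile with a
# by-value protocol filter and session expiration limits, plus the NAS
# checks that apply them.  Layouts and sample values are constructed.
import ipaddress


def make_rule(action, network, proto=None, port=None):
    """One by-value filter entry.  action: 'pass' or 'block'.  network: an
    IPv4 or IPv6 prefix.  proto: IP protocol number (6 = TCP, 17 = UDP).
    port: TCP/UDP destination port.  None for proto or port matches any."""
    if action not in ("pass", "block"):
        raise ValueError("action must be 'pass' or 'block'")
    return {"action": action, "net": ipaddress.ip_network(network),
            "proto": proto, "port": port}


# Constructed profile.  The filter is evaluated first match wins, with a
# final catch-all block for each address family.
PROFILE = {
    "address": ipaddress.ip_address("192.0.2.77"),   # assigned to the user
    "filter_by_reference": None,     # an id resolved out of band, unused here
    "filter_by_value": [
        make_rule("block", "198.51.100.0/24"),              # any proto/port
        make_rule("pass", "203.0.113.0/24", proto=6, port=443),
        make_rule("pass", "203.0.113.0/24", proto=17, port=53),
        make_rule("pass", "2001:db8::/32", proto=6, port=22),
        make_rule("block", "0.0.0.0/0"),
        make_rule("block", "::/0"),
    ],
    "expirations": {"session_time": 3600, "idle_time": 600,
                    "bytes_transmitted": 50_000_000,
                    "bytes_received": 200_000_000},
}


def packet_allowed(profile, dst, proto, port=None):
    """NAS-side check of one packet against the by-value filter."""
    addr = ipaddress.ip_address(dst)
    for rule in profile["filter_by_value"]:
        if addr not in rule["net"]:      # also False across v4/v6 families
            continue
        if rule["proto"] is not None and rule["proto"] != proto:
            continue
        if rule["port"] is not None and rule["port"] != port:
            continue
        return rule["action"] == "pass"
    return False                          # nothing matched: block


def expired(profile, state):
    """state: the NAS's current view of the session (elapsed seconds, idle
    seconds, cumulative byte counts).  Returns the first limit reached,
    or None if the session may continue."""
    limits = profile["expirations"]
    for name in ("session_time", "idle_time",
                 "bytes_transmitted", "bytes_received"):
        if state[name] >= limits[name]:
            return name
    return None
```

     The catch-all block rules at the end make the filter deny by
     default; a packet that matches no explicit rule is dropped rather
     than forwarded, which is the safer failure mode for a filter that was
     passed by value and may be incomplete.
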
     
     8.3.4.  Resource Management Requirements
     
     
     The AAA protocol is a means for network operators to perform
     management of network resources.  The AAA protocol MUST provide a
     means of collecting resource state information, and controlling
     resource allocation for the following types of network resources:
     
          -Network  bandwidth  usage  per session, including multilink ses-
          sions.
     
          -Access port usage.
     
          -IP Addresses and pools.
     
     Resource management MUST be supported on demand at any time during the
     course of a user session.
     
     
     8.4.  Accounting and Auditing Requirements
     
     
     NAS  operators  often require a real time view onto the status of ses-
     sions served by a NAS.  Therefore, the AAA protocol MUST support real-
     time  delivery  of  accounting and auditing information.  In this con-
     text, real time is defined as accounting information  delivery  begin-
     ning within one second of the triggering event.
     
     There  may be delays associated with the delivery of accounting infor-
     mation.  The NAS operator will desire to know the time an event  actu-
     ally  occurred,  rather  than simply the time when notification of the
     event was received.  Therefore, the AAA protocol MUST carry  an  unam-
     biguous time stamp associated with each accounting event.
     
     At a minimum, the AAA protocol MUST support delivery of accounting
     information triggered by the following events:
     
          -Start of a user session
     
          -End of a user session
     
          -Expiration of a predetermined repeating time interval  during  a
          user  session.  The AAA protocol MUST provide a means for the AAA
          server to request that a NAS use a  certain  interval  accounting
          time.
     
          -Dynamic  re-authorization  during  a  user  session  (e.g.,  new
          resources being delivered to the user)
     
          -Dynamic re-authentication during a user session
     
     NAS operators need to maintain an accurate view  onto  the  status  of
     sessions  served  by  a  NAS,  even  through failure of an AAA server.
     Therefore, the AAA protocol MUST support a means of requesting current
     session state from the NAS on demand.
     
     At  a minimum, the AAA protocol MUST support delivery of the following
     types of accounting/auditing data:
          -All parameters used to authenticate a session.
     
          -Details of the authorization profile that  was  applied  to  the
          session.
     
          -The duration of the session.
     
          -The  cumulative number of bytes sent by the user during the ses-
          sion.
     
          -The cumulative number of bytes received by the user  during  the
          session.
     
          -The  cumulative  number  of  packets sent by the user during the
          session.
     
          -The cumulative number of packets received by the user during the
          session.
     
          -Details  of  the  access  protocol used during the session (port
          type, connect speeds, etc.)
     
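     The following is an added example, not text or code from this draft,
     showing how a NAS can produce the accounting events and data listed
     in this section: start, interim, re-authorization and stop records
     carrying an unambiguous time stamp (ISO 8601 with an explicit UTC
     offset), cumulative byte and packet counters, the duration, access
     details and the applied profile, plus an interim interval requested
     by the AAA server and an on-demand session-state query.  Record field
     names, the session layout and the sample values are assumptions.

```python
# Added example, not part of the draft: NAS-side accounting records with
# unambiguous time stamps, a server-requested interim interval, cumulative
# counters and an on-demand session-state dump.  Field names are assumed.
from datetime import datetime, timezone, timedelta


def parse_time(iso):
    """Accept only time stamps that carry a UTC offset; a naive local time
    from a NAS would be ambiguous to the AAA server."""
    dt = datetime.fromisoformat(iso)
    if dt.tzinfo is None:
        raise ValueError("time stamp without UTC offset: " + iso)
    return dt.astimezone(timezone.utc)


def stamp(dt):
    return dt.astimezone(timezone.utc).isoformat()


class Session:
    def __init__(self, session_id, user, access, started_iso, interim_interval):
        self.id = session_id
        self.user = user
        self.access = access                    # e.g. port type, connect speed
        self.started = parse_time(started_iso)
        self.interim_interval = interim_interval  # seconds, set by the AAA server
        self.last_interim = self.started
        self.counters = {"bytes_in": 0, "bytes_out": 0,
                         "packets_in": 0, "packets_out": 0}
        self.auth_params = {}
        self.profile = {}

    def account(self, bytes_in=0, bytes_out=0, packets_in=0, packets_out=0):
        """Counters are cumulative for the life of the session."""
        self.counters["bytes_in"] += bytes_in
        self.counters["bytes_out"] += bytes_out
        self.counters["packets_in"] += packets_in
        self.counters["packets_out"] += packets_out


def record(session, event, when, extra=None):
    rec = {"event": event, "session_id": session.id, "user": session.user,
           "event_time": stamp(when),
           "duration": int((when - session.started).total_seconds()),
           "access": session.access}
    rec.update(session.counters)
    rec.update(extra or {})
    return rec


def start_record(session, now_iso):
    return record(session, "start", parse_time(now_iso),
                  {"auth_params": session.auth_params, "profile": session.profile})


def interim_records(session, now_iso):
    """Called from the NAS's timer.  Emits one record per elapsed interval,
    stamped with the moment that interval expired, so a late timer never
    silently skips an interval."""
    now = parse_time(now_iso)
    step = timedelta(seconds=session.interim_interval)
    due = []
    while now - session.last_interim >= step:
        session.last_interim += step
        due.append(record(session, "interim", session.last_interim))
    return due


def reauthorization_record(session, now_iso, new_profile):
    session.profile = new_profile
    return record(session, "reauthorization", parse_time(now_iso),
                  {"profile": new_profile})


def stop_record(session, now_iso, cause):
    return record(session, "stop", parse_time(now_iso), {"terminate_cause": cause})


def session_state(sessions, now_iso):
    """On-demand view of every live session, for an AAA server that has
    lost its own state (for example after fail-over)."""
    now = parse_time(now_iso)
    return [record(s, "state", now) for s in sessions.values()]
```

     The event time stamp is taken when the event occurs on the NAS and is
     carried in the record itself, so the server can tell when a session
     actually started or stopped even if delivery of the record was
     delayed; the naive-time check in parse_time() refuses the ambiguous
     case outright rather than guessing an offset.
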
     
     9.  Device Management Protocols
     
     
     This document does not currently specify any requirements  for  device
     management protocols.
     
     
     10.  Security considerations
     
     
     It  is  poor  security  practice  for a NAS to communicate with an AAA
     server that is not trusted, and vice versa.  At  a  minimum,  the  AAA
     protocol MUST support use of a secret shared pairwise between each NAS
     and AAA server to mutually verify identity.  However,  AAA  server/NAS
     identity  verification based solely on shared secrets can be difficult
     to deploy properly at large scale, and it  can  be  tempting  for  NAS
     operators  to  use a single shared secret (that rarely changes) across
     all NAS's.  This can lead to easy compromise of  the  secret.   There-
     fore,  the  AAA  protocol SHOULD also support verification of identity
     using a public-key infrastructure that supports expiration and revoca-
     tion of keys.
     
     When passwords are used as authentication credentials by users, the
     AAA protocol MUST provide a secure means of hiding the password from
     end to end of the AAA conversation.  When a challenge/response
     mechanism is used, the AAA protocol MUST also protect against replay
     attacks.
     
     When an AAA protocol passes credentials that will be used to
     authenticate compulsory tunnels, the AAA protocol MUST provide a
     secure means of protecting the credentials from end to end of the AAA
     conversation.  The AAA protocol MUST also provide protection against
     replay attacks in this situation.
     
     Note  that  accounting  and  auditing data are operationally sensitive
     information that may require measures to assure integrity  and  confi-
     dentiality.
     
     Where  an  AAA  architecture  spans multiple domains of authority, AAA
     information may need to cross trust boundaries.  In this situation,  a
     NAS  may operate as a shared device that services multiple administra-
     tive domains.  Network operators must  take  this  into  consideration
     when deploying NAS's and AAA Servers.
     
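     The following is an added example, not text or code from this draft,
     illustrating two of the requirements in this section: a secret shared
     pairwise between each NAS and the AAA server, used to authenticate
     every message with a keyed hash, and a challenge/response exchange of
     the kind required in 8.2 in which the server accepts each challenge
     once only, so a captured response cannot be replayed.  The NAS
     identifiers, secrets, message layout and user credential are all
     constructed; password hiding and public-key verification are outside
     what this example covers.

```python
# Added example, not part of the draft: pairwise NAS/AAA-server secrets
# used to authenticate messages with HMAC-SHA256, and a challenge/response
# server that refuses replayed responses.  All identifiers, secrets and
# the message layout are constructed for the example.
import hashlib
import hmac
import json
import secrets

# One secret per NAS rather than one secret across all NAS's: losing one
# device's secret then exposes only that device's conversations.
NAS_SECRETS = {
    "nas-col-01": b"constructed-secret-for-nas-col-01",
    "nas-ash-02": b"constructed-secret-for-nas-ash-02",
}


def canonical(msg):
    """Deterministic byte encoding of every field except the authenticator,
    so sender and verifier hash exactly the same bytes."""
    body = {k: v for k, v in msg.items() if k != "authenticator"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(msg, secret):
    out = dict(msg)
    out["authenticator"] = hmac.new(secret, canonical(msg), hashlib.sha256).hexdigest()
    return out


def verify_from_nas(msg):
    """Server side: look up the sending NAS's own secret and check the
    authenticator in constant time.  Unknown NAS or mismatch -> False."""
    secret = NAS_SECRETS.get(msg.get("nas_id"))
    if secret is None or "authenticator" not in msg:
        return False
    expected = hmac.new(secret, canonical(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["authenticator"])


class ChallengeResponseServer:
    """Issues a fresh random challenge per attempt and consumes it on first
    use, so the same response is never accepted twice."""

    def __init__(self, user_secrets):
        self.user_secrets = user_secrets     # user -> bytes (constructed)
        self.outstanding = {}                # challenge hex -> user

    def issue_challenge(self, user):
        challenge = secrets.token_hex(16)
        self.outstanding[challenge] = user
        return challenge

    @staticmethod
    def compute_response(user_secret, challenge):
        # What the end user's client computes (CHAP-like keyed hash);
        # relayed by the NAS to the server inside an authenticated message.
        return hmac.new(user_secret, bytes.fromhex(challenge), hashlib.sha256).hexdigest()

    def check_response(self, user, challenge, response):
        # pop() removes the challenge whether or not the response is good
        if self.outstanding.pop(challenge, None) != user:
            return ("reject", "unknown, expired or already-used challenge")
        secret = self.user_secrets.get(user)
        if secret is None:
            return ("reject", "unknown user")
        expected = self.compute_response(secret, challenge)
        if not hmac.compare_digest(expected, response):
            return ("reject", "bad response")
        return ("accept", "ok")
```

     Usage: sign() a request with the sending NAS's secret and have the
     server call verify_from_nas(); any change to a signed field, or a
     signature made with another NAS's secret, fails verification.  For
     the user exchange, issue_challenge(), compute the response on the
     client, then check_response(); presenting the same response a second
     time is rejected because the challenge was consumed.
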
     
     11.  References
     
     
     [KEYWORDS]  S.  Bradner.    "Key  words  for  use  in RFCs to Indicate
     Requirement Levels."  RFC 2119, Harvard University, March 1997.
     
     [NAS-MODEL] D. Mitton, M. Beadles.  "Network  Access  Server  Require-
     ments Next Generation (NASREQNG) NAS Model."  Work in progress.
     
     [PPPOE]  L. Mamakos et al.  "A Method for Transmitting PPP Over Ether-
     net (PPPoE)."  RFC 2516, UUNET Technologies, Inc., February 1999.
     
     [L2TP] W. M. Townsley, et al.  "Layer Two Tunneling Protocol  (L2TP)."
     Work in progress.
     
     [PPP] W. Simpson.  "The Point-to-Point Protocol (PPP)."  RFC 1661,
     Daydreamer, July 1994.
     
     [TELNET] J. Postel, J.  Reynolds.   "Telnet  Protocol  Specification."
     STD 8, RFC 854, ISI, May 1983.
     
     [ROUTING-REQUIREMENTS]  F.   Baker.    "Requirements  for IP Version 4
     Routers."  RFC 1812, Cisco Systems, June 1995.
     
     [IPV6] S. Deering, R. Hinden.  "Internet Protocol,  Version  6  (IPv6)
     Specification."  RFC 2460, Cisco, Nokia, December 1998.
     
     [RFC  2277]  H.  Alvestrand.   "IETF Policy on Character Sets and Lan-
     guages."  RFC 2277, UNINETT, January 1998.
     
     [CHAP] W. Simpson.  "PPP Challenge Handshake  Authentication  Protocol
     (CHAP)."  RFC 1994, Daydreamer, August 1996.
     
     [EAP]  L. Blunk, J. Vollbrecht.  "PPP Extensible Authentication Proto-
     col (EAP)."  RFC 2284, Merit Network, Inc., March 1998.
     
     [NAI] B.  Aboba, M. Beadles.  "The Network  Access  Identifier."   RFC
     2486, Microsoft, WorldCom Advanced Networks, January 1999.
     
     [X.509]  ITU-T Recommendation X.509 (1997 E): Information Technology -
     Open Systems Interconnection - The  Directory:  Authentication  Frame-
     work, June 1997.
     
     [KERBEROS]  J.  Kohl, C. Neuman.  "The Kerberos Network Authentication
     Service (V5)."  RFC 1510, Digital Equipment Corporation, ISI,  Septem-
     ber 1993.
     
     [ESP]  S.  Kent,  R.  Atkinson.   "IP  Encapsulating  Security Payload
     (ESP)."  RFC 2406, BBN Corp, @Home Network, November 1998.
     
     [AH] S. Kent, R. Atkinson.   "IP  Authentication  Header  (AH)."   RFC
     2402, BBN Corp, @Home Network, November 1998.
     
     [ROAMING-REQUIREMENTS]  B.  Aboba, G. Zorn.   "Criteria for Evaluating
     Roaming Protocols."  RFC 2477, Microsoft, January 1999.
     
     
     
     12.  Author's Address
     
     
     
     Mark Anthony Beadles
     UUNET, an MCI WorldCom Company
     5000 Britton Rd.
     Hilliard, OH 43026
     
     Phone: 614-723-1941
     EMail: mbeadles@wcom.net
     
     
     13.  Full Copyright Statement
     
     
     Copyright (C) The Internet Society (1999).  All Rights Reserved.
     
     This document and translations of it may be copied  and  furnished  to
     others,  and  derivative works that comment on or otherwise explain it
     or assist in its implementation may be prepared, copied, published and
     distributed,  in  whole  or  in part, without restriction of any kind,
     provided that the  above  copyright  notice  and  this  paragraph  are
     included on all such copies and derivative works.  However, this docu-
     ment itself may not be modified in any way, such as  by  removing  the
     copyright notice or references to the Internet Society or other Inter-
     net organizations, except as needed  for  the  purpose  of  developing
     Internet standards in which case the procedures for copyrights defined
     in the Internet Standards process must be followed, or as required  to
     translate it into languages other than   English.  The limited permis-
     sions granted above are perpetual and  will  not  be  revoked  by  the
     Internet  Society or its successors or assigns.  This document and the
     information contained herein is provided on an "AS IS" basis  and  THE
     INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL
     WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY  WAR-
     RANTY  THAT  THE  USE  OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY
     RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS  FOR  A
     PARTICULAR PURPOSE."
     
     
     14.  Expiration Date
     
     
     This document is filed as <draft-ietf-nasreq-criteria-01.txt>, and
     expires December 24, 1999.