NASREQ Working Group                              M. Beadles
     INTERNET-DRAFT                                  MCI WorldCom
     Category: Informational
     <draft-ietf-nasreq-criteria-00.txt>
     25 February 1999
     
     
            Criteria for Evaluating Network Access Server Protocols
     
     
     
     1.  Status of this Memo
     
     
     This document is an Internet-Draft and is in full conformance with all
     provisions of Section 10 of RFC2026.  Internet-Drafts are working doc-
     uments  of  the Internet Engineering Task Force (IETF), its areas, and
     its working groups.  Note that other groups may also distribute  work-
     ing documents as Internet-Drafts.
     
     Internet-Drafts  are draft documents valid for a maximum of six months
     and may be updated, replaced, or obsoleted by other documents  at  any
     time.   It is inappropriate to use Internet-Drafts as reference mate-
     rial or to cite them other than as "work in progress."
     
     The   list   of   current   Internet-Drafts   can   be   accessed   at
     http://www.ietf.org/ietf/1id-abstracts.txt
     
     The  list  of  Internet-Draft  Shadow  Directories  can be accessed at
     http://www.ietf.org/shadow.html.
     
     The  distribution  of  this  draft  is  unlimited.   It  is  filed  as
     <draft-ietf-nasreq-criteria-00.txt>   and  expires  August  25,  1999.
     Please send comments to the author.
     
     
     2.  Copyright Statement
     
     
     Copyright   (C) The Internet Society 1999.  All Rights Reserved.
     
     
     3.  Abstract
     
     
     This document defines and analyzes  requirements  for  modern  Network
     Access Servers (NAS).  The NAS is the initial entry point to a network
     for the majority of users of network services.  It is the first device
     in the network to provide services and enforce policy for an end user,
     and acts as a gateway for all further services.  As such,  its  impor-
     tance to users and service providers alike is paramount.  However, the
     concept of a NAS has grown up over the years without a formal  defini-
     tion or framework for analysis.  This document defines a NAS, analyzes
     the functionality of NAS's, and sets requirements for  protocols  that
     
     
     
     Beadles                 Category: Informational               [Page 1]


     INTERNET-DRAFT        Criteria for NAS Protocols      25 February 1999
     
     
     provide  this functionality.  Functions provided adequately by already
     standardized protocols will be documented as such.
     
     
     
     4.  Requirements language
     
     
     In this document, the key words "MAY", "MUST", "MUST NOT", "optional",
     "recommended",  "SHOULD",  and  "SHOULD NOT", are to be interpreted as
     described in [KEYWORDS].
     
     
     5.  Introduction
     
     
     This document defines a Network  Access  Server  (NAS),  analyzes  the
     functionality  of NAS's, and sets requirements for protocols that pro-
     vide this functionality.  This document does not  define  what  a  NAS
     must  do.   Rather,  it  defines  how a NAS must do what it does if it
     chooses to.  That is, it does not  set  functional  requirements,  but
     sets requirements for protocols or systems that provide functionality.
     Implementors may choose not to provide certain features at their  dis-
     cretion.
     
     This  document  makes  reference to many standard protocols that a NAS
     will use.  This document incorporates by reference the RFC's and other
     documents  describing  the current specifications for these protocols.
     It adds additional discussion and guidance for implementors  of  these
     protocols  where  they apply to a NAS.  Where existing protocols meet
     these  requirements,  they  will  be  noted.  In  particular,  [ROUTER
     REQUIREMENTS]  is referred to as a primary source for requirements and
     implementation of the routing functionality of a NAS.
     
     Note that, although NAS's often support more than one protocol  suite,
     this  document  is only concerned with requirements for NAS's that use
     the TCP/IP protocol suite.
     
     
     6.  Definition of a Network Access Server
     
     
     A Network Access Server is a device which sits on the edge of  a  net-
     work,  and provides access to services on that network in a controlled
     fashion, based on the identity of the user of the network services  in
     question.   For the purposes of this document, a Network Access Server
     is a device which accepts multiple point-to-point [PPP] links  on  one
     set of interfaces, providing access to a routed TCP/IP network or net-
     works on another  set  of  interfaces.   Examples  of  Network  Access
     Servers include:
     
     
          A remote access server which provides access to a private network
          via attached modems which are directly dialed by the user.
     
     
     
          A tunneling server which sits at the border of a  protected  net-
          work, and acts as a gateway for users to enter the protected net-
          work from the Internet.
     
          A shared commercial dial access server operated by a Network Ser-
          vice  Provider,  where incoming users connect via modems operated
          by a Telephone Service Provider, and access is provided  to  many
          dissimilar private and public networks, including the Internet.
     
          A  broadband access server which provides authenticated access to
          the Internet for users connecting via point-to-point  links  over
          broadband media such as xDSL or cable modems.
     
     
     Note  that  there are many things that a Network Access Server is not.
     A NAS is not just a router, although all NAS's are routers. A  NAS  is
     not necessarily a dial access server, although dial access is one com-
     mon means of network access, and brings  its  own  particular  set  of
     requirements to NAS's.
     
     A NAS is the first device in the network to provide services to an end
     user and acts as a gateway for all further services.  It is the  point
     at  which  users are authenticated, access policy is enforced, network
     services are authorized, network usage is audited, and  resource  con-
     sumption  is  tracked.   That is, a NAS acts as the Policy Enforcement
     Point  (PEP)  for  network  AAA  (authentication,  authorization,  and
     accounting) services.  A NAS is typically the first place in a network
     where security measures and policy may be implemented.
     
     
     
     7.  Interested parties
     
     
     The following are examples of parties who are concerned with the oper-
     ation of Network Access Servers.  This list is by no means exhaustive.
     
          Network Service Providers (NSPs) who operate  and  manage  NAS's,
          AAA  servers,  policy servers, and networks; and who provide net-
          work services to end users.
     
          End users who gain access to their private  and  public  networks
          through NAS's.
     
          Businesses  and other entities who operate NAS's for their users'
          public and private network access, or who outsource the operation
          and management of NAS's to a NSP.
     
          Telephone  Service Providers (TSPs) who operate and manage modems
          and telephony networks; and who provide telephony services to end
          users, NSP's, and businesses.
     
          Manufacturers of NAS's, AAA servers, policy servers, modems, etc.
     
     
     
     
     8.  Reference Model of a NAS
     
     
     For reference in discussion of NAS requirements, a diagram of  a  NAS,
     its  dependencies, and its interfaces is given below.  This diagram is
     intended as an abstraction of a NAS as a reference model, and  is  not
     intended to represent any particular NAS implementation.
     
                                Users
                             v v v v v v v
                             | | Telco | |
                             | |  or   | |
                             |encapsulated
                         +-------------------+
                         | Modems or Virtual |
                         +-------------------+
                             | | | | | | |
                             | | | | | | |
                             | | | | | | |
                     +--+----------------------------+
                     |  |                            |
                     |N |     Client Interface       |
                     |  |                            |
                     |A +----------Routing ----------+
                     |  |                            |
                     |S |    Network Interface       |
                     |  |                            |
                     +--+----------------------------+
                            /      |     \
                           /       |      \
                          /        |       \
                         /         |        \
       POLICY MANAGEMENT/          |         \  DEVICE MANAGEMENT
       +---------------+           |          +-------------------+
       | Authentication|         _/^\_        |Device Provisioning|
       +---------------+       _/     \_      +-------------------+
       | Authorization |     _/         \_    |Device Monitoring  |
       +---------------+   _/             \_  +-------------------+
       | Accounting    |  /       The       \
       +---------------+  \_   Network(s)  _/
                            \_           _/
                              \_       _/
                                \_   _/
                                  \_/
     
     
     
     
     8.1.  Description of Model Elements
     
     
     Following is a description of the modules and interfaces in the refer-
     ence model for a NAS given above:
     
     
     
     
     Client Interfaces
               A NAS has one or more client interfaces, which  provide  the
               interface  to  the  end  users  who  are  requesting network
               access.  Users may connect to these  client  interfaces  via
               modems  over  a switched telephone network, via encapsulated
               tunnels over data network, or by some similar means.
     
     
     Network Interfaces
               A NAS has one or more network interfaces, which  connect  to
               the TCP/IP networks to which access is being granted.
     
     
     Routing   Since this document assumes that the network to which access
               is being granted is a routed TCP/IP network, a NAS  includes
               routing functionality.
     
     
     Policy Management Interface
               Policy  is  defined as a set of business rules for operation
               of a network, applied here to the authorization  of  network
               access.  The specific application of policy rules depends on
               user identity and the current network state.  A NAS provides
               an  interface  which allows access to network services to be
               managed on a per-user,  per-session  basis.   Although  this
               interface historically may have been a configuration file, a
               graphical user interface, or an API, this  document  assumes
               that a AAA protocol provides this interface.  This interface
               provides a mechanism for granular  resource  management  and
               policy enforcement.
     
     
     Authentication
               Authentication refers to the confirmation that a user who is
               requesting services is a valid user of the network  services
               requested.  Authentication does not establish that a user
               is authorized to receive any services, it  just  establishes
               who  the  user  is  to  a predetermined degree of certainty.
               Authentication is accomplished via the  presentation  of  an
               identity  and credentials.  Examples of types of credentials
               are passwords, one-time tokens,  digital  certificates,  and
               phone numbers (calling/called).
     
     
     Authorization
               Authorization  refers  to  the granting of specific types of
               service (including "no service") to a user, based  on  their
               authentication,  what  services they are requesting, and the
               current system state. Authorization may be based on restric-
               tions,  for  example  time-of-day  restrictions, or physical
               location  restrictions,  or  restrictions  against  multiple
               logins  by  the  same  user.   Authorization  determines the
               nature of the service which is granted to a user.   Examples
               of  types  of  service  include,  but are not limited to: IP
               address filtering,  address  assignment,  route  assignment,
               QoS/differential services, bandwidth control/traffic manage-
               ment, compulsory  tunneling  to  a  specific  endpoint,  and
               encryption.
     
     
     Accounting
               Accounting  refers  to  the  tracking  of the consumption of
               resources by users.  This information may be used  for  man-
               agement,  planning,  billing,  auditing,  or other purposes.
               Real-time accounting refers to accounting  information  that
               is  delivered  concurrently  with  the  consumption  of  the
               resources.  Batch accounting refers to  accounting  informa-
               tion  that  is  saved until it is delivered at a later time.
               Typical information that is gathered in  accounting  is  the
               identity  of  the user, the nature of the service delivered,
               when the service began, and when it ended.
     
     
     AAA Server
               A AAA Server is a server or servers that provide authentica-
               tion,  authorization, and accounting services.  These may be
               colocated with the NAS, but this document assumes  they  are
               located  on a separate server and communicate with the NAS's
               User Management Interface via a AAA protocol.  The three AAA
               functions  may be located on a single server, or may be bro-
               ken up among multiple servers.
     
     
     Device Management Interface
               A NAS is a network device which is owned, operated, and man-
               aged  by  some  entity.  This interface provides a means for
               this entity to operate, manage, and maintain the  NAS.  This
               is a logically separate function from policy management, and
               in fact separate entities may  manage  the  policy  and  the
               device  itself.  This interface may be a configuration file,
               a graphical user interface, an API, or a  protocol  such  as
               SNMP [SNMP].
     
     
     Device Monitoring
               Device  monitoring  refers to the tracking of status, activ-
               ity, and usage of the NAS as a network device.  It does  not
               mean the tracking of individual user activity or status.
     
     
     Device Provisioning
               Device  provisioning refers to the configurations, settings,
               and control of the NAS as a network device.  This means gen-
               eral  device  settings and control, and not the dynamic con-
               trol that is associated with authorizing a  particular  user
               to receive services within the context of a session.
     
     
     
     
     
     9.  Analysis and Requirements
     
     
     Using  the reference model above, the following is an analysis of the
     functions of a NAS and requirements for protocols and services to per-
     form these functions.
     
     
     
     9.1.  NAS Interfaces
     
     
     NAS's have two basic sets of interfaces;  one set provides client con-
     nections serving individual users, and the other set  faces  the  net-
     works on which access is controlled.
     
     
     9.1.1.  Client Interface
     
     The  NAS  Client  Interface  accepts individual point-to-point connec-
     tions.  This interface  MUST  support  the  Point-to-Point  Protocol
     [PPP].
     
     
     
     9.1.2.  Access Media
     
     
     Various access media can be supported by the NAS.  They can be divided
     into three types: dial telephony, encapsulated tunnels, and  broadband
     media.   Dial telephony includes POTS and ISDN and is provided through
     a modem, terminal adapter, or similar  device.   Encapsulated  tunnels
     include  Layer  Two  Tunneling  Protocol [L2TP] sessions encapsulating
     PPP, provided through a virtual interface.  Broadband media,  such  as
     xDSL  and  Cable  Modems, can be considered a special case of encapsu-
     lated media.
     
     
     9.1.3.  Network Interface
     
     
     If the network that the NAS controls access on is a routed TCP/IP net-
     work,  a  NAS MUST provide routing functionality as defined in [ROUTER
     REQUIREMENTS].
     
     
     
     9.2.  Services provided by a NAS
     
     
     
     
     
     
     
     
     
     9.2.1.  Authentication and Security
     
     A NAS provides authentication services to end users. The NAS does  not
     check the user's credentials itself; rather it offloads authentication
     to an external authentication server via a AAA protocol. The types  of
     authentication  provided by a NAS can range from simple identification
     to advanced multi-phase authentication methods.  Identification  (pre-
     sentation of some form of identity with no supporting credentials) can
     include presentation of a user name alone, or even presentation of  no
     user  name  at all, relying on (for example) a calling phone number to
     identify a user.  Therefore a AAA protocol MUST support authentication
     sessions  that  carry a user name with no password, and authentication
     sessions that carry no user name. For standard authentication by  user
     name  and  password,  a AAA protocol MUST support carrying a user name
     and associated password, both in clear text and secured by  challenge-
     response  [PPP CHAP]. Advanced authentication methods such as one-time
     passwords or digital certificates are enabled in PPP by the Extensible
     Authentication  Protocol [EAP].  Therefore a AAA protocol MUST support
     transporting of EAP sessions.
     
     Since a NAS may need to participate in a public key infrastructure,  a
     AAA protocol SHOULD support a standard key exchange mechanism.
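     The four kinds of authentication session named above (user name with
     a cleartext password, user name with a CHAP challenge-response, user
     name with no credential at all, and no user name with only a calling
     number) can be modelled compactly.  The Python below is an added
     illustration written for this page; it is not code from the draft or
     from any AAA server.  The user database, the calling-number table,
     the AccessRequest field names and the authenticate() function are
     this example's own assumptions.  The CHAP computation follows RFC
     1994 [PPP CHAP]: Response = MD5(Identifier || secret || Challenge),
     with the verification done where the draft places it, on the AAA
     server rather than in the NAS.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (assumption): the AAA server's view of its users.
USER_SECRETS = {"alice": b"correct horse battery staple"}
KNOWN_CALLING_NUMBERS = {"+16145550100": "alice"}


@dataclass
class AccessRequest:
    """One authentication session as a AAA protocol would carry it.
    Every field is optional so that all four session types can be expressed."""
    user_name: Optional[str] = None
    password: Optional[bytes] = None          # cleartext password
    chap_ident: Optional[int] = None          # CHAP Identifier octet
    chap_challenge: Optional[bytes] = None
    chap_response: Optional[bytes] = None
    calling_number: Optional[str] = None      # identification with no name


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """Challenges must be unpredictable and never reused, otherwise a
    captured response can be replayed against the same challenge."""
    return os.urandom(length)


def authenticate(req: AccessRequest) -> tuple:
    """Return (accepted, method). Each branch is one session type the draft
    says a AAA protocol MUST be able to carry."""
    if req.chap_response is not None:
        if req.user_name is None or req.chap_ident is None or req.chap_challenge is None:
            return (False, "chap")
        secret = USER_SECRETS.get(req.user_name)
        if secret is None:
            return (False, "chap")
        expected = chap_response(req.chap_ident, secret, req.chap_challenge)
        # Constant-time comparison so a wrong response leaks nothing via timing.
        return (hmac.compare_digest(expected, req.chap_response), "chap")

    if req.password is not None:
        secret = USER_SECRETS.get(req.user_name or "")
        ok = secret is not None and hmac.compare_digest(secret, req.password)
        return (ok, "password")

    if req.user_name is not None:
        # Identification only: a name with no credential.  The session is
        # accepted when the name is known, but nothing has been proven.
        return (req.user_name in USER_SECRETS, "identification")

    if req.calling_number is not None:
        # No user name at all; identity comes from the calling number.
        return (req.calling_number in KNOWN_CALLING_NUMBERS, "calling-number")

    return (False, "none")
```

     The identification-only and calling-number branches are deliberately
     weaker than the password and CHAP branches: they establish who the
     user claims to be, not that the claim is true, which is why the draft
     treats them as identification rather than authentication.  The
     authorization step that follows should take the method into account.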
     
     
     9.2.2.  Authorization and Policy
     
     
     A NAS is the initial point where services are authorized to end users.
     The NAS does not itself authorize services; it performs  the  delivery
     of  services  authorized by an external authorization server via a AAA
     protocol.  Since a user's authorization profile  is  a  reflection  of
     policy, the NAS can be regarded as a Policy Enforcement Point for net-
     work access.   The AAA protocol communicates profile information  from
     the  AAA  server,  which  acts as the Policy Decision Point for network
     access.  Since policy is a  reflection  of  business  rules  that  may
     change arbitrarily, and authorization profiles may grow to include new
     functionality as it arises, the AAA protocol MUST provide  a  built-in
     extension  mechanism  for  adding  new  types of authorization profile
     information to be transmitted to the NAS.
     
     Authorization is performed based on  user  identity  and  affiliation,
     policy  rules,  and  system state.   User identity and affiliation are
     commonly derived from the Network Access  Identifier  [NAI];  the  AAA
     protocol  MUST support the NAI format for user identity.  System state
     includes information about the NAS itself (such as an identifier or an
     address),  information  about the access medium (such as phone numbers
     and speeds), and real-world information (such as locale  and  time  of
     day).  TO DO: Expand this list in detail: what attributes are required
     in a AAA protocol?
     
     Profile information directs the NAS to deliver  specific  services  to
     the  user.   Examples  of  services  are IP address filtering, address
     assignment, route  assignment,  QoS/differential  services,  bandwidth
     control/traffic   management,   compulsory  tunneling  to  a  specific
     endpoint, and encryption. TO DO: Expand  this  list  in  detail.  What
     attributes are required?
     
     A  user's  requested  or authorized service profile may change dynami-
     cally at any time during a session.  The  AAA  protocol  MUST  support
     dynamic  authorization  at any time during delivery of services to the
     user.
     
     
     
     9.2.3.  Accounting
     
     
     A NAS provides accounting of the resources consumed  and  released  by
     users.  This accounting information is used for a variety of purposes.
     Some of these  purposes  impose  no  restrictions  on  the  timing  of
     accounting;  other  purposes,  such  as  on-line  auditing and dynamic
     resource management, require that accounting information be  transmit-
     ted in real time, as resources are consumed.  Therefore a AAA protocol
     MUST support real-time accounting, and SHOULD support a  batch  method
     of  accounting  when  the  overhead  of  real-time  accounting  is not
     required.
     
     Component failures and data loss may occur at any place in a  network,
     but tracking of resource consumption is required functionality regard-
     less.  Also, tracking of current NAS state is  required  in  order  to
     implement resource management policy.  Since a NAS or a AAA server may
     fail and then come back on line, a AAA protocol MUST support on-demand
     accounting  to  provide recovery.  As a safeguard against data loss, a
     AAA protocol SHOULD support periodic  updates  of  accounting,  rather
     than simply accounting at the beginning and end of a session.
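     To show why the draft asks for real-time, on-demand and periodic
     accounting together, the following added Python example simulates a
     NAS that emits Start, Interim and Stop records and a AAA server that
     consumes them.  It is not part of the draft and does not follow any
     AAA protocol's record format; the record fields, class names and
     method names are constructed for this page.  When the Stop record is
     lost, the server's view of the session is only as stale as the
     interim interval, and the NAS-side snapshot() models on-demand
     accounting after a server restart.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AcctRecord:
    """Constructed accounting record (not a real protocol's layout)."""
    kind: str          # "start", "interim" or "stop"
    session_id: str
    user: str
    timestamp: int     # seconds, from a constructed clock
    octets_in: int
    octets_out: int


class NasAccounting:
    """NAS side: tracks live sessions and decides when a record is due."""

    def __init__(self, interim_interval: int):
        self.interim_interval = interim_interval
        self.sessions = {}   # session_id -> {"user", "last_sent", "in", "out"}

    def start(self, session_id, user, now):
        self.sessions[session_id] = {"user": user, "last_sent": now, "in": 0, "out": 0}
        return AcctRecord("start", session_id, user, now, 0, 0)

    def update(self, session_id, now, octets_in, octets_out):
        """Record current counters; emit an Interim record when the interval
        has elapsed, otherwise None (real-time delivery, bounded overhead)."""
        s = self.sessions[session_id]
        s["in"], s["out"] = octets_in, octets_out
        if now - s["last_sent"] >= self.interim_interval:
            s["last_sent"] = now
            return AcctRecord("interim", session_id, s["user"], now, octets_in, octets_out)
        return None

    def stop(self, session_id, now):
        s = self.sessions.pop(session_id)
        return AcctRecord("stop", session_id, s["user"], now, s["in"], s["out"])

    def snapshot(self, now):
        """On-demand accounting: one Interim record per live session, sent when
        the AAA server asks for current state after an outage."""
        return [AcctRecord("interim", sid, s["user"], now, s["in"], s["out"])
                for sid, s in self.sessions.items()]


class AaaAccountingStore:
    """Server side: keeps the latest counters per session, so a lost Stop
    record only loses the usage accrued after the last Interim."""

    def __init__(self):
        self.active = {}    # session_id -> latest start/interim record
        self.closed = {}    # session_id -> stop record

    def apply(self, rec: AcctRecord):
        if rec.kind == "stop":
            self.active.pop(rec.session_id, None)
            self.closed[rec.session_id] = rec
        else:
            self.active[rec.session_id] = rec

    def concurrent_logins(self, user):
        """Current NAS state needed for a 'no multiple logins' policy."""
        return sum(1 for r in self.active.values() if r.user == user)

    def usage(self, session_id):
        rec = self.closed.get(session_id) or self.active.get(session_id)
        return None if rec is None else (rec.octets_in, rec.octets_out)


def simulate_lost_stop(interim_interval, drop_stop=True):
    """Run one 600-second session with 6000 octets each way, sampled every
    60 s; return the usage the server believes occurred."""
    nas, server = NasAccounting(interim_interval), AaaAccountingStore()
    server.apply(nas.start("s1", "alice", 1000))
    for t in range(1, 11):
        rec = nas.update("s1", 1000 + 60 * t, 600 * t, 600 * t)
        if rec is not None:
            server.apply(rec)
    stop = nas.stop("s1", 1600)
    if not drop_stop:
        server.apply(stop)
    return server.usage("s1")
```

     A shorter interim interval bounds the loss more tightly at the cost
     of more records on the wire, which is the trade-off behind the draft's
     SHOULD for periodic updates and its allowance for batch accounting
     where that overhead is not needed.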
     
     
     9.3.  Applications of NAS's
     
     
     
     9.3.1.  Virtual Private Networks
     
     
     NAS's  often  participate  in  VPN's  or provide VPN services to users.
     Examples include dial NAS's building compulsory VPN's, dial NAS's pro-
     viding  services  to  voluntary  VPN users, and tunnel NAS's providing
     tunnel termination services.  If a NAS provides compulsory  VPN's,  it
     MUST  support  the  building  of  L2TP tunnels [L2TP] secured by IPSec
     [L2TP-IPSEC].
     
     
     9.3.2.  Roaming
     
     
     NAS's are often used to provide roaming services.  If a NAS is part of
     a  network that provides roaming, then the AAA protocol that it imple-
     ments MUST  support  roaming  requirements  as  detailed  in  [ROAMING
     REQUIREMENTS].
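     Section 9.2.2 requires the AAA protocol to carry user identity in the
     NAI format, and roaming (this section) depends on the realm part of
     that identity to decide which AAA server answers for a user.  The
     Python below is an added example for this page, not code from the
     draft or from any NAS or AAA product: it parses an NAI into user name
     and realm following the RFC 2486 [NAI] grammar as read for this
     example (the "special" character set and the 72-octet length limit
     are taken from that RFC; both are stated here as this example's
     assumptions), and then routes a request either to the local server or
     to a constructed table of home servers.  Strict parsing matters at
     the NAS because the identity string is attacker-supplied input.

```python
import string

# Character classes from the RFC 2486 grammar as read for this example
# (assumption: "special" is the RFC 821-style list, plus control characters).
_LET_DIG = set(string.ascii_letters + string.digits)
_SPECIAL = set('<>()[]\\.,;:@"') | {chr(c) for c in range(32)} | {chr(127)}
MAX_NAI_OCTETS = 72   # assumption: the NAI length limit stated in RFC 2486


class NaiError(ValueError):
    """Raised when a string is not a well-formed NAI."""


def _check_username(username: str) -> None:
    """dot-string: non-empty runs of permitted chars separated by single dots;
    a backslash quotes any single ASCII character, including specials."""
    if not username:
        raise NaiError("empty username")
    i, seg_len = 0, 0
    while i < len(username):
        ch = username[i]
        if ch == "\\":
            if i + 1 >= len(username):
                raise NaiError("dangling backslash")
            i, seg_len = i + 2, seg_len + 1
        elif ch == ".":
            if seg_len == 0:
                raise NaiError("empty component in username")
            i, seg_len = i + 1, 0
        elif ch == " " or ch in _SPECIAL:
            raise NaiError(f"{ch!r} not allowed unquoted in username")
        else:
            i, seg_len = i + 1, seg_len + 1
    if seg_len == 0:
        raise NaiError("username ends with a dot")


def _check_realm(realm: str) -> None:
    """realm: dot-separated labels of alphanumerics and hyphens, each
    starting and ending with an alphanumeric."""
    if not realm:
        raise NaiError("empty realm after '@'")
    for label in realm.split("."):
        if (not label or label[0] not in _LET_DIG or label[-1] not in _LET_DIG
                or any(c not in _LET_DIG and c != "-" for c in label)):
            raise NaiError(f"bad realm label {label!r}")


def parse_nai(nai: str):
    """Split an NAI into (username, realm); realm is None when absent."""
    try:
        octets = nai.encode("ascii")
    except UnicodeEncodeError:
        raise NaiError("NAI must be ASCII") from None
    if len(octets) > MAX_NAI_OCTETS:
        raise NaiError(f"NAI longer than {MAX_NAI_OCTETS} octets")
    # The realm starts at the first unquoted "@"; a quoted "\@" is username text.
    at, i = None, 0
    while i < len(nai):
        if nai[i] == "\\":
            i += 2
            continue
        if nai[i] == "@":
            at = i
            break
        i += 1
    username, realm = (nai, None) if at is None else (nai[:at], nai[at + 1:])
    _check_username(username)
    if realm is not None:
        _check_realm(realm)
    return username, realm


def is_valid_nai(nai: str) -> bool:
    try:
        parse_nai(nai)
        return True
    except NaiError:
        return False


# Constructed routing tables (assumption): realms this NSP serves itself,
# and the home AAA server for each roaming partner realm.
LOCAL_REALMS = {"isp.example"}
HOME_SERVERS = {"corp.example": "aaa.corp.example",
                "partner.example": "aaa.partner.example"}


def route_access_request(nai: str):
    """Return ("local", username) or ("proxy", home_server) for the NAI's realm."""
    username, realm = parse_nai(nai)
    if realm is None or realm.lower() in LOCAL_REALMS:
        return ("local", username)
    home = HOME_SERVERS.get(realm.lower())
    if home is None:
        raise NaiError(f"no home AAA server for realm {realm!r}")
    return ("proxy", home)
```

     Rejecting an NAI with an unknown realm, rather than falling back to
     the local user database, keeps a roaming proxy from being turned into
     a password-guessing path against local accounts by users who present
     a realm the NSP does not serve.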
     
     
     10.  Acknowledgements
     
     
     Some of the text in this document is taken from [ROUTER REQUIREMENTS],
     and many thanks go to its author.  Thanks also to Dave Mitton  of  Bay
     Networks and Rich Petke of MCI WorldCom for many useful discussions of
     this problem space.
     
     
     11.  References
     
     
     [SNMP]  J. Case, M. Fedor, M. Schoffstall, and  J.  Davin.  "A  Simple
     Network  Management Protocol (SNMP)." RFC 1157, SNMP Research, Perfor-
     mance Systems International, Performance  Systems  International,  and
     MIT Laboratory for Computer Science, May 1990.
     
     [PPP]   W.  Simpson.  "The  Point-to-Point Protocol (PPP)."  RFC 1661,
     Daydreamer, July 1994.
     
     [KEYWORDS] S. Bradner.   "Key  words  for  use  in  RFCs  to  Indicate
     Requirement Levels."  RFC 2119, Harvard University, March 1997.
     
     [ROUTER  REQUIREMENTS]  F.  Baker.   "Requirements  for  IP  Version 4
     Routers."  RFC 1812, Cisco Systems, June 1995.
     
     [L2TP] W. M. Townsley, et al.  "Layer Two Tunneling Protocol  (L2TP)."
     Work in progress.
     
     [PPP  CHAP]  W. Simpson.  "PPP Challenge Handshake Authentication Pro-
     tocol (CHAP)."  RFC 1994, Daydreamer, August 1996.
     
     [EAP] L. Blunk, J. Vollbrecht.  "PPP Extensible Authentication  Proto-
     col (EAP)."  RFC 2284, Merit Network, Inc., March 1998.
     
     [NAI]   B.  Aboba,  M. Beadles.  "The Network Access Identifier."  RFC
     2486, Microsoft, WorldCom Advanced Networks, January 1999.
     
     [ROAMING REQUIREMENTS] B. Aboba, G. Zorn.   "Criteria  for  Evaluating
     Roaming Protocols."  RFC 2477, Microsoft, January 1999.
     
     [L2TP-IPSEC]  B.  Patel, B. Aboba.  "Securing L2TP using IPSec."  Work
     in progress.
     
     
     12.  Author's Address
     
     
     
     Mark Anthony Beadles
     MCI WorldCom
     
     
     
     5000 Britton Rd.
     Hilliard, OH 43026
     
     Phone: 614-723-1941
     EMail: mbeadles@wcom.net
     
     
     
     13.  Full Copyright Statement
     
     
     Copyright (C) The Internet Society (1999).  All Rights Reserved.
     
     This document and translations of it may be copied  and  furnished  to
     others,  and  derivative works that comment on or otherwise explain it
     or assist in its implementation may be prepared, copied, published  and
     distributed,  in  whole  or  in part, without restriction of any kind,
     provided that the  above  copyright  notice  and  this  paragraph  are
     included on all such copies and derivative works.  However, this docu-
     ment itself may not be modified in any way, such as  by  removing  the
     copyright notice or references to the Internet Society or other Inter-
     net organizations, except as needed  for  the  purpose  of  developing
     Internet standards in which case the procedures for copyrights defined
     in the Internet Standards process must be followed, or as required  to
     translate it into languages other than   English.  The limited permis-
     sions granted above are perpetual and  will  not  be  revoked  by  the
     Internet  Society or its successors or assigns.  This document and the
     information contained herein is provided on an "AS IS" basis  and  THE
     INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL
     WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY  WAR-
     RANTY  THAT  THE  USE  OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY
     RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS  FOR  A
     PARTICULAR PURPOSE."
     
     
     14.  Expiration Date
     
     
     This  document  is  filed  as <draft-ietf-nasreq-criteria-00.txt>, and
     expires August 25, 1999.
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     