NASREQ Working Group                                          M. Beadles
INTERNET-DRAFT                                              MCI WorldCom
Category: Informational                                 25 February 1999

          Criteria for Evaluating Network Access Server Protocols

1. Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   The distribution of this draft is unlimited. It is filed as and
   expires August 25, 1999. Please send comments to the author.

2. Copyright Statement

   Copyright (C) The Internet Society 1999. All Rights Reserved.

3. Abstract

   This document defines and analyzes requirements for modern Network
   Access Servers (NAS). The NAS is the initial entry point to a network
   for the majority of users of network services. It is the first device
   in the network to provide services and enforce policy for an end
   user, and acts as a gateway for all further services. As such, its
   importance to users and service providers alike is paramount.
   However, the concept of a NAS has grown up over the years without a
   formal definition or framework for analysis. This document defines a
   NAS, analyzes the functionality of NAS's, and sets requirements for
   protocols that provide this functionality.
   Functions provided adequately by already standardized protocols will
   be documented as such.

4. Requirements language

   In this document, the key words "MAY", "MUST", "MUST NOT",
   "optional", "recommended", "SHOULD", and "SHOULD NOT" are to be
   interpreted as described in [KEYWORDS].

5. Introduction

   This document defines a Network Access Server (NAS), analyzes the
   functionality of NAS's, and sets requirements for protocols that
   provide this functionality.

   This document does not define what a NAS must do. Rather, it defines
   how a NAS must do what it does if it chooses to. That is, it does not
   set functional requirements, but sets requirements for protocols or
   systems that provide functionality. Implementors may choose not to
   provide certain features at their discretion.

   This document makes reference to many standard protocols that a NAS
   will use. This document incorporates by reference the RFC's and other
   documents describing the current specifications for these protocols.
   It adds additional discussion and guidance for implementors of these
   protocols where they apply to a NAS. Where existing protocols meet
   these requirements, they will be noted. In particular, [ROUTER
   REQUIREMENTS] is referred to as a primary source for requirements and
   implementation of the routing functionality of a NAS.

   Note that, although NAS's often support more than one protocol
   suite, this document is only concerned with requirements for NAS's
   that use the TCP/IP protocol suite.

6. Definition of a Network Access Server

   A Network Access Server is a device which sits on the edge of a
   network, and provides access to services on that network in a
   controlled fashion, based on the identity of the user of the network
   services in question. For the purposes of this document, a Network
   Access Server is a device which accepts multiple point-to-point [PPP]
   links on one set of interfaces, providing access to a routed TCP/IP
   network or networks on another set of interfaces.
   Examples of Network Access Servers include:

      A remote access server which provides access to a private network
      via attached modems which are directly dialed by the user.

      A tunneling server which sits at the border of a protected
      network, and acts as a gateway for users to enter the protected
      network from the Internet.

      A shared commercial dial access server operated by a Network
      Service Provider, where incoming users connect via modems operated
      by a Telephone Service Provider, and access is provided to many
      dissimilar private and public networks, including the Internet.

      A broadband access server which provides authenticated access to
      the Internet for users connecting via point-to-point links over
      broadband media such as xDSL or cable modems.

   Note that there are many things that a Network Access Server is not.
   A NAS is not just a router, although all NAS's are routers. A NAS is
   not necessarily a dial access server, although dial access is one
   common means of network access, and brings its own particular set of
   requirements to NAS's.

   A NAS is the first device in the network to provide services to an
   end user and acts as a gateway for all further services. It is the
   point at which users are authenticated, access policy is enforced,
   network services are authorized, network usage is audited, and
   resource consumption is tracked. That is, a NAS acts as the Policy
   Enforcement Point (PEP) for network AAA (authentication,
   authorization, and accounting) services. A NAS is typically the first
   place in a network where security measures and policy may be
   implemented.

7. Interested parties

   The following are examples of parties who are concerned with the
   operation of Network Access Servers. This list is by no means
   exhaustive.
      Network Service Providers (NSPs) who operate and manage NAS's, AAA
      servers, policy servers, and networks; and who provide network
      services to end users.

      End users who gain access to their private and public networks
      through NAS's.

      Businesses and other entities who operate NAS's for their users'
      public and private network access, or who outsource the operation
      and management of NAS's to a NSP.

      Telephone Service Providers (TSPs) who operate and manage modems
      and telephony networks; and who provide telephony services to end
      users, NSP's, and businesses.

      Manufacturers of NAS's, AAA servers, policy servers, modems, etc.

8. Reference Model of a NAS

   For reference in discussion of NAS requirements, a diagram of a NAS,
   its dependencies, and its interfaces is given below. This diagram is
   intended as an abstraction of a NAS as a reference model, and is not
   intended to represent any particular NAS implementation.

                                Users
                      v   v   v   v   v   v   v
                      |   |   Telco   |   |   |
                      |   |     or    |   |   |  encapsulated
                     +-------------------------+
                     |    Modems or Virtual    |
                     +-------------------------+
                      |   |   |   |   |   |   |
                      |   |   |   |   |   |   |
                   +--+---------------------------------+
                   |N |        Client Interface         |
                   |A +-------------Routing-------------+
                   |S |        Network Interface        |
                   +--+---------------------------------+
                        /             |             \
                       /              |              \
                      /               |               \
          POLICY MANAGEMENT           |           DEVICE MANAGEMENT
         +----------------+         _/^\_        +---------------------+
         | Authentication |       _/     \_      | Device Provisioning |
         +----------------+     _/         \_    +---------------------+
         | Authorization  |    /    The     \    | Device Monitoring   |
         +----------------+    \_ Network(s)_/   +---------------------+
         | Accounting     |      \_       _/
         +----------------+        \_   _/
                                     \_/

8.1. Description of Model Elements

   Following is a description of the modules and interfaces in the
   reference model for a NAS given above:

   Client Interfaces
      A NAS has one or more client interfaces, which provide the
      interface to the end users who are requesting network access.
      Users may connect to these client interfaces via modems over a
      switched telephone network, via encapsulated tunnels over a data
      network, or by some similar means.

   Network Interfaces
      A NAS has one or more network interfaces, which connect to the
      TCP/IP networks to which access is being granted.

   Routing
      Since this document assumes that the network to which access is
      being granted is a routed TCP/IP network, a NAS includes routing
      functionality.

   Policy Management Interface
      Policy is defined as a set of business rules for operation of a
      network, applied here to the authorization of network access. The
      specific application of policy rules depends on user identity and
      the current network state. A NAS provides an interface which
      allows access to network services to be managed on a per-user,
      per-session basis. Although this interface historically may have
      been a configuration file, a graphical user interface, or an API,
      this document assumes that a AAA protocol provides this interface.
      This interface provides a mechanism for granular resource
      management and policy enforcement.

   Authentication
      Authentication refers to the confirmation that a user who is
      requesting services is a valid user of the network services
      requested. Authentication does not establish that a user is
      authorized to receive any services; it just establishes who the
      user is to a predetermined degree of certainty. Authentication is
      accomplished via the presentation of an identity and credentials.
      Examples of types of credentials are passwords, one-time tokens,
      digital certificates, and phone numbers (calling/called).
   Authorization
      Authorization refers to the granting of specific types of service
      (including "no service") to a user, based on their authentication,
      what services they are requesting, and the current system state.
      Authorization may be based on restrictions, for example
      time-of-day restrictions, or physical location restrictions, or
      restrictions against multiple logins by the same user.
      Authorization determines the nature of the service which is
      granted to a user. Examples of types of service include, but are
      not limited to: IP address filtering, address assignment, route
      assignment, QoS/differential services, bandwidth control/traffic
      management, compulsory tunneling to a specific endpoint, and
      encryption.

   Accounting
      Accounting refers to the tracking of the consumption of resources
      by users. This information may be used for management, planning,
      billing, auditing, or other purposes. Real-time accounting refers
      to accounting information that is delivered concurrently with the
      consumption of the resources. Batch accounting refers to
      accounting information that is saved until it is delivered at a
      later time. Typical information that is gathered in accounting is
      the identity of the user, the nature of the service delivered,
      when the service began, and when it ended.

   AAA Server
      A AAA Server is a server or servers that provide authentication,
      authorization, and accounting services. These may be colocated
      with the NAS, but this document assumes they are located on a
      separate server and communicate with the NAS's User Management
      Interface via a AAA protocol. The three AAA functions may be
      located on a single server, or may be broken up among multiple
      servers.

   Device Management Interface
      A NAS is a network device which is owned, operated, and managed by
      some entity. This interface provides a means for this entity to
      operate, manage, and maintain the NAS.
      This is a logically separate function from policy management, and
      in fact separate entities may manage the policy and the device
      itself. This interface may be a configuration file, a graphical
      user interface, an API, or a protocol such as SNMP [SNMP].

   Device Monitoring
      Device monitoring refers to the tracking of status, activity, and
      usage of the NAS as a network device. It does not mean the
      tracking of individual user activity or status.

   Device Provisioning
      Device provisioning refers to the configurations, settings, and
      control of the NAS as a network device. This means general device
      settings and control, and not the dynamic control that is
      associated with authorizing a particular user to receive services
      within the context of a session.

9. Analysis and Requirements

   Using the reference model above, the following is an analysis of the
   functions of a NAS and requirements for protocols and services to
   perform these functions.

9.1. NAS Interfaces

   NAS's have two basic sets of interfaces; one set provides client
   connections serving individual users, and the other set faces the
   networks on which access is controlled.

9.1.1. Client Interface

   The NAS Client Interface accepts individual point-to-point
   connections. This interface MUST support the Point-to-Point Protocol
   [PPP].

9.1.2. Access Media

   Various access media can be supported by the NAS. They can be divided
   into three types: dial telephony, encapsulated tunnels, and broadband
   media. Dial telephony includes POTS and ISDN and is provided through
   a modem, terminal adapter, or similar device. Encapsulated tunnels
   include Layer Two Tunneling Protocol [L2TP] sessions encapsulating
   PPP, provided through a virtual interface. Broadband media, such as
   xDSL and Cable Modems, can be considered a special case of
   encapsulated media.

9.1.3. Network Interface

   If the network that the NAS controls access on is a routed TCP/IP
   network, a NAS MUST provide routing functionality as defined in
   [ROUTER REQUIREMENTS].

9.2. Services provided by a NAS

9.2.1. Authentication and Security

   A NAS provides authentication services to end users. The NAS does not
   check the user's credentials itself; rather it offloads
   authentication to an external authentication server via a AAA
   protocol. The types of authentication provided by a NAS can range
   from simple identification to advanced multi-phase authentication
   methods. Identification (presentation of some form of identity with
   no supporting credentials) can include presentation of a user name
   alone, or even presentation of no user name at all, relying on (for
   example) a calling phone number to identify a user. Therefore a AAA
   protocol MUST support authentication sessions that carry a user name
   with no password, and authentication sessions that carry no user
   name. For standard authentication by user name and password, a AAA
   protocol MUST support carrying a user name and associated password,
   both in clear text and secured by challenge-response [PPP CHAP].
   Advanced authentication methods such as one-time passwords or digital
   certificates are enabled in PPP by the Extensible Authentication
   Protocol [EAP]. Therefore a AAA protocol MUST support transporting of
   EAP sessions. Since a NAS may need to participate in a public key
   infrastructure, a AAA protocol SHOULD support a standard key exchange
   mechanism.

9.2.2. Authorization and Policy

   A NAS is the initial point where services are authorized to end
   users. The NAS does not itself authorize services; it performs the
   delivery of services authorized by an external authorization server
   via a AAA protocol.
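   The authentication offload of 9.2.1 and the NAI-based identity of
   9.2.2, as an added Python example (the draft itself contains no
   code): the NAS issues the CHAP challenge [PPP CHAP], splits the
   identity per [NAI] to pick the AAA server for the realm, and forwards
   identity, challenge and response for verification, receiving either
   an authorization profile or a refusal. The class names, the user
   "alice", the realm "example.net", the secret and the profile contents
   are constructed for illustration.

```python
# Added example, not part of the draft: a minimal model of 9.2.1/9.2.2.
# The NAS issues a PPP CHAP challenge (RFC 1994), never holds the user
# secret, picks the AAA server by the NAI realm (RFC 2486) and forwards
# challenge/response for verification. All names are hypothetical.
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

def parse_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split an NAI 'user@realm' into (user, realm); realm None if absent."""
    if identity.count("@") > 1 or identity.endswith("@"):
        raise ValueError("malformed NAI: %r" % identity)
    user, sep, realm = identity.partition("@")
    return user, (realm if sep else None)

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

class AAAServer:
    """Policy Decision Point: holds CHAP secrets and authorization profiles."""
    def __init__(self, users: Dict[str, Tuple[bytes, dict]]):
        self.users = users  # user -> (secret, profile returned to the NAS)

    def authenticate(self, user, chap_id, challenge, response):
        entry = self.users.get(user)
        if entry is None:
            return None  # unknown user: no service
        secret, profile = entry
        expected = chap_response(chap_id, secret, challenge)
        # constant-time compare so timing does not leak the digest
        return profile if hmac.compare_digest(expected, response) else None

class NAS:
    """Policy Enforcement Point: offloads the credential check to AAA."""
    def __init__(self, servers: Dict[str, AAAServer], home_realm: str):
        self.servers = servers  # realm -> AAA server (roaming route)
        self.home_realm = home_realm

    def new_challenge(self) -> Tuple[int, bytes]:
        return secrets.randbelow(256), os.urandom(16)

    def access_request(self, identity, chap_id, challenge, response):
        user, realm = parse_nai(identity)
        server = self.servers.get(realm or self.home_realm)
        if server is None:
            return None  # no AAA route for that realm: refuse service
        return server.authenticate(user, chap_id, challenge, response)

def run_scenarios() -> Dict[str, Optional[dict]]:
    """Constructed sample: one user at example.net, three access attempts."""
    aaa = AAAServer({"alice": (b"s3cret", {"ip": "10.0.0.5"})})
    nas = NAS({"example.net": aaa}, home_realm="example.net")
    results = {}
    for name, nai, secret in (("good", "alice@example.net", b"s3cret"),
                              ("wrong_secret", "alice", b"guess"),
                              ("unknown_realm", "alice@other.org", b"s3cret")):
        chap_id, challenge = nas.new_challenge()
        resp = chap_response(chap_id, secret, challenge)  # client side
        results[name] = nas.access_request(nai, chap_id, challenge, resp)
    return results
```

   Note that CHAP verification requires the AAA server to hold the
   user's secret in recoverable form; the NAS only ever sees the
   challenge it generated and the digest the client returns.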
   Since a user's authorization profile is a reflection of policy, the
   NAS can be regarded as a Policy Enforcement Point for network access.
   The AAA protocol communicates profile information from the AAA
   server, which acts as the Policy Decision Point for network access.
   Since policy is a reflection of business rules that may change
   arbitrarily, and authorization profiles may grow to include new
   functionality as it arises, the AAA protocol MUST provide a built-in
   extension mechanism for adding new types of authorization profile
   information to be transmitted to the NAS.

   Authorization is performed based on user identity and affiliation,
   policy rules, and system state. User identity and affiliation are
   commonly derived from the Network Access Identifier [NAI]; the AAA
   protocol MUST support the NAI format for user identity. System state
   includes information about the NAS itself (such as an identifier or
   an address), information about the access medium (such as phone
   numbers and speeds), and real-world information (such as locale and
   time of day).

   TO DO: Expand this list in detail: what attributes are required in a
   AAA protocol?

   Profile information directs the NAS to deliver specific services to
   the user. Examples of services are IP address filtering, address
   assignment, route assignment, QoS/differential services, bandwidth
   control/traffic management, compulsory tunneling to a specific
   endpoint, and encryption.

   TO DO: Expand this list in detail. What attributes are required?

   A user's requested or authorized service profile may change
   dynamically at any time during a session. The AAA protocol MUST
   support dynamic authorization at any time during delivery of services
   to the user.

9.2.3. Accounting

   A NAS provides accounting of the resources consumed and released by
   users. This accounting information is used for a variety of
   purposes.
   Some of these purposes impose no restrictions on the timing of
   accounting; other purposes, such as on-line auditing and dynamic
   resource management, require that accounting information be
   transmitted in real time, as resources are consumed. Therefore a AAA
   protocol MUST support real-time accounting, and SHOULD support a
   batch method of accounting when the overhead of real-time accounting
   is not required.

   Component failures and data loss may occur at any place in a network,
   but tracking of resource consumption is required functionality
   regardless. Also, tracking of current NAS state is required in order
   to implement resource management policy. Since a NAS or a AAA server
   may fail and then come back on line, a AAA protocol MUST support
   on-demand accounting to provide recovery. As a safeguard against data
   loss, a AAA protocol SHOULD support periodic updates of accounting,
   rather than simply accounting at the beginning and end of a session.

9.3. Applications of NAS's

9.3.1. Virtual Private Networks

   NAS's often participate in VPN's or provide VPN services to users.
   Examples include dial NAS's building compulsory VPN's, dial NAS's
   providing services to voluntary VPN users, and tunnel NAS's providing
   tunnel termination services. If a NAS provides compulsory VPN's, it
   MUST support the building of L2TP tunnels [L2TP] secured by IPSec
   [L2TP-IPSEC].

9.3.2. Roaming

   NAS's are often used to provide roaming services. If a NAS is part of
   a network that provides roaming, then the AAA protocol that it
   implements MUST support roaming requirements as detailed in [ROAMING
   REQUIREMENTS].

10. Acknowledgements

   Some of the text in this document is taken from [ROUTER
   REQUIREMENTS], and many thanks go to its author. Thanks also to Dave
   Mitton of Bay Networks and Rich Petke of MCI WorldCom for many useful
   discussions of this problem space.

11. References

   [SNMP] J. Case, M. Fedor, M. Schoffstall, and J. Davin. "A Simple
      Network Management Protocol (SNMP)." RFC 1157, SNMP Research,
      Performance Systems International, Performance Systems
      International, and MIT Laboratory for Computer Science, May 1990.

   [PPP] W. Simpson. "The Point-to-Point Protocol (PPP)." RFC 1661,
      Daydreamer, July 1994.

   [KEYWORDS] S. Bradner. "Key words for use in RFCs to Indicate
      Requirement Levels." RFC 2119, Harvard University, March 1997.

   [ROUTER REQUIREMENTS] F. Baker. "Requirements for IP Version 4
      Routers." RFC 1812, Cisco Systems, June 1995.

   [L2TP] W. M. Townsley, et al. "Layer Two Tunneling Protocol (L2TP)."
      Work in progress.

   [PPP CHAP] W. Simpson. "PPP Challenge Handshake Authentication
      Protocol (CHAP)." RFC 1994, Daydreamer, August 1996.

   [EAP] L. Blunk, J. Vollbrecht. "PPP Extensible Authentication
      Protocol (EAP)." RFC 2284, Merit Network, Inc., March 1998.

   [NAI] B. Aboba, M. Beadles. "The Network Access Identifier." RFC
      2486, Microsoft, WorldCom Advanced Networks, January 1999.

   [ROAMING REQUIREMENTS] B. Aboba, G. Zorn. "Criteria for Evaluating
      Roaming Protocols." RFC 2477, Microsoft, January 1999.

   [L2TP-IPSEC] B. Patel, B. Aboba. "Securing L2TP using IPSec." Work in
      progress.

12. Author's Address

   Mark Anthony Beadles
   MCI WorldCom
   5000 Britton Rd.
   Hilliard, OH 43026

   Phone: 614-723-1941
   EMail: mbeadles@wcom.net

13. Full Copyright Statement

   Copyright (C) The Internet Society (1999). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."

14. Expiration Date

   This document is filed as , and expires August 25, 1999.