Network Working Group                                          B. Aboba
Request for Comments: 2477                                      G. Zorn
Category: Informational                           Microsoft Corporation
                                                           January 1999
        
Network Working Group                                          B. Aboba
Request for Comments: 2477                                      G. Zorn
Category: Informational                           Microsoft Corporation
                                                           January 1999
        

Criteria for Evaluating Roaming Protocols

评估漫游协议的标准

Status of this Memo

本备忘录的状况

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (1999). All Rights Reserved.

版权所有(C)互联网协会(1999年)。版权所有。

1. Abstract
1. 摘要

This document describes requirements for the provisioning of "roaming capability" for dialup Internet users. "Roaming capability" is defined as the ability to use multiple Internet service providers (ISPs), while maintaining a formal, customer-vendor relationship with only one.

本文档描述了为拨号Internet用户提供“漫游功能”的要求。“漫游能力”被定义为使用多个互联网服务提供商(ISP)的能力,同时只与一个ISP保持正式的客户-供应商关系。

2. Introduction
2. 介绍

Operational roaming services are currently providing worldwide roaming capabilities, and these services continue to grow in popularity [1]. Interested parties have included:

运营漫游服务目前提供全球漫游功能,并且这些服务继续受到欢迎[1]。有关人士包括:

Regional Internet Service Providers (ISPs) operating within a particular state or province, looking to combine their efforts with those of other regional providers to offer services over a wider area.

区域互联网服务提供商(ISP)在特定州或省内运营,希望将其努力与其他区域提供商的努力结合起来,在更广泛的领域提供服务。

National ISPs wishing to combine their operations with those of one or more ISPs in another nation to provide greater coverage in a group of countries or on a continent.

希望将其业务与另一个国家的一家或多家ISP的业务相结合的国家ISP,以便在一组国家或一个大陆上提供更大的覆盖范围。

Businesses desiring to offer their employees a comprehensive package of dialup services on a global basis. Those services can include Internet access as well as secure access to corporate intranets via a Virtual Private Network (VPN).

希望在全球范围内为员工提供全面的拨号服务的企业。这些服务包括互联网接入以及通过虚拟专用网(VPN)安全访问公司内部网。

This document provides an architectural framework for the provisioning of roaming capabilities, as well as describing the requirements that must be met by elements of the architecture.

本文档提供了提供漫游功能的体系结构框架,并描述了体系结构元素必须满足的要求。

2.1. Requirements language
2.1. 需求语言

In this document, the key words "MAY", "MUST, "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as described in [4].

在本文件中,关键词“可能”、“必须”、“不得”、“可选”、“建议”、“应该”和“不应该”的解释如[4]所述。

Please note that the requirements specified in this document are to be used in evaluating protocol submissions. As such, the requirements language refers to capabilities of these protocols; the protocol documents will specify whether these features are required, recommended, or optional for use in roaming. For example, requiring that a protocol support confidentiality is NOT the same thing as requiring that all protocol traffic be encrypted.

请注意,本文件中规定的要求将用于评估协议提交。因此,需求语言指的是这些协议的能力;协议文档将指定在漫游中使用这些功能是必需的、推荐的还是可选的。例如,要求协议支持保密性与要求对所有协议通信量进行加密不同。

A protocol submission is not compliant if it fails to satisfy one or more of the must or must not requirements for the capabilities that it implements. A protocol submission that satisfies all the must, must not, should and should not requirements for its capabilities is said to be "unconditionally compliant"; one that satisfies all the must and must not requirements but not all the should or should not requirements for its protocols is said to be "conditionally compliant."

如果协议提交未能满足其实现的功能的一个或多个必须或不得要求,则该协议提交不符合要求。满足其能力的所有必须、不得、应该和不应该要求的协议提交称为“无条件符合”;满足其协议的所有必须和不得要求,但并非所有应该或不应该要求的协议称为“有条件兼容”

2.2. Terminology
2.2. 术语

This document frequently uses the following terms:

本文件经常使用以下术语:

phone book This is a database or document containing data pertaining to dialup access, including phone numbers and any associated attributes.

电话簿这是一个数据库或文档,包含有关拨号访问的数据,包括电话号码和任何相关属性。

phone book server This is a server that maintains the latest version of the phone book. Clients communicate with phone book servers in order to keep their phone books up to date.

电话簿服务器这是一台维护电话簿最新版本的服务器。客户机与电话簿服务器通信,以使其电话簿保持最新。

Network Access Server The Network Access Server (NAS) is the device that clients dial in order to get access to the network.

网络访问服务器网络访问服务器(NAS)是客户端拨号以访问网络的设备。

Authentication server This is a server which provides for authentication/authorization within the roaming architecture.

身份验证服务器这是一个在漫游体系结构中提供身份验证/授权的服务器。

Accounting server This is a server which provides for accounting within the roaming architecture.

记帐服务器这是一个在漫游体系结构中提供记帐功能的服务器。

Authentication proxy Authentication proxies may be deployed within the roaming architecture for several purposes, including authentication forwarding, policy implementation, shared secret management, and attribute editing. To the NAS, the authentication proxy appears to act as an authentication server; to the authentication server, the proxy appears to act as an authentication client.

身份验证代理身份验证代理可以出于多种目的部署在漫游体系结构中,包括身份验证转发、策略实现、共享秘密管理和属性编辑。对于NAS,身份验证代理似乎充当身份验证服务器;对于身份验证服务器,代理似乎充当身份验证客户端。

Accounting proxy Accounting proxies may be deployed within the roaming architecture for several purposes, including accounting forwarding, reliability improvement, auditing, and "pseudo-transactional" capability. To the NAS, the accounting proxy appears to act as an accounting server; to the accounting server, the proxy appears to act as an accounting client.

记帐代理记帐代理可在漫游体系结构中部署用于多种目的,包括记帐转发、可靠性改进、审核和“伪事务”功能。对于NAS,记帐代理似乎充当记帐服务器;对于记帐服务器,代理似乎充当记帐客户端。

Network Access Identifier In order to provide for the routing of authentication and accounting packets, user name MAY contain structure. This structure provides a means by which the authentication or accounting proxies will locate the authentication or accounting server that is to receive the request.

网络访问标识符为了提供身份验证和计费数据包的路由,用户名可以包含结构。此结构提供了一种方式,身份验证或记帐代理将通过该方式定位要接收请求的身份验证或记帐服务器。

3. Architectural framework
3. 建筑框架

The roaming architecture consists of three major subsystems:

漫游体系结构由三个主要子系统组成:

Phone book Subsystem Authentication Subsystem Accounting Subsystem

电话簿子系统认证子系统计费子系统

The phone book subsystem is concerned with the maintenance and updating of the user phone book. The phone book provides the user with information on the location and phone numbers of Points of Presence (POPs) that are roaming enabled. The function of the authentication subsystem is to provide authorized users with access to the POPs in the phonebook, and to deny access to unauthorized users. The goal of the accounting subsystem is to provide information on the resources utilized during the user's session.

电话簿子系统负责维护和更新用户电话簿。电话簿向用户提供启用漫游功能的存在点(POP)的位置和电话号码信息。认证子系统的功能是为授权用户提供对电话簿中POP的访问权限,并拒绝未授权用户的访问。记帐子系统的目标是提供有关用户会话期间使用的资源的信息。

3.1. Phone Book Subsystem
3.1. 电话簿子系统

The phone book subsystem provides for the following:

电话簿子系统提供以下功能:

Phone number presentation Phone number exchange Phone book compilation Phone book update

电话号码演示电话号码交换电话簿编辑电话簿更新

Phone number presentation Phone number presentation involves the display of available phone numbers to the user, and culminates in the choosing of a number. Since the user interface and sequence of events involved in phone number presentation is a function of the connection management software being used, it is likely that individual vendors will take different approaches to the problem. These differences can include variances in the format of the client phone books, varying approaches to presentation, etc. There is no inherent problem with this. As a result, phone number presentation need not be standardized.

电话号码显示电话号码显示包括向用户显示可用的电话号码,并最终选择一个号码。由于电话号码显示中涉及的用户界面和事件顺序是所使用的连接管理软件的一项功能,因此各个供应商可能会采取不同的方法来解决该问题。这些差异可能包括客户电话簿格式的差异、演示方法的差异等。这没有内在的问题。因此,电话号码表示不需要标准化。

Phone number exchange Phone number exchange involves propagation of phone number changes between providers in a roaming association. Current roaming implementations do not provide for complete automation of the phone number exchange process [1]. As a result, phone number exchange need not be standardized at this time.

电话号码交换电话号码交换涉及在漫游关联中的提供商之间传播电话号码更改。当前的漫游实施不提供电话号码交换过程的完全自动化[1]。因此,目前电话号码交换不需要标准化。

Phone book compilation Once an ISP's phone book server has received its updates it needs to compile a new phone book and propagate this phone book to all the phone book servers operated by that ISP. Given that the compilation process does not affect protocol interoperability, it need not be standardized.

电话簿编译ISP的电话簿服务器收到更新后,需要编译新的电话簿,并将此电话簿传播到该ISP操作的所有电话簿服务器。鉴于编译过程不影响协议互操作性,因此无需对其进行标准化。

Phone book update Once the phone book is compiled, it needs to be propagated to users. Standardization of the phone book update process allows for providers to update user phone books, independent of their client software or operating system.

电话簿更新一旦电话簿被编译,就需要将其传播给用户。电话簿更新过程的标准化允许提供商独立于其客户端软件或操作系统更新用户电话簿。

3.2. Authentication Subsystem
3.2. 认证子系统

The authentication subsystem provides for the following:

身份验证子系统提供以下功能:

Connection management Authentication NAS Configuration/Authorization Address Assignment/Routing Security

连接管理身份验证NAS配置/授权地址分配/路由安全

Connection management In order to be able to use the POPs of the local provider, it is first necessary to bring up a connection.

连接管理为了能够使用本地提供商的POP,首先需要建立连接。

Identification Authentication consists of two parts: the claim of identity (or identification) and the proof of the claim (or verification). As part of the authentication process, users identify themselves to the Network Access Server (NAS) in a manner that allows the authentication request to be routed its home destination.

身份认证由两部分组成:身份声明(或身份证明)和声明证明(或验证)。作为身份验证过程的一部分,用户以允许将身份验证请求路由到其主目的地的方式向网络访问服务器(NAS)标识自己。

Authentication Authentication is typically required prior to allowing access to the network. CHAP [8] and PAP [9] are the two authentication protocols most commonly used within the PPP [10] framework today. Some groups of users are requiring different forms of proof of identity (e.g., token or smart cards, Kerberos credentials, etc.) for special purposes (such as acquiring access to corporate intranets). The Extensible Authentication Protocol (EAP) [7] was created in order to provide a general mechanism for support of these methods.

在允许访问网络之前,通常需要进行身份验证。CHAP[8]和PAP[9]是目前PPP[10]框架中最常用的两种身份验证协议。某些用户组出于特殊目的(如获取对公司内部网的访问权)需要不同形式的身份证明(例如令牌或智能卡、Kerberos凭据等)。创建可扩展身份验证协议(EAP)[7]是为了提供支持这些方法的通用机制。

NAS configuration/authorization In order to set up the session, authorization parameters need to be sent to from the home authentication server to the local ISP's NAS.

NAS配置/授权为了设置会话,需要将授权参数从家庭身份验证服务器发送到本地ISP的NAS。

Address assignment/routing If it is desired that the user be able to communicate with the rest of the Internet, then the session will be assigned a routable IP address by the NAS.

地址分配/路由如果希望用户能够与Internet的其余部分通信,则NAS将为会话分配一个可路由的IP地址。

Security In the process of authenticating and authorizing the user session, it may be desirable to provide protection against a variety of security threats.

安全性在认证和授权用户会话的过程中,可能需要针对各种安全威胁提供保护。

3.3. Accounting Subsystem
3.3. 会计子系统

The function of the accounting subsystem is to enable the participants in the roaming consortium to keep track of what resources are used during a session. Relevant information includes how long the user was connected to the service, connection speed, port type, etc.

计费子系统的功能是使漫游联盟的参与者能够跟踪会话期间使用的资源。相关信息包括用户连接服务的时间、连接速度、端口类型等。

4. Roaming Requirements
4. 漫游要求
4.1. Phonebook requirements
4.1. 电话簿要求
4.1.1. Phone book update protocol
4.1.1. 电话簿更新协议

Portability The update protocol MUST allow for updating of clients on a range of platforms and operating systems. Therefore the update mechanism MUST NOT impose any operating system-specific requirements.

可移植性更新协议必须允许在一系列平台和操作系统上更新客户端。因此,更新机制不得强加任何特定于操作系统的要求。

Authentication The client MUST be able to determine the authenticity of the server sending the phone book update. The server MAY also be able to authenticate the client.

身份验证客户端必须能够确定发送电话簿更新的服务器的真实性。服务器还可以对客户端进行身份验证。

Versioning The update protocol MUST provide for updating of the phone book from an arbitrary previous version to the latest available version.

更新协议的版本控制必须提供将电话簿从任意先前版本更新到最新可用版本的功能。

Integrity Checking The client MUST be able to determine the integrity of the received update before applying it, and MUST be able to determine the integrity of the newly produced phone book after updating it.

完整性检查客户端必须能够在应用之前确定接收到的更新的完整性,并且必须能够在更新之后确定新生成的电话簿的完整性。

Light weight transfers Since the client may be a low-end machine or internet appliance, the update protocol MUST be lightweight.

轻量级传输由于客户端可能是低端计算机或internet设备,因此更新协议必须是轻量级的。

Language support The phone book update mechanism MUST support the ability to request that the phone book be transmitted in a particular language and character set. For example, if the customer has a Russian language software package, then the propagation and update protocols MUST provide a mechanism for the user to request a Russian language phone book.

语言支持通讯录更新机制必须支持请求以特定语言和字符集传输通讯录的功能。例如,如果客户有俄语软件包,则传播和更新协议必须为用户提供请求俄语电话簿的机制。

4.1.2. Phone book format
4.1.2. 电话簿格式

Phone number attributes The phone book format MUST support phone number attributes commonly used by Internet service providers. These attributes are required in order to provide users with information on the capabilities of the available phone numbers.

电话号码属性电话簿格式必须支持Internet服务提供商常用的电话号码属性。这些属性是必需的,以便向用户提供有关可用电话号码功能的信息。

Provider attributes In addition to providing information relating to a given phone number, the phone book MUST provide information on the individual

提供商属性除了提供与给定电话号码相关的信息外,电话簿还必须提供有关个人的信息

roaming consortium members. These attributes are required in order to provide users with information about the individual providers in the roaming consortium.

漫游联盟成员。这些属性是为用户提供漫游联盟中各个提供商的信息所必需的。

Service attributes In addition to providing information relating to a given phone number, and service provider, the phone book MUST provide information relevant to configuration of the service. These attributes are necessary to provide the client with information relating to the operation of the service.

服务属性除了提供与给定电话号码和服务提供商相关的信息外,电话簿还必须提供与服务配置相关的信息。这些属性是向客户机提供与服务操作相关的信息所必需的。

Extensibility Since it will frequently be necessary to add phone book attributes, the phone book format MUST support the addition of phone number, provider and service attributes without modification to the update protocol. Registration of new phone book attributes will be handled by IANA. The attribute space MUST be sufficiently large to accomodate growth.

扩展性由于经常需要添加电话簿属性,因此电话簿格式必须支持添加电话号码、提供商和服务属性,而无需修改更新协议。新电话簿属性的注册将由IANA处理。属性空间必须足够大,以容纳增长。

Compactness Since phone book will typically be frequently updated, the phone book format MUST be compact so as to minimize the bandwidth used in updating it.

紧凑性由于电话簿通常会频繁更新,因此电话簿格式必须紧凑,以尽量减少更新时使用的带宽。

4.2. Authentication requirements
4.2. 认证要求
4.2.1. Connection Management
4.2.1. 连接管理

Given the current popularity and near ubiquity of PPP, a roaming standard MUST provide support for PPP and IP. A roaming standard MAY provide support for other framing protocols such as SLIP. However, SLIP support is expected to prove difficult since SLIP does not support negotiation of connection parameters and lacks support for protocols other than IP.

鉴于PPP目前的流行和几乎无处不在,漫游标准必须为PPP和IP提供支持。漫游标准可以提供对其他帧协议(例如SLIP)的支持。然而,由于SLIP不支持连接参数的协商,并且不支持IP以外的协议,因此SLIP支持预计将很难实现。

A roaming standard MAY provide support for non-IP protocols (e.g., IPX or AppleTalk) since these may be useful for the provision of corporate intranet access via the Internet. Since it is intended that the client will begin PPP negotiation immediately on connection, support for scripting SHOULD NOT be part of a roaming standard.

漫游标准可提供对非IP协议(例如IPX或AppleTalk)的支持,因为这些协议可用于通过Internet提供公司内部网访问。由于客户端将在连接时立即开始PPP协商,因此对脚本的支持不应成为漫游标准的一部分。

4.2.2. Identification
4.2.2. 识别

A roaming standard MUST provide a standardized format for the userID and realm presented to the NAS.

漫游标准必须为提供给NAS的用户ID和领域提供标准格式。

4.2.3. Verification of Identity
4.2.3. 身份验证

Authentication types A roaming standard MUST support CHAP, and SHOULD support EAP. Due to security concerns, PAP authentication SHOULD NOT be supported. A possible exception is where PAP is used to support a one time password or token.

身份验证类型漫游标准必须支持CHAP,并且应支持EAP。出于安全考虑,不应支持PAP身份验证。一个可能的例外是PAP用于支持一次性密码或令牌。

Scalability A roaming standard, once available, is likely to be widely deployed on the Internet. A roaming standard MUST therefore provide sufficient scalability to allow for the formation of roaming associations with thousands of ISP members.

可扩展性漫游标准一旦可用,很可能会在互联网上广泛部署。因此,漫游标准必须提供足够的可扩展性,以允许与数千名ISP成员形成漫游关联。

RADIUS Support Given the current popularity and near ubiquity of RADIUS [2,3] as an authentication, authorization and accounting solution, a roaming standard MUST be able to incorporate RADIUS-enabled devices within the roaming architecture. It is expected that this will be accomplished by development of gateways between RADIUS and the roaming standard authentication, authorization, and accounting protocol.

RADIUS支持鉴于RADIUS[2,3]作为身份验证、授权和计费解决方案的当前流行程度和几乎无处不在,漫游标准必须能够在漫游体系结构中包含启用RADIUS的设备。预计这将通过开发RADIUS和漫游标准认证、授权和计费协议之间的网关来实现。

4.2.4. NAS Configuration/Authorization
4.2.4. NAS配置/授权

In order to ensure compatibility with the NAS or the local network, authentication/authorization proxies often will add, delete, or modify attributes returned by the home authentication server. In addition, an authentication proxy will often carry out resource management and policy functions. As a result, a roaming standard MUST support the ability of proxies to perform attribute editing and implement policy.

为了确保与NAS或本地网络的兼容性,身份验证/授权代理通常会添加、删除或修改家庭身份验证服务器返回的属性。此外,身份验证代理通常执行资源管理和策略功能。因此,漫游标准必须支持代理执行属性编辑和实现策略的能力。

4.2.5. Address assignment/routing
4.2.5. 地址分配/路由

A roaming standard MUST support dynamic address assignment. Static address assignment MAY be supported, most likely via layer 2 or layer 3 tunneling.

漫游标准必须支持动态地址分配。可以支持静态地址分配,最有可能通过第2层或第3层隧道。

Layer 2 tunneling protocols Layer-2 tunneling protocols, such as PPTP, L2F, or L2TP, hold great promise for the implementation of Virtual Private Networks as a means for inexpensive access to remote networks. Therefore proxy implementations MUST NOT preclude use of layer 2 tunneling.

第二层隧道协议第二层隧道协议,如PPTP、L2F或L2TP,对于实现虚拟专用网络作为廉价访问远程网络的手段具有巨大的前景。因此,代理实现不能排除第2层隧道的使用。

Layer 3 tunneling protocols Layer-3 tunneling protocols as embodied in Mobile IP [5], hold great promise for providing "live", transparent mobility on the

第三层隧道协议第三层隧道协议体现在移动IP[5]中,对于在网络上提供“实时、透明的移动性”有着巨大的希望

part of mobile nodes on the Internet. Therefore, a roaming standard MUST NOT preclude the provisioning of Mobile IP Foreign Agents or other Mobile IP functionality on the part of service providers.

互联网上的部分移动节点。因此,漫游标准不得排除服务提供商提供移动IP外部代理或其他移动IP功能。

4.2.6. Security
4.2.6. 安全

Security analysis A roaming standard MUST include a thorough security analysis, including a description of security threats and countermeasures. This includes specification of mechanisms for fraud prevention and detection.

安全分析漫游标准必须包括全面的安全分析,包括安全威胁和对策的描述。这包括欺诈预防和检测机制的规范。

Hop by hop security A roaming standard MUST provide for hop-by-hop integrity protection and confidentiality. This MAY be accomplished through support of network layer security (IPSEC) [6].

逐跳安全漫游标准必须提供逐跳完整性保护和机密性。这可以通过支持网络层安全(IPSEC)[6]来实现。

End-to-end security As policy implementation and attribute editing are common in roaming systems, proxies may need to modify packets in transit between a local NAS and the home server. In order to permit authorized modifications while at the same time guarding against attacks by rogue proxies, it is necessary for a roaming standard to support data object security. As a result, a roaming standard MUST provide end-to-end confidentiality and integrity protection on an attribute-by-attribute basis. However, non-repudiation is NOT a requirement for a roaming standard.

端到端安全由于策略实施和属性编辑在漫游系统中很常见,代理可能需要修改本地NAS和家庭服务器之间传输的数据包。为了允许授权修改,同时防止恶意代理的攻击,漫游标准必须支持数据对象安全。因此,漫游标准必须逐属性提供端到端的机密性和完整性保护。然而,不可否认性不是漫游标准的要求。

4.3. Accounting requirements
4.3. 会计要求

Real-time accounting In today's roaming implementations, real-time accounting is a practical necessity in order to support fraud detection and risk management. As a result, a roaming standard MUST provide support for real-time accounting.

实时会计在当今的漫游实施中,实时会计是支持欺诈检测和风险管理的实际需要。因此,漫游标准必须支持实时计费。

Accounting record formats Today there is no proposed standard for NAS accounting, and there is wide variation in the protocols used by providers to communicate accounting information within their own organizations. Therefore, a roaming standard MUST prescribe a standardized format for accounting records. For the sake of efficiency, the record format MUST be compact.

会计记录格式目前还没有针对NAS会计的拟议标准,提供商在其组织内交流会计信息所使用的协议也存在很大差异。因此,漫游标准必须规定会计记录的标准格式。为了提高效率,记录格式必须紧凑。

Extensibility A standard accounting record format MUST be able to encode metrics commonly used to determine the user's bill. Since these metrics

扩展性标准会计记录格式必须能够对通常用于确定用户账单的指标进行编码。因为这些指标

change over time, the accounting record format MUST be extensible so as to be able to add future metrics as they come along. The record format MUST support both standard metrics as well as vendor-specific metrics.

随着时间的推移,会计记录格式必须是可扩展的,以便能够添加未来的指标。记录格式必须支持标准度量和供应商特定度量。

5. References
5. 工具书类

[1] Aboba, B., Lu, J., Alsop, J., Ding, J. and W. Wang, "Review of Roaming Implementations", RFC 2194, September 1997.

[1] Aboba,B.,Lu,J.,Alsop,J.,Ding,J.和W.Wang,“漫游实现的回顾”,RFC 2194,1997年9月。

[2] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997.

[2] Rigney,C.,Rubens,A.,Simpson,W.和S.Willens,“远程认证拨入用户服务(RADIUS)”,RFC 21381997年4月。

[3] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997.

[3] 里格尼,C.,“半径会计”,RFC 21391997年4月。

[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[4] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[5] Perkins, C., "IP Mobility Support", RFC 2002, October 1996.

[5] Perkins,C.,“IP移动支持”,RFC 2002,1996年10月。

[6] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

[6] Kent,S.和R.Atkinson,“互联网协议的安全架构”,RFC 2401,1998年11月。

[7] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication Protocol (EAP)", RFC 2284, March 1998.

[7] Blunk,L.和J.Vollbrecht,“PPP可扩展认证协议(EAP)”,RFC 2284,1998年3月。

[8] Simpson, W., "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.

[8] 辛普森,W.,“PPP挑战握手认证协议(CHAP)”,RFC 1994,1996年8月。

[9] Lloyd, B. and Simpson, W., "PPP Authentication Protocols", RFC 1334, October 1992.

[9] Lloyd,B.和Simpson,W.,“PPP认证协议”,RFC 13341992年10月。

[10] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.

[10] 辛普森,W.,“点对点协议(PPP)”,STD 51,RFC 1661994年7月。

6. Security Considerations
6. 安全考虑

This document, being a requirements document, does not have any security concerns. The security requirements on protocols to be evaluated using this document are mainly described in section 5.2.

本文件为需求文件,不存在任何安全问题。使用本文件评估的协议的安全要求主要在第5.2节中描述。

7. Acknowledgements
7. 致谢

Thanks to Pat Calhoun (pcalhoun@eng.sun.com), Butch Anton (butch@ipass.com) and John Vollbrecht (jrv@merit.edu) for many useful discussions of this problem space.

多亏了帕特·卡尔霍恩(pcalhoun@eng.sun.com)布奇·安东(butch@ipass.com)还有约翰·沃尔布雷希特(jrv@merit.edu)对于这个问题空间的许多有用的讨论。

8. Authors' Addresses
8. 作者地址

Bernard Aboba Microsoft Corporation One Microsoft Way Redmond, WA 98052

伯纳德·阿博巴(Bernard Aboba)微软公司华盛顿州雷德蒙微软大道一号,邮编:98052

Phone: 425-936-6605 EMail: bernarda@microsoft.com

电话:425-936-6605电子邮件:bernarda@microsoft.com

Glen Zorn Microsoft Corporation One Microsoft Way Redmond, WA 98052

格伦·佐恩微软公司华盛顿州雷德蒙微软大道一号,邮编:98052

Phone: 425-703-1559 EMail: glennz@microsoft.com

电话:425-703-1559电子邮件:glennz@microsoft.com

9. Full Copyright Statement
9. 完整版权声明

Copyright (C) The Internet Society (1999). All Rights Reserved.

版权所有(C)互联网协会(1999年)。版权所有。

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。