Network Working Group                                         M. Beadles
Request for Comments: 3169                              SmartPipes, Inc.
Category: Informational                                        D. Mitton
                                                         Nortel Networks
                                                          September 2001
        

Criteria for Evaluating Network Access Server Protocols

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

Abstract

This document defines requirements for protocols used by Network Access Servers (NAS).

1. Requirements language

In this document, the key words "MAY", "MUST", "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT" are to be interpreted as described in [KEYWORDS].

2. Introduction

This document defines requirements for protocols used by Network Access Servers (NAS). Protocols used by NAS's may be divided into four spaces: Access protocols, Network protocols, AAA protocols, and Device Management protocols. The primary focus of this document is on AAA protocols.

The reference model of a NAS used by this document, and the analysis of the functions of a NAS which led to the development of these requirements, may be found in [NAS-MODEL].

3. Access Protocol Requirements

There are three basic types of access protocols used by NAS's. First are the traditional telephony-based access protocols, which interface to the NAS via a modem or terminal adapter or similar device. These protocols typically support asynchronous or synchronous PPP [PPP] carried over a telephony protocol. Second are broadband pseudo-telephony access protocols, which are carried over xDSL or cable modems, for example. These protocols typically support an encapsulation method such as PPP over Ethernet [PPPOE]. Finally, there are the virtual access protocols used by NAS's that terminate tunnels. One example of this type of protocol is L2TP [L2TP].

It is a central assumption of the NAS model used here that a NAS accepts multiple point-to-point links via one of the above access protocols. Therefore, at a minimum, any NAS access protocol MUST be able to carry PPP. The exception to this requirement is for NAS's that support legacy text login methods such as telnet [TELNET], rlogin, or LAT. Only these access protocols are exempt from the requirement to support PPP.

4. Network Protocol Requirements

The network protocols supported by a NAS depend entirely on the kind of network to which a NAS is providing access. This document does not impose any additional requirements on network protocols beyond the protocol specifications themselves. For example, if a NAS that serves a routed network includes internet routing functionality, then that NAS must adhere to [ROUTING-REQUIREMENTS], but there are no additional protocol requirements imposed by virtue of the device being a NAS.

5. AAA Protocol Requirements
5.1. General protocol characteristics

There are certain general characteristics that any AAA protocol used by NAS's must meet. Note that the transport requirements for authentication/authorization are not necessarily the same as those for accounting/auditing. An AAA protocol suite MAY use the same transport and protocol for both functions, but this is not strictly required.

5.1.1. Transport requirements
5.1.1.1. Transport independence

The design of the AAA protocol MUST be transport independent. Existing infrastructures use UDP-based protocols [RADIUS]; gateways from those protocols to new ones must be practical in order to encourage migration. The design MUST comply with the congestion control recommendations in RFC 2914 [CONGEST].

5.1.1.2. Scalability

Very large scale NAS's that serve up to thousands of simultaneous sessions are now being deployed. And a single server system may service a large number of ports. This means that, in the extreme, there may be an almost constant exchange of many small packets between the NASes and the AAA server. An AAA protocol transport SHOULD support being optimized for a long-term exchange of small packets in a stream between a pair of hosts.

The protocol MUST be designed to support a large number of ports, clients, and concurrent sessions. Examples of poor design would include message identifiers whose value range is so small that queues and reception windows wrap under load, unique session identifier ranges that are so small that they wrap within the lifetime of potential long sessions, counter values that cannot accommodate reasonable current and future bandwidth usage, and computational processes with high overhead that must be performed frequently.

5.1.1.3. Support for Multiple AAA Servers and Failure Recovery

In order to operationally support large loads, load balancing and fail-over to multiple AAA servers will be required. The AAA protocol MUST provide for NAS's to balance individual AAA requests between two or more AAA servers. The load balancing mechanism SHOULD be built in to the AAA protocol itself.

The AAA protocol MUST be able to detect a failure of the transport protocol to deliver a message or messages within a known and controllable time period, so it can engage retransmission or server fail-over processes. The reliability and robustness of authentication requests MUST be predictable and configurable.

The AAA protocol design MUST NOT introduce a single point of failure during the AAA process. The AAA protocol MUST allow any sessions between a NAS and a given AAA server to fail-over to a secondary server without loss of state information. This fail-over mechanism SHOULD be built in to the AAA protocol itself.
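
The three requirements above (balancing across servers, a known and configurable per-attempt timeout with retransmission, and fail-over without losing session state) are easiest to see in a small NAS-side client model. The following is an added example, not code from RFC 3169 or from any AAA implementation: the server names, the injected `transport` callback and the reply dictionary are constructed so the example runs offline.

```python
# Added example (not part of RFC 3169): a NAS-side AAA client model showing
# round-robin load balancing, retransmission on a known per-attempt timeout,
# and fail-over to the next server while per-session state is preserved.
# Server names, the transport callback and the reply shape are constructed.
import itertools


class AAATimeout(Exception):
    """No configured AAA server answered within the configured retry budget."""


class AAAClient:
    def __init__(self, servers, transport, retries_per_server=2, timeout_s=3.0):
        self.servers = list(servers)              # ordered server list (constructed names)
        self.transport = transport                # transport(server, request, timeout_s) -> reply or None
        self.retries_per_server = retries_per_server  # attempts per server before fail-over
        self.timeout_s = timeout_s                # known, configurable wait per attempt
        self.sessions = {}                        # session_id -> state that survives fail-over
        self.attempts = []                        # (server, session_id, seq) log for inspection
        self._rr = itertools.cycle(range(len(self.servers)))

    def send(self, session_id, request):
        """Deliver one request, balancing across servers and failing over on timeout."""
        start = next(self._rr)                    # round-robin: each request starts at the next server
        order = self.servers[start:] + self.servers[:start]
        state = self.sessions.setdefault(session_id, {"seq": 0, "server": None})
        for server in order:
            for _ in range(self.retries_per_server):
                state["seq"] += 1                 # sequence continues across servers: no state loss
                self.attempts.append((server, session_id, state["seq"]))
                reply = self.transport(server, request, self.timeout_s)
                if reply is not None:
                    state["server"] = server      # remember which server now holds this session
                    return reply
        raise AAATimeout(f"{session_id}: no AAA server answered after "
                         f"{len(order) * self.retries_per_server} attempts")


def make_fake_transport(dead_servers):
    """Constructed transport: servers in dead_servers never answer (simulated timeout)."""
    def transport(server, request, timeout_s):
        if server in dead_servers:
            return None                           # the transport reported a timeout
        return {"server": server, "code": "Access-Accept", "user": request["user"]}
    return transport


def demo():
    client = AAAClient(["aaa1", "aaa2", "aaa3"], make_fake_transport({"aaa1"}),
                       retries_per_server=2, timeout_s=1.0)
    first = client.send("sess-1", {"user": "alice@example.net"})   # aaa1 dead -> fails over to aaa2
    second = client.send("sess-2", {"user": "bob@example.net"})    # round-robin starts at aaa2
    return client, first, second


if __name__ == "__main__":
    c, r1, r2 = demo()
    print(r1["server"], r2["server"], c.attempts)
```

The attempt log is what an operator would want to reconcile against server-side logs: every retransmission is visible, the total wait before fail-over is bounded by `retries_per_server * timeout_s` per server, and the session's sequence counter is not reset when the serving server changes.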

5.1.1.4. Support for Multiple Administrative Domains

NAS's operated by one authority provide network access services for clients operated by another authority, to network destinations operated by yet another authority. This type of arrangement is of growing importance; for example, dial roaming is now a nearly ubiquitous service. Therefore, the AAA protocol MUST support AAA services that travel between multiple domains of authority. The AAA protocol MUST NOT use a model that assumes a single domain of authority.

The AAA protocol MUST NOT dictate particular business models for the relationship between the administrative domains. The AAA protocol MUST support proxy, and in addition SHOULD support other multi-domain relationships such as brokering and referral.

The AAA protocol MUST also meet the protocol requirements specified in [ROAMING-REQUIREMENTS].

5.1.2. Attribute-Value Protocol Model

Years of operational experience with AAA protocols and NAS's has proven that the Attribute-Value protocol model is an optimal representation of AAA data. The protocol SHOULD use an Attribute-Value representation for AAA data. This document will assume such a model. Even if the AAA protocol does not use this as an on-the-wire data representation, Attribute-Value can serve as abstraction for discussing AAA information.

Experience has also shown that attribute space tends to run out quickly. In order to provide room for expansion in the attribute space, the AAA protocol MUST support a minimum of 64K Attributes (16 bits), each with a minimum length of 64K (16 bits).

5.1.2.1. Attribute Data Types

The AAA protocol MUST support simple attribute data types, including integer, enumeration, text string, IP address, and date/time. The AAA protocol MUST also provide some support for complex structured data types. Wherever IP addresses are carried within the AAA protocol, the protocol MUST support both IPv4 and IPv6 [IPV6] addresses. Wherever text information is carried within the AAA protocol, the protocol MUST comply with the IETF Policy on Character Sets and Languages [RFC 2277].
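
To make the two preceding requirements concrete (a 16-bit attribute type with a 16-bit length, and typed values that handle both IPv4 and IPv6 addresses and UTF-8 text), here is an added encoder/decoder. It is not code from RFC 3169 and not a real protocol's wire format: the header layout, the attribute registry and the type codes are constructed for this example. The decoder refuses truncated or overrunning attributes, which is the check a parser of any attribute-value format needs before trusting a length field.

```python
# Added example (not part of RFC 3169): a minimal Attribute-Value codec with
# 16-bit type and 16-bit length fields, plus typed values for the simple data
# types named in the text (integer, UTF-8 text, IPv4/IPv6 address, date/time).
# The wire layout and the attribute type codes are constructed, not a real protocol's.
import ipaddress
import struct
from datetime import datetime, timezone

HDR = struct.Struct("!HH")          # type (16 bits) | length (16 bits, whole AVP incl. header)
MAX_AVP_LEN = 0xFFFF

# constructed attribute registry: type code -> (name, kind)
REGISTRY = {
    1: ("User-Name", "text"),
    2: ("Framed-Address", "address"),
    3: ("Session-Timeout", "integer"),
    4: ("Event-Timestamp", "time"),
}


def encode_avp(atype, value):
    """Serialize one AVP; rejects values that do not fit the 16-bit length field."""
    if not 0 <= atype <= 0xFFFF:
        raise ValueError("attribute type must fit in 16 bits")
    kind = REGISTRY[atype][1]
    if kind == "integer":
        data = struct.pack("!I", value)
    elif kind == "text":
        data = value.encode("utf-8")                   # UTF-8, per the character-set policy cited
    elif kind == "address":
        data = ipaddress.ip_address(value).packed      # 4 bytes for IPv4, 16 for IPv6
    elif kind == "time":
        if value.tzinfo is None:
            raise ValueError("timestamps must be time-zone aware")
        data = struct.pack("!I", int(value.timestamp()))
    else:
        raise ValueError(f"unknown kind {kind}")
    if HDR.size + len(data) > MAX_AVP_LEN:
        raise ValueError("value too long for a 16-bit length field")
    return HDR.pack(atype, HDR.size + len(data)) + data


def decode_value(atype, raw):
    """Turn a raw value back into a Python object according to the registry."""
    name, kind = REGISTRY.get(atype, (f"Unknown-{atype}", "opaque"))
    if kind in ("integer", "time") and len(raw) != 4:
        raise ValueError(f"{name}: expected 4 bytes, got {len(raw)}")
    if kind == "integer":
        return name, struct.unpack("!I", raw)[0]
    if kind == "text":
        return name, raw.decode("utf-8")
    if kind == "address":
        if len(raw) not in (4, 16):                    # accept both IPv4 and IPv6, nothing else
            raise ValueError(f"{name}: address must be 4 or 16 bytes")
        return name, ipaddress.ip_address(raw)
    if kind == "time":
        return name, datetime.fromtimestamp(struct.unpack("!I", raw)[0], timezone.utc)
    return name, raw                                   # unknown attribute: keep bytes, do not guess


def decode_message(buf):
    """Parse a sequence of AVPs, refusing truncated or overrunning attributes."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < HDR.size:
            raise ValueError(f"truncated AVP header at offset {off}")
        atype, length = HDR.unpack_from(buf, off)
        if length < HDR.size:
            raise ValueError(f"AVP length {length} smaller than header at offset {off}")
        if off + length > len(buf):
            raise ValueError(f"AVP at offset {off} claims {length} bytes, only {len(buf) - off} left")
        out.append(decode_value(atype, buf[off + HDR.size:off + length]))
        off += length
    return out


def demo():
    msg = (encode_avp(1, "alice@example.net")
           + encode_avp(2, "192.0.2.10")
           + encode_avp(2, "2001:db8::1")
           + encode_avp(3, 3600)
           + encode_avp(4, datetime(2001, 9, 1, 12, 0, tzinfo=timezone.utc)))
    return decode_message(msg)
```

Unknown attribute types are passed through as opaque bytes rather than rejected, which is what the extensibility requirement later in the document implies a receiver should do; the length checks, by contrast, are never relaxed for unknown types.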

5.1.2.2. Minimum Set of Attributes

At a minimum, the AAA protocol MUST support, or be easily extended to support, the set of attributes supported by RADIUS [RADIUS] and RADIUS Accounting [RADIUS-ACCOUNTING]. If the base AAA protocol does not support this complete set of attributes, then an extension to that protocol MUST be defined which supports this set.

5.1.2.3. Attribute Extensibility

NAS and AAA development is always progressing. In order to prevent the AAA protocol from being a limiting factor in NAS and AAA Server development, the AAA protocol MUST provide a built-in extensibility mechanism, which MUST include a means for adding new standard attribute extensions. This MUST include a method for registering or requesting extensions through IANA, so that long-term working group involvement is not required to create new attribute types. Ideally, the AAA protocol SHOULD separate specification of the transport from specification of the attributes.

The AAA protocol MUST include a means for individual vendors to add value through vendor-specific attributes and SHOULD include support for vendor-specific data types.

5.1.3. Security Requirements
5.1.3.1. Mutual Authentication

It is poor security practice for a NAS to communicate with an AAA server that is not trusted, and vice versa. The AAA protocol MUST provide mutual authentication between AAA server and NAS.

5.1.3.2. Shared Secrets

At a minimum, the AAA protocol SHOULD support use of a secret shared pairwise between each NAS and AAA server to mutually verify identity. This is intended for small-scale deployments. The protocol MAY provide stronger mutual security techniques.

5.1.3.3. Public Key Security

AAA server/NAS identity verification based solely on shared secrets can be difficult to deploy properly at large scale, and it can be tempting for NAS operators to use a single shared secret (that rarely changes) across all NAS's. This can lead to an easy compromise of the secret. Therefore, the AAA protocol MUST also support mutual verification of identity using a public-key infrastructure that supports expiration and revocation of keys.

5.1.3.4. Encryption of Attributes

Some attributes are more operationally sensitive than others. Also, in a multi-domain scenario, attributes may be inserted by servers from different administrative domains. Therefore, the AAA protocol MUST support selective encryption of attributes on an attribute-by-attribute basis, even within the same message. This requirement applies equally to Authentication, Authorization, and Accounting data.

5.2. Authentication and User Security Requirements
5.2.1. Authentication protocol requirements

End users who are requesting network access through a NAS will present various types of credentials. It is the purpose of the AAA protocol to transport these credentials between the NAS and the AAA server.

5.2.1.1. Bi-directional Authentication

The AAA protocol MUST support transport of credentials from the AAA server to the NAS, between the User and the NAS, and between the NAS and the AAA server.

5.2.1.2. Periodic Re-Authentication

The AAA protocol MUST support re-authentication at any time during the course of a session, initiated from either the NAS or the AAA server. This is a requirement of CHAP [CHAP].

5.2.1.3. Multi-phase Authentication

The AAA protocol MUST be able to support multi-phase authentication methods, including but not limited to support for:

- Text prompting from the NAS to the user

- A series of binary challenges and responses of arbitrary length

- An authentication failure reason to be transmitted from the NAS to the user

- Callback to a pre-determined phone number

5.2.1.4. Extensible Authentication Types

Security protocol development is going on constantly as new threats are identified and better cracking methods are developed. Today's secure authentication methods may be proven insecure tomorrow. The AAA protocol MUST provide some support for addition of new authentication credential types.

5.2.2. Authentication Attribute Requirements

In addition to the minimum attribute set, the AAA protocol must support and define attributes that provide the following functions:

5.2.2.1. PPP Authentication protocols

Many authentication protocols are defined within the framework of PPP. The AAA protocol MUST be able to act as an intermediary between the peer being authenticated and the authenticator for the following authentication protocols:

- PPP Password Authentication Protocol [PPP]

- PPP Challenge Handshake Authentication Protocol [CHAP]

- PPP Extensible Authentication Protocol [EAP]

5.2.2.2. User Identification

The following are common types of credentials used for user identification. The AAA protocol MUST be able to carry the following types of identity credentials:

- A user name in the form of a Network Access Identifier [NAI].

- An Extensible Authentication Protocol [EAP] Identity Request Type packet.

- Telephony dialing information such as Dialed Number Identification Service (DNIS) and Caller ID.

If a particular type of authentication credential is not needed for a particular user session, the AAA protocol MUST NOT require that dummy credentials be filled in. That is, the AAA protocol MUST support authorization by identification or assertion only.

5.2.2.3. Authentication Credentials

The following are common types of credentials used for authentication. The AAA protocol MUST be able to carry the following types of authenticating credentials at a minimum:

- A secret or password.

- A response to a challenge presented by the NAS to the user

- A one-time password

- An X.509 digital certificate [X.509]

- A Kerberos v5 ticket [KERBEROS]

5.2.3. Authentication Protocol Security Requirements
5.2.3.1. End-to-End Hiding of Credentials

Where passwords are used as authentication credentials, the AAA protocol MUST provide a secure means of hiding the password from intermediates in the AAA conversation. Where challenge/response mechanisms are used, the AAA protocol MUST also prevent against replay attacks.
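
The replay requirement above is a property of how the verifier handles challenges, not only of the response function. The following is an added example, not code from RFC 3169 or from CHAP: it shows a verifier that issues unpredictable challenges bound to one user, accepts each challenge at most once, and expires unused challenges, so a captured response is useless afterwards. The response function (HMAC-SHA256 over the challenge), the user secrets and the injectable clock are constructed for this example; a real deployment uses whatever its authentication protocol defines.

```python
# Added example (not part of RFC 3169): a challenge/response verifier that
# binds each challenge to one user, accepts it once, and expires it, so a
# captured response cannot be replayed. The response function and the secrets
# are constructed; a real protocol defines its own response computation.
import hashlib
import hmac
import os
import time


def compute_response(secret, challenge):
    """Client side: prove knowledge of the secret without ever sending it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class ChallengeVerifier:
    def __init__(self, secrets, ttl_s=60, clock=time.time):
        self.secrets = secrets          # user -> shared secret (constructed)
        self.pending = {}               # challenge bytes -> (user, issued_at)
        self.ttl_s = ttl_s              # how long an unanswered challenge stays valid
        self.clock = clock              # injectable so expiry can be tested offline

    def issue(self, user):
        """Hand out a fresh, unpredictable, single-use challenge for this user."""
        challenge = os.urandom(16)
        self.pending[challenge] = (user, self.clock())
        return challenge

    def verify(self, user, challenge, response):
        """Return (ok, reason). Every path, success or failure, consumes the challenge."""
        entry = self.pending.pop(challenge, None)    # pop: a second presentation finds nothing
        if entry is None:
            return False, "unknown or already-used challenge"
        issued_to, issued_at = entry
        if issued_to != user:
            return False, "challenge was issued to a different user"
        if self.clock() - issued_at > self.ttl_s:
            return False, "challenge expired"
        secret = self.secrets.get(user)
        if secret is None:
            return False, "unknown user"
        expected = compute_response(secret, challenge)
        if not hmac.compare_digest(expected, response):   # constant-time comparison
            return False, "response does not match"
        return True, "ok"


def demo():
    fake_now = [1000.0]
    srv = ChallengeVerifier({"alice": b"alice-secret"}, ttl_s=30, clock=lambda: fake_now[0])
    c = srv.issue("alice")
    r = compute_response(b"alice-secret", c)
    first = srv.verify("alice", c, r)            # genuine exchange
    replay = srv.verify("alice", c, r)           # same response presented again: rejected
    c2 = srv.issue("alice")
    fake_now[0] += 31                            # challenge outlives its ttl
    expired = srv.verify("alice", c2, compute_response(b"alice-secret", c2))
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

Two details carry the security: the challenge is removed from `pending` before any other check runs, so a failed attempt cannot be retried against the same challenge, and the expiry bound limits how long the server must remember outstanding challenges. In a proxied, multi-domain conversation the same single-use discipline has to hold at whichever server actually verifies the response.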

5.3. Authorization, Policy, and Resource management
5.3.1. Authorization Protocol Requirements

In all cases, the protocol MUST specify that authorization data sent from the NAS to the AAA server is to be regarded as information or "hints", and not directives. The AAA protocol MUST be designed so that the AAA server makes all final authorization decisions and does not depend on a certain state being expected by the NAS.

5.3.1.1. Dynamic Authorization

The AAA protocol MUST support dynamic re-authorization at any time during a user session. This re-authorization may be initiated in either direction. This dynamic re-authorization capability MUST include the capability to request a NAS to disconnect a user on demand.

5.3.1.2. Resource Management

Resource Management MUST be supported on demand by the NAS or AAA Server at any time during the course of a user session. This would be the ability for the NAS to allocate and deallocate shared resources from an AAA server servicing multiple NASes. These resources may include, but are not limited to: IP addresses, concurrent usage limits, port usage limits, and tunnel limits. This capability should have error detection and synchronization features that will recover state after network and system failures. This may be accomplished by session information timeouts and explicit interim status and disconnect messages. There should not be any dependencies on the Accounting message stream, as per current practices.

This feature is primarily intended for NAS-local network resources. In a proxy or multi-domain environment, resource information should only be retained by the server doing the allocation, and perhaps its backups. Authorization resources in remote domains should use the dynamic authorization features to change and revoke authorization status.

5.3.2. Authorization Attribute Requirements
5.3.2.1. Authorization Attribute Requirements - Access Restrictions

The AAA protocol serves as a primary means of gathering data used for making Policy decisions for network access. Therefore, the AAA protocol MUST allow network operators to make policy decisions based on the following parameters:

- Time/day restrictions. The AAA protocol MUST be able to provide an unambiguous time stamp, NAS time zone indication, and date indication to the AAA server in the Authorization information.

- Location restrictions: The AAA protocol MUST be able to provide an unambiguous location code that reflects the geographic location of the NAS. Note that this is not the same type of thing as either the dialing or dialed station.

- Dialing restrictions: The AAA protocol MUST be able to provide accurate dialed and dialing station indications.

- Concurrent login limitations: The AAA protocol MUST allow an AAA Server to limit concurrent logins by a particular user or group of users. This mechanism does not need to be explicitly built into the AAA protocol, but the AAA protocol must provide sufficient authorization information for an AAA server to make that determination through an out-of-band mechanism.

5.3.2.2. Authorization Attribute Requirements - Authorization Profiles

The AAA protocol is used to enforce policy at the NAS. Essentially, on granting of access, a particular access profile is applied to the user's session. The AAA protocol MUST at a minimum provide a means of applying profiles containing the following types of information:

- IP Address assignment: The AAA protocol MUST provide a means of assigning an IPv4 or IPv6 address to an incoming user.

- Protocol Filter application: The AAA protocol MUST provide a means of applying IP protocol filters to user sessions. Two different methods MUST be supported.

First, the AAA protocol MUST provide a means of selecting a protocol filter by reference to an identifier, with the details of the filter action being specified out of band. The AAA protocol SHOULD define this out-of-band reference mechanism.

Second, the AAA protocol MUST provide a means of passing a protocol filter by value. This means explicit passing of pass/block information by address range, TCP/UDP port number, and IP protocol number at a minimum.

- Compulsory Tunneling: The AAA protocol MUST provide a means of directing a NAS to build a tunnel or tunnels to a specified endpoint. It MUST support creation of multiple simultaneous tunnels in a specified order. The protocol MUST allow, at a minimum, specification of the tunnel endpoints, tunneling protocol type, underlying tunnel media type, and tunnel authentication credentials (if required by the tunnel type). The AAA protocol MUST support at least the creation of tunnels using the L2TP [L2TP], ESP [ESP], and AH [AH] protocols. The protocol MUST provide means of adding new tunnel types as they are standardized.

- Routing: The AAA protocol MUST provide a means of assigning a particular static route to an incoming user session.

- Expirations/timeouts: The AAA protocol MUST provide a means of communicating session expiration information to a NAS. Types of expirations that MUST be supported are: total session time, idle time, total bytes transmitted, and total bytes received.

- Quality of Service: The AAA protocol MUST provide a means for supplying Quality of Service parameters to the NAS for individual user sessions.

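
The "filter by value" method in the profile list above says what a filter must be able to express (pass/block by address range, TCP/UDP port number and IP protocol number) but not how a NAS would evaluate it. The following is an added example, not code from RFC 3169 or from any NAS: a small rule representation with a first-match evaluator and a default-deny fallback. The textual rule syntax, the profile contents and the addresses are constructed for this example; a real protocol would carry the same fields in its own attribute encoding.

```python
# Added example (not part of RFC 3169): a filter-by-value representation
# carrying pass/block rules keyed on address range, IP protocol number and
# TCP/UDP destination port range, with a first-match evaluator. The text rule
# syntax and the sample profile are constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

TCP, UDP = 6, 17


@dataclass(frozen=True)
class FilterRule:
    action: str                                  # "pass" or "block"
    network: object                              # IPv4Network or IPv6Network
    proto: Optional[int] = None                  # IP protocol number, None = any
    ports: Optional[Tuple[int, int]] = None      # inclusive dst port range (TCP/UDP only)


def parse_rule(text):
    """Parse '<pass|block> <cidr> [proto N] [ports LOW-HIGH]' (constructed syntax)."""
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] not in ("pass", "block"):
        raise ValueError(f"bad rule: {text!r}")
    action, network = tokens[0], ipaddress.ip_network(tokens[1], strict=False)
    proto, ports, rest = None, None, tokens[2:]
    while rest:
        if len(rest) < 2:
            raise ValueError(f"keyword {rest[0]!r} needs a value")
        key, val, rest = rest[0], rest[1], rest[2:]
        if key == "proto":
            proto = int(val)
            if not 0 <= proto <= 255:
                raise ValueError("protocol number out of range")
        elif key == "ports":
            low, high = (int(p) for p in val.split("-"))
            if not 0 <= low <= high <= 65535:
                raise ValueError("port range out of order or out of range")
            ports = (low, high)
        else:
            raise ValueError(f"unknown keyword {key!r}")
    if ports is not None and proto not in (TCP, UDP):
        raise ValueError("port ranges only apply to proto 6 (TCP) or 17 (UDP)")
    return FilterRule(action, network, proto, ports)


def evaluate(rules, dst_ip, proto, dport=None, default="block"):
    """First matching rule wins; with no match the default (deny) applies."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if addr.version != rule.network.version or addr not in rule.network:
            continue
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.ports is not None and (dport is None or not rule.ports[0] <= dport <= rule.ports[1]):
            continue
        return rule.action
    return default


PROFILE = [parse_rule(r) for r in (          # constructed per-session profile
    "pass 198.51.100.0/24 proto 6 ports 443-443",
    "block 198.51.100.0/24",
    "pass 2001:db8::/32 proto 17 ports 53-53",
    "pass 0.0.0.0/0 proto 1",
)]


if __name__ == "__main__":
    for probe in (("198.51.100.7", 6, 443), ("198.51.100.7", 6, 80), ("2001:db8::53", 17, 53)):
        print(probe, evaluate(PROFILE, *probe))
```

Rule order matters with first-match semantics, so a profile carried by value should be applied in the order the server sent it; the evaluator also refuses a port range on a rule that is not restricted to TCP or UDP, since such a rule would silently never match ICMP or other protocols' traffic.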
5.3.2.3. Resource Management Requirements

The AAA protocol is a means for network operators to perform management of network resources. The AAA protocol MUST provide a means of collecting resource state information, and controlling resource allocation for the following types of network resources.

- Network bandwidth usage per session, including multilink sessions.

- Access port usage, including concurrent usage and usage pools.

- Connect time.

- IP Addresses and pools.

- Compulsory tunnel limits.

5.3.3. Authorization Protocol Security Requirements
5.3.3.1. Security of Compulsory Tunnel Credentials

When an AAA protocol passes credentials that will be used to authenticate compulsory tunnels, the AAA protocol MUST provide a means of securing the credentials from end-to-end of the AAA conversation. The AAA protocol MUST also provide protection against replay attacks in this situation.

5.4. Accounting and Auditing Requirements
5.4.1. Accounting Protocol Requirements
5.4.1.1. Guaranteed Delivery

The accounting and auditing functions of the AAA protocol are used for network planning, resource management, policy decisions, and other functions that require accurate knowledge of the state of the NAS. NAS operators need to be able to engineer their network usage measurement systems to a predictable level of accuracy. Therefore, an AAA protocol MUST provide a means of guaranteed delivery of accounting information between the NAS and the AAA Server(s).

5.4.1.2. Real Time Accounting

NAS operators often require a real time view onto the status of sessions served by a NAS. Therefore, the AAA protocol MUST support real-time delivery of accounting and auditing information. In this context, real time is defined as accounting information delivery beginning within one second of the triggering event.

5.4.1.3. Batch Accounting

The AAA protocol SHOULD also support delivery of stored accounting and auditing information in batches (non-real time).

5.4.1.4. Accounting Time Stamps

There may be delays associated with the delivery of accounting information. The NAS operator will desire to know the time an event actually occurred, rather than simply the time when notification of the event was received. Therefore, the AAA protocol MUST carry an unambiguous time stamp associated with each accounting event. This time stamp MUST be unambiguous with regard to time zone. Note that this assumes that the NAS has access to a reliable time source.

5.4.1.5. Accounting Events

At a minimum, the AAA protocol MUST support delivery of accounting information triggered by the following events:

- Start of a user session

- End of a user session

- Expiration of a predetermined repeating time interval during a user session. The AAA protocol MUST provide a means for the AAA server to request that a NAS use a certain interval accounting time.

- Dynamic re-authorization during a user session (e.g., new resources being delivered to the user)

- Dynamic re-authentication during a user session

5.4.1.6. On-Demand Accounting

NAS operators need to maintain an accurate view onto the status of sessions served by a NAS, even through failure of an AAA server. Therefore, the AAA protocol MUST support a means of requesting current session state and accounting from the NAS on demand.

5.4.2. Accounting Attribute Requirements

At a minimum, the AAA protocol MUST support delivery of the following types of accounting/auditing data:

- All parameters used to authenticate a session.

- Details of the authorization profile that was applied to the session.

- The duration of the session.

- The cumulative number of bytes sent by the user during the session.

- The cumulative number of bytes received by the user during the session.

- The cumulative number of packets sent by the user during the session.

- The cumulative number of packets received by the user during the session.

- Details of the access protocol used during the session (port type, connect speeds, etc.)

5.4.3. Accounting Protocol Security Requirements
5.4.3.1. Integrity and Confidentiality

Note that accounting and auditing data are operationally sensitive information. The AAA protocol MUST provide a means to assure end-to-end integrity of this data. The AAA protocol SHOULD provide a means of assuring the end-to-end confidentiality of this data.

5.4.3.2. Auditability

Network operators use accounting data for network planning, resource management, and other business-critical functions that require confidence in the correctness of this data. The AAA protocol SHOULD provide a mechanism to ensure that the source of accounting data cannot easily repudiate this data after transmission.
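
The accounting requirements of 5.4.1.4 (a time stamp that is unambiguous as to time zone) and 5.4.3.1 (end-to-end integrity) can be combined in one record format. The following is an added example, not code from RFC 3169 or from any AAA implementation: the record fields, the canonical serialization and the key are constructed for this example. The record is sealed with an HMAC over a deterministic JSON form, so a NAS and a server that share the key hash identical bytes.

```python
# Added example (not part of RFC 3169): an accounting record with a
# time-zone-unambiguous timestamp, sealed with an HMAC for end-to-end integrity.
# Field names, the canonical form and the key are constructed for this example.
import hashlib
import hmac
import json
from datetime import datetime, timezone


def make_record(session_id, event, bytes_in, bytes_out, when=None):
    """Build one accounting record; refuses naive (zone-less) timestamps."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("accounting timestamps must carry a time zone")
    return {
        "session_id": session_id,
        "event": event,                          # "start", "stop" or "interim"
        "bytes_in": bytes_in,
        "bytes_out": bytes_out,
        # normalize to UTC so every consumer reads the same instant
        "timestamp": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
    }


def canonical(record):
    """Deterministic serialization so sender and receiver hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record, key):
    """Attach an HMAC-SHA256 tag computed over the canonical record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed, key):
    """Recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def demo():
    key = b"constructed-nas-to-aaa-key"
    rec = make_record("sess-1", "stop", 12345, 678,
                      datetime(2001, 9, 1, 12, 0, tzinfo=timezone.utc))
    sealed = seal(rec, key)
    ok = verify(sealed, key)
    tampered = {"record": dict(rec, bytes_out=1), "tag": sealed["tag"]}   # counter altered in transit
    return rec["timestamp"], ok, verify(tampered, key)


if __name__ == "__main__":
    print(demo())
```

One caveat matters for 5.4.3.2: an HMAC under a key shared by the NAS and the server proves the record was produced by one of the two key holders, which is integrity but not non-repudiation, since the server could have produced the same tag itself. Meeting the auditability recommendation requires a digital signature under a key only the NAS holds; the confidentiality the text recommends would be a separate encryption layer over the sealed record.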

6. Device Management Protocols

This document does not specify any requirements for device management protocols.

7. Acknowledgments

Many of the requirements in this document first took form in Glen Zorn's, "Yet Another Authentication Protocol (YAAP)" document, for which grateful acknowledgment is made.

8. Security Considerations

See above for security requirements for the NAS AAA protocol.

Where an AAA architecture spans multiple domains of authority, AAA information may need to cross trust boundaries. In this situation, a NAS might operate as a shared device that services multiple administrative domains. Network operators are advised to take this into consideration when deploying NAS's and AAA Servers.

9. IANA Considerations

This document does not directly specify any IANA considerations. However, the following recommendations are made:

Future development and extension of an AAA protocol will be made much easier if new attributes and values can be requested or registered directly through IANA, rather than through an IETF Standardization process.

The AAA protocol might use enumerated values for some attributes, which enumerate already-defined IANA types (such as protocol number). In these cases, the AAA protocol SHOULD use the IANA assigned numbers as the enumerated values.

11. Authors' Addresses

Mark Anthony Beadles SmartPipes, Inc. 565 Metro Place South Suite 300 Dublin, OH 43017

Phone: 614-923-6200

David Mitton Nortel Networks 880 Technology Park Drive Billerica, MA 01821

Phone: 978-288-4570 EMail: dmitton@nortelnetworks.com

12. Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
