As per the relevance of the word "possible", we have this RFC below:
Network Working Group S.
Request for Comments: 2906 Baltimore
Category: Informational J.
Interlink Networks, Inc
P.
Sun Microsystems, Inc
L.
Enterasys Networks
G.
Lucent
B. de
Interpay Nederland B.V
C. de
Utrecht
M.
D.
Interlink Networks, Inc
August 2000
AAA Authorization Requirements

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

This document specifies the requirements that Authentication Authorization Accounting (AAA) protocols must meet in order to support authorization services in the Internet. The requirements have been elicited from a study of a range of applications including mobile-IP, roamops and others.
Farrell, et al. Informational [Page 1]
RFC 2906 AAA Authorization Requirements August 2000
Table Of Contents

1. Introduction
2. Requirements
2.1 Authorization Information
2.2 Security of authorization information
2.3 Time
2.4 Topology
2.5 Application Proxying
2.6 Trust Model
2.7 Not just transactions
2.8 Administration
2.9 Bytes on-the-wire
2.10 Interfaces
2.11 Negotiation
3. Security Considerations
4. References
Authors' Addresses
Full Copyright Statement
1. Introduction

This document is one of a series of three documents under consideration by the AAAarch RG dealing with the authorization requirements for AAA protocols. The three documents are:

AAA Authorization Framework [FRMW]
AAA Authorization Requirements (this document)
AAA Authorization Application Examples [SAMP]

The work for this memo was done by a group that originally was the Authorization subgroup of the AAA Working Group of the IETF. When the charter of the AAA working group was changed to focus on Mobile IP and NAS requirements, the AAAarch Research Group was chartered within the IRTF to continue and expand the architectural work started by the Authorization subgroup. This memo is one of four which were created by the subgroup. This memo is a starting point for further work within the AAAarch Research Group. It is still a work in progress, and is published so that the work will be available for the AAAarch subgroup and others working in this area, not as a definitive description of architecture or requirements.

The process followed in producing this document was to analyze the requirements from [SAMP] based on a common understanding of the authorization framework [FRMW]. This document assumes familiarity with both the general issues involved in authorization and, in particular, the reader will benefit from a reading of [FRMW] where, for example, definitions of terms can be found.
The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY" in this document are to be interpreted as described in [RFC2119].

2. Requirements

Requirements are grouped under headings for convenience; the grouping is not significant.

Definitions and explanations of some of the technical terms used in this document may be found in [FRMW].

Each requirement is presented as a succinct (usually a sentence or two) statement. Most are followed by a paragraph of explanatory material, which sometimes contains an example. Fully worked examples may be found in [SAMP].

The requirements presented are not intended to be "orthogonal", that is, some of them repeat, or overlap, with others.

2.1 Authorization Information

2.1.1 Authorization decisions MUST be able to be based on information about the requestor, the service/method requested, and the operating environment (authorization information). AAA protocols are required to transport this information.

This simply states the requirement for a protocol and an access decision function, which takes inputs, based on the requestor, the resource requested and the environment.

2.1.2 It MUST be possible to represent authorization information as sets of attributes. It MAY be possible to represent authorization information as objects.

This states that authorization information must be decomposable into sets of attributes. It is not intended to imply any particular mechanism for representing attributes.

2.1.3 It MUST be possible to package authorization information so that the authorization information for multiple services or applications can be carried in a single message in a AAA or application protocol.

This states that a protocol, which always required separate messages/transactions for each service/application, would not meet the requirement. For example, it should be possible for a single message/transaction to be sufficient to allow both network and application access.
2.1.4 Standard attribute types SHOULD be defined which are common to many Internet applications/services (e.g. identity information, group information, ...).

There are many attributes that are used in lots of contexts, and these should only be defined once, in order to improve interoperability and prevent duplication of effort.

2.1.5 Authorization decisions MUST NOT be limited to being based on identity information, i.e. AAA protocols MUST support the use of non-identifying information, e.g. to support role based access control (RBAC).

Authorization based on clearances, roles, groups or other attributes is required to be supported. A AAA protocol that only supported identity information would not meet the requirement.

2.1.6 Authorization data MAY include limits in addition to attributes which are directly "owned" by end entities.

This states that some attributes do not simply represent properties of an entity, for example a spending limit of IR 1,000 is not an intrinsic attribute of an entity. This also impacts on the access decision function, in that the comparison to be made is not a simple equality match.

2.1.7 It MUST be possible for other (non-AAA) protocols to define their own attribute types, which can then be carried within an authorization package in a AAA or application protocol.

This states that the attributes that are significant in an authorization decision may be application protocol dependent. For example, many attribute types are defined by [RFC2138] and support for the semantics of these attributes will be required. Of course, only AAA entities that are aware of the added attribute types can make use of them.

2.1.8 It SHOULD be possible for administrators of deployed systems to define their own attribute types, which can then be carried within an authorization package in a AAA or application protocol.

This states that the attributes that are significant in an authorization decision may be dependent on a closed environment. For example, many organizations have a well-defined scheme for seniority, which can be used to determine access levels. Of course, only AAA entities that are aware of the added attribute types can make use of them.
2.1.9 It SHOULD be possible to define new attribute types without central administration and control of the attribute name space.

A centralized or distributed registration scheme of some sort is needed if collisions in attribute type allocations are to be avoided. However a AAA protocol which always requires use of such a centralized registration would not meet the requirement. Of course, collisions should be avoided where possible.

2.1.10 It MUST be possible to define attribute types so that an instance of an attribute in a single AAA message can have multiple values.

This states that a protocol which does not allow multiple values of an attribute in a message/transaction would not meet the requirement. For example it should be possible to have a "group" attribute which contains more than one groupname (or number or whatever).

2.1.11 It MUST be possible to distinguish different instances of the same authorization attribute type or value, on the basis of "issuing domain" or "authority".

This recognizes that it is important to be able to distinguish between attributes based not only on their value. For example, all domains (which use the English language) have an administrators group; an access decision function has to be able to determine to which of these groups the requestor belongs.

2.1.12 AAA protocols MUST specify mechanisms for updating the rules which will be used to control authorization decisions.

This states that a AAA protocol that cannot provide a mechanism for distributing authorization rules is not sufficient. For example, this could be used to download ACLs to a PDP.

Note that this is not meant to mean that this AAA protocol mechanism must always be used, simply that it must be available for use. In particular, storing authorization rules in a trusted repository (in many cases an LDAP server) will in many cases be used instead of such a AAA protocol mechanism. Neither does this requirement call for a standardized format for authorization rules, merely that there be a mechanism for transporting these.
2.1.13 The AAA protocol MUST allow for chains of AAA entities to be involved in an authorization decision.

This states that more than one AAA server may have to be involved in a single authorization decision. This may occur either due to the decision being spread across more than one "domain" or in order to distribute authorization within a single "domain".

2.1.14 The AAA protocol MUST allow for intermediate AAA entities to add their own local authorization information to a AAA request or response.

This states that where more than one AAA entity is involved in an authorization decision each of the AAA entities may manipulate the AAA messages involved either by adding more information or by processing parts of the information.

2.1.15 AAA entities MAY either be deployed independently or integrated with application entities.

This states that the AAA entities may either be implemented as separate servers or integrated with application entities.

2.1.16 The AAA protocol MUST support the creation and encoding of rules that are to be active inside one AAA server based on attributes published by another AAA server. The level of authorization of the requesting AAA Server MAY govern the view on attributes.

This states that one AAA entity may have to distribute authorization rules to another, and that the AAA entity that receives the rules may only be seeing part of the story.

2.1.17 AAA protocols MAY have to support the idea of critical and non-critical attribute types.

This is analogous to the use of the criticality flag in public key certificate extensions.

2.1.18 A AAA protocol MUST allow authorization rules to be expressed in terms of combinations of other authorization rules which have been evaluated.

For example, access may only be granted if the requestor is a member of the backup users group and not a member of the administrators group. Note that this requirement does not state which types of combinations are to be supported.
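The model sketched in 2.1.6, 2.1.10, 2.1.11 and 2.1.18, as an added Python example that is not part of RFC 2906: an authorization package is a set of multi-valued attributes qualified by issuing authority, limits are compared numerically rather than by equality, and rules are combined from other rules. All names, domains and sample packages are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed model (not from RFC 2906): an authorization package is a set of
# attributes, each qualified by the authority that asserted it (2.1.11) and
# allowed to carry several values in one instance (2.1.10).

@dataclass(frozen=True)
class Attribute:
    type: str          # e.g. "group", "spending-limit"
    values: tuple      # multi-valued: ("backup-users", "staff")
    authority: str     # issuing domain, e.g. "corp.example.com"

class AuthzPackage:
    def __init__(self, attrs):
        self.attrs = list(attrs)

    def values(self, type_, authority=None):
        """All values of one attribute type, optionally from one authority only."""
        out = []
        for a in self.attrs:
            if a.type == type_ and (authority is None or a.authority == authority):
                out.extend(a.values)
        return out

# A rule is a predicate over a package; combinators build rules from rules (2.1.18).
Rule = Callable[[AuthzPackage], bool]

def in_group(name, authority):
    # The authority is part of the match: "administrators" asserted by
    # partner.example.net is not the local administrators group (2.1.11).
    return lambda pkg: name in pkg.values("group", authority)

def limit_at_least(type_, authority, needed):
    # A limit is not an intrinsic property of the entity, and the check is a
    # numeric comparison rather than an equality match (2.1.6).
    def rule(pkg):
        vals = pkg.values(type_, authority)
        return bool(vals) and max(vals) >= needed
    return rule

def all_of(*rules): return lambda pkg: all(r(pkg) for r in rules)
def any_of(*rules): return lambda pkg: any(r(pkg) for r in rules)
def not_(rule): return lambda pkg: not rule(pkg)

def decide(rule, pkg):
    return "permit" if rule(pkg) else "deny"

# The RFC's own example rule: member of backup-users AND NOT an administrator,
# both judged against the local authority; plus a purchase rule using a limit.
CORP = "corp.example.com"
backup_rule = all_of(in_group("backup-users", CORP),
                     not_(in_group("administrators", CORP)))
purchase_rule = all_of(in_group("staff", CORP),
                       limit_at_least("spending-limit", CORP, 1000))

# Constructed sample packages.
alice = AuthzPackage([
    Attribute("group", ("backup-users", "staff"), CORP),
    Attribute("spending-limit", (1500,), CORP),
])
bob = AuthzPackage([
    Attribute("group", ("backup-users", "administrators"), CORP),
])
mallory = AuthzPackage([
    # Same group name, but asserted by a foreign authority: must not match.
    Attribute("group", ("backup-users",), "partner.example.net"),
])

if __name__ == "__main__":
    for name, pkg in (("alice", alice), ("bob", bob), ("mallory", mallory)):
        print(name, decide(backup_rule, pkg), decide(purchase_rule, pkg))
```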
2.1.19 It SHOULD be possible to make authorization decisions based on the geographic location of a requestor, service or AAA entity.

This is just an example of an authorization attribute type, included because it requires different underlying implementation mechanisms.

2.1.20 It SHOULD be possible to make authorization decisions based on the identity or the equipment used by a requestor, service or AAA entity.

This is just an example of an authorization attribute type, included because it may require different underlying implementation mechanisms (if IPSec isn't available).

2.1.21 When there are multiple instances of a given attribute, there must be an unambiguous mechanism by which a receiving peer can determine the value of a specified instance.

2.2 Security of authorization information

2.2.1 It MUST be possible for authorization information to be communicated securely in AAA and application protocols. Mechanisms that preserve authenticity, integrity and privacy for authorization information MUST be specified.

This states that there must be a well-defined method for securing authorization information, not that such methods must always be used. Whether support for these mechanisms is to be required for conformance is left open. In particular, mechanisms must be available so that a service administrator in the middle of a chain cannot see or change authorization information being sent between other AAA entities.

2.2.2 AAA protocols MUST allow for use of an appropriate level of security for authorization information. AAA protocols MUST be able to support both highly secure and less secure mechanisms for authentication, integrity/confidentiality etc.

It is important that AAA protocols do not mandate too heavy a security overhead, thus the security mechanisms specified don't always need to be used (though not using them may affect the authorization decision).
2.2.3 The security requirements MAY differ between different parts of a package of authorization information.

Some parts may require confidentiality and integrity, some may only require integrity. This effectively states that we require something like selective field security mechanisms. For example, information required to gain access to a network may have to be in clear, whereas information required for access to an application within that network may have to be encrypted in the AAA protocol.
2.2.4 AAA protocols MUST provide mechanisms that prevent intermediate administrators breaching security.

This is a basic requirement to prevent man-in-the-middle attacks, for example where an intermediate administrator changes AAA messages on the fly.

2.2.5 AAA protocols MUST NOT open up replay attacks based on replay of the authorization information.

For example, a AAA protocol should not allow flooding attacks where the attacker replays AAA messages that require the recipient to use a lot of CPU or communications before the replay is detected.

2.2.6 AAA protocols MUST be capable of leveraging any underlying peer entity authentication mechanisms that may have been applied, and MAY provide additional assurance that the owner of the authorization information is the same as the authenticated entity. For example, if IPSec provides sufficient authentication, then it must be possible to omit AAA protocol authentication.

2.2.7 End-to-end confidentiality, integrity, peer-entity authentication, or non-repudiation MAY be required for packages of authorization information.

This states that confidentiality (resp. the other security services) may have to be provided for parts of a AAA message, even where it is transmitted via other AAA entities. It does allow that such a AAA message may also contain non-confidential (resp. the other security services) parts. In addition, intermediate AAA entities may themselves be considered end-points for end-to-end security services applied to other parts of the AAA message.

2.2.8 AAA protocols MUST be usable even in environments where no peer entity authentication is required (e.g. a network address on a LAN may be enough to decide).

This requirement (in a sense the opposite of 2.2.6) indicates the level of flexibility that is required in order to make the AAA protocol useful across a broad range of applications/services.
2.2.9 AAA protocols MUST specify "secure" defaults for all protocol options. Implementations of AAA entities MUST use these "secure" defaults unless otherwise configured/administered.

This states that the out-of-the-box configuration must be "secure"; for example, authorization decisions should result in denial of access until a AAA entity is configured. Note that the definition of "secure" will vary on a case-by-case basis, though the principle remains the same.

2.3 Time

2.3.1 Authorization information MUST be timely, which means that it MUST expire and in some cases MAY be revoked before expiry.

This states that authorization information itself is never to be considered valid for all time; every piece of authorization information must have associated either an explicit or implicit validity period or time-to-live.

2.3.2 AAA protocols MUST provide mechanisms for revoking authorization information, in particular privileges.

Where the validity or time-to-live is long, it may be necessary to revoke the authorization information, e.g. where someone leaves a company. Note that this requirement does not mandate a particular scheme for revocation, so that it is not a requirement for mechanisms such as CRLs.

2.3.3 A set of attributes MAY have an associated validity period, such that the set MUST only be used for authorization decisions during that period. The validity period may be relatively long (e.g. months) or short (hours, minutes).

This states that explicit validity periods are, in some cases, required at the field level.

2.3.4 Authorization decisions MAY be time sensitive. Support for e.g. "working hours" or equivalent MUST be possible.

This states that the AAA protocol must be able to support the transmission of time control attributes, although it does not state that AAA protocols must include a standard way of expressing a "working hours" type constraint.
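How a receiving AAA entity might enforce 2.2.5 (no replay), 2.2.9 (deny by default), 2.3.1 and 2.3.3 (expiry at package and attribute-set level) and 2.3.2 (revocation) together, as an added Python example that is not part of RFC 2906. The HMAC integrity check, the shared key, the package layout and the timestamps are all constructed assumptions; the RFC leaves the actual security mechanism (2.2.1) open.

```python
import hashlib
import hmac
import json
import time

# Constructed: in a real deployment the key comes from the 2.2.1 mechanism in use.
KEY = b"placeholder-shared-key"

def canonical(pkg):
    """Deterministic encoding so that sender and receiver MAC the same bytes."""
    return json.dumps(pkg, sort_keys=True, separators=(",", ":")).encode()

def sign(pkg):
    return hmac.new(KEY, canonical(pkg), hashlib.sha256).hexdigest()

class Validator:
    def __init__(self):
        self.seen = {}          # nonce -> package not_after (replay detection, 2.2.5)
        self.revoked = set()    # revoked package ids (2.3.2)

    def revoke(self, pkg_id):
        self.revoked.add(pkg_id)

    def validate(self, pkg, mac, now=None):
        """Return ("permit", live_attribute_sets) or ("deny", reason).

        Every path that is not explicitly permitted denies (2.2.9).
        """
        now = time.time() if now is None else now
        # Cheapest check first, so that a replayed flood costs little CPU (2.2.5).
        nonce = pkg.get("nonce")
        if nonce is None or nonce in self.seen:
            return "deny", "missing or replayed nonce"
        if not hmac.compare_digest(sign(pkg), mac):
            return "deny", "integrity check failed"
        # A package without a validity period is never valid (2.3.1).
        nb, na = pkg.get("not_before"), pkg.get("not_after")
        if nb is None or na is None:
            return "deny", "package carries no validity period"
        if not nb <= now < na:
            return "deny", "package outside its validity period"
        if pkg.get("id") in self.revoked:
            return "deny", "package revoked"
        # Record the nonce only once authenticated; keep it until the package
        # itself expires, after which a replay is rejected by the time check.
        self.seen[nonce] = na
        self.seen = {n: t for n, t in self.seen.items() if t > now}
        # Attribute sets may carry their own, shorter validity (2.3.3); a set
        # without one inherits the package period. Expired sets are dropped.
        live = [s for s in pkg.get("attribute_sets", [])
                if s.get("not_before", nb) <= now < s.get("not_after", na)]
        if not live:
            return "deny", "no attribute set is valid at this time"
        return "permit", live

# Constructed sample: issued at T0, valid for an hour, with one long-lived set
# and one set that is only good for a minute (e.g. a single pre-paid purchase).
T0 = 1_000_000
sample = {
    "id": "pkg-1", "nonce": "n-1", "not_before": T0, "not_after": T0 + 3600,
    "attribute_sets": [
        {"name": "groups", "values": ["staff"]},
        {"name": "one-off-purchase", "values": [1000],
         "not_before": T0, "not_after": T0 + 60},
    ],
}
sample_mac = sign(sample)

if __name__ == "__main__":
    v = Validator()
    print(v.validate(sample, sample_mac, now=T0 + 10))   # permit, both sets
    print(v.validate(sample, sample_mac, now=T0 + 10))   # deny: replayed nonce
    print(v.validate(sample, sample_mac, now=T0 + 120))  # deny: replay, even later
```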
2.3.5 It MUST be possible to support authorization decisions that produce time dependent results.

For example, an authorization result may be that service should be provided for a certain period. In such cases a AAA protocol must be able to transport this information, possibly as a specific result of the authorization decision, or as an additional "termination of service" AAA message transmitted later.

2.3.6 It MUST be possible to support models where the authorization information is issued well in advance of an authorization decision, rather than near the time of the authorization decision.

This is required in order to support pre-paid (as opposed to subscription) scenarios (e.g. for VoIP).

2.3.7 It SHOULD be possible to support models where the authorization decision is made in advance of a service request.

This is for some applications such as backup, where actions are scheduled for future dates. It also covers applications that require reservation of resources.

2.3.8 A AAA mechanism must allow time stamp information to be carried along with authorization information (e.g. for non-repudiation).

The PKIX WG is developing a time stamp protocol, which can be used as part of a non-repudiation solution. In some environments it may be necessary that certain AAA protocol messages are timestamped (by a trusted authority) and that the timestamps are forwarded in subsequent AAA messages.

2.4 Topology

2.4.1 AAA protocols MUST be able to support the use of the push, pull and agent models.

This states that a protocol that only supported one model, say pull, would not meet the requirements of all the applications. The models are defined in [FRMW].

2.4.2 In transactions/sessions which involve more than one AAA entity, each "hop" MAY use a different push/pull/agent model.

For example, in the mobile IP case, a "foreign" AAA server might pull authorization information from a broker, whereas the broker might push some authorization information to a "home" AAA server.
2.4.3 AAA protocols MUST cater for applications and services where the entities involved in the application or AAA protocols belong to different (security) domains.

This states that it must be possible for any AAA protocol message to cross security or administrative domain boundaries. Typically, different levels of security will be applied when crossing such boundaries, and accounting mechanisms may also have to be more stringent.

2.4.4 AAA protocols MUST support roaming.

Roaming here may also be thought of as "away-from-home" operation. For example, this is a fundamental requirement for the mobile IP case.

2.4.5 AAA protocols SHOULD support dynamic mobility.

Dynamic mobility here means that a client moves from one domain to another, without having to completely re-establish e.g. whatever session information is being maintained.

2.4.6 An authorization decision MAY have to be made before the requestor has any other connection to a network.

For example, this means that the requestor can't go anywhere on the network to fetch anything and must do requests via the application/service or via an intermediate AAA entity. The AAA protocol should not overexpose such a server to denial-of-service attacks.

2.4.7 AAA protocols MUST support the use of intermediate AAA entities which take part in authorization transactions but which don't "own" any of the end entities or authorization data.

In some environments (e.g. roamops), these entities are called brokers (though these are not the same as bandwidth brokers in the QoS environment).

2.4.8 AAA protocols MAY support cases where an intermediate AAA entity returns a forwarding address to a requestor or AAA entity, in order that the requestor or originating AAA entity can contact another AAA entity.

This requirement recognizes that there will be routing issues between AAA servers, and that this requires that AAA protocols are able to help with such routing. For example, in the mobile IP case, a broker may be required, in part to allow the foreign and home AAA servers to get in contact.
2.4.9 It MUST be possible for an access decision function to discover the AAA server of a requestor. If the requestor provides information used in this discovery process then the access decision function MUST be able to verify this information in a trusted manner.

This states that not only do AAA servers have to be able to find one another, but that sometimes an application entity may have to find an appropriate AAA server.

2.5 Application Proxying

2.5.1 AAA protocols MUST support cases where applications use proxies, that is, an application entity (C) originates a service request to a peer (I) and this intermediary (I) also initiates a service request on behalf of the client (C) to a final target (T). AAA protocols MUST be such that the authorization decision made at T MAY depend on the authorization information associated with C and/or with I. Such "application proxying" must not introduce new security weaknesses in the AAA protocols. There MAY be chains of application proxies of any length.

Note that this requirement addresses application layer proxying, not chains of AAA servers. For example, a chain of HTTP proxies may each want to restrict the content they serve to the "outside". As the HTTP GET message goes from HTTP proxy to HTTP proxy, this requirement states that it must be possible that the authorization decisions made at each stage can depend on the user at the browser, and not, say, solely on the previous HTTP proxy's identity. Of course, there may only be a single AAA server involved, or there may be many.

2.5.2 Where there is a chain of application proxies, the AAA message flows at each stage MAY be independent, i.e. the first hop may use the push model, the second pull, the third the agent model.

This simply restates a previous requirement (no. 2.4.7), to make it clear that this also applies when application proxying is being used.

2.6 Trust Model

2.6.1 AAA entities MUST be able to make decisions about which other AAA entities are trusted for which sorts of authorization information.

This is analogous to a requirement in public key infrastructures. Just because someone can produce a cryptographically correct public key certificate does not mean that I should trust them for anything in particular; I might trust the issuer for some purposes, but not for others.
2.6.2 AAA protocols MUST allow entities to be trusted for specific purposes; trust MUST NOT be an all-or-nothing issue.

This relates the packaging (no. 2.1.3) and trust (no. 2.6.1) requirements. For example, a AAA entity may trust some parts of an authorization package but not others.

2.6.3 A confirmation of authorization MAY be required in order to initialize or resynchronize a AAA entity.

This states that a AAA entity may need to process some AAA protocol messages in order to initialize itself. In particular, a AAA entity may need to check that a previous AAA message remains "valid", e.g. at boot-time.

2.6.4 A negation of static authorization MAY be required to shut down certain services.

This is the converse of 2.6.5 above. It means that a AAA entity may be "told" by another that a previous AAA message is no longer "valid". See also 2.3.2 and 2.7.6.

2.6.5 It MUST be possible to configure sets of AAA entities which belong to a local domain, so that they are mutually trusting, but such that any external trust MUST be via some nominated subset of those entities.

This states that for efficiency or organizational reasons, it must be possible to set up some AAA servers through which all "external" services are handled. It also states that it must be possible to do this without over-burdening the "internal-only" AAA servers with onerous security mechanisms, just because some AAA servers do have external relations.

2.6.6 Intermediate AAA entities in a chain MUST be able to refuse a connection approved by an earlier entity in the chain.

For example, in mobile IP the home network may authorize a connection, but the foreign network may refuse to allow the connection due to the settings chosen by the home network, say if the home network will refuse to pay.
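The per-purpose trust of 2.6.1 and 2.6.2, together with the foreign network's right to refuse under 2.6.6, as an added Python example that is not part of RFC 2906. The trust policy, entity names and the package contents are constructed assumptions; the point is that a part of a package from an entity not trusted for that attribute type is ignored rather than the whole package being rejected.

```python
from collections import defaultdict

# Constructed model (not from RFC 2906): a foreign AAA server keeps a trust
# policy keyed by issuing AAA entity and attribute type (2.6.1), so trust is
# scoped to a purpose instead of being all-or-nothing (2.6.2).

class TrustPolicy:
    """Maps an issuing AAA entity to the attribute types it is trusted for."""
    def __init__(self):
        self.trusted = defaultdict(set)

    def trust(self, issuer, *attr_types):
        self.trusted[issuer].update(attr_types)

    def is_trusted(self, issuer, attr_type):
        return attr_type in self.trusted.get(issuer, set())

def filter_package(policy, package):
    """Split a package into the parts the policy trusts and the parts it ignores.

    Returning the ignored parts too lets the entity log what it discarded.
    """
    accepted, ignored = [], []
    for part in package:
        target = accepted if policy.is_trusted(part["issuer"], part["type"]) else ignored
        target.append(part)
    return accepted, ignored

def foreign_decision(policy, package, will_pay_from):
    """Decision of the foreign AAA server on a roaming request (2.6.6).

    The home network may have approved, but the foreign network still refuses
    unless a trusted issuer in `will_pay_from` has asserted that it will pay.
    """
    accepted, _ = filter_package(policy, package)
    groups = {p["value"] for p in accepted if p["type"] == "group"}
    payers = {p["issuer"] for p in accepted
              if p["type"] == "payment-ok" and p["value"] is True}
    if "roaming-users" not in groups:
        return "deny"
    if not (payers & will_pay_from):
        return "deny"
    return "permit"

# Constructed policy: the home server is trusted for group and payment
# assertions; the broker only for routing hints (cf. 2.4.7, 2.4.8).
policy = TrustPolicy()
policy.trust("home.example.com", "group", "payment-ok")
policy.trust("broker.example.org", "forwarding-address")

# Constructed package as it arrives at the foreign server via the broker.
package = [
    {"issuer": "home.example.com", "type": "group", "value": "roaming-users"},
    {"issuer": "home.example.com", "type": "payment-ok", "value": True},
    {"issuer": "broker.example.org", "type": "forwarding-address",
     "value": "home.example.com"},
    # The broker also asserts a group; it is not trusted for that, so ignored.
    {"issuer": "broker.example.org", "type": "group", "value": "administrators"},
]

if __name__ == "__main__":
    acc, ign = filter_package(policy, package)
    print(len(acc), "parts accepted,", len(ign), "ignored")
    print(foreign_decision(policy, package, {"home.example.com"}))
```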
2.6.7 It SHOULD be possible to modify authorization for sessions while a session is in progress without destroying other session information.

For example, a "parent" AAA server should be able to modify the authorization state of sessions managed by a "child" AAA server, e.g. by changing the maximum number of simultaneous sessions which are allowed.
2.7 Not just transactions

2.7.1 Authorization decisions MAY be context sensitive; AAA protocols MUST enable such decisions.

This states that AAA protocols need to support cases where the authorization depends (perhaps even only depends) on the current state of the system, e.g. only seven sessions allowed, so the decision depends on the existence of six current sessions. Since this context might involve more than one service, the AAA protocol is likely to have to offer some support.

2.7.2 AAA protocols SHOULD support both the authorization of transactions and continuing authorization of sessions.

This states that AAA entities may have to maintain state and act when the state indicates some condition has been met.

2.7.3 Within a single session or transaction, it MUST be possible to interleave authentication, authorization and accounting AAA messages.

This states that e.g. a session may have to use initial authentication, authorization and accounting AAA message(s), but may also have to include e.g. re-authentication every 30 minutes, or a continuous "drip-drip" of accounting AAA messages.

2.7.4 Authorization decisions may result in a "not ready" answer.

This states that yes and no are not the only outcomes of an authorization decision. In particular, if the AAA entity cannot yet give a decision, it might have to return such a result. This is analogous to how public key certification requests are sometimes handled in PKI management protocols.

2.7.5 A AAA entity MAY re-direct a AAA request that it has received.

This states that if entity "a" asks "b", then "b" may say: "don't ask me, ask 'c'". This is analogous to HTTP re-direction (status code 307).
2.7.6 AAA protocols SHOULD allow a AAA entity to "take back" an authorization.

The expectation is that AAA protocols will support the ability of a AAA entity to signal an application or other AAA entity that an authorization (possibly previously granted by a third AAA entity) is no longer valid.
2.8 Administration

2.8.1 It MUST be possible for authorization data to be administered on behalf of the end entities and AAA entities.

This requirement indicates that administration of AAA has to be considered as part of protocol design; a AAA protocol which required all AAA entities to act independently of all other AAA entities would not meet the requirement.

2.8.2 Centralizable administration of all features SHOULD be supported.

It should be possible (if it meets the domain requirements) to centralize or distribute the administration of AAA entities.

2.8.3 AAA protocols SHOULD support cases where the user (as opposed to an administrator) authorizes a transaction.

For example, a user might want to control anti-spam measures or authorize things like a purchase. In such cases, the user is acting somewhat like an administrator.

2.8.4 One AAA entity MAY create authorization rules for another AAA entity.

This is required to properly support delegation of authority, and when allowed, this must be able to be done in a secure fashion.

2.8.5 AAA protocols SHOULD support failure recovery when one AAA entity in a chain of AAA entities that maintain state about a session fails.

For example, in a network access situation it may be required that a AAA server which has crashed be able to determine how many sessions are in progress, in order to make the "next" authorization decision.

2.8.6 It SHOULD be possible for a AAA entity to query the authorization state of another AAA entity.

This may be required as part of a failure recovery procedure.
2.8.7 AAA protocols MUST be able to support "hot fail-over" for AAA components without loss of state information.

This states that AAA protocols must be able to support cases where, when a server is no longer operable, a secondary server can automatically be brought "live" without losing important state information.

2.9 Bytes on-the-wire

2.9.1 Authorization separate from authentication SHOULD be possible when necessary, but the AAA protocols MUST also allow for a single message to request both authentication and authorization.

AAA protocols have to allow a split between authentication and authorization so that different mechanisms can be used for each. This states that sometimes both types of information need to be carried in the same message.

2.9.2 In order to minimize resource usage (e.g. reduce roundtrips) it MUST be possible to embed AAA PDUs into other protocols.

This states that the AAA protocol authorization packages must be defined so that they can also be carried in other protocols. For example, depending on AAA protocol header information in order to reference an authorization package could cause a protocol to fail to meet the requirement.

2.9.3 A AAA protocol MAY provide mechanisms for replication of authorization information.

This can be required e.g. to support resiliency in cases where hot fail-over is required. Note that AAA protocols are of course subject to normal protocol design requirements to do with reliability, single-point-of-failure etc., even though these are not all stated here.

2.9.4 A AAA protocol SHOULD allow the possibility for implementation of a gateway function between the AAA protocol and other legacy AAA related protocols.

For example, some form of support for [RFC2138] as a legacy protocol is very likely to be required. Of course, the use of such a gateway is almost certain to mean not meeting some other requirements (e.g. end-to-end security) for transactions routed through the gateway. There is no implication that such gateway functionality needs to be a separate server.
2.9.5 A AAA protocol MUST be able to support use of a wide range of primitive data types, including RFC2277.

For example, various sized, signed and unsigned integers, including multi-precision integers, will almost certainly need to be transported. Floating point support according to ANSI IEEE 754-1985 may also be required.

2.9.6 A AAA protocol transport SHOULD support being optimized for a long-term exchange of small packets in a stream between a pair of hosts.

NASes typically have a high number of transactions/second, so the AAA protocol MUST allow the flow of requests to be controlled in order for the server to make efficient use of its receive buffers.

2.9.7 A AAA protocol MUST provide support for load balancing.

In the event that a peer cannot receive any immediate requests, the AAA protocol MUST allow for an implementation to balance the load of requests among a set of peers.

2.10 Interfaces

2.10.1 It SHOULD be possible that authorization data can be used for application purposes.

For example, in web access, if the authorization data includes a group name, mechanisms to make this data available to the application so that it can modify the URL originally requested are desirable.

2.10.2 It SHOULD be possible that authorization data can be used to mediate the response to a request.

For example, with web access the clearance attribute value may affect the content of the HTTP response message.

2.10.3 AAA protocols SHOULD be able to operate in environments where requestors are not pre-registered (at least for authorization purposes, but possibly also for authentication purposes).

This is necessary to be able to scale a AAA solution where there are many requestors.

2.10.4 AAA protocols MUST be able to support a linkage between authorization and accounting mechanisms.

Motherhood and apple-pie.
2.10.5 AAA protocols MUST be able to support accountability
(audit/non-repudiation) mechanisms.

Sometimes, an authorization decision will be made where the requestor
has not authenticated. In such cases, it must be possible that the
authorization data used is linked to audit or other accountability
mechanisms. Note that this requirement does not call for mandatory
support for digital signatures, or other parts of a non-repudiation
solution.

2.11 Negotiation

2.11.1 AAA protocols MUST support the ability to refer to sets of
authorization packages in order to allow peers to negotiate a mutually
supported set.

Given that peers may support different combinations of authorization
attribute types and packages, the requirement states that negotiation
support is required to ensure that the peers use packages supported
by both peers.

2.11.2 It MUST be possible to negotiate authorization packages between
AAA entities that are not in direct communication.

This states that where, e.g. a broker is involved, the end AAA
servers might still need to negotiate.

2.11.3 Where negotiation fails to produce an acceptable mutually
supported set then access MUST be denied.

For example, a server cannot grant access if it cannot understand the
attributes of the requestor.

2.11.4 Where negotiation fails to produce an acceptable mutually
supported set then it SHOULD be possible to generate an error
indication to be sent to another AAA entity.

If negotiation fails, then some administrator intervention is probably
required, and protocol support for this should be provided.

2.11.5 It MUST be possible to pre-provision the result of a
negotiation, but in such cases, the AAA protocol MUST include explicit
confirmation of the "negotiation result".

Even if the supported packages of a peer are configured, this must be
confirmed before assuming both sides are similarly configured.
2.11.6 For each application making use of a AAA protocol, there MUST be
one inter-operable IETF standards-track specification of the
authorization package types that are "mandatory to implement".

This requirement assures that communicating peers can count on
finding at least one IETF specified inter-operable AAA authorization
dialect provided they are doing authorization for a common
application specific problem domain. This does not preclude the
negotiation of commonly understood but private AAA
authorization package types (e.g. vendor specific).

2.11.7 It SHOULD also be possible to rank AAA negotiation options in
order of preference.

This states that, when negotiating, peers must be able to indicate
preferences as well as capabilities.

2.11.8 The negotiation mechanisms used by AAA protocols SHOULD NOT be
vulnerable to a "bidding-down" attack.

A "bidding-down" attack is where an attacker forces the negotiating
parties to choose the "weakest" option available. This is analogous
to forcing 40-bit encryption on a link. The requirement states
that protocol support is needed to prevent such attacks, for example
by including the negotiation messages as part of a later MAC
calculation, if authentication has produced a shared secret.

2.11.9 A peer MUST NOT send an attribute within an authorization
package or attribute that was not agreed to by a prior AAA
negotiation. If this AAA protocol violation occurs, then it MUST be
possible to send an error indication to the misbehaving peer, and
generate an error indication to the network operator.

2.11.10 A peer MUST declare all of the sets of the authorization
packages that it understands in its initial negotiation bid message.
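The negotiation rules of section 2.11 worked through as an added example (not part of the RFC): both peers declare ranked package sets, the mutually supported choice is picked or access is denied, the transcript is bound to the authentication secret with HMAC-SHA256 as one way of meeting 2.11.8, and attributes outside the agreed package are flagged per 2.11.9. The package names, attribute sets and shared key are constructed.

```python
import hashlib
import hmac
import json

# Constructed package names and attribute sets, purely for illustration.
PACKAGE_ATTRS = {
    "mobileip-v2": {"home-agent", "care-of-addr", "lifetime"},
    "mobileip-v1": {"home-agent", "lifetime"},
    "basic": {"lifetime"},
}

def negotiate(client_bid, server_bid):
    """2.11.1/2.11.7/2.11.10: a bid lists every package the peer understands,
    ranked best first. Return the client's top-ranked package the server also
    declared, or None, in which case access MUST be denied (2.11.3)."""
    for pkg in client_bid:
        if pkg in server_bid:
            return pkg
    return None

def transcript_mac(key, client_bid, server_bid, result):
    """2.11.8: bind the whole negotiation transcript to the shared secret that
    authentication produced. A bid altered in transit changes the MAC."""
    transcript = json.dumps({"c": list(client_bid), "s": list(server_bid),
                             "r": result}, sort_keys=True).encode()
    return hmac.new(key, transcript, hashlib.sha256).digest()

def negotiation_confirmed(key, client_view, server_view):
    """Explicit confirmation (2.11.5): both sides MAC the transcript they saw
    and the values must agree."""
    return hmac.compare_digest(transcript_mac(key, *client_view),
                               transcript_mac(key, *server_view))

def undeclared_attributes(agreed_pkg, attrs):
    """2.11.9: attributes outside the agreed package are a protocol violation;
    return them so an error indication can be sent to the peer and operator."""
    return sorted(set(attrs) - PACKAGE_ATTRS[agreed_pkg])

def run_scenario(key, client_bid, server_bid, tampered_client_bid=None):
    """Return (package the server settled on, transcript MACs agree?).
    tampered_client_bid models an attacker stripping stronger options from
    the client's bid before the server sees it (a bidding-down attempt)."""
    seen_by_server = tampered_client_bid or client_bid
    server_result = negotiate(seen_by_server, server_bid)
    client_result = negotiate(client_bid, server_bid)
    confirmed = negotiation_confirmed(
        key, (client_bid, server_bid, client_result),
        (seen_by_server, server_bid, server_result))
    return server_result, confirmed
```

In the tampered run the server settles on "basic" while the client still expects "mobileip-v1", so the transcript MACs differ and the downgrade is detected before any attributes are exchanged.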
3. Security Considerations

This document includes specific security requirements above.

This document does not state any detailed requirements for the
interplay with authentication, accounting or accountability (audit).
A AAA protocol, which meets all of the above requirements, may still
leave vulnerabilities due to such interactions. Such issues must be
considered as part of AAA protocol design.
4. References

[FRMW] Vollbrecht, J., Calhoun, P., Farrell, S., Gommans, L.,
Gross, G., de Bruijn, B., de Laat, C., Holdrege, M. and D.
Spence, "AAA Authorization Framework", RFC 2904, August
2000.

[RFC2026] Bradner, S., "The Internet Standards Process -- Revision
3", BCP 9, RFC 2026, October 1996.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2138] Rigney, C., Rubens, A., Simpson, W. and S. Willens,
"Remote Authentication Dial In User Service (RADIUS)", RFC
2138, April 1997.

[RFC2277] Alvestrand, H., "IETF Policy on Character Sets and
Languages", RFC 2277, January 1998.

[SAMP] Vollbrecht, J., Calhoun, P., Farrell, S., Gommans, L.,
Gross, G., de Bruijn, B., de Laat, C., Holdrege, M. and D.
Spence, "AAA Authorization Application Examples", RFC
2905, August 2000.
Authors' Addresses

Stephen Farrell
Baltimore Technologies
61/62 Fitzwilliam Lane
Dublin 2, Ireland
Phone: +353-1-647-7300
Fax: +353-1-647-7499
EMail: stephen.farrell@baltimore.ie

John R. Vollbrecht
Interlink Networks, Inc.
775 Technology Drive, Suite 200
Ann Arbor, MI 48108
Phone: +1 734 821 1205
Fax: +1 734 821 1235
EMail: jrv@interlinknetworks.com
Pat R. Calhoun
Network and Security Research
Center, Sun Labs
Sun Microsystems, Inc.
15 Network Circle
Menlo Park, California, 94025
Phone: +1 650 786 7733
Fax: +1 650 786 6445
EMail: pcalhoun@eng.sun.com

Leon Gommans
Enterasys Networks
Kerkplein 24
2841 XM Moordrecht
The Netherlands
Phone: +31 182 379279
EMail: gommans@cabletron.com
or at University of Utrecht
l.h.m.gommans@phys.uu.nl

George M. Gross
Lucent Technologies
184 Liberty Corner Road, m.s.
LC2N-D13
Warren, NJ 07059
Phone: +1 908 580 4589
Fax: +1 908-580-4991
EMail: gmgross@lucent.com

Betty de Bruijn
Interpay Nederland B.V.
Eendrachtlaan 315
3526 LB Utrecht
The Netherlands
Phone: +31 30 2835104
EMail: betty@euronet.nl
Cees T.A.M. de Laat
Physics and Astronomy dept.
Utrecht University
Pincetonplein 5,
3584CC Utrecht
Phone: +31 30 2534585
Phone: +31 30 2537555
EMail: delaat@phys.uu.nl

Matt Holdrege
223 Ximeno Ave.
Long Beach, CA 90803
EMail: matt@ipverse.com

David W. Spence
Interlink Networks, Inc.
775 Technology Drive, Suite 200
Ann Arbor, MI 48108
Phone: +1 734 821 1203
Fax: +1 734 821 1235
EMail: dspence@interlinknetworks.com
Full Copyright Statement

Copyright (C) The Internet Society (2000). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Funding for the RFC Editor function is currently provided by the
Internet Society.