As per Relevance of the word services, we have this RFC below:

Network Working Group                                      D. Mitton
Request for Comments: 2881                                    Nortel
Category: Informational                                   M. Beadles
                                                      SmartPipes Inc
                                                           July 2000


Network Access Server Requirements Next Generation (NASREQNG)
NAS Model

Status of this Memo

This memo provides information for the Internet community. It
not specify an Internet standard of any kind. Distribution of
memo is unlimited

Copyright

Copyright (C) The Internet Society (2000). All Rights Reserved



This document describes the terminology and gives a model of
Network Access Server (NAS). The purpose of this effort is to
the reference space for describing and evaluating NAS
protocols, such as RADIUS (RFCs 2865, 2866) [1], [2] and follow-
efforts like AAA Working Group, and the Diameter protocol [3].
are protocols for carrying user service information
authentication, authorization, accounting, and auditing, between
Network Access Server which desires to authenticate its
calls and a shared authentication server

Table of Contents

1. INTRODUCTION
1.1 Scope of this Document
1.2 Specific Terminology
2. NETWORK ACCESS SYSTEM EQUIPMENT ASSUMPTIONS
3. NAS SERVICES
4. AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA) SERVERS
5. TYPICAL NAS OPERATION SEQUENCE:
5.1 Characteristics of Systems and Sessions:
5.2 Separation of NAS and AAA server functions
5.3 Network Management and Administrative features
6. AUTHENTICATION METHODS
7. SESSION AUTHORIZATION INFORMATION
8. IP NETWORK INTERACTION
9. A NAS MODEL



Mitton & Beadles Informational [Page 1]

RFC 2881 NASreq NAS Model July 2000


9.1 A Reference Model of a NAS
9.2 Terminology
9.3 Analysis
9.3.1 Authentication and Security
9.3.2 Authorization and Policy
9.3.3 Accounting and Auditing
9.3.4 Resource Management
9.3.5 Virtual Private Networks (VPN's)
9.3.6 Service Quality
9.3.7 Roaming
10. SECURITY CONSIDERATIONS
11. REFERENCES
12. ACKNOWLEDGMENTS
13. AUTHORS' ADDRESSES
14. APPENDIX - ACRONYMS AND GLOSSARY:
15. FULL COPYRIGHT STATEMENT

1. Introduction

A Network Access Server is the initial entry point to a network
the majority of users of network services. It is the first device
the network to provide services to an end user, and acts as a
for all further services. As such, its importance to users
service providers alike is paramount. However, the concept of
Network Access Server has grown up over the years without
formally defined or analyzed [4].

1.1 Scope of this Document

There are several tradeoffs taken in this document. The purpose
this document is to describe a model for evaluating NAS
protocols. It will give examples of typical NAS hardware
software features, but these are not to be taken as hard
of the model, but merely illustrative of the points of discussion
An important goal of the model is to offer a framework that
further development and expansion of capabilities in
implementation

As with most IETF projects, the focus is on standardizing
protocol interaction between the components of the system.
documents produced will not address the following areas

- AAA server back-end implementation is abstracted and
prescribed. The actual organization of the data in the server,
internal interfaces, and capabilities are left to
implementation





- NAS front-end call technology is not assumed to be static
Alternate and new technology will be accommodated. The
protocol specifications must be flexible in design to allow for
technologies and services to be added with minimal impact
existing implementations

1.2 Specific Terminology

The following terms are used in this document in this manner:
"Call" - the initiation of a network service request to the NAS
This can mean the arrival of a telephone call via a dial-in
switched telephone network connection, or the creation of a tunnel
a tunnel server which becomes a virtual NAS. A "Session" - is
NAS provided service to a specific authorized user entity

2. Network Access System Equipment Assumptions

A typical hardware-based NAS is implemented in a constrained system
It is important that the NAS protocols don't assume
resources on the part of the platform. The following are
constraints

- A computer system of minimal to moderate
(example processors: Intel 386 or 486, Motorola 68000)
- A moderate amount, but not large RAM (typically varies
supported # of ports 1MB to 8MB
- Some small amount of non-volatile memory, and/or way to
configured out-of-
- No assumption of a local file system or disk

A NAS system may consist of a system of interconnected
processor system units. Typically they may be circuit boards (
blades) that are arrayed in a card cage (or chassis) and referred
by their position (i.e., slot number). The bus
methods are typically proprietary and will not be addressed here

A NAS is sometimes referred to as a Remote Access Server (RAS) as
typically allows remote access to a network. However, a more
picture is that of an "Edge Server", where the NAS sits on the
of an IP network of some type, and allows dynamic access to it

Such systems typically have

- At least one LAN or high performance network interface (e.g.,
Ethernet, ATM, FR






- At least one, but typically many, serial interface ports,
could be
- serial RS232 ports direct wired or wired to a modem,
- have integral hardware or software modems (V.22bis,V.32, V.34,
X2, Kflex, V.90, etc.)
- have direct connections to telephone network digital WAN
(ISDN, T1, T3, NFAS, or SS7)
- an aggregation of xDSL connections or PPPoE sessions [5].

However, systems may perform some of the functions of a NAS, but
have these kinds of hardware characteristics. An example would be
industry personal computer server system, that has several modem
connections. These lines will be managed like a dedicated NAS,
the system itself is a general file server. Likewise, with
development of tunneling protocols (L2F [6], ATMP [7], L2TP [8]),
tunnel server systems must behave like a "virtual" NAS, where
calls come from the network tunneled sessions and not hardware
([11], [9], [10]).

3. NAS Services

The core of what a NAS provides, are dynamic network services.
distinguishes a NAS from a typical routing system, is that
services are provided on a per-user basis, based on an
and the service is accounted for. This accounting may lead
policies and controls to limit appropriate usage to levels based
the availability of network bandwidth, or service agreements
the user and the provider

Typical services include

- dial-up or direct access serial line access; Ability to access
network using the public telephone network
- network access (SLIP, PPP, IPX, NETBEUI, ARAP); The NAS allows
caller to access the network directly
- asynchronous terminal services (Telnet, Rlogin, LAT, others);
NAS implements the network protocol on behalf of the caller,
presents a terminal interface
- dial-out connections; Ability to cause the NAS to initiate
connection over the public telephone network, typically based on
arrival of traffic to a specific network system
- callback (NAS generates call to caller); Ability to cause the NAS
reverse or initiate a network connection based on the arrival of
dial-in call
- tunneling (from access connection to remote server); The
transports the caller's network packets over a network to a
server using an encapsulation protocol. (L2TP [8], RADIUS
[11])



4. Authentication, Authorization and Accounting (AAA) Servers

Because of the need to authenticate and account, and for
reasons of implementation, NAS systems have come to depend
external server systems to implement authentication databases
accounting recording

By separating these functions from the NAS equipment, they can
implemented in general purpose computer systems, that may
better suited long term storage media, and more
database software infrastructures. Not to mention that a
server can allow the coordinated administration of many NAS
as appropriate (for example a single server may service an entire
consisting of multiple NAS systems).

For ease of management, there is a strong desire to piggyback
authentication information with other authentication databases,
that authentication information can be managed for several
(such as OS shell login, or Web Server access) from the
provider, without creating separate passwords and accounts for
user

Session activity information is stored and processed to
accounting usage records. This is typically done with a long
(nightly, weekly or monthly) batch type process

However, as network operations grow in sophistication, there
requirements to provide real-time monitoring of port and user status
so that the state information can be used to implement
decisions, monitor user trends, and the ability to possibly
access for administrative reasons. Typically only the NAS knows
true dynamic state of a session

5. Typical NAS Operation Sequence

The following details a typical NAS operational sequence

- Call arrival on port or
- Port
- auto-detect (or not) type of
- CLI/SLIP: prompt for username and password (if
set
- PPP: engage LCP,
- Request authentication from AAA
- if okay, proceed to
- may
- may ask for password change/




- Network
- activate internal protocol server (telnet, ftp
- engage protocol's authentication
- confirm authentication information with AAA

- Call Management
- Information from the telephone system or gateway
arrives indicating that a call has been
- The AAA server is consulted using the information supplied
the telephone system (typically Called or Calling
information
- The server indicates whether to respond to the call
answering it, or by returning a busy to the caller
- The server may also need to allocate a port to receive
call, and route it accordingly

- Dial-
- packet destination matches outbound route pre-
- find profile information to setup
- Request information from AAA server for call

- VPN/Tunneling (compulsory
- authentication server identifies user as
- tunnel protocol is invoked to a remote
- authentication information may be forwarded to remote

- if successful, the local link is given a remote

- Multi-link
- after a new call is authenticated by the AAA server, if
options are present, then other bundles with the
identifying information is searched
- bundle searches are performed across multiple
- join calls that match authentication and
identities as one network addressable data source with
single network IP

- Hardwired (non-interactive)
- permanent WAN connections (Frame Relay or PSVCs
- permanent serial connections (printers

5.1 Characteristics of Systems and Sessions

Sessions must have a user identifier and authenticator to
the authentication process. Accounting starts from time of call
service, though finer details are allowed. At the end of service,
call may be disconnected or allow re-authentication for
services



Some systems allow decisions on call handling to be made based
telephone system information provided before the call is
(e.g., caller id or destination number). In such systems, calls
be busied-out or non-answered if system resources are not ready
available

Authorization to run services are supplied and applied
authentication. A NAS may abort call if session
information disagrees with call characteristics. Some
resources may be controlled by server driven

Accounting messages are sent to the accounting server when
begins, and ends, and possibly periodically during service delivery
Accounting is not necessarily a real-time service; the NAS may
queue and batch send event records

5.2 Separation of NAS and AAA server functions

As a distributed system, there is a separation of roles between
NAS and the Server

- Server provides authentication services; checks
(static or dynamic
- Server databases may be organized in any way (only
specified
- Server may use external systems to authenticate (including
user databases, token cards, one-time-lists, proxy or
means
- Server provides authorization information to
- The process of providing a service may lead to requests
additional
- Service authorization may require real-time
(services may be based on Time of Day, or variable
debits
- Session accounting information is tallied by the NAS
reported to

5.3 Network Management and Administrative features

The NAS system is presumed to have a method of configuration
allows it to know its identity and network parameters at boot time
Likewise, this configuration information is typically managed
the standard management protocols (e.g., SNMP). This would
the configuration of the parameters necessary to contact the
server itself. The purpose of the AAA server is not to
network management for the NAS, but to authorize and characterize
individual services for the users. Therefore any feature that can
user specific is open to supply from the AAA server



The system may have other operational services that are used to
and control the NAS. Some users that have _Administrative_
privileges may have access to system configuration tools, or
that affect the operation and configuration of the system (e.g.,
loading boot images, internal file system access, etc.). Access
these facilities may also be authenticated by the AAA
(provided it is configured and reachable!) and levels of
authorization may be provided

6. Authentication Methods

A NAS system typically supports a number of authentication systems
For async terminal users, these may be as simple as a prompt
input. For network datalink users, such as PPP, several
authentication methods will be supported (PAP, CHAP [12], MS-
[13]). Some of these may actually be protocols in and of
(EAP [14] [15], and Kerberos).

Additionally, the content of the authentication exchanges may not
straightforward. Hard token cards, such as the Safeword and SecurId
systems may generate one-time passphrases that must be
against a proprietary server. In the case of multi-link support,
may be necessary to remember a session token or certificate for
later authentication of additional links

In the cases of VPN and compulsory tunneling services, typically
Network Access Identifier (RFC 2486 [16]) is presented by the user
This NAI is parsed into a destination network identifier either
the NAS or by the AAA server. The authentication information
typically not be validated locally, but by a AAA service at
remote end of the tunnel service
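
An added illustration (not part of RFC 2881) of the NAI handling described above: the identifier presented by the user is split into user and realm, and the realm selects the tunnel endpoint. The realm table, endpoint names, length limit and the simplified syntax check are assumptions made for this example; RFC 2486 defines the full grammar.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Simplified syntax check (assumption: a conservative subset of the NAI grammar).
_ATOM = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]+"
_USER_RE = re.compile(rf"{_ATOM}(\.{_ATOM})*")
_LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

MAX_NAI_LEN = 253  # local policy limit chosen for this example

# Hypothetical mapping from destination realm to tunnel server.
TUNNEL_REALMS = {
    "corp.example.com": "lns1.corp.example.com",
    "partner.example.net": "lns.partner.example.net",
}


@dataclass(frozen=True)
class Route:
    action: str                      # "local-auth", "tunnel" or "reject"
    user: Optional[str] = None
    realm: Optional[str] = None
    endpoint: Optional[str] = None


REJECT = Route("reject")


def route_nai(nai: str) -> Route:
    """Decide how a call is handled from the NAI the user presented."""
    if not nai or len(nai) > MAX_NAI_LEN or not nai.isascii():
        return REJECT
    if "@" not in nai:
        # No realm: the user is authenticated by the local AAA service.
        return Route("local-auth", user=nai) if _USER_RE.fullmatch(nai) else REJECT

    # Split on the last "@"; a second "@" then lands in the user part,
    # which the user pattern refuses.
    user, _, realm = nai.rpartition("@")
    realm = realm.lower()            # realms compare case-insensitively
    if not _USER_RE.fullmatch(user):
        return REJECT
    if not all(_LABEL_RE.fullmatch(label) for label in realm.split(".")):
        return REJECT

    endpoint = TUNNEL_REALMS.get(realm)
    if endpoint is None:
        # Fail closed: an unknown realm is never silently treated as local.
        return REJECT
    # Credentials are forwarded and validated at the remote end of the tunnel.
    return Route("tunnel", user, realm, endpoint)


if __name__ == "__main__":
    for sample in ("alice@corp.example.com", "bob", "eve@unknown.example.org",
                   "a@b@corp.example.com"):   # constructed sample identifiers
        print(sample, "->", route_nai(sample))
```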

7. Session Authorization Information

Once a user has been authenticated, there are a number of
bits of information that the network management may wish to
and authorize for the given user or class of users

Typical examples include

For async terminal users

-
- custom
-
- CLI macros - which could be used for: shortcuts,
commands, restrictive




For network users

- addresses, and
- callback
- packet and activity
- network server
- host server

Some services may require dynamic allocation of resources
Information about the resources required may not be known during
authentication phase, it may come up later. (e.g., IP Addresses
multi-link bundles) It's also possible that the authorization
change over the time of the session. To provide these there has to
a division of responsibility between the NAS and the AAA server, or
cooperation using a stateful service

Such services include

- IP Address
- Concurrent login
- Tunnel usage
- Real-time account
- Call management

In the process of resolving resource information, it may be
that a certain level of service be supplied, and if not available
the request refused, or corrective action taken

8. IP Network Interaction

As the NAS participates in the IP network, it interacts with
routing mechanisms of the network itself. These interactions
also be controlled on a per-user/session basis

For example, some input streams may be directed to specific
other than the default gateway for the destination subnet. In
to control services within the network provider's infrastructure
some types of packets may be discarded (filtered) before entering
network. These filters could be applied based on examination
destination address and port number. Anti-spoofing packet
may be applied to disallow traffic sourced from addresses other
what was assigned to the port
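
An added sketch (not part of RFC 2881) of the per-session ingress checks described above: anti-spoofing against the address assigned to the port, then filters on destination address and port. The rule format, verdict strings, addresses and sample packets are constructed for this example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class DenyRule:
    network: Network                 # destination prefix to filter
    port: Optional[int] = None       # None matches any destination port


@dataclass
class Session:
    port_id: str                     # NAS port the call arrived on
    assigned: Address                # address handed to this session
    deny: List[DenyRule] = field(default_factory=list)


def check_ingress(session: Session, src: str, dst: str, dport: int) -> str:
    """Return the verdict for one packet arriving from the access link."""
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return "drop:malformed"
    # Anti-spoofing: the only acceptable source is the assigned address.
    if src_ip != session.assigned:
        return "drop:spoofed-source"
    # Filters on destination address and port, applied per session.
    for rule in session.deny:
        if dst_ip in rule.network and rule.port in (None, dport):
            return "drop:filtered"
    return "forward"


def audit(session: Session, packets: List[Tuple[str, str, int]]) -> Counter:
    """Tally verdicts so drops can be reported alongside session accounting."""
    return Counter(check_ingress(session, *pkt) for pkt in packets)


# Constructed session: documentation-range addresses, hypothetical policy.
SESSION = Session(
    port_id="slot3/port17",
    assigned=ipaddress.ip_address("192.0.2.10"),
    deny=[
        DenyRule(ipaddress.ip_network("198.51.100.0/24"), 25),
        DenyRule(ipaddress.ip_network("10.0.0.0/8")),
    ],
)

# Constructed sample packets: (source, destination, destination port).
PACKETS = [
    ("192.0.2.10", "203.0.113.5", 80),
    ("192.0.2.99", "203.0.113.5", 80),     # source not assigned to this port
    ("192.0.2.10", "198.51.100.7", 25),    # filtered address and port
    ("192.0.2.10", "198.51.100.7", 443),   # same host, port not filtered
    ("192.0.2.10", "10.1.2.3", 53),        # filtered prefix, any port
    ("not-an-ip", "203.0.113.5", 80),
]

if __name__ == "__main__":
    print(dict(audit(SESSION, PACKETS)))
```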

A NAS may also be an edge router system, and apply Quality of
(QoS) policies to the packets. This makes it a QoS
Enforcement Point [19], [17]. It may learn QoS and other
policies for the user via the AAA service




9. A NAS Model

So far we have looked at examples of things that NASes do.
following attempts to define a NAS model that captures
fundamentals of NAS structure to better categorize how it
with other network components

A Network Access Server is a device which sits on the edge of
network, and provides access to services on that network in
controlled fashion, based on the identity of the user of the
services in question and on the policy of the provider of
services. For the purposes of this document, a Network Access
is defined primarily as a device which accepts multiple point-to
point [18] links on one set of interfaces, providing access to
routed network or networks on another set of interfaces

Note that there are many things that a Network Access Server is not
A NAS is not simply a router, although it will typically
routing functionality in its interface to the network. A NAS is
necessarily a dial access server, although dial access is one
means of network access, and brings its own particular set
requirements to NAS's

A NAS is the first device in the IP network to provide services to
end user, and acts as a gateway for all further services. It is
point at which users are authenticated, access policy is enforced
network services are authorized, network usage is audited,
resource consumption is tracked. That is, a NAS often acts as
policy enforcement point for network AAAA (authentication
authorization, accounting, and auditing) services. A NAS
typically the first place in a network where security measures
policy may be implemented

9.1 A Reference Model of a NAS

For reference in the following discussion, a diagram of a NAS,
dependencies, and its interfaces is given below. This diagram
intended as an abstraction of a NAS as a reference model, and is
intended to represent any particular NAS implementation












                       v v v v v v
                       | | PSTN | |
                       | |  or  | |
                       |
                    +-----------------+
                    |    (Modems)     |
                    +-----------------+
                       | | | | | | |
             +--+----------------------------+
             |  |                            |
             |N |     Client Interface       |
             |  |                            |
             |A +----------Routing ----------+
             |  |                            |
             |S |     Network Interface      |
             |  |                            |
             +--+----------------------------+
                     /       |       \
                    /        |        \
                   /         |         \
                  /          |          \
POLICY MANAGEMENT/           |           \  DEVICE
+---------------+            |            +-------------------+
| Authentication|          _/^\_          |Device Provisioning|
+---------------+        _/     \_        +-------------------+
| Authorization |      _/         \_      |Device Monitoring  |
+---------------+    _/             \_    +-------------------+
| Accounting    |   /       The       \
+---------------+   \_  Network(s)   _/
| Auditing      |     \_           _/
+---------------+       \_       _/
                          \_   _/
                            \_/

9.2 Terminology

Following is a description of the modules and interfaces in
reference model for a NAS given above

Client Interfaces - A NAS has one or more client interfaces,
provide the interface to the end users who are requesting
access. Users may connect to these client interfaces via
over a PSTN, or via tunnels over a data network. Two
classes of NAS's may be defined, based on the nature of
incoming client interfaces, as follows. Note that a single
device may serve in both classes




Dial Access Servers - A Dial Access Server is a NAS whose
interfaces consist of modems, either local or remote, which
attached to a PSTN

Tunnel Servers - A Tunnel Server is a NAS whose client
consists of tunneling endpoints in a protocol such as L2

Network Interfaces - A NAS has one or more network interfaces,
connect to the networks to which access is being granted

Routing - If the network to which access is being granted is a
network, then a NAS will typically include routing functionality

Policy Management Interface - A NAS provides an interface
allows access to network services to be managed on a per-
basis. This interface may be a configuration file, a
user interface, an API, or a protocol such as RADIUS, Diameter,
COPS [19]. This interface provides a mechanism for
resource management and policy enforcement

Authentication - Authentication refers to the confirmation that
user who is requesting services is a valid user of the
services requested. Authentication is accomplished via
presentation of an identity and credentials. Examples of types
credentials are passwords, one-time tokens, digital certificates
and phone numbers (calling/called).

Authorization - Authorization refers to the granting of
types of service (including "no service") to a user, based
their authentication, what services they are requesting, and
current system state. Authorization may be based on restrictions
for example time-of-day restrictions, or physical
restrictions, or restrictions against multiple logins by the
user. Authorization determines the nature of the service which
granted to a user. Examples of types of service include, but
not limited to: IP address filtering, address assignment,
assignment, QoS/differential services, bandwidth control/
management, compulsory tunneling to a specific endpoint,
encryption

Accounting - Accounting refers to the tracking of the consumption
NAS resources by users. This information may be used
management, planning, billing, or other purposes. Real-
accounting refers to accounting information that is
concurrently with the consumption of the resources.
accounting refers to accounting information that is saved until
is delivered at a later time. Typical information that
gathered in accounting is the identity of the user, the nature
the service delivered, when the service began, and when it ended

Auditing - Auditing refers to the tracking of activity by users.
opposed to accounting, where the purpose is to track
of resources, the purpose of auditing is to determine the
of a user's network activity. Examples of auditing
include the identity of the user, the nature of the services used
what hosts were accessed when, what protocols were used, etc

AAAA Server - An AAAA Server is a server or servers that
authentication, authorization, accounting, and auditing services
These may be co-located with the NAS, or more typically,
located on a separate server and communicate with the NAS's
Management Interface via an AAAA protocol. The four
functions may be located on a single server, or may be broken
among multiple servers

Device Management Interface - A NAS is a network device which
owned, operated, and managed by some entity. This
provides a means for this entity to operate and manage the NAS
This interface may be a configuration file, a graphical
interface, an API, or a protocol such as SNMP [20].

Device Monitoring - Device monitoring refers to the tracking
status, activity, and usage of the NAS as a network device

Device Provisioning - Device provisioning refers to
configurations, settings, and control of the NAS as a
device

9.3 Analysis

Following is an analysis of the functions of a NAS using
reference model above

9.3.1 Authentication and Security

NAS's serve as the first point of authentication for network users
providing security to user sessions. This security is
performed by checking credentials such as a PPP PAP
name/password pair or a PPP CHAP user name and challenge/response
but may be extended to authentication via telephone
information, digital certificates, or biometrics. NAS's also
authenticate themselves to users. Since a NAS may be shared
multiple administrative entities, authentication may actually
performed via a back-end proxy, referral, or brokering process
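
An added example (not part of RFC 2881) of the PPP CHAP challenge/response check mentioned above, using the RFC 1994 computation: MD5 over the Identifier octet, the shared secret and the challenge. The class name, the in-memory secret table and the sample secret are constructed; the example keeps the secret beside the challenge for brevity, whereas in the model described here the NAS would pass challenge and response to the AAA server for checking.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Issues one-time challenges and verifies the peer's response."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self._secrets = secrets
        self._pending: Dict[int, bytes] = {}   # identifier -> outstanding challenge
        self._next_id = 0

    def new_challenge(self) -> Tuple[int, bytes]:
        ident = self._next_id
        self._next_id = (ident + 1) % 256
        # Unpredictable and fresh per attempt, so a captured response
        # is useless against any later challenge.
        challenge = os.urandom(16)
        self._pending[ident] = challenge
        return ident, challenge

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        # pop() makes each challenge single-use: a replayed response finds
        # no outstanding challenge and is refused.
        challenge = self._pending.pop(ident, None)
        if challenge is None:
            return False
        secret = self._secrets.get(name)
        # Unknown users are checked against a random secret so that both
        # paths do the same work.
        expected = chap_response(
            ident, secret if secret is not None else os.urandom(16), challenge
        )
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(expected, response) and secret is not None


def demo() -> Dict[str, bool]:
    secret = b"constructed-shared-secret"        # sample value for this example
    auth = ChapAuthenticator({"alice": secret})

    ident, challenge = auth.new_challenge()
    good = chap_response(ident, secret, challenge)
    results = {"valid": auth.verify(ident, "alice", good)}
    results["replayed"] = auth.verify(ident, "alice", good)

    ident, challenge = auth.new_challenge()
    results["old_response_new_challenge"] = auth.verify(ident, "alice", good)

    ident, challenge = auth.new_challenge()
    wrong = chap_response(ident, b"wrong-secret", challenge)
    results["wrong_secret"] = auth.verify(ident, "alice", wrong)

    ident, challenge = auth.new_challenge()
    results["unknown_user"] = auth.verify(
        ident, "mallory", chap_response(ident, secret, challenge)
    )
    return results


if __name__ == "__main__":
    print(demo())
```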



In addition to user security, NAS's may themselves be operated
secure devices. This may include secure methods of management
monitoring, use of IP Security [21] and even participation in
Public Key Infrastructure

9.3.2 Authorization and Policy

NAS's are the first point of authorization for usage of
resources, and NAS's serve as policy enforcement points for
services that they deliver to users. NAS's may provision
services to users in a statically or dynamically configured fashion
Resource management can be performed at a NAS by granting
types of service based on the current network state. In the case
shared operation, NAS policy may be determined based on the policy
multiple end systems

9.3.3 Accounting and Auditing

Since NAS services are consumable resources, usage information
often be collected for the purposes of soft policy management
reporting, planning, and accounting. A dynamic, real-time view
NAS usage is often required for network auditing purposes. Since
NAS may be shared among multiple administrative entities,
information must often be delivered to multiple endpoints
Accounting is performed using such protocols as RADIUS [2].

9.3.4 Resource Management

NAS's deliver resources to users, often in a dynamic fashion
Examples of the types of resources doled out by NAS's are
addresses, network names and name server identities, tunnels,
PSTN resources such as phone lines and numbers. Note that NAS's
be operated in an outsourcing model, where multiple entities
competing for the same resources

9.3.5 Virtual Private Networks (VPN's)

NAS's often participate in VPN's, and may serve as the means by
VPN's are implemented. Examples of the use of NAS's in VPN's are
Dial Access Servers that build compulsory tunnels, Dial
Servers that provide services to voluntary tunnelers, and
Servers that provide tunnel termination services. NAS's
simultaneously provide VPN and public network services to
users, based on policy and user identity







9.3.6 Service Quality

A NAS may deliver different qualities, types, or levels of
to different users based on policy and identity. NAS's may
bandwidth management, allow differential speeds or methods of access
or even participate in provisioned or signaled Quality of
(QoS) networks

9.3.7 Roaming

NAS's are often operated in a shared or outsourced manner, or a
operator may enter into agreements with other service providers
grant access to users from these providers (roaming operations).
NAS's often are operated as part of a global network. All
imply that a NAS often provides services to users from
administrative domains simultaneously. The features of NAS's
therefore be driven by requirements of roaming [22].

10. Security Considerations

This document describes a model not a particular solution

As mentioned in section 9.3.1 and elsewhere, NAS'es are
about the security of several aspects of their operation, including

- Providing sufficiently robust authentication techniques
required by network policies
- NAS authentication of configured authentication server(s),
- Server ability to authenticate configured clients
- Hiding of the authentication information from network
to protect from attacks and provide user privacy
- Protecting the integrity of message exchanges from
such as replay or man-in-the-middle
- Inability of other hosts to interfere with services
to NAS, or gain unauthorized services
- Inability of other hosts to probe or guess at
information
- Protection of NAS system configuration and administration
unauthorized
- Protection of the network from illegal packets sourced
accessing










11. References

[1] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "
Authentication Dial In User Service (RADIUS)", RFC 2865,
2000.

[2] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[3] Calhoun, P., "Diameter Base Protocol", Work in Progress

[4] Zorn, G., "Yet Another Authentication Protocol (YAAP)", Work
Progress

[5] Mamakos, L., Lidl, K., Evarts, K., Carrel, D., Simone, D. and R
Wheeler, "A Method for Transmitting PPP Over Ethernet (PPPoE)",
RFC 2516, February 1999.

[6] Valencia, A., Littlewood, M. and T. Kolar, "Cisco Layer
Forwarding (Protocol) L2F", RFC 2341, May 1998.

[7] Hamzeh, K., "Ascend Tunnel Management Protocol - ATMP",
2107, February 1997.

[8] Valencia, A., Townsley, W., Rubens, A., Pall, G., Zorn, G.,
B. Palter, "Layer Two Tunneling Protocol (L2TP)", RFC 2661,
August 1999.

[9] Zorn, G., Leifer, D., Rubens, A., Shriver, J. and M. Holdrege
"RADIUS Attributes for Tunnel Protocol Support", RFC 2868,
2000.

[10] Zorn, G., Aboba, B. and D. Mitton, "RADIUS
Modifications for Tunnel Protocol Support", RFC 2867, June 2000.

[11] Aboba, B. and G. Zorn, "Implementation of PPTP/L2TP
Tunneling via RADIUS", RFC 2809, April 2000.

[12] Simpson, W., "PPP Challenge Handshake Authentication
(CHAP)", RFC 1994, August 1996.

[13] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", RFC 2433,
March 1998.

[14] Blunk, L. and J. Vollbrecht, "PPP Extensible
Protocol (EAP)", RFC 2284, March 1998.

[15] Calhoun, et al., "Extensible Authentication Protocol Support
RADIUS", Work in Progress



[16] Aboba, B. and M. Beadles, "The Network Access Identifier",
2486, January 1999.

[17] Braden, R., Zhang, L., Berson, S., Herzog, S. and S. Jamin
"Resource ReSerVation Protocol (RSVP) Version 1
Specification", RFC 2205, September 1997.

[18] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)",
51, RFC 1661, July 1994.

[19] Boyle, J., Cohen, R., Durham, D., Herzog, S., Raja, R. and A
Sastry. "The COPS (Common Open Policy Service) Protocol",
2748, January 2000.

[20] Case, J., Fedor, M., Schoffstall, M. and J. Davin. "A
Network Management Protocol (SNMP)", STD 15, RFC 1157, May 1990.

[21] Atkinson, R. and S. Kent, "Security Architecture for
Internet Protocol", RFC 2401, November 1998.

[22] Aboba, Zorn, "Dialup Roaming Requirements", Work in Progress

12. Acknowledgments

This document is a synthesis of my earlier draft and Mark Beadles
NAS Reference Model draft

13. Authors' Addresses

David Mitton
Nortel
880 Technology Park
Billerica, MA 01821

Phone: 978-288-4570
EMail: dmitton@nortelnetworks.


Mark Beadles
SmartPipes Inc
545 Metro Place
Suite 100
Dublin, OH 43017

Phone: 614-327-8046
EMail: mbeadles@smartpipes.





14. Appendix - Acronyms and Glossary

AAA - Authentication, Authorization, Accounting, The three
services required by a NAS server or protocol

NAS - Network Access Server, a system that provides access to
network. In some cases also known as a RAS, Remote Access Server

CLI - Command Line Interface, an interface to a command line
for use with a common asynchronous terminal facility

SLIP - Serial Line Internet Protocol, an IP-only serial datalink
predecessor to PPP

PPP - Point-to-Point Protocol; a serial datalink level protocol
supports IP as well as other network protocols. PPP has three
states of operation: LCP - Link layer Control Protocol
Authentication, of which there are several types (PAP, CHAP, EAP),
and NCP - Network layer Control Protocol, which negotiates
network layer parameters for each of the protocols in use

IPX - Novell's NetWare transport

NETBEUI - A Microsoft/IBM LAN protocol used by Microsoft
services and the NETBIOS applications programming interface

ARAP - AppleTalk Remote Access

LAT - Local Area Transport; a Digital Equipment Corp. LAN
for terminal services

PPPoE - PPP over Ethernet; a protocol that forwards PPP frames on
LAN infrastructure. Often used to aggregate PPP streams at a
server bank

VPN - Virtual Private Network; a term for networks that appear to
private to the user by the use of tunneling techniques

FR - Frame Relay, a synchronous WAN protocol and telephone
intraconnect service

PSVC - Permanent Switched Virtual Circuit - a service which
a virtual permanent circuit by a switched network

PSTN - Public Switched Telephone






ISDN - Integrated Services Digital Network, a telephone
facility for transmitting digital and analog information over
digital network connection. A NAS may have the ability to
the information from the telephone network in digital form

ISP - Internet Service Provider; a provider of Internet access (
Network Service Provider, NSP).

BRI - Basic Rate Interface; a digital telephone interface

PRI - Primary Rate Interface; a digital telephone interface of 64
bits per second

T1 - A digital telephone interface which provides 24-36 channels
PRI data and one control channel (2.048 Mbps).

T3 - A digital telephone interface which provides 28 T1 services
Signalling control for the entire connection is provided on
dedicated in-band channel

NFAS - Non-Facility Associated Signaling, a telephone
protocol/service for providing call information on a separate
connection from the call itself. Used with multiple T1 or T
connections

SS7 - A telephone network protocol for communicating call
information on a separate data network from the voice network

POP - Point Of Presence; a geographic location of equipment
interconnection to the network. An ISP typically manages
equipment in a single POP in a similar manner

VSA - Vendor Specific Attributes; RADIUS attributes defined
vendors using the provision of attribute 26.

















15. Full Copyright

Copyright (C) The Internet Society (2000). All Rights Reserved

This document and translations of it may be copied and furnished
others, and derivative works that comment on or otherwise explain
or assist in its implementation may be prepared, copied,
and distributed, in whole or in part, without restriction of
kind, provided that the above copyright notice and this paragraph
included on all such copies and derivative works. However,
document itself may not be modified in any way, such as by
the copyright notice or references to the Internet Society or
Internet organizations, except as needed for the purpose
developing Internet standards in which case the procedures
copyrights defined in the Internet Standards process must
followed, or as required to translate it into languages other
English

The limited permissions granted above are perpetual and will not
revoked by the Internet Society or its successors or assigns

This document and the information contained herein is provided on
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE



Funding for the RFC Editor function is currently provided by
Internet Society


















