Network Working Group B. Aboba
Request for Comments: 2486 Microsoft
Category: Standards Track M. Beadles
WorldCom Advanced Networks
January 1999
Network Working Group B. Aboba
Request for Comments: 2486 Microsoft
Category: Standards Track M. Beadles
WorldCom Advanced Networks
January 1999
The Network Access Identifier
网络访问标识符
Status of this Memo
本备忘录的状况
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (1999). All Rights Reserved.
版权所有(C)互联网协会(1999年)。版权所有。
In order to enhance the interoperability of roaming and tunneling services, it is desirable to have a standardized method for identifying users. This document proposes syntax for the Network Access Identifier (NAI), the userID submitted by the client during PPP authentication. It is expected that this will be of interest for support of roaming as well as tunneling. "Roaming capability" may be loosely defined as the ability to use any one of multiple Internet service providers (ISPs), while maintaining a formal, customer-vendor relationship with only one. Examples of where roaming capabilities might be required include ISP "confederations" and ISP-provided corporate network access support.
为了增强漫游和隧道服务的互操作性,需要一种识别用户的标准化方法。本文档提出了网络访问标识符(NAI)的语法,即客户端在PPP身份验证期间提交的用户ID。预计这将有助于支持漫游和隧道。“漫游能力”可以粗略地定义为能够使用多个互联网服务提供商(ISP)中的任何一个,同时只与一个ISP保持正式的客户-供应商关系。可能需要漫游功能的示例包括ISP“联盟”和ISP提供的公司网络访问支持。
Considerable interest has arisen recently in a set of features that fit within the general category of "roaming capability" for dialup Internet users. Interested parties have included:
最近,人们对一系列适合拨号上网用户的“漫游能力”的功能产生了极大的兴趣。有关人士包括:
Regional Internet Service Providers (ISPs) operating within a particular state or province, looking to combine their efforts with those of other regional providers to offer dialup service over a wider area.
区域互联网服务提供商(ISP)在特定州或省内运营,希望与其他区域提供商合作,在更大范围内提供拨号服务。
National ISPs wishing to combine their operations with those of one or more ISPs in another nation to offer more comprehensive dialup service in a group of countries or on a continent.
希望将其业务与另一个国家的一家或多家ISP的业务结合起来,以便在一组国家或一个大陆上提供更全面的拨号服务的国家ISP。
Businesses desiring to offer their employees a comprehensive package of dialup services on a global basis. Those services may include Internet access as well as secure access to corporate intranets via a Virtual Private Network (VPN), enabled by tunneling protocols such as PPTP, L2F, L2TP, and IPSEC tunnel mode.
希望在全球范围内为员工提供全面的拨号服务的企业。这些服务可以包括因特网接入以及通过虚拟专用网(VPN)对公司内部网的安全接入,该虚拟专用网由隧道协议(如PPTP、L2F、L2TP和IPSEC隧道模式)启用。
In order to enhance the interoperability of roaming and tunneling services, it is desirable to have a standardized method for identifying users. This document proposes syntax for the Network Access Identifier (NAI). Examples of implementations that use the NAI, and descriptions of its semantics, can be found in [1].
为了增强漫游和隧道服务的互操作性,需要一种识别用户的标准化方法。本文档提出了网络访问标识符(NAI)的语法。使用NAI的实现示例及其语义描述见[1]。
This document frequently uses the following terms:
本文件经常使用以下术语:
Network Access Identifier The Network Access Identifier (NAI) is the userID submitted by the client during PPP authentication. In roaming, the purpose of the NAI is to identify the user as well as to assist in the routing of the authentication request. Please note that the NAI may not necessarily be the same as the user's e-mail address or the userID submitted in an application layer authentication.
网络访问标识符网络访问标识符(NAI)是客户端在PPP身份验证期间提交的用户ID。在漫游中,NAI的目的是识别用户以及协助认证请求的路由。请注意,NAI不一定与应用层身份验证中提交的用户电子邮件地址或用户ID相同。
Network Access Server The Network Access Server (NAS) is the device that clients dial in order to get access to the network. In PPTP terminology this is referred to as the PPTP Access Concentrator (PAC), and in L2TP terminology, it is referred to as the L2TP Access Concentrator (LAC).
网络访问服务器网络访问服务器(NAS)是客户端拨号以访问网络的设备。在PPTP术语中,这被称为PPTP接入集中器(PAC),在L2TP术语中,它被称为L2TP接入集中器(LAC)。
Roaming Capability Roaming capability can be loosely defined as the ability to use any one of multiple Internet service providers (ISPs), while maintaining a formal, customer-vendor relationship with only one. Examples of cases where roaming capability might be required include ISP "confederations" and ISP-provided corporate network access support.
漫游能力漫游能力可以粗略地定义为能够使用多个互联网服务提供商(ISP)中的任何一个,同时只与一个ISP保持正式的客户-供应商关系。可能需要漫游功能的案例包括ISP“联盟”和ISP提供的公司网络访问支持。
Tunneling Service A tunneling service is any network service enabled by tunneling protocols such as PPTP, L2F, L2TP, and IPSEC tunnel mode. One example of a tunneling service is secure access to corporate intranets via a Virtual Private Network (VPN).
隧道服务隧道服务是通过隧道协议(如PPTP、L2F、L2TP和IPSEC隧道模式)启用的任何网络服务。隧道服务的一个示例是通过虚拟专用网络(VPN)安全访问公司内部网。
In this document, the key words "MAY", "MUST, "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as described in [9].
在本文件中,关键词“可能”、“必须”、“不得”、“可选”、“建议”、“应该”和“不应该”的解释如[9]所述。
As described in [1], there are now a number of services implementing dialup roaming, and the number of Internet Service Providers involved in roaming consortia is increasing rapidly.
如[1]所述,现在有许多服务实现拨号漫游,参与漫游联盟的互联网服务提供商数量正在迅速增加。
In order to be able to offer roaming capability, one of the requirements is to be able to identify the user's home authentication server. For use in roaming, this function is accomplished via the Network Access Identifier (NAI) submitted by the user to the NAS in the initial PPP authentication. It is also expected that NASes will use the NAI as part of the process of opening a new tunnel, in order to determine the tunnel endpoint.
为了能够提供漫游功能,其中一个要求是能够识别用户的家庭身份验证服务器。对于漫游,此功能通过用户在初始PPP身份验证中提交给NAS的网络访问标识符(NAI)实现。此外,预计NASes将使用NAI作为打开新隧道过程的一部分,以确定隧道终点。
As proposed in this document, the Network Access Identifier is of the form user@realm. Please note that while the user portion of the NAI conforms to the BNF described in [5], the BNF of the realm portion allows the realm to begin with a digit, which is not permitted by the BNF described in [4]. This change was made to reflect current practice; although not permitted by the BNF described in [4], FQDNs such as 3com.com are commonly used, and accepted by current software.
如本文件所述,网络访问标识符的形式如下user@realm. 请注意,虽然NAI的用户部分符合[5]中描述的BNF,但领域部分的BNF允许领域以数字开头,这是[4]中描述的BNF所不允许的。这一变化是为了反映当前的做法;尽管[4]中所述的BNF不允许使用FQDN,但诸如3com.com等FQDN是常用的,并为当前软件所接受。
Please note that NAS vendors may need to modify their devices so as to support the NAI as described in this document. Devices handling NAIs MUST support an NAI length of at least 72 octets.
请注意,NAS供应商可能需要修改其设备以支持本文档中所述的NAI。处理NAI的设备必须支持至少72个八位字节的NAI长度。
The grammar for the NAI is given below, described in ABNF as documented in [7]. The grammar for the username is taken from [5], and the grammar for the realm is an updated version of [4].
NAI的语法如下所示,如[7]所述,在ABNF中描述。用户名的语法取自[5],领域的语法是[4]的更新版本。
nai = username / ( username "@" realm )
nai = username / ( username "@" realm )
username = dot-string
username = dot-string
realm = realm "." label
领域=领域“.”标签
label = let-dig * (ldh-str)
label=let dig*(ldh str)
ldh-str = *( Alpha / Digit / "-" ) let-dig
ldh-str = *( Alpha / Digit / "-" ) let-dig
dot-string = string / ( dot-string "." string )
点字符串=字符串/(点字符串“.”字符串)
string = char / ( string char )
字符串=字符/(字符串字符)
char = c / ( "\" x )
char=c/(“\”x)
let-dig = Alpha / Digit
let-dig = Alpha / Digit
Alpha = %x41-5A / %x61-7A ; A-Z / a-z
Alpha = %x41-5A / %x61-7A ; A-Z / a-z
Digit = %x30-39 ;0-9
Digit = %x30-39 ;0-9
c = < any one of the 128 ASCII characters, but
not any special or SP >
c = < any one of the 128 ASCII characters, but
not any special or SP >
x = %x00-7F
; all 127 ASCII characters, no exception
x = %x00-7F
; all 127 ASCII characters, no exception
SP = %x20 ; Space character
SP = %x20 ; Space character
special = "<" / ">" / "(" / ")" / "[" / "]" / "\" / "."
/ "," / ";" / ":" / "@" / %x22 / Ctl
special = "<" / ">" / "(" / ")" / "[" / "]" / "\" / "."
/ "," / ";" / ":" / "@" / %x22 / Ctl
Ctl = %x00-1F / %x7F
; the control characters (ASCII codes 0 through 31
; inclusive and 127)
Ctl = %x00-1F / %x7F
; the control characters (ASCII codes 0 through 31
; inclusive and 127)
Examples of valid Network Access Identifiers include:
有效网络访问标识符的示例包括:
fred@3com.com
fred@foo-9.com
fred_smith@big-co.com
fred=?#$&*+-/^smith@bigco.com
fred@bigco.com
nancy@eng.bigu.edu
eng!nancy@bigu.edu
eng%nancy@bigu.edu
fred@3com.com
fred@foo-9.com
fred_smith@big-co.com
fred=?#$&*+-/^smith@bigco.com
fred@bigco.com
nancy@eng.bigu.edu
eng!nancy@bigu.edu
eng%nancy@bigu.edu
Examples of invalid Network Access Identifiers include:
无效网络访问标识符的示例包括:
fred@foo
fred@foo_9.com
@howard.edu
fred@bigco.com@smallco.com
eng:nancy@bigu.edu
eng;nancy@bigu.edu
<nancy>@bigu.edu
fred@foo
fred@foo_9.com
@howard.edu
fred@bigco.com@smallco.com
eng:nancy@bigu.edu
eng;nancy@bigu.edu
<nancy>@bigu.edu
[1] Aboba, B., Lu J., Alsop J., Ding J. and W. Wang, "Review of Roaming Implementations", RFC 2194, September 1997.
[1] Aboba,B.,Lu J.,Alsop J.,Ding J.和W.Wang,“漫游实现的回顾”,RFC 2194,1997年9月。
[2] Rigney C., Rubens A., Simpson W. and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997.
[2] Rigney C.,Rubens A.,Simpson W.和S.Willens,“远程认证拨入用户服务(RADIUS)”,RFC 21381997年4月。
[3] Rigney C., "RADIUS Accounting", RFC 2139, April 1997.
[3] Rigney C.“半径会计”,RFC 2139,1997年4月。
[4] Mockapetris, P., "Domain Names - Implementation and Specification", STD 13, RFC 1035, November 1987.
[4] Mockapetris,P.,“域名-实现和规范”,STD 13,RFC 10351987年11月。
[5] Postel, J., "Simple Mail Transfer Protocol", STD 10, RFC 821, August 1982.
[5] Postel,J.,“简单邮件传输协议”,STD 10,RFC 821,1982年8月。
[6] Gulbrandsen A. and P. Vixie, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2052, October 1996.
[6] Gulbrandsen A.和P.Vixie,“用于指定服务位置(DNS SRV)的DNS RR”,RFC 2052,1996年10月。
[7] Crocker, D. and P. Overrell, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, November 1997.
[7] Crocker,D.和P.Overrell,“语法规范的扩充BNF:ABNF”,RFC 2234,1997年11月。
[8] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.
[8] Kent,S.和R.Atkinson,“互联网协议的安全架构”,RFC 2401,1998年11月。
[9] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[9] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
Since an NAI reveals the home affiliation of a user, it may assist an attacker in further probing the username space. Typically this problem is of most concern in protocols which transmit the user name in clear-text across the Internet, such as in RADIUS, described in [2] and [3]. In order to prevent snooping of the user name, protocols may use confidentiality services provided by IPSEC, described in [8].
由于NAI揭示了用户的家庭从属关系,因此它可能有助于攻击者进一步探测用户名空间。通常,这个问题在通过互联网以明文形式传输用户名的协议中最受关注,如[2]和[3]中所述的RADIUS协议。为了防止窥探用户名,协议可以使用IPSEC提供的保密服务,如[8]所述。
This document defines a new namespace that will need to be administered, namely the NAI realm namespace. In order to to avoid creating any new administrative procedures, administration of the NAI realm namespace will piggyback on the administration of the DNS namespace.
本文档定义了一个需要管理的新名称空间,即NAI领域名称空间。为了避免创建任何新的管理过程,NAI领域名称空间的管理将依靠DNS名称空间的管理。
NAI realm names are required to be unique and the rights to use a given NAI realm for roaming purposes are obtained coincident with acquiring the rights to use a particular fully qualified domain name (FQDN). Those wishing to use an NAI realm name should first acquire the rights to use the corresponding FQDN. Using an NAI realm without ownership of the corresponding FQDN creates the possibility of conflict and therefore is to be discouraged.
NAI域名必须是唯一的,并且在获得使用特定完全限定域名(FQDN)的权利的同时,还可以获得为漫游目的使用给定NAI域名的权利。希望使用NAI领域名称的用户应首先获得使用相应FQDN的权限。使用没有相应FQDN所有权的NAI领域可能会产生冲突,因此不鼓励使用。
Note that the use of an FQDN as the realm name does not imply use of the DNS for location of the authentication server or for authentication routing. Since to date roaming has been implemented on a relatively small scale, existing implementations typically handle location of authentication servers within a domain and perform authentication routing based on local knowledge expressed in proxy configuration files. The implementations described in [1] have not found a need for use of DNS for location of the authentication server within a domain, although this can be accomplished via use of the DNS SRV record, described in [6]. Similarly, existing implementations have not found a need for dynamic routing protocols, or propagation of global routing information. Note also that there is no requirement that the NAI represent a valid email address.
请注意,使用FQDN作为域名称并不意味着将DNS用于身份验证服务器的位置或身份验证路由。由于迄今为止漫游的实现规模相对较小,因此现有实现通常处理域内身份验证服务器的位置,并基于代理配置文件中表示的本地知识执行身份验证路由。[1]中描述的实现没有发现需要使用DNS来定位域中的认证服务器,尽管这可以通过使用[6]中描述的DNS SRV记录来实现。类似地,现有的实现没有发现对动态路由协议或全局路由信息传播的需求。还要注意的是,没有要求NAI代表有效的电子邮件地址。
Thanks to Glen Zorn of Microsoft for many useful discussions of this problem space.
感谢微软的格伦·佐恩(Glen Zorn)对这个问题空间进行了许多有益的讨论。
Bernard Aboba Microsoft Corporation One Microsoft Way Redmond, WA 98052
伯纳德·阿博巴(Bernard Aboba)微软公司华盛顿州雷德蒙微软大道一号,邮编:98052
Phone: 425-936-6605 EMail: bernarda@microsoft.com
电话:425-936-6605电子邮件:bernarda@microsoft.com
Mark A. Beadles WorldCom Advanced Networks 5000 Britton Rd. Hilliard, OH 43026
俄亥俄州希利亚德布里顿路5000号,邮编43026
Phone: 614-723-1941 EMail: mbeadles@wcom.net
电话:614-723-1941电子邮件:mbeadles@wcom.net
Copyright (C) The Internet Society (1999). All Rights Reserved.
版权所有(C)互联网协会(1999年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。