Network Working Group                                            D. Mitton
Request for Comments: 2881                                 Nortel Networks
Category: Informational                                         M. Beadles
                                                           SmartPipes Inc.
                                                                 July 2000
        

Network Access Server Requirements Next Generation (NASREQNG) NAS Model

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

This document describes the terminology and gives a model of a typical Network Access Server (NAS). The purpose of this effort is to set the reference space for describing and evaluating NAS service protocols, such as RADIUS (RFCs 2865, 2866) [1], [2] and follow-on efforts like the AAA Working Group and the Diameter protocol [3]. These are protocols for carrying user service information for authentication, authorization, accounting, and auditing between a Network Access Server, which desires to authenticate its incoming calls, and a shared authentication server.

Table of Contents

   1. INTRODUCTION
    1.1 Scope of this Document
    1.2 Specific Terminology
   2. NETWORK ACCESS SYSTEM EQUIPMENT ASSUMPTIONS
   3. NAS SERVICES
   4. AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA) SERVERS
   5. TYPICAL NAS OPERATION SEQUENCE:
    5.1 Characteristics of Systems and Sessions:
    5.2 Separation of NAS and AAA server functions
    5.3 Network Management and Administrative features
   6. AUTHENTICATION METHODS
   7. SESSION AUTHORIZATION INFORMATION
   8. IP NETWORK INTERACTION
   9. A NAS MODEL
    9.1 A Reference Model of a NAS
    9.2 Terminology
    9.3 Analysis
     9.3.1 Authentication and Security
     9.3.2 Authorization and Policy
     9.3.3 Accounting and Auditing
     9.3.4 Resource Management
     9.3.5 Virtual Private Networks (VPN's)
     9.3.6 Service Quality
     9.3.7 Roaming
   10. SECURITY CONSIDERATIONS
   11. REFERENCES
   12. ACKNOWLEDGMENTS
   13. AUTHORS' ADDRESSES
   14. APPENDIX - ACRONYMS AND GLOSSARY:
   15. FULL COPYRIGHT STATEMENT

1. Introduction

A Network Access Server is the initial entry point to a network for the majority of users of network services. It is the first device in the network to provide services to an end user, and acts as a gateway for all further services. As such, its importance to users and service providers alike is paramount. However, the concept of a Network Access Server has grown up over the years without being formally defined or analyzed [4].

1.1 Scope of this Document

There are several tradeoffs taken in this document. The purpose of this document is to describe a model for evaluating NAS service protocols. It will give examples of typical NAS hardware and software features, but these are not to be taken as hard limitations of the model; they are merely illustrative of the points of discussion. An important goal of the model is to offer a framework that allows further development and expansion of capabilities in NAS implementation.

As with most IETF projects, the focus is on standardizing the protocol interaction between the components of the system. The documents produced will not address the following areas:

- AAA server back-end implementation is abstracted and not prescribed. The actual organization of the data in the server, its internal interfaces, and capabilities are left to the implementation.

- NAS front-end call technology is not assumed to be static. Alternate and new technology will be accommodated. The resultant protocol specifications must be flexible in design to allow for new technologies and services to be added with minimal impact on existing implementations.

1.2 Specific Terminology

The following terms are used in this document in this manner:

A "Call" - the initiation of a network service request to the NAS. This can mean the arrival of a telephone call via a dial-in or switched telephone network connection, or the creation of a tunnel to a tunnel server which becomes a virtual NAS.

A "Session" - the service the NAS provides to a specific authorized user entity.

2. Network Access System Equipment Assumptions

A typical hardware-based NAS is implemented in a constrained system. It is important that the NAS protocols don't assume unlimited resources on the part of the platform. The following are typical constraints:

- A computer system of minimal to moderate performance (example processors: Intel 386 or 486, Motorola 68000)
- A moderate, but not large, amount of RAM (typically 1MB to 8MB, varying with the number of supported ports)
- Some small amount of non-volatile memory, and/or a way to be configured out-of-band
- No assumption of a local file system or disk storage

A NAS system may consist of a system of interconnected specialized processor system units. Typically they may be circuit boards (or blades) that are arrayed in a card cage (or chassis) and referred to by their position (i.e., slot number). The bus interconnection methods are typically proprietary and will not be addressed here.

A NAS is sometimes referred to as a Remote Access Server (RAS) as it typically allows remote access to a network. However, a more general picture is that of an "Edge Server", where the NAS sits on the edge of an IP network of some type, and allows dynamic access to it.

Such systems typically have:

- At least one LAN or high performance network interface (e.g., Ethernet, ATM, FR)

- At least one, but typically many, serial interface ports, which could:
  - be serial RS232 ports, direct wired or wired to a modem, or
  - have integral hardware or software modems (V.22bis, V.32, V.34, X2, Kflex, V.90, etc.)
  - have direct connections to telephone network digital WAN lines (ISDN, T1, T3, NFAS, or SS7)
  - be an aggregation of xDSL connections or PPPoE sessions [5].

However, systems may perform some of the functions of a NAS without having these kinds of hardware characteristics. An example would be an industry-standard personal computer server system that has several modem line connections. These lines will be managed like a dedicated NAS, but the system itself is a general file server. Likewise, with the development of tunneling protocols (L2F [6], ATMP [7], L2TP [8]), tunnel server systems must behave like a "virtual" NAS, where the calls come from network tunneled sessions and not hardware ports ([11], [9], [10]).

3. NAS Services

The core of what a NAS provides is dynamic network services. What distinguishes a NAS from a typical routing system is that these services are provided on a per-user basis, based on an authentication, and the service is accounted for. This accounting may lead to policies and controls that limit usage to appropriate levels based on the availability of network bandwidth, or on service agreements between the user and the provider.

Typical services include:

- dial-up or direct access serial line access; the ability to access the network using the public telephone network.
- network access (SLIP, PPP, IPX, NETBEUI, ARAP); the NAS allows the caller to access the network directly.
- asynchronous terminal services (Telnet, Rlogin, LAT, others); the NAS implements the network protocol on behalf of the caller, and presents a terminal interface.
- dial-out connections; the ability to cause the NAS to initiate a connection over the public telephone network, typically based on the arrival of traffic for a specific network system.
- callback (NAS generates call to caller); the ability to cause the NAS to reverse or initiate a network connection based on the arrival of a dial-in call.
- tunneling (from access connection to remote server); the NAS transports the caller's network packets over a network to a remote server using an encapsulation protocol (L2TP [8], RADIUS support [11]).

4. Authentication, Authorization and Accounting (AAA) Servers

Because of the need to authenticate and account, and for practical reasons of implementation, NAS systems have come to depend on external server systems to implement authentication databases and accounting recording.

By separating these functions from the NAS equipment, they can be implemented in general purpose computer systems, that may provide better suited long term storage media, and more sophisticated database software infrastructures. Not to mention that a centralized server can allow the coordinated administration of many NAS systems as appropriate (for example a single server may service an entire POP consisting of multiple NAS systems).

For ease of management, there is a strong desire to piggyback NAS authentication information with other authentication databases, so that authentication information can be managed for several services (such as OS shell login, or Web Server access) from the same provider, without creating separate passwords and accounts for the user.

Session activity information is stored and processed to produce accounting usage records. This is typically done with a long term (nightly, weekly or monthly) batch type process.

However, as network operations grow in sophistication, there are requirements to provide real-time monitoring of port and user status, so that the state information can be used to implement policy decisions, monitor user trends, and possibly terminate access for administrative reasons. Typically only the NAS knows the true dynamic state of a session.

5. Typical NAS Operation Sequence:

The following details a typical NAS operational sequence:

- Call arrival on port or network
  - Port:
    - auto-detect (or not) type of call
    - CLI/SLIP: prompt for username and password (if security set)
    - PPP: engage LCP, Authentication
    - Request authentication from AAA server
      - if okay, proceed to service
      - may challenge
      - may ask for password change/update

  - Network:
    - activate internal protocol server (telnet, ftp)
    - engage protocol's authentication technique
    - confirm authentication information with AAA server

- Call Management Services
  - Information from the telephone system or gateway controller arrives indicating that a call has been received
  - The AAA server is consulted using the information supplied by the telephone system (typically Called or Calling number information)
  - The server indicates whether to respond to the call by answering it, or by returning a busy to the caller.
  - The server may also need to allocate a port to receive a call, and route it accordingly.

- Dial-out
  - packet destination matches a pre-configured outbound route
  - find profile information to set up the call
  - request information from the AAA server for call details

- VPN/Tunneling (compulsory)
  - authentication server identifies user as remote
  - tunnel protocol is invoked to a remote server
  - authentication information may be forwarded to remote AAA server
  - if successful, the local link is given a remote identity

- Multi-link aggregation
  - after a new call is authenticated by the AAA server, if MP options are present, other bundles with the same identifying information are searched for
  - bundle searches are performed across multiple systems
  - calls that match authentication and originator identities are joined as one network addressable data source with a single network IP address

- Hardwired (non-interactive) services
  - permanent WAN connections (Frame Relay or PSVCs)
  - permanent serial connections (printers)

5.1 Characteristics of Systems and Sessions:

Sessions must have a user identifier and authenticator to complete the authentication process. Accounting starts from time of call or service, though finer details are allowed. At the end of service, the call may be disconnected or allow re-authentication for additional services.

Some systems allow decisions on call handling to be made based on telephone system information provided before the call is answered (e.g., caller id or destination number). In such systems, calls may be busied-out or non-answered if system resources are not ready or available.

Authorization to run services is supplied and applied after authentication. A NAS may abort the call if session authorization information disagrees with the call characteristics. Some system resources may be controlled by server-driven policies.

Accounting messages are sent to the accounting server when service begins and ends, and possibly periodically during service delivery. Accounting is not necessarily a real-time service; the NAS may queue event records and send them in batches.

5.2 Separation of NAS and AAA server functions

As a distributed system, there is a separation of roles between the NAS and the Server:

- Server provides authentication services; checks passwords (static or dynamic)
- Server databases may be organized in any way (only the protocol is specified)
- Server may use external systems to authenticate (including OS user databases, token cards, one-time-lists, proxy or other means)
- Server provides authorization information to NAS
- The process of providing a service may lead to requests for additional information
- Service authorization may require real-time enforcement (services may be based on Time of Day, or variable cost debits)
- Session accounting information is tallied by the NAS and reported to server
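The operation sequence of section 5, the ordering rule of section 5.1 (authorization is applied only after authentication, and a call is aborted when the authorization disagrees with the call characteristics), and the role split of section 5.2 can be made concrete in a small simulation. The following is an added example, not code from the RFC or from any NAS or AAA product; the classes `AAAServer`, `NAS` and `Call`, the user database and the `max_sessions` profile attribute are all constructed for illustration. The server keeps the password check and the concurrent-login limit (section 7's "concurrent login limitations") on its side; the NAS enforces the returned authorization, tallies octets, and queues accounting records for batch delivery as section 5.1 allows.

```python
"""Simulated NAS / AAA exchange (added example; all names hypothetical)."""
import hmac
from dataclasses import dataclass


@dataclass
class Call:
    """Characteristics of an incoming call as the NAS sees it (constructed)."""
    port: int
    service: str        # "ppp" or "cli", detected on the port
    username: str
    password: str


class AAAServer:
    """Server role (section 5.2): checks passwords, hands back authorization
    and receives accounting records.  Database layout is the server's own."""

    def __init__(self, users):
        self._users = users          # username -> (password, authorization profile)
        self._active = {}            # username -> live session count (stateful)
        self.accounting_log = []

    def authenticate(self, username, password):
        entry = self._users.get(username)
        if entry is None:
            return None
        stored, profile = entry
        # Constant-time compare: the reject path must not leak how many
        # leading characters of the password matched.
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        return dict(profile)

    def authorize_session(self, username):
        """Stateful authorization: enforce the concurrent-login limit."""
        limit = self._users[username][1].get("max_sessions", 1)
        if self._active.get(username, 0) >= limit:
            return False
        self._active[username] = self._active.get(username, 0) + 1
        return True

    def release_session(self, username):
        self._active[username] -= 1

    def record(self, records):
        """Accept one batch of accounting records; returns the count stored."""
        self.accounting_log.extend(records)
        return len(records)


class NAS:
    """NAS role (section 5.2): enforces authorization, tallies accounting."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.sessions = {}          # port -> session state
        self._acct_queue = []       # accounting is queued and sent in batches

    def handle_call(self, call):
        profile = self.aaa.authenticate(call.username, call.password)
        if profile is None:
            return "rejected: authentication failed"
        # Authorization is applied only after authentication (section 5.1);
        # abort when it disagrees with the call characteristics.
        if profile.get("service") != call.service:
            return f"aborted: authorized for {profile.get('service')}, call is {call.service}"
        if not self.aaa.authorize_session(call.username):
            return "rejected: concurrent login limit reached"
        self.sessions[call.port] = {"user": call.username, "profile": profile, "octets": 0}
        self._acct_queue.append(("start", call.port, call.username))
        return "accepted"

    def account_traffic(self, port, octets):
        self.sessions[port]["octets"] += octets

    def end_session(self, port):
        session = self.sessions.pop(port)
        self._acct_queue.append(("stop", port, session["user"], session["octets"]))
        self.aaa.release_session(session["user"])

    def flush_accounting(self):
        """Batch-send queued records to the server; returns how many it took."""
        sent = self.aaa.record(self._acct_queue)
        self._acct_queue = []
        return sent


def demo():
    """Run the sequence against a constructed user database."""
    server = AAAServer({
        "alice": ("s3cret", {"service": "ppp", "ip": "192.0.2.10", "max_sessions": 1}),
        "bob": ("hunter2", {"service": "cli", "max_sessions": 2}),
    })
    nas = NAS(server)
    results = [
        nas.handle_call(Call(1, "ppp", "alice", "s3cret")),
        nas.handle_call(Call(2, "ppp", "alice", "s3cret")),   # second concurrent login
        nas.handle_call(Call(3, "ppp", "bob", "hunter2")),    # authorized for cli, not ppp
        nas.handle_call(Call(4, "cli", "bob", "wrong")),      # bad password
    ]
    nas.account_traffic(1, 4096)
    nas.end_session(1)
    results.append(nas.flush_accounting())                    # two records: start, stop
    return results
```

`demo()` walks four calls through the sequence and then flushes the accounting queue; the outcomes show the three distinct refusal paths (authentication failure, authorization disagreeing with the call, and a server-side stateful limit) that the text keeps separate.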

5.3 Network Management and Administrative features

The NAS system is presumed to have a method of configuration that allows it to know its identity and network parameters at boot time. Likewise, this configuration information is typically managed using the standard management protocols (e.g., SNMP). This would include the configuration of the parameters necessary to contact the AAA server itself. The purpose of the AAA server is not to provide network management for the NAS, but to authorize and characterize the individual services for the users. Therefore any feature that can be user specific is open to supply from the AAA server.

The system may have other operational services that are used to run and control the NAS. Some users that have _Administrative_ privileges may have access to system configuration tools, or services that affect the operation and configuration of the system (e.g., loading boot images, internal file system access, etc.). Access to these facilities may also be authenticated by the AAA server (provided it is configured and reachable!) and levels of access authorization may be provided.

6. Authentication Methods

A NAS system typically supports a number of authentication systems. For async terminal users, these may be as simple as a prompt and input. For network datalink users, such as PPP, several different authentication methods will be supported (PAP, CHAP [12], MS-CHAP [13]). Some of these may actually be protocols in and of themselves (EAP [14] [15], and Kerberos).

Additionally, the content of the authentication exchanges may not be straightforward. Hard token card systems, such as Safeword and SecurId, may generate one-time passphrases that must be validated against a proprietary server. In the case of multi-link support, it may be necessary to remember a session token or certificate for the later authentication of additional links.

In the cases of VPN and compulsory tunneling services, typically a Network Access Identifier (RFC 2486 [16]) is presented by the user. This NAI is parsed into a destination network identifier either by the NAS or by the AAA server. The authentication information will typically not be validated locally, but by an AAA service at the remote end of the tunnel service.
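Two of the mechanisms this section names are simple enough to show end to end: the CHAP [12] challenge/response check an AAA server performs for a PPP user, and the NAI [16] parsing that decides whether credentials are validated locally or handed to the AAA service at the far end of a tunnel. The block below is an added example, not code from the RFC or any AAA implementation; `route_authentication`, the realm table and the sample realms are constructed for illustration. The CHAP response is MD5 over the identifier, the shared secret and the challenge, as RFC 1994 specifies, so only the digest crosses the link and a response computed for an earlier challenge does not verify against a fresh one.

```python
"""CHAP verification and NAI realm routing on the AAA side (added example)."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP MD5 response: MD5(Identifier || Secret || Challenge) per RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_chap(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected digest and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def parse_nai(nai: str):
    """Split user@realm.  Returns (user, realm); realm is '' when absent.
    Realms are case-insensitive, so they are normalised to lower case."""
    if "@" not in nai:
        return nai, ""
    user, _, realm = nai.rpartition("@")
    return user, realm.lower()


def route_authentication(nai: str, local_realms, proxy_table):
    """Decide where the credentials get validated: locally, by the remote
    AAA service for a realm we tunnel to, or refused for an unknown realm.
    `proxy_table` maps realm -> remote AAA host (hypothetical structure)."""
    user, realm = parse_nai(nai)
    if realm == "" or realm in local_realms:
        return ("local", user)
    if realm in proxy_table:
        return ("proxy", proxy_table[realm])
    return ("reject", realm)


def demo():
    """Exercise both mechanisms with constructed values."""
    secret = b"chap-secret"                 # constructed shared secret
    challenge = os.urandom(16)              # fresh random challenge per attempt
    ident = 7
    honest = chap_response(ident, secret, challenge)
    stale = chap_response(ident, secret, os.urandom(16))   # answer to a different challenge
    local_realms = {"isp.example"}
    proxy_table = {"corp.example": "aaa.corp.example"}    # realm -> remote AAA host
    return {
        "chap_ok": verify_chap(ident, secret, challenge, honest),
        "chap_stale": verify_chap(ident, secret, challenge, stale),
        "local": route_authentication("alice@isp.example", local_realms, proxy_table),
        "tunnelled": route_authentication("bob@Corp.Example", local_realms, proxy_table),
        "unknown": route_authentication("carol@nowhere.example", local_realms, proxy_table),
    }
```

The realm lookup is what the text calls parsing the NAI "into a destination network identifier"; where the realm is remote, the local server forwards the exchange rather than checking the password itself, which is why it needs no copy of the remote realm's secrets.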

7. Session Authorization Information

Once a user has been authenticated, there are a number of individual bits of information that the network management may wish to configure and authorize for the given user or class of users.

Typical examples include:

For async terminal users:

- banners
- custom prompts
- menus
- CLI macros, which could be used for: shortcuts, compound commands, restrictive scripts

For network users:

- addresses, and routes
- callback instructions
- packet and activity filters
- network server addresses
- host server addresses

Some services may require dynamic allocation of resources. Information about the resources required may not be known during the authentication phase; it may come up later (e.g., IP addresses for multi-link bundles). It is also possible that the authorization will change over the lifetime of the session. To provide these, there has to be a division of responsibility between the NAS and the AAA server, or a cooperation using a stateful service.

Such services include:

- IP Address management
- Concurrent login limitations
- Tunnel usage limitations
- Real-time account expirations
- Call management policies

In the process of resolving resource information, it may be required that a certain level of service be supplied, and if not available, the request refused, or corrective action taken.

8. IP Network Interaction

As the NAS participates in the IP network, it interacts with the routing mechanisms of the network itself. These interactions may also be controlled on a per-user/session basis.

For example, some input streams may be directed to specific hosts other than the default gateway for the destination subnet. In order to control services within the network provider's infrastructure, some types of packets may be discarded (filtered) before entering the network. These filters could be applied based on examination of the destination address and port number. Anti-spoofing packet controls may be applied to disallow traffic sourced from addresses other than the one assigned to the port.
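The three per-session controls named in this paragraph (anti-spoofing on the source address, destination address/port filtering, and steering matching traffic to a specific host instead of the default gateway) fit naturally into one ingress decision made per packet on the client interface. The block below is an added example, not code from the RFC or any NAS; the `Session` and `Packet` structures, the rule format and the sample addresses (all from documentation ranges) are constructed for illustration, and the standard `ipaddress` module does the prefix matching.

```python
"""Per-session ingress decision on a NAS client port (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    """Constructed view of an inbound packet from the client port."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass
class Session:
    """Per-user state the NAS holds for one port, typically learned via AAA."""
    assigned_ip: str
    # (destination network, protocol, destination port or None for any)
    deny_rules: list = field(default_factory=list)
    # destination network -> next-hop host that overrides the default gateway
    policy_routes: dict = field(default_factory=dict)


def ingress_decision(session: Session, pkt: Packet) -> str:
    """Return 'drop:<reason>' or 'forward:<next hop>' for one packet."""
    # Anti-spoofing: a port may only source traffic from its assigned address.
    if pkt.src != session.assigned_ip:
        return "drop:spoofed-source"
    dst = ipaddress.ip_address(pkt.dst)
    # Filters keyed on destination address and port, applied before the
    # packet enters the provider's network.
    for net, proto, dport in session.deny_rules:
        if (dst in ipaddress.ip_network(net) and pkt.proto == proto
                and (dport is None or dport == pkt.dport)):
            port_text = "any" if dport is None else str(dport)
            return f"drop:filtered {proto}/{port_text}"
    # Policy routing: specific hosts rather than the default gateway.
    for net, next_hop in session.policy_routes.items():
        if dst in ipaddress.ip_network(net):
            return f"forward:{next_hop}"
    return "forward:default-gateway"


def demo():
    """Apply a constructed session policy to four sample packets."""
    session = Session(
        assigned_ip="192.0.2.10",
        deny_rules=[("198.51.100.0/24", "tcp", 25), ("0.0.0.0/0", "udp", 137)],
        policy_routes={"203.0.113.0/24": "203.0.113.1"},
    )
    packets = [
        Packet("192.0.2.99", "203.0.113.5", "tcp", 80),    # source not assigned to port
        Packet("192.0.2.10", "198.51.100.7", "tcp", 25),   # filtered destination/port
        Packet("192.0.2.10", "203.0.113.5", "tcp", 80),    # policy-routed destination
        Packet("192.0.2.10", "192.0.2.200", "udp", 53),    # ordinary forward
    ]
    return [ingress_decision(session, p) for p in packets]
```

Ordering matters: the source check runs first so that a forged source address can never reach the routing step, and the deny rules run before policy routes so a filter cannot be bypassed by a destination that happens to match a steering entry.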

A NAS may also be an edge router system, and apply Quality of Service (QoS) policies to the packets. This makes it a QoS Policy Enforcement Point [19], [17]. It may learn QoS and other network policies for the user via the AAA service.

9. A NAS Model

So far we have looked at examples of things that NASes do. The following attempts to define a NAS model that captures the fundamentals of NAS structure to better categorize how it interacts with other network components.

A Network Access Server is a device which sits on the edge of a network, and provides access to services on that network in a controlled fashion, based on the identity of the user of the network services in question and on the policy of the provider of these services. For the purposes of this document, a Network Access Server is defined primarily as a device which accepts multiple point-to-point [18] links on one set of interfaces, providing access to a routed network or networks on another set of interfaces.

Note that there are many things that a Network Access Server is not. A NAS is not simply a router, although it will typically include routing functionality in its interface to the network. A NAS is not necessarily a dial access server, although dial access is one common means of network access, and brings its own particular set of requirements to NASs.

A NAS is the first device in the IP network to provide services to an end user, and acts as a gateway for all further services. It is the point at which users are authenticated, access policy is enforced, network services are authorized, network usage is audited, and resource consumption is tracked. That is, a NAS often acts as the policy enforcement point for network AAAA (authentication, authorization, accounting, and auditing) services. A NAS is typically the first place in a network where security measures and policy may be implemented.

9.1 A Reference Model of a NAS

For reference in the following discussion, a diagram of a NAS, its dependencies, and its interfaces is given below. This diagram is intended as an abstraction of a NAS as a reference model, and is not intended to represent any particular NAS implementation.

                               Users
                             v v v v v v v
                             | | PSTN  | |
                             | |  or   | |
                             |encapsulated
                          +-----------------+
                          |    (Modems)     |
                          +-----------------+
                             | | | | | | |
                   +--+----------------------------+
                   |  |                            |
                   |N |     Client Interface       |
                   |  |                            |
                   |A +----------Routing ----------+
                   |  |                            |
                   |S |    Network Interface       |
                   |  |                            |
                   +--+----------------------------+
                           /      |     \
                          /       |      \
                         /        |       \
                        /         |        \
      POLICY MANAGEMENT/          |         \  DEVICE MANAGEMENT
      +---------------+           |          +-------------------+
      | Authentication|         _/^\_        |Device Provisioning|
      +---------------+       _/     \_      +-------------------+
      | Authorization |     _/         \_    |Device Monitoring  |
      +---------------+   _/             \_  +-------------------+
      | Accounting    |  /       The       \
      +---------------+  \_   Network(s)  _/
      | Auditing      |    \_           _/
      +---------------+      \_       _/
                               \_   _/
                                 \_/
        
9.2 Terminology

Following is a description of the modules and interfaces in the reference model for a NAS given above:

Client Interfaces - A NAS has one or more client interfaces, which provide the interface to the end users who are requesting network access. Users may connect to these client interfaces via modems over a PSTN, or via tunnels over a data network. Two broad classes of NAS's may be defined, based on the nature of the incoming client interfaces, as follows. Note that a single NAS device may serve in both classes:

Dial Access Servers - A Dial Access Server is a NAS whose client interfaces consist of modems, either local or remote, which are attached to a PSTN.

Tunnel Servers - A Tunnel Server is a NAS whose client interfaces consist of tunneling endpoints in a protocol such as L2TP.

Network Interfaces - A NAS has one or more network interfaces, which connect to the networks to which access is being granted.

Routing - If the network to which access is being granted is a routed network, then a NAS will typically include routing functionality.

Policy Management Interface - A NAS provides an interface which allows access to network services to be managed on a per-user basis. This interface may be a configuration file, a graphical user interface, an API, or a protocol such as RADIUS, Diameter, or COPS [19]. This interface provides a mechanism for granular resource management and policy enforcement.

Authentication - Authentication refers to the confirmation that a user who is requesting services is a valid user of the network services requested. Authentication is accomplished via the presentation of an identity and credentials. Examples of types of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).

Authorization - Authorization refers to the granting of specific types of service (including "no service") to a user, based on their authentication, what services they are requesting, and the current system state. Authorization may be based on restrictions, for example time-of-day restrictions, or physical location restrictions, or restrictions against multiple logins by the same user. Authorization determines the nature of the service which is granted to a user. Examples of types of service include, but are not limited to: IP address filtering, address assignment, route assignment, QoS/differential services, bandwidth control/traffic management, compulsory tunneling to a specific endpoint, and encryption.

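An added example (not code from the RFC or any NAS product) of the authorization decision just described: given an already-authenticated identity, the requested service, the calling number, the time of day and the current NAS state, return the service actually granted, with "no service" as a normal outcome. The user names, policies, addresses and phone numbers are constructed assumptions.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, List, Optional, Tuple

NO_SERVICE = "none"


@dataclass(frozen=True)
class ServiceGrant:
    """What the NAS delivers: the service type plus its parameters (all optional)."""
    service: str                            # "ppp", "tunnel" or NO_SERVICE
    address: Optional[str] = None           # address assignment
    ip_filter: Optional[str] = None         # IP address filtering rule set
    max_kbps: Optional[int] = None          # bandwidth control
    tunnel_endpoint: Optional[str] = None   # compulsory tunneling target


@dataclass(frozen=True)
class UserPolicy:
    """Per-user restrictions plus the service granted when all of them pass."""
    hours: Tuple[int, int]                  # allowed local hours, [start, end)
    calling_numbers: FrozenSet[str]         # physical location restriction; empty = any
    max_sessions: int                       # limit on concurrent logins by one user
    grant: ServiceGrant


# Constructed policy store for hypothetical users, standing in for the
# per-user data an AAAA server would return after authentication.
POLICIES: Dict[str, UserPolicy] = {
    "alice": UserPolicy((8, 18), frozenset(), 1,
                        ServiceGrant("ppp", ip_filter="corp-only", max_kbps=128)),
    "bob": UserPolicy((0, 24), frozenset({"6145550100"}), 2,
                      ServiceGrant("tunnel", tunnel_endpoint="l2tp.example.net")),
}


@dataclass
class NasState:
    """The current system state the decision depends on."""
    active_sessions: Dict[str, int] = field(default_factory=dict)
    free_addresses: List[str] = field(default_factory=list)


def authorize(user: str, requested: str, calling_number: str,
              hour: int, state: NasState) -> ServiceGrant:
    """Decide the service for an authenticated user; "no service" is a normal answer."""
    policy = POLICIES.get(user)
    if policy is None or requested != policy.grant.service:
        return ServiceGrant(NO_SERVICE)
    start, end = policy.hours
    if not start <= hour < end:                                  # time-of-day restriction
        return ServiceGrant(NO_SERVICE)
    if policy.calling_numbers and calling_number not in policy.calling_numbers:
        return ServiceGrant(NO_SERVICE)                          # location restriction
    if state.active_sessions.get(user, 0) >= policy.max_sessions:
        return ServiceGrant(NO_SERVICE)                          # multiple-login restriction
    grant = policy.grant
    if grant.service == "ppp":
        if not state.free_addresses:                             # address pool exhausted
            return ServiceGrant(NO_SERVICE)
        grant = replace(grant, address=state.free_addresses.pop(0))
    state.active_sessions[user] = state.active_sessions.get(user, 0) + 1
    return grant
```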
Accounting - Accounting refers to the tracking of the consumption of NAS resources by users. This information may be used for management, planning, billing, or other purposes. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources. Batch accounting refers to accounting information that is saved until it is delivered at a later time. Typical information that is gathered in accounting is the identity of the user, the nature of the service delivered, when the service began, and when it ended.

Auditing - Auditing refers to the tracking of activity by users. As opposed to accounting, where the purpose is to track consumption of resources, the purpose of auditing is to determine the nature of a user's network activity. Examples of auditing information include the identity of the user, the nature of the services used, what hosts were accessed when, what protocols were used, etc.

AAAA Server - An AAAA Server is a server or servers that provide authentication, authorization, accounting, and auditing services. These may be co-located with the NAS, or more typically, are located on a separate server and communicate with the NAS's User Management Interface via an AAAA protocol. The four AAAA functions may be located on a single server, or may be broken up among multiple servers.

Device Management Interface - A NAS is a network device which is owned, operated, and managed by some entity. This interface provides a means for this entity to operate and manage the NAS. This interface may be a configuration file, a graphical user interface, an API, or a protocol such as SNMP [20].

Device Monitoring - Device monitoring refers to the tracking of status, activity, and usage of the NAS as a network device.

Device Provisioning - Device provisioning refers to the configurations, settings, and control of the NAS as a network device.

9.3 Analysis

Following is an analysis of the functions of a NAS using the reference model above:

9.3.1 Authentication and Security

NAS's serve as the first point of authentication for network users, providing security to user sessions. This security is typically performed by checking credentials such as a PPP PAP user name/password pair or a PPP CHAP user name and challenge/response, but may be extended to authentication via telephone number information, digital certificates, or biometrics. NAS's also may authenticate themselves to users. Since a NAS may be shared among multiple administrative entities, authentication may actually be performed via a back-end proxy, referral, or brokering process.

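The PPP CHAP challenge/response check mentioned above, written out as an added example (not code from RFC 2881 or any NAS product): the NAS issues a fresh challenge for each call, the peer answers with MD5(Identifier || secret || Challenge) as RFC 1994 [12] defines, and the NAS compares the two values so the secret itself never crosses the client interface. The user name, secret and challenge size are constructed assumptions, and the secret lookup stands in for the AAAA server.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed user store (identity -> shared secret). In the reference model
# this lookup lives on the AAAA server; the NAS only relays name and response.
USER_SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value as the CHAP peer computes it (RFC 1994).

    MD5 over Identifier || secret || Challenge is what CHAP specifies; it is
    the protocol's hash, not a choice made in this example.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


@dataclass
class ChapSession:
    """State the NAS keeps for one call between sending Challenge and checking Response."""
    identifier: int
    challenge: bytes
    consumed: bool = False


class NasChapAuthenticator:
    """NAS side of the exchange: hands out fresh challenges and checks responses."""

    def __init__(self, secrets=USER_SECRETS):
        self._secrets = secrets
        self._next_id = 0

    def issue_challenge(self, size: int = 16) -> ChapSession:
        # A new random challenge per call is what makes a captured Response
        # useless against a later session (the replay concern in section 10).
        session = ChapSession(self._next_id, os.urandom(size))
        self._next_id = (self._next_id + 1) & 0xFF
        return session

    def verify(self, session: ChapSession, name: str, response: bytes) -> bool:
        # Each challenge accepts exactly one Response, right or wrong, so a
        # peer cannot keep trying values against the same challenge.
        if session.consumed:
            return False
        session.consumed = True
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(session.identifier, secret, session.challenge)
        # Constant-time comparison: timing must not reveal how many bytes matched.
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    nas = NasChapAuthenticator()
    call = nas.issue_challenge()
    peer_answer = chap_response(call.identifier, USER_SECRETS["alice"], call.challenge)
    print("alice accepted:", nas.verify(call, "alice", peer_answer))
```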
In addition to user security, NAS's may themselves be operated as secure devices. This may include secure methods of management and monitoring, use of IP Security [21] and even participation in a Public Key Infrastructure.

9.3.2 Authorization and Policy

NAS's are the first point of authorization for usage of network resources, and NAS's serve as policy enforcement points for the services that they deliver to users. NAS's may provision these services to users in a statically or dynamically configured fashion. Resource management can be performed at a NAS by granting specific types of service based on the current network state. In the case of shared operation, NAS policy may be determined based on the policy of multiple end systems.

9.3.3 Accounting and Auditing

Since NAS services are consumable resources, usage information must often be collected for the purposes of soft policy management, reporting, planning, and accounting. A dynamic, real-time view of NAS usage is often required for network auditing purposes. Since a NAS may be shared among multiple administrative entities, usage information must often be delivered to multiple endpoints. Accounting is performed using such protocols as RADIUS [2].

9.3.4 Resource Management

NAS's deliver resources to users, often in a dynamic fashion. Examples of the types of resources doled out by NAS's are IP addresses, network names and name server identities, tunnels, and PSTN resources such as phone lines and numbers. Note that NAS's may be operated in an outsourcing model, where multiple entities are competing for the same resources.

9.3.5 Virtual Private Networks (VPN's)

NAS's often participate in VPN's, and may serve as the means by which VPN's are implemented. Examples of the use of NAS's in VPN's are: Dial Access Servers that build compulsory tunnels, Dial Access Servers that provide services to voluntary tunnelers, and Tunnel Servers that provide tunnel termination services. NAS's may simultaneously provide VPN and public network services to different users, based on policy and user identity.

9.3.6 Service Quality

A NAS may deliver different qualities, types, or levels of service to different users based on policy and identity. NAS's may perform bandwidth management, allow differential speeds or methods of access, or even participate in provisioned or signaled Quality of Service (QoS) networks.

9.3.7 Roaming

NAS's are often operated in a shared or outsourced manner, or a NAS operator may enter into agreements with other service providers to grant access to users from these providers (roaming operations). NAS's often are operated as part of a global network. All these imply that a NAS often provides services to users from multiple administrative domains simultaneously. The features of NAS's may therefore be driven by requirements of roaming [22].

10. Security Considerations

This document describes a model not a particular solution.

As mentioned in section 9.3.1 and elsewhere, NAS's are concerned about the security of several aspects of their operation, including:

- Providing sufficiently robust authentication techniques as required by network policies,
- NAS authentication of configured authentication server(s),
- Server ability to authenticate configured clients,
- Hiding of the authentication information from network snooping to protect from attacks and provide user privacy,
- Protecting the integrity of message exchanges from attacks such as replay or man-in-the-middle,
- Inability of other hosts to interfere with services authorized to the NAS, or gain unauthorized services,
- Inability of other hosts to probe or guess at authentication information,
- Protection of NAS system configuration and administration from unauthorized users,
- Protection of the network from illegal packets sourced by accessing connections.

11. References

[1] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

[2] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

[3] Calhoun, P., "Diameter Base Protocol", Work in Progress.

[4] Zorn, G., "Yet Another Authentication Protocol (YAAP)", Work in Progress.

[5] Mamakos, L., Lidl, K., Evarts, K., Carrel, D., Simone, D. and R. Wheeler, "A Method for Transmitting PPP Over Ethernet (PPPoE)", RFC 2516, February 1999.

[6] Valencia, A., Littlewood, M. and T. Kolar, "Cisco Layer Two Forwarding (Protocol) L2F", RFC 2341, May 1998.

[7] Hamzeh, K., "Ascend Tunnel Management Protocol - ATMP", RFC 2107, February 1997.

[8] Valencia, A., Townsley, W., Rubens, A., Pall, G., Zorn, G., and B. Palter, "Layer Two Tunneling Protocol (L2TP)", RFC 2661, August 1999.

[9] Zorn, G., Leifer, D., Rubens, A., Shriver, J. and M. Holdrege, "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June 2000.

[10] Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000.

[11] Aboba, B. and G. Zorn, "Implementation of PPTP/L2TP Compulsory Tunneling via RADIUS", RFC 2809, April 2000.

[12] Simpson, W., "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.

[13] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", RFC 2433, March 1998.

[14] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication Protocol (EAP)", RFC 2284, March 1998.

[15] Calhoun, et al., "Extensible Authentication Protocol Support in RADIUS", Work in Progress.

[16] Aboba, B. and M. Beadles, "The Network Access Identifier", RFC 2486, January 1999.

[17] Braden, R., Zhang, L., Berson, S., Herzog, S. and S. Jamin, "Resource ReSerVation Protocol (RSVP) Version 1 Functional Specification", RFC 2205, September 1997.

[18] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.

[19] Boyle, J., Cohen, R., Durham, D., Herzog, S., Raja, R. and A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000.

[20] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "A Simple Network Management Protocol (SNMP)", STD 15, RFC 1157, May 1990.

[21] Atkinson, R. and S. Kent, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

[22] Aboba, B. and G. Zorn, "Dialup Roaming Requirements", Work in Progress.

12. Acknowledgments

This document is a synthesis of my earlier draft and Mark Beadles' NAS Reference Model draft.

13. Authors' Addresses

David Mitton
Nortel Networks
880 Technology Park Drive
Billerica, MA 01821

Phone: 978-288-4570
EMail: dmitton@nortelnetworks.com

Mark Beadles
SmartPipes Inc.
545 Metro Place South
Suite 100
Dublin, OH 43017

Phone: 614-327-8046
EMail: mbeadles@smartpipes.com

14. Appendix - Acronyms and Glossary:

AAA - Authentication, Authorization, Accounting, The three primary services required by a NAS server or protocol.

NAS - Network Access Server, a system that provides access to a network. In some cases also known as a RAS, Remote Access Server.

CLI - Command Line Interface, an interface to a command line service for use with a common asynchronous terminal facility.

SLIP - Serial Line Internet Protocol, an IP-only serial datalink, predecessor to PPP.

PPP - Point-to-Point Protocol; a serial datalink level protocol that supports IP as well as other network protocols. PPP has three major states of operation: LCP - Link layer Control Protocol, Authentication, of which there are several types (PAP, CHAP, EAP), and NCP - Network layer Control Protocol, which negotiates the network layer parameters for each of the protocols in use.

IPX - Novell's NetWare transport protocol

NETBEUI - A Microsoft/IBM LAN protocol used by Microsoft file services and the NETBIOS applications programming interface.

ARAP - AppleTalk Remote Access Protocol

LAT - Local Area Transport; a Digital Equipment Corp. LAN protocol for terminal services.

PPPoE - PPP over Ethernet; a protocol that forwards PPP frames on a LAN infrastructure. Often used to aggregate PPP streams at a common server bank.

VPN - Virtual Private Network; a term for networks that appear to be private to the user by the use of tunneling techniques.

FR - Frame Relay, a synchronous WAN protocol and telephone network intraconnect service.

PSVC - Permanent Switched Virtual Circuit - a service which delivers a virtual permanent circuit over a switched network.

PSTN - Public Switched Telephone Network

ISDN - Integrated Services Digital Network, a telephone network facility for transmitting digital and analog information over a digital network connection. A NAS may have the ability to receive the information from the telephone network in digital form.

ISP - Internet Service Provider; a provider of Internet access (also Network Service Provider, NSP).

BRI - Basic Rate Interface; a digital telephone interface.

PRI - Primary Rate Interface; a digital telephone interface of 64K bits per second.

T1 - A digital telephone interface which provides 24-36 channels of PRI data and one control channel (2.048 Mbps).

T3 - A digital telephone interface which provides 28 T1 services. Signalling control for the entire connection is provided on a dedicated in-band channel.

NFAS - Non-Facility Associated Signaling, a telephone network protocol/service for providing call information on a separate wire connection from the call itself. Used with multiple T1 or T3 connections.

SS7 - A telephone network protocol for communicating call supervision information on a separate data network from the voice network.

POP - Point Of Presence; a geographic location of equipment and interconnection to the network. An ISP typically manages all equipment in a single POP in a similar manner.

VSA - Vendor Specific Attributes; RADIUS attributes defined by vendors using the provision of attribute 26.

15. Full Copyright Statement

Copyright (C) The Internet Society (2000). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
