AAATransportProfile_RFC3539
Network Working Group                                           B. Aboba
Request for Comments: 3539                                     Microsoft
Category: Standards Track                                        J. Wood
                                                  Sun Microsystems, Inc.
                                                               June 2003

     Authentication, Authorization and Accounting (AAA) Transport Profile

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document discusses transport issues that arise within protocols
   for Authentication, Authorization and Accounting (AAA).  It also
   provides recommendations on the use of transport by AAA protocols.
   This includes usage of standards-track RFCs as well as experimental
   proposals.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  Requirements Language . . . . . . . . . . . . . . . . .  2
       1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Issues in Transport Usage  . . . . . . . . . . . . . . . . . .  5
       2.1.  Application-driven Versus Network-driven  . . . . . . .  5
       2.2.  Slow Failover . . . . . . . . . . . . . . . . . . . . .  6
       2.3.  Use of Nagle Algorithm  . . . . . . . . . . . . . . . .  7
       2.4.  Multiple Connections  . . . . . . . . . . . . . . . . .  7
       2.5.  Duplicate Detection . . . . . . . . . . . . . . . . . .  8
       2.6.  Invalidation of Transport Parameter Estimates . . . . .  8
       2.7.  Inability to use Fast Re-Transmit . . . . . . . . . . .  9
       2.8.  Congestion Avoidance  . . . . . . . . . . . . . . . . .  9
       2.9.  Delayed Acknowledgments . . . . . . . . . . . . . . . . 11
       2.10. Premature Failover  . . . . . . . . . . . . . . . . . . 11
       2.11. Head of Line Blocking . . . . . . . . . . . . . . . . . 11
       2.12. Connection Load Balancing . . . . . . . . . . . . . . . 12
   3.  AAA Transport Profile  . . . . . . . . . . . . . . . . . . . . 12
       3.1.  Transport Mappings  . . . . . . . . . . . . . . . . . . 12
       3.2.  Use of Nagle Algorithm  . . . . . . . . . . . . . . . . 12
       3.3.  Multiple Connections  . . . . . . . . . . . . . . . . . 13
       3.4.  Application Layer Watchdog  . . . . . . . . . . . . . . 13
       3.5.  Duplicate Detection . . . . . . . . . . . . . . . . . . 19
       3.6.  Invalidation of Transport Parameter Estimates . . . . . 20
       3.7.  Inability to use Fast Re-Transmit . . . . . . . . . . . 21
       3.8.  Head of Line Blocking . . . . . . . . . . . . . . . . . 22
       3.9.  Congestion Avoidance  . . . . . . . . . . . . . . . . . 23
       3.10. Premature Failover  . . . . . . . . . . . . . . . . . . 24
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 24
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 25
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 25
       6.1.  Normative References  . . . . . . . . . . . . . . . . . 25
       6.2.  Informative References  . . . . . . . . . . . . . . . . 26
   Appendix A - Detailed Watchdog Algorithm Description . . . . . . . 28
   Appendix B - AAA Agents  . . . . . . . . . . . . . . . . . . . . . 33
       B.1.  Relays and Proxies  . . . . . . . . . . . . . . . . . . 33
       B.2.  Re-directs  . . . . . . . . . . . . . . . . . . . . . . 35
       B.3.  Store and Forward Proxies . . . . . . . . . . . . . . . 36
       B.4.  Transport Layer Proxies . . . . . . . . . . . . . . . . 38
   Intellectual Property Statement  . . . . . . . . . . . . . . . . . 39
   Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . . . 39
   Author Addresses . . . . . . . . . . . . . . . . . . . . . . . . . 40
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 41

Aboba & Wood                Standards Track                     [Page 1]

1.  Introduction

   This document discusses transport issues that arise within protocols
   for Authentication, Authorization and Accounting (AAA).  It also
   provides recommendations on the use of transport by AAA protocols.
   This includes usage of standards-track RFCs as well as experimental
   proposals.

1.1.  Requirements Language

   In this document, the key words "MAY", "MUST", "MUST NOT",
   "optional", "recommended", "SHOULD", and "SHOULD NOT", are to be
   interpreted as described in [RFC2119].

1.2.  Terminology

   Accounting
      The act of collecting information on resource usage for the
      purpose of trend analysis, auditing, billing, or cost allocation.

   Administrative Domain
      An internet, or a collection of networks, computers, and
      databases under a common administration.

   Agent
      A AAA agent is an intermediary that communicates with AAA clients
      and servers.  Several types of AAA agents exist, including
      Relays, Re-directs, and Proxies.

   Application-driven transport
      Transport behavior is said to be application-driven when the rate
      at which messages are sent is limited by the rate at which the
      application generates data, rather than by the size of the
      congestion window.  In the most extreme case, the time between
      transactions exceeds the round-trip time between sender and
      receiver, implying that the application operates with an
      effective congestion window of one.  AAA transport is typically
      application driven.

   Attribute Value Pair (AVP)
      The variable length concatenation of a unique Attribute
      (represented by an integer) and a Value containing the actual
      value identified by the attribute.

   Authentication
      The act of verifying a claimed identity, in the form of a
      pre-existing label from a mutually known name space, as the
      originator of a message (message authentication) or as the
      end-point of a channel (entity authentication).

   Authorization
      The act of determining if a particular right, such as access to
      some resource, can be granted to the presenter of a particular
      credential.

   Billing
      The act of preparing an invoice.

   Network Access Identifier
      The Network Access Identifier (NAI) is the userID submitted by
      the host during network access authentication.  In roaming, the
      purpose of the NAI is to identify the user as well as to assist
      in the routing of the authentication request.  The NAI may not
      necessarily be the same as the user's e-mail address or the
      user-ID submitted in an application layer authentication.

   Network Access Server (NAS)
      A Network Access Server (NAS) is a device that hosts connect to
      in order to get access to the network.

   Proxy
      In addition to forwarding requests and responses, proxies enforce
      policies relating to resource usage and provisioning.  This is
      typically accomplished by tracking the state of NAS devices.
      While proxies typically do not respond to client Requests prior
      to receiving a Response from the server, they may originate
      Reject messages in cases where policies are violated.  As a
      result, proxies need to understand the semantics of the messages
      passing through them, and may not support all extensions.

   Local Proxy
      A Local Proxy is a proxy that exists within the same
      administrative domain as the network device (e.g. NAS) that
      issued the AAA request.  Typically a local proxy is used to
      multiplex AAA messages to and from a large number of network
      devices, and may implement policy.

   Store and forward proxy
      Store and forward proxies distinguish themselves from other proxy
      species by sending a reply to the NAS prior to proxying the
      request to the server.  As a result, store and forward proxies
      need to implement AAA client and server functionality for the
      messages that they handle.  Store and Forward proxies also
      typically keep state on conversations in progress in order to
      assure delivery of proxied Requests and Responses.  While store
      and forward proxies are most frequently deployed for accounting,
      they also can be used to implement authentication/authorization
      policy.

   Network-driven transport
      Transport behavior is said to be network driven when the rate at
      which messages are sent is limited by the congestion window, not
      by the rate at which the application can generate data.  File
      transfer is an example of an application where transport is
      network driven.

   Re-direct
      Rather than forwarding Requests and Responses between clients and
      servers, Re-directs refer clients to servers and allow them to
      communicate directly.  Since Re-directs do not sit in the
      forwarding path, they do not alter any AVPs transiting between
      client and server.  Re-directs do not originate messages and are
      capable of handling any message type.  A Re-direct may be
      configured only to re-direct messages of certain types, while
      acting as a Relay