Chapter 6 - AAA on the Internet
Number of pages: 11
File type: pdf
Size: 244.00 KB
Views: 14
Downloads: 0
Document information:
The term AAA has been traditionally used to refer to Authentication, Authorization, and Accounting activities. All of those activities are of crucial importance for the operation of an IP network, although typically they are not so visible to the end user. The importance of AAA functions lies in the fact that they provide the required protection and control in accessing a network. As a consequence, the administrator of the network can bill the end user for services used.
Content extracted from the document:
Chapter 6
AAA on the Internet

6.1 Authentication, Authorization, and Accounting

The term AAA has been traditionally used to refer to Authentication, Authorization, and Accounting activities. All of those activities are of crucial importance for the operation of an IP network, although typically they are not so visible to the end user.

The importance of AAA functions lies in the fact that they provide the required protection and control in accessing a network. As a consequence, the administrator of the network can bill the end user for services used. By services we are referring to any type of services related to the access of the network, such as high bandwidth, provision of routing services, gateway services, etc.

Before we proceed with this chapter, let us agree on a common terminology.

Authentication. This is the act of verifying the identity of an entity (subject).

Authorization. This is the act of determining whether a requesting entity (subject) will be allowed access to a resource (object) (e.g., network access, certain amount of bandwidth, etc.).

Accounting. This is the act of collecting information on resource usage for the purposes of capacity planning, auditing, billing, or cost allocation.

All of these concepts are intimately linked. For instance, it is not feasible to record the usage of a resource when the entity (subject) making usage of the resource (object) is not yet known. Therefore, in order to account for the usage of a resource the entity has to be authenticated. Once the subject is authenticated, it can be authorized to access the resource. Here, we are speaking generically. A resource could be access to a network, a radio resource, or access to a conference bridge.

The rest of this chapter describes the Internet architecture needed to provide the network functions of AAA. We will learn about the protocols that the IETF has developed to provide the mentioned functions.

6.2 AAA Framework on the Internet

At the beginning of 1997 the IETF defined the Remote Authentication Dial In User Service (RADIUS, RFC 2058 [260]) as the protocol to perform AAA functions on the Internet. The IETF revised the protocol in mid-1997 in RFC 2138 [261] and again in 2000 in RFC 2865 [262].

The 3G IP Multimedia Subsystem (IMS): Merging the Internet and the Cellular Worlds, Third Edition. Gonzalo Camarillo and Miguel A. García-Martín. © 2008 John Wiley & Sons, Ltd. ISBN: 978-0-470-51662-1

RADIUS offers a Network Access Server (NAS) the possibility of requesting authentication and authorization to a centralized RADIUS server. A typical example of the usage of RADIUS is shown in Figure 6.1. A user has established an agreement to access the Internet with an operator that provides a collection of dial-up access servers. A computer equipped with a modem dials up a Network Access Server. A circuit-switched connection is established between the computer (actually, the modem in the computer) and the Network Access Server. The Network Access Server does not contain a list of users who can access the network, since there may be a large collection of servers that are geographically widely spread and it would not be feasible to manage the list in all access servers. Instead, the Network Access Server is configured to request authentication and authorization from an AAA server, using an AAA protocol like RADIUS. The AAA server contains all the data needed to authenticate and then authorize the user (e.g., a password). Once the user is authenticated and authorized the user can get access to the network. The Network Access Server will be providing accounting information reports to the AAA server, so that the network operator can appropriately bill the user.

[Figure 6.1: AAA functions in a dial-up scenario. Elements shown: Computer, Circuit-switched Connection, Network Access Server, IP Network, Exchange, AAA Server, AAA data]

The RADIUS protocol performs relatively well in small-scale configurations and for the particular application that it was designed for, that is, a user dials into a dial-up server and the dial-up server requests authentication and authorization from an AAA server. RADIUS offers problems in large environments where congestion and lost data can occur. RADIUS runs over UDP and, therefore, lacks congestion control. RADIUS lacks some functionality that is required in certain applications or networks, such as the ability of the AAA s ...
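The NAS-to-AAA-server exchange described in the dial-up scenario, as an added Python example (it is not code from the book, nor from any RADIUS implementation): the NAS builds an Access-Request carrying a User-Password hidden with the RFC 2865 shared-secret scheme, the AAA server looks the user up in its data and answers with an Access-Accept or Access-Reject whose Response Authenticator is keyed to the request, and the NAS then sends the accounting report as an RFC 2866 Accounting-Request. The packets are passed in memory rather than over UDP; the shared secret, the user database, the packet identifiers and the session id are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 / RFC 2866) and the attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 2, 40, 44
ACCT_START = 1
SAMPLE_USER_DB = {b"alice": b"correct horse battery"}  # constructed "AAA data"


def encode_attrs(attrs):
    """Type-Length-Value attributes; Length counts the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16 octets, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def keyed_authenticator(code, ident, length, auth_in, body, secret):
    """MD5(Code+ID+Length+Authenticator+Attributes+Secret): the Response Authenticator
    of RFC 2865, or with 16 zero octets the Accounting-Request authenticator of RFC 2866."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + auth_in + body + secret).digest()


# --- NAS side ---
def nas_access_request(user, password, secret, ident):
    request_auth = os.urandom(16)  # must be unpredictable per request
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, request_auth))]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def nas_check_reply(reply, request, secret):
    """Accept only a reply whose Response Authenticator binds it to our request."""
    code, ident, resp_auth, _ = parse_packet(reply)
    _, req_ident, req_auth, _ = parse_packet(request)
    expected = keyed_authenticator(code, ident, len(reply), req_auth, reply[20:], secret)
    return ident == req_ident and hmac.compare_digest(resp_auth, expected) and code == ACCESS_ACCEPT


def nas_accounting_request(user, session_id, status, secret, ident):
    attrs = [(USER_NAME, user), (ACCT_STATUS_TYPE, struct.pack("!I", status)), (ACCT_SESSION_ID, session_id)]
    body = encode_attrs(attrs)
    auth = keyed_authenticator(ACCOUNTING_REQUEST, ident, 20 + len(body), b"\x00" * 16, body, secret)
    return build_packet(ACCOUNTING_REQUEST, ident, auth, attrs)


# --- AAA server side ---
def server_handle_access(pkt, secret, user_db):
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    ok = (code == ACCESS_REQUEST and a.get(USER_NAME) in user_db
          and hmac.compare_digest(unhide_password(a.get(USER_PASSWORD, b""), secret, req_auth),
                                  user_db[a[USER_NAME]]))
    resp = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(resp, ident, keyed_authenticator(resp, ident, 20, req_auth, b"", secret), [])


def server_verify_accounting(pkt, secret):
    code, ident, auth, _ = parse_packet(pkt)
    expected = keyed_authenticator(code, ident, len(pkt), b"\x00" * 16, pkt[20:], secret)
    return code == ACCOUNTING_REQUEST and hmac.compare_digest(auth, expected)


def run_exchange(user, password, secret=b"constructed-shared-secret", user_db=None):
    """Drive the dial-up scenario end to end: (access granted?, accounting report accepted?)."""
    user_db = SAMPLE_USER_DB if user_db is None else user_db
    req = nas_access_request(user, password, secret, ident=7)
    if not nas_check_reply(server_handle_access(req, secret, user_db), req, secret):
        return False, False
    acct = nas_accounting_request(user, b"sess-0001", ACCT_START, secret, ident=8)
    return True, server_verify_accounting(acct, secret)
```

Two design points are worth noticing when reading this against the text. Everything that protects the exchange, the hiding of the password and the authenticators on the reply and the accounting report, is keyed only by the shared secret and MD5, so a server should never accept an Accounting-Request, and a NAS should never act on an Access-Accept, without recomputing the authenticator as above and comparing it in constant time; the secret's strength bounds what the whole scheme can offer. Since RADIUS runs over UDP, the request Identifier is also the only thing tying a reply to the request it answers, which is why the NAS checks it alongside the authenticator.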