Network Working Group B. Aboba
Request for Comments: 2809 Microsoft
Category: Informational G. Zorn
Cisco
April 2000
Implementation of L2TP Compulsory Tunneling via RADIUS
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This document discusses implementation issues arising in the
provisioning of compulsory tunneling in dial-up networks using the
L2TP protocol. This provisioning can be accomplished via the
integration of RADIUS and tunneling protocols. Implementation issues
encountered with other tunneling protocols are left to separate
documents.
1. Terminology
Voluntary Tunneling
In voluntary tunneling, a tunnel is created by the user,
typically via use of a tunneling client.
Compulsory Tunneling
In compulsory tunneling, a tunnel is created without any
action from the user and without allowing the user any
choice.
Tunnel Network Server
This is a server which terminates a tunnel. In L2TP
terminology, this is known as the L2TP Network Server
(LNS).
Aboba & Zorn Informational [Page 1]
RFC 2809 L2TP Compulsory Tunneling via RADIUS April 2000
Network Access Server
The Network Access Server (NAS) is the device that clients
contact in order to get access to the network. In L2TP
terminology, a NAS performing compulsory tunneling is
referred to as the L2TP Access Concentrator (LAC).
RADIUS authentication server
This is a server which provides for
authentication/authorization via the protocol described in
[1].
RADIUS proxy
In order to provide for the routing of RADIUS
authentication requests, a RADIUS proxy can be employed.
To the NAS, the RADIUS proxy appears to act as a RADIUS
server, and to the RADIUS server, the proxy appears to act
as a RADIUS client. A proxy can also be used to locate the
tunnel endpoint when realm-based tunneling is used.
2. Requirements language
In this document, the key words "MAY", "MUST", "MUST NOT", "optional",
"recommended", "SHOULD", and "SHOULD NOT" are to be interpreted as
described in [4].
3. Introduction
Many applications of tunneling protocols involve dial-up network
access. Some, such as the provisioning of secure access to corporate
intranets via the Internet, are characterized by voluntary tunneling:
the tunnel is created at the request of the user for a specific
purpose. Other applications involve compulsory tunneling: the tunnel
is created without any action from the user and without allowing the
user any choice.
Examples of applications that might be implemented using compulsory
tunnels are Internet software upgrade servers, software registration
servers and banking services. These are all services which, without
compulsory tunneling, would probably be provided using dedicated
networks or at least dedicated network access servers (NAS), since
they are characterized by the need to limit user access to specific
hosts.
Given the existence of widespread support for compulsory tunneling,
however, these types of services could be accessed via any Internet
service provider (ISP). The most popular means of authorizing dial-
up network users today is through the RADIUS protocol. The use of
RADIUS allows the dial-up users' authorization and authentication
data to be maintained in a central location, rather than on each NAS.
It makes sense to use RADIUS to centrally administer compulsory
tunneling, since RADIUS is widely deployed and was designed to carry
this type of information. New RADIUS attributes are needed to carry
the tunneling information from the RADIUS server to the NAS. Those
attributes are defined in [3].
3.1. Advantages of RADIUS-based compulsory tunneling
基于RADIUS的強制隧道連接的優點
Current proposals for routing of tunnel requests include static
tunneling, where all users are automatically tunneled to a given
endpoint, and realm-based tunneling, where the tunnel endpoint is
determined from the realm portion of the userID. User-based tunneling
as provided by integration of RADIUS and tunnel protocols offers
significant advantages over both of these approaches.
Static tunneling requires dedication of a NAS device to the purpose.
In the case of an ISP, this is undesirable because it requires them
to dedicate a NAS to tunneling service for a given customer, rather
than allowing them to use existing NASes deployed in the field. As a
result static tunneling is likely to be costly for deployment of a
global service.
Realm-based tunneling assumes that all users within a given realm
wish to be treated the same way. This limits flexibility in account
management. For example, BIGCO may desire to provide Janet with an
account that allows access to both the Internet and the intranet,
with Janet's intranet access provided by a tunnel server located in
the engineering department. However BIGCO may desire to provide Fred
with an account that provides only access to the intranet, with
Fred's intranet access provided by a tunnel network server located in
the sales department. Such a situation cannot be accommodated with
realm-based tunneling, but can be accommodated via user-based
tunneling as enabled by the attributes defined in [3].
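An added example (not part of RFC 2809) that models the BIGCO scenario above: a realm-based policy can only map the whole bigco realm to one endpoint, while a user-based policy lets a RADIUS server return a different L2TP tunnel server for Janet and Fred. The tunnel attributes are encoded in the RFC 2868 tagged-attribute layout (Type, Length, Tag, Value); the user IDs, hostnames and policy tables are constructed for illustration.

```python
import struct

# RFC 2868 attribute numbers and values (real values from that RFC).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_SERVER_ENDPOINT = 64, 65, 67
TUNNEL_TYPE_L2TP = 3      # Tunnel-Type value for L2TP
TUNNEL_MEDIUM_IPV4 = 1    # Tunnel-Medium-Type value for IPv4

# Constructed policy tables mirroring the BIGCO example (hypothetical hostnames).
USER_POLICY = {
    "janet@bigco.example": {"internet": True,  "lns": "lns-eng.bigco.example"},
    "fred@bigco.example":  {"internet": False, "lns": "lns-sales.bigco.example"},
}
REALM_POLICY = {"bigco.example": "lns-eng.bigco.example"}  # one endpoint per realm

def realm_of(user_id):
    return user_id.rsplit("@", 1)[1] if "@" in user_id else ""

def realm_based_endpoint(user_id):
    # Realm-based tunneling: every user in the realm gets the same LNS.
    return REALM_POLICY.get(realm_of(user_id))

def user_based_endpoint(user_id):
    # User-based tunneling: the LNS is chosen per account.
    entry = USER_POLICY.get(user_id)
    return entry["lns"] if entry else None

def tagged_attr(attr_type, tag, value):
    # RFC 2868 tagged attribute: Type(1) Length(1) Tag(1) Value(...)
    return struct.pack("!BBB", attr_type, 3 + len(value), tag) + value

def tunnel_attributes(user_id, tag=1):
    # Attributes a RADIUS server would place in an Access-Accept for
    # user-based compulsory tunneling; empty if no tunnel is authorized.
    lns = user_based_endpoint(user_id)
    if lns is None:
        return b""
    return (tagged_attr(TUNNEL_TYPE, tag, struct.pack("!I", TUNNEL_TYPE_L2TP)[1:])
            + tagged_attr(TUNNEL_MEDIUM_TYPE, tag, struct.pack("!I", TUNNEL_MEDIUM_IPV4)[1:])
            + tagged_attr(TUNNEL_SERVER_ENDPOINT, tag, lns.encode()))

def parse_tagged_attributes(data):
    # Decode the TLVs back into (type, tag, value) tuples, as a LAC would.
    out, i = [], 0
    while i < len(data):
        attr_type, length, tag = struct.unpack("!BBB", data[i:i + 3])
        out.append((attr_type, tag, data[i + 3:i + length]))
        i += length
    return out
```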
基于域的隧道連接認為所有的在給定域中的用戶將被相同對待。這限制了賬號管理的
靈活性。例如,BIGCO 可能希望提供Janet一個允許同時訪問Internet和Intranet的
賬號,Janet的Intranet連接由工程部的隧道網絡服務器提供;然而,BIGCO可能希望
提供Fred只能訪問Intranet的賬號,而Fred的Intranet連接由銷售部的隧道網絡服務
器提供。這種的情況不能被基于域的隧道連接所兼容,但是能被基于用戶的隧道連接
所包含。〔3〕中定義的屬性使這種基于用戶的連接成為可能。
4. Authentication alternatives
RADIUS-based compulsory tunneling can support both single
authentication, where the user is authenticated at the NAS or tunnel
server, or dual authentication, where the user is authenticated at
both the NAS and the tunnel server. When single authentication is
supported, a variety of modes are possible, including telephone-
number based authentication. When dual-authentication is used, a
number of modes are available, including dual CHAP authentications;
CHAP/EAP authentication; CHAP/PAP(token) authentication; and EAP/EAP
authentication, using the same EAP type for both authentications. EAP
is described in [5].
基于RADIUS的強制隧道連接既能支持在NAS或隧道服務器的單一認證,又能支持需在
兩端進行的雙重認證。當支持單一認證的時候,多種模式就變為可能了,包括
基于電話號碼的認證。當支持雙重認證的時候,一些模式就可實現了,包括雙重CHAP認證、
CHAP/EAP 認證、CHAP/PAP(token)認證、EAP/EAP認證(兩端認證使用相同的EAP類型)。
EAP認證在〔5〕中描述。
The alternatives are described in more detail below.
4.1. Single authentication
單一認證
Single authentication alternatives include:
NAS authentication
NAS authentication with RADIUS reply forwarding
Tunnel server authentication
4.1.1. NAS authentication
With this approach, authentication and authorization (including
tunneling information) occur once, at the NAS. The advantages of
this approach are that it disallows network access for unauthorized
NAS users, and permits accounting to be done at the NAS. The
disadvantage is that it requires the tunnel server to trust the NAS,
since no user authentication occurs at the tunnel server. Due to the
lack of user authentication, accounting cannot take place at the tunnel
server with strong assurance that the correct party is being billed.
NAS-only authentication is most typically employed along with LCP
forwarding and tunnel authentication, both of which are supported in