CURRENT_MEETING_REPORT_

Reported by John Vollbrecht/Merit Network and Allan Rubens/Merit Network

Minutes of the Network Access Server Requirements Working Group
(NASREQ)

The NAS Requirements Working Group met on Tuesday 29 March.

The meeting was divided into two parts:  the first hour was devoted to
going over the draft NASREQ document, discussing the RADIUS protocol
specification revisions made since the last IETF, and discussing the
NAC/NAS authentication requirements that have been handed off to the
PPPEXT Working Group for implementation.

During the second hour there was discussion of distributed
authentication, authorization and accounting (AAA) for network access
servers (NASs).  There was considerable interest in forming a new
working group to come up with a requirements document, and perhaps an
API or protocol to support a distributed AAA architecture for a NAS.

The NASREQ Working Group will disband after this meeting.  The NASREQ
draft will be updated to reflect changes discussed at the meeting and
additional changes submitted as a result of the meeting.  The draft will
be submitted as an Internet-Draft sometime before the Toronto IETF.

Dave Carrel and John Vollbrecht will take the lead in discussing and
possibly drafting a charter for a new working group oriented to NAS
interfaces to authentication, authorization and accounting services.


NASREQ Document Discussion

Bob Morgan suggested that NASREQ might be a chapter in a Router
Requirements document.  It was noted that there are things unique to
NASs and that the document has turned out to be more a list of
wished-for standards than what might be considered ``requirements.''
The document was reviewed and volunteers were solicited to clean up or
add sections, as noted below.


   o It was agreed that PPP auto-detection should be required.  There
     should be a pointer to the write-up in the PPP document that
     describes how to do this.  There is some trickiness to auto-baud.

   o A non-disclosing password (one that is not sent across the link in
     the clear) is needed for both PPP and character-stream logins.
     Cliff Neuman agreed to rewrite Section 4.1.3 to include this.

   o The group decided that mutual authentication is not a requirement
     now, but at some point in a few years it may become required.

   o PPP must support IP. It may support IPX, AppleTalk, etc.  Nevil
     Brownlee agreed to modify section 4.1.5 to make this clear.

   o There was discussion about filtering on user ID; since packets
     carry no user ID, this really means filtering per session.  Marco
     Hernandez agreed to rewrite Section 4.1.7.

   o Routing protocols were discussed and it was decided that these are
     not unique to NASs.  Where routing is required, use of the standard
     routing protocols should be encouraged.

   o SNMP support requirements were discussed.  SNMP should be
     supported.  A modem MIB would be nice, as well as some accounting
     and ``huntgroup'' utilization support.  Chris Gressley volunteered
     to rewrite the SNMP section.

   o There was some discussion of whether caller ID should be covered.
     Peter Phillips volunteered to write up a caller ID section.

   o The NAS-helper interface has been removed from the document, as the
     NAS and the helper are seen as different pieces of the NAS's
     internal implementation and the split between them is a vendor
     design choice.  Interfaces to the combination are a more
     appropriate subject for standards requirements.


RADIUS Protocol

Carl Rigney talked about the RADIUS protocol.  An Internet-Draft was
available in paper form at the meeting and is now in the Internet-Drafts
directories.  A range of attributes has been added for ``experimental''
options.  He solicited accounting requirements.  There was some
discussion on whether public key support for signing messages could be
implemented.  Carl was open to that but wanted more direction on how it
should be done.

A number of people have been working on RADIUS and the protocol; the
hope is that it will continue to evolve.  Code is freely available from
Livingston.
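As an added illustration (this is not code from the Livingston
implementation or from the Internet-Draft, which these minutes do not
quote), the exchange below shows the basic RADIUS round trip in Python:
the NAS builds an Access-Request with the shared-secret password hiding,
the server recovers the password and answers, and the NAS checks the
Response Authenticator before trusting the answer.  Packet layout and
the two MD5 constructions follow RFC 2865 as later published; that the
1994 draft already matched them is an assumption, as are the user
table, identifiers and secrets, which are constructed for the example.

```python
"""Added example: a RADIUS Access-Request / Access-Accept exchange with the
shared-secret User-Password hiding and Response Authenticator (RFC 2865)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_packet(code, ident, auth, attrs=b""):
    """20-byte header (Code, Identifier, Length, Authenticator) then attributes."""
    return struct.pack("!BBH16s", code, ident, 20 + len(attrs), auth) + attrs


def attr(atype, value):
    """One attribute: Type, Length (covering both header bytes), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(data):
    """Walk the TLV list, rejecting truncated or zero-length entries."""
    attrs = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return attrs


def cipher_password(blocks, secret, req_auth, unhide):
    """User-Password transform in both directions: block i is XORed with
    MD5(secret || c[i-1]); c[-1] is the Request Authenticator and c[i-1] the
    previous hidden block (the input when unhiding, the output when hiding)."""
    out, prev = bytearray(), req_auth
    for i in range(0, len(blocks), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(blocks[i:i + 16], keystream))
        out += block
        prev = blocks[i:i + 16] if unhide else block
    return bytes(out)


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    return hashlib.md5(encode_packet(code, ident, req_auth, attrs) + secret).digest()


def build_access_request(ident, user, password, secret):
    """NAS side: random Request Authenticator, User-Name, hidden User-Password.
    Returns the packet and the authenticator the NAS must keep to check the reply."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    req_auth = os.urandom(16)
    padded = password + b"\0" * (-len(password) % 16)  # zero-pad to a 16-byte multiple
    attrs = attr(ATTR_USER_NAME, user) + attr(
        ATTR_USER_PASSWORD, cipher_password(padded, secret, req_auth, False))
    return encode_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def handle_access_request(req, secret, users):
    """Server side: recover the password, check it against the (constructed) user
    table and answer with an authenticated Access-Accept or Access-Reject."""
    if len(req) < 20 or req[0] != ACCESS_REQUEST or struct.unpack("!H", req[2:4])[0] != len(req):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = req[4:20], parse_attrs(req[20:])
    hidden = attrs.get(ATTR_USER_PASSWORD, b"")
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("bad User-Password length")
    password = cipher_password(hidden, secret, req_auth, True).rstrip(b"\0")
    expected = users.get(attrs.get(ATTR_USER_NAME, b""))
    ok = expected is not None and hmac.compare_digest(password, expected)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return encode_packet(code, req[1], response_authenticator(code, req[1], req_auth, b"", secret))


def verify_response(resp, req_auth, secret):
    """NAS side: trust the reply only if its Response Authenticator matches the
    Request Authenticator we sent and the shared secret; that check is all that
    stands between a forged Access-Accept on the wire and the NAS."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        raise ValueError("not a well-formed reply")
    want = response_authenticator(resp[0], resp[1], req_auth, resp[20:], secret)
    if not hmac.compare_digest(resp[4:20], want):
        raise ValueError("Response Authenticator mismatch")
    return resp[0]


if __name__ == "__main__":
    users = {b"alice": b"correct horse battery"}  # constructed user table
    req, req_auth = build_access_request(1, b"alice", b"correct horse battery", b"shared-secret")
    resp = handle_access_request(req, b"shared-secret", users)
    print("accept" if verify_response(resp, req_auth, b"shared-secret") == ACCESS_ACCEPT else "reject")
```

The reply is bound to the request only by an MD5 over the shared secret,
which is the gap behind the public key signing question above: anyone
holding the secret can forge an Access-Accept, and a weak secret can be
searched for offline from a single captured request/response pair.  The
password hiding is an MD5 keystream keyed by that same secret, so it
protects the password against a casual sniffer, not against anyone who
has the secret.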


Distributed Authentication

John Vollbrecht presented a set of diagrams showing how distributed
authentication and authorization could be architected.  Figure 1 showed
the problem of distributed NASs wanting to authenticate a user against
the user's home authentication database, which may not be the
authentication database supported at the institution that runs the NAS.
Figures 2 and 3 show alternative ways to route messages.  The preferred
way is that shown in Figure 3, with a public key registry containing
the public key of each AAServer as well as its IP address.

Figure 4 adds a helper, but is otherwise the same as Figure 1.  Figure 5
shows multiple NASs supported by a set of helpers, and getting AAServer
connection information from a registry as in Figure 3.  The last figure
shows the interfaces between NAS and helper and between helper and
AAServer.  The group agreed that the NAS-helper interface was not to be
standardized but the interface to authentication, authorization and
accounting servers could be, and that other working groups of the IETF
were working on such standards.  There was a consensus that it would be
good to push on this architecture to provide input to the other working
groups.

Dave Carrel proposed that we attack the interface by defining a set of
APIs that NAS vendors could code to in their products and that AAServer
implementors could code to as well.  It was pointed out that Marshall
Rose was not supportive of standardizing APIs.  Others suggested that a
protocol would be a better thing to standardize anyway.  The API
approach seemed more likely to be something that vendors could agree to
support.  The point was made that defining what is required in the API
would go a long way toward defining what is required in a protocol, and
that making progress toward such a definition would be difficult and
worthwhile whether the formal goal was APIs or protocols.

There was general agreement that we should pursue a new working group,
using the NASREQ mailing list for discussion of a possible charter.


Attendees

Susie Armstrong          susie@mentat.com
Jim Barnes               barnes@xylogics.com
Perkins Bass             bass@eskimo.com
Kym Blair                kdblair@dockmaster.ncsc.mil
Stephen Bowman           srb@nwnet.net
Henry Clark              henryc@oar.net
Cheri Dowell             cdowell@atlas.arc.nasa.gov
Robert Enger             enger@seka.reston.ans.net
Warwick Ford             wford@cnr.ca
Jerome Freedman          jfjr@mbunix.mitre.org
Chris Gorsuch            chrisg@lobby.ti.com
Richard Graveman         rfg@ctt.bellcore.com
Dragan Grebovich         dragan@bnr.ca
Christine Gressley       gressley@uiuc.edu
Richard Harris           rharris@atc.boeing.com
Marco Hernandez          marco@cren.net
Marc Horowitz            marc@security.ov.com
Jeff Hughes              jeff@col.hp.com
Jim Hughes               hughes@network.com
Jan-Olof Jemnemo         Jan-Olof.Jemnemo@intg.telia.se
Bent Jensen              bent@cisco.com
Robert Karsten           robert@lachman.com
Charlie Kaufman          kaufman@zk3.dec.com
Hiroshi Kawazoe          kawazoe@trl.ibm.co.jp
Sun-Kwan Kimn            sunkimn@cup.hp.com
Paul Lambert             paul_lambert@email.mot.com
John Linn                linn@security.ov.com
Joshua Littlefield       josh@cayman.com
Bill Mar                 bmar@cac.washington.edu
Michael Michnikov        mbmg@mitre.org
Richard Moore            moorerr@msu.edu
Bob Morgan               morgan@networking.stanford.edu
Kenneth Mueller          ken@cmc.com
Brad Parker              brad@fcr.com
Alan Perelman            a_perelman@emulex.com
Peter Phillips           pphillip@cs.ubc.ca
Michael Ressler          mpr@ctt.bellcore.com
Carl Rigney              cdr@livingston.com
Chris Seabrook           cds@ossi.com
William Simpson          bsimpson@morningstar.com
Shirley Sun              suns@centrum.com
John Vollbrecht          jrv@merit.edu
Dale Walters             walters@osi3.ncsl.nist.gov
Shian-Tung Wong          shian@dcsd.sj.nec.com