分享
 
 
 

RFC2867 - RADIUS Accounting Modifications for Tunnel Protocol Support

王朝other·作者佚名  2008-05-31
窄屏简体版  字體: |||超大  

Network Working Group G. Zorn

Request for Comments: 2867 Cisco Systems, Inc.

Category: Informational B. Aboba

Updates: 2866 Microsoft Corporation

D. Mitton

Nortel Networks

June 2000

RADIUS Accounting Modifications for Tunnel Protocol Support

Status of this Memo

This memo provides information for the Internet community. It does

not specify an Internet standard of any kind. Distribution of this

memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

This document defines new RADIUS accounting Attributes and new values

for the existing Acct-Status-Type Attribute [1] designed to support

the provision of compulsory tunneling in dial-up networks.

Specification of Requirements

In this document, the key Words "MAY", "MUST, "MUST NOT", "optional",

"recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as

described in [2].

1. IntrodUCtion

Many applications of tunneling protocols such as PPTP [5] and L2TP

[4] involve dial-up network Access. Some, such as the provision of

secure access to corporate intranets via the Internet, are

characterized by voluntary tunneling: the tunnel is created at the

request of the user for a specific purpose. Other applications

involve compulsory tunneling: the tunnel is created without any

action from the user and without allowing the user any choice in the

matter, as a service of the Internet service provider (ISP).

Typically, ISPs providing a service want to collect data regarding

that service for billing, network planning, etc. One way to collect

usage data in dial-up networks is by means of RADIUS Accounting [1].

The use of RADIUS Accounting allows dial-up usage data to be

collected at a central location, rather than stored on each NAS.

In order to collect usage data regarding tunneling, new RADIUS

attributes are needed; this document defines these attributes. In

addition, several new values for the Acct-Status-Type attribute are

proposed. Specific recommendations for, and examples of, the

application of this attribute for the L2TP protocol can be found in

RFC2809.

2. Implementation Notes

Compulsory tunneling may be part of a package of services provided by

one entity to another. For example, a corporation might contract

with an ISP to provide remote intranet access to its employees via

compulsory tunneling. In this case, the integration of RADIUS and

tunnel protocols allows the ISP and the corporation to synchronize

their accounting activities so that each side receives a record of

the user's resource consumption. This provides the corporation with

the means to audit ISP bills.

In auditing, the User-Name, Acct-Tunnel-Connection, Tunnel-Client-

Endpoint and Tunnel-Server-Endpoint attributes are typically used to

uniquely identify the call, allowing the Accounting-Request sent by

the NAS to be reconciled with the corresponding Accounting-Request

sent by the tunnel server.

When implementing RADIUS accounting for L2TP/PPTP tunneling, the

Call-Serial-Number SHOULD be used in the Acct-Tunnel-Connection

attribute. In L2TP, the Call-Serial-Number is a 32-bit field and in

PPTP it is a 16-bit field. In PPTP the combination of IP Address and

Call-Serial-Number SHOULD be unique, but this is not required. In

addition, no method for determining the Call-Serial-Number is

specified, which leaves open the possibility of wrapping after a

reboot.

Note that a 16-bit Call-Serial-Number is not sufficient to

distinguish a given call from all other calls over an extended time

period. For example, if the Call-Serial-Number is assigned

monotonically, the NAS in question has 96 ports which are continually

busy and the average call is of 20 minutes duration, then a 16-bit

Call-Serial-Number will wrap within 65536/(96 * 3 calls/hour * 24

hours/day) = 9.48 days.

3. New Acct-Status-Type Values

3.1. Tunnel-Start

Value

9

Description

This value MAY be used to mark the establishment of a tunnel

with another node. If this value is used, the following

attributes SHOULD also be included in the Accounting-Request

packet:

User-Name (1)

NAS-IP-Address (4)

Acct-Delay-Time (41)

Event-Timestamp (55)

Tunnel-Type (64)

Tunnel-Medium-Type (65)

Tunnel-Client-Endpoint (66)

Tunnel-Server-Endpoint (67)

Acct-Tunnel-Connection (68)

3.2. Tunnel-Stop

Value

10

Description

This value MAY be used to mark the destruction of a tunnel to

or from another node. If this value is used, the following

attributes SHOULD also be included in the Accounting-Request

packet:

User-Name (1)

NAS-IP-Address (4)

Acct-Delay-Time (41)

Acct-Input-Octets (42)

Acct-Output-Octets (43)

Acct-Session-Id (44)

Acct-Session-Time (46)

Acct-Input-Packets (47)

Acct-Output-Packets (48)

Acct-Terminate-Cause (49)

Acct-Multi-Session-Id (51)

Event-Timestamp (55)

Tunnel-Type (64)

Tunnel-Medium-Type (65)

Tunnel-Client-Endpoint (66)

Tunnel-Server-Endpoint (67)

Acct-Tunnel-Connection (68)

Acct-Tunnel-Packets-Lost (86)

3.3. Tunnel-Reject

Value

11

Description

This value MAY be used to mark the rejection of the

establishment of a tunnel with another node. If this value is

used, the following attributes SHOULD also be included in the

Accounting-Request packet:

User-Name (1)

NAS-IP-Address (4)

Acct-Delay-Time (41)

Acct-Terminate-Cause (49)

Event-Timestamp (55)

Tunnel-Type (64)

Tunnel-Medium-Type (65)

Tunnel-Client-Endpoint (66)

Tunnel-Server-Endpoint (67)

Acct-Tunnel-Connection (68)

3.4. Tunnel-Link-Start

Value

12

Description

This value MAY be used to mark the creation of a tunnel link.

Only some tunnel types (e.g., L2TP) support multiple links per

tunnel. This Attribute is intended to mark the creation of a

link within a tunnel that carries multiple links. For example,

if a mandatory tunnel were to carry M links over its lifetime,

2(M+1) RADIUS Accounting messages might be sent: one each

marking the initiation and destruction of the tunnel itself and

one each for the initiation and destruction of each link within

the tunnel. If only a single link can be carried in a given

tunnel (e.g., IPsec in the tunnel mode), this Attribute need

not be included in accounting packets, since the presence of

the Tunnel-Start Attribute will imply the initiation of the

(only possible) link.

If this value is used, the following attributes SHOULD also be

included in the Accounting-Request packet:

User-Name (1)

NAS-IP-Address (4)

NAS-Port (5)

Acct-Delay-Time (41)

Event-Timestamp (55)

Tunnel-Type (64)

Tunnel-Medium-Type (65)

Tunnel-Client-Endpoint (66)

Tunnel-Server-Endpoint (67)

Acct-Tunnel-Connection (68)

3.5. Tunnel-Link-Stop

Value

13

Description

This value MAY be used to mark the destruction of a tunnel

link. Only some tunnel types (e.g., L2TP) support multiple

links per tunnel. This Attribute is intended to mark the

destruction of a link within a tunnel that carries multiple

links. For example, if a mandatory tunnel were to carry M

links over its lifetime, 2(M+1) RADIUS Accounting messages

might be sent: one each marking the initiation and destruction

of the tunnel itself and one each for the initiation and

destruction of each link within the tunnel. If only a single

link can be carried in a given tunnel (e.g., IPsec in the

tunnel mode), this Attribute need not be included in accounting

packets, since the presence of the Tunnel-Stop Attribute will

imply the termination of the (only possible) link.

If this value is used, the following attributes SHOULD also be

included in the Accounting-Request packet:

User-Name (1)

NAS-IP-Address (4)

NAS-Port (5)

Acct-Delay-Time (41)

Acct-Input-Octets (42)

Acct-Output-Octets (43)

Acct-Session-Id (44)

Acct-Session-Time (46)

Acct-Input-Packets (47)

Acct-Output-Packets (48)

Acct-Terminate-Cause (49)

Acct-Multi-Session-Id (51)

Event-Timestamp (55)

NAS-Port-Type (61)

Tunnel-Type (64)

Tunnel-Medium-Type (65)

Tunnel-Client-Endpoint (66)

Tunnel-Server-Endpoint (67)

Acct-Tunnel-Connection (68)

Acct-Tunnel-Packets-Lost (86)

3.6. Tunnel-Link-Reject

Value

14

Description

This value MAY be used to mark the rejection of the

establishment of a new link in an existing tunnel. Only some

tunnel types (e.g., L2TP) support multiple links per tunnel.

If only a single link can be carried in a given tunnel (e.g.,

IPsec in the tunnel mode), this Attribute need not be included

in accounting packets, since in this case the Tunnel-Reject

Attribute has the same meaning.

If this value is used, the following attributes SHOULD also be

included in the Accounting-Request packet:

User-Name (1)

NAS-IP-Address (4)

Acct-Delay-Time (41)

Acct-Terminate-Cause (49)

Event-Timestamp (55)

Tunnel-Type (64)

Tunnel-Medium-Type (65)

Tunnel-Client-Endpoint (66)

Tunnel-Server-Endpoint (67)

Acct-Tunnel-Connection (68)

4. Attributes

4.1. Acct-Tunnel-Connection

Description

This Attribute indicates the identifier assigned to the tunnel

session. It SHOULD be included in Accounting-Request packets

which contain an Acct-Status-Type attribute having the value

Start, Stop or any of the values described above. This

attribute, along with the Tunnel-Client-Endpoint and Tunnel-

Server-Endpoint attributes [3], may be used to provide a means

to uniquely identify a tunnel session for auditing purposes.

A summary of the Acct-Tunnel-Connection Attribute format is shown

below. The fields are transmitted from left to right.

0 1 2

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type Length String ...

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

68 for Acct-Tunnel-Connection

Length

>= 3

String

The format of the identifier represented by the String field

depends upon the value of the Tunnel-Type attribute [3]. For

example, to fully identify an L2TP tunnel connection, the L2TP

Tunnel ID and Call ID might be encoded in this field. The

exact encoding of this field is implementation dependent.

4.2. Acct-Tunnel-Packets-Lost

Description

This Attribute indicates the number of packets lost on a given

link. It SHOULD be included in Accounting-Request packets

which contain an Acct-Status-Type attribute having the value

Tunnel-Link-Stop.

A summary of the Acct-Tunnel-Packets-Lost Attribute format is

shown below. The fields are transmitted from left to right.

0 1 2 3

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type Length Lost

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Lost (cont)

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

86 for Acct-Tunnel-Packets-Lost

Length

6

Lost

The Lost field is 4 octets in length and represents the number

of packets lost on the link.

5. Table of Attributes

The following table provides a guide to which attributes may be found

in Accounting-Request packets. No tunnel attributes should be found

in Accounting-Response packets.

Request # Attribute

0-1 64 Tunnel-Type

0-1 65 Tunnel-Medium-Type

0-1 66 Tunnel-Client-Endpoint

0-1 67 Tunnel-Server-Endpoint

0-1 68 Acct-Tunnel-Connection

0 69 Tunnel-Password

0-1 81 Tunnel-Private-Group-ID

0-1 82 Tunnel-Assignment-ID

0 83 Tunnel-Preference

0-1 86 Acct-Tunnel-Packets-Lost

The following table defines the meaning of the above table entries.

0 This attribute MUST NOT be present in packet.

0+ Zero or more instances of this attribute MAY be present in

packet.

0-1 Zero or one instance of this attribute MAY be present in

packet.

6. Security Considerations

By "sniffing" RADIUS Accounting packets, it might be possible for an

eavesdropper to perform a passive analysis of tunnel connections.

7. References

[1] Rigney, C., "RADIUS Accounting", RFC2866, June 2000.

[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement

Levels", BCP 14, RFC2119, March 1997.

[3] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. and

I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC

2868, June 2000.

[4] Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn, G. and

B. Palter, "Layer Two Tunneling Protocol "L2TP"", RFC2661,

August 1999.

[5] Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little, W. and

G. Zorn, "Point-to-Point Tunneling Protocol (PPTP)", RFC2637,

July 1999.

8. Acknowledgments

Thanks to Aydin Edguer, Ly Loi, Matt Holdrege and Gurdeep Singh Pall

for salient input and review.

9. Authors' Addresses

Questions about this memo can be directed to:

Glen Zorn

Cisco Systems, Inc.

500 108th Avenue N.E., Suite 500

Bellevue, Washington 98004

USA

Phone: +1 425 438 8218

FAX: +1 425 438 1848

EMail: gwz@cisco.com

Dave Mitton

Nortel Networks

880 Technology Park Drive

Billerica, MA 01821

Phone: +1 978 288 4570

Fax: +1 978 288 3030

EMail: dmitton@nortelnetworks.com

Bernard Aboba

Microsoft Corporation

One Microsoft Way

Redmond, Washington 98052

Phone: +1 425 936 6605

Fax: +1 425 936 7329

EMail: aboba@internaut.com

10. Full Copyright Statement

Copyright (C) The Internet Society (2000). All Rights Reserved.

This document and translations of it may be copied and furnished to

others, and derivative works that comment on or otherwise eXPlain it

or assist in its implementation may be prepared, copied, published

and distributed, in whole or in part, without restriction of any

kind, provided that the above copyright notice and this paragraph are

included on all such copies and derivative works. However, this

document itself may not be modified in any way, such as by removing

the copyright notice or references to the Internet Society or other

Internet organizations, except as needed for the purpose of

developing Internet standards in which case the procedures for

copyrights defined in the Internet Standards process must be

followed, or as required to translate it into languages other than

English.

The limited permissions granted above are perpetual and will not be

revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an

"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING

TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING

BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION

HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF

MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFCEditor function is currently provided by the

Internet Society.

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有