CURRENT_MEETING_REPORT_

Reported by John Vollbrecht/Merit Network and Allan Rubens/Merit Network

Minutes of the Network Access Server Requirements Working Group (NASREQ)

The NAS Requirements Working Group met on Tuesday 29 March. The meeting was divided into two parts: the first hour was devoted to going over the draft NASREQ document, discussing the Radius protocol specification revisions done since the last IETF, and discussing the NAC/NAS authentication requirements that have been passed off to the PPPEXT Working Group for implementation. During the second hour there was discussion of distributed authentication, authorization and accounting (AAA) for network access servers (NASs). There was considerable interest in forming a new working group to come up with a requirements document, and perhaps an API or protocol to support a distributed AAA architecture for a NAS.

The NASREQ Working Group will disband after this meeting. The NASREQ draft will be updated to reflect changes discussed at the meeting and additional changes submitted as a result of the meeting. The draft will be submitted as an Internet-Draft sometime before the Toronto IETF.

Dave Carrel and John Vollbrecht will take the lead in discussing and possibly drafting a charter for a new working group oriented to NAS interfaces to authentication, authorization and accounting services.

NASREQ Document Discussion

Bob Morgan suggested that NASREQ might be a chapter in a Router Requirements document. It was noted that there are unique things in NASs and that the document has turned out to be more a list of wished-for standards than what might be considered ``requirements.'' The document was reviewed and volunteers were solicited to clean up or add sections, as noted below.

   o It was agreed that PPP auto-detection should be required. There should be a pointer to the write-up in the PPP document that describes how to do this. There is some trickiness to auto-baud.
   o A non-disclosing password for both PPP and character stream is needed. Cliff Neuman agreed to rewrite section 4.1.3 to include this.

   o The group decided that mutual authentication is not a requirement now, but at some point in a few years it may become required.

   o PPP must support IP. It may support IPX, AppleTalk, etc. Nevil Brownlee agreed to modify section 4.1.5 to make this clear.

   o There was discussion about filtering on user ID (there is none in packets, so it really meant filtering on session). Marco Hernandez agreed to rewrite section 4.1.7.

   o Routing protocols were discussed and it was decided that these were not unique to NASs. The use of standard routing protocols as required should be encouraged.

   o SNMP support requirements were discussed. SNMP should be supported. A modem MIB would be nice, as well as some accounting and ``huntgroup'' utilization support. Chris Gressley volunteered to rewrite the SNMP section.

   o There was some discussion of whether caller ID should be addressed. Peter Phillips volunteered to write up a caller ID section.

   o The NAS-helper interface has been removed from the document, as the NAS and helper are seen as different pieces of the NAS internal implementation and are a vendor design choice. Interfaces to the combination are more appropriately subject to standards requirements.

Radius Protocol

Carl Rigney talked about the Radius protocol. An Internet-Draft was available in paper form and is now in the Internet-Drafts directories. A range of attributes have been added for ``experimental'' options. He solicited accounting requirements. There was some discussion on whether public key support for signing messages could be implemented. Carl was open to that but wanted more direction on how it should be done. A number of people have been working on Radius and the protocol; the hope is that it will continue to evolve. Code is freely available from Livingston.
Distributed Authentication

John Vollbrecht presented a set of diagrams showing how distributed authentication and authorization could be architected. Figure 1 showed the problem with distributed NASs wanting to authenticate a user at the user's home authentication database---which may not be the authentication database supported at the institution that runs the NAS. Figures 2 and 3 show alternate ways to route messages. The preferred way is that shown in Figure 3, with a public key registry containing public keys for the AAServer as well as its IP address. Figure 4 adds a helper, but is otherwise the same as Figure 1. Figure 5 shows multiple NASs supported by a set of helpers, and getting AAServer connection information from a registry as in Figure 3. The last figure shows the interfaces between NAS and helper and between helper and AAServer.

The group agreed that the NAS-helper interface was not to be standardized but the interface to authentication, authorization and accounting servers could be, and that other working groups of the IETF were working on such standards. There was a consensus that it would be good to push on this architecture to provide input to the other working groups.

Dave Carrel proposed that we attack the interface by defining a set of APIs that could be coded to by NAS vendors in their products and by AAServer implementors. It was pointed out that Marshall Rose was not supportive of standardizing APIs. Others suggested that a protocol would be a better thing to standardize anyway. The API approach seemed more likely to be something that vendors could agree to support. The point was made that defining what is required in the API would go a long way to defining what is required in a protocol, and that making progress toward such a definition would be difficult and worthwhile whether the formal goal was APIs or a protocol(s).
There was general agreement that we should pursue a new working group, using the NASREQ mailing list for discussion of a possible charter.

Attendees

Susie Armstrong        susie@mentat.com
Jim Barnes             barnes@xylogics.com
Perkins Bass           bass@eskimo.com
Kym Blair              kdblair@dockmaster.ncsc.mil
Stephen Bowman         srb@nwnet.net
Henry Clark            henryc@oar.net
Cheri Dowell           cdowell@atlas.arc.nasa.gov
Robert Enger           enger@seka.reston.ans.net
Warwick Ford           wford@cnr.ca
Jerome Freedman        jfjr@mbunix.mitre.org
Chris Gorsuch          chrisg@lobby.ti.com
Richard Graveman       rfg@ctt.bellcore.com
Dragan Grebovich       dragan@bnr.ca
Christine Gressley     gressley@uiuc.edu
Richard Harris         rharris@atc.boeing.com
Marco Hernandez        marco@cren.net
Marc Horowitz          marc@security.ov.com
Jeff Hughes            jeff@col.hp.com
Jim Hughes             hughes@network.com
Jan-Olof Jemnemo       Jan-Olof.Jemnemo@intg.telia.se
Bent Jensen            bent@cisco.com
Robert Karsten         robert@lachman.com
Charlie Kaufman        kaufman@zk3.dec.com
Hiroshi Kawazoe        kawazoe@trl.ibm.co.jp
Sun-Kwan Kimn          sunkimn@cup.hp.com
Paul Lambert           paul_lambert@email.mot.com
John Linn              linn@security.ov.com
Joshua Littlefield     josh@cayman.com
Bill Mar               bmar@cac.washington.edu
Michael Michnikov      mbmg@mitre.org
Richard Moore          moorerr@msu.edu
Bob Morgan             morgan@networking.stanford.edu
Kenneth Mueller        ken@cmc.com
Brad Parker            brad@fcr.com
Alan Perelman          a_perelman@emulex.com
Peter Phillips         pphillip@cs.ubc.ca
Michael Ressler        mpr@ctt.bellcore.com
Carl Rigney            cdr@livingston.com
Chris Seabrook         cds@ossi.com
William Simpson        bsimpson@morningstar.com
Shirley Sun            suns@centrum.com
John Vollbrecht        jrv@merit.edu
Dale Walters           walters@osi3.ncsl.nist.gov
Shian-Tung Wong        shian@dcsd.sj.nec.com