Internet Draft RADIUS Working Group Bernard Aboba INTERNET-DRAFT Microsoft Category: Standards Track Glen Zorn <draft-ietf-radius-tunnel-imp-02.txt> Microsoft 11 July 1997 Implementation of PPTP/L2TP Compulsory Tunneling via RADIUS 1. Status of this Memo This document is an Internet-Draft. Internet-Drafts are working docu- ments of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute work- ing documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference mate- rial or to cite them other than as ``work in progress.'' To learn the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). The distribution of this memo is unlimited. It is filed asand expires January 1, 1998. Please send comments to the authors. 2. Abstract This document discusses implementation issues arising in the provi- sioning of compulsory tunneling in dial-up networks using the PPTP and L2TP protocols. This provisioning can be accomplished via the inte- gration of RADIUS and tunneling protocols. Implementation issues encountered with other tunneling protocols are left to separate docu- ments. 3. Terminology Voluntary Tunneling In compulsory tunneling, a tunnel is created without any action from the user and without allowing the user any choice. Compulsory Tunneling In compulsory tunneling, a tunnel is created without any action from the user and without allowing the user any Aboba & Zorn [Page 1] INTERNET-DRAFT 11 July 1997 choice. Roaming "Roaming capability" can be loosely defined as the ability to use any one of multiple Internet service providers (ISPs), while maintaining a formal, customer-vendor rela- tionship with only one. Examples of cases where roaming capaility might be required include ISP "confederations" and ISP-provided corporate network access support. Shared Use Network This is an IP dialup network whose use is shared by two or more organizations. Shared use networks typically implement distributed authentication and accounting in order to facil- itate the relationship among the sharing parties. Since these facilities are also required for implementation of roaming, implementation of shared use is frequently a first step toward development of roaming capabilities. In fact, one of the ways by which a provider can offer roaming ser- vice is to conclude shared use agreements with multiple net- works. However, to date the ability to accomplish this has been hampered by lack of interoperability among shared use implementations. Tunnel Network Server This is a server which terminates a tunnel. In PPTP termi- nology, this is known as the PPTP Network Server (PNS). In L2TP terminology, this is known as the L2TP Network Server (LNS). Network Access Server The Network Access Server (NAS) is the device that clients contact in order to get access to the network. In PPTP ter- minology this is referred to as the PPTP Access Concentrator (PAC). In L2TP terminology, the NAS is referred to as the L2TP Access Concentrator (LAC). RADIUS server This is a server which provides for authentication/autho- rization via the protocol described in [3], and for account- ing as described in [4]. RADIUS proxy In order to provide for the routing of RADIUS authentication and accounting requests, a RADIUS proxy can be employed. To the NAS, the RADIUS proxy appears to act as a RADIUS server, and to the RADIUS server, the proxy appears to act as a RADIUS client. Network Access Identifier In order to provide for the routing of RADIUS authentication and accounting requests, the userID field used in PPP and in the subsequent RADIUS authentication and accounting requests, known as the Network Access Identifier (NAI) MAY contain structure. This structure provides a means by which Aboba & Zorn [Page 2] INTERNET-DRAFT 11 July 1997 the RADIUS proxy will locate the RADIUS server that is to receive the request. This same structure MAY also be used to locate the tunnel endpoint when domain-based tunneling is used. 4. Requirements language This specification uses the same words as [9] for defining the signif- icance of each particular requirement. These words are: MUST This word, or the adjectives "REQUIRED" or "SHALL", means that the definition is an absolute requirement of the speci- fication. MUST NOT This phrase, or the phrase "SHALL NOT", means that the defi- nition is an absolute prohibition of the specification. SHOULD This word, or the adjective "RECOMMENDED", means that there MAY exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course. SHOULD NOT This phrase means that there MAY exist valid reasons in par- ticular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before imple- menting any behavior described with this label. MAY This word, or the adjective "OPTIONAL", means that an item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item. An implementation which does not include a particular option MUST be prepared to interop- erate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option MUST be prepared to interoperate with another imple- mentation which does not include the option.(except, of course, for the feature the option provides) Silently Discard The i