AAA Frequently Used Terms (working draft)
This document defines several terms frequently used in AAA related
documents. These terms are used in most documents on these pages.
Different research groups and organisations may use different definitions,
so these definitions are probably not globally accepted.
- AAA
-
Authentication, Authorization, and Accounting. The three primary services
required by a NAS server or protocol. All three services are logically
independent and may be separately implemented with the output of each used
as the input of the next.
- AAA Server
-
An AAA Server is a server or servers that provide authentication,
authorization and accounting services. These may be co-located with the
NAS, or more typically, are located on a separate server and communicate
with the NAS's User Management Interface via an AAA protocol. The AAA
functions may be located on a single server, or may be broken up among
multiple servers.
- Accounting
-
The act of collecting information on resource usage for the purpose of
capacity and trend analysis, cost allocation, auditing and billing.
Accounting management requires that resource consumption be measured,
rated, assigned, and communicated between appropriate parties. Typical
information that is gathered in accounting is the identity of the user,
the nature of the service delivered, when the service began, and when it
ended.
- Accounting Attributes
-
Quantities which can be measured and reported.
- Accounting Management
-
Record resource usage and enforce resource usage policy. Accounting
Management provides the mechanisms to charge accounts for resource usage
and to deny storage resources to overdrawn accounts. Charges may be
incurred for the use of any storage system resource, including such
typical resources as bytes stored, data transferred, volumes mounted, and
desired quality of service.
Accounting management requires that resource consumption be measured,
rated, assigned, and communicated between appropriate parties.
- Accounting Protocol
-
A protocol used to convey data for accounting purposes.
- Accounting Server
-
A network element that accepts Usage Events from Service Elements. It acts
as an interface to back-end rating and billing systems. The accounting
server receives accounting data from devices and translates it into
session records. The accounting server may also take responsibility for
the routing of session records to interested parties.
- Administrative Domain
-
An intranet, or a collection of networks, computers, and databases under a
common administration. Computer entities operating in a common
administration may be assumed to share administratively created security
associations.
- Archival accounting
-
In archival accounting, the goal is to collect all accounting data, to
reconstruct missing entries as best as possible in the event of data loss,
and to archive data for a mandated time period. Legal or financial
requirements frequently mandate archival accounting practices, and may
often dictate that data be kept confidential, regardless of whether it is
to be used for billing purposes or not.
- Attendant
-
A node designed to provide the service interface between a client and the
local domain (service element).
- Authentication
-
The act of verifying a claimed identity, in the form of a pre-existing
label from a mutually known name space, as the originator of a message
(message authentication) or as the end-point of a channel (entity
authentication).
The authentication process may also establish the entity's attributes
(e.g., role, security label, group membership, etc.).
Authentication is accomplished via the presentation of an identity and
credentials. Examples of types of credentials are passwords, one-time
tokens, digital certificates, and phone numbers (calling/called).
- Authorization
-
Authorization refers to the granting of specific types of service
(including "no service") to a user, based on their authentication, what
services they are requesting, and the current system state. Authorization
may be based on restrictions, for example time-of-day restrictions,
physical location restrictions, credit limit or restrictions against
multiple logins by the same user. Authorization determines the nature of
the service which is granted to a user and may provide restrictions to the
given service.
- Attribute-Value-Pair (AVP)
-
A representation for a Usage Attribute consisting of the name of the
Attribute and a value.
- Auditing
-
The act of verifying the correctness of a procedure. In order to be able
to conduct an audit it is necessary to be able to definitively determine
what procedures were actually carried out so as to be able to compare this
to the recommended process. Accomplishing this may require security
services such as authentication and integrity protection.
Auditing refers to the tracking of activity by users. The purpose of
auditing is to determine the nature of a user's network activity. It is
generally done by checking usage against some policy.
Auditing also refers to checking the billing process itself, i.e. verifying
that the billing procedure was carried out correctly.
- Batch Accounting
-
Batch accounting refers to accounting information that is saved until it
is delivered at a later time. This generally reduces the transport overhead
of accounting information.
- Billing
-
The act of preparing an invoice.
- Broker
-
An intermediary agent, trusted by two other AAA servers, able to obtain
and provide security services from those AAA servers. For instance, a
broker may obtain and provide authorizations, or assurances that
credentials are valid.
- Call Accounting
-
A call accounting system is an application that captures and records
telephone call data placed to and from your telephone system. This data
can then be organized into various reports that can be analyzed by your
management team. Call data includes the extension from which the call
originated, the number dialed, whether the call was a local or toll call,
the city and state associated with the number dialed, the date and time
the call was placed, the duration of the call, the circuit the call was
routed over, and if applicable, the account code identifying which client
or project you wish to correlate the call to. Caller ID information is
also provided, if the telephone system supports it.
- Challenge-Handshake Authentication Protocol (CHAP)
-
CHAP is a more secure procedure for connecting to a system with PPP. CHAP
is defined in RFC 1334. After the link is made, the server sends a
challenge message to the connection requestor. The requestor responds with
a value obtained by using a one-way hash function. The server checks the
response by comparing it to its own calculation of the expected hash
value. If the values match, the authentication is acknowledged; otherwise
the connection is usually terminated. At any time, the server can request
the connected party to send a new challenge message. Because CHAP
identifiers are changed frequently and because authentication can be
requested by the server at any time, CHAP provides more security than PAP.
- Client
-
A node wishing to obtain service from a service element within an
administrative domain.
- Confidentiality
-
The protection of information so that someone not authorized to access the
information cannot read the information even though the unauthorized
person might see the information's container (e.g., computer file or
network packet).
- Cost Allocation
-
The act of allocating costs between entities. Note that cost allocation
and rating are fundamentally different processes. In cost allocation the
objective is typically to allocate a known cost among several entities.
In rating the objective is to determine the amount owed. In cost
allocation, the cost per unit of resource may need to be determined; in
rating, this is typically a given.
- Device Monitoring
-
Device monitoring refers to the tracking of status, activity, and usage of
a Service Element as a network device.
- Encryption
-
Encryption is a security mechanism used to transform data from an
intelligible form (plaintext) into an unintelligible form (ciphertext), to
provide confidentiality. The inverse transformation process is designated
"decryption". Often the term "encryption" is used generically to refer
to both processes.
- End-to-End Security
-
End-to-End is the security model that requires that security information
be able to traverse, and be validated, even when an AAA message is processed
by intermediate nodes such as proxies, brokers, etc.
- Finite sessions
-
Service-usage in which a session begins at a certain time and ends at a
later time.
- Foreign Domain
-
An administrative domain, visited by a Mobile IP client, and containing
the AAA infrastructure needed to carry out the necessary operations
enabling Mobile IP registrations. From the point of view of the foreign
agent, the foreign domain is the local domain.
- Home Domain
-
The administrative domain where the user has an account. This is the
Internet service provider or corporate network with whom the user
maintains an account relationship.
An administrative domain, containing the network whose prefix matches that
of a mobile node's home address, and containing the AAA infrastructure
needed to carry out the necessary operations enabling Mobile IP
registrations. From the point of view of the home agent, the home domain
is the local domain.
- Hop-by-hop Security
-
Hop-by-hop is the security model that requires that each direct set of
peers in a proxy network share a security association, and the security
information does not traverse an AAA entity.
- Hypertext Transfer Protocol (HTTP)
-
HTTP is a protocol for exchanging files (text, graphic images, sound,
video, and other multimedia files) on the World Wide Web. Relative to the
TCP/IP suite of protocols (which are the basis for information exchange on
the Internet), HTTP is an application protocol.
Essential concepts that are part of HTTP include (as its name implies) the
idea that files can contain references to other files whose selection will
elicit additional transfer requests. The latest version of HTTP is HTTP
1.1 and is defined in RFC 2068.
- Indivisible events
-
An event that has no distinguishable length, such as a single HTTP request.
Some services consist of a large number of indivisible events. Indivisible
events can be simulated with a start and a stop message, but this is clumsy.
- Infinite sessions
-
Services which are turned on at one time (such as when you order web space
from a provider), continue for possibly a very long time, and may, but need
not, be terminated later.
- Integrated Services Digital Network (ISDN)
-
Integrated Services Digital Network is a telephone network facility for
transmitting digital and analog information over a digital network
connection.
- Integrity
-
Integrity is a security service that ensures that modifications to data
are detectable.
- Inter-domain accounting
-
Inter-domain accounting involves the collection of information on resource
usage of an entity within an administrative domain, for use within another
administrative domain. In inter-domain accounting, accounting packets and
session records will typically cross administrative boundaries.
- Interim accounting
-
An interim accounting message provides a snapshot of usage during a user's
session. It is typically implemented in order to provide for partial
accounting of a user's session in the event of a device reboot or other
network problem that prevents the reception of a session summary packet or
session record. Interim accounting packets can always be
summarized without the loss of information.
- Internet Assigned Numbers Authority (IANA)
-
Based at the University of Southern California's Information Sciences
Institute, IANA is in charge of all "unique parameters" on the Internet,
including IP (Internet Protocol) addresses. The IANA is chartered by the
Internet Society (ISOC) to act as the clearinghouse to assign and
coordinate the use of numerous Internet protocol parameters.
The Internet Assigned Numbers Authority can be found at
http://www.iana.org/.
- Internet-Drafts
-
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.
Internet-Drafts are not an archival document series. These documents
should not be cited or quoted in any formal document. Unrevised documents
placed in the Internet-Drafts directories have a maximum life of six
months. After that time, they must be updated, or they will be
deleted.
Internet drafts can be found at
http://www.ietf.org/internet-drafts/.
- Internet Engineering Task Force (IETF)
-
The Internet Engineering Task Force (IETF) is a large open international
community of network designers, operators, vendors, and researchers
concerned with the evolution of the Internet architecture and the smooth
operation of the Internet. It is open to any interested individual.
The IETF is the protocol engineering and development arm of the Internet.
Though it existed informally for some time, the group was formally
established by the IAB in 1986 with Phill Gross as the first Chair.
The actual technical work of the IETF is done in its working groups, which
are organized by topic into several areas (e.g., routing, transport,
security, etc.). Much of the work is handled via mailing lists. The IETF
holds meetings three times per year.
The Internet Engineering Task Force can be found at
http://www.ietf.org/.
- Internet Protocol (IP)
-
The Internet Protocol (IP) is the protocol by which data is sent from one
computer to another on the Internet. Each computer on the Internet has at
least one address that uniquely identifies it from all other computers on
the Internet.
IP is a connectionless protocol, which means that there is no established
connection between the end points that are communicating. Each packet that
travels through the Internet is treated as an independent unit of data
without any relation to any other unit of data.
The most widely used version of IP today is Internet Protocol Version 4
(IPv4) and is defined in RFC 791. However, IP Version 6 (IPv6), defined in
RFC 2460 (and several other documents), is also beginning to be supported.
IPv6 provides for much longer addresses and therefore for the possibility
of many more Internet users.
- Internet Protocol Security (IPSec)
-
IPSec (Internet Protocol Security) is a developing standard for security
at the network or packet processing layer of network communication.
Earlier security approaches have inserted security at the application
layer of the communications model. IPSec will be especially useful for
implementing virtual private networks and for remote user access through
dial-up connection to private networks. A big advantage of IPSec is that
security arrangements can be handled without requiring changes to
individual user computers.
- Internet Service Provider (ISP)
-
A provider of Internet access (also Network Service Provider, NSP).
- Intra-domain accounting
-
Intra-domain accounting involves the collection of information on resource
usage within an administrative domain, for use within that domain. In
intra-domain accounting, accounting packets and session records typically
do not cross administrative boundaries.
- Local Domain
-
An administrative domain containing the AAA infrastructure of immediate
interest to a client. Where roaming is implemented the local ISP may be
different from the home ISP.
- Local Proxy
-
A Local Proxy is a AAA server that satisfies the definition of a Proxy,
and exists within the same administrative domain as the network device
(e.g. NAS) that issued the AAA request. Typically, a local proxy will
enforce local policies prior to forwarding responses to the network
devices, and is generally used to multiplex AAA messages from a large
number of network devices.
- Meter
-
A meter is a process which examines a stream of packets on a
communications medium or between a pair of media. The meter records
aggregate counts of packets belonging to flows between communicating
entities. The assignment of packets to flows may be done by executing a
series of rules. Meters can reasonably be implemented in any of three
environments -- dedicated monitors, in routers or in general-purpose
systems.
- Network Access Identifier (NAI)
-
The Network Access Identifier (NAI) is the userID submitted by the client
during network access authentication. In roaming, the purpose of the NAI
is to identify the user as well as to assist in the routing of the
authentication request. NAIs resemble e-mail addresses but may not
necessarily be the same as the user's e-mail address or the userID
submitted in an application layer authentication.
- Network Access Server (NAS)
-
The Network Access Server is a service element that clients dial in order
to get access to the network. In some cases it is also known as a Remote
Access Server (RAS). A Network Access Server is a device which usually has
interfaces both to the backbone and to the telco (POTS or ISDN) and
receives calls from hosts that want to access the backbone by dialup
services. A NAS is e.g. located at an Internet provider's point of
presence to give their customers Internet access.
- Non-Proxy Broker
-
A Routing Broker is occasionally referred to as a Non-Proxy Broker.
- Non-repudiation
-
A security service that provides protection against false denial of
involvement in a communication. Non-repudiation refers to having
undeniable proof that a message has been sent. When an entity repudiates a
communication, stored evidence can be presented to a third party to
resolve the dispute. There are three different kinds of
non-repudiation.
Non-repudiation of origin provides the recipient of the message with
evidence that proves the origin of the message, and thus protects the
recipient against an attempt by the originator to falsely deny sending the
message.
Non-repudiation of receipt provides the originator of the message with
evidence that proves the data was received as addressed, and thus protects
the originator against an attempt by the recipient to falsely deny
receiving the data.
Non-repudiation of commitment assures that neither party can later deny
that they agreed to the information exchanged, and its implied
obligations. The difference between non-repudiation of receipt versus
commitment is important: to agree having received a message is not the
same as agreeing to what that message says.
- Password Authentication Protocol (PAP)
-
PAP is a procedure used by PPP servers to validate a connection request.
PAP is defined in RFC 1334. After a link is established, the requestor
sends a password and an id to the server. The server either validates the
request and sends back an acknowledgement, terminates the connection, or
offers the requestor another chance.
Passwords are sent without encryption and the originator can make repeated
attempts to gain access. For these reasons, a server that supports CHAP
will offer to use that protocol before using PAP.
- Performance Management
-
Measure, predict, and optimize storage system performance over time.
Efficient and cost-effective storage system utilization is accomplished by
monitoring performance indicators such as response times, resource
utilization, demand and contention, and queue lengths. This data can be
used to change the system configuration, balance requests among modules,
change module implementations (e.g., connectivity, distribution,
replication), and plan for future demand.
- Point-to-Point Protocol (PPP)
-
PPP is a serial datalink level protocol that supports IP as well as other
network protocols. PPP has three major states of operation: LCP - Link
layer Control Protocol, Authentication - PAP, CHAP or EAP and NCP -
Network layer Control Protocol, which negotiates the network layer
parameters for each of the protocols in use.
- Point Of Presence (POP)
-
A POP is a geographic location of equipment and interconnection to the
network. An ISP typically manages all equipment in a single POP in a
similar manner. POP is also an abbreviation for the Post Office Protocol.
- Property
-
A component of a Usage Event. A Usage Event describing a phone call, for
instance, might have a "duration" Property.
- Proxy
-
A AAA proxy is an entity that acts as both a client and a server. When a
request is received from a client, the proxy acts as a AAA server. When
the same request needs to be forwarded to another AAA entity, the proxy
acts as a AAA client. A proxy can be employed to provide for the routing
of AAA requests.
- Proxy Broker
-
A Proxy Broker is a AAA entity that satisfies the definition of a Broker,
and acts as a Transparent Proxy by acting as the forwarding agent for all
AAA messages between the local ISP and the home domain's AAA servers.
- Rating
-
Rating refers to the process by which charges are assigned to a subscriber
based on the usage of a resource.
- Real-time accounting
-
Real-time accounting involves the processing of information on resource
usage within a defined time window. Time constraints are typically imposed
in order to limit financial risk.
- Replay Attack
-
An attack on an authentication system by recording and replaying
previously sent valid messages (or parts of messages). Any constant
authentication information, such as a password or electronically
transmitted biometric data, can be recorded and used later to forge
messages that appear to be authentic.
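An added example, not part of the original glossary or of RFC 1334, contrasting the two PPP methods described above (CHAP and PAP) and the replay attack just defined. The response computation follows the MD5-CHAP layout of RFC 1994 (MD5 over Identifier, secret and Challenge); the shared secret, the PAP user table and the one-answer-per-challenge bookkeeping are constructed for the illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed sample credentials; a real deployment provisions these per peer.
CHAP_SECRET = b"example-shared-secret"
PAP_USERS = {b"alice": b"correct horse"}   # Peer-ID -> cleartext password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-CHAP response value (RFC 1994): MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP: issues random challenges and checks responses.

    Each challenge is answerable exactly once, so a response captured from the
    link is useless both against its own (consumed) challenge and against any
    later challenge, which carries a fresh random value.
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._identifier = 0
        self._outstanding: dict[int, bytes] = {}   # Identifier -> Challenge Value

    def challenge(self) -> tuple[int, bytes]:
        """Emit a Challenge packet: a new Identifier and 16 random octets."""
        self._identifier = (self._identifier + 1) & 0xFF
        value = secrets.token_bytes(16)
        self._outstanding[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier: int, response: bytes) -> bool:
        """Check a Response packet; the challenge is consumed whatever the outcome."""
        value = self._outstanding.pop(identifier, None)
        if value is None:
            return False   # unknown, expired or already answered Identifier
        expected = chap_response(identifier, self._secret, value)
        return hmac.compare_digest(expected, response)


def pap_verify(peer_id: bytes, password: bytes) -> bool:
    """PAP: the peer sends Peer-ID and Password in the clear; the server compares."""
    stored = PAP_USERS.get(peer_id)
    return stored is not None and hmac.compare_digest(stored, password)


def run_chap_exchange(server: ChapAuthenticator, peer_secret: bytes) -> tuple[bool, bool]:
    """One CHAP round trip, then the captured Response re-sent unchanged.

    Returns (accepted_first_time, accepted_when_replayed).
    """
    ident, value = server.challenge()                       # server -> peer
    response = chap_response(ident, peer_secret, value)     # peer -> server
    first = server.verify(ident, response)
    server.challenge()                                      # link is re-challenged later
    replayed = server.verify(ident, response)               # same bytes as seen on the wire
    return first, replayed


def run_pap_exchange() -> tuple[bool, bool]:
    """The PAP equivalent: the credential is constant, so it verifies every time."""
    captured = (b"alice", b"correct horse")   # exactly what an observer of the link sees
    return pap_verify(*captured), pap_verify(*captured)


if __name__ == "__main__":
    print("CHAP (first, replay):", run_chap_exchange(ChapAuthenticator(CHAP_SECRET), CHAP_SECRET))
    print("PAP  (first, replay):", run_pap_exchange())
```

The CHAP exchange yields (True, False) while the PAP exchange yields (True, True), which is the difference the CHAP entry above describes.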
- Repudiation
-
Denial by a system entity that was involved in an association (especially
an association that transfers information) of having participated in the
relationship.
- Request for comments (RFC)
-
The Requests for Comments (RFCs) form a series of notes, started in 1969,
about the Internet (originally the ARPANET). The notes discuss many
aspects of computer communication, focusing on networking protocols,
procedures, programs, and concepts but also including meeting notes,
opinion, and sometimes humor.
RFCs are available at
http://www.ietf.org/rfc/.
- Resource Reservation Protocol (RSVP)
-
RSVP is a network control protocol that will allow Internet applications
to obtain special qualities-of-service for their data flows. This will
generally require reserving resources along the data path(s). RSVP is a
component of the future "integrated services" Internet, which will provide
both best-effort and real-time qualities of service. When an application
in a host requests a specific QoS for its data stream, RSVP is used to
deliver the request to each router along the path(s) of the data stream
and to maintain router and host state to provide the requested service.
- Roaming Capability
-
Roaming capability can be loosely defined as the ability to use any one of
multiple Internet service providers (ISPs), while maintaining a formal,
customer-vendor relationship with only one. Examples of cases where
roaming capability might be required include ISP "confederations" and ISP-
provided corporate network access support.
- Roaming relationships
-
Roaming relationships include relationships between companies and ISPs,
relationships among peer ISPs within a roaming association, and
relationships between an ISP and a roaming consortium. Together, the set of
relationships forming a path between a local ISP's authentication proxy
and the home authentication server is known as the roaming relationship
path.
- Routing Broker
-
A Routing Broker is a AAA entity that satisfies the definition of a
Broker, but is NOT in the transmission path of AAA messages between the
local ISP and the home domain's AAA servers. When a request is received by
a Routing Broker, information is returned to the AAA requestor that
includes the information necessary for it to be able to contact the Home
AAA server directly. Certain organizations providing Routing Broker
services MAY also act as a Certificate Authority, which allows the Routing
Broker to return the certificates necessary for the local ISP and the home
AAA servers to communicate securely.
- Scalability
-
Scalability is the ability of a computer application or product to
continue to function well as it (or its context) is changed in size or
volume. Typically, the rescaling is to a larger size or volume.
- Secure Sockets Layer (SSL)
-
SSL is an application layer protocol created by Netscape for managing the
security of message transmissions in a network. SSL uses the
public-and-private key encryption system from RSA, which also includes the
use of a digital certificate.
- Service
-
A type of task that is performed by a Service Element for a Service
Consumer (client). A Service is the actual product that a customer uses,
such as a POTS line, cellular line, T1 or TCP/IP connection.
- Service Consumer
-
Client of a Service Element. End-user of a network service.
- Service Definition
-
A specification for a particular service. It is composed of a name or
other identifier, versioning information, and a collection of Properties.
- Service Element
-
A network element that provides a service to Service Consumers. Examples
include RAS servers, voice and fax gateways, conference bridges.
- Service Usage Record (SUR)
-
A SUR is a subset of data that describes the usage of a service by a
subscriber. SUR formats may be added to the system to support the capture
of usage for new services.
- Session
-
Each service provided by a service element to a client constitutes a
session, with the beginning of the session defined as the point where
service is first provided and the end of the session defined as the point
where service is ended.
- Session record
-
A session record represents a summary of the resource consumption of a
user over the entire session. Accounting gateways creating the session
record may do so by processing interim accounting events or accounting
events from several devices serving the same user.
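An added worked example, not taken from the cited drafts, of the session record construction described above, which also illustrates the Interim accounting and Archival accounting entries (using interim snapshots to reconstruct a session whose stop packet was lost). The event format, the cumulative-counter convention and the sample events are constructed for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class AcctEvent:
    """One accounting packet as a NAS emits it (constructed sample format)."""
    session_id: str
    device: str          # the NAS that produced the packet
    kind: str            # "start", "interim" or "stop"
    timestamp: int       # seconds; constructed values below
    octets_in: int = 0   # cumulative since the device began serving the session
    octets_out: int = 0


@dataclass
class SessionRecord:
    session_id: str
    start: int
    end: int
    octets_in: int
    octets_out: int
    complete: bool       # False when some device's stop packet never arrived


def summarize(events: list[AcctEvent]) -> dict[str, SessionRecord]:
    """Fold start/interim/stop packets into one session record per session.

    Counters are cumulative per device, so each device's highest reading is its
    total (a packet delivered twice therefore cannot double count), and devices
    serving the same session are summed.  When a device rebooted before sending
    its stop, the record is built from the interim snapshots and marked
    incomplete instead of being dropped.
    """
    by_session: dict[str, list[AcctEvent]] = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        by_session.setdefault(ev.session_id, []).append(ev)

    records: dict[str, SessionRecord] = {}
    for sid, evs in by_session.items():
        devices = {e.device for e in evs}
        stopped = {e.device for e in evs if e.kind == "stop"}
        starts = [e.timestamp for e in evs if e.kind == "start"]
        complete = bool(starts) and stopped == devices
        records[sid] = SessionRecord(
            session_id=sid,
            start=min(starts) if starts else evs[0].timestamp,
            # With every stop present the latest stop ends the session; otherwise
            # the last packet seen is the best available evidence of its end.
            end=max(e.timestamp for e in evs if e.kind == "stop") if complete else evs[-1].timestamp,
            octets_in=sum(max(e.octets_in for e in evs if e.device == d) for d in devices),
            octets_out=sum(max(e.octets_out for e in evs if e.device == d) for d in devices),
            complete=complete,
        )
    return records


def sample_events() -> list[AcctEvent]:
    """Constructed traffic: S1 is a clean single-device session whose first
    interim packet was delivered twice; S2 is served by two devices, and nas1
    rebooted before sending its stop."""
    return [
        AcctEvent("S1", "nas1", "start", 1000),
        AcctEvent("S1", "nas1", "interim", 1300, 5000, 20000),
        AcctEvent("S1", "nas1", "interim", 1600, 9000, 41000),
        AcctEvent("S1", "nas1", "stop", 1900, 12000, 50000),
        AcctEvent("S1", "nas1", "interim", 1300, 5000, 20000),   # duplicate delivery
        AcctEvent("S2", "nas1", "start", 2000),
        AcctEvent("S2", "nas2", "start", 2010),
        AcctEvent("S2", "nas1", "interim", 2300, 100, 200),
        AcctEvent("S2", "nas2", "interim", 2300, 50, 80),
        AcctEvent("S2", "nas1", "interim", 2600, 300, 500),      # last word from nas1
        AcctEvent("S2", "nas2", "stop", 2700, 70, 100),
    ]


if __name__ == "__main__":
    for rec in summarize(sample_events()).values():
        print(rec)
```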
- Simple Network Management Protocol (SNMP)
-
SNMP is the protocol governing network management and the monitoring of
network devices and their functions. It is not necessarily limited to
TCP/IP networks. SNMP uses ASN.1 for encoding of messages. SNMP is not as
simple as the name suggests. SNMP is defined in a great number of RFCs
and is extended with MIBs (Management Information Bases) for new devices
and systems.
- Subscriber
-
A Subscriber is an individual or company that is uniquely identified
within the system as a user of services. This could be a cellular phone
subscriber, a user of Internet services, etc.
- Transmission Control Protocol (TCP)
-
TCP is a protocol atop IP used to send data over the Internet. TCP is a
connection-oriented protocol, which means that a connection is established
and maintained until such time as the message or messages to be exchanged
by the application programs at each end have been exchanged. TCP is
responsible for ensuring that a message is divided into the packets that
IP manages and for reassembling the packets back into the complete message
at the other end. The Transmission Control Protocol is defined in RFC 793.
- Transparent Proxy
-
A Transparent Proxy is a AAA server that satisfies the definition of a
Proxy, but does not enforce any local policies (meaning that it does not
add, delete or modify attributes or modify information within messages it
forwards).
- Usage Event
-
The description of an instance of service usage.
- User Datagram Protocol (UDP)
-
UDP is defined in RFC 768. UDP offers a limited amount of service on top of
IP and provides a procedure for application programs to send messages
to other programs with a minimum of protocol mechanism. The protocol is
transaction oriented, and delivery and duplicate protection are not
guaranteed.
UDP provides two services not provided by the IP layer. It provides port
numbers to help distinguish different user requests and, optionally, a
checksum capability to verify that the data arrived intact.
- Usage sensitive billing
-
A billing process that depends on usage information to prepare an invoice
can be said to be usage-sensitive. In contrast, a process that is
independent of usage information is said to be non-usage-sensitive.
- Virtual Private Network (VPN)
-
A term for networks that appear to be private to the user by the use of
tunneling techniques.
Sources:
- B. Aboba, J. Arkko, D. Herrington, "Introduction to Accounting
Management", Internet draft (work in progress), draft-ietf-aaa-acct-01,
March 2000.
- N. Brownlee, A. Blount, "Accounting Attributes and Record Formats",
Internet draft (work in progress),
draft-ietf-aaa-accounting-attributes-0.txt, January 2000.
- B. Aboba, P. R. Calhoun, S. M. Glass, T. Hiller, P. McCann, H. Shiino,
G. Zorn, G. Dommety, C. Perkins, B. Patil, D. Mitton, S. Manning, M. Beadles,
P. Walsh, X. Chen, T. Ayaki, S. Sivalingham, A. Hameed, M. Munson, S.
Jacobs, T. Seki, B. Lim, B. Hirschman, R. Hsu, H. Koo, M. Lipford, Y. Xu, E.
Campbell, S. Baba, E. Jaques, "Criteria for Evaluating AAA Protocols for
Network Access", Internet draft (work in progress),
draft-ietf-aaa-na-reqts-02.txt, February 2000.
- A. Blount, "Accounting Protocol and Record Format Features", Internet
draft (work in progress), draft-blount-acct-service-00.txt, September 1999.
- J. Arkko, "Requirements for Internet-Scale Accounting Management",
Internet draft (work in progress), draft-arkko-acctreq-00.txt, August 1998.
- whatis.com, http://www.whatis.com/
- S. Glass, S. Jacobs, C. Perkins, "Mobile IP Authentication,
Authorization, and Accounting Requirements", Internet draft (work in
progress), draft-ietf-mobileip-aaa-reqs-00.txt, October 1999.
- B. Aboba, J. Vollbrecht, "Proxy Chaining and Policy Implementation in
Roaming", RFC 2607, June 1999.
- C. Rigney, "RADIUS Accounting", RFC 2139, April 1997.
- C. Rigney, A. Rubens, W. Simpson, S. Willens, "Remote Authentication
Dial In User Service (RADIUS)", RFC 2138, January 1997.
- B. Aboba, D. Lidyard, "The Accounting data Interchange Format (ADIF)",
Internet draft (work in progress), draft-ietf-roamops-actng-06.txt, August
1999.
- P. R. Calhoun, G. Zorn, P. Pan, H. Akhtar, "DIAMETER Framework
Document", Internet draft (work in progress),
draft-calhoun-diameter-framework-05.txt, December 1999.
- IETF (The Internet Engineering Task Force) Home Page, http://www.ietf.org/
- and several other (on-line) sources