AAA Frequently Used Terms (working draft)

This document defines several terms frequently used in AAA-related documents. These terms are used in most documents on these pages. Different research groups and organisations may use different definitions, so these definitions are probably not globally accepted.

AAA
Authentication, Authorization, and Accounting. The three primary services required by a NAS server or protocol. All three services are logically independent and may be separately implemented with the output of each used as the input of the next.

AAA Server
An AAA Server is a server or servers that provide authentication, authorization and accounting services. These may be co-located with the NAS, or more typically, are located on a separate server and communicate with the NAS's User Management Interface via an AAA protocol. The AAA functions may be located on a single server, or may be broken up among multiple servers.

Accounting
The act of collecting information on resource usage for the purpose of capacity and trend analysis, cost allocation, auditing and billing. Accounting management requires that resource consumption be measured, rated, assigned, and communicated between appropriate parties. Typical information that is gathered in accounting is the identity of the user, the nature of the service delivered, when the service began, and when it ended.

Accounting Attributes
Quantities which can be measured and reported.

Accounting Management
Record resource usage and enforce resource usage policy. Accounting Management provides the mechanisms to charge accounts for resource usage and to deny storage resources to overdrawn accounts. Charges may be incurred for the use of any storage system resource, including such typical resources as bytes stored, data transferred, volumes mounted, and desired quality of service.
Accounting management requires that resource consumption be measured, rated, assigned, and communicated between appropriate parties.

Accounting Protocol
A protocol used to convey data for accounting purposes.

Accounting Server
A network element that accepts Usage Events from Service Elements. It acts as an interface to back-end rating and billing systems. The accounting server receives accounting data from devices and translates it into session records. The accounting server may also take responsibility for the routing of session records to interested parties.

Administrative Domain
An intranet, or a collection of networks, computers, and databases under a common administration. Computer entities operating in a common administration may be assumed to share administratively created security associations.

Archival accounting
In archival accounting, the goal is to collect all accounting data, to reconstruct missing entries as best as possible in the event of data loss, and to archive data for a mandated time period. Legal or financial requirements frequently mandate archival accounting practices, and may often dictate that data be kept confidential, regardless of whether it is to be used for billing purposes or not.

A node designed to provide the service interface between a client and the local domain (service element).

Authentication
The act of verifying a claimed identity, in the form of a pre-existing label from a mutually known name space, as the originator of a message (message authentication) or as the end-point of a channel (entity authentication).
The authentication process may also establish the entity's attributes (e.g., role, security label, group membership, etc.).
Authentication is accomplished via the presentation of an identity and credentials. Examples of types of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).

Authorization
Authorization refers to the granting of specific types of service (including "no service") to a user, based on their authentication, what services they are requesting, and the current system state. Authorization may be based on restrictions, for example time-of-day restrictions, physical location restrictions, credit limit or restrictions against multiple logins by the same user. Authorization determines the nature of the service which is granted to a user and may provide restrictions to the given service.

Attribute-Value-Pair (AVP)
A representation for a Usage Attribute consisting of the name of the Attribute and a value.

Auditing
The act of verifying the correctness of a procedure. In order to be able to conduct an audit it is necessary to be able to definitively determine what procedures were actually carried out so as to be able to compare this to the recommended process. Accomplishing this may require security services such as authentication and integrity protection.
Auditing refers to the tracking of activity by users. The purpose of auditing is to determine the nature of a user's network activity. It is generally done by checking usage against some policy.
Auditing also refers to the checking of the billing process, where the procedure of billing is checked.

Batch Accounting
Batch accounting refers to accounting information that is saved until it is delivered at a later time. This generally reduces the overhead of transporting accounting information.

Billing
The act of preparing an invoice.

Broker
An intermediary agent, trusted by two other AAA servers, able to obtain and provide security services from those AAA servers. For instance, a broker may obtain and provide authorizations, or assurances that credentials are valid.

Call Accounting
A call accounting system is an application that captures and records telephone call data placed to and from your telephone system. This data can then be organized into various reports that can be analyzed by your management team. Call data includes the extension from which the call originated, the number dialed, whether the call was a local or toll call, the city and state associated with the number dialed, the date and time the call was placed, the duration of the call, the circuit the call was routed over, and if applicable, the account code identifying which client or project you wish to correlate the call to. Caller ID information is also provided, if the telephone system supports it.

Challenge-Handshake Authentication Protocol (CHAP)
CHAP is a more secure procedure for connecting to a system with PPP. CHAP is defined in RFC 1334. After the link is made, the server sends a challenge message to the connection requestor. The requestor responds with a value obtained by using a one-way hash function. The server checks the response by comparing it to its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection is usually terminated. At any time, the server can request the connected party to send a new challenge message. Because CHAP identifiers are changed frequently and because authentication can be requested by the server at any time, CHAP provides more security than PAP.
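The challenge/response check described above, as an added example that is not part of the original glossary. It uses the CHAP response calculation (MD5 over the identifier, the shared secret and the challenge); the Authenticator class, the user name and the shared secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value: MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side of the exchange (hypothetical helper, not a real API)."""

    def __init__(self, secrets: dict):
        self._secrets = secrets      # user name -> shared secret
        self._next_id = 0
        self._pending = {}           # identifier -> outstanding challenge

    def new_challenge(self):
        """Issue a fresh random challenge under a new identifier."""
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """Compare the peer's response with the server's own calculation."""
        # Each challenge is accepted once; pop() removes it from the table.
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def demo():
    """Run one legitimate login, two replays of it, and a re-authentication."""
    secret = b"constructed-shared-secret"          # constructed sample value
    auth = Authenticator({"alice": secret})

    ident, chal = auth.new_challenge()
    captured = chap_response(ident, secret, chal)  # what an eavesdropper sees
    first = auth.verify("alice", ident, captured)

    # Replaying the captured response against the same identifier fails,
    # because the challenge it answered has already been consumed.
    replay_same = auth.verify("alice", ident, captured)

    # Replaying it against a new challenge fails, because the expected hash
    # now covers a different identifier and different random bytes.
    ident2, _ = auth.new_challenge()
    replay_fresh = auth.verify("alice", ident2, captured)

    # The legitimate peer, who knows the secret, answers a later challenge.
    ident3, chal3 = auth.new_challenge()
    reauth = auth.verify("alice", ident3, chap_response(ident3, secret, chal3))

    return first, replay_same, replay_fresh, reauth


if __name__ == "__main__":
    print(demo())
```

The secret itself never crosses the link, which is the contrast with PAP; the captured response is only useful against the one challenge it answered.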

Client
A node wishing to obtain service from a service element within an administrative domain.

Confidentiality
The protection of information so that someone not authorized to access the information cannot read the information even though the unauthorized person might see the information's container (e.g., computer file or network packet).

Cost Allocation
The act of allocating costs between entities. Note that cost allocation and rating are fundamentally different processes. In cost allocation the objective is typically to allocate a known cost among several entities. In rating the objective is to determine the amount owed. In cost allocation, the cost per unit of resource may need to be determined; in rating, this is typically a given.

Device Monitoring
Device monitoring refers to the tracking of status, activity, and usage of a Service Element as a network device.

Encryption
Encryption is a security mechanism used to transform data from an intelligible form (plaintext) into an unintelligible form (ciphertext), to provide confidentiality. The inverse transformation process is designated "decryption". Oftentimes the term "encryption" is used to generically refer to both processes.

End-to-End Security
End-to-End is the security model that requires that security information be able to traverse, and be validated, even when an AAA message is processed by intermediate nodes such as proxies, brokers, etc.

Finite sessions
Service-usage in which a session begins at a certain time and ends at a later time.

Foreign Domain
An administrative domain, visited by a Mobile IP client, and containing the AAA infrastructure needed to carry out the necessary operations enabling Mobile IP registrations. From the point of view of the foreign agent, the foreign domain is the local domain.

Home Domain
The administrative domain where the user has an account. This is the Internet service provider or corporate network with whom the user maintains an account relationship.
An administrative domain, containing the network whose prefix matches that of a mobile node's home address, and containing the AAA infrastructure needed to carry out the necessary operations enabling Mobile IP registrations. From the point of view of the home agent, the home domain is the local domain.

Hop-by-hop Security
Hop-by-hop is the security model that requires that each direct set of peers in a proxy network share a security association, and the security information does not traverse an AAA entity.

Hypertext Transfer Protocol (HTTP)
HTTP is a protocol for exchanging files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. Relative to the TCP/IP suite of protocols (which are the basis for information exchange on the Internet), HTTP is an application protocol.
Essential concepts that are part of HTTP include (as its name implies) the idea that files can contain references to other files whose selection will elicit additional transfer requests. The latest version of HTTP is HTTP 1.1 and is defined in RFC 2068.

Indivisible events
An event that has no distinguishable length, such as a single HTTP request. Some services consist of a lot of indivisible events. Indivisible events can be simulated with a start and a stop message, but this is clumsy.

Infinite sessions
Services which are turned on at one time (such as when you order some web space from a server), continue for possibly a very long time, and might, but need not, be terminated later.

Integrated Services Digital Network (ISDN)
Integrated Services Digital Network is a telephone network facility for transmitting digital and analog information over a digital network connection.

Integrity
Integrity is a security service that ensures that modifications to data are detectable.

Inter-domain accounting
Inter-domain accounting involves the collection of information on resource usage of an entity within an administrative domain, for use within another administrative domain. In inter-domain accounting, accounting packets and session records will typically cross administrative boundaries.

Interim accounting
An interim accounting message provides a snapshot of usage during a user's session. It is typically implemented in order to provide for partial accounting of a user's session in the event of a device reboot or other network problem that prevents the reception of a session summary packet or session record. Interim accounting packets can always be summarized without the loss of information.

Internet Assigned Numbers Authority (IANA)
Based at the University of Southern California's Information Sciences Institute, IANA is in charge of all "unique parameters" on the Internet, including IP (Internet Protocol) addresses. The IANA is chartered by the Internet Society (ISOC) to act as the clearinghouse to assign and coordinate the use of numerous Internet protocol parameters.
The Internet Assigned Numbers Authority can be found at

Internet-Drafts
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are not an archival document series. These documents should not be cited or quoted in any formal document. Unrevised documents placed in the Internet-Drafts directories have a maximum life of six months. After that time, they must be updated, or they will be deleted.
Internet drafts can be found at

Internet Engineering Task Force (IETF)
The Internet Engineering Task Force (IETF) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual.
The IETF is the protocol engineering and development arm of the Internet. Though it existed informally for some time, the group was formally established by the IAB in 1986 with Phil Gross as the first Chair.
The actual technical work of the IETF is done in its working groups, which are organized by topic into several areas (e.g., routing, transport, security, etc.). Much of the work is handled via mailing lists. The IETF holds meetings three times per year.
The Internet Engineering Task Force can be found at

Internet Protocol (IP)
The Internet Protocol (IP) is the protocol by which data is sent from one computer to another on the Internet. Each computer on the Internet has at least one address that uniquely identifies it from all other computers on the Internet.
IP is a connectionless protocol, which means that there is no established connection between the end points that are communicating. Each packet that travels through the Internet is treated as an independent unit of data without any relation to any other unit of data.
The most widely used version of IP today is Internet Protocol Version 4 (IPv4) and is defined in RFC 791. However, IP Version 6 (IPv6), defined in RFC 2460 (and several other documents), is also beginning to be supported. IPv6 provides for much longer addresses and therefore for the possibility of many more Internet users.

Internet Protocol Security (IPSec)
IPSec (Internet Protocol Security) is a developing standard for security at the network or packet processing layer of network communication. Earlier security approaches have inserted security at the application layer of the communications model. IPSec will be especially useful for implementing virtual private networks and for remote user access through dial-up connection to private networks. A big advantage of IPSec is that security arrangements can be handled without requiring changes to individual user computers.

Internet Service Provider (ISP)
A provider of Internet access (also Network Service Provider, NSP).

Intra-domain accounting
Intra-domain accounting involves the collection of information on resource usage within an administrative domain, for use within that domain. In intra-domain accounting, accounting packets and session records typically do not cross administrative boundaries.

Local Domain
An administrative domain containing the AAA infrastructure of immediate interest to a client. Where roaming is implemented the local ISP may be different from the home ISP.

Local Proxy
A Local Proxy is a AAA server that satisfies the definition of a Proxy, and exists within the same administrative domain as the network device (e.g. NAS) that issued the AAA request. Typically, a local proxy will enforce local policies prior to forwarding responses to the network devices, and is generally used to multiplex AAA messages from a large number of network devices.

Meter
A meter is a process which examines a stream of packets on a communications medium or between a pair of media. The meter records aggregate counts of packets belonging to flows between communicating entities. The assignment of packets to flows may be done by executing a series of rules. Meters can reasonably be implemented in any of three environments: dedicated monitors, in routers or in general-purpose systems.

Network Access Identifier (NAI)
The Network Access Identifier (NAI) is the userID submitted by the client during network access authentication. In roaming, the purpose of the NAI is to identify the user as well as to assist in the routing of the authentication request. NAIs resemble e-mail addresses but may not necessarily be the same as the user's e-mail address or the userID submitted in an application layer authentication.

Network Access Server (NAS)
The Network Access Server is a service element that clients dial in order to get access to the network. In some cases it is also known as a Remote Access Server (RAS). A Network Access Server is a device which usually has interfaces both to the backbone and to the telco (POTS or ISDN) and receives calls from hosts that want to access the backbone by dialup services. A NAS is, for example, located at an Internet provider's point of presence to give their customers Internet access.

Non-Proxy Broker
A Routing Broker is occasionally referred to as a Non-Proxy Broker.

Non-repudiation
A security service that provides protection against false denial of involvement in a communication. Non-repudiation refers to having undeniable proof that a message has been sent. When an entity repudiates a communication, stored evidence can be presented to a third party to resolve the dispute. There are three different kinds of non-repudiation.
Non-repudiation of origin provides the recipient of the message with evidence that proves the origin of the message, and thus protects the recipient against an attempt by the originator to falsely deny sending the message.
Non-repudiation of receipt provides the originator of the message with evidence that proves the data was received as addressed, and thus protects the originator against an attempt by the recipient to falsely deny receiving the data.
Non-repudiation of commitment assures that neither party can later deny that they agreed to the information exchanged, and its implied obligations. The difference between non-repudiation of receipt versus commitment is important: to agree having received a message is not the same as agreeing to what that message says.

Password Authentication Protocol (PAP)
PAP is a procedure used by PPP servers to validate a connection request. PAP is defined in RFC 1334. After a link is established, the requestor sends a password and an id to the server. The server either validates the request and sends back an acknowledgement, terminates the connection, or offers the requestor another chance.
Passwords are sent without encryption and the originator can make repeated attempts to gain access. For these reasons, a server that supports CHAP will offer to use that protocol before using PAP.

Performance Management
Measure, predict, and optimize storage system performance over time. Efficient and cost-effective storage system utilization is accomplished by monitoring performance indicators such as response times, resource utilization, demand and contention, and queue lengths. This data can be used to change the system configuration, balance requests among modules, change module implementations (e.g., connectivity, distribution, replication), and plan for future demand.

Point-to-Point Protocol (PPP)
PPP is a serial datalink level protocol that supports IP as well as other network protocols. PPP has three major states of operation: LCP - Link layer Control Protocol, Authentication - PAP, CHAP or EAP and NCP - Network layer Control Protocol, which negotiates the network layer parameters for each of the protocols in use.

Point Of Presence (POP)
A POP is a geographic location of equipment and interconnection to the network. An ISP typically manages all equipment in a single POP in a similar manner. POP is also the Post Office Protocol.

Property
A component of a Usage Event. A Usage Event describing a phone call, for instance, might have a "duration" Property.

Proxy
A AAA proxy is an entity that acts as both a client and a server. When a request is received from a client, the proxy acts as a AAA server. When the same request needs to be forwarded to another AAA entity, the proxy acts as a AAA client. A proxy can be employed to provide for the routing of AAA requests.

Proxy Broker
A Proxy Broker is a AAA entity that satisfies the definition of a Broker, and acts as a Transparent Proxy by acting as the forwarding agent for all AAA messages between the local ISP and the home domain's AAA servers.

Rating
Rating refers to the process by which charges are assigned to a subscriber based on the usage of a resource.

Real-time accounting
Real-time accounting involves the processing of information on resource usage within a defined time window. Time constraints are typically imposed in order to limit financial risk.

Replay Attack
An attack on an authentication system by recording and replaying previously sent valid messages (or parts of messages). Any constant authentication information, such as a password or electronically transmitted biometric data, can be recorded and used later to forge messages that appear to be authentic.

Repudiation
Denial by a system entity that was involved in an association (especially an association that transfers information) of having participated in the relationship.

Request for comments (RFC)
The Requests for Comments (RFCs) form a series of notes, started in 1969, about the Internet (originally the ARPANET). The notes discuss many aspects of computer communication, focusing on networking protocols, procedures, programs, and concepts but also including meeting notes, opinion, and sometimes humor.
RFCs are available at

Resource Reservation Protocol (RSVP)
RSVP is a network control protocol that will allow Internet applications to obtain special qualities-of-service for their data flows. This will generally require reserving resources along the data path(s). RSVP is a component of the future "integrated services" Internet, which will provide both best-effort and real-time qualities of service. When an application in a host requests a specific QoS for its data stream, RSVP is used to deliver the request to each router along the path(s) of the data stream and to maintain router and host state to provide the requested service.

Roaming Capability
Roaming capability can be loosely defined as the ability to use any one of multiple Internet service providers (ISPs), while maintaining a formal, customer-vendor relationship with only one. Examples of cases where roaming capability might be required include ISP "confederations" and ISP-provided corporate network access support.

Roaming relationships
Roaming relationships include relationships between companies and ISPs, relationships among peer ISPs within a roaming association, and relationships between an ISP and a roaming consortium. Together, the set of relationships forming a path between a local ISP's authentication proxy and the home authentication server is known as the roaming relationship path.

Routing Broker
A Routing Broker is a AAA entity that satisfies the definition of a Broker, but is NOT in the transmission path of AAA messages between the local ISP and the home domain's AAA servers. When a request is received by a Routing Broker, information is returned to the AAA requestor that includes the information necessary for it to be able to contact the Home AAA server directly. Certain organizations providing Routing Broker services MAY also act as a Certificate Authority, which allows the Routing Broker to return the certificates necessary for the local ISP and the home AAA servers to communicate securely.

Scalability
Scalability is the ability of a computer application or product to continue to function well as it (or its context) is changed in size or volume. Typically, the rescaling is to a larger size or volume.

Secure Sockets Layer (SSL)
SSL is an application layer protocol created by Netscape for managing the security of message transmissions in a network. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate.

Service
A type of task that is performed by a Service Element for a Service Consumer (client). A Service is the actual product that a customer uses, such as a POTS line, cellular line, T1 or TCP/IP connection.

Service Consumer
Client of a Service Element. End-user of a network service.

Service Definition
A specification for a particular service. It is composed of a name or other identifier, versioning information, and a collection of Properties.

Service Element
A network element that provides a service to Service Consumers. Examples include RAS servers, voice and fax gateways, conference bridges.

Service Usage Record (SUR)
A SUR is a subset of data that describes the usage of a service by a subscriber. SUR formats may be added to the system to support the capture of usage for new services.

Session
Each service provided by a service element to a client constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended.

Session record
A session record represents a summary of the resource consumption of a user over the entire session. Accounting gateways creating the session record may do so by processing interim accounting events or accounting events from several devices serving the same user.

Simple Network Management Protocol (SNMP)
SNMP is the protocol governing network management and the monitoring of network devices and their functions. It is not necessarily limited to TCP/IP networks. SNMP uses ASN.1 for encoding of messages. SNMP is not as simple as the name suggests. SNMP is defined in a great number of RFCs and is extended with MIBs (Management Information Bases) for new devices and systems.

Subscriber
A Subscriber is an individual or company that is uniquely identified within the system as a user of services. This could be a cellular phone subscriber, a user of Internet services, etc.

Transmission Control Protocol (TCP)
TCP is a protocol on top of IP to send data over the Internet. TCP is a connection-oriented protocol, which means that a connection is established and maintained until such time as the message or messages to be exchanged by the application programs at each end have been exchanged. TCP is responsible for ensuring that a message is divided into the packets that IP manages and for reassembling the packets back into the complete message at the other end. The Transmission Control Protocol is defined in RFC 793.

Transparent Proxy
A Transparent Proxy is a AAA server that satisfies the definition of a Proxy, but does not enforce any local policies (meaning that it does not add, delete or modify attributes or modify information within messages it forwards).

Usage Event
The description of an instance of service usage.

User Datagram Protocol (UDP)
UDP is defined in RFC 768. UDP offers a limited amount of service on top of IP and provides a procedure for application programs to send messages to other programs with a minimum of protocol mechanism. The protocol is transaction oriented, and delivery and duplicate protection are not guaranteed.
UDP provides two services not provided by the IP layer. It provides port numbers to help distinguish different user requests and, optionally, a checksum capability to verify that the data arrived intact.

Usage sensitive billing
A billing process that depends on usage information to prepare an invoice can be said to be usage-sensitive. In contrast, a process that is independent of usage information is said to be non-usage-sensitive.

Virtual Private Network (VPN)
A term for networks that appear to be private to the user by the use of tunneling techniques.



Arthur