Triple-A system

from Wikipedia, the free encyclopedia

Triple-A systems (or AAA systems, AAA for short) are used on a large scale by wired and mobile network operators and Internet service providers. The three As stand for authentication, authorization and accounting of network access by customers (end users).

The triple-A system itself does not take part in the data traffic it controls. It relies on the Internet protocol stack and on the time information generally available in the network to generate authentic event records with event data (pairs of start/stop times).

The primary task of the triple-A system is to control network elements in the transport network, to collect the usage data recorded by those network elements, and to grant or deny access to them. The data that the authenticated customer transmits, on the other hand, is carried by the transport network itself (for example the public, global IP transport network known as the “Internet”).

Server function

Incoming connection requests, calls, requests for IP address assignment and other service requests are processed, answered, rejected and/or forwarded by a central server function for an entire network (e.g. an intranet or VPN) or a cellular network, often many hundreds per second or more.

In the case of temporary Internet access, the Internet service provider must be able to

  • identify its customers (authentication),
  • determine which services are provided to the customer (authorization),
  • and ultimately determine to what extent the services were used (attribution, accounting),

or, to put it simply, answer the questions “who”, “what” and “how much”. (In principle, an AAA server supplies the data for internal allocation to defined accounts, but because it has no pricing scheme or tax scheme, what it produces is evidence of use rather than documentation for billing third parties.)

The ways in which the transport network can be influenced include allowing or denying a connection (authorization: only authorized users are admitted), enabling particular services (for example access only to certain IP addresses) and assigning an IP address to the end customer.

The triple-A system can then grant external systems, such as an e-mail server or a proxy server, access to these internal data structures and return the customer account associated with a given IP address.

Application

Most of the time, the data from triple-A systems is used by time recording systems (personnel time recording) and accounting systems (accounting, billing), and is updated from customer management systems (CRM, customer relationship management).

Identity management servers reference the customer and contract data, or manage the commercial aspects and data of the users or end customers.

Triple-A systems are usually tailored to each application and often serve specific requirements, for example from mobile data communication: authentication via SIM cards, dynamic control of Internet/intranet access (here: within an existing IP session or connection), and the like. Traditional RADIUS systems are often not efficient or flexible enough for this. As part of such custom-made products, a connection to SS7 networks is also possible.

A more recent application of triple-A systems makes use of the fact that such a system keeps a record in its internal data structures of which customers are currently online. The triple-A system authenticated the customer and assigned the customer an IP address. This (IP address, customer) binding is stored until the customer's online session ends, that is, until the network element transmits the usage data at the end of the connection. With RADIUS, it is rather uncommon for usage data to be transmitted during the connection, as the original standard only provided for transmission at the end of the connection.
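A small session store of the kind the two passages above describe (the lookup of a customer account by IP address for external systems, and the (IP, customer) binding that is held until the accounting Stop record arrives). This is an added illustration, not code from the article; subscriber names, passwords, services and addresses are constructed sample data, and times are plain integer seconds.

```python
# Toy triple-A session store (added example, not from the article): authenticate
# the customer, authorize a service, assign an IP, hold the (IP, customer) binding
# until the accounting Stop record arrives, and answer "who holds this IP?" for
# external systems. All subscribers, services and addresses are constructed.
from dataclasses import dataclass

SUBSCRIBERS = {  # credential and authorized services per customer
    "alice": {"password": "s3cret", "services": {"internet", "mail"}},
    "bob": {"password": "hunter2", "services": {"mail"}},
}
POOL = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]   # RFC 5737 documentation range


@dataclass
class Session:
    user: str
    ip: str
    service: str
    start: int          # seconds; the "come" half of the event pair
    stop: int = 0       # seconds; the "go" half, filled in by the Stop record
    octets: int = 0


class TripleA:
    def __init__(self):
        self.online = {}        # ip -> Session for customers currently online
        self.records = []       # closed sessions: the collected usage data
        self.free = list(POOL)  # addresses not currently bound to a customer

    def access_request(self, user, password, service, now):
        """'Who' and 'what': authenticate, authorize, then assign an IP."""
        sub = SUBSCRIBERS.get(user)
        if sub is None or sub["password"] != password:
            return None                      # authentication failed
        if service not in sub["services"] or not self.free:
            return None                      # not authorized, or pool empty
        ip = self.free.pop(0)
        self.online[ip] = Session(user, ip, service, now)
        return ip

    def accounting_stop(self, ip, now, octets):
        """'How much': close the binding and file a (start, stop) record."""
        session = self.online.pop(ip)        # KeyError if nothing is bound
        session.stop, session.octets = now, octets
        self.records.append(session)
        self.free.append(ip)                 # address may be reused only now
        return session.stop - session.start  # session duration in seconds

    def lookup(self, ip):
        """For an external mail or proxy server: who holds this IP right now?"""
        session = self.online.get(ip)
        return session.user if session else None
```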

Context control

In modern triple-A systems, identities are linked with complex access rights (context-related authorization).

Protection and security

A triple-A system is the central element for implementing the goals of data protection and data security, from the point of view of the network operator as well as of its contractual partners. The protocols meet the requirements for ITSEC and TCSEC security certification according to the applicable rules of technology, in particular according to the international standard ISO/IEC 15408 (Common Criteria for Information Technology Security Evaluation).

History

An early application was the then newly emerged “dial-up Internet” service, in which a computer becomes part of the Internet only temporarily, for the duration of a connection, and therefore receives an IP address only for a limited period. This kind of Internet connection, initially regarded as “exotic”, is nowadays absolutely common.

Standards

RADIUS and Diameter, both published by the IETF, are the standard protocols in operational use. The inherent restrictions of RADIUS (in particular, encryption of only a subset of the content) led, among other things, to the development of Diameter. RADIUS is nevertheless still the main choice for local networks. The other well-known alternative, TACACS+, is a proprietary protocol from Cisco Systems, derived from TACACS and XTACACS, which lacks essential features for mobile services.
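The RADIUS restriction mentioned above, worked through as an added example that is not part of the article: RFC 2865 hides only the User-Password attribute (chained XOR with MD5 of the shared secret and the previous block), while the other attributes of an Access-Request, such as User-Name and NAS-IP-Address, travel in clear. The shared secret, request authenticator, user name and address below are constructed sample values.

```python
# RFC 2865 User-Password hiding (added example, not from the article). It shows
# the RADIUS restriction mentioned above: only User-Password is obfuscated (MD5
# of shared secret + previous block, XORed in 16-byte blocks); every other
# attribute is sent in clear. Secret, authenticator and names are constructed.
import hashlib

ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_password(password, secret, authenticator):
    """c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator."""
    assert len(authenticator) == 16 and 1 <= len(password) <= 128
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16n bytes
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: undo the hiding; needs the same shared secret. Trailing NULs
    are padding, so a password that itself ends in NUL bytes is not recoverable."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_attrs(user, password, nas_ip, secret, authenticator):
    """Access-Request attributes as (type, length, value) triples on the wire."""
    items = [
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))),
    ]
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in items)


def parse_attrs(blob):
    """Split the attribute section into {type: value}; no secret is needed, which
    is exactly why everything except type 2 is readable by anyone on the path."""
    attrs, i = {}, 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        attrs[t] = blob[i + 2:i + length]
        i += length
    return attrs
```

In practice this is why RADIUS traffic is confined to trusted local networks or wrapped in IPsec or TLS, whereas Diameter defines transport security for the whole message.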

Proprietary protocols, but also SOAP, LDAP and DNS, are usually used to access this data and these network functions.
