RFC 2975
SIPPING
IETF 53
Minneapolis, MN
Thursday March 21, 2002
Billing
Non-usage sensitive billing
Does not require usage information
In theory all accounting data can be lost without affecting the billing process.
Usage-sensitive billing
Packet loss = Revenue loss
Billing process may need to conform to financial reporting and legal requirements
An archival accounting approach may be needed.
Auditing
The act of verifying the correctness of a procedure; commonly relies on accounting data
To permit a credible audit, the auditing data collection process must be at least as reliable as the entity being audited.
Cost allocation
Cost allocation models often have profound behavioral and financial impacts.
Due to financial and legal requirements, archival accounting practices are frequently required in this application.
Interim accounting
Useful only when insufficient non-volatile storage is available on the client
Increases accounting traffic; interim interval must be set with care
A well-designed accounting system will not require interim records to transit the wire
Reliable transport
Implies that the receiving transport layer has taken responsibility for delivering the data to the application, but no guarantees!
Application-layer acknowledgement
Tells you that the accounting server has taken responsibility for the data (e.g. written to stable storage)
Failover support
Integrity Protection
Has the data been tampered with?
Replay Protection
Has the data been replayed?
Confidentiality
Can the data be obtained by an eavesdropper?
No error messages
If the RADIUS accounting server is unable to successfully record the accounting packet it MUST NOT send an Accounting-Response acknowledgment to the client.
Can't say "disk failed" or "I'm busy"
Result: the client will retry instead of failing over
Security Issues
Transport security
Each accounting packet is authenticated and integrity protected with the RADIUS shared secret
Authenticator vulnerable to offline dictionary attack
Don't choose a weak password!
No confidentiality
Replay protection is a feature of accounting post-processing, not the wire protocol
Fixes: run over IPsec (RFC 3162)
Object security
No protection against untrusted proxies
Replay Protection
Accounting request authenticator is not a nonce, as in RADIUS authentication!
Only source of liveness in the Accounting packet is the Acct-Session-Id and Event-Timestamp attributes
Identifier is only a single octet, can wrap
Acct-Session-Id MUST be included in Accounting Request, not required to be temporally unique
Event-Timestamp attribute is optional (RFC 2869)
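The points above in code form, as an added example that is not part of the original slides: the Accounting-Request authenticator (RFC 2866) is a keyed MD5 over the packet with no nonce, so a captured packet verifies again unchanged, and duplicate detection has to happen in post-processing using Acct-Session-Id and Event-Timestamp. The shared secret, NAS name, dedup key and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ACCT_STATUS_TYPE, ACCT_SESSION_ID, EVENT_TIMESTAMP = 40, 44, 55
SECRET = b"constructed-shared-secret"  # constructed sample value

def build_request(identifier, attrs, secret):
    """Build an Accounting-Request (code 4) from a list of (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", 4, identifier, 20 + len(body))
    # Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_request(packet, secret):
    """Recompute the authenticator; nothing in it is a per-packet nonce."""
    if len(packet) < 20 or packet[0] != 4:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attrs(packet):
    """Return {type: value} for the attributes after the 20-octet header."""
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attrs

def classify(packet, nas, secret, seen):
    """Post-processing check: 'bad-auth', 'no-liveness', 'duplicate' or 'accepted'."""
    if not verify_request(packet, secret):
        return "bad-auth"
    a = parse_attrs(packet)
    if ACCT_SESSION_ID not in a or EVENT_TIMESTAMP not in a:
        return "no-liveness"  # cannot tell a fresh record from an old one
    key = (nas, a[ACCT_SESSION_ID], a.get(ACCT_STATUS_TYPE), a[EVENT_TIMESTAMP])
    if key in seen:
        return "duplicate"  # replay or retransmission; do not bill twice
    seen.add(key)
    return "accepted"
```

A replayed packet and a legitimate retransmission are byte-identical, so the filter drops both; records without Event-Timestamp are flagged rather than silently accepted.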
Alternatives
SNMP
The most popular accounting method
Supports polling model
Bulk retrieval best handled over TCP
Issues explained in RFC 2975
Alternatives, cont'd
Diameter
Runs over reliable transport
Failover support
Interim accounting
Application layer ACK, error messages
No response bloating
Push or Pull model
Secured via IPsec or TLS
Deployable with untrusted proxies via CMS
Feedback?