[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00 01 02 03 04 RFC 4017

Network Working Group                                    Dorothy Stanley
INTERNET-DRAFT                                                     Agere
Category: Informational                                     Jesse Walker
<draft-walker-ieee802-req-00.txt>                      Intel Corporation
3 February 2004                                            Bernard Aboba
                                                   Microsoft Corporation


               EAP Method Requirements for Wireless LANs

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC 2026.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups.  Note that other groups
may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Copyright Notice

Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

The Draft IEEE 802.11i MAC Security Enhancements Amendment makes use of
IEEE 802.1X which in turn relies on the Extensible Authentication
Protocol (EAP).  This document defines requirements for EAP methods used
in IEEE 802.11 wireless LAN deployments.  The material in this document
has been approved by IEEE 802.11 and it is being presented as an IETF
RFC for informational purposes.











Stanley, et al.               Informational                     [Page 1]

INTERNET-DRAFT         EAP Method Reqts. for WLAN        3 February 2004


1.  Introduction

The Draft IEEE 802.11i MAC Security Enhancements Amendment [IEEE802.11i]
makes use of IEEE 802.1X [IEEE8021X-REV] which in turn relies on the
Extensible Authentication Protocol (EAP), defined in [RFC2284bis].
Deployments of IEEE 802.11 wireless LANs today are based on EAP, and use
several EAP methods, including EAP-TLS [RFC2716], EAP-TTLS [TTLS], PEAP
[PEAP] and EAP-SIM [SIM].  These methods support authentication
credentials that include digital certificates, user-names and passwords,
secure tokens, and SIM secrets.

This document defines requirements for EAP methods used in IEEE 802.11
wireless LAN deployments.

1.1.  Requirements specification

In this document, several words are used to signify the requirements of
the specification.  These words are often capitalized. The key words
"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD
NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
interpreted as described in [RFC2119].

An EAP authentication method is not compliant with this specification if
it fails to satisfy one or more of the MUST or MUST NOT requirements.
An EAP authentication method that satisfies all the MUST, MUST NOT,
SHOULD and SHOULD NOT requirements is said to be "unconditionally
compliant"; one that satisfies all the MUST and MUST NOT requirements
but not all the SHOULD or SHOULD NOT requirements is said to be
"conditionally compliant".

2.  Method requirements

2.1.  Credential types

The Draft IEEE 802.11i MAC Security Enhancements Amendment requires that
EAP authentication methods are available.  Wireless LAN deployments are
expected to use different credentials types, including digital
certificates, user-names and passwords, existing secure tokens, and
mobile network credentials (GSM and UMTS secrets).  Other credential
types that may be used include public/private key (without necessarily
requiring certificates), and asymmetric credential support (password on
one side, public/private key on the other).

2.2.  Mandatory requirements

EAP authentication methods suitable for use in wireless LAN
authentication MUST satisfy the following criteria:




Stanley, et al.               Informational                     [Page 2]

INTERNET-DRAFT         EAP Method Reqts. for WLAN        3 February 2004


[1]  Generation of keying material.  This corresponds to the "Key
     derivation" security claim defined in [RFC2284bis], Section 7.2.1.

[2]  Mutual authentication support.  This corresponds to the "Mutual
     authentication" security claim defined in [RFC2284bis], Section
     7.2.1.

[3]  Synchronization of state.  This corresponds to the "Protected
     result indication" security claim defined in [RFC2284bis], Section
     7.2.1.

[4]  Resistance to dictionary attacks.  This corresponds to the
     "Dictionary attack resistance" security claim defined in
     [RFC2284bis], Section 7.2.1.

[5]  Protection against man-in-the-middle attacks.  This corresponds to
     the "Cryptographic binding", "Integrity Protection", "Replay
     protection", and "Session Independence" security claims defined in
     [RFC2284bis], Section 7.2.1.

[6]  Protected ciphersuite negotiation.  If the method negotiates the
     ciphersuite used to protect the EAP conversation, then it MUST
     support the "Protected ciphersuite negotiation" security claim
     defined in [RFC2284bis], Section 7.2.1.

[7]  Key strength.  An EAP method suitable for use with IEEE 802.11 MUST
     be capable of generating keying material with 128-bits of effective
     key strength, as defined in [RFC2284bis] Section 7.2.1.  As noted
     in [RFC2284bis] Section 7.10, an EAP method supporting key
     derivation MUST export a Master Session Key (MSK) of at least 64
     octets, and an Extended Master Session Key (EMSK) of at least 64
     octets.

2.3.  Recommended requirements

EAP authentication methods used for wireless LAN authentication SHOULD
support the following features:

[8]  Fragmentation.  [RFC2284bis] Section 3.1 states: "EAP methods can
     assume a minimum EAP MTU of 1020 octets, in the absence of other
     information.  EAP methods SHOULD include support for fragmentation
     and reassembly if their payloads can be larger than this minimum
     EAP MTU."  This implies support for the "Fragmentation" claim
     defined in [RFC2284bis], Section 7.2.1.







Stanley, et al.               Informational                     [Page 3]

INTERNET-DRAFT         EAP Method Reqts. for WLAN        3 February 2004


2.4.  Optional features

EAP authentication methods used for wireless LAN authentication MAY
support the following features:

[9]  Channel binding.  This corresponds to the "Channel binding"
     security claim defined in [RFC2284bis], Section 7.2.1.

[10] End-user identity hiding.  This corresponds to the
     "Confidentiality" security claim defined in [RFC2284bis], Section
     7.2.1.

[11] Fast reconnect.  This corresponds to the "Fast reconnect" security
     claim defined in [RFC2284bis], Section 7.2.1.

2.5.  Non-compliant EAP authentication methods

EAP-MD5-Challenge (the current mandatory-to-implement EAP authentication
method), is defined in [RFC2284bis] Section 5.4.  EAP-MD5-Challenge and
two EAP authentication methods defined in [RFC2284bis], One-Time
Password (Section 5.5) and Generic Token Card (Section 5.6), are non-
compliant with the requirements defined in this document.

3.  References

3.1.  Normative References

[RFC2119]      Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", RFC 2119, March, 1997.

[RFC2284bis]   Blunk, L. , et al., "Extensible Authentication Protocol
               (EAP)", draft-ietf-eap-rfc2284bis-08.txt, Internet-Draft
               (work in progress), February 2004.

3.2.  Informative References

[RFC2716]      Aboba, B. and D. Simon, "PPP EAP TLS Authentication
               Protocol", RFC 2716, October 1999.

[PEAP]         Palekar, A., et al., "Protected EAP Protocol (PEAP)",
               draft-josefsson-pppext-eap-tls-eap-07.txt, Internet draft
               (work in progress), November 2003.

[TTLS]         Funk, P. and S. Blake-Wilson, "EAP Tunneled TLS
               Authentication Protocol (EAP-TTLS)", draft-ietf-pppext-
               eap-ttls-03.txt, August 2003.





Stanley, et al.               Informational                     [Page 4]

INTERNET-DRAFT         EAP Method Reqts. for WLAN        3 February 2004


[EAPSIM]       Haverinen, H. and J. Salowey, "EAP SIM Authentication",
               draft-haverinen-pppext-eap-sim-12.txt, Internet draft
               (work in progress), October 2003.

[IEEE802]      IEEE Standards for Local and Metropolitan Area Networks:
               Overview and Architecture, ANSI/IEEE Std 802, 1990.

[802.11]       Information technology - Telecommunications and
               information exchange between systems - Local and
               metropolitan area networks - Specific Requirements Part
               11:  Wireless LAN Medium Access Control (MAC) and
               Physical Layer (PHY) Specifications, IEEE Std.
               802.11-1999, 1999.

[IEEE8021X-REV]
               IEEE Standards for Local and Metropolitan Area Networks:
               Port based Network Access Control, IEEE Std 802.1X-REV,
               Draft 8, December 2003.

[IEEE802.11i]  Institute of Electrical and Electronics Engineers,
               "Unapproved Draft Supplement to Standard for
               Telecommunications and Information Exchange Between
               Systems - LAN/MAN Specific Requirements - Part 11:
               Wireless LAN Medium Access Control (MAC) and Physical
               Layer (PHY) Specifications: Specification for Enhanced
               Security", IEEE Draft 802.11i (work in progress), 2003.

Acknowledgments

The authors would like to acknowledge members of the IEEE 802.11i task
group, including David Nelson of Enterasys Networks and Clint Chaplin of
Symbol Technologies for contributions to this document.

Authors' Addresses

Dorothy Stanley
Agere Systems
2000 North Naperville Rd.
Naperville, IL 60566

EMail: dstanley@agere.com
Phone: +1 630 979 1572

Jesse R. Walker
Intel Corporation
2111 N.E. 25th Avenue
Hillsboro, OR  97214




Stanley, et al.               Informational                     [Page 5]

INTERNET-DRAFT         EAP Method Reqts. for WLAN        3 February 2004


EMail: jesse.walker@intel.com

Bernard Aboba
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

EMail: bernarda@microsoft.com
Phone: +1 425 706 6605
Fax:   +1 425 936 7329

Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to  pertain
to the implementation or use of the technology described in this
document or the extent to which any license under such rights might or
might not be available; neither does it represent that it has made any
effort to identify any such rights.  Information on the IETF's
procedures with respect to rights in standards-track and standards-
related documentation can be found in BCP-11.  Copies of claims of
rights made available for publication and any assurances of licenses to
be made available, or the result of an attempt made to obtain a general
license or permission for the use of such proprietary rights by
implementors or users of this specification can be obtained from the
IETF Secretariat.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary rights
which may cover technology that may be required to practice this
standard.  Please address the information to the IETF Executive
Director.

Full Copyright Statement

Copyright (C) The Internet Society (2004).  All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it or
assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are included
on all such copies and derivative works.  However, this document itself
may not be modified in any way, such as by removing the copyright notice
or references to the Internet Society or other Internet organizations,
except as needed for the purpose of developing Internet standards in
which case the procedures for copyrights defined in the Internet
Standards process must be followed, or as required to translate it into
languages other than English.  The limited permissions granted above are



Stanley, et al.               Informational                     [Page 6]

INTERNET-DRAFT         EAP Method Reqts. for WLAN        3 February 2004


perpetual and will not be revoked by the Internet Society or its
successors or assigns.  This document and the information contained
herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Expiration Date

This memo is filed as <draft-walker-ieee802-req-00.txt>,  and  expires
August 22, 2004.







































Stanley, et al.               Informational                     [Page 7]


Html markup produced by rfcmarkup 1.107, available from http://tools.ietf.org/tools/rfcmarkup/