
Network Working Group                                            G. Zorn
Internet-Draft                                      NetCube Technologies
Intended status: Standards Track                        October 16, 2008
Expires: April 19, 2009


   RADIUS Attributes for IEEE 802.16 Privacy Key Management Version 1
                        (PKMv1) Protocol Support
                     draft-zorn-radius-pkmv1-00.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 19, 2009.

Copyright Notice

   Copyright (C) The IETF Trust (2008).

Abstract

   This document defines a set of RADIUS Attributes which are designed
   to provide RADIUS support for IEEE 802.16 Privacy Key Management
   Version 1.







Zorn                     Expires April 19, 2009                 [Page 1]

Internet-Draft         RADIUS Attributes for PKMv1          October 2008


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
     2.1.  Specification of Requirements  . . . . . . . . . . . . . .  3
     2.2.  Acronyms . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Attributes . . . . . . . . . . . . . . . . . . . . . . . . . .  3
     3.1.  PKM-SS-Cert  . . . . . . . . . . . . . . . . . . . . . . .  4
     3.2.  PKM-CA-Cert  . . . . . . . . . . . . . . . . . . . . . . .  4
     3.3.  PKM-Config-Settings  . . . . . . . . . . . . . . . . . . .  5
     3.4.  PKM-Cryptosuite-List . . . . . . . . . . . . . . . . . . .  7
     3.5.  PKM-SAID . . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.6.  PKM-SA-Descriptor  . . . . . . . . . . . . . . . . . . . .  9
     3.7.  PKM-Auth-Key . . . . . . . . . . . . . . . . . . . . . . . 10
   4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
     4.1.  Attributes . . . . . . . . . . . . . . . . . . . . . . . . 11
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
   6.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 11
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 11
     7.2.  Informative References . . . . . . . . . . . . . . . . . . 12
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12
   Intellectual Property and Copyright Statements . . . . . . . . . . 13


1.  Introduction

   Privacy Key Management Version 1 (PKMv1) [IEEE.802-16.2004] is a
   public-key-based authentication and key establishment protocol
   typically used in fixed wireless broadband network deployments.  The
   protocol uses X.509 v3 certificates [RFC2459], RSA encryption
   [PKCS.1.1998] and a variety of secret-key cryptographic methods to
   allow an 802.16 Base Station (BS) to authenticate a Subscriber
   Station (SS) and to establish and maintain keys between the SS and
   the BS.

   This document defines a set of RADIUS Attributes which are designed
   to provide support for PKMv1.

   Discussion of this draft may be directed to the author.


2.  Terminology

2.1.  Specification of Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.2.  Acronyms

   SA
      Security Association

   SAID
      Security Association Identifier

   TEK
      Traffic Encryption Key

   For further information on these terms, please see
   [IEEE.802-16.2004].


3.  Attributes

   The following subsections describe the Attributes defined by this
   document.  This specification concerns the following values:

      <TBD1> PKM-SS-Cert

      <TBD2> PKM-CA-Cert

      <TBD3> PKM-Config-Settings

      <TBD4> PKM-Cryptosuite-List

      <TBD5> PKM-SAID

      <TBD6> PKM-SA-Descriptor

      <TBD7> PKM-Auth-Key

3.1.  PKM-SS-Cert

   Description

      The PKM-SS-Cert Attribute is variable length and contains the
      X.509 certificate [RFC2459] identifying the Subscriber Station; it
      MAY be transmitted in the Access-Request message.

   A summary of the PKM-SS-Cert Attribute format is shown below.  The
   fields are transmitted from left to right.

                        1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Type       |      Len      |    Value...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      <TBD1> for PKM-SS-Cert

   Len

      > 2

   Value

      The Value field is variable length and contains an X.509
      certificate.  Note that the Value of a single RADIUS attribute
      cannot exceed 253 octets [RFC2865], and a DER-encoded X.509
      certificate is commonly larger than that; this document does not
      define how such a certificate is carried.

3.2.  PKM-CA-Cert

   Description

      The PKM-CA-Cert Attribute is variable length and contains the
      X.509 certificate [RFC2459] identifying the CA certificate for the
      SS; it MAY be transmitted in the Access-Request message.

   A summary of the PKM-CA-Cert Attribute format is shown below.  The
   fields are transmitted from left to right.

                        1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Type       |      Len      |    Value...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      <TBD2> for PKM-CA-Cert

   Len

      > 2

   Value

      The Value field is variable length and contains an X.509
      certificate.  As with PKM-SS-Cert, a certificate larger than the
      253-octet Value limit of a single RADIUS attribute [RFC2865]
      cannot be carried in one instance, and this document does not
      define how it is to be fragmented.

3.3.  PKM-Config-Settings

   Description

      The PKM-Config-Settings Attribute is 30 octets in length and
      consists of seven independent fields, each of type integer
      [RFC2865].  Each of the fields contains a timer and corresponds to
      a Type-Length-Value (TLV) tuple encapsulated in the IEEE 802.16
      "PKM configuration settings" attribute; for details on the
      contents of each field, see [IEEE.802-16.2004].  An instance of
      the PKM-Config-Settings Attribute MAY be included in the Access-
      Accept message.

   A summary of the PKM-Config-Settings Attribute format is shown below.
   The fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Type       |      Len      |       Auth Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       Auth Wait Timeout (cont.)   |      Reauth Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      Reauth Wait Timeout (cont.)  |        Auth Grace Time
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Auth Grace Time (cont.)    |        Op Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Op Wait Timeout (cont.)    |       Rekey Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      Rekey Wait Timeout (cont.)   |         TEK Grace Time
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        TEK Grace Time (cont.)     |     Auth Rej Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Auth Rej Wait Timeout (cont.) |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      <TBD3> for PKM-Config-Settings

   Len

      30

   Auth Wait Timeout

      The Auth Wait Timeout field is 4 octets in length and corresponds
      to the "Authorize wait timeout" field of the 802.16 "PKM
      configuration settings" attribute [IEEE.802-16.2004].

   Reauth Wait Timeout

      The Reauth Wait Timeout field is 4 octets in length and
      corresponds to the "Reauthorize wait timeout" field of the 802.16
      "PKM configuration settings" attribute [IEEE.802-16.2004].

   Auth Grace Time

      The Auth Grace Time field is 4 octets in length and corresponds to
      the "Authorize grace time" field of the 802.16 "PKM configuration
      settings" attribute [IEEE.802-16.2004].

   Op Wait Timeout

      The Op Wait Timeout field is 4 octets in length and corresponds to
      the "Operational wait timeout" field of the 802.16 "PKM
      configuration settings" attribute [IEEE.802-16.2004].

   Rekey Wait Timeout

      The Rekey Wait Timeout field is 4 octets in length and corresponds
      to the "Rekey wait timeout" field of the 802.16 "PKM configuration
      settings" attribute [IEEE.802-16.2004].

   TEK Grace Time

      The TEK Grace Time field is 4 octets in length and corresponds to
      the "TEK grace time" field of the 802.16 "PKM configuration
      settings" attribute [IEEE.802-16.2004].

   Auth Rej Wait Timeout

      The Auth Rej Wait Timeout field is 4 octets in length and
      corresponds to the "Authorize reject wait timeout" field of the
      802.16 "PKM configuration settings" attribute [IEEE.802-16.2004].

3.4.  PKM-Cryptosuite-List

   Description

      The PKM-Cryptosuite-List Attribute is variable length and
      corresponds roughly to the "Cryptographic-Suite-List" 802.16
      attribute [IEEE.802-16.2004], the difference being that the RADIUS
      Attribute contains only the 3 octet cryptographic suite
      identifiers, omitting the IEEE Type and Length fields.

      The PKM-Cryptosuite-List Attribute MAY be present in an Access-
      Request message.


      Implementation Note

         The PKM-Cryptosuite-List Attribute is used as a building block
         to create the 802.16 "Security-Capabilities" attribute; since
         this document only pertains to PKM version 1, the "Version"
         sub-attribute in that structure MUST be set to 0x01 when the
         RADIUS client constructs it.


   A summary of the PKM-Cryptosuite-List Attribute format is shown
   below.  The fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     |      Len      |          Value...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      <TBD4> for PKM-Cryptosuite-List

   Len

      >= 5; since each identifier is 3 octets, Len - 2 is a multiple
      of 3.

   Value

      The Value field is variable length and contains a sequence of one
      or more cryptosuite identifiers, each of which is 3 octets in
      length and corresponds to the Value field of an IEEE 802.16
      Cryptographic-Suite attribute.

3.5.  PKM-SAID

   Description

      The PKM-SAID Attribute is 4 octets in length and contains a PKM
      Security Association Identifier [IEEE.802-16.2004].  It MAY be
      included in an Access-Request message.

   A summary of the PKM-SAID Attribute format is shown below.  The
   fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     |      Len      |            SAID               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      <TBD5> for PKM-SAID

   Len

      4

   SAID

      The SAID field is two octets in length and corresponds to the
      Value field of the 802.16 PKM SAID attribute.

3.6.  PKM-SA-Descriptor

   Description

      The PKM-SA-Descriptor Attribute is 8 octets in length.  It
      consists of 3 fields, described below, which together specify the
      characteristics of a PKM security association.  One or more
      instances of the PKM-SA-Descriptor Attribute MAY occur in an
      Access-Accept message.

   A summary of the PKM-SA-Descriptor Attribute format is shown below.
   The fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     |      Len      |            SAID               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    SA Type    |                Cryptosuite                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      <TBD6> for PKM-SA-Descriptor

   Len

      8

   SAID

      The SAID field is two octets in length and contains a PKM SAID
      (see Section 3.5).

   SA Type

      The SA Type field is one octet in length.  The contents
      correspond to those of the Value field of an IEEE 802.16 SA-Type
      attribute.

   Cryptosuite

      The Cryptosuite field is 3 octets in length.  The contents
      correspond to those of the Value field of an IEEE 802.16
      Cryptographic-Suite attribute.
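
   The following decoder is an added example; it is not part of this
   draft or of any 802.16 or RADIUS implementation.  It walks a RADIUS
   attribute stream and enforces the length rules of Sections 3.3
   through 3.6 (Len 30 for PKM-Config-Settings, Len >= 5 and a Value
   that is a multiple of 3 octets for PKM-Cryptosuite-List, Len 4 for
   PKM-SAID, Len 8 for PKM-SA-Descriptor) before unpacking anything.
   The Type codes are placeholders standing in for <TBD3> through
   <TBD6>, and the sample attribute bytes are constructed for the
   demonstration.

```python
"""Decoder for the PKM RADIUS Attributes of Sections 3.3 - 3.6 (added example)."""
import struct
from dataclasses import dataclass

# Placeholder Type codes standing in for <TBD3>..<TBD6>; NOT IANA assignments.
PKM_CONFIG_SETTINGS = 133
PKM_CRYPTOSUITE_LIST = 134
PKM_SAID = 135
PKM_SA_DESCRIPTOR = 136

# The seven 4-octet timers of PKM-Config-Settings, in wire order.
CONFIG_FIELDS = ("auth_wait_timeout", "reauth_wait_timeout", "auth_grace_time",
                 "op_wait_timeout", "rekey_wait_timeout", "tek_grace_time",
                 "auth_rej_wait_timeout")


class PkmDecodeError(ValueError):
    """Raised for any attribute whose Len violates the rules in the draft."""


def split_attributes(data: bytes):
    """Yield (Type, Value) pairs; Len counts the Type and Len octets themselves.

    A Len below 2 or one that runs past the buffer is rejected outright
    rather than silently truncated.
    """
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise PkmDecodeError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise PkmDecodeError(f"bad Len {alen} for Type {atype}")
        yield atype, data[off + 2:off + alen]
        off += alen


def decode_config_settings(value: bytes) -> dict:
    # Section 3.3: seven 4-octet integers, so Len is exactly 30.
    if len(value) != 28:
        raise PkmDecodeError("PKM-Config-Settings Len must be 30")
    return dict(zip(CONFIG_FIELDS, struct.unpack("!7I", value)))


def decode_cryptosuite_list(value: bytes) -> list:
    # Section 3.4: one or more 3-octet identifiers, so Len >= 5 and
    # (Len - 2) is a multiple of 3.
    if len(value) < 3 or len(value) % 3:
        raise PkmDecodeError("PKM-Cryptosuite-List Value is not 3n octets, n >= 1")
    return [value[i:i + 3] for i in range(0, len(value), 3)]


def decode_said(value: bytes) -> int:
    # Section 3.5: a 2-octet SAID, so Len is exactly 4.
    if len(value) != 2:
        raise PkmDecodeError("PKM-SAID Len must be 4")
    return struct.unpack("!H", value)[0]


@dataclass(frozen=True)
class SADescriptor:
    said: int
    sa_type: int
    cryptosuite: bytes


def decode_sa_descriptor(value: bytes) -> SADescriptor:
    # Section 3.6: SAID (2) + SA Type (1) + Cryptosuite (3), so Len is exactly 8.
    if len(value) != 6:
        raise PkmDecodeError("PKM-SA-Descriptor Len must be 8")
    said, sa_type = struct.unpack("!HB", value[:3])
    return SADescriptor(said, sa_type, value[3:])


DECODERS = {PKM_CONFIG_SETTINGS: decode_config_settings,
            PKM_CRYPTOSUITE_LIST: decode_cryptosuite_list,
            PKM_SAID: decode_said,
            PKM_SA_DESCRIPTOR: decode_sa_descriptor}


def decode_pkm_attributes(data: bytes) -> dict:
    """Map each PKM Type to its decoded instances (a list: PKM-SA-Descriptor may repeat)."""
    found = {}
    for atype, value in split_attributes(data):
        if atype in DECODERS:          # non-PKM attributes are passed over
            found.setdefault(atype, []).append(DECODERS[atype](value))
    return found


def encode_attribute(atype: int, value: bytes) -> bytes:
    """Type + Len + Value; a Value over 253 octets does not fit one attribute."""
    if len(value) > 253:
        raise ValueError("Value exceeds the 253-octet RADIUS limit")
    return bytes((atype, len(value) + 2)) + value


# Constructed sample attribute streams (arbitrary values, not from a real exchange).
SAMPLE_REQUEST = (                      # what an Access-Request might carry
    encode_attribute(PKM_CRYPTOSUITE_LIST, b"\x00\x01\x01\x01\x01\x01")
    + encode_attribute(PKM_SAID, struct.pack("!H", 3)))
SAMPLE_ACCEPT = (                       # what an Access-Accept might carry
    encode_attribute(PKM_CONFIG_SETTINGS, struct.pack("!7I", 10, 10, 600, 10, 10, 600, 60))
    + encode_attribute(PKM_SA_DESCRIPTOR, struct.pack("!HB", 1, 0) + b"\x00\x01\x01")
    + encode_attribute(PKM_SA_DESCRIPTOR, struct.pack("!HB", 2, 1) + b"\x00\x01\x02"))
```

   decode_pkm_attributes(SAMPLE_ACCEPT) returns the seven timers keyed
   by name and both SA descriptors; a stream whose Len claims more
   octets than are present raises PkmDecodeError instead of reading
   past the end of the attribute.  Checking Len against the fixed sizes
   of Sections 3.3, 3.5 and 3.6 before unpacking is what keeps a
   malformed attribute from being interpreted as something else.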




3.7.  PKM-Auth-Key

   Description

      The PKM-Auth-Key Attribute is 135 octets in length.  It consists
      of 3 fields, described below, which together specify the
      characteristics of a PKM authorization key.  The PKM-Auth-Key
      Attribute MAY occur in an Access-Accept message.  Any packet that
      contains an instance of the PKM-Auth-Key Attribute MUST also
      contain an instance of the Message-Authenticator Attribute
      [RFC3579].

   A summary of the PKM-Auth-Key Attribute format is shown below.  The
   fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     |      Len      |           Lifetime
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Lifetime (cont.)      |    Sequence   |     Key...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      <TBD7> for PKM-Auth-Key

   Len

      135

   Lifetime

      The Lifetime field is 4 octets in length and represents the
      lifetime of the authorization key, in seconds; the contents
      correspond to those of the Value field of an IEEE 802.16 Key-
      Lifetime attribute.

   Sequence

      The Sequence field is one octet in length.  The contents
      correspond to those of the Value field of an IEEE 802.16 Key-
      Sequence attribute.

   Key

      The Key field is 128 octets in length.  The contents correspond to
      those of the Value field of an IEEE 802.16 AUTH-Key attribute.
      The Key field MUST be encrypted under the public key from the
      Subscriber Station certificate (Section 3.1) using RSA encryption
      [PKCS.1.1998]; see [IEEE.802-16.2004] for further details.


4.  IANA Considerations

   This section explains the criteria to be used by the IANA for
   assignment of numbers within namespaces used within this document.

4.1.  Attributes

   Upon publication of this document as an RFC, IANA must assign numbers
   to the following Attributes, following the allocation policies in RFC
   3575 [RFC3575].

      <TBD1> PKM-SS-Cert

      <TBD2> PKM-CA-Cert

      <TBD3> PKM-Config-Settings

      <TBD4> PKM-Cryptosuite-List

      <TBD5> PKM-SAID

      <TBD6> PKM-SA-Descriptor

      <TBD7> PKM-Auth-Key


5.  Security Considerations

   If the Access-Accept message is not subject to strong integrity
   protection, an attacker able to modify it in transit may be able to
   alter the contents of the PKM-Auth-Key Attribute; for example, the
   Key field could be replaced with a key known to the attacker.  The
   Key field is RSA-encrypted under the public key carried in the
   PKM-SS-Cert Attribute, so the Access-Request carrying that
   certificate needs the same integrity protection: an attacker able to
   substitute a certificate whose private key they hold would cause the
   RADIUS server to encrypt the authorization key to that key.  The
   Message-Authenticator Attribute [RFC3579] provides this protection
   for both messages.  Since the PKM-CA-Cert Attribute also arrives
   from the RADIUS client, a server should not treat it as a trust
   anchor by itself; the Subscriber Station certificate is validated
   against CA certificates the server already trusts.
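
   The following is an added example, not code from this draft.  It
   builds an Access-Accept carrying a PKM-Auth-Key Attribute together
   with the Message-Authenticator Attribute [RFC3579] (Type 80, an
   HMAC-MD5 keyed with the shared secret over the packet with the
   Message-Authenticator value zeroed and the Request Authenticator in
   the Authenticator field), fills in the Response Authenticator of
   [RFC2865], and shows that a verifier which checks both rejects a
   packet whose Key field was altered in transit, a packet sent under
   the wrong secret, and a packet that omits the Message-Authenticator.
   The Type code for PKM-Auth-Key is a placeholder for <TBD7>; the
   shared secret, the Request Authenticator and the 128-octet Key field
   (a stand-in for the RSA ciphertext, not an actual encryption) are
   constructed for the demonstration.

```python
"""Access-Accept with PKM-Auth-Key and Message-Authenticator (added example)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2             # RADIUS Code for Access-Accept [RFC2865]
MESSAGE_AUTHENTICATOR = 80    # Message-Authenticator Type [RFC3579]
PKM_AUTH_KEY = 137            # placeholder for <TBD7>; NOT an IANA assignment


def attr(atype: int, value: bytes) -> bytes:
    """Type + Len + Value, Len counting the two header octets."""
    if len(value) > 253:
        raise ValueError("Value exceeds the 253-octet RADIUS limit")
    return bytes((atype, len(value) + 2)) + value


def pkm_auth_key(lifetime: int, sequence: int, key: bytes) -> bytes:
    """Section 3.7: Lifetime (4) + Sequence (1) + Key (128), giving Len 135."""
    if len(key) != 128:
        raise ValueError("Key field must be the 128-octet RSA ciphertext")
    return attr(PKM_AUTH_KEY, struct.pack("!IB", lifetime, sequence) + key)


def radius_header(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code (1) + Identifier (1) + Length (2) + Authenticator (16) + attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, secret, attrs) -> bytes:
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(radius_header(code, ident, request_auth, attrs) + secret).digest()


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        attrs: bytes, with_message_authenticator: bool = True) -> bytes:
    """Append Message-Authenticator (if asked) and fill in the Response Authenticator."""
    if with_message_authenticator:
        # RFC 3579: HMAC-MD5 over the whole packet with the Message-Authenticator
        # value zeroed and the Request Authenticator in the Authenticator field.
        zeroed = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
        mac = hmac.new(secret, radius_header(ACCESS_ACCEPT, ident, request_auth, zeroed),
                       "md5").digest()
        attrs = attrs + attr(MESSAGE_AUTHENTICATOR, mac)
    resp_auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, secret, attrs)
    return radius_header(ACCESS_ACCEPT, ident, resp_auth, attrs)


def verify_access_accept(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Accept only if the Response Authenticator AND a Message-Authenticator verify."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    code, ident, attrs = pkt[0], pkt[1], pkt[20:]
    expected = response_authenticator(code, ident, request_auth, secret, attrs)
    if not hmac.compare_digest(expected, pkt[4:20]):
        return False
    off = 0
    while off + 2 <= len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = attrs[:off + 2] + bytes(16) + attrs[off + 18:]
            mac = hmac.new(secret, radius_header(code, ident, request_auth, zeroed),
                           "md5").digest()
            return hmac.compare_digest(mac, attrs[off + 2:off + 18])
        off += alen
    return False      # no Message-Authenticator at all: this verifier rejects


def tampered(pkt: bytes) -> bytes:
    """Flip the last octet of the Key field, as an on-path attacker might.

    Assumes the layout built here: Message-Authenticator is the final 18 octets.
    """
    return pkt[:-19] + bytes([pkt[-19] ^ 0xFF]) + pkt[-18:]


# Constructed sample values; the "ciphertext" is a stand-in, not a real RSA encryption.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
FAKE_CIPHERTEXT = bytes(range(128))
ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET,
                             pkm_auth_key(lifetime=604800, sequence=1, key=FAKE_CIPHERTEXT))

if __name__ == "__main__":
    print("genuine packet verifies:", verify_access_accept(ACCEPT, REQUEST_AUTH, SECRET))
    print("tampered Key field verifies:",
          verify_access_accept(tampered(ACCEPT), REQUEST_AUTH, SECRET))
```

   The order of operations matters: the Message-Authenticator is
   computed first, while the Authenticator field still holds the
   Request Authenticator, and only then is the Response Authenticator
   computed over the finished attribute list.  A verifier that checked
   only the Response Authenticator would still catch the byte flip in
   tampered(), but would accept an Access-Accept that carries no
   Message-Authenticator at all; verify_access_accept() refuses that
   case as well.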


6.  Contributors

   Dong-ho Yu and Jay-young Heo contributed greatly to the creation of
   this document, both technically and through inspiration.


7.  References

7.1.  Normative References

   [IEEE.802-16.2004]
              IEEE, "IEEE Standard for Local and metropolitan area
              networks - Part 16: Air Interface for Fixed Broadband
              Wireless Access Systems", IEEE Std 802.16-2004, 2004,
              <http://standards.ieee.org/getieee802/
              download/802.16-2004.pdf>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3575]  Aboba, B., "IANA Considerations for RADIUS (Remote
              Authentication Dial In User Service)", RFC 3575,
              July 2003.

7.2.  Informative References

   [PKCS.1.1998]
              Kaliski, BK. and JS. Staddon, "RSA Encryption Standard,
              Version 2.0", PKCS 1, October 1998,
              <ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc>.

   [RFC2459]  Housley, R., Ford, W., Polk, T., and D. Solo, "Internet
              X.509 Public Key Infrastructure Certificate and CRL
              Profile", RFC 2459, January 1999.

   [RFC3579]  Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
              Dial In User Service) Support For Extensible
              Authentication Protocol (EAP)", RFC 3579, September 2003.


Author's Address

   Glen Zorn
   NetCube Technologies
   1310 East Thomas Street
   #306
   Seattle, Washington  98102
   USA

   Phone: +1 (206) 377-9035
   Email: gwz@netcube.com

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).