draft-ietf-dime-erp-01.txt   draft-ietf-dime-erp-02.txt 
Diameter Maintenance and L. Dondeti Diameter Maintenance and J. Bournelle
Extensions (DIME) QUALCOMM, Inc. Extensions (DIME) L. Morand
Internet-Draft J. Bournelle Internet-Draft Orange Labs
Intended status: Standards Track L. Morand Intended status: Standards Track S. Decugis, Ed.
Expires: March 1, 2010 Orange Labs Expires: April 11, 2010 NICT
S. Decugis, Ed.
NICT
Q. Wu Q. Wu
Huawei Huawei
August 28, 2009 G. Zorn, Ed.
Network Zen
October 8, 2009
Diameter support for EAP Re-authentication Protocol (ERP) Diameter support for EAP Re-authentication Protocol (ERP)
draft-ietf-dime-erp-01.txt draft-ietf-dime-erp-02.txt
Status of This Memo Status of This Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 1, 2010. This Internet-Draft will expire on April 11, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. and restrictions with respect to this document.
Abstract Abstract
EAP Re-authentication Protocol (ERP) defines extensions to the EAP Re-authentication Protocol (ERP) defines extensions to the
Extensible Authentication Protocol (EAP) to support efficient re- Extensible Authentication Protocol (EAP) to support efficient re-
authentication between the EAP peer and an EAP re-authentication authentication between the peer and an EAP Re-authentication (ER)
server through an EAP/ERP authenticator. This document specifies server through a compatible authenticator. This document specifies
Diameter support for ERP. It defines a new Diameter ERP application Diameter support for ERP. It defines a new Diameter ERP application
to transport ERP messages between authenticator and ERP server, and a to transport ERP messages between ER authenticator and ER server, and
set of new AVPs that can be used to transport the cryptographic a set of new AVPs that can be used to transport the cryptographic
material needed by ERP server. material needed by the re-authentication server.
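Review bot: the new wording "through a compatible authenticator" is vaguer than what it replaces and is inconsistent with the very next sentence, which says "between ER authenticator and ER server"; use "through an ER authenticator" in the first sentence as well so the abstract uses one term for the NAS role throughout, matching the ERP terminology from [RFC5296] that Section 2 says this document reuses.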
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4
5. Bootstrapping the ER server . . . . . . . . . . . . . . . . . 6 5. Bootstrapping the ER server . . . . . . . . . . . . . . . . . 6
5.1. Bootstrapping during initial EAP authentication . . . . . 6 5.1. Bootstrapping during initial EAP authentication . . . . . 6
5.2. Bootstrapping during first re-authentication . . . . . . . 8 5.2. Bootstrapping during first re-authentication . . . . . . . 8
6. Re-Authentication . . . . . . . . . . . . . . . . . . . . . . 9 6. Re-Authentication . . . . . . . . . . . . . . . . . . . . . . 9
7. Application Id . . . . . . . . . . . . . . . . . . . . . . . . 11 7. Application Id . . . . . . . . . . . . . . . . . . . . . . . . 11
8. AVPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 8. AVPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
8.1. ERP-RK-Request AVP . . . . . . . . . . . . . . . . . . . . 12 8.1. ERP-RK-Request AVP . . . . . . . . . . . . . . . . . . . . 12
8.2. ERP-Realm AVP . . . . . . . . . . . . . . . . . . . . . . 12 8.2. ERP-Realm AVP . . . . . . . . . . . . . . . . . . . . . . 12
8.3. ERP-RK-Answer AVP . . . . . . . . . . . . . . . . . . . . 12 8.3. ERP-RK-Answer AVP . . . . . . . . . . . . . . . . . . . . 12
skipping to change at page 3, line 39 skipping to change at page 3, line 39
2. Terminology 2. Terminology
This document uses terminology defined in [RFC3748], [RFC5295], This document uses terminology defined in [RFC3748], [RFC5295],
[RFC5296], and [RFC4072]. [RFC5296], and [RFC4072].
"Root key" (RK) or "bootstrapping material" refer to the rRK or rDSRK "Root key" (RK) or "bootstrapping material" refer to the rRK or rDSRK
derived from an EMSK, depending on the location of the ER server in derived from an EMSK, depending on the location of the ER server in
home or foreign domain. home or foreign domain.
We note in this document ERP/DER a Diameter-EAP-Request command with We use the notation "ERP/DER" in this document to refer to a
the Application Id set to Diameter ERP application. On the same Diameter-EAP-Request command with its Application Id set to Diameter
model, we use ERP/DEA, EAP/DER and EAP/DEA. ERP application. Similarly, we use the "ERP/DEA", "EAP/DER", and
"EAP/DEA".
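Review bot: the rewritten second sentence has a stray article and no longer says what the three other notations mean ("Similarly, we use the "ERP/DEA", "EAP/DER", and "EAP/DEA"."); the old text at least said "on the same model". Suggested: "Similarly, "ERP/DEA" denotes a Diameter-EAP-Answer with the Diameter ERP Application Id, and "EAP/DER" and "EAP/DEA" denote a Diameter-EAP-Request and Diameter-EAP-Answer with the Diameter EAP Application Id [RFC4072]." In the unchanged definition just above, "the rRK or rDSRK derived from an EMSK" is also slightly loose: per [RFC5296] only the rRK is derived directly from the EMSK, while the domain-specific root key is derived from the DSRK, which is itself derived from the EMSK [RFC5295]; "derived directly from the EMSK, or via a DSRK" would be more precise.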
2.1. Requirements Language 2.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Assumptions 3. Assumptions
This document makes the following assumptions. This document makes the following assumptions.
The Home EAP server of a peer that wants to use ERP is extended to The Home EAP server of a peer that wants to use ERP is extended to
support: support:
Cryptographic operations needed to derive the ERP root key from Cryptographic operations needed to derive the ERP root key from
the EMSK. By deriving the ERP root key for a specific domain, the the EMSK. By deriving the ERP root key for a specific domain, the
home EAP server implicitly authorizes the use of ERP within this home EAP server implicitly authorizes the use of ERP within this
domain. domain.
Diameter operations to include this root key inside an appropriate Diameter operations needed to include this root key in a response
AVP as defined in this document, in an answer message message, when a request for this root key was received in a
corresponding to a request that contained a request for this request message. The two AVP that contain the request for and the
material (AVP for the request also defined in this document). root key material are defined in this document.
(recommanded) Ability to answer a DER message with EAP-Payload (recommended) Ability to answer a DER message with EAP-Payload
containing an explicit bootstrapping ERP message. containing an explicit bootstrapping ERP message.
The Authenticator (NAS) is extended to support: The Authenticator (NAS) is extended to support:
Allow the new ERP command codes (EAP-Initiate and EAP-Finish) in Allow the new ERP command codes (EAP-Initiate and EAP-Finish) in
its EAP pass-through mode. its EAP pass-through mode.
(optional) Send the EAP-Initiate/Re-Auth-Start message (optional) Send the EAP-Initiate/Re-Auth-Start message
(optional) Provide the local domain name via lower layer specific (optional) Provide the local domain name via lower layer specific
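Review bot: in the rewritten second bullet for the home EAP server, "in a response message, when a request for this root key was received in a request message" is circular and "The two AVP that contain" should be "The two AVPs that carry"; since the AVP names are fixed elsewhere in this document (ERP-RK-Request and ERP-RK-Answer, Sections 8.1 and 8.3), say it directly: "Diameter operations needed to return this root key in an ERP-RK-Answer AVP of the DEA when the corresponding DER carried an ERP-RK-Request AVP; both AVPs are defined in this document." In the unchanged NAS list, "the new ERP command codes (EAP-Initiate and EAP-Finish)" is misleading in a Diameter document, where Command Code has a specific meaning: EAP-Initiate and EAP-Finish are EAP Codes defined by [RFC5296], so "the new EAP Codes" is the accurate term.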
skipping to change at page 14, line 48 skipping to change at page 14, line 48
when a Re-Auth-Request is received for a peer on the authenticator. when a Re-Auth-Request is received for a peer on the authenticator.
11. Acknowledgements 11. Acknowledgements
Hannes Tschofenig wrote the initial draft for this document and Hannes Tschofenig wrote the initial draft for this document and
provided useful reviews. provided useful reviews.
Vidya Narayanan reviewed a rough draft version of the document and Vidya Narayanan reviewed a rough draft version of the document and
found some errors. found some errors.
Glen Zorn actively participated in the discussions on the design for Lakshminath Dondeti contributed to the early versions of the
Diameter ERP, providing the point of view and experience from HOKEY document.
workgroup.
Many thanks to these people! Many thanks to these people!
12. IANA Considerations 12. IANA Considerations
This document requires IANA registration of the following new This document requires IANA registration of the following new
elements in the Authentication, Authorization, and Accounting (AAA) elements in the Authentication, Authorization, and Accounting (AAA)
Parameters [1] registries. Parameters [1] registries.
12.1. Diameter ERP application 12.1. Diameter ERP application
skipping to change at page 17, line 5 skipping to change at page 17, line 5
14.2. Informative References 14.2. Informative References
[I-D.ietf-dime-app-design-guide] Fajardo, V., Asveren, T., [I-D.ietf-dime-app-design-guide] Fajardo, V., Asveren, T.,
Tschofenig, H., McGregor, G., and Tschofenig, H., McGregor, G., and
J. Loughney, "Diameter Applications J. Loughney, "Diameter Applications
Design Guidelines", Design Guidelines",
draft-ietf-dime-app-design-guide-08 draft-ietf-dime-app-design-guide-08
(work in progress), November 2008. (work in progress), November 2008.
[I-D.ietf-dime-erp] Dondeti, L., Bournelle, J., Morand,
L., and S. Decugis, "Diameter
Support for EAP Re-authentication
Protocol", draft-ietf-dime-erp-00
(work in progress), January 2009.
[I-D.ietf-hokey-key-mgm] Hoeper, K. and Y. Ohba, [I-D.ietf-hokey-key-mgm] Hoeper, K. and Y. Ohba,
"Distribution of EAP based keys for "Distribution of EAP based keys for
handover and re-authentication", handover and re-authentication",
draft-ietf-hokey-key-mgm-06 (work draft-ietf-hokey-key-mgm-06 (work
in progress), April 2009. in progress), April 2009.
[I-D.wu-dime-local-keytran] Wu, W., "Diameter support for local [I-D.wu-dime-local-keytran] Wu, W., "Diameter support for local
key transport protocol between key transport protocol between
local server and home AAA server", local server and home AAA server",
draft-wu-dime-local-keytran-00 draft-wu-dime-local-keytran-00
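Review bot: dropping the [I-D.ietf-dime-erp] entry is right, since a document should not list its own earlier revision as an informative reference, but please confirm that no citation of [I-D.ietf-dime-erp] remains in the body of -02, or the reference check at submission will fail. Separately, the unchanged [I-D.wu-dime-local-keytran] entry gives the author as "Wu, W." while the Authors' Addresses section lists Qin Wu; check the initials in the reference entry against the cited draft's author list.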
skipping to change at page 17, line 40 skipping to change at page 17, line 34
Eronen, "Extensible Authentication Eronen, "Extensible Authentication
Protocol (EAP) Key Management Protocol (EAP) Key Management
Framework", RFC 5247, August 2008. Framework", RFC 5247, August 2008.
URIs URIs
[1] <http://www.iana.org/assignments/aaa-parameters/> [1] <http://www.iana.org/assignments/aaa-parameters/>
Authors' Addresses Authors' Addresses
Lakshminath Dondeti
QUALCOMM, Inc.
5775 Morehouse Dr
San Diego, CA
USA
Phone: +1 858-845-1267
EMail: ldondeti@qualcomm.com
Julien Bournelle Julien Bournelle
Orange Labs Orange Labs
38-40 rue du general Leclerc 38-40 rue du general Leclerc
Issy-Les-Moulineaux 92794 Issy-Les-Moulineaux 92794
France France
EMail: julien.bournelle@orange-ftgroup.com EMail: julien.bournelle@orange-ftgroup.com
Lionel Morand Lionel Morand
Orange Labs Orange Labs
skipping to change at line 820 skipping to change at page 18, line 19
EMail: sdecugis@nict.go.jp EMail: sdecugis@nict.go.jp
Qin Wu Qin Wu
Huawei Technologies Co., Ltd Huawei Technologies Co., Ltd
Site B, Floor 12F, Huihong Mansion, No.91 Baixia Rd. Site B, Floor 12F, Huihong Mansion, No.91 Baixia Rd.
Nanjing 210001 Nanjing 210001
China China
EMail: sunseawq@huawei.com EMail: sunseawq@huawei.com
Glen Zorn (editor)
Network Zen
1310 East Thomas Street
#306
Seattle, Washington 98102
USA
Phone: +1 (206) 377-9035
EMail: gwz@net-zen.net
 End of changes. 14 change blocks. 
41 lines changed or deleted 27 lines changed or added

This html diff was produced by rfcdiff 1.37a. The latest version is available from http://tools.ietf.org/tools/rfcdiff/