Diameter Maintenance and
Network Working Group                                       J. Bournelle
Extensions (DIME)
Internet-Draft                                                 L. Morand
Internet-Draft                                               Orange Labs
Intended status: Standards Track                             Orange Labs
Expires: September 8, 2010                               S. Decugis, Ed.
Expires: April 11, 2010
                                                                   Q. Wu
                                                            G. Zorn, Ed.
                                                             Network Zen
                                                         October 8, 2009
                                                           March 7, 2010

     Diameter support for the EAP Re-authentication Protocol (ERP)


   The EAP Re-authentication Protocol (ERP)
                       draft-ietf-dime-erp-02.txt defines extensions to the
   Extensible Authentication Protocol (EAP) to support efficient re-
   authentication between the peer and an EAP Re-authentication (ER)
   server through a compatible authenticator.  This document specifies
   Diameter support for ERP.  It defines a new Diameter ERP application
   to transport ERP messages between an ER authenticator and the ER
   server, and a set of new AVPs that can be used to transport the
   cryptographic material needed by the re-authentication server.

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on April 11, September 8, 2010.

Copyright Notice

   Copyright (c) 2009 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info). document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.


   EAP Re-authentication Protocol (ERP) defines extensions to the
   Extensible Authentication Protocol (EAP) to support efficient re-
   authentication between the peer and an EAP Re-authentication (ER)
   server through a compatible authenticator.  This  Code Components extracted from this document specifies
   Diameter support for ERP.  It defines a new Diameter ERP application
   to transport ERP messages between ER authenticator and ER server, and
   a set must
   include Simplified BSD License text as described in Section 4.e of new AVPs that can be used to transport
   the cryptographic
   material needed by Trust Legal Provisions and are provided without warranty as
   described in the re-authentication server. BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
     2.1.  Requirements Language  . . . . . . . . . . . . . . . . . .  3
   3.  Assumptions  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   4.  Protocol Overview  . . . . . . . . . . . . . . . . . . . . . .  4
   5.  Bootstrapping the ER server Server  . . . . . . . . . . . . . . . . .  6
     5.1.  Bootstrapping during initial During the Initial EAP authentication  . . . . .  6
     5.2.  Bootstrapping during first re-authentication . . During the First Re-authentication . . . . .  8
   6.  Re-Authentication  . . . . . . . . . . . . . . . . . . . . . .  9 10
   7.  Application Id . . . . . . . . . . . . . . . . . . . . . . . . 11 13
   8.  AVPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 13
     8.1.  ERP-RK-Request AVP . . . . . . . . . . . . . . . . . . . . 12 13
     8.2.  ERP-Realm AVP  . . . . . . . . . . . . . . . . . . . . . . 12 13
     8.3.  ERP-RK-Answer  Key AVP  . . . . . . . . . . . . . . . . . . . . 12
     8.4.  ERP-RK AVP . . . . . . . 14
       8.3.1.  Key-Type AVP . . . . . . . . . . . . . . . . . 13
     8.5.  ERP-RK-Name AVP . . . . 14
       8.3.2.  Keying-Material AVP  . . . . . . . . . . . . . . . . . 13
     8.6.  ERP-RK-Lifetime 14
       8.3.3.  Key-Name AVP . . . . . . . . . . . . . . . . . . . 13
   9.  Commands . . . . . . . . 14
       8.3.4.  Key-Lifetime AVP . . . . . . . . . . . . . . . . . . . 13
   10. 14
   9.  Open issues  . . . . . . . . . . . . . . . . . . . . . . . . . 14
   10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14
   12. 15
   11. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 15
     11.1. Diameter ERP application . . . . Application Identifier  . . . . . . . . . . . . . 15
     11.2. New AVPs . . . . . . . . . . . . . . . . . . . . . . . . . 15
   12. Security Considerations  . . . . . . . . . . . . . . . . . . . 15
   14. 16
   13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
     13.1. Normative References . . . . . . . . . . . . . . . . . . . 16
     13.2. Informative References . . . . . . . . . . . . . . . . . . 16 17

1.  Introduction

   RFC 5296 [RFC5296] defines the EAP Re-authentication Protocol (ERP).
   It consists in of the following steps:

   1.  Bootstrapping: a

      A root key for re-authentication is derived from the Extended
      Master Session Key (EMSK) created during EAP authentication
      [RFC5295].  This root key is transported from the EAP server to
      the ER server.

   2.  Re-authentication: a

      A one-round-trip exchange between the peer and the ER server,
      resulting in mutual authentication.  To accomplish support the EAP
      reauthentication functionality, ERP defines two new EAP codes -
      EAP-Initiate and EAP-Finish.

   This document defines how Diameter transports the ERP messages (Re-
   authentication step). during
   the re-authentication process.  For this purpose, we define a new
   Id Identifier for ERP, and re-use the Diameter EAP commands

   This document also discusses the distribution of the root key
   (bootstrapping step), either during
   bootstrapping, in conjunction with either the initial EAP
   authentication (implicit bootstrapping) or during the first ERP exchange
   (explicit bootstrapping).  Security considerations for this key
   distribution are detailed in RFC 5295 [RFC5295].

2.  Terminology

   This document uses terminology defined in RFC 3748 [RFC3748], RFC
   5295 [RFC5295], RFC 5296 [RFC5296], and RFC 4072 [RFC4072].

   "Root key" (RK) or "bootstrapping material" refer to the rRK or rDSRK
   derived from an EMSK, depending on the location of the ER server in
   home or foreign domain.

   We use the notation "ERP/DER" in this document to refer to a
   Diameter-EAP-Request command with its Application Id set to Diameter
   ERP application.  Similarly, we use the "ERP/DEA", "EAP/DER", and

2.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

3.  Assumptions

   This document makes the following assumptions.

   The Home EAP server of a peer that wants to use ERP is extended to

      Cryptographic operations needed to derive the ERP root key from
      the EMSK.  By deriving the ERP root key for a specific domain, the
      home EAP server implicitly authorizes the use of ERP within this

      Diameter operations needed to include this root key in a response
      message, when a request for this root key was received in a
      request message.  The two AVP that contain the request for and the
      root key material are defined in this document.

      (recommended) Ability to answer a DER message with EAP-Payload
      containing an explicit bootstrapping ERP message.

   The Authenticator (NAS) is extended to support:

      Allow the new ERP command codes (EAP-Initiate and EAP-Finish) in
      its EAP pass-through mode.

      (optional) Send the EAP-Initiate/Re-Auth-Start message

      (optional) Provide the local domain name via lower layer specific
      mechanism or via TLV in assumes the EAP-Initiate/Re-Auth-Start message.

      Encapsulate ERP message and receive corresponding Diameter answer,
      as described in this document.

   If one existence of the components does not match these assumptions, the ERP
   mechanism will fail.  In such situation, a full EAP authentication
   may be attempted as a fallback mechanism.

   We consider at most one logical ER server
   entity in a domain.  If several physical servers are deployed for
   robustness, a replication mechanism must be deployed to synchronize
   the ERP states (root keys ) keys) between these servers.  This replication
   mechanism is out of the scope of this document.  If several multiple ER
   servers are deployed in the domain, we assume that they can be used

4.  Protocol Overview

   The following figure shows the components involved in ERP, and their

                            Diameter                    +--------+
            +-------------+   ERP   +-----------+  (*)  |  Home  |
    Peer <->|Authenticator|<=======>| ER server | <---> |  EAP   |
            +-------------+         +-----------+       | server |
    (*) Diameter EAP application, explicit bootstraping bootstrapping scenario only.


                      Figure 1: Diameter ERP overview. Overview

   The ER server is located either in the home domain (same as EAP
   server) or in the visited domain (same as authenticator, when it
   differs from the home domain).

      Can the ER server be located in a third domain (ex: broker's)
      according to ERP mechanism?

   When the peer initiates an ERP exchange, the authenticator creates a
   Diameter-EAP-Request message, as described in Diameter EAP
   application [RFC4072].  The Application Id of the message is set to
   that of the Diameter ERP application (code: TBD ) TBD) in the message.  The exact
   processing to generate
   generation of the ERP/DER message is detailed in section Section 6.

   If there is an ER server in the same domain as the authenticator
   (local domain), Diameter routing MUST

      Should this say "SHOULD: instead of "MUST"?

   be configured so that this ERP/
   DER ERP/DER message reachs this server, even
   if the Destination-Realm is not the local domain.

   If there is no local ER server, the message is routed according to
   its Destination-Realm AVP content, extracted from the realm component
   of the keyName-NAI attribute.  As specified in RFC 5296 [RFC5296],
   this realm is the home domain of the peer in case of a bootstrapping
   exchange ('B' (the 'B' flag is set in the ERP message) or the domain of
   the bootstrapped ER server otherwise . otherwise.

      This actually might allow the ER server to be in a third party

   If no ER server is available in the home domain either, the ERP/DER
   message cannot be delivered, and an error DIAMETER_UNABLE_TO_DELIVER
   is generated as specified in [RFC3588] and returned to the authenticator.  The
   authenticator may cache this information (with limited duration) to
   avoid further attempts for ERP with this realm.  It may also fallback
   to full EAP authentication to authenticate the peer.

   When an ER server receives the ERP/DER message, it searches its local
   database for a root key

      and authorization state?

   matching the keyName part of the User-Name AVP.  If such key is
   found, the ER server processes the ERP message as described in RFC
   5296 [RFC5296] then creates the ERP/DEA answer as described in
   Section 6.  The rMSK is included in this answer.

   Finally, the authenticator extracts the rMSK from the ERP/DEA as
   described in RFC 5296 [RFC5296], and forwards the content of the EAP-Payload EAP-
   Payload AVP, the EAP-Finish/Re-Auth message, to the peer.

   If the EAP-Initiate/Re-Auth message has its 'B' flag set
   (Bootstrapping exchange), the ER server should not possess the root
   key in its local database .

      This may not be true in future RFC5296bis?

   In this case, the ER server acts as a proxy, and forwards the message
   to the home EAP server after changing its Application Id to Diameter
   EAP and adding an AVP to request the root key.  See section Section 5
   for more detail on this process.

5.  Bootstrapping the ER server Server

   The bootstrapping process involves the home EAP server and the ER
   server, but also impacts the peer and the authenticator.  In ERP, the
   peer must derive the same keying material as the ER server.  To
   achieve this, it must learn the domain name of the ER server.  How
   this information is acquired is outside the scope of this
   specification, but it may involves that the authenticator is
   configured to advertize this domain name, especially in the case of
   re-authentication after a handover.

   The bootstrapping of an ER server with a given root key happens
   either during the initial EAP authentication of the peer when the
   EMSK -- from which the root key is derived -- is created, during the
   first re-authentication, or sometime between those events.  We only
   consider the first two possibilities in this specification, in the
   following subsections.

5.1.  Bootstrapping during initial During the Initial EAP authentication

   Bootstrapping the ER server during the initial EAP authentication
   (also known as implicit bootstrapping) offers the advantage that the
   server is immediatly available for re-authentication of the peer,
   thus minimizing the re-authentication delay.  On the other hand, it is
   possible that only a small number of peers will use re-
   authentication re-authentication
   in the visited domain.  Deriving and caching key material for all the
   peers (for example, for the peers that do not support ERP) is a waste
   of resources and SHOULD be avoided.

   To achieve implicit bootstrapping, the ER server must act as a
   Diameter EAP Proxy as defined in the Diameter Base Protocol
   [RFC3588], and routing must be configured so that Diameter messages
   of a full EAP authentication are routed through this proxy.  The
   figure bellow
   captures illustrates this mechanism.

                              ER server &
     Authenticator             EAP Proxy               Home EAP server
     =============            ===========              ===============
              Diameter EAP/DER
                                       Diameter EAP/DER

             Multi-round Diameter EAP exchanges, unmodified

                                        Diameter EAP/DEA
                                        (Key AVP (rRK))
              Diameter EAP/DEA


        Figure 2: ERP bootstrapping during full Bootstrapping During Full EAP authentication Authentication

   The ER server proxies the first DER of the full EAP authentication
   and adds the ERP-RK-Request AVP inside, if this AVP is not already in
   the message (which might happen if there are ER servers in the
   visited and the home domains), then forwards the request.

   If the EAP server does not support the ERP extensions, it will simply
   ignore this grouped AVP and continue as specified in RFC 4072
   [RFC4072].  If the server supports the ERP extensions, it caches the
   ERP-Realm value with the session, session data, and continues the EAP
   authentication.  When the authentication is complete, if it is
   successful and the EAP method generated an EMSK, the server MUST compute
   derive the rRK or rDSRK
   (depending on the value of ERP-Realm) as specified in RFC 5296 [RFC5296], and
   add include an ERP-RK-Answer AVP in
   instance of the Diameter-EAP-Request message, Key AVP Section 8.3 in
   addition to the MSK and EAP-Success payloads. Diameter-EAP-Answer

   When the ER server proxies a Diameter-EAP-Answer message with a
   Session-Id corresponding to a message to which it added an ERP-RK-
   Answer, and the Result-Code is DIAMETER_SUCCESS, it MUST examine the
   message, extract and remove any ERP-RK-Answer Key AVP Section 8.3 from the message,
   and save its content.  If the message does not contain an ERP-RK-
   Answer AVP, the ER server MAY save cache this information to avoid
   possible subsequent re-authentication attempts for this session.  In
   any case, the information stored SHOULD NOT have a lifetime greater
   than the EMSK lifetime

      How does the ER server knows the EMSK lifetime, if there is no
      ERP-RK-Answer?  What is the lifetime of the MSK for example?

   If the ER server is successfully bootstrapped, it MAY also add the
   ERP-Realm AVP after removing the ERP-RK-Answer AVP in the EAP/DEA
   message.  This could be used by the authenticator to notify the peer
   that ERP is bootstrapped, with the ER domain information.  How this
   information can be transmitted to the peer is outside the scope of
   this document.

      Is this possible?  It might be useful...

5.2.  Bootstrapping during first re-authentication During the First Re-authentication

   Bootstrapping the ER server during the first re-authentication (also
   known as explicit bootstrapping) offers several advantages: it saves
   resources, since we generate and cache only root key keys that we
   actually need, and it can accomodate inter-domain handovers or ER
   servers that
   loose lose their state (for example after reboot) . reboot).

      This last point might not be true currently, since the peer would
      not issue a bootstrapping exchange...  But this might change also
      with RFC5296bis AFAIU

   On the other hand, the first re-authentication with the ER server
   requires a one-round-
   trip one-round-trip exchange with the home EAP server, which
   adds some delay to the process (but it is more efficient than a full
   EAP authentication in any case).  It also requires some
   synchronization between the peer and the visited domain: since the
   ERP message used is different

      and the root key used also?

   for the explicit bootstrapping exchange and than for normal re-authentication, re-
   authentication; explicit bootstrapping should not be used if implicit
   bootstrapping was already performed.

      What should we do if the ER server receives an explicit
      bootstrapping request but already possess the rDSRK?  Can it
      answer without going to the home server?  That would be simpler --
      planned in rfc5296bis ?

   The ER server receives the ERP/DER message containing the EAP-
   Initiate/Re-Auth message with the 'B' flag set.  It proxies this
   message, and do performs the following processing in addition to
   standard proxy operations:


      Changes the Application Id in the header of the message to
      Diameter EAP Application (code 5).

      Change the content of Application-Auth-Id accordingly.

         Is t better to leave it unmodified?

      Add the ERP-RK-Request AVP, which contains the name of the domain
      where the ER server is located.

         Add the Destination-Host to reach the appropriate EAP server,
         the one with the EMSK.  How does the ER server know this

   Then the server forwards the EAP/DER request, which is routed to the
   home EAP server.

   If the home EAP server does not support the ERP extensions, it
   replies with an error since the encapsulated EAP-Initiate/Re-auth
   command is not understood.  Otherwise, it processes the ERP request
   as described in [RFC5296].  In particular, it includes the Domain-Name Domain-
   Name TLV attribute with the content from the ERP-Realm AVP.  It
   creates the EAP/DEA reply message following standard processing from [RFC4072]
   (in particular EAP-Master-Session-Key AVP is used to transport the
   rMSK), and includes [RFC4072]. including an instance of
   the ERP-RK-Answer AVP. Key AVP Section 8.3.

      What about authorization AVPs?

   The ER server receives this EAP/DEA and proxies it as follow, follows, in
   addition to standard proxy operations:

      Set the Application Id back to Diameter ERP (code TBD)

      Extract and cache the content of the ERP-RK-Answer. Key AVP.

         And authorization AVPs ?

   The DEA is then forwarded to the authenticator, that can use the rMSK
   as described in RFC 5296 [RFC5296].

   The figure below captures this proxy behavior:

       Authenticator            ER server             Home EAP server
       =============            =========             ===============
                 Diameter ERP/DER
                                           Diameter EAP/DER

                                           Diameter EAP/DEA
                                              (Key AVP)
                 Diameter ERP/DEA

                    (Key AVP)

             Figure 3: ERP explicit bootstrapping message flow Explicit Bootstrapping Message Flow

6.  Re-Authentication

   This section describes in detail a re-authentication exchange with a
   (bootstrapped) ER server.  The following figure summarizes the re-
   authentication exchange.

                                                        ER server
    Peer                 Authenticator            (local or home domain)
    ====                 =============            ======================
    [ <------------------------         ]
    [optional EAP-Initiate/Re-auth-start]

                                 Diameter ERP, cmd code DER
                                   User-Name: Keyname-NAI
                              EAP-Payload: EAP-Initiate/Re-auth


                                 Diameter ERP, cmd code DEA
                               EAP-Payload: EAP-Finish/Re-auth
                                        Key AVP: rMSK


             Figure 4: Diameter ERP exchange. Re-authentication Exchange

   In ERP, the peer sends an EAP-Initiate/Re-auth message to the ER
   server via the authenticator.  Alternatively, the NAS authenticator may
   send an EAP-Initiate/Re-auth-Start message to the peer to trigger the
   start of ERP.  In this case, the peer responds with an EAP-Initiate/Re-auth
   message to the NAS. EAP-Initiate/
   Re-auth message.

   If the authenticator does not support ERP (pure [RFC4072] support),
   it discards the EAP packets with an unknown ERP-specific code (EAP-
   Initiate).  The peer may fallback to full EAP authentication in such this

   When the authenticator receives an EAP-Initiate/Re-auth message from
   the peer, it process as described in [RFC5296] with regards to the
   EAP state machine.  It creates a Diameter EAP Request message
   following the general process of Diameter EAP DiameterEAP [RFC4072], with the
   following differences:

      The Application Id in the header is set to Diameter ERP (code TBD

      The value in Auth-Application-Id AVP is also set to Diameter ERP

      The keyName-NAI attribute from ERP message is used to create the
      content of User-Name AVP and Destination-Realm AVP.

         What about Session-ID AVP -- in case of re-auth at the same
         place, and in case of handover?

      The Auth-Request-Type AVP content is set to [Editor's note: FFS].

         Do we really do authorization with Diameter ERP ? -- need to
         pass the authorization attrs to the ER server in that case.
         Idea FFS: we do authorization only for explicit bootstrapping

      The EAP-Payload AVP contains the ERP message, EAP-Initiate/

   Then this ERP/DER message is sent as described in Section 4.

   The ER server receives and processes this request as described in
   Section 4.  It then creates a Diameter answer ERP/DEA, an ERP/DEA message following the general
   processing described in RFC 4072 [RFC4072], with the following

      The Application Id in the header is set to Diameter ERP (code

      The value in of the Auth-Application-Id AVP is also set to Diameter
      ERP Application.

      The Result-Code AVP is set to an error value in case ERP
      authentication fails, or to DIAMETER_SUCCESS if ERP is successful.

      The EAP-Payload EAP-Payload AVP contains the ERP message, EAP-Finish/Re-auth.

      In case of successful authentication, an instance of the EAP-Master-Session-Key Key AVP contains
      containing the Re-authentication Master Session Key (rMSK) derived
      by ERP. ERP is included.

         What about all the authorization attributes?  If we want to
         include them, they have to be present on the ER server...

   When the authenticator receives this ERP/DEA answer, it processes it
   as described in Diameter EAP [RFC4072] and RFC 5296 [RFC5296]: the
   content of EAP-Payload AVP content is forwarded to the peer, and the content
   contents of
   EAP-Master-Session-Key the Keying-Material AVP [I-D.ietf-dime-local-keytran] is
   used as a shared secret for Secure Association Protocol.

7.  Application Id

   We define a new Diameter application in this document, Diameter ERP
   Application, with an Application Id value of TBD.  Diameter nodes
   conforming to this specification in the role of ER server MUST
   advertise support by including an Auth-Application-Id AVP with a
   value of Diameter ERP Application in the of the Capabilities-
   Exchange-Request and Capabilities-Exchange-Answer commands, as
   described in commands [RFC3588].

   The primary use of the Diameter ERP Application Id is to ensure
   proper routing of the messages, and that the nodes that advertise the
   support for this application do understand the new AVPs defined in
   section Section 8 , 8, although these AVP have the 'M' flag cleared.

8.  AVPs

   This specification defines section discusses the following new AVPs. AVPs used by the Diameter ERP application.

8.1.  ERP-RK-Request AVP

   The ERP-RK-Request AVP (AVP Code TBD) is of type grouped AVP.  This
   AVP is used by the ER server to indicate its willingness to act as ER
   server for a particular session.

   This AVP has the M and V bits cleared.

                         ERP-RK-Request ::= < AVP Header: TBD >
                                            { ERP-Realm }
                                          * [ AVP ]


                       Figure 5: ERP-RK-Request ABNF

8.2.  ERP-Realm AVP

   The ERP-Realm AVP (AVP Code TBD) is of type DiameterIdentity.  It
   contains the name of the realm in which the ER server is located.

      We may re-use Origin-Realm here instead?  On the other hand, ERP-
      Realm may be useful if the ER server is in a third-party realm, if
      this is possible.

   This AVP has the M and V bits cleared.

8.3.  ERP-RK-Answer  Key AVP

   The ERP-RK-Answer Key AVP (AVP Code TBD) [I-D.ietf-dime-local-keytran] is of type grouped AVP.  It "Grouped" and is
   used by the home EAP server to provide ERP root key material to carry the
   ER server.

   This AVP has rMSK and associated attributes.  The usage of the M
   Key AVP and V bits cleared.

          ERP-RK-Answer ::= < its constituent AVPs in this application is specified in
   the following sub-sections.

8.3.1.  Key-Type AVP Header: TBD >
                            { ERP-RK }
                            { ERP-RK-Name }
                            { ERP-RK-Lifetime }
                          * [

   The value of the Key-Type AVP ]

                        Figure. ERP-RK-Answer ABNF

8.4.  ERP-RK MUST be set to 3 for rRK.

8.3.2.  Keying-Material AVP

   The ERP-RK Keying-Material AVP (AVP Code TBD) is of type OctetString.  It contains
   the root key (either rRK or rDSRK) sent by the home EAP server to
   the ER server, in answer to a request containing an ERP-RK-Request
   AVP.  How this material is derived and used is specified in RFC 5296

   This AVP has the M and V bits cleared.

8.5.  ERP-RK-Name AVP

   The ERP-RK-Name

8.3.3.  Key-Name AVP (AVP Code TBD) is of type OctetString.

   This AVP contains the EMSKname which identifies the keying material.  How
   The derivation of this name is derived is beyond the scope of this document and defined specified in RGC 5296 [RFC5296].

   This AVP has the M and V bits cleared.

8.6.  ERP-RK-Lifetime

8.3.4.  Key-Lifetime AVP

   The ERP-RK-Lifetime Key-Lifetime AVP (AVP Code TBD) is of type Unsigned32 and contains the root key material remaining lifetime of the keying material in
   seconds.  It MUST not NOT be greater than the remaining lifetime of the
   EMSK it is
   derived from.

   This AVP has from which the M and V bits cleared. material was derived.

9.  Commands

   We do not define any new command in this specification.  We reuse the
   Diameter-EAP-Request and Diameter-EAP-Answer commands defined in

   Since the original ABNF of these commands allow other optional AVPs
   ("* [ AVP ]"), and the new AVPs defined in this specification do not
   have the 'M' flag set, the ABNF does not need any change.  Anyway, a
   Diameter node that advertizes support for the Diameter ERP
   application MUST support the new AVPs defined in this specification.

      Command-Name          Abbrev. Code Reference Application
      Diameter-EAP-Request  DER     268  RFC 4072  Diameter ERP
      Diameter-EAP-Answer   DEA     268  RFC 4072  Diameter ERP

                           Figure. Command Codes

10.  Open issues

   This document does not address some known issues in Diameter ERP
   mechanism.  The authors would like to hear ideas about how to address

   The main issue is the use of ERP for authentication after a handover
   of the peer to a new authenticator (or different authenticator port).
   Diameter ERP is not meant to be a mobility protocol.  A number of
   issues appear when we try to do handover in Diameter ERP (alone): how
   to manage the Session-Id AVP; how does the ER server provide the
   Authorization AVPs; how does the peer learn the ERP domain of the new
   authenticator; how does the home server reachs the peer to for
   example terminate the session; and so on...  Therefore, the
   management of the session for a mobile peer is not (yet) addressed in
   this document.  It must be studied how Diameter ERP can be for
   example used in conjunction with a mobility application (Diameter
   MIP4, Diameter MIP6) to support the optimized re-authentication in
   such situation.

   Another issue concerns the case where the home realm contains several
   EAP servers.  In multi rounds full EAP authentication, the
   Destination-Host AVP provides the solution to reach the same server
   across the exchanges.  Only this server possess the EMSK for the
   session.  In case of explicit bootstrapping, the ER server must
   therefore be able to reach the correct server to request the DSRK.  A
   solution might consist in saving the Origin-Host AVP of all
   successful EAP/DEA in the ER server, which is a bit similar to the
   implicit bootstrapping scenario described here -- only we save the
   server name instead of the root key, and we must then be able to
   match the DSRK with the user name.

   Finally, this document currently lacks a description of what happens
   when a Re-Auth-Request is received for a peer on the authenticator.


10.  Acknowledgements

   Hannes Tschofenig wrote the initial draft for this document and
   provided useful reviews.

   Vidya Narayanan reviewed a rough draft version of the document and
   found some errors.

   Lakshminath Dondeti contributed to the early versions of the

   Many thanks to these people!


11.  IANA Considerations

   This document requires IANA registration of the following new
   elements in the Authentication, Authorization, and Accounting (AAA)
   Parameters [1] registries.


11.1.  Diameter ERP application Application Identifier

   This specification requires IANA to allocate a new value "Diameter
   ERP" in the "Application IDs" registry created by using the policy specified in
   Section 11.3 of RFC 3588 [RFC3588].

      Application Identifier             | Value
      Diameter ERP                       | TBD

              IANA consideration for Diameter ERP application


11.2.  New AVPs

   This specification requires IANA to allocate new values from the "AVP
   Codes" registry defined according to the policy specified in Section 11.1 of
   RFC 3588 [RFC3588] for the following AVPs:






   These AVPs are defined in section Section 8.


12.  Security Considerations

   The security considerations from the following RFC documents also apply
   [RFC3588], [RFC4072], [RFC5247], [RFC5295], and [RFC5296].

   o  RFC 3588 [RFC3588]

   o  RFC 4072 [RFC4072]

   o  RFC 5247 [RFC5247]

   o  RFC 5295 [RFC5295]

   o  [RFC5296]

      Do we really respect these security considerations with the
      mechanism we describe here?  Is it safe to use ERP-RK-Request /
      Answer AVPs?  What is the worst case?

   EAP channel bindings may be necessary to ensure that the Diameter
   client and the server are in sync regarding the key Requesting
   Entity's Identity.  Specifically, the Requesting Entity advertises
   its identity through the EAP lower layer, and the user or the EAP
   peer communicates that identity to the EAP server (and the EAP server
   communicates that identity to the Diameter server) via the EAP method
   for user/peer to server verification of the Requesting Entity's


      What does this paragraph actually mean?

13.  References


13.1.  Normative References

   [I-D.ietf-dime-local-keytran]  Zorn, G., Wu, W., and V. Cakulev,
                                  "Diameter Attribute-Value Pairs for
                                  Cryptographic Key Transport",
                                  draft-ietf-dime-local-keytran-02 (work
                                  in progress), March 2010.

   [RFC2119]                      Bradner, S., "Key words for use in
                                  RFCs to Indicate Requirement Levels",
                                  BCP 14, RFC 2119, March 1997.

   [RFC3588]                      Calhoun, P., Loughney, J., Guttman,
                                  E., Zorn, G., and J. Arkko, "Diameter
                                  Base Protocol", RFC 3588,
                                  September 2003.

   [RFC3748]                      Aboba, B., Blunk, L., Vollbrecht, J.,
                                  Carlson, J., and H. Levkowetz,
                                  "Extensible Authentication Protocol
                                  (EAP)", RFC 3748, June 2004.

   [RFC4072]                      Eronen, P., Hiller, T., and G. Zorn,
                                  "Diameter Extensible Authentication
                                  Protocol (EAP) Application", RFC 4072,
                                  August 2005.

   [RFC5295]                      Salowey, J., Dondeti, L., Narayanan,
                                  V., and M. Nakhjiri, "Specification
                                  for the Derivation of Root Keys from
                                  an Extended Master Session Key
                                  (EMSK)", RFC 5295, August 2008.

   [RFC5296]                      Narayanan, V. and L. Dondeti, "EAP
                                  Extensions for EAP Re-
                                     authentication Re-authentication
                                  Protocol (ERP)", RFC 5296,
                                  August 2008.


13.2.  Informative References

   [I-D.ietf-dime-app-design-guide]  Fajardo, V., Asveren, T.,
                                     Tschofenig, H., McGregor, G., and
                                     J. Loughney, "Diameter Applications
                                     Design Guidelines",
                                     (work in progress), November 2008.

   [I-D.ietf-hokey-key-mgm]          Hoeper, K. and Y. Ohba,
                                     "Distribution of EAP based keys for
                                     handover and re-authentication",
                                     draft-ietf-hokey-key-mgm-06 (work
                                     in progress), April 2009.

   [I-D.wu-dime-local-keytran]       Wu, W., "Diameter support for local
                                     key transport protocol between
                                     local server and  home AAA server",
                                     (work in progress), May 2009.

   [RFC4187]                         Arkko, J. and H. Haverinen,
                                     "Extensible Authentication Protocol
                                     Method for 3rd Generation
                                     Authentication and Key Agreement
                                     (EAP-AKA)", RFC 4187, January 2006.

   [RFC5247]                      Aboba, B., Simon, D., and P. Eronen,
                                  "Extensible Authentication Protocol
                                  (EAP) Key Management Framework",
                                  RFC 5247, August 2008.


   [1]  <http://www.iana.org/assignments/aaa-parameters/>

Authors' Addresses

   Julien Bournelle
   Orange Labs
   38-40 rue du general Leclerc
   Issy-Les-Moulineaux  92794

   EMail: julien.bournelle@orange-ftgroup.com

   Lionel Morand
   Orange Labs
   38-40 rue du general Leclerc
   Issy-Les-Moulineaux  92794

   EMail: lionel.morand@orange-ftgroup.com

   Sebastien Decugis (editor)
   4-2-1 Nukui-Kitamachi
   Tokyo  184-8795
   Koganei, Japan

   EMail: sdecugis@nict.go.jp

   Qin Wu
   Huawei Technologies Co., Ltd
   Site B, Floor 12F, Huihong Mansion, No.91 Baixia Rd.
   Nanjing  210001

   EMail: sunseawq@huawei.com

   Glen Zorn (editor)
   Network Zen
   1463 East Thomas Republican Street
   Seattle, Washington  98102  98112

   Phone: +1 (206) 377-9035 206 931 0768
   EMail: gwz@net-zen.net