draft-ietf-dime-erp-03.txt   draft-ietf-dime-erp-04.txt 
Network Working Group J. Bournelle Network Working Group J. Bournelle
Internet-Draft L. Morand Internet-Draft L. Morand
Intended status: Standards Track Orange Labs Intended status: Standards Track Orange Labs
Expires: September 8, 2010 S. Decugis, Ed. Expires: March 10, 2011 S. Decugis, Ed.
NICT NICT
Q. Wu Q. Wu
Huawei Huawei
G. Zorn, Ed. G. Zorn, Ed.
Network Zen Network Zen
March 7, 2010 September 6, 2010
Diameter support for the EAP Re-authentication Protocol (ERP) Diameter Support for the EAP Re-authentication Protocol (ERP)
draft-ietf-dime-erp-03.txt draft-ietf-dime-erp-04.txt
Abstract Abstract
The EAP Re-authentication Protocol (ERP) defines extensions to the The EAP Re-authentication Protocol (ERP) defines extensions to the
Extensible Authentication Protocol (EAP) to support efficient re- Extensible Authentication Protocol (EAP) to support efficient re-
authentication between the peer and an EAP Re-authentication (ER) authentication between the peer and an EAP Re-authentication (ER)
server through a compatible authenticator. This document specifies server through a compatible authenticator. This document specifies
Diameter support for ERP. It defines a new Diameter ERP application Diameter support for ERP. It defines a new Diameter ERP application
to transport ERP messages between an ER authenticator and the ER to transport ERP messages between an ER authenticator and the ER
server, and a set of new AVPs that can be used to transport the server, and a set of new AVPs that can be used to transport the
cryptographic material needed by the re-authentication server. cryptographic material needed by the re-authentication server.
Status of This Memo Status of This Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF). Note that other groups may also distribute
other groups may also distribute working documents as Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at This Internet-Draft will expire on March 10, 2011.
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 8, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4
5. Bootstrapping the ER Server . . . . . . . . . . . . . . . . . 6 5. Bootstrapping the ER Server . . . . . . . . . . . . . . . . . 6
5.1. Bootstrapping During the Initial EAP authentication . . . 6 5.1. Bootstrapping During the Initial EAP authentication . . . 6
skipping to change at page 3, line 42 skipping to change at page 3, line 42
2. Terminology 2. Terminology
This document uses terminology defined in RFC 3748 [RFC3748], RFC This document uses terminology defined in RFC 3748 [RFC3748], RFC
5295 [RFC5295], RFC 5296 [RFC5296], and RFC 4072 [RFC4072]. 5295 [RFC5295], RFC 5296 [RFC5296], and RFC 4072 [RFC4072].
"Root key" (RK) or "bootstrapping material" refer to the rRK or rDSRK "Root key" (RK) or "bootstrapping material" refer to the rRK or rDSRK
derived from an EMSK, depending on the location of the ER server in derived from an EMSK, depending on the location of the ER server in
home or foreign domain. home or foreign domain.
We use the notation "ERP/DER" in this document to refer to a We use the notation "ERP/DER" and "ERP/DEA" in this document to refer
Diameter-EAP-Request command with its Application Id set to Diameter to Diameter-EAP-Request and Diameter-EAP-Answer commands with the
ERP application. Similarly, we use the "ERP/DEA", "EAP/DER", and Application Id set to "Diameter ERP Application" Section 11.1; the
"EAP/DEA". same commands are denoted "EAP/DER" and "EAP/DEA" when the
Application Id in the message is set to "Diameter EAP Application"
[RFC4072].
2.1. Requirements Language 2.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Assumptions 3. Assumptions
This document assumes the existence of at most one logical ER server This document assumes the existence of at most one logical ER server
skipping to change at page 4, line 38 skipping to change at page 4, line 39
The ER server is located either in the home domain (same as EAP The ER server is located either in the home domain (same as EAP
server) or in the visited domain (same as authenticator, when it server) or in the visited domain (same as authenticator, when it
differs from the home domain). differs from the home domain).
QUESTION: QUESTION:
Can the ER server be located in a third domain (ex: broker's) Can the ER server be located in a third domain (ex: broker's)
according to ERP mechanism? according to ERP mechanism?
When the peer initiates an ERP exchange, the authenticator creates a When the peer initiates an ERP exchange, the authenticator creates a
Diameter-EAP-Request message, as described in Diameter EAP Diameter-EAP-Request message [RFC4072]. The Application Id of the
application [RFC4072]. The Application Id of the message is set to message is set to that of the Diameter ERP application (code: TBD) in
that of the Diameter ERP application (code: TBD) in the message. The the message. The generation of the ERP/DER message is detailed in
generation of the ERP/DER message is detailed in section Section 6. Section 6.
If there is an ER server in the same domain as the authenticator If there is an ER server in the same domain as the authenticator
(local domain), Diameter routing MUST (local domain), Diameter routing MUST
QUESTION: QUESTION:
Should this say "SHOULD: instead of "MUST"? Should this say "SHOULD: instead of "MUST"?
be configured so that this ERP/DER message reachs this server, even be configured so that this ERP/DER message reachs this server, even
if the Destination-Realm is not the local domain. if the Destination-Realm is not the local domain.
skipping to change at page 5, line 47 skipping to change at page 5, line 48
If the EAP-Initiate/Re-Auth message has its 'B' flag set If the EAP-Initiate/Re-Auth message has its 'B' flag set
(Bootstrapping exchange), the ER server should not possess the root (Bootstrapping exchange), the ER server should not possess the root
key in its local database key in its local database
COMMENT: COMMENT:
This may not be true in future RFC5296bis? This may not be true in future RFC5296bis?
In this case, the ER server acts as a proxy, and forwards the message In this case, the ER server acts as a proxy, and forwards the message
to the home EAP server after changing its Application Id to Diameter to the home EAP server after changing its Application Id to Diameter
EAP and adding an AVP to request the root key. See section Section 5 EAP and adding an AVP to request the root key. See Section 5 for
for more detail on this process. more detail on this process.
5. Bootstrapping the ER Server 5. Bootstrapping the ER Server
The bootstrapping process involves the home EAP server and the ER The bootstrapping process involves the home EAP server and the ER
server, but also impacts the peer and the authenticator. In ERP, the server, but also impacts the peer and the authenticator. In ERP, the
peer must derive the same keying material as the ER server. To peer must derive the same keying material as the ER server. To
achieve this, it must learn the domain name of the ER server. How achieve this, it must learn the domain name of the ER server. How
this information is acquired is outside the scope of this this information is acquired is outside the scope of this
specification, but it may involves that the authenticator is specification, but it may involves that the authenticator is
configured to advertize this domain name, especially in the case of configured to advertize this domain name, especially in the case of
re-authentication after a handover. re-authentication after a handover.
The bootstrapping of an ER server with a given root key happens The bootstrapping of an ER server with a given root key happens
either during the initial EAP authentication of the peer when the either during the initial EAP authentication of the peer when the
EMSK -- from which the root key is derived -- is created, during the EMSK -- from which the root key is derived -- is created, during the
first re-authentication, or sometime between those events. We only first re-authentication, or sometime between those events. We only
consider the first two possibilities in this specification, in the consider the first two possibilities in this specification, in the
following subsections. following sub-sections.
5.1. Bootstrapping During the Initial EAP authentication 5.1. Bootstrapping During the Initial EAP authentication
Bootstrapping the ER server during the initial EAP authentication Bootstrapping the ER server during the initial EAP authentication
(also known as implicit bootstrapping) offers the advantage that the (also known as implicit bootstrapping) offers the advantage that the
server is immediatly available for re-authentication of the peer, server is immediatly available for re-authentication of the peer,
thus minimizing re-authentication delay. On the other hand, it is thus minimizing re-authentication delay. On the other hand, it is
possible that only a small number of peers will use re-authentication possible that only a small number of peers will use re-authentication
in the visited domain. Deriving and caching key material for all the in the visited domain. Deriving and caching key material for all the
peers (for example, for the peers that do not support ERP) is a waste peers (for example, for the peers that do not support ERP) is a waste
skipping to change at page 13, line 17 skipping to change at page 13, line 17
We define a new Diameter application in this document, Diameter ERP We define a new Diameter application in this document, Diameter ERP
Application, with an Application Id value of TBD. Diameter nodes Application, with an Application Id value of TBD. Diameter nodes
conforming to this specification in the role of ER server MUST conforming to this specification in the role of ER server MUST
advertise support by including an Auth-Application-Id AVP with a advertise support by including an Auth-Application-Id AVP with a
value of Diameter ERP Application in the of the Capabilities- value of Diameter ERP Application in the of the Capabilities-
Exchange-Request and Capabilities-Exchange-Answer commands [RFC3588]. Exchange-Request and Capabilities-Exchange-Answer commands [RFC3588].
The primary use of the Diameter ERP Application Id is to ensure The primary use of the Diameter ERP Application Id is to ensure
proper routing of the messages, and that the nodes that advertise the proper routing of the messages, and that the nodes that advertise the
support for this application do understand the new AVPs defined in support for this application do understand the new AVPs defined in
section Section 8, although these AVP have the 'M' flag cleared. Section 8, although these AVP have the 'M' flag cleared.
8. AVPs 8. AVPs
This section discusses the AVPs used by the Diameter ERP application. This section discusses the AVPs used by the Diameter ERP application.
8.1. ERP-RK-Request AVP 8.1. ERP-RK-Request AVP
The ERP-RK-Request AVP (AVP Code TBD) is of type grouped AVP. This The ERP-RK-Request AVP (AVP Code TBD) is of type grouped AVP. This
AVP is used by the ER server to indicate its willingness to act as ER AVP is used by the ER server to indicate its willingness to act as ER
server for a particular session. server for a particular session.
skipping to change at page 16, line 6 skipping to change at page 16, line 6
11.2. New AVPs 11.2. New AVPs
This specification requires IANA to allocate new values from the "AVP This specification requires IANA to allocate new values from the "AVP
Codes" registry according to the policy specified in Section 11.1 of Codes" registry according to the policy specified in Section 11.1 of
RFC 3588 [RFC3588] for the following AVPs: RFC 3588 [RFC3588] for the following AVPs:
ERP-RK-Request ERP-RK-Request
ERP-Realm ERP-Realm
These AVPs are defined in section Section 8. These AVPs are defined in Section 8.
12. Security Considerations 12. Security Considerations
The security considerations from the following documents also apply The security considerations from the following documents also apply
here: here:
o RFC 3588 [RFC3588] o RFC 3588 [RFC3588]
o RFC 4072 [RFC4072] o RFC 4072 [RFC4072]
skipping to change at page 16, line 47 skipping to change at page 16, line 47
QUESTION: QUESTION:
What does this paragraph actually mean? What does this paragraph actually mean?
13. References 13. References
13.1. Normative References 13.1. Normative References
[I-D.ietf-dime-local-keytran] Zorn, G., Wu, W., and V. Cakulev, [I-D.ietf-dime-local-keytran] Zorn, G., Wu, W., and V. Cakulev,
"Diameter Attribute-Value Pairs for "Diameter Attribute-Value Pairs for
Cryptographic Key Transport", Cryptographic Key Transport",
draft-ietf-dime-local-keytran-02 (work draft-ietf-dime-local-keytran-07 (work
in progress), March 2010. in progress), June 2010.
[RFC2119] Bradner, S., "Key words for use in [RFC2119] Bradner, S., "Key words for use in
RFCs to Indicate Requirement Levels", RFCs to Indicate Requirement Levels",
BCP 14, RFC 2119, March 1997. BCP 14, RFC 2119, March 1997.
[RFC3588] Calhoun, P., Loughney, J., Guttman, [RFC3588] Calhoun, P., Loughney, J., Guttman,
E., Zorn, G., and J. Arkko, "Diameter E., Zorn, G., and J. Arkko, "Diameter
Base Protocol", RFC 3588, Base Protocol", RFC 3588,
September 2003. September 2003.
 End of changes. 14 change blocks. 
31 lines changed or deleted 27 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/