draft-ietf-dime-erp-14.txt   draft-ietf-dime-erp-15.txt 
Network Working Group J. Bournelle Network Working Group J. Bournelle
Internet-Draft L. Morand Internet-Draft L. Morand
Intended status: Standards Track Orange Labs Intended status: Standards Track Orange Labs
Expires: April 25, 2013 S. Decugis Expires: June 13, 2013 S. Decugis
INSIDE Secure INSIDE Secure
Q. Wu Q. Wu
Huawei Huawei
G. Zorn G. Zorn
Network Zen Network Zen
October 22, 2012 December 10, 2012
Diameter Support for the EAP Re-authentication Protocol (ERP) Diameter Support for the EAP Re-authentication Protocol (ERP)
draft-ietf-dime-erp-14.txt draft-ietf-dime-erp-15.txt
Abstract Abstract
The EAP Re-authentication Protocol (ERP) defines extensions to the The EAP Re-authentication Protocol (ERP) defines extensions to the
Extensible Authentication Protocol (EAP) to support efficient re- Extensible Authentication Protocol (EAP) to support efficient re-
authentication between the peer and an EAP Re-authentication (ER) authentication between the peer and an EAP Re-authentication (ER)
server through a compatible authenticator. This document specifies server through a compatible authenticator. This document specifies
Diameter support for ERP. It defines a new Diameter ERP application Diameter support for ERP. It defines a new Diameter ERP application
to transport ERP messages between an ER authenticator and the ER to transport ERP messages between an ER authenticator and the ER
server, and a set of new AVPs that can be used to transport the server, and a set of new AVPs that can be used to transport the
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 25, 2013. This Internet-Draft will expire on June 13, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 44 skipping to change at page 2, line 44
8.3.4. Key-Lifetime AVP . . . . . . . . . . . . . . . . . . . 13 8.3.4. Key-Lifetime AVP . . . . . . . . . . . . . . . . . . . 13
9. Result-Code AVP Values . . . . . . . . . . . . . . . . . . . . 13 9. Result-Code AVP Values . . . . . . . . . . . . . . . . . . . . 13
9.1. Permanent Failures . . . . . . . . . . . . . . . . . . . . 13 9.1. Permanent Failures . . . . . . . . . . . . . . . . . . . . 13
10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 13 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 13
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
12.1. Diameter Application Identifier . . . . . . . . . . . . . 14 12.1. Diameter Application Identifier . . . . . . . . . . . . . 14
12.2. New AVPs . . . . . . . . . . . . . . . . . . . . . . . . . 14 12.2. New AVPs . . . . . . . . . . . . . . . . . . . . . . . . . 14
12.3. New Permanent Failures Result-Code AVP Values . . . . . . 14 12.3. New Permanent Failures Result-Code AVP Values . . . . . . 14
13. Security Considerations . . . . . . . . . . . . . . . . . . . 14 13. Security Considerations . . . . . . . . . . . . . . . . . . . 14
14. Normative References . . . . . . . . . . . . . . . . . . . . . 15 14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
14.1. Normative References . . . . . . . . . . . . . . . . . . . 15
14.2. Informative References . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
Cao, et al. [RFC6696] defines the EAP Re-authentication Protocol Cao, et al. [RFC6696] defines the EAP Re-authentication Protocol
(ERP). It consists of the following steps: (ERP). It consists of the following steps:
Bootstrapping Bootstrapping
A root key for re-authentication is derived from the Extended A root key for re-authentication is derived from the Extended
Master Session Key (EMSK) created during EAP authentication Master Session Key (EMSK) created during EAP authentication
skipping to change at page 4, line 18 skipping to change at page 4, line 18
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Assumptions 3. Assumptions
This document assumes the existence of at most one logical ER server This document assumes the existence of at most one logical ER server
entity in a domain. If several physical servers are deployed for entity in a domain. If several physical servers are deployed for
robustness, a replication mechanism must be deployed to synchronize robustness, a replication mechanism must be deployed to synchronize
the ERP state (e.g., root keys) between these servers. This the ERP state (e.g., root keys) between these servers. Any such
replication mechanism is out of the scope of this document. If replication mechanism is outside the scope of this document. If
multiple ER servers are deployed in the domain, we assume that they multiple ER servers are deployed in the domain, we assume that they
can be used interchangeably. If multiple ER servers are deployed can be used interchangeably. If multiple ER servers are deployed
across the domains, we assume only one ER server that is near to the across the domains, we assume only one ER server that is near the
peer is getting involved in the ERP. peer is involved in ERP.
Also this document assumes the existence of at most one EAP server This document also assumes the existence of at most one EAP server
entity in the home domain. In case of multiple physical home EAP entity in the home domain. In case of multiple physical home EAP
servers in the same domain, if the ER server wants to reach the same servers in the same domain, if the ER server wants to reach the same
home EAP server, the ER server may cache the Destination-Host AVP home EAP server, the ER server may cache the Destination-Host AVP
corresponding to the home EAP server it requests. corresponding to the home EAP server it requests.
4. Protocol Overview 4. Protocol Overview
The following figure shows the components involved in ERP, and their The following figure illustrates the components involved in ERP and
interactions. their interactions.
Diameter +--------+ Diameter +--------+
+-------------+ ERP +-----------+ (*) | Home | +-------------+ ERP +-----------+ (*) | Home |
Peer <->|Authenticator|<=======>| ER server | <---> | EAP | Peer <->|Authenticator|<=======>| ER server | <---> | EAP |
+-------------+ +-----------+ | server | +-------------+ +-----------+ | server |
+--------+ +--------+
(*) Diameter EAP application, explicit bootstrapping scenario only. (*) Diameter EAP application, explicit bootstrapping scenario only.
Figure 1: Diameter ERP Overview. Figure 1: Diameter ERP Overview.
skipping to change at page 5, line 21 skipping to change at page 5, line 21
If there is no local ER server, the message is routed according to If there is no local ER server, the message is routed according to
its Destination-Realm AVP content, extracted from the realm component its Destination-Realm AVP content, extracted from the realm component
of the keyName-NAI attribute. As specified in RFC 6696, this realm of the keyName-NAI attribute. As specified in RFC 6696, this realm
is the home domain of the peer in the case of bootstrapping exchange is the home domain of the peer in the case of bootstrapping exchange
('B' flag is set in ERP message) or the domain of the bootstrapped ER ('B' flag is set in ERP message) or the domain of the bootstrapped ER
server otherwise . server otherwise .
If no ER server is available in the home domain either, the ERP/DER If no ER server is available in the home domain either, the ERP/DER
message cannot be delivered, and an error DIAMETER_UNABLE_TO_DELIVER message cannot be delivered, and an error DIAMETER_UNABLE_TO_DELIVER
MUST be generated as specified in [I-D.ietf-dime-rfc3588bis] and MUST be generated as specified in [RFC6733] and returned to the
returned to the authenticator. The authenticator MAY cache this authenticator. The authenticator MAY cache this information (with
information (with limited duration) to avoid further attempts to limited duration) to avoid further attempts to execute ERP with this
execute ERP with this realm. It MAY also fallback to full EAP realm. It MAY also fallback to full EAP authentication to
authentication to authenticate the peer. authenticate the peer.
When an ER server receives the ERP/DER message, it searches its local When an ER server receives the ERP/DER message, it searches its local
database for a valid, unexpired root key matching the keyName part of database for a valid, unexpired root key matching the keyName part of
the User-Name AVP. If such key is found, the ER server processes the the User-Name AVP. If such key is found, the ER server processes the
ERP message as described in RFC 6696, then creates the ERP/DEA answer ERP message as described in RFC 6696, then creates the ERP/DEA answer
as described in Section 6. The rMSK is included in this answer. as described in Section 6. The rMSK is included in this answer.
Finally, the authenticator extracts the rMSK from the ERP/DEA as Finally, the authenticator extracts the rMSK from the ERP/DEA as
described in RFC 6696, and forwards the content of the EAP-Payload described in RFC 6696, and forwards the content of the EAP-Payload
AVP, the EAP-Finish/Re-Auth message, to the peer. AVP, the EAP-Finish/Re-Auth message, to the peer.
skipping to change at page 8, line 30 skipping to change at page 8, line 30
5.2. Bootstrapping During the First Re-authentication 5.2. Bootstrapping During the First Re-authentication
Bootstrapping the ER server during the first re-authentication (also Bootstrapping the ER server during the first re-authentication (also
known as explicit bootstrapping) is only needed when there is no known as explicit bootstrapping) is only needed when there is no
local ER server in the visited domain and there is an ER server in local ER server in the visited domain and there is an ER server in
the home domain. It is less resource-intensive, since the EMSK the home domain. It is less resource-intensive, since the EMSK
generated during initial EAP authentication is reused to derive root generated during initial EAP authentication is reused to derive root
keys. On the other hand, the first re-authentication requires a one- keys. On the other hand, the first re-authentication requires a one-
round-trip exchange with the home EAP server, since the EMSK is round-trip exchange with the home EAP server, since the EMSK is
generated during the initial EAP authentication and never leaves the generated during the initial EAP authentication and never leaves the
home EAP server, which is less efficient than the implicit home EAP server, which is less efficient than implicit bootstrapping.
bootstrapping scenario.
The EAP-Initiate/Re-auth message is sent to the home ER server. The The EAP-Initiate/Re-auth message is sent to the home ER server. The
home ER server receives the ERP/DER message containing the EAP- home ER server receives the ERP/DER message containing the EAP-
Initiate/Re-Auth message with the 'B' flag set. It creates the new Initiate/Re-Auth message with the 'B' flag set. It creates the new
EAP/DER message using the received DRP/DER message and performs the EAP/DER message using the received DRP/DER message and performs the
following processing: following processing:
Set the Application Id in the header of the message to <Diameter Set the Application Id in the header of the message to <Diameter
EAP Application> [RFC4072] EAP Application> [RFC4072]
skipping to change at page 9, line 19 skipping to change at page 9, line 18
the Domain- Name TLV attribute with the content from the ERP-Realm the Domain- Name TLV attribute with the content from the ERP-Realm
AVP. The server creates the EAP/DEA reply message [RFC4072] AVP. The server creates the EAP/DEA reply message [RFC4072]
including an instance of the Key AVP (Section 8.3) with Key-Type AVP including an instance of the Key AVP (Section 8.3) with Key-Type AVP
set to rRK and an instance of the Domain-Name TLV attribute with the set to rRK and an instance of the Domain-Name TLV attribute with the
content from the ERP-Realm AVP. content from the ERP-Realm AVP.
The ER server receives this EAP/DEA and proxies it as follows, in The ER server receives this EAP/DEA and proxies it as follows, in
addition to standard proxy operations: addition to standard proxy operations:
Set the Application Id back to Diameter ERP Application Id Set the Application Id back to Diameter ERP Application Id
(Section 12.1 ) (Section 12.1)
Extract and cache the content of the Key AVP with Key-Type set to Extract and cache the content of the Key AVP with Key-Type set to
rRK, as described in the implicit scenario (Section 5.1). rRK, as described in Section 5.1).
The ERP/DEA message is then forwarded to the authenticator, that can The ERP/DEA message is then forwarded to the authenticator, that can
use the rMSK as described in RFC 6696. use the rMSK as described in RFC 6696.
The figure below captures this proxy behavior: The figure below captures this proxy behavior:
Authenticator ER server Home Diameter server Authenticator ER server Home Diameter server
============= ========= ==================== ============= ========= ====================
-----------------------> ----------------------->
Diameter ERP/DER Diameter ERP/DER
skipping to change at page 10, line 51 skipping to change at page 10, line 51
specific code (EAP-Initiate). The peer should fallback to full EAP specific code (EAP-Initiate). The peer should fallback to full EAP
authentication in this case. authentication in this case.
When the authenticator receives an EAP-Initiate/Re-auth message from When the authenticator receives an EAP-Initiate/Re-auth message from
the peer, the message is processed as described in RFC 6696 with the peer, the message is processed as described in RFC 6696 with
regard to the EAP state machine. It creates a Diameter ERP/DER regard to the EAP state machine. It creates a Diameter ERP/DER
message following the general process of Diameter EAP [RFC4072], with message following the general process of Diameter EAP [RFC4072], with
the following differences: the following differences:
The Application Id in the header is set to <Diameter ERP> (code The Application Id in the header is set to <Diameter ERP> (code
TBD1 ). TBD1).
The value in Auth-Application-Id AVP is also set to <Diameter The value in Auth-Application-Id AVP is also set to <Diameter
ERP>. ERP>.
The keyName-NAI attribute from the ERP message is used to create The keyName-NAI attribute from the ERP message is used to create
the content of the User-Name and Destination-Realm AVPs. the content of the User-Name and Destination-Realm AVPs.
The Auth-Request-Type AVP content is set to the appropriate value. The Auth-Request-Type AVP content is set to the appropriate value.
The EAP-Payload AVP contains the EAP-Initiate/Re-Auth meassge. The EAP-Payload AVP contains the EAP-Initiate/Re-Auth message.
Then this ERP/DER message is sent as described in Section 4. Then this ERP/DER message is sent as described in Section 4.
The ER server receives and processes this request as described in The ER server receives and processes this request as described in
Section 4. It then creates an ERP/DEA message following the general Section 4. It then creates an ERP/DEA message following the general
process described in RFC4072 [RFC4072], with the following process described in RFC4072 [RFC4072], with the following
differences: differences:
The Application Id in the header is set to <Diameter ERP> (code The Application Id in the header is set to <Diameter ERP> (code
TBD1). TBD1).
skipping to change at page 11, line 37 skipping to change at page 11, line 37
The EAP-Payload AVP contains the EAP-Finish/Re-auth message. The EAP-Payload AVP contains the EAP-Finish/Re-auth message.
If authentication is successful, an instance of the Key AVP If authentication is successful, an instance of the Key AVP
containing the Re-authentication Master Session Key (rMSK) derived containing the Re-authentication Master Session Key (rMSK) derived
by ERP is included. by ERP is included.
When the authenticator receives this ERP/DEA answer, it processes it When the authenticator receives this ERP/DEA answer, it processes it
as described in the Diameter EAP Application specification [RFC4072] as described in the Diameter EAP Application specification [RFC4072]
and RFC 6696: the content of the EAP-Payload AVP is forwarded to the and RFC 6696: the content of the EAP-Payload AVP is forwarded to the
peer, and the contents of the Keying-Material AVP peer, and the contents of the Keying-Material AVP [RFC6734] is used
[I-D.ietf-dime-local-keytran] is used as a shared secret for a secure as a shared secret for a secure association protocol specific to the
association protocol specific to the lower-layer in use. lower-layer in use.
7. Application Id 7. Application Id
We define a new Diameter application in this document, Diameter ERP We define a new Diameter application in this document, Diameter ERP
Application, with an Application Id value of TBD1. Diameter nodes Application, with an Application Id value of TBD1. Diameter nodes
conforming to this specification in the role of ER server MUST conforming to this specification in the role of ER server MUST
advertise support by including an Auth-Application-Id AVP with a advertise support by including an Auth-Application-Id AVP with a
value of Diameter ERP in the Capabilities-Exchange-Request and value of Diameter ERP in the Capabilities-Exchange-Request and
Capabilities-Exchange-Answer commands [I-D.ietf-dime-rfc3588bis]. Capabilities-Exchange-Answer commands [RFC6733].
The primary use of the Diameter ERP Application Id is to ensure The primary use of the Diameter ERP Application Id is to ensure
proper routing of the messages, and that the nodes that advertise the proper routing of the messages, and that the nodes that advertise the
support for this application do understand the new AVPs defined in support for this application do understand the new AVPs defined in
Section 8, although these AVP have the 'M' flag cleared. Section 8, although these AVP have the 'M' flag cleared.
8. AVPs 8. AVPs
The following sub-sections discuss the AVPs used by the Diameter ERP The following sub-sections discuss the AVPs used by the Diameter ERP
application. application.
skipping to change at page 12, line 34 skipping to change at page 12, line 34
8.2. ERP-Realm AVP 8.2. ERP-Realm AVP
The ERP-Realm AVP (AVP Code TBD3) is of type DiameterIdentity. It The ERP-Realm AVP (AVP Code TBD3) is of type DiameterIdentity. It
contains the name of the realm in which the ER server is located. contains the name of the realm in which the ER server is located.
This AVP has the M and V bits cleared. This AVP has the M and V bits cleared.
8.3. Key AVP 8.3. Key AVP
The Key AVP [I-D.ietf-dime-local-keytran] is of type "Grouped" and is The Key AVP [RFC6734] is of type "Grouped" and is used to carry the
used to carry the rRK or rMSK and associated attributes. The usage rRK or rMSK and associated attributes. The usage of the Key AVP and
of the Key AVP and its constituent AVPs in this application is its constituent AVPs in this application is specified in the
specified in the following sub-sections. following sub-sections.
8.3.1. Key-Type AVP 8.3.1. Key-Type AVP
The value of the Key-Type AVP MUST be set to 2 for rRK or 3 for rMSK. The value of the Key-Type AVP MUST be set to 2 for rRK or 3 for rMSK.
8.3.2. Keying-Material AVP 8.3.2. Keying-Material AVP
The Keying-Material AVP contains the rRK sent by the home EAP server The Keying-Material AVP contains the rRK sent by the home EAP server
to the ER server, in answer to a request containing an ERP-RK-Request to the ER server, in answer to a request containing an ERP-RK-Request
AVP, or the rMSK sent by the ER server to the authenticator. How AVP, or the rMSK sent by the ER server to the authenticator. How
skipping to change at page 13, line 18 skipping to change at page 13, line 18
The derivation of this name is specified in RFC 6696. The derivation of this name is specified in RFC 6696.
8.3.4. Key-Lifetime AVP 8.3.4. Key-Lifetime AVP
The Key-Lifetime AVP contains the lifetime of the keying material in The Key-Lifetime AVP contains the lifetime of the keying material in
seconds. It MUST NOT be greater than the remaining lifetime of the seconds. It MUST NOT be greater than the remaining lifetime of the
EMSK from which the material was derived. EMSK from which the material was derived.
9. Result-Code AVP Values 9. Result-Code AVP Values
This section defines new Result-Code [I-D.ietf-dime-rfc3588bis] This section defines new Result-Code [RFC6733] values that MUST be
values that MUST be supported by all Diameter implementations that supported by all Diameter implementations that conform to this
conform to this specification. specification.
9.1. Permanent Failures 9.1. Permanent Failures
Errors that fall within the Permanent Failures category are used to Errors that fall within the Permanent Failures category are used to
inform the peer that the request failed and SHOULD NOT be attempted inform the peer that the request failed and SHOULD NOT be attempted
again. again.
DIAMETER_ERROR_ EAP_CODE_UNKNOWN (TBD4) DIAMETER_ERROR_ EAP_CODE_UNKNOWN (TBD4)
This error code is used by the Diameter server to inform the This error code is used by the Diameter server to inform the
skipping to change at page 13, line 43 skipping to change at page 13, line 43
10. Contributors 10. Contributors
Hannes Tschofenig wrote the initial draft of this document. Hannes Tschofenig wrote the initial draft of this document.
Lakshminath Dondeti contributed to the early versions of the Lakshminath Dondeti contributed to the early versions of the
document. document.
11. Acknowledgements 11. Acknowledgements
Hannes Tschofenig, Zhen Cao, Benoit Claise, Elwyn Davies and Jouni Hannes Tschofenig, Zhen Cao, Benoit Claise, Elwyn Davies, Menachem
Korhonen provided useful reviews. Dodge, Vincent Roca and Jouni Korhonen provided useful reviews.
Vidya Narayanan reviewed a rough draft version of the document and Vidya Narayanan reviewed a rough draft version of the document and
found some errors. found some errors.
Many thanks to these people! Many thanks to these people!
12. IANA Considerations 12. IANA Considerations
This document requires IANA registration of the following new This document requires IANA registration of the following new
elements in the Authentication, Authorization, and Accounting (AAA) elements in the Authentication, Authorization, and Accounting (AAA)
Parameters [1] registries. Parameters registries [AAAPARAMS].
12.1. Diameter Application Identifier 12.1. Diameter Application Identifier
This specification requires IANA to allocate a new value "Diameter This specification requires IANA to allocate a new value "Diameter
ERP" in the "Application IDs" registry using the policy specified in ERP" (code: TBD1) in the "Application IDs" registry using the policy
Section 11.3 of RFC 3588 [RFC3588]. specified in Section 11.3 of RFC 3588 [RFC3588].
12.2. New AVPs 12.2. New AVPs
This specification requires IANA to allocate new values from the "AVP This specification requires IANA to allocate new values from the "AVP
Codes" registry according to the policy specified in Section 11.1 of Codes" registry according to the policy specified in Section 11.1 of
Fajardo, et al. [I-D.ietf-dime-rfc3588bis] for the following AVPs: Fajardo, et al. [RFC6733] for the following AVPs:
ERP-RK-Request ERP-RK-Request (code: TBD2)
ERP-Realm ERP-Realm (code: TBD3)
These AVPs are defined in Section 8. These AVPs are defined in Section 8.
12.3. New Permanent Failures Result-Code AVP Values 12.3. New Permanent Failures Result-Code AVP Values
This specification requires IANA to allocate a new value from the This specification requires IANA to allocate a new value from the
"Result-Code AVP Values (code 268) - Permanent Failure" registry "Result-Code AVP Values (code 268) - Permanent Failure" registry
according to the policy specified in Section 11.3.2 of Fajardo, et according to the policy specified in Section 11.3.2 of Fajardo, et
al. [I-D.ietf-dime-rfc3588bis] for the following Result-Code: al. [RFC6733] for the following Result-Code:
DIAMETER_ERROR_EAP_CODE_UNKNOWN TBD4 DIAMETER_ERROR_EAP_CODE_UNKNOWN (code: TBD4)
This result-code value is defined in Section 9. This result-code value is defined in Section 9.
13. Security Considerations 13. Security Considerations
The security considerations from the following documents apply here: The security considerations from the following documents apply here:
o Fajardo, et al. [I-D.ietf-dime-rfc3588bis] o Fajardo, et al. [RFC6733]
o RFC 4072 [RFC4072] o RFC 4072 [RFC4072]
o RFC 6696 [RFC6696] o RFC 6696 [RFC6696]
o Zorn, Wu and Cakulev [I-D.ietf-dime-local-keytran] o Zorn, Wu and Cakulev [RFC6734]
14. Normative References 14. References
[I-D.ietf-dime-local-keytran] Zorn, G., Wu, W., and V. Cakulev, 14.1. Normative References
"Diameter Attribute-Value Pairs for
Cryptographic Key Transport",
draft-ietf-dime-local-keytran-14 (work
in progress), August 2011.
[I-D.ietf-dime-rfc3588bis] Fajardo, V., Arkko, J., Loughney, J., [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
and G. Zorn, "Diameter Base Protocol", Requirement Levels", BCP 14, RFC 2119, March 1997.
draft-ietf-dime-rfc3588bis-34 (work in
progress), June 2012.
[RFC2119] Bradner, S., "Key words for use in [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
RFCs to Indicate Requirement Levels", Arkko, "Diameter Base Protocol", RFC 3588,
BCP 14, RFC 2119, March 1997. September 2003.
[RFC3588] Calhoun, P., Loughney, J., Guttman, [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and
E., Zorn, G., and J. Arkko, "Diameter H. Levkowetz, "Extensible Authentication Protocol
Base Protocol", RFC 3588, (EAP)", RFC 3748, June 2004.
September 2003.
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., [RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter
Carlson, J., and H. Levkowetz, Extensible Authentication Protocol (EAP) Application",
"Extensible Authentication Protocol RFC 4072, August 2005.
(EAP)", RFC 3748, June 2004.
[RFC4072] Eronen, P., Hiller, T., and G. Zorn, [RFC5295] Salowey, J., Dondeti, L., Narayanan, V., and M.
"Diameter Extensible Authentication Nakhjiri, "Specification for the Derivation of Root Keys
Protocol (EAP) Application", RFC 4072, from an Extended Master Session Key (EMSK)", RFC 5295,
August 2005. August 2008.
[RFC5295] Salowey, J., Dondeti, L., Narayanan, [RFC6696] Cao, Z., He, B., Shi, Y., Wu, Q., and G. Zorn, "EAP
V., and M. Nakhjiri, "Specification Extensions for the EAP Re-authentication Protocol
for the Derivation of Root Keys from (ERP)", RFC 6696, July 2012.
an Extended Master Session Key
(EMSK)", RFC 5295, August 2008.
[RFC6696] Cao, Z., He, B., Shi, Y., Wu, Q., and [RFC6733] Fajardo, V., Arkko, J., Loughney, J., and G. Zorn,
G. Zorn, "EAP Extensions for the EAP "Diameter Base Protocol", RFC 6733, October 2012.
Re-authentication Protocol (ERP)",
RFC 6696, July 2012.
[1] <http://www.iana.org/assignments/aaa-parameters/> [RFC6734] Zorn, G., Wu, Q., and V. Cakulev, "Diameter Attribute-
Value Pairs for Cryptographic Key Transport", RFC 6734,
October 2012.
14.2. Informative References
[AAAPARAMS] Internet Assigned Numbers Authority, "Authentication,
Authorization, and Accounting (AAA) Parameters",
http://www.iana.org/assignments/aaa-parameters/.
Authors' Addresses Authors' Addresses
Julien Bournelle Julien Bournelle
Orange Labs Orange Labs
38-40 rue du general Leclerc 38-40 rue du general Leclerc
Issy-Les-Moulineaux 92794 Issy-Les-Moulineaux 92794
France France
EMail: julien.bournelle@orange-ftgroup.com EMail: julien.bournelle@orange-ftgroup.com
 End of changes. 39 change blocks. 
81 lines changed or deleted 78 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/