draft-ietf-hokey-erp-aak-00.txt   draft-ietf-hokey-erp-aak-01.txt 
Network Working Group Z. Cao Network Working Group Z. Cao
Internet-Draft H. Deng Internet-Draft H. Deng
Intended status: Standards Track China Mobile Intended status: Standards Track China Mobile
Expires: October 11, 2010 Y. Wang Expires: October 29, 2010 Y. Wang
Q. Wu Q. Wu
Huawei Technologies Co., Ltd. Huawei Technologies Co., Ltd.
G. Zorn, Ed. G. Zorn, Ed.
Network Zen Network Zen
April 9, 2010 April 27, 2010
EAP Re-authentication Protocol Extensions for Authenticated Anticipatory EAP Re-authentication Protocol Extensions for Authenticated Anticipatory
Keying Keying (ERP/AAK)
draft-ietf-hokey-erp-aak-00 draft-ietf-hokey-erp-aak-01
Abstract Abstract
The Extensible Authentication Protocol (EAP) is a generic framework The Extensible Authentication Protocol (EAP) is a generic framework
supporting multiple types of authentication methods. supporting multiple types of authentication methods.
The EAP Re-authentication Protocol (ERP) specifies extensions to EAP The EAP Re-authentication Protocol (ERP) specifies extensions to EAP
and the EAP keying hierarchy to support an EAP method-independent and the EAP keying hierarchy to support an EAP method-independent
protocol for efficient re-authentication between the peer and an EAP protocol for efficient re-authentication between the peer and an EAP
re-authentication server through any authenticator. re-authentication server through any authenticator.
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 11, 2010. This Internet-Draft will expire on October 29, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 28 skipping to change at page 2, line 28
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Standards Language . . . . . . . . . . . . . . . . . . . . 3 2.1. Standards Language . . . . . . . . . . . . . . . . . . . . 3
2.2. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. ERP/AAK Overview . . . . . . . . . . . . . . . . . . . . . . . 4 3. ERP/AAK Overview . . . . . . . . . . . . . . . . . . . . . . . 4
4. ERP/AAK Key Hierarchy . . . . . . . . . . . . . . . . . . . . 6 4. ERP/AAK Key Hierarchy . . . . . . . . . . . . . . . . . . . . 5
5. Packet and TLV Extension . . . . . . . . . . . . . . . . . . . 7 5. Packet and TLV Extension . . . . . . . . . . . . . . . . . . . 6
5.1. EAP-Initiate/Re-auth-Start Packet Extension . . . . . . . 7 5.1. EAP-Initiate/Re-auth-Start Packet Extension . . . . . . . 6
5.2. EAP-Initiate/Re-auth Packet Extension . . . . . . . . . . 8 5.2. EAP-Initiate/Re-auth Packet Extension . . . . . . . . . . 7
5.3. EAP-Finish/Re-auth extension . . . . . . . . . . . . . . . 9 5.3. EAP-Finish/Re-auth extension . . . . . . . . . . . . . . . 9
5.4. TV/TLV and sub-TLV Attributes . . . . . . . . . . . . . . 11 5.4. TV/TLV and sub-TLV Attributes . . . . . . . . . . . . . . 11
6. Lower Layer Considerations . . . . . . . . . . . . . . . . . . 12 6. Lower Layer Considerations . . . . . . . . . . . . . . . . . . 11
7. AAA Transport Consideration . . . . . . . . . . . . . . . . . 12 7. AAA Transport Consideration . . . . . . . . . . . . . . . . . 11
8. Security Considerations . . . . . . . . . . . . . . . . . . . 12 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 10.1. Normative References . . . . . . . . . . . . . . . . . . . 12
10.2. Informative References . . . . . . . . . . . . . . . . . . 13 10.2. Informative References . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
The Extensible Authentication Protocol (EAP) [RFC3748] is a generic The Extensible Authentication Protocol (EAP) [RFC3748] is a generic
framework supporting multiple types of authentication methods. In framework supporting multiple types of authentication methods. In
systems where EAP is used for authentication, it is desirable to not systems where EAP is used for authentication, it is desirable to not
repeat the entire EAP exchange with another authenticator. The EAP repeat the entire EAP exchange with another authenticator. The EAP
Re-authentication Protocol (ERP) [RFC5296] specifies extensions to Re-authentication Protocol (ERP) [RFC5296] specifies extensions to
EAP and the EAP keying hierarchy to support an EAP method-independent EAP and the EAP keying hierarchy to support an EAP method-independent
protocol for efficient re-authentication between the peer and an EAP protocol for efficient re-authentication between the peer and an EAP
re-authentication server through any authenticator. The re- re-authentication server through any authenticator. The re-
authentication server may be in the home network or in the local authentication server may be in the home network or in the local
network to which the peer is connecting. network to which the peer is connecting.
Authenticated Anticipatory Keying (AAK) [I-D.ietf-hokey-preauth-ps] Authenticated Anticipatory Keying (AAK) [RFC5836] is a method by
is a method by which cryptographic keying material may be established which cryptographic keying material may be established prior to
prior to handover upon one or more candidate attachment points handover upon one or more candidate attachment points (CAPs). AAK
(CAPs). AAK utilizes the AAA infrastructure for key transport. utilizes the AAA infrastructure for key transport.
This document specifies the extensions necessary to enable AAK This document specifies the extensions necessary to enable AAK
support in ERP. support in ERP.
2. Terminology 2. Terminology
2.1. Standards Language 2.1. Standards Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119] document are to be interpreted as described in RFC 2119 [RFC2119]
2.2. Acronyms 2.2. Acronyms
The following acronyms are used in this document; see the references The following acronyms are used in this document; see the references
for more details. for more details.
AAA AAA Authentication, Authorization and Accounting [RFC3588]
Authentication, Authorization and Accounting [RFC3588]
CAP
Candidate Attachment Point [I-D.ietf-hokey-preauth-ps]
EA
Abbreviation for "ERP/AAK"; used in figures CAP Candidate Attachment Point [RFC5836]
ERP/AAK EA Abbreviation for "ERP/AAK"; used in figures
EAP Re-authentication Protocol Extensions for Authenticated
Anticipatory Keying
MH MH Mobile Host
Mobile Host
SAP SAP Serving Attachment Point [RFC5836]
Serving Attachment Point [I-D.ietf-hokey-preauth-ps]
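Review bot: the right-hand (-01) acronym list no longer carries the "ERP/AAK" entry that -00 expanded as "EAP Re-authentication Protocol Extensions for Authenticated Anticipatory Keying"; since the -01 title now introduces the abbreviation "(ERP/AAK)" and the EA entry is defined in terms of it, the expansion should stay in the list (or confirm it was moved rather than dropped).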
3. ERP/AAK Overview 3. ERP/AAK Overview
ERP/AAK is intended to allow the establishment of cryptographic ERP/AAK is intended to allow the establishment of cryptographic
keying materials on one or more Candidate Attachment Points prior to keying materials on one or more Candidate Attachment Points prior to
the arrival of the MH at the Candidate Access Network (CAN). The the arrival of the MH at the Candidate Access Network (CAN). The
document also specifies a method by which the SAP may send the document also specifies a method by which the SAP may send the
identities of neighboring attachment points to the peer in the EAP- identities of neighboring attachment points to the peer in the EAP-
Initiate/Re-auth-Start message. Initiate/Re-auth-Start message.
skipping to change at page 5, line 24 skipping to change at page 4, line 37
2. | EAP-Initiate/ | | | 2. | EAP-Initiate/ | | |
| Re-auth | | | | | Re-auth | | | |
| (E-flag) | | | | | (E-flag) | | | |
|---------->| | | | |---------->| | | |
3. | | AAA (EAP-Initiate/Re-auth(E-flag))| 3. | | AAA (EAP-Initiate/Re-auth(E-flag))|
| |---------------------------------->| | |---------------------------------->|
| | | | | | | | | |
| | | | +---------+---------+ | | | | +---------+---------+
| | | | | CA authorized & | | | | | | CA authorized & |
4. | | | | | authenticated; | 4. | | | | | authenticated; |
| | | | | EA keying | | | | | | EE keying |
| | | | | materials derived | | | | | | materials derived |
| | | | +---------+---------+ | | | | +---------+---------+
| | | | | | | | | |
5. | | | AAA (pMSK) | 5. | | | | AAA(pMSKx) |
| | | |<----------->| | | |AAA(pMSK1)|<----------->|
| | |<---------------------->| | | |<---------------------->|
| | | | | | | | | |
6. | | AAA (EAP-Finish/Re-auth(E-flag)) | 6. | | AAA (EAP-Finish/Re-auth(E-flag)) |
| |<----------------------------------| | |<----------------------------------|
| | | | | | | | | |
7. | EAP-Finish/ | | | 7. | EAP-Finish/ | | |
| Re-auth(E-flag) | | | | Re-auth(E-flag) | | |
|<----------| | | | |<----------| | | |
| | | | | | | | | |
Figure 1: ERP/AAK Operation Figure 1: ERP/AAK Operation
ERP/AAK re-uses the packet format defined by ERP, but specifies a new ERP/AAK re-uses the packet format defined by ERP, but specifies a new
flag to differentiate EAP early-authentication from EAP re- flag to differentiate EAP early-authentication from EAP re-
authentication. The peer initiates ERP/AAK itself, or does so in authentication. The peer initiates ERP/AAK itself, or does so in
response to an EAP-Initiate/Re-Auth-Start message from the SAP. In response to an EAP-Initiate/Re-Auth-Start message from the SAP. In
this document, it is required that the SAP should support ERP/AAK. this document, it is required that the SAP should support ERP/AAK.
If either the peer or the SAP does not support ERP/AAK, it should If either the peer or the SAP does not support ERP/AAK, it should
fall back to full EAP authentication. fall back to full EAP authentication.
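Review bot: step 4 of Figure 1 in -01 reads "EE keying materials derived" where -00 had "EA keying materials derived"; "EE" is defined nowhere, while section 2.2 defines EA as the abbreviation for ERP/AAK used in figures, so this looks like a typo introduced in -01 and should be reverted. In the paragraph below the figure, "it is required that the SAP should support ERP/AAK" and "it should fall back to full EAP authentication" mix an informal "required" with a lowercase "should"; since section 2.1 invokes RFC 2119, state these as requirements, e.g. "The SAP MUST support ERP/AAK" and "If either the peer or the SAP does not support ERP/AAK, full EAP authentication MUST be used", so the fallback behaviour is unambiguous.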
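The exchange in Figure 1, as an added runnable example that is not part of the draft: the peer sends EAP-Initiate/Re-auth with the E flag through the SAP, the ERP/AAK server checks the rIK-keyed authentication tag and the sequence number, authorizes the candidate attachment points, derives one pMSK per CAP and delivers it (standing in for the AAA transport of step 5), and the peer derives the same keys from EAP-Finish/Re-auth(E-flag). Everything not stated on this page is an assumption: HMAC-SHA256 replaces the ERP KDF and integrity algorithm, the byte layout is a toy encoding rather than the EAP-Initiate/Re-auth format, the E flag bit position and the pMSK label are illustrative, and the rRK/rIK values and CAP identities are constructed.

```python
"""ERP/AAK exchange of Figure 1 as a runnable simulation (added example).

Assumptions not taken from the draft: HMAC-SHA256 stands in for the ERP KDF
and integrity algorithm, the messages use a toy byte layout rather than the
EAP-Initiate/Re-auth wire format, the E flag bit and the pMSK label are
illustrative, and the rRK/rIK values are constructed test keys.
"""
import hashlib
import hmac
import struct

E_FLAG = 0x80                 # assumed bit position for the new E flag
PMSK_LABEL = b"pMSK@example"  # assumed KDF label, not from the draft
TAG_LEN = 32


def kdf(key: bytes, label: bytes, context: bytes, length: int = 64) -> bytes:
    """Counter-mode HMAC-SHA256 KDF (assumed; ERP uses the RFC 5295 KDF)."""
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(key, bytes([counter]) + label + b"\x00" + context,
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_pmsk(rrk: bytes, cap_id: bytes, seq: int) -> bytes:
    """Per-CAP pMSK: bound to the CAP identity and the ERP sequence number,
    so a key delivered to one CAP says nothing about another CAP's key."""
    return kdf(rrk, PMSK_LABEL, cap_id + struct.pack(">H", seq))


def protect(rik: bytes, body: bytes) -> bytes:
    """Append an rIK-keyed tag, as ERP does on Re-auth/Finish packets."""
    return body + hmac.new(rik, body, hashlib.sha256).digest()


def verify(rik: bytes, packet: bytes) -> bytes:
    body, mac = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(rik, body, hashlib.sha256).digest(), mac):
        raise ValueError("authentication tag check failed")
    return body


class ErpAakServer:
    def __init__(self, rrk, rik, authorized_caps):
        self.rrk, self.rik = rrk, rik
        self.authorized = set(authorized_caps)
        self.last_seq = 0
        self.cap_keys = {}  # stands in for AAA delivery of pMSKs to each CAP

    def handle_initiate(self, packet, candidate_caps):
        body = verify(self.rik, packet)
        flags, seq = struct.unpack(">BH", body[:3])
        if seq <= self.last_seq:               # replay check on the sequence number
            raise ValueError("stale sequence number (replay)")
        if not flags & E_FLAG:
            raise ValueError("E flag not set; not an ERP/AAK request")
        self.last_seq = seq
        keyed = [c for c in candidate_caps if c in self.authorized]   # step 4
        for cap in keyed:
            self.cap_keys[cap] = derive_pmsk(self.rrk, cap, seq)       # step 5
        return protect(self.rik, struct.pack(">BH", E_FLAG, seq) + b",".join(keyed))


class Peer:
    def __init__(self, rrk, rik, nai):
        self.rrk, self.rik, self.nai = rrk, rik, nai
        self.seq = 0
        self.pmsks = {}

    def initiate(self):
        self.seq += 1                          # EAP-Initiate/Re-auth(E-flag), step 2
        return protect(self.rik, struct.pack(">BH", E_FLAG, self.seq) + self.nai)

    def finish(self, packet):
        body = verify(self.rik, packet)        # EAP-Finish/Re-auth(E-flag), step 7
        _, seq = struct.unpack(">BH", body[:3])
        keyed = [c for c in body[3:].split(b",") if c]
        for cap in keyed:
            self.pmsks[cap] = derive_pmsk(self.rrk, cap, seq)
        return keyed


def run_exchange():
    rrk, rik = bytes(range(64)), bytes(range(64, 128))       # constructed keys
    peer = Peer(rrk, rik, b"peer@example.net")
    server = ErpAakServer(rrk, rik, {b"CAP1", b"CAP2"})
    candidates = [b"CAP1", b"CAP2", b"CAP3"]                  # CAP3 is not authorized
    req = peer.initiate()
    keyed = peer.finish(server.handle_initiate(req, candidates))
    try:
        server.handle_initiate(req, candidates)               # same packet replayed
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    keys_match = all(server.cap_keys[c] == peer.pmsks[c] for c in keyed)
    distinct = len({server.cap_keys[c] for c in keyed}) == len(keyed)
    return {"keyed": keyed, "keys_match": keys_match,
            "distinct": distinct, "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(run_exchange())
```

Running the script shows the two authorized CAPs keyed with distinct pMSKs that the peer can reproduce, the unauthorized CAP3 left without a key, and the replayed EAP-Initiate/Re-auth rejected on its sequence number; the SAP is only a forwarder in this flow, which is why it appears as a plain function call rather than a party holding keys.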
skipping to change at page 12, line 31 skipping to change at page 11, line 44
6. Lower Layer Considerations 6. Lower Layer Considerations
Similar to ERP, the lower layer specifications may need to be revised Similar to ERP, the lower layer specifications may need to be revised
to support ERP/AAK. Refer to section 6 of [RFC5296] for additional to support ERP/AAK. Refer to section 6 of [RFC5296] for additional
guidance. guidance.
7. AAA Transport Consideration 7. AAA Transport Consideration
AAA transport of ERP/AAK message is the same as AAA transport of the AAA transport of ERP/AAK message is the same as AAA transport of the
ERP message specified ERP [RFC5296]. In addition, the document ERP message [RFC5296]. In addition, the document requires AAA
requires AAA transport of the ERP/AAK keying materials delivered by transport of the ERP/AAK keying materials delivered by the ERP/AAK
the ERP/AAK server to the CAP. Hence, a new Diameter ERP/AAK server to the CAP. Hence, a new Diameter ERP/AAK application message
application message should be specified to transport the keying should be specified to transport the keying materials.
materials.
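Review bot: section 7 says a new Diameter ERP/AAK application message "should be specified" to transport the keying material to the CAP, but does not say where; [I-D.ietf-dime-local-keytran] is listed only as an informative reference and is not cited from this section. Either cite it here as the intended key-transport mechanism, or state that the Diameter application is out of scope for this document, and use RFC 2119 language for whichever it is.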
8. Security Considerations 8. Security Considerations
TBD. TBD.
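Review bot: the Security Considerations section is still "TBD." in -01 even though the document now specifies delivery of per-CAP keying material (pMSK) over AAA in step 5 of Figure 1. Before last call this section should at least cover: that each pMSK is scoped to a single CAP, so a compromised CAP learns nothing about other CAPs' keys or about the rRK; the protection required on the AAA transport carrying the pMSK (section 7); replay protection for the E-flag EAP-Initiate/Re-auth and EAP-Finish/Re-auth messages, which ERP provides through its sequence number and rIK-keyed authentication tag; and what an attacker gains by forging or stripping the E flag to force the fallback to full EAP authentication described in section 3.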
9. IANA Considerations 9. IANA Considerations
New TLV types: New TLV types:
NAS-Identifier NAS-Identifier
skipping to change at page 13, line 34 skipping to change at page 12, line 46
August 2008. August 2008.
10.2. Informative References 10.2. Informative References
[I-D.ietf-dime-local-keytran] Zorn, G., Wu, W., and V. Cakulev, [I-D.ietf-dime-local-keytran] Zorn, G., Wu, W., and V. Cakulev,
"Diameter Attribute-Value Pairs for "Diameter Attribute-Value Pairs for
Cryptographic Key Transport", Cryptographic Key Transport",
draft-ietf-dime-local-keytran-02 (work draft-ietf-dime-local-keytran-02 (work
in progress), March 2010. in progress), March 2010.
[I-D.ietf-hokey-preauth-ps] Ohba, Y., Wu, Q., and G. Zorn,
"Extensible Authentication Protocol
(EAP) Early Authentication Problem
Statement",
draft-ietf-hokey-preauth-ps-12 (work
in progress), December 2009.
[RFC3588] Calhoun, P., Loughney, J., Guttman, [RFC3588] Calhoun, P., Loughney, J., Guttman,
E., Zorn, G., and J. Arkko, "Diameter E., Zorn, G., and J. Arkko, "Diameter
Base Protocol", RFC 3588, Base Protocol", RFC 3588,
September 2003. September 2003.
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J.,
Carlson, J., and H. Levkowetz, Carlson, J., and H. Levkowetz,
"Extensible Authentication Protocol "Extensible Authentication Protocol
(EAP)", RFC 3748, June 2004. (EAP)", RFC 3748, June 2004.
[RFC5836] Ohba, Y., Wu, Q., and G. Zorn,
"Extensible Authentication Protocol
(EAP) Early Authentication Problem
Statement", RFC 5836, April 2010.
Authors' Addresses Authors' Addresses
Zhen Cao Zhen Cao
China Mobile China Mobile
53A Xibianmennei Ave., Xuanwu District 53A Xibianmennei Ave., Xuanwu District
Beijing, Beijing 100053 Beijing, Beijing 100053
P.R. China P.R. China
EMail: caozhen@chinamobile.com EMail: zehn.cao@gmail.com
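Review bot: the -01 contact address for Zhen Cao changes from caozhen@chinamobile.com to zehn.cao@gmail.com; the local part "zehn" transposes the letters of the author's first name "Zhen", so confirm the address with the author before publication.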
Hui Deng Hui Deng
China Mobile China Mobile
53A Xibianmennei Ave., Xuanwu District 53A Xibianmennei Ave., Xuanwu District
Beijing, Beijing 100053 Beijing, Beijing 100053
P.R. China P.R. China
EMail: denghui02@gmail.com EMail: denghui02@gmail.com
Yungui Wang Yungui Wang
 End of changes. 20 change blocks. 
51 lines changed or deleted 37 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/