draft-ietf-hokey-erp-aak-00.txt | draft-ietf-hokey-erp-aak-01.txt | |||
---|---|---|---|---|
Network Working Group Z. Cao | Network Working Group Z. Cao | |||
Internet-Draft H. Deng | Internet-Draft H. Deng | |||
Intended status: Standards Track China Mobile | Intended status: Standards Track China Mobile | |||
Expires: October 11, 2010 Y. Wang | Expires: October 29, 2010 Y. Wang | |||
Q. Wu | Q. Wu | |||
Huawei Technologies Co., Ltd. | Huawei Technologies Co., Ltd. | |||
G. Zorn, Ed. | G. Zorn, Ed. | |||
Network Zen | Network Zen | |||
April 9, 2010 | April 27, 2010 | |||
EAP Re-authentication Protocol Extensions for Authenticated Anticipatory | EAP Re-authentication Protocol Extensions for Authenticated Anticipatory | |||
Keying | Keying (ERP/AAK) | |||
draft-ietf-hokey-erp-aak-00 | draft-ietf-hokey-erp-aak-01 | |||
Abstract | Abstract | |||
The Extensible Authentication Protocol (EAP) is a generic framework | The Extensible Authentication Protocol (EAP) is a generic framework | |||
supporting multiple types of authentication methods. | supporting multiple types of authentication methods. | |||
The EAP Re-authentication Protocol (ERP) specifies extensions to EAP | The EAP Re-authentication Protocol (ERP) specifies extensions to EAP | |||
and the EAP keying hierarchy to support an EAP method-independent | and the EAP keying hierarchy to support an EAP method-independent | |||
protocol for efficient re-authentication between the peer and an EAP | protocol for efficient re-authentication between the peer and an EAP | |||
re-authentication server through any authenticator. | re-authentication server through any authenticator. | |||
skipping to change at page 2, line 4 | skipping to change at page 2, line 4 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on October 11, 2010. | This Internet-Draft will expire on October 29, 2010. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 28 | skipping to change at page 2, line 28 | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2.1. Standards Language . . . . . . . . . . . . . . . . . . . . 3 | 2.1. Standards Language . . . . . . . . . . . . . . . . . . . . 3 | |||
2.2. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2.2. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
3. ERP/AAK Overview . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. ERP/AAK Overview . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
4. ERP/AAK Key Hierarchy . . . . . . . . . . . . . . . . . . . . 6 | 4. ERP/AAK Key Hierarchy . . . . . . . . . . . . . . . . . . . . 5 | |||
5. Packet and TLV Extension . . . . . . . . . . . . . . . . . . . 7 | 5. Packet and TLV Extension . . . . . . . . . . . . . . . . . . . 6 | |||
5.1. EAP-Initiate/Re-auth-Start Packet Extension . . . . . . . 7 | 5.1. EAP-Initiate/Re-auth-Start Packet Extension . . . . . . . 6 | |||
5.2. EAP-Initiate/Re-auth Packet Extension . . . . . . . . . . 8 | 5.2. EAP-Initiate/Re-auth Packet Extension . . . . . . . . . . 7 | |||
5.3. EAP-Finish/Re-auth extension . . . . . . . . . . . . . . . 9 | 5.3. EAP-Finish/Re-auth extension . . . . . . . . . . . . . . . 9 | |||
5.4. TV/TLV and sub-TLV Attributes . . . . . . . . . . . . . . 11 | 5.4. TV/TLV and sub-TLV Attributes . . . . . . . . . . . . . . 11 | |||
6. Lower Layer Considerations . . . . . . . . . . . . . . . . . . 12 | 6. Lower Layer Considerations . . . . . . . . . . . . . . . . . . 11 | |||
7. AAA Transport Consideration . . . . . . . . . . . . . . . . . 12 | 7. AAA Transport Consideration . . . . . . . . . . . . . . . . . 11 | |||
8. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 | 10.1. Normative References . . . . . . . . . . . . . . . . . . . 12 | |||
10.2. Informative References . . . . . . . . . . . . . . . . . . 13 | 10.2. Informative References . . . . . . . . . . . . . . . . . . 12 | |||
1. Introduction | 1. Introduction | |||
The Extensible Authentication Protocol (EAP) [RFC3748] is a generic | The Extensible Authentication Protocol (EAP) [RFC3748] is a generic | |||
framework supporting multiple types of authentication methods. In | framework supporting multiple types of authentication methods. In | |||
systems where EAP is used for authentication, it is desirable to not | systems where EAP is used for authentication, it is desirable to not | |||
repeat the entire EAP exchange with another authenticator. The EAP | repeat the entire EAP exchange with another authenticator. The EAP | |||
Re-authentication Protocol (ERP) [RFC5296] specifies extensions to | Re-authentication Protocol (ERP) [RFC5296] specifies extensions to | |||
EAP and the EAP keying hierarchy to support an EAP method-independent | EAP and the EAP keying hierarchy to support an EAP method-independent | |||
protocol for efficient re-authentication between the peer and an EAP | protocol for efficient re-authentication between the peer and an EAP | |||
re-authentication server through any authenticator. The re- | re-authentication server through any authenticator. The re- | |||
authentication server may be in the home network or in the local | authentication server may be in the home network or in the local | |||
network to which the peer is connecting. | network to which the peer is connecting. | |||
Authenticated Anticipatory Keying (AAK) [I-D.ietf-hokey-preauth-ps] | Authenticated Anticipatory Keying (AAK) [RFC5836] is a method by | |||
is a method by which cryptographic keying material may be established | which cryptographic keying material may be established prior to | |||
prior to handover upon one or more candidate attachment points | handover upon one or more candidate attachment points (CAPs). AAK | |||
(CAPs). AAK utilizes the AAA infrastructure for key transport. | utilizes the AAA infrastructure for key transport. | |||
This document specifies the extensions necessary to enable AAK | This document specifies the extensions necessary to enable AAK | |||
support in ERP. | support in ERP. | |||
2. Terminology | 2. Terminology | |||
2.1. Standards Language | 2.1. Standards Language | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
2.2. Acronyms | 2.2. Acronyms | |||
The following acronyms are used in this document; see the references | The following acronyms are used in this document; see the references | |||
for more details. | for more details. | |||
AAA | AAA Authentication, Authorization and Accounting [RFC3588] | |||
Authentication, Authorization and Accounting [RFC3588] | ||||
CAP | ||||
Candidate Attachment Point [I-D.ietf-hokey-preauth-ps] | ||||
EA | ||||
Abbreviation for "ERP/AAK"; used in figures | CAP Candidate Attachment Point [RFC5836] | |||
ERP/AAK | EA Abbreviation for "ERP/AAK"; used in figures | |||
EAP Re-authentication Protocol Extensions for Authenticated | ||||
Anticipatory Keying | ||||
MH | MH Mobile Host | |||
Mobile Host | ||||
SAP | SAP Serving Attachment Point [RFC5836] | |||
Serving Attachment Point [I-D.ietf-hokey-preauth-ps] | ||||
3. ERP/AAK Overview | 3. ERP/AAK Overview | |||
ERP/AAK is intended to allow the establishment of cryptographic | ERP/AAK is intended to allow the establishment of cryptographic | |||
keying materials on one or more Candidate Attachment Points prior to | keying materials on one or more Candidate Attachment Points prior to | |||
the arrival of the MH at the Candidate Access Network (CAN). The | the arrival of the MH at the Candidate Access Network (CAN). The | |||
document also specifies a method by which the SAP may send the | document also specifies a method by which the SAP may send the | |||
identities of neighboring attachment points to the peer in the EAP- | identities of neighboring attachment points to the peer in the EAP- | |||
Initiate/Re-auth-Start message. | Initiate/Re-auth-Start message. | |||
skipping to change at page 5, line 24 | skipping to change at page 4, line 37 | |||
2. | EAP-Initiate/ | | | | 2. | EAP-Initiate/ | | | | |||
| Re-auth | | | | | | Re-auth | | | | | |||
| (E-flag) | | | | | | (E-flag) | | | | | |||
|---------->| | | | | |---------->| | | | | |||
3. | | AAA (EAP-Initiate/Re-auth(E-flag))| | 3. | | AAA (EAP-Initiate/Re-auth(E-flag))| | |||
| |---------------------------------->| | | |---------------------------------->| | |||
| | | | | | | | | | | | |||
| | | | +---------+---------+ | | | | | +---------+---------+ | |||
| | | | | CA authorized & | | | | | | | CA authorized & | | |||
4. | | | | | authenticated; | | 4. | | | | | authenticated; | | |||
| | | | | EA keying | | | | | | | EE keying | | |||
| | | | | materials derived | | | | | | | materials derived | | |||
| | | | +---------+---------+ | | | | | +---------+---------+ | |||
| | | | | | | | | | | | |||
5. | | | AAA (pMSK) | | 5. | | | | AAA(pMSKx) | | |||
| | | |<----------->| | | | |AAA(pMSK1)|<----------->| | |||
| | |<---------------------->| | | | |<---------------------->| | |||
| | | | | | | | | | | | |||
6. | | AAA (EAP-Finish/Re-auth(E-flag)) | | 6. | | AAA (EAP-Finish/Re-auth(E-flag)) | | |||
| |<----------------------------------| | | |<----------------------------------| | |||
| | | | | | | | | | | | |||
7. | EAP-Finish/ | | | | 7. | EAP-Finish/ | | | | |||
| Re-auth(E-flag) | | | | | Re-auth(E-flag) | | | | |||
|<----------| | | | | |<----------| | | | | |||
| | | | | | | | | | | | |||
Figure 1: ERP/AAK Operation | Figure 1: ERP/AAK Operation | |||
ERP/AAK re-uses the packet format defined by ERP, but specifies a new | ERP/AAK re-uses the packet format defined by ERP, but specifies a new | |||
flag to differentiate EAP early-authentication from EAP re- | flag to differentiate EAP early-authentication from EAP re- | |||
authentication. The peer initiates ERP/AAK itself, or does so in | authentication. The peer initiates ERP/AAK itself, or does so in | |||
response to an EAP-Initiate/Re-Auth-Start message from the SAP. In | response to an EAP-Initiate/Re-Auth-Start message from the SAP. In | |||
this document, the SAP is required to support ERP/AAK. If either | this document, the SAP is required to support ERP/AAK. If either | |||
the peer or the SAP does not support ERP/AAK, the exchange should | the peer or the SAP does not support ERP/AAK, the exchange should | |||
fall back to full EAP authentication. | fall back to full EAP authentication. | |||
skipping to change at page 12, line 31 | skipping to change at page 11, line 44 | |||
6. Lower Layer Considerations | 6. Lower Layer Considerations | |||
Similar to ERP, the lower layer specifications may need to be revised | Similar to ERP, the lower layer specifications may need to be revised | |||
to support ERP/AAK. Refer to section 6 of [RFC5296] for additional | to support ERP/AAK. Refer to section 6 of [RFC5296] for additional | |||
guidance. | guidance. | |||
7. AAA Transport Consideration | 7. AAA Transport Consideration | |||
AAA transport of ERP/AAK message is the same as AAA transport of the | AAA transport of ERP/AAK message is the same as AAA transport of the | |||
ERP message specified ERP [RFC5296]. In addition, the document | ERP message [RFC5296]. In addition, the document requires AAA | |||
requires AAA transport of the ERP/AAK keying materials delivered by | transport of the ERP/AAK keying materials delivered by the ERP/AAK | |||
the ERP/AAK server to the CAP. Hence, a new Diameter ERP/AAK | server to the CAP. Hence, a new Diameter ERP/AAK application message | |||
application message should be specified to transport the keying | should be specified to transport the keying materials. | |||
materials. | ||||
8. Security Considerations | 8. Security Considerations | |||
TBD. | TBD. | |||
9. IANA Considerations | 9. IANA Considerations | |||
New TLV types: | New TLV types: | |||
NAS-Identifier | NAS-Identifier | |||
skipping to change at page 13, line 34 | skipping to change at page 12, line 46 | |||
August 2008. | August 2008. | |||
10.2. Informative References | 10.2. Informative References | |||
[I-D.ietf-dime-local-keytran] Zorn, G., Wu, W., and V. Cakulev, | [I-D.ietf-dime-local-keytran] Zorn, G., Wu, W., and V. Cakulev, | |||
"Diameter Attribute-Value Pairs for | "Diameter Attribute-Value Pairs for | |||
Cryptographic Key Transport", | Cryptographic Key Transport", | |||
draft-ietf-dime-local-keytran-02 (work | draft-ietf-dime-local-keytran-02 (work | |||
in progress), March 2010. | in progress), March 2010. | |||
[I-D.ietf-hokey-preauth-ps] Ohba, Y., Wu, Q., and G. Zorn, | ||||
"Extensible Authentication Protocol | ||||
(EAP) Early Authentication Problem | ||||
Statement", | ||||
draft-ietf-hokey-preauth-ps-12 (work | ||||
in progress), December 2009. | ||||
[RFC3588] Calhoun, P., Loughney, J., Guttman, | [RFC3588] Calhoun, P., Loughney, J., Guttman, | |||
E., Zorn, G., and J. Arkko, "Diameter | E., Zorn, G., and J. Arkko, "Diameter | |||
Base Protocol", RFC 3588, | Base Protocol", RFC 3588, | |||
September 2003. | September 2003. | |||
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., | [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., | |||
Carlson, J., and H. Levkowetz, | Carlson, J., and H. Levkowetz, | |||
"Extensible Authentication Protocol | "Extensible Authentication Protocol | |||
(EAP)", RFC 3748, June 2004. | (EAP)", RFC 3748, June 2004. | |||
[RFC5836] Ohba, Y., Wu, Q., and G. Zorn, | ||||
"Extensible Authentication Protocol | ||||
(EAP) Early Authentication Problem | ||||
Statement", RFC 5836, April 2010. | ||||
Authors' Addresses | Authors' Addresses | |||
Zhen Cao | Zhen Cao | |||
China Mobile | China Mobile | |||
53A Xibianmennei Ave., Xuanwu District | 53A Xibianmennei Ave., Xuanwu District | |||
Beijing, Beijing 100053 | Beijing, Beijing 100053 | |||
P.R. China | P.R. China | |||
EMail: caozhen@chinamobile.com | EMail: zehn.cao@gmail.com | |||
Hui Deng | Hui Deng | |||
China Mobile | China Mobile | |||
53A Xibianmennei Ave., Xuanwu District | 53A Xibianmennei Ave., Xuanwu District | |||
Beijing, Beijing 100053 | Beijing, Beijing 100053 | |||
P.R. China | P.R. China | |||
EMail: denghui02@gmail.com | EMail: denghui02@gmail.com | |||
Yungui Wang | Yungui Wang | |||
End of changes. 20 change blocks. | ||||
51 lines changed or deleted | 37 lines changed or added | |||
This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |
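The exchange of Figure 1 in Section 3, and the fallback rule stated after it, as an added worked example (this is not code from the draft or from the HOKEY working group). It models steps 2 through 7: the SAP advertises neighbouring CAP identities in EAP-Initiate/Re-auth-Start, the peer answers with EAP-Initiate/Re-auth carrying the E flag, the SAP relays it over AAA to the ERP/AAK server, the server authenticates the peer, derives one pMSK per CAP and delivers it to each CAP (AAA(pMSKx)), and EAP-Finish/Re-auth(E-flag) travels back to the peer, which derives the same pMSKs locally. Everything beyond the message names is an assumption of this example: the message representation, the HMAC integrity tag, the placeholder pMSK derivation (the draft's key hierarchy section is not reproduced on this page), the "REJECTED" outcome for a failed check, and the direct function calls standing in for the AAA transport; the peer name, root key and CAP identities are constructed sample values.

```python
# Added example, not code from the draft: a toy model of the ERP/AAK exchange
# in Figure 1 (Section 3) together with the fallback rule stated after it.
# Assumptions of this example (not from the draft): the message representation,
# the integrity tag, the placeholder pMSK derivation, the "REJECTED" outcome,
# and the direct calls that stand in for the AAA transport.
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ErpMessage:
    code: str                 # "EAP-Initiate" or "EAP-Finish"
    msg_type: str             # "Re-auth-Start" or "Re-auth"
    flags: frozenset          # "E" marks early authentication (ERP/AAK)
    keyname: str = ""         # names the peer's re-authentication key
    caps: tuple = ()          # candidate attachment point identities
    tag: bytes = b""          # integrity check (assumed HMAC, see _auth_tag)


def _auth_tag(key: bytes, msg: ErpMessage) -> bytes:
    """Constructed stand-in for the ERP message integrity check."""
    data = "|".join([msg.code, msg.msg_type, ",".join(sorted(msg.flags)),
                     msg.keyname, ",".join(msg.caps)]).encode()
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_pmsk(root_key: bytes, cap_id: str) -> bytes:
    """Placeholder derivation: one pMSK per CAP, bound to the CAP identity.
    Not the draft's key hierarchy (that section is not on this page)."""
    return hmac.new(root_key, b"pMSK|" + cap_id.encode(), hashlib.sha256).digest()


class Cap:
    """Candidate attachment point; receives its pMSK over AAA (step 5)."""
    def __init__(self, cap_id):
        self.cap_id, self.keys = cap_id, {}   # keys: peer keyname -> pMSK

    def install(self, keyname, pmsk):
        self.keys[keyname] = pmsk


class Peer:
    def __init__(self, keyname, root_key, supports_aak=True):
        self.keyname, self.root_key = keyname, root_key
        self.supports_aak, self.pmsks, self.pending = supports_aak, {}, ()

    def on_reauth_start(self, start):
        """Step 2: answer EAP-Initiate/Re-auth-Start with EAP-Initiate/Re-auth(E)."""
        if not self.supports_aak or "E" not in start.flags:
            return None                       # peer cannot do ERP/AAK
        self.pending = start.caps             # CAP identities the SAP advertised
        msg = ErpMessage("EAP-Initiate", "Re-auth", frozenset({"E"}),
                         self.keyname, start.caps)
        return replace(msg, tag=_auth_tag(self.root_key, msg))

    def on_finish(self, finish):
        """Step 7: on EAP-Finish/Re-auth(E), derive the same pMSK per CAP locally."""
        if "E" in finish.flags:
            self.pmsks = {c: derive_pmsk(self.root_key, c) for c in self.pending}


class ErpAakServer:
    def __init__(self, root_keys, caps):
        self.root_keys, self.caps = dict(root_keys), caps   # keyname -> key; id -> Cap

    def handle_aaa(self, msg):
        """Steps 3-6: verify the peer, derive and deliver pMSKs, return the Finish."""
        key = self.root_keys.get(msg.keyname)
        if key is None or not hmac.compare_digest(_auth_tag(key, msg), msg.tag):
            return None                       # not authenticated: no key leaves the server
        for cap_id in msg.caps:               # step 5: AAA(pMSKx) to each CAP
            if cap_id in self.caps:
                self.caps[cap_id].install(msg.keyname, derive_pmsk(key, cap_id))
        return ErpMessage("EAP-Finish", "Re-auth", frozenset({"E"}), msg.keyname)


class Sap:
    """Serving attachment point; relays between the peer and the server."""
    def __init__(self, server, cap_ids, supports_aak=True):
        self.server, self.cap_ids, self.supports_aak = server, tuple(cap_ids), supports_aak

    def run(self, peer):
        if not self.supports_aak:
            return "FULL-EAP"                 # SAP lacks ERP/AAK: fall back
        start = ErpMessage("EAP-Initiate", "Re-auth-Start", frozenset({"E"}),
                           caps=self.cap_ids)  # advertise neighbouring CAPs
        initiate = peer.on_reauth_start(start)
        if initiate is None:
            return "FULL-EAP"                 # peer lacks ERP/AAK: fall back
        finish = self.server.handle_aaa(initiate)  # step 3 over AAA
        if finish is None:
            return "REJECTED"                 # assumed handling of a failed check
        peer.on_finish(finish)                # step 7
        return "ERP/AAK"


def demo():
    """Constructed sample run: one peer, two CAPs. Returns (outcome, caps, peer)."""
    caps = {"cap-a": Cap("cap-a"), "cap-b": Cap("cap-b")}
    server = ErpAakServer({"peer1@example.net": b"constructed-root-key"}, caps)
    peer = Peer("peer1@example.net", b"constructed-root-key")
    return Sap(server, caps).run(peer), caps, peer
```

Running `demo()` yields the outcome `"ERP/AAK"` with each CAP holding the same pMSK the peer derived for it, while a SAP or peer without ERP/AAK support returns `"FULL-EAP"` and a peer the server cannot authenticate gets no keys delivered. The server verifies the peer's tag before any pMSK is derived, so an unauthenticated request never causes keying material to be pushed to a CAP.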