| draft-ietf-hokey-erp-aak-02.txt | draft-ietf-hokey-erp-aak-03.txt | |||
|---|---|---|---|---|
| Network Working Group Z. Cao | Network Working Group Z. Cao | |||
| Internet-Draft H. Deng | Internet-Draft H. Deng | |||
| Intended status: Standards Track China Mobile | Intended status: Standards Track China Mobile | |||
| Expires: November 12, 2010 Y. Wang | Expires: May 12, 2011 Y. Wang | |||
| Q. Wu | Q. Wu | |||
| Huawei Technologies Co., Ltd. | Huawei Technologies Co., Ltd. | |||
| G. Zorn, Ed. | G. Zorn | |||
| Network Zen | Network Zen | |||
| May 11, 2010 | November 8, 2010 | |||
| EAP Re-authentication Protocol Extensions for Authenticated Anticipatory | EAP Re-authentication Protocol Extensions for Authenticated Anticipatory | |||
| Keying (ERP/AAK) | Keying (ERP/AAK) | |||
| draft-ietf-hokey-erp-aak-02 | draft-ietf-hokey-erp-aak-03 | |||
| Abstract | Abstract | |||
| The Extensible Authentication Protocol (EAP) is a generic framework | The Extensible Authentication Protocol (EAP) is a generic framework | |||
| supporting multiple types of authentication methods. | supporting multiple of authentication methods. | |||
| The EAP Re-authentication Protocol (ERP) specifies extensions to EAP | The EAP Re-authentication Protocol (ERP) specifies extensions to EAP | |||
| and the EAP keying hierarchy to support an EAP method-independent | and the EAP keying hierarchy to support an EAP method-independent | |||
| protocol for efficient re-authentication between the peer and an EAP | protocol for efficient re-authentication between the peer and an EAP | |||
| re-authentication server through any authenticator. | re-authentication server through any authenticator. | |||
| Authenticated Anticipatory Keying (AAK) is a method by which | Authenticated Anticipatory Keying (AAK) is a method by which | |||
| cryptographic keying material may be established prior to handover | cryptographic keying material may be established prior to handover | |||
| upon one or more candidate attachment points (CAPs), AAK uses the AAA | upon one or more candidate attachment points (CAPs). AAK uses the | |||
| infrastructure for key transport. | AAA infrastructure for key transport. | |||
| This document specifies the extensions necessary to enable AAK | This document specifies the extensions necessary to enable AAK | |||
| support in ERP. | support in ERP. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 12, 2010. | This Internet-Draft will expire on May 12, 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 32 | skipping to change at page 3, line 32 | |||
| This document specifies the extensions necessary to enable AAK | This document specifies the extensions necessary to enable AAK | |||
| support in ERP. | support in ERP. | |||
| 2. Terminology | 2. Terminology | |||
| 2.1. Standards Language | 2.1. Standards Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119] | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| 2.2. Acronyms | 2.2. Acronyms | |||
| The following acronyms are used in this document; see the references | The following acronyms are used in this document; see the references | |||
| for more details. | for more details. | |||
| AAA Authentication, Authorization and Accounting [RFC3588] | AAA Authentication, Authorization and Accounting [RFC3588] | |||
| CAP Candidate Attachment Point [RFC5836] | CAP Candidate Attachment Point [RFC5836] | |||
| skipping to change at page 4, line 37 | skipping to change at page 4, line 37 | |||
| 2. | EAP-Initiate/ | | | | 2. | EAP-Initiate/ | | | | |||
| | Re-auth | | | | | | Re-auth | | | | | |||
| | (E-flag) | | | | | | (E-flag) | | | | | |||
| |---------->| | | | | |---------->| | | | | |||
| 3. | | AAA (EAP-Initiate/Re-auth(E-flag))| | 3. | | AAA (EAP-Initiate/Re-auth(E-flag))| | |||
| | |---------------------------------->| | | |---------------------------------->| | |||
| | | | | | | | | | | | | |||
| | | | | +---------+---------+ | | | | | +---------+---------+ | |||
| | | | | | CA authorized & | | | | | | | CA authorized & | | |||
| 4. | | | | | authenticated; | | 4. | | | | | authenticated; | | |||
| | | | | | EE keying | | | | | | | EA keying | | |||
| | | | | | materials derived | | | | | | | materials derived | | |||
| | | | | +---------+---------+ | | | | | +---------+---------+ | |||
| | | | | | | | | | | | | |||
| 5. | | | | AAA(pMSKx) | | 5. | | | | AAA(pMSKx) | | |||
| | | |AAA(pMSK1)|<----------->| | | | |AAA(pMSK1)|<----------->| | |||
| | | |<---------------------->| | | | |<---------------------->| | |||
| | | | | | | | | | | | | |||
| 6. | | AAA (EAP-Finish/Re-auth(E-flag)) | | 6. | | AAA (EAP-Finish/Re-auth(E-flag)) | | |||
| | |<----------------------------------| | | |<----------------------------------| | |||
| | | | | | | | | | | | | |||
| skipping to change at page 5, line 41 | skipping to change at page 5, line 41 | |||
| authenticated and authorized successfully, the ERP/AAK server derives | authenticated and authorized successfully, the ERP/AAK server derives | |||
| the pRK and the subsequent pMSK for each CAP. | the pRK and the subsequent pMSK for each CAP. | |||
| The ERP/AAK server transports the pMSK to the authenticated and | The ERP/AAK server transports the pMSK to the authenticated and | |||
| authorized CAP(s) via AAA as described in Section 7. After the | authorized CAP(s) via AAA as described in Section 7. After the | |||
| keying materials are delivered, the ERP/AAK server should determine | keying materials are delivered, the ERP/AAK server should determine | |||
| each CA whether accepts the pMSK and whether the peer could be | each CA whether accepts the pMSK and whether the peer could be | |||
| attached to. | attached to. | |||
| At last, the ERP/AAK server sends the early-authentication finish | At last, the ERP/AAK server sends the early-authentication finish | |||
| message (EAP-Finish/Re-auth with E-flag) containing the determinate | message (EAP-Finish/Re-auth with E-flag set) containing the | |||
| CAP(s) to the peer via the SAP. | determinate CAP(s) to the peer via the SAP. | |||
| 4. ERP/AAK Key Hierarchy | 4. ERP/AAK Key Hierarchy | |||
| As an optimization of ERP, ERP/AAK uses key hierarchy similar to that | As an optimization of ERP, ERP/AAK uses key hierarchy similar to that | |||
| of ERP. The EMSK is used to derive the ERP/AAK pre-established Root | of ERP. The EMSK is used to derive the ERP/AAK pre-established Root | |||
| Key (pRK). Similarly, the ERP/AAK pre-established Integrity Key | Key (pRK). Similarly, the ERP/AAK pre-established Integrity Key | |||
| (pIK) and the pre-established Master Session Key (pMSK) are derived | (pIK) and the pre-established Master Session Key (pMSK) are derived | |||
| from the pRK. The pMSK is established for the CAP(s) when the peer | from the pRK. The pMSK is established for the CAP(s) when the peer | |||
| early authenticates to the network. The pIK is established for the | early authenticates to the network. The pIK is established for the | |||
| peer to re-authenticate the network after handover. The hierarchy | peer to re-authenticate the network after handover. The hierarchy | |||
| skipping to change at page 12, line 43 | skipping to change at page 12, line 43 | |||
| [RFC5296] Narayanan, V. and L. Dondeti, "EAP | [RFC5296] Narayanan, V. and L. Dondeti, "EAP | |||
| Extensions for EAP Re-authentication | Extensions for EAP Re-authentication | |||
| Protocol (ERP)", RFC 5296, | Protocol (ERP)", RFC 5296, | |||
| August 2008. | August 2008. | |||
| 10.2. Informative References | 10.2. Informative References | |||
| [I-D.ietf-dime-local-keytran] Zorn, G., Wu, W., and V. Cakulev, | [I-D.ietf-dime-local-keytran] Zorn, G., Wu, W., and V. Cakulev, | |||
| "Diameter Attribute-Value Pairs for | "Diameter Attribute-Value Pairs for | |||
| Cryptographic Key Transport", | Cryptographic Key Transport", | |||
| draft-ietf-dime-local-keytran-03 (work | draft-ietf-dime-local-keytran-08 (work | |||
| in progress), May 2010. | in progress), October 2010. | |||
| [RFC3588] Calhoun, P., Loughney, J., Guttman, | [RFC3588] Calhoun, P., Loughney, J., Guttman, | |||
| E., Zorn, G., and J. Arkko, "Diameter | E., Zorn, G., and J. Arkko, "Diameter | |||
| Base Protocol", RFC 3588, | Base Protocol", RFC 3588, | |||
| September 2003. | September 2003. | |||
| [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., | [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., | |||
| Carlson, J., and H. Levkowetz, | Carlson, J., and H. Levkowetz, | |||
| "Extensible Authentication Protocol | "Extensible Authentication Protocol | |||
| (EAP)", RFC 3748, June 2004. | (EAP)", RFC 3748, June 2004. | |||
| skipping to change at page 14, line 4 | skipping to change at page 14, line 4 | |||
| EMail: w52006@huawei.com | EMail: w52006@huawei.com | |||
| Qin Wu | Qin Wu | |||
| Huawei Technologies Co., Ltd. | Huawei Technologies Co., Ltd. | |||
| Floor 12, HuiHong Mansion, No.91 BaiXia Rd. | Floor 12, HuiHong Mansion, No.91 BaiXia Rd. | |||
| Nanjing, Jiangsu 210001 | Nanjing, Jiangsu 210001 | |||
| P.R. China | P.R. China | |||
| Phone: +86 25 84565892 | Phone: +86 25 84565892 | |||
| EMail: sunseawq@huawei.com | EMail: sunseawq@huawei.com | |||
| Glen Zorn (editor) | Glen Zorn | |||
| Network Zen | Network Zen | |||
| 1463 East Republican Street | 227/358 Thanon Sanphawut | |||
| #358 | Bang Na, Bangkok 10260 | |||
| Seattle, Washington 98112 | Thailand | |||
| USA | ||||
| Phone: +66 (0) 87-040-4617 | ||||
| EMail: gwz@net-zen.net | EMail: gwz@net-zen.net | |||
| End of changes. 14 change blocks. | ||||
| 19 lines changed or deleted | 19 lines changed or added | |||
This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||