draft-ietf-pana-statemachine-00.txt  vs.  draft-ietf-pana-statemachine-01.txt
(side-by-side rfcdiff rendering, merged into one column below; text is that
of -01, with -00 differences and -01 additions noted in brackets)

PANA Working Group                                          V. Fajardo
Internet-Draft                                                 Y. Ohba
Expires: December 12, 2005 (-00) / January 12, 2006 (-01)         TARI
                                                              R. Lopez
                                                       Univ. of Murcia
                                  June 10, 2005 (-00) / July 11, 2005 (-01)

State Machines for Protocol for Carrying Authentication for Network
Access (PANA)
draft-ietf-pana-statemachine-00 / draft-ietf-pana-statemachine-01
Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
[skipping to change at page 1, line 37]
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on December 12, 2005 (-00) /
January 12, 2006 (-01).

Copyright Notice

Copyright (C) The Internet Society (2005).
Abstract

This document defines the conceptual state machines for the Protocol
for Carrying Authentication for Network Access (PANA). The state
machines consist of the PANA Client (PaC) state machine and the PANA
[skipping to change at page 2, line 17]
Implementations may achieve the same results using different methods.
Table of Contents

[Section and page numbers are those of -01. -00 had no "IANA
Considerations" section, so its sections 11 and 12 were Acknowledgments
and References; -00 page numbers are one lower for 5.2 and for every
entry from section 7 onward.]

1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
2.  Interface Between PANA and EAP . . . . . . . . . . . . . . . .  5
3.  Document Authority . . . . . . . . . . . . . . . . . . . . . .  7
4.  Notations  . . . . . . . . . . . . . . . . . . . . . . . . . .  8
5.  Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10
    5.1  Common Procedures  . . . . . . . . . . . . . . . . . . . . 10
    5.2  Common Variables . . . . . . . . . . . . . . . . . . . . . 12
    5.3  Constants  . . . . . . . . . . . . . . . . . . . . . . . . 13
    5.4  Common Message Initialization Rules  . . . . . . . . . . . 14
    5.5  Common Error Handling Rules  . . . . . . . . . . . . . . . 14
    5.6  Common State Transitions . . . . . . . . . . . . . . . . . 14
6.  PaC State Machine  . . . . . . . . . . . . . . . . . . . . . . 16
    6.1  Interface between PaC and EAP Peer . . . . . . . . . . . . 16
         6.1.1  Delivering EAP Messages from PaC to EAP Peer  . . . 16
         6.1.2  Delivering EAP Responses from EAP Peer to PaC . . . 16
         6.1.3  EAP Restart Notification from PaC to EAP Peer . . . 16
         6.1.4  EAP Authentication Result Notification from EAP
                Peer to PaC . . . . . . . . . . . . . . . . . . . . 17
         6.1.5  Alternate Failure Notification from PaC to EAP Peer  17
         6.1.6  EAP Invalid Message Notification from EAP Peer to
                PaC . . . . . . . . . . . . . . . . . . . . . . . . 17
    6.2  Variables  . . . . . . . . . . . . . . . . . . . . . . . . 17
    6.3  Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18
    6.4  PaC State Transition Table . . . . . . . . . . . . . . . . 19
7.  PAA State Machine  . . . . . . . . . . . . . . . . . . . . . . 31
    7.1  Interface between PAA and EAP Authenticator  . . . . . . . 31
         7.1.1  EAP Restart Notification from PAA to EAP
                Authenticator . . . . . . . . . . . . . . . . . . . 31
         7.1.2  Delivering EAP Responses from PAA to EAP
                Authenticator . . . . . . . . . . . . . . . . . . . 31
         7.1.3  Delivering EAP Messages from EAP Authenticator to
                PAA . . . . . . . . . . . . . . . . . . . . . . . . 31
         7.1.4  EAP Authentication Result Notification from EAP
                Authenticator to PAA  . . . . . . . . . . . . . . . 31
    7.2  Variables  . . . . . . . . . . . . . . . . . . . . . . . . 32
    7.3  Procedures . . . . . . . . . . . . . . . . . . . . . . . . 34
    7.4  PAA State Transition Table . . . . . . . . . . . . . . . . 34
8.  Mobility Optimization Support  . . . . . . . . . . . . . . . . 49
    8.1  Common Variables . . . . . . . . . . . . . . . . . . . . . 49
    8.2  PaC Mobility Optimization State Machine  . . . . . . . . . 49
         8.2.1  Variables . . . . . . . . . . . . . . . . . . . . . 49
         8.2.2  Procedures  . . . . . . . . . . . . . . . . . . . . 50
         8.2.3  PaC Mobility Optimization State Transition Table
                Addendum  . . . . . . . . . . . . . . . . . . . . . 50
    8.3  PAA Mobility Optimization  . . . . . . . . . . . . . . . . 53
         8.3.1  Procedures  . . . . . . . . . . . . . . . . . . . . 53
         8.3.2  PAA Mobility Optimization State Transition Table
                Addendum  . . . . . . . . . . . . . . . . . . . . . 53
9.  Implementation Considerations  . . . . . . . . . . . . . . . . 55
    9.1  PAA and PaC Interface to Service Management Entity . . . . 55
    9.2  Multicast Traffic  . . . . . . . . . . . . . . . . . . . . 55
10. Security Considerations  . . . . . . . . . . . . . . . . . . . 56
11. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 57
12. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 58
13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 59
    13.1 Normative References . . . . . . . . . . . . . . . . . . . 59
    13.2 Informative References . . . . . . . . . . . . . . . . . . 59
    Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 59
    Intellectual Property and Copyright Statements . . . . . . . . 61
1. Introduction

This document defines the state machines for Protocol Carrying
Authentication for Network Access (PANA) [I-D.ietf-pana-pana]. There
are state machines for the PANA client (PaC) and for the PANA
Authentication Agent (PAA). Each state machine is specified through
a set of variables, procedures and a state transition table.

A PANA protocol execution consists of several exchanges to carry
[skipping to change at page 8, line 39]
eap-statemachine] are executed on entry to a state, which is one
major difference from this document.) Each exit action is deemed to
be atomic; i.e., execution of an exit action completes before the
next sequential exit action starts to execute. No exit action
executes outside of a state block. The exit actions in only one state
block execute at a time even if the conditions for execution of state
blocks in different state machines are satisfied. All exit actions
in an executing state block complete execution before the transition
to and execution of any other state block. The execution of any
state block appears to be atomic with respect to the execution of any
other state block, and the transition condition to that state from the
previous state is TRUE when execution commences. The order of
execution of state blocks in different state machines is undefined
except as constrained by their transition conditions. A variable
that is set to a particular value in a state block retains this value
until a subsequent state block executes an exit action that modifies
the value.

On completion of the transition from the previous state to the
current state, all exit conditions occurring during the current state
(including exit conditions defined for the wildcard state) are
evaluated until an exit condition for that state is met. Where more
than one row of a table could match, this means the first matching
row in table order is the one taken.
[skipping to change at page 11, line 10]
variable to zero and set an appropriate value to the RTX_MAX_NUM
variable.

void RtxTimerStop()

A procedure to stop the retransmission timer.

void SessionTimerStart()

A procedure to start the PANA session timer.

void SessionTimerStop()                                   [new in -01]

A procedure to stop the PANA session timer.

void Retransmit()

A procedure to retransmit a PANA message and increment RTX_COUNTER
by one (1).

void EAP_Restart()

A procedure to (re)start an EAP conversation, resulting in the
re-initialization of an existing EAP session.
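The timer procedures above are easy to get subtly wrong in an implementation: RTX_COUNTER must be reset on every RtxTimerStart(), Retransmit() must bump it, and a retransmission that is never answered must eventually stop rather than retry forever. The following is an added example (not code from the draft) that models RtxTimerStart/RtxTimerStop/Retransmit and SessionTimerStart/SessionTimerStop against a simulated clock so the exhaustion path can be exercised deterministically. The doubling back-off, the initial interval, RTX_MAX_NUM=3 and the tear-down on exhaustion are assumptions chosen for the example; the draft text on this page only says RTX_MAX_NUM is set to "an appropriate value".

```python
"""Simulated PANA retransmission and session timers (added example).

Models the section 5.1 procedures RtxTimerStart(), RtxTimerStop(),
Retransmit(), SessionTimerStart() and SessionTimerStop() together with the
RTX_COUNTER / RTX_MAX_NUM variables.  A simulated clock replaces real
timers.  Exponential back-off and "give up after RTX_MAX_NUM retries" are
assumptions for illustration, not text from the draft.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Timers:
    now: float = 0.0
    rtx_deadline: Optional[float] = None
    rtx_interval: float = 1.0
    session_deadline: Optional[float] = None
    rtx_counter: int = 0          # state-machine variable
    rtx_max_num: int = 3          # state-machine variable (assumed value)
    pending: Optional[str] = None # last message sent, for Retransmit()
    sent: List[str] = field(default_factory=list)
    events: List[str] = field(default_factory=list)

    # --- procedures from section 5.1 ---
    def tx(self, msg: str) -> None:
        self.pending = msg
        self.sent.append(msg)

    def rtx_timer_start(self, initial_interval: float = 1.0, max_num: int = 3) -> None:
        self.rtx_counter = 0                 # "set RTX_COUNTER to zero"
        self.rtx_max_num = max_num           # "set an appropriate value to RTX_MAX_NUM"
        self.rtx_interval = initial_interval
        self.rtx_deadline = self.now + initial_interval

    def rtx_timer_stop(self) -> None:
        self.rtx_deadline = None
        self.pending = None

    def retransmit(self) -> None:
        assert self.pending is not None
        self.sent.append(self.pending)       # resend the same PANA message
        self.rtx_counter += 1                # "increment RTX_COUNTER by one"
        self.rtx_interval *= 2               # assumed exponential back-off
        self.rtx_deadline = self.now + self.rtx_interval

    def session_timer_start(self, lifetime: float) -> None:
        self.session_deadline = self.now + lifetime

    def session_timer_stop(self) -> None:
        self.session_deadline = None

    # --- simulated clock ---
    def advance(self, seconds: float) -> List[str]:
        """Move the clock forward and fire any due timer; returns raised events."""
        self.now += seconds
        raised: List[str] = []
        if self.rtx_deadline is not None and self.now >= self.rtx_deadline:
            if self.rtx_counter < self.rtx_max_num:
                self.retransmit()
                raised.append("RTX_TIMEOUT:retransmit")
            else:
                self.rtx_timer_stop()        # assumed: give up, caller runs Disconnect()
                raised.append("RTX_TIMEOUT:exhausted")
        if self.session_deadline is not None and self.now >= self.session_deadline:
            self.session_timer_stop()
            raised.append("SESS_TIMEOUT")
        self.events.extend(raised)
        return raised


def run_unanswered_request(max_num: int = 3) -> dict:
    """PaC sends PRAR (REAUTH row) and never gets a PRAA back."""
    t = Timers()
    t.tx("PRAR")
    t.rtx_timer_start(initial_interval=1.0, max_num=max_num)
    t.session_timer_stop()                   # -01 adds SessionTimerStop() on REAUTH
    while t.rtx_deadline is not None:
        t.advance(t.rtx_deadline - t.now)
    return {"sent": len(t.sent), "events": t.events, "time": t.now}


def run_answered_request(answer_after: float = 1.5, lifetime: float = 30.0) -> dict:
    """PRAA arrives after one retransmission; session timer then expires."""
    t = Timers()
    t.tx("PRAR")
    t.rtx_timer_start()
    t.advance(answer_after)                  # first retransmission fires at t=1.0
    t.rtx_timer_stop()                       # Rx:PRAA stops the retransmission timer
    t.session_timer_start(lifetime)
    t.advance(lifetime)
    return {"sent": len(t.sent), "events": t.events}
```

With the assumed parameters the unanswered PRAR is sent four times (the original plus three retransmissions at 1, 3 and 7 seconds) before the timer reports exhaustion at 15 seconds; an implementation that forgot to reset RTX_COUNTER in rtx_timer_start() would start giving up early on the second exchange.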
[skipping to change at page 19, line 11]
This procedure returns TRUE when the PaC chooses one ISP,
otherwise returns FALSE.

boolean ppac_available()

This procedure returns TRUE when the Post-PANA-Address-
Configuration method specified by the PAA is available in the PaC
and the PaC will be able to comply.

boolean pcap_supported()                                  [new in -01]

This procedure returns TRUE when the cryptographic data protection
specified in the Protection-Capability AVP can be supported by the
PaC.

boolean eap_piggyback()

This procedure returns TRUE to indicate that the next EAP
response will be carried in the pending PAN message for
optimization.

void alt_reject()

This procedure informs the EAP peer of an authentication failure
event without an accompanying EAP message.
[skipping to change at page 19, line 44 (-00) / page 19, line 50 (-01)]

------------------------------
State: OFFLINE (Initial State)
------------------------------

Initialization Action:

SEPARATE=Set|Unset;
CARRY_DEVICE_ID=Unset;
1ST_EAP=Unset;
RtxTimerStop();
EAP_Restart();                                            [new in -01]

Exit Condition          Exit Action               Exit State
------------------------+--------------------------+--------------
- - - - - - - - - - - - - (PSR processing) - - - - - - - - - - -
Rx:PSR &&               RtxTimerStop();           WAIT_EAP_MSG_
PSR.exist_avp           EAP_Restart();            IN_DISC
("EAP-Payload")         TxEAP();
                        SEPARATE=Unset;

Rx:PSR &&               RtxTimerStop();           WAIT_PAA
[skipping to change at page 20, line 45 (-00) / page 21, line 4 (-01)]
(PSR.S_flag!=1 ||       Tx:PSA();
SEPARATE==Unset) &&     SEPARATE=Unset;
!PSR.exist_avp          EAP_Restart();
("Cookie")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - -(Authentication trigger from application) - - -
AUTH_USER               Tx:PDI();                 OFFLINE
                        RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

---------------------------
State: WAIT_EAP_MSG_IN_DISC
---------------------------

Exit Condition          Exit Action               Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - (Return PSA with EAP-Payload) - - - - - -
EAP_RESPONSE            PSA.insert_avp            WAIT_PAA
                        ("EAP-Payload");
                        if (choose_isp())         [new in -01]
                          PSA.insert_avp("ISP");  [new in -01]
                        Tx:PSA();
[-00 had a stray closing parenthesis, ("EAP-Payload")), in this row.]

EAP_RESP_TIMEOUT ||     None();                   OFFLINE
EAP_INVALID_MSG
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

---------------
State: WAIT_PAA
---------------
[skipping to change at page 24, line 46 (-00) / page 25, line 4 (-01)]
                        PAR.S_flag=PAN.S_flag;
                        PAR.N_flag=PAN.N_flag;
                        Tx:PAR();
                        RtxTimerStart();

EAP_RESP_TIMEOUT        if (key_available())      WAIT_PAA
                          PAN.insert_avp("MAC");
                        PAN.S_flag=PAR.S_flag;
                        PAN.N_flag=PAR.N_flag;
                        Tx:PAN();

EAP_INVALID_MSG ||      None();                   WAIT_PAA
EAP_SUCCESS ||
EAP_FAILURE
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

----------------------
State: WAIT_EAP_RESULT
----------------------

Exit Condition          Exit Action               Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
[-00 labelled this block "(Return PSA)"; -01 corrects the label. The
Protection-Capability clauses and the pcap_supported() calls in the
rows below are new in -01.]
EAP_SUCCESS &&          PBA.insert_avp("MAC");    OPEN
PBR.exist_avp           PBA.insert_avp("Key-Id");
("Key-Id") &&           if (CARRY_DEVICE_ID)
ppac_available() &&       PBA.insert_avp
(!PBR.exist_avp           ("Device-Id");
("Protection-           PBA.insert_avp("PPAC");
Capability") ||         Tx:PBA();
(PBR.exist_avp          Authorize();
("Protection-           SessionTimerStart();
Capability") &&
pcap_supported()))

EAP_SUCCESS &&          if (key_available())      OPEN
!PBR.exist_avp            PBA.insert_avp("MAC");
("Key-Id") &&           if (CARRY_DEVICE_ID)
ppac_available() &&       PBA.insert_avp
(!PBR.exist_avp           ("Device-Id");
("Protection-           PBA.insert_avp("PPAC");
Capability") ||         Tx:PBA();
(PBR.exist_avp          Authorize();
("Protection-           SessionTimerStart();
Capability") &&
pcap_supported()))

EAP_SUCCESS &&          if (key_available())      WAIT_PEA
!ppac_available()         PER.insert_avp("MAC");
                        PER.RESULT_CODE=
                          PANA_PPAC_CAPABILITY_
                          UNSUPPORTED
                        Tx:PER();
                        RtxTimerStart();

EAP_SUCCESS &&          if (key_available())      WAIT_PEA   [new in -01]
(PBR.exist_avp            PER.insert_avp("MAC");
("Protection-           PER.RESULT_CODE=
Capability") &&           PANA_PROTECTION_
!pcap_supported())        CAPABILITY_UNSUPPORTED
                        Tx:PER();
                        RtxTimerStart();

[-00 had a single EAP_FAILURE row here:
   EAP_FAILURE            if (key_available())      CLOSED
                            PBA.insert_avp("MAC");
                          Tx:PBA();
-01 replaces it with the three SEPARATE==Set rows below, so that in the
separate-authentication case an EAP_FAILURE reported by the local EAP
peer is handled like EAP_SUCCESS (PBA, Authorize(), OPEN) or answered
with the corresponding PER, instead of closing the session. No row for
EAP_FAILURE with SEPARATE unset appears on this page.]
EAP_FAILURE &&          if (key_available())      OPEN
(SEPARATE==Set) &&        PBA.insert_avp("MAC");
ppac_available() &&     if (CARRY_DEVICE_ID)
(!PBR.exist_avp           PBA.insert_avp
("Protection-             ("Device-Id");
Capability") ||         PBA.insert_avp("PPAC");
(PBR.exist_avp          Tx:PBA();
("Protection-           Authorize();
Capability") &&         SessionTimerStart();
pcap_supported()))

EAP_FAILURE &&          if (key_available())      WAIT_PEA
(SEPARATE==Set) &&        PER.insert_avp("MAC");
!ppac_available()       PER.RESULT_CODE=
                          PANA_PPAC_CAPABILITY_
                          UNSUPPORTED
                        Tx:PER();
                        RtxTimerStart();

EAP_FAILURE &&          if (key_available())      WAIT_PEA
(SEPARATE==Set) &&        PER.insert_avp("MAC");
(PBR.exist_avp          PER.RESULT_CODE=
("Protection-             PANA_PROTECTION_
Capability") &&           CAPABILITY_UNSUPPORTED
!pcap_supported())      Tx:PER();
                        RtxTimerStart();

EAP_INVALID_MSG         None();                   WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

----------------------------
State: WAIT_EAP_RESULT_CLOSE
----------------------------

Exit Condition          Exit Action               Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
[-00 labelled this block "(Return PSA)".]
EAP_SUCCESS &&          PBA.insert_avp("MAC");    CLOSED
PBR.exist_avp           PBA.insert_avp("Key-Id");
("Key-Id")              Tx:PBA();
                        Disconnect();

EAP_SUCCESS &&          if (key_available())      CLOSED
!PBR.exist_avp            PBA.insert_avp("MAC");
("Key-Id")              Tx:PBA();
                        Disconnect();
[skipping to change at page 26, line 27 (-00) / page 27, line 19 (-01)]
EAP_INVALID_MSG         None();                   WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
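The WAIT_EAP_RESULT rows above are where -01 adds the Protection-Capability negotiation, and two of them overlap: a PaC that can neither comply with the PPAC method nor support the requested protection matches both the !ppac_available() row and the !pcap_supported() row. Section 4's rule that exit conditions are evaluated until one is met makes table order decisive, so the PPAC error wins. The following is an added example (not code from the draft) that encodes the -01 rows of this state as an ordered rule list, reduces AVPs to names in a dict, and records Authorize()/Tx/timer calls as action names. The EAP_FAILURE-with-SEPARATE-unset combination has no row on this page, so the example rejects it rather than guessing.

```python
"""PaC exit logic for state WAIT_EAP_RESULT, per the -01 table (added example).

Rows are checked in table order so the first match wins.  Nothing here is
the draft's own code; AVP contents, capability checks and action names are
stand-ins for an implementation's real objects.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class PacCaps:
    key_available: bool            # key_available()
    ppac_available: bool           # ppac_available()
    supported_pcaps: Set[str]      # values for which pcap_supported() is TRUE
    carry_device_id: bool = False  # CARRY_DEVICE_ID variable

    def pcap_supported(self, value: str) -> bool:
        return value in self.supported_pcaps


@dataclass
class Outcome:
    message: Optional[str]         # "PBA", "PER" or None
    avps: List[str]                # AVPs inserted into that message, in order
    result_code: Optional[str]     # PER.RESULT_CODE, if a PER is sent
    actions: List[str]             # exit actions other than insert_avp
    next_state: str


def _pba(caps: PacCaps, include_mac: bool, include_key_id: bool) -> Outcome:
    avps: List[str] = []
    if include_mac:
        avps.append("MAC")
    if include_key_id:
        avps.append("Key-Id")
    if caps.carry_device_id:
        avps.append("Device-Id")
    avps.append("PPAC")
    return Outcome("PBA", avps, None, ["Tx:PBA", "Authorize", "SessionTimerStart"], "OPEN")


def _per(caps: PacCaps, code: str) -> Outcome:
    avps = ["MAC"] if caps.key_available else []
    return Outcome("PER", avps, code, ["Tx:PER", "RtxTimerStart"], "WAIT_PEA")


def pac_wait_eap_result(eap_event: str, separate: bool, pbr: Dict[str, object],
                        caps: PacCaps) -> Outcome:
    """Apply the WAIT_EAP_RESULT rows to one EAP-peer event.

    eap_event: "EAP_SUCCESS", "EAP_FAILURE" or "EAP_INVALID_MSG"
    separate:  SEPARATE==Set
    pbr:       AVPs present in the PBR being answered (name -> value)
    """
    if eap_event == "EAP_INVALID_MSG":
        return Outcome(None, [], None, ["None"], "WAIT_PAA")
    if eap_event not in ("EAP_SUCCESS", "EAP_FAILURE"):
        raise ValueError(f"unexpected event in WAIT_EAP_RESULT: {eap_event}")
    if eap_event == "EAP_FAILURE" and not separate:
        # The -01 table on the page defines no row for this case; do not invent one.
        raise ValueError("EAP_FAILURE with SEPARATE unset: no transition defined here")

    has_pcap = "Protection-Capability" in pbr
    pcap_ok = (not has_pcap) or caps.pcap_supported(str(pbr["Protection-Capability"]))

    # Row 1/2 (success) and row 5 (failure, SEPARATE set): answer with PBA and authorize.
    if caps.ppac_available and pcap_ok:
        if eap_event == "EAP_SUCCESS":
            # Key-Id present: MAC is inserted unconditionally; absent: only if a key exists.
            return _pba(caps, include_mac=("Key-Id" in pbr) or caps.key_available,
                        include_key_id="Key-Id" in pbr)
        return _pba(caps, include_mac=caps.key_available, include_key_id=False)
    # Row 3/6: PPAC method not available.  Listed before the pcap row, so it wins
    # when both conditions hold.
    if not caps.ppac_available:
        return _per(caps, "PANA_PPAC_CAPABILITY_UNSUPPORTED")
    # Row 4/7: Protection-Capability present but unsupported (new in -01).
    return _per(caps, "PANA_PROTECTION_CAPABILITY_UNSUPPORTED")
```

A practical consequence of the MAC rule in row 1: when the PBR carries a Key-Id the PaC must be able to compute the MAC, so an implementation should derive the key before entering this state rather than treating key_available() as optional there.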
--------------------------
State: WAIT_1ST_EAP_RESULT
--------------------------

Exit Condition          Exit Action               Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - -
[-00 labelled this block "(Return PSA)".]
EAP_SUCCESS &&          PFEA.insert_avp("Key-Id"); WAIT_PAA
PFER.exist_avp          PFEA.S_flag=1;
("Key-Id")              PFEA.N_flag=PFER.N_flag;
                        PFEA.insert_avp("MAC");
                        Tx:PFEA();
                        EAP_Restart();

(EAP_SUCCESS &&         if (key_available())      WAIT_PAA
!PFER.exist_avp           PFEA.insert_avp("MAC");
("Key-Id")) ||          PFEA.S_flag=1;
[skipping to change at page 26, line 51 (-00) / page 27, line 43 (-01)]
EAP_INVALID_MSG         EAP_Restart();            WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

--------------------------------
State: WAIT_1ST_EAP_RESULT_CLOSE
--------------------------------

Exit Condition          Exit Action               Exit State
------------------------+--------------------------+------------
- - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - -
[-00 labelled this block "(Return PSA)".]
EAP_SUCCESS &&          PFEA.insert_avp("Key-Id"); CLOSED
PFER.exist_avp          PFEA.S_flag=0;
("Key-Id")              PFEA.N_flag=0;
                        PFEA.insert_avp("MAC");
                        Tx:PFEA();
                        Disconnect();

(EAP_SUCCESS &&         if (key_available())      CLOSED
!PFER.exist_avp           PFEA.insert_avp("MAC");
("Key-Id")) ||          PFEA.S_flag=0;
[skipping to change at page 27, line 45 (-00) / page 28, line 37 (-01)]
                        Tx:PPR();
                        RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - (re-authentication initiated by PaC)- - - - - -
REAUTH                  SEPARATE=Set|Unset;       WAIT_PRAA
                        1ST_EAP=Unset;
                        if (key_available())
                          PRAR.insert_avp("MAC");
                        Tx:PRAR();
                        RtxTimerStart();
                        SessionTimerStop();       [new in -01]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - (re-authentication initiated by PAA)- - - - - -
Rx:PAR &&               SEPARATE=Set|Unset;       WAIT_EAP_MSG
!eap_piggyback()        1ST_EAP=Unset;
                        EAP_RespTimerStart();
                        TxEAP();
                        if (key_available())
                          PAN.insert_avp("MAC");
                        PAN.S_flag=PAR.S_flag;
                        PAN.N_flag=PAR.N_flag;
                        Tx:PAN();
                        SessionTimerStop();       [new in -01]

Rx:PAR &&               SEPARATE=Set|Unset;       WAIT_EAP_MSG
eap_piggyback()         1ST_EAP=Unset;
                        EAP_RespTimerStart();
                        TxEAP();
                        SessionTimerStop();       [new in -01]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(Session termination initiated by PAA) - - - - - -
Rx:PTR                  if (key_available())      CLOSED
                          PTA.insert_avp("MAC");
                        Tx:PTA();
                        Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(Session termination initiated by PaC) - - - - - -
TERMINATE               if (key_available())      SESS_TERM
                          PTR.insert_avp("MAC");
skipping to change at page 36, line 34 skipping to change at page 37, line 34
PSA.S_flag==0) PSA.S_flag==0)
SEPARATE=Unset; SEPARATE=Unset;
if (PSA.exist_avp if (PSA.exist_avp
("EAP-Payload")) ("EAP-Payload"))
TxEAP(); TxEAP();
else { else {
if (SEPARATE==Set) if (SEPARATE==Set)
NAP_AUTH=Set|Unset; NAP_AUTH=Set|Unset;
EAP_Restart(); EAP_Restart();
} }
RtxTimerStop();
EAP_TIMEOUT if (key_available()) WAIT_PEA EAP_TIMEOUT if (key_available()) WAIT_PEA
PER.insert_avp("MAC"); PER.insert_avp("MAC");
Tx:PER(); Tx:PER();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
------------------- -------------------
State: WAIT_EAP_MSG State: WAIT_EAP_MSG
------------------- -------------------
skipping to change at page 43, line 44 skipping to change at page 44, line 44
Event/Condition Action Exit State Event/Condition Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - (re-authentication initiated by PaC) - - - - - - - - - - - - - - (re-authentication initiated by PaC) - - - - - -
Rx:PRAR if (key_available()) WAIT_EAP_MSG Rx:PRAR if (key_available()) WAIT_EAP_MSG
PRAA.insert_avp("MAC"); PRAA.insert_avp("MAC");
EAP_Restart(); EAP_Restart();
1ST_EAP=Unset; 1ST_EAP=Unset;
NAP_AUTH=Set|Unset; NAP_AUTH=Set|Unset;
Tx:PRAA(); Tx:PRAA();
SessionTimerStop();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (re-authentication initiated by PAA)- - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
REAUTH EAP_Restart(); WAIT_EAP_MSG REAUTH EAP_Restart(); WAIT_EAP_MSG
1ST_EAP=Unset; 1ST_EAP=Unset;
NAP_AUTH=Set|Unset; NAP_AUTH=Set|Unset;
SessionTimerStop();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - (liveness test based on PPR-PPA exchange initiated by PAA)- - - (liveness test based on PPR-PPA exchange initiated by PAA)-
PANA_PING Tx:PPR(); WAIT_PPA PANA_PING Tx:PPR(); WAIT_PPA
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - (liveness test based on PPR-PPA exchange initiated by PaC)- - - (liveness test based on PPR-PPA exchange initiated by PaC)-
Rx:PPR if (key_available()) OPEN Rx:PPR if (key_available()) OPEN
PPA.insert_avp("MAC"); PPA.insert_avp("MAC");
Tx:PPA(); Tx:PPA();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
skipping to change at page 45, line 27 skipping to change at page 46, line 29
PAN.N_flag=1; PAN.N_flag=1;
} }
RtxTimerStop(); RtxTimerStop();
Tx:PAN(); Tx:PAN();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - (PAN without an EAP response) - - - - - - - - - - - - - - - - - (PAN without an EAP response) - - - - - - -
Rx:PAN && RtxTimerStop(); WAIT_PAN_OR_PAR Rx:PAN && RtxTimerStop(); WAIT_PAN_OR_PAR
!PAN.exist_avp !PAN.exist_avp
("EAP-Payload") ("EAP-Payload")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - -(EAP retransmission) - - - - - - - - - -
EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR
PAR.insert_avp("MAC");
if (SEPARATE==Set) {
PAR.S_flag=1;
if (NAP_AUTH==Set)
PAR.N_flag=1;
}
Tx:PAR();
RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - -(EAP authentication timeout)- - - - - - - - - - - - - - - - - -(EAP authentication timeout)- - - - - - - - -
EAP_TIMEOUT && if (key_available()) WAIT_PEA EAP_TIMEOUT && if (key_available()) WAIT_PEA
1ST_EAP==Unset && PER.insert_avp("MAC"); 1ST_EAP==Unset && PER.insert_avp("MAC");
SEPARATE==Unset Tx:PER(); SEPARATE==Unset Tx:PER();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - -(EAP authentication timeout for 1st EAP)- - - - - - - - - - - -(EAP authentication timeout for 1st EAP)- - - - - -
EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA
1ST_EAP==Unset && if (key_available()) 1ST_EAP==Unset && if (key_available())
SEPARATE==Set && PFER.insert_avp("MAC"); SEPARATE==Set && PFER.insert_avp("MAC");
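Review bot: the "(EAP retransmission)" entry for EAP_REQUEST in WAIT_PAN_OR_PAR is dropped in the new revision with no replacement visible in this region, so an EAP_REQUEST delivered by the EAP layer as a retransmission now has no handling in this state. If the intent is that PANA's own retransmission timer (RtxTimerStart()/RtxTimerStop() around Tx:PAR, still present above) is what re-sends a PAR carrying an EAP request, say so explicitly and state that EAP-layer retransmission is expected to be disabled; otherwise the removal should be explained, since without either the two retransmission mechanisms can interleave and produce duplicate PARs.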
skipping to change at page 51, line 40 skipping to change at page 52, line 40
- exit conditions that exist in the OPEN state of the PaC - - exit conditions that exist in the OPEN state of the PaC -
- base protocol state machine. - - base protocol state machine. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
REAUTH SEPARATE=Set|Unset; WAIT_PRAA REAUTH SEPARATE=Set|Unset; WAIT_PRAA
1ST_EAP=Unset; 1ST_EAP=Unset;
PANA_SA_RESUMED=Unset; PANA_SA_RESUMED=Unset;
if (key_available()) if (key_available())
PRAR.insert_avp("MAC"); PRAR.insert_avp("MAC");
Tx:PRAR(); Tx:PRAR();
RtxTimerStart(); RtxTimerStart();
SessionTimerStop();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - (re-authentication initiated by PAA)- - - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG
!eap_piggyback() 1ST_EAP=Unset; !eap_piggyback() 1ST_EAP=Unset;
PANA_SA_RESUMED=Unset; PANA_SA_RESUMED=Unset;
EAP_RespTimerStart(); EAP_RespTimerStart();
TxEAP(); TxEAP();
if (key_available()) if (key_available())
PAN.insert_avp("MAC"); PAN.insert_avp("MAC");
PAN.S_flag=PAR.S_flag; PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag; PAN.N_flag=PAR.N_flag;
Tx:PAN(); Tx:PAN();
SessionTimerStop();
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG
eap_piggyback() 1ST_EAP=Unset; eap_piggyback() 1ST_EAP=Unset;
PANA_SA_RESUMED=Unset; PANA_SA_RESUMED=Unset;
EAP_RespTimerStart(); EAP_RespTimerStart();
TxEAP(); TxEAP();
SessionTimerStop();
8.3 PAA Mobility Optimization 8.3 PAA Mobility Optimization
8.3.1 Procedures 8.3.1 Procedures
boolean retrieve_pana_sa(Session-Id) boolean retrieve_pana_sa(Session-Id)
This procedure returns TRUE when a PANA SA for the PANA Session This procedure returns TRUE when a PANA SA for the PANA Session
corresponds to the specified Session-Id has been retrieved, corresponds to the specified Session-Id has been retrieved,
otherwise returns FALSE. otherwise returns FALSE.
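Review bot: the description of retrieve_pana_sa(Session-Id) reads "a PANA SA for the PANA Session corresponds to the specified Session-Id"; it should read "corresponding to the specified Session-Id". On the transitions, SessionTimerStop() is added to the REAUTH entry and to both Rx:PAR re-authentication entries of the PaC mobility-optimization table, and the same session-timer comment as for the PAA tables applies: nothing here shows where the timer is re-armed. In the two Rx:PAR entries the only timer started is EAP_RespTimerStart(), so those cases in particular should say which timeout bounds a session whose session timer has been stopped while it waits in WAIT_EAP_MSG.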
skipping to change at page 56, line 5 skipping to change at page 57, line 5
filtering that allows the use of only one socket to receive both filtering that allows the use of only one socket to receive both
unicast and specific multicast address. However it might introduce unicast and specific multicast address. However it might introduce
portability problems. portability problems.
10. Security Considerations 10. Security Considerations
This document's intent is to describe the PANA state machines fully. This document's intent is to describe the PANA state machines fully.
To this end, any security concerns with this document are likely a To this end, any security concerns with this document are likely a
reflection of security concerns with PANA itself. reflection of security concerns with PANA itself.
11. Acknowledgments 11. IANA Considerations
This document has no actions for IANA.
12. Acknowledgments
This work was started from state machines originally made by Dan This work was started from state machines originally made by Dan
Forsberg. Forsberg.
12. References 13. References
12.1 Normative References 13.1 Normative References
[I-D.ietf-pana-pana] [I-D.ietf-pana-pana]
Forsberg, D., "Protocol for Carrying Authentication for Forsberg, D., "Protocol for Carrying Authentication for
Network Access (PANA)", draft-ietf-pana-pana-08 (work in Network Access (PANA)", draft-ietf-pana-pana-08 (work in
progress), May 2005. progress), May 2005.
[I-D.ietf-eap-statemachine] [I-D.ietf-eap-statemachine]
Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba,
"State Machines for Extensible Authentication Protocol "State Machines for Extensible Authentication Protocol
(EAP) Peer and Authenticator", (EAP) Peer and Authenticator",
draft-ietf-eap-statemachine-06 (work in progress), draft-ietf-eap-statemachine-06 (work in progress),
December 2004. December 2004.
[I-D.ietf-pana-mobopts] [I-D.ietf-pana-mobopts]
Forsberg, D., "PANA Mobility Optimizations", Forsberg, D., "PANA Mobility Optimizations",
draft-ietf-pana-mobopts-00 (work in progress), draft-ietf-pana-mobopts-00 (work in progress),
January 2005. January 2005.
12.2 Informative References 13.2 Informative References
[I-D.ietf-pana-requirements] [RFC4058] Yegin, A., Ohba, Y., Penno, R., Tsirtsis, G., and C. Wang,
Yegin, A. and Y. Ohba, "Protocol for Carrying "Protocol for Carrying Authentication for Network Access
Authentication for Network Access (PANA)Requirements", (PANA) Requirements", RFC 4058, May 2005.
draft-ietf-pana-requirements-09 (work in progress),
August 2004.
[I-D.ietf-pana-snmp] [I-D.ietf-pana-snmp]
Mghazli, Y., "SNMP usage for PAA-EP interface", Mghazli, Y., "SNMP usage for PAA-EP interface",
draft-ietf-pana-snmp-03 (work in progress), February 2005. draft-ietf-pana-snmp-04 (work in progress), July 2005.
Authors' Addresses Authors' Addresses
Victor Fajardo Victor Fajardo
Toshiba America Research, Inc. Toshiba America Research, Inc.
1 Telcordia Drive 1 Telcordia Drive
Piscataway, NJ 08854 Piscataway, NJ 08854
USA USA
Phone: +1 732 699 5368 Phone: +1 732 699 5368
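Review bot: Section 10 "Security Considerations" still says any concerns are a reflection of PANA itself, but this revision adds SessionTimerStop() to the re-authentication entries of both the PaC and PAA tables shown above; that is a state-machine decision with a security consequence (a session whose re-authentication is started but never completed no longer expires on the session timer) and deserves a sentence here naming the timeout, EAP_TIMEOUT or otherwise, that bounds it. The remainder of the region (the new Section 11 "IANA Considerations" with no actions for IANA, the renumbering of Acknowledgments and References, RFC 4058 replacing draft-ietf-pana-requirements-09, and draft-ietf-pana-snmp bumped to -04, July 2005) needs no change.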
 End of changes. 

This html diff was produced by rfcdiff 1.25, available from http://www.levkowetz.com/ietf/tools/rfcdiff/