--- 1/draft-ietf-pana-statemachine-00.txt 2006-02-05 01:00:43.000000000 +0100 +++ 2/draft-ietf-pana-statemachine-01.txt 2006-02-05 01:00:43.000000000 +0100 @@ -1,21 +1,21 @@ PANA Working Group V. Fajardo Internet-Draft Y. Ohba -Expires: December 12, 2005 TARI +Expires: January 12, 2006 TARI R. Lopez Univ. of Murcia - June 10, 2005 + July 11, 2005 State Machines for Protocol for Carrying Authentication for Network Access (PANA) - draft-ietf-pana-statemachine-00 + draft-ietf-pana-statemachine-01 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -26,21 +26,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on December 12, 2005. + This Internet-Draft will expire on January 12, 2006. Copyright Notice Copyright (C) The Internet Society (2005). Abstract This document defines the conceptual state machines for the Protocol for Carrying Authentication for Network Access (PANA). The state machines consist of the PANA Client (PaC) state machine and the PANA 
@@ -52,72 +52,73 @@ Implementations may achieve the same results using different methods. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 5 3. Document Authority . . . . . . . . . . . . . . . . . . . . . . 7 4. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 8 5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10 5.1 Common Procedures . . . . . . . . . . . . . . . . . . . . 10 - 5.2 Common Variables . . . . . . . . . . . . . . . . . . . . . 11 + 5.2 Common Variables . . . . . . . . . . . . . . . . . . . . . 12 5.3 Constants . . . . . . . . . . . . . . . . . . . . . . . . 13 5.4 Common Message Initialization Rules . . . . . . . . . . . 14 5.5 Common Error Handling Rules . . . . . . . . . . . . . . . 14 5.6 Common State Transitions . . . . . . . . . . . . . . . . . 14 6. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 16 6.1 Interface between PaC and EAP Peer . . . . . . . . . . . . 16 6.1.1 Delivering EAP Messages from PaC to EAP Peer . . . . . 16 6.1.2 Delivering EAP Responses from EAP Peer to PaC . . . . 16 6.1.3 EAP Restart Notification from PaC to EAP Peer . . . . 16 6.1.4 EAP Authentication Result Notification from EAP Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17 6.1.5 Alternate Failure Notification from PaC to EAP Peer . 17 6.1.6 EAP Invalid Message Notification from EAP Peer to PaC . . . . . . . . . . . . . . . . . . . . . . . . . 17 6.2 Variables . . . . . . . . . . . . . . . . . . . . . . . . 17 6.3 Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18 6.4 PaC State Transition Table . . . . . . . . . . . . . . . . 19 - 7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 30 - 7.1 Interface between PAA and EAP Authenticator . . . . . . . 30 + 7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 31 + 7.1 Interface between PAA and EAP Authenticator . . . . . . . 
31 7.1.1 EAP Restart Notification from PAA to EAP - Authenticator . . . . . . . . . . . . . . . . . . . . 30 + Authenticator . . . . . . . . . . . . . . . . . . . . 31 7.1.2 Delivering EAP Responses from PAA to EAP - Authenticator . . . . . . . . . . . . . . . . . . . . 30 + Authenticator . . . . . . . . . . . . . . . . . . . . 31 7.1.3 Delivering EAP Messages from EAP Authenticator to - PAA . . . . . . . . . . . . . . . . . . . . . . . . . 30 + PAA . . . . . . . . . . . . . . . . . . . . . . . . . 31 7.1.4 EAP Authentication Result Notification from EAP - Authenticator to PAA . . . . . . . . . . . . . . . . . 30 - 7.2 Variables . . . . . . . . . . . . . . . . . . . . . . . . 31 - 7.3 Procedures . . . . . . . . . . . . . . . . . . . . . . . . 33 - 7.4 PAA State Transition Table . . . . . . . . . . . . . . . . 33 - 8. Mobility Optimization Support . . . . . . . . . . . . . . . . 48 - 8.1 Common Variables . . . . . . . . . . . . . . . . . . . . . 48 - 8.2 PaC Mobility Optimization State Machine . . . . . . . . . 48 - 8.2.1 Variables . . . . . . . . . . . . . . . . . . . . . . 48 - 8.2.2 Procedures . . . . . . . . . . . . . . . . . . . . . . 49 + Authenticator to PAA . . . . . . . . . . . . . . . . . 31 + 7.2 Variables . . . . . . . . . . . . . . . . . . . . . . . . 32 + 7.3 Procedures . . . . . . . . . . . . . . . . . . . . . . . . 34 + 7.4 PAA State Transition Table . . . . . . . . . . . . . . . . 34 + 8. Mobility Optimization Support . . . . . . . . . . . . . . . . 49 + 8.1 Common Variables . . . . . . . . . . . . . . . . . . . . . 49 + 8.2 PaC Mobility Optimization State Machine . . . . . . . . . 49 + 8.2.1 Variables . . . . . . . . . . . . . . . . . . . . . . 49 + 8.2.2 Procedures . . . . . . . . . . . . . . . . . . . . . . 50 8.2.3 PaC Mobility Optimization State Transition Table - Addendum . . . . . . . . . . . . . . . . . . . . . . . 49 - 8.3 PAA Mobility Optimization . . . . . . . . . . . . . . . . 52 - 8.3.1 Procedures . . . . . . . . . . . . . . . . . . . . 
. . 52 + Addendum . . . . . . . . . . . . . . . . . . . . . . . 50 + 8.3 PAA Mobility Optimization . . . . . . . . . . . . . . . . 53 + 8.3.1 Procedures . . . . . . . . . . . . . . . . . . . . . . 53 8.3.2 PAA Mobility Optimization State Transition Table - Addendum . . . . . . . . . . . . . . . . . . . . . . . 52 - 9. Implementation Considerations . . . . . . . . . . . . . . . . 54 - 9.1 PAA and PaC Interface to Service Management Entity . . . . 54 - 9.2 Multicast Traffic . . . . . . . . . . . . . . . . . . . . 54 - 10. Security Considerations . . . . . . . . . . . . . . . . . . 55 - 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 56 - 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 57 - 12.1 Normative References . . . . . . . . . . . . . . . . . . . 57 - 12.2 Informative References . . . . . . . . . . . . . . . . . . 57 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 57 - Intellectual Property and Copyright Statements . . . . . . . . 59 + Addendum . . . . . . . . . . . . . . . . . . . . . . . 53 + 9. Implementation Considerations . . . . . . . . . . . . . . . . 55 + 9.1 PAA and PaC Interface to Service Management Entity . . . . 55 + 9.2 Multicast Traffic . . . . . . . . . . . . . . . . . . . . 55 + 10. Security Considerations . . . . . . . . . . . . . . . . . . 56 + 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 57 + 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 58 + 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 59 + 13.1 Normative References . . . . . . . . . . . . . . . . . . . 59 + 13.2 Informative References . . . . . . . . . . . . . . . . . . 59 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 59 + Intellectual Property and Copyright Statements . . . . . . . . 61 1. Introduction This document defines the state machines for Protocol Carrying Authentication for Network Access (PANA) [I-D.ietf-pana-pana]. 
There are state machines for the PANA client (PaC) and for the PANA Authentication Agent (PAA). Each state machine is specified through a set of variables, procedures and a state transition table. A PANA protocol execution consists of several exchanges to carry @@ -247,23 +248,23 @@ eap-statemachine] are executed on entry to a state, which is one major difference from this document.) Each exit action is deemed to be atomic; i.e., execution of an exit action completes before the next sequential exit action starts to execute. No exit action execute outside of a state block. The exit actions in only one state block execute at a time even if the conditions for execution of state blocks in different state machines are satisfied. All exit actions in an executing state block complete execution before the transition to and execution of any other state blocks. The execution of any state block appears to be atomic with respect to the execution of any - other state block and the transition condition to that state from - the previous state is TRUE when execution commences. The order - of execution of state blocks in different state machines is undefined + other state block and the transition condition to that state from the + previous state is TRUE when execution commences. The order of + execution of state blocks in different state machines is undefined except as constrained by their transition conditions. A variable that is set to a particular value in a state block retains this value until a subsequent state block executes an exit action that modifies the value. On completion of the transition from the previous state to the current state, all exit conditions occurring during the current state (including exit conditions defined for the wildcard state) are evaluated until an exit condition for that state is met. 
@@ -318,20 +319,24 @@ variable to zero and set an appropriate value to RTX_MAX_NUM variable. void RtxTimerStop() A procedure to stop the retransmission timer. void SessionTimerStart() A procedure to start PANA session timer. + void SessionTimerStop() + + A procedure to stop the PANA session timer. + void Retransmit() A procedure to retransmit a PANA message and increment RTX_COUNTER by one(1). void EAP_Restart() A procedure to (re)start an EAP conversation resulting in the re- initialization of an existing EAP session. @@ -664,20 +670,26 @@ This procedure returns TRUE when the PaC chooses one ISP, otherwise returns FALSE. boolean ppac_available() This procedure returns TRUE when the Post-PANA-Address- Configuration method specified by the PAA is available in the PaC and that the PaC will be able to comply. + boolean pcap_supported() + + This procedure returns TRUE when the cryptographic data protection + supplied in the Protection-Capability AVP can be supported by the + PaC. + boolean eap_piggyback() This procedures returns TRUE to indicate whether the next EAP response will be carried in the pending PAN message for optimization. void alt_reject() This procedure informs the EAP peer of an authentication failure event without accompanying an EAP message. @@ -697,21 +709,20 @@ ------------------------------ State: OFFLINE (Initial State) ------------------------------ Initialization Action: SEPARATE=Set|Unset; CARRY_DEVICE_ID=Unset; 1ST_EAP=Unset; RtxTimerStop(); - EAP_Restart(); Exit Condition Exit Action Exit State ------------------------+--------------------------+-------------- - - - - - - - - - - - - - (PSR processing) - - - - - - - - - - - Rx:PSR && RtxTimerStop(); WAIT_EAP_MSG_ PSR.exist_avp EAP_Restart(); IN_DISC ("EAP-Payload") TxEAP(); SEPARATE=Unset; Rx:PSR && RtxTimerStop(); WAIT_PAA 
@@ -746,30 +757,31 @@ (PSR.S_flag!=1 || Tx:PSA(); SEPARATE==Unset) && SEPARATE=Unset; !PSR.exist_avp EAP_Restart(); ("Cookie") - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Authentication trigger from application) - - - AUTH_USER Tx:PDI(); OFFLINE RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------------------- State: WAIT_EAP_MSG_IN_DISC --------------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - (Return PSA with EAP-Payload) - - - - - - EAP_RESPONSE PSA.insert_avp WAIT_PAA - ("EAP-Payload")) + ("EAP-Payload") + if (choose_isp()) + PSA.insert_avp("ISP"); Tx:PSA(); EAP_RESP_TIMEOUT || None(); OFFLINE EAP_INVALID_MSG - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------- State: WAIT_PAA --------------- 
@@ -938,74 +949,109 @@ PAR.S_flag=PAN.S_flag; PAR.N_flag=PAN.N_flag; Tx:PAR(); RtxTimerStart(); EAP_RESP_TIMEOUT if (key_available()) WAIT_PAA PAN.insert_avp("MAC"); PAN.S_flag=PAR.S_flag; PAN.N_flag=PAR.N_flag; Tx:PAN(); - EAP_INVALID_MSG || None(); WAIT_PAA EAP_SUCCESS || EAP_FAILURE - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ---------------------- State: WAIT_EAP_RESULT ---------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - - + - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - EAP_SUCCESS && PBA.insert_avp("MAC"); OPEN PBR.exist_avp PBA.insert_avp("Key-Id"); ("Key-Id") && if (CARRY_DEVICE_ID) - ppac_available() PBA.insert_avp - ("Device-Id"); - PBA.insert_avp("PPAC"); - Tx:PBA(); - Authorize(); - SessionTimerStart(); + ppac_available() && PBA.insert_avp + (!PBR.exist_avp ("Device-Id"); + ("Protection- PBA.insert_avp("PPAC"); + Capability") || Tx:PBA(); + (PBR.exist_avp Authorize(); + ("Protection- SessionTimerStart(); + Capability") && + pcap_supported())) EAP_SUCCESS && if (key_available()) OPEN !PBR.exist_avp PBA.insert_avp("MAC"); ("Key-Id") && if (CARRY_DEVICE_ID) - ppac_available() PBA.insert_avp - ("Device-Id"); - PBA.insert_avp("PPAC"); - Tx:PBA(); - Authorize(); - SessionTimerStart(); + ppac_available() && PBA.insert_avp + (!PBR.exist_avp ("Device-Id"); + ("Protection- PBA.insert_avp("PPAC"); + Capability") || Tx:PBA(); + (PBR.exist_avp Authorize(); + ("Protection- SessionTimerStart(); + Capability") && + pcap_supported())) EAP_SUCCESS && if (key_available()) WAIT_PEA !ppac_available() PER.insert_avp("MAC"); PER.RESULT_CODE= PANA_PPAC_CAPABILITY_ UNSUPPORTED Tx:PER(); RtxTimerStart(); - EAP_FAILURE if (key_available()) CLOSED - PBA.insert_avp("MAC"); - Tx:PBA(); + EAP_SUCCESS && if (key_available()) WAIT_PEA + (PBR.exist_avp PER.insert_avp("MAC"); + ("Protection- PER.RESULT_CODE= + 
Capability") && PANA_PROTECTION_ + !pcap_supported()) CAPABILITY_UNSUPPORTED + Tx:PER(); + RtxTimerStart(); + + EAP_FAILURE && if (key_available()) OPEN + (SEPARATE==Set) && PBA.insert_avp("MAC"); + ppac_available() && if (CARRY_DEVICE_ID) + (!PBR.exist_avp PBA.insert_avp + ("Protection- ("Device-Id"); + Capability") || PBA.insert_avp("PPAC"); + (PBR.exist_avp Tx:PBA(); + ("Protection- Authorize(); + Capability") && SessionTimerStart(); + pcap_supported())) + + EAP_FAILURE && if (key_available()) WAIT_PEA + (SEPARATE==Set) && PER.insert_avp("MAC"); + !ppac_available() PER.RESULT_CODE= + PANA_PPAC_CAPABILITY_ + UNSUPPORTED + Tx:PER(); + RtxTimerStart(); + + EAP_FAILURE && if (key_available()) WAIT_PEA + (SEPARATE==Set) && PER.insert_avp("MAC"); + (PBR.exist_avp PER.RESULT_CODE= + ("Protection- PANA_PROTECTION_ + Capability") && CAPABILITY_UNSUPPORTED + !pcap_supported()) Tx:PER(); + RtxTimerStart(); EAP_INVALID_MSG None(); WAIT_PAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---------------------------- State: WAIT_EAP_RESULT_CLOSE ---------------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - - + - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - EAP_SUCCESS && PBA.insert_avp("MAC"); CLOSED PBR.exist_avp PBA.insert_avp("Key-Id"); ("Key-Id") Tx:PBA(); Disconnect(); EAP_SUCCESS && if (key_available()) CLOSED !PBR.exist_avp PBA.insert_avp("MAC"); ("Key-Id") Tx:PBA(); Disconnect(); 
@@ -1014,21 +1060,21 @@ EAP_INVALID_MSG None(); WAIT_PAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -------------------------- State: WAIT_1ST_EAP_RESULT -------------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - - + - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - - EAP_SUCCESS && PFEA.insert_avp("Key-Id"); WAIT_PAA PFER.exist_avp PFEA.S_flag=1; ("Key-Id") PFEA.N_flag=PFER.N_flag; PFEA.insert_avp("MAC"); Tx:PFEA(); EAP_Restart(); (EAP_SUCCESS && if (key_available()) WAIT_PAA !PFER.exist_avp PFEA.insert_avp("MAC"); ("Key-Id")) || PFEA.S_flag=1; @@ -1038,21 +1084,21 @@ EAP_INVALID_MSG EAP_Restart(); WAIT_PAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -------------------------------- State: WAIT_1ST_EAP_RESULT_CLOSE -------------------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - - (Return PSA)- - - - - - - - - - - - + - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - - EAP_SUCCESS && PFEA.insert_avp("Key-Id"); CLOSED PFER.exist_avp PFEA.S_flag=0; ("Key-Id") PFEA.N_flag=0; PFEA.insert_avp("MAC"); Tx:PFEA(); Disconnect(); (EAP_SUCCESS && if (key_available()) CLOSED !PFER.exist_avp PFEA.insert_avp("MAC"); ("Key-Id")) || PFEA.S_flag=0; 
@@ -1080,36 +1126,39 @@ Tx:PPR(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (re-authentication initiated by PaC)- - - - - - REAUTH SEPARATE=Set|Unset; WAIT_PRAA 1ST_EAP=Unset; if (key_available()) PRAR.insert_avp("MAC"); Tx:PRAR(); RtxTimerStart(); + SessionTimerStop(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - - Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG !eap_piggyback() 1ST_EAP=Unset; EAP_RespTimerStart(); TxEAP(); if (key_available()) PAN.insert_avp("MAC"); PAN.S_flag=PAR.S_flag; PAN.N_flag=PAR.N_flag; Tx:PAN(); + SessionTimerStop(); Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG eap_piggyback() 1ST_EAP=Unset; EAP_RespTimerStart(); TxEAP(); + SessionTimerStop(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Session termination initiated by PAA) - - - - - - Rx:PTR if (key_available()) CLOSED PTA.insert_avp("MAC"); Tx:PTA(); Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Session termination initiated by PaC) - - - - - - TERMINATE if (key_available()) SESS_TERM PTR.insert_avp("MAC"); @@ -1480,20 +1529,21 @@ PSA.S_flag==0) SEPARATE=Unset; if (PSA.exist_avp ("EAP-Payload")) TxEAP(); else { if (SEPARATE==Set) NAP_AUTH=Set|Unset; EAP_Restart(); } + RtxTimerStop(); EAP_TIMEOUT if (key_available()) WAIT_PEA PER.insert_avp("MAC"); Tx:PER(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ------------------- State: WAIT_EAP_MSG ------------------- 
@@ -1822,25 +1872,27 @@ Event/Condition Action Exit State ------------------------+--------------------------+------------ - - - - - - - - (re-authentication initiated by PaC) - - - - - - Rx:PRAR if (key_available()) WAIT_EAP_MSG PRAA.insert_avp("MAC"); EAP_Restart(); 1ST_EAP=Unset; NAP_AUTH=Set|Unset; Tx:PRAA(); + SessionTimerStop(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - - REAUTH EAP_Restart(); WAIT_EAP_MSG 1ST_EAP=Unset; NAP_AUTH=Set|Unset; + SessionTimerStop(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (liveness test based on PPR-PPA exchange initiated by PAA)- PANA_PING Tx:PPR(); WAIT_PPA RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (liveness test based on PPR-PPA exchange initiated by PaC)- Rx:PPR if (key_available()) OPEN PPA.insert_avp("MAC"); Tx:PPA(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
@@ -1899,20 +1952,31 @@ PAN.N_flag=1; } RtxTimerStop(); Tx:PAN(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (PAN without an EAP response) - - - - - - - Rx:PAN && RtxTimerStop(); WAIT_PAN_OR_PAR !PAN.exist_avp ("EAP-Payload") - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - -(EAP retransmission) - - - - - - - - - - + EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR + PAR.insert_avp("MAC"); + if (SEPARATE==Set) { + PAR.S_flag=1; + if (NAP_AUTH==Set) + PAR.N_flag=1; + } + Tx:PAR(); + RtxTimerStart(); + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(EAP authentication timeout)- - - - - - - - - EAP_TIMEOUT && if (key_available()) WAIT_PEA 1ST_EAP==Unset && PER.insert_avp("MAC"); SEPARATE==Unset Tx:PER(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(EAP authentication timeout for 1st EAP)- - - - - - EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA 1ST_EAP==Unset && if (key_available()) SEPARATE==Set && PFER.insert_avp("MAC"); 
@@ -2169,37 +2233,41 @@ - exit conditions that exist in the OPEN state of the PaC - - base protocol state machine. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - REAUTH SEPARATE=Set|Unset; WAIT_PRAA 1ST_EAP=Unset; PANA_SA_RESUMED=Unset; if (key_available()) PRAR.insert_avp("MAC"); Tx:PRAR(); RtxTimerStart(); + SessionTimerStop(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - - Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG !eap_piggyback() 1ST_EAP=Unset; PANA_SA_RESUMED=Unset; EAP_RespTimerStart(); TxEAP(); if (key_available()) PAN.insert_avp("MAC"); PAN.S_flag=PAR.S_flag; PAN.N_flag=PAR.N_flag; Tx:PAN(); + SessionTimerStop(); + Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG eap_piggyback() 1ST_EAP=Unset; PANA_SA_RESUMED=Unset; EAP_RespTimerStart(); TxEAP(); + SessionTimerStop(); 8.3 PAA Mobility Optimization 8.3.1 Procedures boolean retrieve_pana_sa(Session-Id) This procedure returns TRUE when a PANA SA for the PANA Session corresponds to the specified Session-Id has been retrieved, otherwise returns FALSE. 
@@ -2282,57 +2350,59 @@ filtering that allows the use of only one socket to receive both unicast and specific multicast address. However it might introduce portability problems. 10. Security Considerations This document's intent is to describe the PANA state machines fully. To this end, any security concerns with this document are likely a reflection of security concerns with PANA itself. -11. Acknowledgments +11. IANA Considerations + + This document has no actions for IANA. + +12. Acknowledgments This work was started from state machines originally made by Dan Forsberg. -12. References +13. References -12.1 Normative References +13.1 Normative References [I-D.ietf-pana-pana] Forsberg, D., "Protocol for Carrying Authentication for Network Access (PANA)", draft-ietf-pana-pana-08 (work in progress), May 2005. [I-D.ietf-eap-statemachine] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, "State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator", draft-ietf-eap-statemachine-06 (work in progress), December 2004. [I-D.ietf-pana-mobopts] Forsberg, D., "PANA Mobility Optimizations", draft-ietf-pana-mobopts-00 (work in progress), January 2005. -12.2 Informative References +13.2 Informative References - [I-D.ietf-pana-requirements] - Yegin, A. and Y. Ohba, "Protocol for Carrying - Authentication for Network Access (PANA)Requirements", - draft-ietf-pana-requirements-09 (work in progress), - August 2004. + [RFC4058] Yegin, A., Ohba, Y., Penno, R., Tsirtsis, G., and C. Wang, + "Protocol for Carrying Authentication for Network Access + (PANA) Requirements", RFC 4058, May 2005. [I-D.ietf-pana-snmp] Mghazli, Y., "SNMP usage for PAA-EP interface", - draft-ietf-pana-snmp-03 (work in progress), February 2005. + draft-ietf-pana-snmp-04 (work in progress), July 2005. Authors' Addresses Victor Fajardo Toshiba America Research, Inc. 1 Telcordia Drive Piscataway, NJ 08854 USA Phone: +1 732 699 5368
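Review bot: in the @@ -697,21 +709,20 @@ hunk, dropping `EAP_Restart();` from the OFFLINE initialization action is consistent with the `Rx:PSR` rows beneath it, which already call `EAP_Restart();` before `TxEAP();` or `Tx:PSA();`, but the AUTH_USER row in the following hunk (`Tx:PDI(); RtxTimerStart();` with exit state OFFLINE) now re-enters OFFLINE without any EAP reinitialization. Confirm that the EAP peer does not need to be reset on that path, or add a sentence saying the restart is deferred to the PSR that answers the PDI.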
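Review bot: in the @@ -746,30 +757,31 @@ hunk, the new `if (choose_isp()) PSA.insert_avp("ISP");` is added only to the EAP_RESPONSE row of WAIT_EAP_MSG_IN_DISC, while the PSA transmitted directly on the `!PSR.exist_avp("Cookie")` row at the top of the same hunk still does a bare `Tx:PSA();`. A PaC that receives a PSR without an EAP-Payload therefore never selects an ISP. Either add the same two lines before that `Tx:PSA();` or explain why ISP selection only applies when the PSR already carries an EAP-Payload.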
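Review bot: in the @@ -938,74 +949,109 @@ hunk, the unconditional `EAP_FAILURE ... CLOSED` row of WAIT_EAP_RESULT is deleted and every replacement row is guarded by `(SEPARATE==Set)`, so the state no longer shows an exit for EAP_FAILURE when SEPARATE is Unset; unless the wildcard state covers it, restore an `EAP_FAILURE && SEPARATE==Unset` row with the MAC-protected `Tx:PBA();` and exit state CLOSED so a failed single authentication cannot leave the PaC parked in WAIT_EAP_RESULT. Two smaller points on the same rows: the `!ppac_available()` and `Protection-Capability && !pcap_supported()` error rows are not mutually exclusive, so when both hold the RESULT_CODE sent depends on evaluation order (adding `ppac_available() &&` to the protection-capability rows makes them disjoint), and the `EAP_FAILURE && (SEPARATE==Set)` row that exits to OPEN calls `Authorize()` without consulting 1ST_EAP, so the text should state explicitly that this row is reachable only when the first EAP conversation succeeded.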
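Review bot: in the @@ -1080,36 +1126,39 @@ hunk, `SessionTimerStop();` is appended to all three re-authentication rows of OPEN, which means the session lifetime stops being enforced from the moment re-authentication begins, and only the success rows of WAIT_EAP_RESULT call `SessionTimerStart()` again. A re-authentication that never completes (PAA unreachable after the PRAR, or an EAP conversation that stalls) is then bounded only by the retransmission and EAP response timers, not by the session lifetime. Either keep the session timer running until the new `Authorize(); SessionTimerStart();` replaces it, or state that RtxTimer expiry is the intended bound; the same comment applies to the PAA rows in the @@ -1822,25 +1872,27 @@ hunk and the mobility addendum rows in the @@ -2169,37 +2233,41 @@ hunk.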
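Review bot: in the @@ -1899,20 +1952,31 @@ hunk, the new `EAP_REQUEST` row of WAIT_PAN_OR_PAR calls `RtxTimerStart();` without a preceding `RtxTimerStop();`, unlike the `Rx:PAN` rows above it. The PAA is already in WAIT_PAN_OR_PAR with a retransmission timer running for the outstanding PAR, and `RtxTimerStart()` is described at the start of the @@ -318,20 +319,24 @@ hunk as zeroing the retransmission counter, so every EAP-layer retransmission resets the PANA retransmission budget. Insert `RtxTimerStop();` before `Tx:PAR();` on this row, or document that the counter reset is intended, so that the total number of PAR retransmissions stays bounded by RTX_MAX_NUM.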
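Review bot: in the @@ -2282,57 +2350,59 @@ hunk, Section 10 is left unchanged although this revision introduces Protection-Capability negotiation (`pcap_supported()` and the PANA_PROTECTION_CAPABILITY_UNSUPPORTED result code in the WAIT_EAP_RESULT rows). The decision encoded in those rows, sending a PER instead of completing the session with a PBA when the PaC cannot support the requested protection, avoids a silent downgrade to an unprotected session and deserves a sentence in the Security Considerations rather than being left implicit in the state table.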