draft-ietf-pana-statemachine-01.txt | draft-ietf-pana-statemachine-02.txt | |||
---|---|---|---|---|
PANA Working Group V. Fajardo | PANA Working Group V. Fajardo | |||
Internet-Draft Y. Ohba | Internet-Draft Y. Ohba | |||
Expires: January 12, 2006 TARI | Expires: April 21, 2006 TARI | |||
R. Lopez | R. Lopez | |||
Univ. of Murcia | Univ. of Murcia | |||
July 11, 2005 | October 18, 2005 | |||
State Machines for Protocol for Carrying Authentication for Network | State Machines for Protocol for Carrying Authentication for Network | |||
Access (PANA) | Access (PANA) | |||
draft-ietf-pana-statemachine-01 | draft-ietf-pana-statemachine-02 | |||
Status of this Memo | Status of this Memo | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
skipping to change at page 1, line 37 | skipping to change at page 1, line 37 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on January 12, 2006. | This Internet-Draft will expire on April 21, 2006. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2005). | |||
Abstract | Abstract | |||
This document defines the conceptual state machines for the Protocol | This document defines the conceptual state machines for the Protocol | |||
for Carrying Authentication for Network Access (PANA). The state | for Carrying Authentication for Network Access (PANA). The state | |||
machines consist of the PANA Client (PaC) state machine and the PANA | machines consist of the PANA Client (PaC) state machine and the PANA | |||
skipping to change at page 2, line 16 | skipping to change at page 2, line 16 | |||
The state machines and associated model are informative only. | The state machines and associated model are informative only. | |||
Implementations may achieve the same results using different methods. | Implementations may achieve the same results using different methods. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
2. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 5 | 2. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 5 | |||
3. Document Authority . . . . . . . . . . . . . . . . . . . . . . 7 | 3. Document Authority . . . . . . . . . . . . . . . . . . . . . . 7 | |||
4. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 4. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
5.1 Common Procedures . . . . . . . . . . . . . . . . . . . . 10 | 5.1. Common Procedures . . . . . . . . . . . . . . . . . . . . 10 | |||
5.2 Common Variables . . . . . . . . . . . . . . . . . . . . . 12 | 5.2. Common Variables . . . . . . . . . . . . . . . . . . . . . 12 | |||
5.3 Constants . . . . . . . . . . . . . . . . . . . . . . . . 13 | 5.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
5.4 Common Message Initialization Rules . . . . . . . . . . . 14 | 5.4. Common Message Initialization Rules . . . . . . . . . . . 13 | |||
5.5 Common Error Handling Rules . . . . . . . . . . . . . . . 14 | 5.5. Common Error Handling Rules . . . . . . . . . . . . . . . 14 | |||
5.6 Common State Transitions . . . . . . . . . . . . . . . . . 14 | 5.6. Common State Transitions . . . . . . . . . . . . . . . . . 14 | |||
6. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 16 | 6. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 16 | |||
6.1 Interface between PaC and EAP Peer . . . . . . . . . . . . 16 | 6.1. Interface between PaC and EAP Peer . . . . . . . . . . . . 16 | |||
6.1.1 Delivering EAP Messages from PaC to EAP Peer . . . . . 16 | 6.1.1. Delivering EAP Messages from PaC to EAP Peer . . . . . 16 | |||
6.1.2 Delivering EAP Responses from EAP Peer to PaC . . . . 16 | 6.1.2. Delivering EAP Responses from EAP Peer to PaC . . . . 16 | |||
6.1.3 EAP Restart Notification from PaC to EAP Peer . . . . 16 | 6.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 16 | |||
6.1.4 EAP Authentication Result Notification from EAP | 6.1.4. EAP Authentication Result Notification from EAP | |||
Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17 | Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17 | |||
6.1.5 Alternate Failure Notification from PaC to EAP Peer . 17 | 6.1.5. Alternate Failure Notification from PaC to EAP Peer . 17 | |||
6.1.6 EAP Invalid Message Notification from EAP Peer to | 6.1.6. EAP Invalid Message Notification from EAP Peer to | |||
PaC . . . . . . . . . . . . . . . . . . . . . . . . . 17 | PaC . . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
6.2 Variables . . . . . . . . . . . . . . . . . . . . . . . . 17 | 6.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
6.3 Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18 | 6.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
6.4 PaC State Transition Table . . . . . . . . . . . . . . . . 19 | 6.4. PaC State Transition Table . . . . . . . . . . . . . . . . 19 | |||
7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 31 | 7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 31 | |||
7.1 Interface between PAA and EAP Authenticator . . . . . . . 31 | 7.1. Interface between PAA and EAP Authenticator . . . . . . . 31 | |||
7.1.1 EAP Restart Notification from PAA to EAP | 7.1.1. EAP Restart Notification from PAA to EAP | |||
Authenticator . . . . . . . . . . . . . . . . . . . . 31 | Authenticator . . . . . . . . . . . . . . . . . . . . 31 | |||
7.1.2 Delivering EAP Responses from PAA to EAP | 7.1.2. Delivering EAP Responses from PAA to EAP | |||
Authenticator . . . . . . . . . . . . . . . . . . . . 31 | Authenticator . . . . . . . . . . . . . . . . . . . . 31 | |||
7.1.3 Delivering EAP Messages from EAP Authenticator to | 7.1.3. Delivering EAP Messages from EAP Authenticator to | |||
PAA . . . . . . . . . . . . . . . . . . . . . . . . . 31 | PAA . . . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
7.1.4 EAP Authentication Result Notification from EAP | 7.1.4. EAP Authentication Result Notification from EAP | |||
Authenticator to PAA . . . . . . . . . . . . . . . . . 31 | Authenticator to PAA . . . . . . . . . . . . . . . . . 31 | |||
7.2 Variables . . . . . . . . . . . . . . . . . . . . . . . . 32 | 7.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 32 | |||
7.3 Procedures . . . . . . . . . . . . . . . . . . . . . . . . 34 | 7.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 34 | |||
7.4 PAA State Transition Table . . . . . . . . . . . . . . . . 34 | 7.4. PAA State Transition Table . . . . . . . . . . . . . . . . 34 | |||
8. Mobility Optimization Support . . . . . . . . . . . . . . . . 49 | 8. Mobility Optimization Support . . . . . . . . . . . . . . . . 49 | |||
8.1 Common Variables . . . . . . . . . . . . . . . . . . . . . 49 | 8.1. Common Variables . . . . . . . . . . . . . . . . . . . . . 49 | |||
8.2 PaC Mobility Optimization State Machine . . . . . . . . . 49 | 8.2. PaC Mobility Optimization State Machine . . . . . . . . . 49 | |||
8.2.1 Variables . . . . . . . . . . . . . . . . . . . . . . 49 | 8.2.1. Variables . . . . . . . . . . . . . . . . . . . . . . 49 | |||
8.2.2 Procedures . . . . . . . . . . . . . . . . . . . . . . 50 | 8.2.2. Procedures . . . . . . . . . . . . . . . . . . . . . . 50 | |||
8.2.3 PaC Mobility Optimization State Transition Table | 8.2.3. PaC Mobility Optimization State Transition Table | |||
Addendum . . . . . . . . . . . . . . . . . . . . . . . 50 | Addendum . . . . . . . . . . . . . . . . . . . . . . . 50 | |||
8.3 PAA Mobility Optimization . . . . . . . . . . . . . . . . 53 | 8.3. PAA Mobility Optimization . . . . . . . . . . . . . . . . 53 | |||
8.3.1 Procedures . . . . . . . . . . . . . . . . . . . . . . 53 | 8.3.1. Procedures . . . . . . . . . . . . . . . . . . . . . . 53 | |||
8.3.2 PAA Mobility Optimization State Transition Table | 8.3.2. PAA Mobility Optimization State Transition Table | |||
Addendum . . . . . . . . . . . . . . . . . . . . . . . 53 | Addendum . . . . . . . . . . . . . . . . . . . . . . . 53 | |||
9. Implementation Considerations . . . . . . . . . . . . . . . . 55 | 9. Implementation Considerations . . . . . . . . . . . . . . . . 55 | |||
9.1 PAA and PaC Interface to Service Management Entity . . . . 55 | 9.1. PAA and PaC Interface to Service Management Entity . . . . 55 | |||
9.2 Multicast Traffic . . . . . . . . . . . . . . . . . . . . 55 | 9.2. Multicast Traffic . . . . . . . . . . . . . . . . . . . . 55 | |||
10. Security Considerations . . . . . . . . . . . . . . . . . . 56 | 10. Security Considerations . . . . . . . . . . . . . . . . . . . 56 | |||
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 57 | 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 57 | |||
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 58 | 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 58 | |||
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 59 | 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 59 | |||
13.1 Normative References . . . . . . . . . . . . . . . . . . . 59 | 13.1. Normative References . . . . . . . . . . . . . . . . . . . 59 | |||
13.2 Informative References . . . . . . . . . . . . . . . . . . 59 | 13.2. Informative References . . . . . . . . . . . . . . . . . . 59 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 59 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 60 | |||
Intellectual Property and Copyright Statements . . . . . . . . 61 | Intellectual Property and Copyright Statements . . . . . . . . . . 61 | |||
1. Introduction | 1. Introduction | |||
This document defines the state machines for Protocol Carrying | This document defines the state machines for Protocol Carrying | |||
Authentication for Network Access (PANA) [I-D.ietf-pana-pana]. There | Authentication for Network Access (PANA) [I-D.ietf-pana-pana]. There | |||
are state machines for the PANA client (PaC) and for the PANA | are state machines for the PANA client (PaC) and for the PANA | |||
Authentication Agent (PAA). Each state machine is specified through | Authentication Agent (PAA). Each state machine is specified through | |||
a set of variables, procedures and a state transition table. | a set of variables, procedures and a state transition table. | |||
A PANA protocol execution consists of several exchanges to carry | A PANA protocol execution consists of several exchanges to carry | |||
skipping to change at page 10, line 16 | skipping to change at page 10, line 16 | |||
There are following procedures, variables, message initializing rules | There are following procedures, variables, message initializing rules | |||
and state transitions that are common to both the PaC and PAA state | and state transitions that are common to both the PaC and PAA state | |||
machines. | machines. | |||
Throughout this document, the character string "PANA_MESSAGE_NAME" | Throughout this document, the character string "PANA_MESSAGE_NAME" | |||
matches any one of the abbreviated PANA message names, i.e., "PDI", | matches any one of the abbreviated PANA message names, i.e., "PDI", | |||
"PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR", | "PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR", | |||
"PTA", "PPR", "PPA", "PRAR", "PRAA", "PUR", "PUA", "PER" and "PEA". | "PTA", "PPR", "PPA", "PRAR", "PRAA", "PUR", "PUA", "PER" and "PEA". | |||
5.1 Common Procedures | 5.1. Common Procedures | |||
void None() | void None() | |||
A null procedure, i.e., nothing is done. | A null procedure, i.e., nothing is done. | |||
void Disconnect() | void Disconnect() | |||
A procedure to delete the PANA session as well as the | A procedure to delete the PANA session as well as the | |||
corresponding EAP session and authorization state. | corresponding EAP session and authorization state. | |||
skipping to change at page 12, line 5 | skipping to change at page 12, line 5 | |||
TRUE. Otherwise, it returns FALSE. | TRUE. Otherwise, it returns FALSE. | |||
boolean fatal(int) | boolean fatal(int) | |||
A procedure to check whether an integer result code value | A procedure to check whether an integer result code value | |||
indicates a fatal error. If the result code indicates a fatal | indicates a fatal error. If the result code indicates a fatal | |||
error, the procedure returns TRUE, otherwise, it return FALSE. A | error, the procedure returns TRUE, otherwise, it return FALSE. A | |||
fatal error would also result in the termination of the session | fatal error would also result in the termination of the session | |||
and release of all resources related to that session. | and release of all resources related to that session. | |||
5.2 Common Variables | 5.2. Common Variables | |||
PANA_MESSAGE_NAME.S_flag | PANA_MESSAGE_NAME.S_flag | |||
This variable contains the S-Flag value of the specified PANA | This variable contains the S-Flag value of the specified PANA | |||
message. | message. | |||
PBR.RESULT_CODE | PBR.RESULT_CODE | |||
This variable contains the Result-Code AVP value in the PANA-Bind- | This variable contains the Result-Code AVP value in the PANA-Bind- | |||
Request message in process. When this variable carries | Request message in process. When this variable carries | |||
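Review bot: fatal(int) does not say which Result-Code values count as fatal, even though its description ties a TRUE return to termination of the session and release of all its resources. Add a pointer to where the fatal codes are listed so that implementations classify them the same way. In the same entry, "otherwise, it return FALSE" should read "otherwise, it returns FALSE"; the wording is unchanged between -01 and -02.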
skipping to change at page 13, line 18 | skipping to change at page 13, line 18 | |||
termination is triggered. | termination is triggered. | |||
PANA_PING | PANA_PING | |||
This event variable is set to TRUE when initiation of liveness | This event variable is set to TRUE when initiation of liveness | |||
test based on PPR-PPA exchange is triggered. | test based on PPR-PPA exchange is triggered. | |||
NOTIFY | NOTIFY | |||
This event variable is set to TRUE if the PaC or PAA wants to send | This event variable is set to TRUE if the PaC or PAA wants to send | |||
attribute updates or notifications. For attribute updates, | attribute updates or notifications. | |||
UPDATE_POPA should be used by the PaC. | ||||
SESS_TIMEOUT | SESS_TIMEOUT | |||
This event is variable is set to TRUE when the session timer is | This event is variable is set to TRUE when the session timer is | |||
expired. | expired. | |||
ABORT_ON_1ST_EAP_FAILURE | ABORT_ON_1ST_EAP_FAILURE | |||
This variable indicates whether the PANA session is immediately | This variable indicates whether the PANA session is immediately | |||
terminated when the 1st EAP authentication fails. | terminated when the 1st EAP authentication fails. | |||
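Review bot: the revised NOTIFY entry drops the pointer to UPDATE_POPA but does not say that a PaC address change is now signalled through NOTIFY, so a reader of 5.2 alone cannot tell which event drives the "(Address update)" row in 6.4. If that is the intent, add a sentence to NOTIFY saying the PaC sets it when its address changes. In the SESS_TIMEOUT entry just below, "This event is variable is set" should read "This event variable is set".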
skipping to change at page 13, line 43 | skipping to change at page 13, line 42 | |||
This variable indicates whether a Device-Id AVP is carried in a | This variable indicates whether a Device-Id AVP is carried in a | |||
PANA-Bind-Request or PANA_Bind-Answer message. For the PAA, this | PANA-Bind-Request or PANA_Bind-Answer message. For the PAA, this | |||
variable MUST be set when a link-layer or IP address is used as | variable MUST be set when a link-layer or IP address is used as | |||
the device identifier of the PaC and a Protection-Capability AVP | the device identifier of the PaC and a Protection-Capability AVP | |||
is included in the PANA-Bind-Request message. | is included in the PANA-Bind-Request message. | |||
ANY | ANY | |||
This event variable is set to TRUE when any event occurs. | This event variable is set to TRUE when any event occurs. | |||
5.3 Constants | 5.3. Constants | |||
RTX_MAX_NUM | RTX_MAX_NUM | |||
Configurable maximum for how many retransmissions should be | Configurable maximum for how many retransmissions should be | |||
attempted before aborting. | attempted before aborting. | |||
5.4 Common Message Initialization Rules | 5.4. Common Message Initialization Rules | |||
When a message is prepared for sending, it is initialized as follows: | When a message is prepared for sending, it is initialized as follows: | |||
o For a request message, R-flag of the header is set. Otherwise, | o For a request message, R-flag of the header is set. Otherwise, | |||
R-flag is not set. | R-flag is not set. | |||
o S-flag and N-flag of the header are not set. | o S-flag and N-flag of the header are not set. | |||
o AVPs that are mandatory included in a message are inserted with | o AVPs that are mandatory included in a message are inserted with | |||
appropriate values set. | appropriate values set. | |||
o A Notification AVP is inserted if there is some notification | o A Notification AVP is inserted if there is some notification | |||
string to send to the communicating peer. | string to send to the communicating peer. | |||
5.5 Common Error Handling Rules | 5.5. Common Error Handling Rules | |||
For simplicity, the PANA state machines defined in this document do | For simplicity, the PANA state machines defined in this document do | |||
not support an optional feature of sending a PER message when an | not support an optional feature of sending a PER message when an | |||
invalid PANA message is received [I-D.ietf-pana-pana], while the | invalid PANA message is received [I-D.ietf-pana-pana], while the | |||
state machines support sending a PER message generated in other cases | state machines support sending a PER message generated in other cases | |||
as well as receiving and processing a PER message. It is left to | as well as receiving and processing a PER message. It is left to | |||
implementations as to whether they provide a means to send a PER | implementations as to whether they provide a means to send a PER | |||
message when an invalid PANA message is received. | message when an invalid PANA message is received. | |||
5.6 Common State Transitions | 5.6. Common State Transitions | |||
The following transitions can occur at any state. | The following transitions can occur at any state. | |||
---------- | ---------- | |||
State: ANY | State: ANY | |||
---------- | ---------- | |||
Exit Condition Exit Action Exit State | Exit Condition Exit Action Exit State | |||
------------------------+--------------------------+------------ | ------------------------+--------------------------+------------ | |||
- - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - - | - - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - - | |||
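Review bot: the CARRY_DEVICE_ID entry uses "MUST be set" although the front matter states that the state machines and associated model are "informative only". Either lowercase the keyword or cite the section of [I-D.ietf-pana-pana] that carries the requirement. The same entry writes "PANA_Bind-Answer" with an underscore next to "PANA-Bind-Request"; the hyphenated form should be used for both.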
skipping to change at page 16, line 7 | skipping to change at page 16, line 7 | |||
------------- | ------------- | |||
Exit Condition Exit Action Exit State | Exit Condition Exit Action Exit State | |||
------------------------+--------------------------+------------ | ------------------------+--------------------------+------------ | |||
- - - - - - - -(Session termination initiated by PaC) - - - - - | - - - - - - - -(Session termination initiated by PaC) - - - - - | |||
ANY None(); CLOSED | ANY None(); CLOSED | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
6. PaC State Machine | 6. PaC State Machine | |||
6.1 Interface between PaC and EAP Peer | 6.1. Interface between PaC and EAP Peer | |||
This interface defines the interactions between a PaC and an EAP | This interface defines the interactions between a PaC and an EAP | |||
peer. The interface serves as a mechanism to deliver EAP messages | peer. The interface serves as a mechanism to deliver EAP messages | |||
for the EAP peer. It allows the EAP peer to receive EAP requests and | for the EAP peer. It allows the EAP peer to receive EAP requests and | |||
send EAP responses via the PaC. It also provides a mechanism to | send EAP responses via the PaC. It also provides a mechanism to | |||
notify the EAP peer of PaC events and a mechanism to receive | notify the EAP peer of PaC events and a mechanism to receive | |||
notification of EAP peer events. The EAP message delivery mechanism | notification of EAP peer events. The EAP message delivery mechanism | |||
as well as the event notification mechanism in this interface have | as well as the event notification mechanism in this interface have | |||
direct correlation with the PaC state transition table entries. | direct correlation with the PaC state transition table entries. | |||
These message delivery and event notifications mechanisms occur only | These message delivery and event notifications mechanisms occur only | |||
within the context of their associated states or exit actions. | within the context of their associated states or exit actions. | |||
6.1.1 Delivering EAP Messages from PaC to EAP Peer | 6.1.1. Delivering EAP Messages from PaC to EAP Peer | |||
TxEAP() procedure in the PaC state machine serves as the mechanism to | TxEAP() procedure in the PaC state machine serves as the mechanism to | |||
deliver EAP request, EAP success and EAP failure messages contained | deliver EAP request, EAP success and EAP failure messages contained | |||
in PANA-Auth-Request messages to the EAP peer. This procedure is | in PANA-Auth-Request messages to the EAP peer. This procedure is | |||
enabled only after an EAP restart event is notified to the EAP peer | enabled only after an EAP restart event is notified to the EAP peer | |||
and before any event resulting in a termination of the EAP peer | and before any event resulting in a termination of the EAP peer | |||
session. In the case where the EAP peer follows the EAP peer state | session. In the case where the EAP peer follows the EAP peer state | |||
machine defined in [I-D.ietf-eap-statemachine], TxEAP() procedure | machine defined in [I-D.ietf-eap-statemachine], TxEAP() procedure | |||
sets eapReq variable of the EAP peer state machine and puts the EAP | sets eapReq variable of the EAP peer state machine and puts the EAP | |||
request in eapReqData variable of the EAP peer state machine. | request in eapReqData variable of the EAP peer state machine. | |||
6.1.2 Delivering EAP Responses from EAP Peer to PaC | 6.1.2. Delivering EAP Responses from EAP Peer to PaC | |||
An EAP response is delivered from the EAP peer to the PaC via | An EAP response is delivered from the EAP peer to the PaC via | |||
EAP_RESPONSE event variable. The event variable is set when the EAP | EAP_RESPONSE event variable. The event variable is set when the EAP | |||
peer passes the EAP response to its lower-layer. In the case where | peer passes the EAP response to its lower-layer. In the case where | |||
the EAP peer follows the EAP peer state machine defined in [I-D.ietf- | the EAP peer follows the EAP peer state machine defined in [I-D.ietf- | |||
eap-statemachine], EAP_RESPONSE event variable refers to eapResp | eap-statemachine], EAP_RESPONSE event variable refers to eapResp | |||
variable of the EAP peer state machine and the EAP response is | variable of the EAP peer state machine and the EAP response is | |||
contained in eapRespData variable of the EAP peer state machine. | contained in eapRespData variable of the EAP peer state machine. | |||
6.1.3 EAP Restart Notification from PaC to EAP Peer | 6.1.3. EAP Restart Notification from PaC to EAP Peer | |||
The EAP peer state machine defined in [I-D.ietf-eap-statemachine] has | The EAP peer state machine defined in [I-D.ietf-eap-statemachine] has | |||
an initialization procedure before receiving an EAP request. To | an initialization procedure before receiving an EAP request. To | |||
initialize the EAP state machine, the PaC state machine defines an | initialize the EAP state machine, the PaC state machine defines an | |||
event notification mechanism to send an EAP (re)start event to the | event notification mechanism to send an EAP (re)start event to the | |||
EAP peer. The event notification is done via EAP_Restart() procedure | EAP peer. The event notification is done via EAP_Restart() procedure | |||
in the initialization action of the PaC state machine. | in the initialization action of the PaC state machine. | |||
6.1.4 EAP Authentication Result Notification from EAP Peer to PaC | 6.1.4. EAP Authentication Result Notification from EAP Peer to PaC | |||
In order for the EAP peer to notify the PaC of an EAP authentication | In order for the EAP peer to notify the PaC of an EAP authentication | |||
result, EAP_SUCCESS and EAP_FAILURE event variables are defined. In | result, EAP_SUCCESS and EAP_FAILURE event variables are defined. In | |||
the case where the EAP peer follows the EAP peer state machine | the case where the EAP peer follows the EAP peer state machine | |||
defined in [I-D.ietf-eap-statemachine], EAP_SUCCESS and EAP_FAILURE | defined in [I-D.ietf-eap-statemachine], EAP_SUCCESS and EAP_FAILURE | |||
event variables refer to eapSuccess and eapFail variables of the EAP | event variables refer to eapSuccess and eapFail variables of the EAP | |||
peer state machine, respectively. In this case, if EAP_SUCCESS event | peer state machine, respectively. In this case, if EAP_SUCCESS event | |||
variable is set to TRUE and a AAA-Key is generated by the EAP | variable is set to TRUE and a AAA-Key is generated by the EAP | |||
authentication method in use, eapKeyAvailable variable is set to TRUE | authentication method in use, eapKeyAvailable variable is set to TRUE | |||
and eapKeyData variable contains the AAA-Key. Note that EAP_SUCCESS | and eapKeyData variable contains the AAA-Key. Note that EAP_SUCCESS | |||
and EAP_FAILURE event variables may be set to TRUE even before the | and EAP_FAILURE event variables may be set to TRUE even before the | |||
PaC receives a PBR or a PFER from the PAA. | PaC receives a PBR or a PFER from the PAA. | |||
6.1.5 Alternate Failure Notification from PaC to EAP Peer | 6.1.5. Alternate Failure Notification from PaC to EAP Peer | |||
alt_reject() procedure in the PaC state machine serves as the | alt_reject() procedure in the PaC state machine serves as the | |||
mechanism to deliver an authentication failure event to the EAP peer | mechanism to deliver an authentication failure event to the EAP peer | |||
without accompanying an EAP message. In the case where the EAP peer | without accompanying an EAP message. In the case where the EAP peer | |||
follows the EAP peer state machine defined in [I-D.ietf-eap- | follows the EAP peer state machine defined in [I-D.ietf-eap- | |||
statemachine], alt_reject() procedure sets altReject variable of the | statemachine], alt_reject() procedure sets altReject variable of the | |||
EAP peer state machine. Note that the EAP peer state machine in | EAP peer state machine. Note that the EAP peer state machine in | |||
[I-D.ietf-eap-statemachine] also defines altAccept variable, however, | [I-D.ietf-eap-statemachine] also defines altAccept variable, however, | |||
it is never used in PANA in which EAP-Success messages are reliably | it is never used in PANA in which EAP-Success messages are reliably | |||
delivered by PANA-Bind exchange. | delivered by PANA-Bind exchange. | |||
6.1.6 EAP Invalid Message Notification from EAP Peer to PaC | 6.1.6. EAP Invalid Message Notification from EAP Peer to PaC | |||
In order for the EAP peer to notify the PaC of a receipt of an | In order for the EAP peer to notify the PaC of a receipt of an | |||
invalid EAP message, EAP_INVALID_MSG event variable is defined. In | invalid EAP message, EAP_INVALID_MSG event variable is defined. In | |||
the case where the EAP peer follows the EAP peer state machine | the case where the EAP peer follows the EAP peer state machine | |||
defined in [I-D.ietf-eap-statemachine], EAP_INVALID_MSG event | defined in [I-D.ietf-eap-statemachine], EAP_INVALID_MSG event | |||
variable refers to eapNoResp variable of the EAP peer state machine. | variable refers to eapNoResp variable of the EAP peer state machine. | |||
6.2 Variables | 6.2. Variables | |||
SEPARATE | SEPARATE | |||
This variable indicates whether the PaC desires NAP/ISP separate | This variable indicates whether the PaC desires NAP/ISP separate | |||
authentication. | authentication. | |||
1ST_EAP | 1ST_EAP | |||
This variable indicates whether the 1st EAP authentication is | This variable indicates whether the 1st EAP authentication is | |||
success, failure or yet completed. | success, failure or yet completed. | |||
skipping to change at page 18, line 32 | skipping to change at page 18, line 32 | |||
This event variable is set to TRUE when the EAP peer delivers an | This event variable is set to TRUE when the EAP peer delivers an | |||
EAP Response to the PaC. This event accompanies an EAP-Response | EAP Response to the PaC. This event accompanies an EAP-Response | |||
message received from the EAP peer. | message received from the EAP peer. | |||
EAP_INVALID_MSG | EAP_INVALID_MSG | |||
This event variable is set to TRUE when the EAP peer silently | This event variable is set to TRUE when the EAP peer silently | |||
discards an EAP message. This event does not accompany any EAP | discards an EAP message. This event does not accompany any EAP | |||
message. | message. | |||
UPDATE_POPA | ||||
This event variable is set to TRUE when there is a change in the | ||||
POPA of the PaC. | ||||
EAP_RESP_TIMEOUT | EAP_RESP_TIMEOUT | |||
This event variable is set to TRUE when the PaC that has passed an | This event variable is set to TRUE when the PaC that has passed an | |||
EAP-Request to the EAP-layer does not receive a corresponding EAP- | EAP-Request to the EAP-layer does not receive a corresponding EAP- | |||
Response from the the EAP-layer in a given period. | Response from the the EAP-layer in a given period. | |||
6.3 Procedures | 6.3. Procedures | |||
boolean choose_isp() | boolean choose_isp() | |||
This procedure returns TRUE when the PaC chooses one ISP, | This procedure returns TRUE when the PaC chooses one ISP, | |||
otherwise returns FALSE. | otherwise returns FALSE. | |||
boolean ppac_available() | boolean ppac_available() | |||
This procedure returns TRUE when the Post-PANA-Address- | This procedure returns TRUE when the Post-PANA-Address- | |||
Configuration method specified by the PAA is available in the PaC | Configuration method specified by the PAA is available in the PaC | |||
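Review bot: "from the the EAP-layer" in EAP_RESP_TIMEOUT, directly below the removed UPDATE_POPA entry, still has the doubled "the"; fix it while this block is being edited. That entry also says "EAP-layer" where the timer procedures in 6.3 (EAP_RespTimerStart, EAP_RespTimerStop) say "EAP peer"; pick one term for both.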
skipping to change at page 19, line 38 | skipping to change at page 19, line 32 | |||
void EAP_RespTimerStart() | void EAP_RespTimerStart() | |||
A procedure to start a timer to receive an EAP-Response from the | A procedure to start a timer to receive an EAP-Response from the | |||
EAP peer. | EAP peer. | |||
void EAP_RespTimerStop() | void EAP_RespTimerStop() | |||
A procedure to stop a timer to receive an EAP-Response from the | A procedure to stop a timer to receive an EAP-Response from the | |||
EAP peer. | EAP peer. | |||
6.4 PaC State Transition Table | 6.4. PaC State Transition Table | |||
------------------------------ | ------------------------------ | |||
State: OFFLINE (Initial State) | State: OFFLINE (Initial State) | |||
------------------------------ | ------------------------------ | |||
Initialization Action: | Initialization Action: | |||
SEPARATE=Set|Unset; | SEPARATE=Set|Unset; | |||
CARRY_DEVICE_ID=Unset; | CARRY_DEVICE_ID=Unset; | |||
1ST_EAP=Unset; | 1ST_EAP=Unset; | |||
skipping to change at page 29, line 22 | skipping to change at page 29, line 16 | |||
Tx:PTA(); | Tx:PTA(); | |||
Disconnect(); | Disconnect(); | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
- - - - - - - -(Session termination initiated by PaC) - - - - - - | - - - - - - - -(Session termination initiated by PaC) - - - - - - | |||
TERMINATE if (key_available()) SESS_TERM | TERMINATE if (key_available()) SESS_TERM | |||
PTR.insert_avp("MAC"); | PTR.insert_avp("MAC"); | |||
Tx:PTR(); | Tx:PTR(); | |||
RtxTimerStart(); | RtxTimerStart(); | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
- - - - - - - - - - - - -(Address update) - - - - - - - - - - - - | - - - - - - - - - - - - -(Address update) - - - - - - - - - - - - | |||
UPDATE_POPA || if (key_available()) WAIT_PUA | NOTIFY if (key_available()) WAIT_PUA | |||
NOTIFY PUR.insert_avp("MAC"); | PUR.insert_avp("MAC"); | |||
Tx:PUR(); | Tx:PUR(); | |||
RtxTimerStart(); | RtxTimerStart(); | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
- - - - - - - - - - -(Notification update)- - - - - - - - - - - | - - - - - - - - - - -(Notification update)- - - - - - - - - - - | |||
Rx:PUR if (key_available()) OPEN | Rx:PUR if (key_available()) OPEN | |||
PUA.insert_avp("MAC"); | PUA.insert_avp("MAC"); | |||
Tx:PUA(); | Tx:PUA(); | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
---------------- | ---------------- | |||
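Review bot: In this OPEN-state table the sub-heading still reads (Address update) although the UPDATE_POPA trigger is gone and the row now fires on NOTIFY alone, while the next block, (Notification update), handles a received PUR; rename the labels so they match the triggers. In the same row, key_available() appears to guard only PUR.insert_avp("MAC"), so Tx:PUR() and the move to WAIT_PUA happen even when there is no key. Since the PAA's update_popa() rebinds the session to the source address of a PUR, the table should state whether an unprotected PUR is ever valid, or put Tx:PUR() under the same guard.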
skipping to change at page 31, line 7 | skipping to change at page 31, line 7 | |||
Exit Condition Exit Action Exit State | Exit Condition Exit Action Exit State | |||
------------------------+--------------------------+------------ | ------------------------+--------------------------+------------ | |||
- - - - - - - - - - - - - -(PEA processing) - - - - - - - - - - | - - - - - - - - - - - - - -(PEA processing) - - - - - - - - - - | |||
Rx:PEA RtxTimerStop(); CLOSED | Rx:PEA RtxTimerStop(); CLOSED | |||
Disconnect(); | Disconnect(); | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
7. PAA State Machine | 7. PAA State Machine | |||
7.1 Interface between PAA and EAP Authenticator | 7.1. Interface between PAA and EAP Authenticator | |||
The interface between a PAA and an EAP authenticator provides a | The interface between a PAA and an EAP authenticator provides a | |||
mechanism to deliver EAP messages for the EAP authenticator as well | mechanism to deliver EAP messages for the EAP authenticator as well | |||
as a mechanism to notify the EAP authenticator of PAA events and to | as a mechanism to notify the EAP authenticator of PAA events and to | |||
receive notification of EAP authenticator events. These message | receive notification of EAP authenticator events. These message | |||
delivery and event notification mechanisms occur only within context | delivery and event notification mechanisms occur only within context | |||
of their associated states or exit actions. | of their associated states or exit actions. | |||
7.1.1 EAP Restart Notification from PAA to EAP Authenticator | 7.1.1. EAP Restart Notification from PAA to EAP Authenticator | |||
An EAP authenticator state machine defined in [I-D.ietf-eap- | An EAP authenticator state machine defined in [I-D.ietf-eap- | |||
statemachine] has an initialization procedure before sending the | statemachine] has an initialization procedure before sending the | |||
first EAP request. To initialize the EAP state machine, the PAA | first EAP request. To initialize the EAP state machine, the PAA | |||
state machine defines an event notification mechanism to send an EAP | state machine defines an event notification mechanism to send an EAP | |||
(re)start event to the EAP peer. The event notification is done via | (re)start event to the EAP peer. The event notification is done via | |||
EAP_Restart() procedure in the initialization action of the PAA state | EAP_Restart() procedure in the initialization action of the PAA state | |||
machine. | machine. | |||
7.1.2 Delivering EAP Responses from PAA to EAP Authenticator | 7.1.2. Delivering EAP Responses from PAA to EAP Authenticator | |||
TxEAP() procedure in the PAA state machine serves as the mechanism to | TxEAP() procedure in the PAA state machine serves as the mechanism to | |||
deliver EAP-Responses contained in PANA-Auth-Answer messages to the | deliver EAP-Responses contained in PANA-Auth-Answer messages to the | |||
EAP authenticator. This procedure is enabled only after an EAP | EAP authenticator. This procedure is enabled only after an EAP | |||
restart event is notified to the EAP authenticator and before any | restart event is notified to the EAP authenticator and before any | |||
event resulting in a termination of the EAP authenticator session. | event resulting in a termination of the EAP authenticator session. | |||
In the case where the EAP authenticator follows the EAP authenticator | In the case where the EAP authenticator follows the EAP authenticator | |||
state machines defined in [I-D.ietf-eap-statemachine], TxEAP() | state machines defined in [I-D.ietf-eap-statemachine], TxEAP() | |||
procedure sets eapResp variable of the EAP authenticator state | procedure sets eapResp variable of the EAP authenticator state | |||
machine and puts the EAP response in eapRespData variable of the EAP | machine and puts the EAP response in eapRespData variable of the EAP | |||
authenticator state machine. | authenticator state machine. | |||
7.1.3 Delivering EAP Messages from EAP Authenticator to PAA | 7.1.3. Delivering EAP Messages from EAP Authenticator to PAA | |||
An EAP request is delivered from the EAP authenticator to the PAA via | An EAP request is delivered from the EAP authenticator to the PAA via | |||
EAP_REQUEST event variable. The event variable is set when the EAP | EAP_REQUEST event variable. The event variable is set when the EAP | |||
authenticator passes the EAP request to its lower-layer. In the case | authenticator passes the EAP request to its lower-layer. In the case | |||
where the EAP authenticator follows the EAP authenticator state | where the EAP authenticator follows the EAP authenticator state | |||
machines defined in [I-D.ietf-eap-statemachine], EAP_REQUEST event | machines defined in [I-D.ietf-eap-statemachine], EAP_REQUEST event | |||
variable refers to eapReq variable of the EAP authenticator state | variable refers to eapReq variable of the EAP authenticator state | |||
machine and the EAP request is contained in eapReqData variable of | machine and the EAP request is contained in eapReqData variable of | |||
the EAP authenticator state machine. | the EAP authenticator state machine. | |||
7.1.4 EAP Authentication Result Notification from EAP Authenticator to | 7.1.4. EAP Authentication Result Notification from EAP Authenticator to | |||
PAA | PAA | |||
In order for the EAP authenticator to notify the PAA of the EAP | In order for the EAP authenticator to notify the PAA of the EAP | |||
authentication result, EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event | authentication result, EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event | |||
variables are defined. In the case where the EAP authenticator | variables are defined. In the case where the EAP authenticator | |||
follows the EAP authenticator state machines defined in [I-D.ietf- | follows the EAP authenticator state machines defined in [I-D.ietf- | |||
eap-statemachine], EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event | eap-statemachine], EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event | |||
variables refer to eapSuccess, eapFail and eapTimeout variables of | variables refer to eapSuccess, eapFail and eapTimeout variables of | |||
the EAP authenticator state machine, respectively. In this case, if | the EAP authenticator state machine, respectively. In this case, if | |||
EAP_SUCCESS event variable is set to TRUE, an EAP-Success message is | EAP_SUCCESS event variable is set to TRUE, an EAP-Success message is | |||
contained in eapReqData variable of the EAP authenticator state | contained in eapReqData variable of the EAP authenticator state | |||
machine, and additionally, eapKeyAvailable variable is set to TRUE | machine, and additionally, eapKeyAvailable variable is set to TRUE | |||
and eapKeyData variable contains a AAA-Key if the AAA-Key is | and eapKeyData variable contains a AAA-Key if the AAA-Key is | |||
generated as a result of successful authentication by the EAP | generated as a result of successful authentication by the EAP | |||
authentication method in use. Similarly, if EAP_FAILURE event | authentication method in use. Similarly, if EAP_FAILURE event | |||
variable is set to TRUE, an EAP-Failure message is contained in | variable is set to TRUE, an EAP-Failure message is contained in | |||
eapReqData variable of the EAP authenticator state machine. The PAA | eapReqData variable of the EAP authenticator state machine. The PAA | |||
uses EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables as a | uses EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables as a | |||
trigger to send a PBR or a PFER message to the PaC. | trigger to send a PBR or a PFER message to the PaC. | |||
7.2 Variables | 7.2. Variables | |||
USE_COOKIE | USE_COOKIE | |||
This variable indicates whether the PAA uses Cookie. | This variable indicates whether the PAA uses Cookie. | |||
EAP_PIGGYBACK | EAP_PIGGYBACK | |||
This variable indicates whether the PAA is able to piggyback an | This variable indicates whether the PAA is able to piggyback an | |||
EAP-Request in PANA-Start-Request. | EAP-Request in PANA-Start-Request. | |||
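Review bot: Section 7.1.1 still says the PAA state machine sends the EAP (re)start event "to the EAP peer", which is unchanged between -01 and -02 and contradicts the section title and the rest of 7.1, where the PAA talks to the EAP authenticator. This looks carried over from the PaC section; change it to "to the EAP authenticator".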
skipping to change at page 34, line 23 | skipping to change at page 34, line 23 | |||
This event variable is set to TRUE when the EAP authenticator | This event variable is set to TRUE when the EAP authenticator | |||
delivers an EAP Request to the PAA. This event accompanies an | delivers an EAP Request to the PAA. This event accompanies an | |||
EAP-Request message received from the EAP authenticator. | EAP-Request message received from the EAP authenticator. | |||
EAP_TIMEOUT | EAP_TIMEOUT | |||
This event variable is set to TRUE when EAP conversation times out | This event variable is set to TRUE when EAP conversation times out | |||
without generating an EAP-Success or an EAP-Failure message. This | without generating an EAP-Success or an EAP-Failure message. This | |||
event does not accompany any EAP message. | event does not accompany any EAP message. | |||
7.3 Procedures | 7.3. Procedures | |||
boolean new_key_available() | boolean new_key_available() | |||
A procedure to check whether the PANA session has a new | A procedure to check whether the PANA session has a new | |||
PANA_MAC_KEY. If the state machine already have a PANA_MAC_KEY, | PANA_MAC_KEY. If the state machine already have a PANA_MAC_KEY, | |||
it returns FALSE. If the state machine does not have a | it returns FALSE. If the state machine does not have a | |||
PANA_MAC_KEY, it tries to retrieve a AAA-Key from the EAP entity. | PANA_MAC_KEY, it tries to retrieve a AAA-Key from the EAP entity. | |||
If a AAA-Key has been retrieved, it computes a PANA_MAC_KEY from | If a AAA-Key has been retrieved, it computes a PANA_MAC_KEY from | |||
the AAA-Key and returns TRUE. Otherwise, it returns FALSE. | the AAA-Key and returns TRUE. Otherwise, it returns FALSE. | |||
skipping to change at page 34, line 47 | skipping to change at page 34, line 47 | |||
PUR message. If the source IP address of the message is different | PUR message. If the source IP address of the message is different | |||
from the last known IP address stored in the PANA session, this | from the last known IP address stored in the PANA session, this | |||
procedure returns TRUE. Otherwise, it returns FALSE. | procedure returns TRUE. Otherwise, it returns FALSE. | |||
void update_popa() | void update_popa() | |||
A procedure to extract the PaC's source IP address from the | A procedure to extract the PaC's source IP address from the | |||
current PUR message and update the PANA session with this new IP | current PUR message and update the PANA session with this new IP | |||
address. | address. | |||
7.4 PAA State Transition Table | 7.4. PAA State Transition Table | |||
------------------------------ | ------------------------------ | |||
State: OFFLINE (Initial State) | State: OFFLINE (Initial State) | |||
------------------------------ | ------------------------------ | |||
Initialization Action: | Initialization Action: | |||
USE_COOKIE=Set|Unset; | USE_COOKIE=Set|Unset; | |||
EAP_PIGGYBACK=Set|Unset; | EAP_PIGGYBACK=Set|Unset; | |||
SEPARATE=Set|Unset; | SEPARATE=Set|Unset; | |||
if (EAP_PIGGYBACK==Set) | if (USE_COOKIE==Unset && EAP_PIGGYBACK==Set) | |||
SEPARATE=Unset; | SEPARATE=Unset; | |||
1ST_EAP=Unset; | 1ST_EAP=Unset; | |||
ABORT_ON_1ST_EAP_FAILURE=Set|Unset; | ABORT_ON_1ST_EAP_FAILURE=Set|Unset; | |||
CARRY_LIFETIME=Set|Unset; | CARRY_LIFETIME=Set|Unset; | |||
CARRY_DEVICE_ID=Set|Unset; | CARRY_DEVICE_ID=Set|Unset; | |||
CARRY_NAP_INFO=Set|Unset; | CARRY_NAP_INFO=Set|Unset; | |||
CARRY_ISP_INFO=Set|Unset; | CARRY_ISP_INFO=Set|Unset; | |||
CARRY_PPAC=Set|Unset; | CARRY_PPAC=Set|Unset; | |||
PROTECTION_CAP_IN_PSR=Set|Unset; | PROTECTION_CAP_IN_PSR=Set|Unset; | |||
PROTECTION_CAP_IN_PBR=Set|Unset; | PROTECTION_CAP_IN_PBR=Set|Unset; | |||
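Review bot: The new initialization guard, if (USE_COOKIE==Unset && EAP_PIGGYBACK==Set), leaves SEPARATE as configured when both USE_COOKIE and EAP_PIGGYBACK are Set, and nothing visible here explains why the cookie setting changes the outcome. Add a sentence to the USE_COOKIE or EAP_PIGGYBACK description in 7.2 stating that piggybacking is not applied when a cookie is used (if that is the intent), so that implementers do not read the two Set values as a valid way to combine piggybacking with separate authentication.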
skipping to change at page 40, line 35 | skipping to change at page 40, line 34 | |||
SEPARATE==Set && if (CARRY_DEVICE_ID==Set) | SEPARATE==Set && if (CARRY_DEVICE_ID==Set) | |||
Authorize() PBR.insert_avp | Authorize() PBR.insert_avp | |||
("Device-Id"); | ("Device-Id"); | |||
if (CARRY_LIFETIME==Set) | if (CARRY_LIFETIME==Set) | |||
PBR.insert_avp | PBR.insert_avp | |||
("Session-Lifetime"); | ("Session-Lifetime"); | |||
if (PROTECTION_CAP_IN_PBR | if (PROTECTION_CAP_IN_PBR | |||
==Set) | ==Set) | |||
PBR.insert_avp | PBR.insert_avp | |||
("Protection-Cap."); | ("Protection-Cap."); | |||
if (new_key_available()) | ||||
PBR.insert_avp | ||||
("Key-Id"); | ||||
if (key_available()) | if (key_available()) | |||
PBR.insert_avp("MAC"); | PBR.insert_avp("MAC"); | |||
PBR.S_flag=1; | PBR.S_flag=1; | |||
if (NAP_AUTH) | if (NAP_AUTH) | |||
PBR.N_flag=1; | PBR.N_flag=1; | |||
Tx:PBR(); | Tx:PBR(); | |||
RtxTimerStart(); | RtxTimerStart(); | |||
EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA | EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA | |||
1ST_EAP==Success && ("EAP-Payload"); | 1ST_EAP==Success && ("EAP-Payload"); | |||
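Review bot: In the SEPARATE==Set && Authorize() exit action, the step if (new_key_available()) PBR.insert_avp("Key-Id"); is present in only one of the two versions. Section 7.3 defines new_key_available() as the procedure that derives PANA_MAC_KEY from the AAA-Key, and the change block at page 42 places that call directly before if (key_available()). Confirm that -02 still makes the call ahead of the MAC insertion on this success path; otherwise the PBR may go out without Key-Id, and without a MAC if key_available() does not derive the key itself.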
skipping to change at page 42, line 21 | skipping to change at page 42, line 17 | |||
if (key_available()) | if (key_available()) | |||
PBR.insert_avp("MAC"); | PBR.insert_avp("MAC"); | |||
PBR.S_flag=1; | PBR.S_flag=1; | |||
if (NAP_AUTH) | if (NAP_AUTH) | |||
PBR.N_flag=1; | PBR.N_flag=1; | |||
Tx:PBR(); | Tx:PBR(); | |||
RtxTimerStart(); | RtxTimerStart(); | |||
EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA | EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA | |||
1ST_EAP==Failure && ("EAP-Payload"); | 1ST_EAP==Failure && ("EAP-Payload"); | |||
SEPARATE==Set && if (key_available()) | SEPARATE==Set && if (new_key_available()) | |||
!Authorize() PBR.insert_avp("MAC"); | !Authorize() PBR.insert_avp | |||
("Key-Id"); | ||||
if (key_available()) | ||||
PBR.insert_avp("MAC"); | ||||
PBR.S_flag=1; | PBR.S_flag=1; | |||
if (NAP_AUTH) | if (NAP_AUTH) | |||
PBR.N_flag=1; | PBR.N_flag=1; | |||
Tx:PBR(); | Tx:PBR(); | |||
RtxTimerStart(); | RtxTimerStart(); | |||
EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA | EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA | |||
1ST_EAP==Failure && PBR.insert_avp("MAC"); | 1ST_EAP==Failure && PBR.insert_avp("MAC"); | |||
SEPARATE==Set PBR.S_flag=1; | SEPARATE==Set PBR.S_flag=1; | |||
if (NAP_AUTH) | if (NAP_AUTH) | |||
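Review bot: The -02 action for EAP_SUCCESS && 1ST_EAP==Failure && SEPARATE==Set && !Authorize() now depends on call order: new_key_available() has to run before key_available(), because 7.3 gives it the side effect of computing PANA_MAC_KEY. That ordering requirement is not stated in 7.3, so add it to the procedure description. Also, 7.3 says new_key_available() returns FALSE whenever a PANA_MAC_KEY already exists; say how a fresh AAA-Key from a later authentication is picked up, since as written Key-Id would not be sent again for the session.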
skipping to change at page 49, line 32 | skipping to change at page 49, line 32 | |||
modifications are to accomodate the mobility variables and procedures | modifications are to accomodate the mobility variables and procedures | |||
as they relate to existing state transition actions and events. | as they relate to existing state transition actions and events. | |||
These modifications to existing state transition are noted in state | These modifications to existing state transition are noted in state | |||
transition tables in this section. These modified state transitions | transition tables in this section. These modified state transitions | |||
are intended to replace thier base protocol counterpart. Addition of | are intended to replace thier base protocol counterpart. Addition of | |||
new state transitions specific to mobility optimization is also | new state transitions specific to mobility optimization is also | |||
present. Variable initialization also need to be added to the | present. Variable initialization also need to be added to the | |||
appropriate base protocol state to complete the mobility optimization | appropriate base protocol state to complete the mobility optimization | |||
support. | support. | |||
8.1 Common Variables | 8.1. Common Variables | |||
MOBILITY | MOBILITY | |||
This variable indicates whether the mobility handling feature | This variable indicates whether the mobility handling feature | |||
described in [I-D.ietf-pana-mobopts] is supported. This should be | described in [I-D.ietf-pana-mobopts] is supported. This should be | |||
present in both PaC and PAA state machine. Existing state | present in both PaC and PAA state machine. Existing state | |||
transitions in the base protocol state machine that can be | transitions in the base protocol state machine that can be | |||
affected by mobility optimization must treat this variable as | affected by mobility optimization must treat this variable as | |||
being Unset unless the state transitions is explicitly redefined | being Unset unless the state transitions is explicitly redefined | |||
in this section. | in this section. | |||
8.2 PaC Mobility Optimization State Machine | 8.2. PaC Mobility Optimization State Machine | |||
8.2.1 Variables | 8.2.1. Variables | |||
PANA_SA_RESUMED | PANA_SA_RESUMED | |||
This variable indicates whether the PANA SA of a previous PANA | This variable indicates whether the PANA SA of a previous PANA | |||
session was resumed during the discovery and initial handshake. | session was resumed during the discovery and initial handshake. | |||
8.2.2 Procedures | 8.2.2. Procedures | |||
boolean resume_pana_sa() | boolean resume_pana_sa() | |||
This procedure returns TRUE when a PANA SA for a previously | This procedure returns TRUE when a PANA SA for a previously | |||
established PANA Session is resumed, otherwise returns FALSE. | established PANA Session is resumed, otherwise returns FALSE. | |||
Once a PANA SA is resumed, key_available() procedure must return | Once a PANA SA is resumed, key_available() procedure must return | |||
TRUE. Existing state transitions in the base protocol state | TRUE. Existing state transitions in the base protocol state | |||
machine that can be affected by mobility optimization must assume | machine that can be affected by mobility optimization must assume | |||
that this procedure always returns FALSE unless the state | that this procedure always returns FALSE unless the state | |||
transition is explicitly redefined in this section. | transition is explicitly redefined in this section. | |||
8.2.3 PaC Mobility Optimization State Transition Table Addendum | 8.2.3. PaC Mobility Optimization State Transition Table Addendum | |||
------------------------------ | ------------------------------ | |||
State: OFFLINE (Initial State) | State: OFFLINE (Initial State) | |||
------------------------------ | ------------------------------ | |||
Initialization Action: | Initialization Action: | |||
MOBILITY=Set|Unset; | MOBILITY=Set|Unset; | |||
PANA_SA_RESUMED=Unset; | PANA_SA_RESUMED=Unset; | |||
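Review bot: The introductory paragraph of section 8 keeps several errors that -02 does not touch: "accomodate", "thier base protocol counterpart", "Variable initialization also need", and in 8.1 "unless the state transitions is explicitly redefined". Since the section numbering is being edited anyway, fix these in the same revision.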
skipping to change at page 53, line 6 | skipping to change at page 53, line 4 | |||
!eap_piggyback() 1ST_EAP=Unset; | !eap_piggyback() 1ST_EAP=Unset; | |||
PANA_SA_RESUMED=Unset; | PANA_SA_RESUMED=Unset; | |||
EAP_RespTimerStart(); | EAP_RespTimerStart(); | |||
TxEAP(); | TxEAP(); | |||
if (key_available()) | if (key_available()) | |||
PAN.insert_avp("MAC"); | PAN.insert_avp("MAC"); | |||
PAN.S_flag=PAR.S_flag; | PAN.S_flag=PAR.S_flag; | |||
PAN.N_flag=PAR.N_flag; | PAN.N_flag=PAR.N_flag; | |||
Tx:PAN(); | Tx:PAN(); | |||
SessionTimerStop(); | SessionTimerStop(); | |||
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG | Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG | |||
eap_piggyback() 1ST_EAP=Unset; | eap_piggyback() 1ST_EAP=Unset; | |||
PANA_SA_RESUMED=Unset; | PANA_SA_RESUMED=Unset; | |||
EAP_RespTimerStart(); | EAP_RespTimerStart(); | |||
TxEAP(); | TxEAP(); | |||
SessionTimerStop(); | SessionTimerStop(); | |||
8.3 PAA Mobility Optimization | ------------------------+--------------------------+------------ | |||
- - - - - - - - (PSR processing with mobility support)- - - - - | ||||
- The following state transitions are intended to be added - | ||||
- to the OPEN state of the PaC base protocol state machine - | ||||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||||
Rx:PSR && RtxTimerStop(); WAIT_PAA | ||||
!PSR.exist_avp PSA.insert_avp | ||||
("EAP-Payload") && ("Session-Id"); | ||||
MOBILITY==Set && SEPARATE=Unset; | ||||
resume_pana_sa() && PANA_SA_RESUMED=Set; | ||||
PSR.exist_avp PSA.insert_avp("Cookie"); | ||||
("Cookie") PSA.insert_avp("MAC"); | ||||
Tx:PSA(); | ||||
RtxTimerStart(); | ||||
8.3.1 Procedures | Rx:PSR && RtxTimerStop(); WAIT_PAA | |||
!PSR.exist_avp PSA.insert_avp | ||||
("EAP-Payload") && ("Session-Id"); | ||||
MOBILITY==Set && PSA.insert_avp("MAC"); | ||||
resume_pana_sa() && Tx:PSA(); | ||||
!PSR.exist_avp PANA_SA_RESUMED=Set; | ||||
("Cookie") | ||||
8.3. PAA Mobility Optimization | ||||
8.3.1. Procedures | ||||
boolean retrieve_pana_sa(Session-Id) | boolean retrieve_pana_sa(Session-Id) | |||
This procedure returns TRUE when a PANA SA for the PANA Session | This procedure returns TRUE when a PANA SA for the PANA Session | |||
corresponds to the specified Session-Id has been retrieved, | corresponds to the specified Session-Id has been retrieved, | |||
otherwise returns FALSE. | otherwise returns FALSE. | |||
8.3.2 PAA Mobility Optimization State Transition Table Addendum | 8.3.2. PAA Mobility Optimization State Transition Table Addendum | |||
------------------------------ | ------------------------------ | |||
State: OFFLINE (Initial State) | State: OFFLINE (Initial State) | |||
------------------------------ | ------------------------------ | |||
Initialization Action: | Initialization Action: | |||
MOBILITY=Set|Unset; | MOBILITY=Set|Unset; | |||
Exit Condition Exit Action Exit State | Exit Condition Exit Action Exit State | |||
------------------------+--------------------------+------------ | ------------------------+--------------------------+------------ | |||
- - - - - - - (PSA processing without mobility support) - - - - | - - - - - - - (PSA processing with mobility support) - - - - - - | |||
- The following state transitions are intended to replace - | - The following state transitions are intended to replace - | |||
- existing base protocol state transitions. Original base - | - existing base protocol state transitions. Original base - | |||
- protocol state transitions can be referenced by exit - | - protocol state transitions can be referenced by exit - | |||
- conditions that excludes MOBILITY variable checks and - | - conditions that excludes MOBILITY variable checks and - | |||
- retrieve_pana_sa() procedure calls. - | - retrieve_pana_sa() procedure calls. - | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG | Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG | |||
USE_COOKIE==Set && PSA.S_flag==0) | (!PSA.exist_avp PSA.S_flag==0) | |||
(!PSA.exist_avp SEPARATE=Unset; | ("Session-Id") || SEPARATE=Unset; | |||
("Session-Id") || if (SEPARATE==Set) | MOBILITY==Unset || if (SEPARATE==Set) | |||
MOBILITY==Unset || NAP_AUTH=Set|Unset; | (MOBILITY==Set && NAP_AUTH=Set|Unset; | |||
(MOBILITY==Set && EAP_Restart(); | !retrieve_pana_sa EAP_Restart(); | |||
!retrieve_pana_sa | ||||
(PSA.SESSION_ID))) | (PSA.SESSION_ID))) | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
- - - - - - - - (PSA processing with mobility support)- - - - - | - - - - - - - - (PSA processing with mobility support)- - - - - | |||
Rx:PSA && PBR.insert_avp("MAC"); WAIT_SUCC_PBA | Rx:PSA && PBR.insert_avp("MAC"); WAIT_SUCC_PBA | |||
USE_COOKIE==Set && PBR.insert_avp("Key-Id"); | PSA.exist_avp PBR.insert_avp("Key-Id"); | |||
PSA.exist_avp if (CARRY_DEVICE_ID==Set) | ("Session-Id") && if (CARRY_DEVICE_ID==Set) | |||
("Session-Id") && PBR.insert_avp | MOBILITY==Set && PBR.insert_avp | |||
MOBILITY==Set && ("Device-Id"); | retrieve_pana_sa ("Device-Id"); | |||
retrieve_pana_sa if (PROTECTION_CAP_IN_PBR | (PSA.SESSION_ID) if (PROTECTION_CAP_IN_PBR | |||
(PSA.SESSION_ID) ==Set) | ==Set) | |||
PBR.insert_avp | PBR.insert_avp | |||
("Protection-Cap."); | ("Protection-Cap."); | |||
Tx:PBR(); | Tx:PBR(); | |||
RtxTimerStart(); | RtxTimerStart(); | |||
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |||
9. Implementation Considerations | 9. Implementation Considerations | |||
9.1 PAA and PaC Interface to Service Management Entity | 9.1. PAA and PaC Interface to Service Management Entity | |||
In general, it is assumed in each device that has a PANA protocol | In general, it is assumed in each device that has a PANA protocol | |||
stack that there is a Service Management Entity (SME) that manages | stack that there is a Service Management Entity (SME) that manages | |||
the PANA protocol stack. It is recommended that a generic interface | the PANA protocol stack. It is recommended that a generic interface | |||
(i.e., the SME-PANA interface) between the SME and the PANA protocol | (i.e., the SME-PANA interface) between the SME and the PANA protocol | |||
stack be provided by the implementation. Especially, common | stack be provided by the implementation. Especially, common | |||
procedures such as startup, shutdown, re-authenticate signals and | procedures such as startup, shutdown, re-authenticate signals and | |||
provisions for extracting keying material should be provided by such | provisions for extracting keying material should be provided by such | |||
an interface. The SME-PANA interface in a PAA device should also | an interface. The SME-PANA interface in a PAA device should also | |||
provide a method for communicating filtering parameters to the EP(s). | provide a method for communicating filtering parameters to the EP(s). | |||
When cryptographic filtering is used, the filtering parameters | When cryptographic filtering is used, the filtering parameters | |||
include keying material used for bootstrapping per-packet ciphering. | include keying material used for bootstrapping per-packet ciphering. | |||
When a PAA device interacts with the backend authentication server | When a PAA device interacts with the backend authentication server | |||
using a AAA protocol, its SME may also have an interface to the AAA | using a AAA protocol, its SME may also have an interface to the AAA | |||
protocol to obtain authorization parameters such as the authorization | protocol to obtain authorization parameters such as the authorization | |||
lifetime and additional filtering parameters. | lifetime and additional filtering parameters. | |||
9.2 Multicast Traffic | 9.2. Multicast Traffic | |||
In general, binding a UDP socket to a multicast address and/or port | In general, binding a UDP socket to a multicast address and/or port | |||
is system dependent. In most systems, a socket can be bound to any | is system dependent. In most systems, a socket can be bound to any | |||
address and a specific port. This allows the socket to receive all | address and a specific port. This allows the socket to receive all | |||
packets destined for the local host (on all it's local addresses) for | packets destined for the local host (on all it's local addresses) for | |||
that port. If the host subscribes to a multicast addresses then this | that port. If the host subscribes to a multicast addresses then this | |||
socket will also receive multicast traffic as well. In some systems, | socket will also receive multicast traffic as well. In some systems, | |||
this would also result in the socket receiving all multicast traffic | this would also result in the socket receiving all multicast traffic | |||
even though it has subscribed to only one multicast address. This is | even though it has subscribed to only one multicast address. This is | |||
because most physical interfaces has either multicast traffic enabled | because most physical interfaces has either multicast traffic enabled | |||
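Review bot: In 8.3.2, the first block is relabelled from "PSA processing without mobility support" to "PSA processing with mobility support", which makes it identical to the label of the block that follows, even though its exit condition is the fallback case (no Session-Id, MOBILITY==Unset, or retrieve_pana_sa() failing) that ends in EAP_Restart(). Keep distinct labels for the two blocks. In the PSR rows on the -02 side of 8.2.3, the row without a Cookie omits SEPARATE=Unset and RtxTimerStart(), both of which the Cookie row performs; state whether that difference is intended. Finally, the Rx:PSA row that goes to WAIT_SUCC_PBA resumes on retrieve_pana_sa(PSA.SESSION_ID) alone; the condition should make explicit that the MAC the PaC puts in the PSA has been verified against the retrieved SA before the PAA skips EAP.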
skipping to change at page 59, line 7 | skipping to change at page 59, line 7 | |||
This document has no actions for IANA. | This document has no actions for IANA. | |||
12. Acknowledgments | 12. Acknowledgments | |||
This work was started from state machines originally made by Dan | This work was started from state machines originally made by Dan | |||
Forsberg. | Forsberg. | |||
13. References | 13. References | |||
13.1 Normative References | 13.1. Normative References | |||
[I-D.ietf-pana-pana] | [I-D.ietf-pana-pana] | |||
Forsberg, D., "Protocol for Carrying Authentication for | Forsberg, D., "Protocol for Carrying Authentication for | |||
Network Access (PANA)", draft-ietf-pana-pana-08 (work in | Network Access (PANA)", draft-ietf-pana-pana-10 (work in | |||
progress), May 2005. | progress), July 2005. | |||
[I-D.ietf-eap-statemachine] | [I-D.ietf-eap-statemachine] | |||
Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, | Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, | |||
"State Machines for Extensible Authentication Protocol | "State Machines for Extensible Authentication Protocol | |||
(EAP) Peer and Authenticator", | (EAP) Peer and Authenticator", | |||
draft-ietf-eap-statemachine-06 (work in progress), | draft-ietf-eap-statemachine-06 (work in progress), | |||
December 2004. | December 2004. | |||
[I-D.ietf-pana-mobopts] | [I-D.ietf-pana-mobopts] | |||
Forsberg, D., "PANA Mobility Optimizations", | Forsberg, D., "PANA Mobility Optimizations", | |||
draft-ietf-pana-mobopts-00 (work in progress), | draft-ietf-pana-mobopts-00 (work in progress), | |||
January 2005. | January 2005. | |||
13.2 Informative References | 13.2. Informative References | |||
[RFC4058] Yegin, A., Ohba, Y., Penno, R., Tsirtsis, G., and C. Wang, | [RFC4058] Yegin, A., Ohba, Y., Penno, R., Tsirtsis, G., and C. Wang, | |||
"Protocol for Carrying Authentication for Network Access | "Protocol for Carrying Authentication for Network Access | |||
(PANA) Requirements", RFC 4058, May 2005. | (PANA) Requirements", RFC 4058, May 2005. | |||
[I-D.ietf-pana-snmp] | [I-D.ietf-pana-snmp] | |||
Mghazli, Y., "SNMP usage for PAA-EP interface", | Mghazli, Y., "SNMP usage for PAA-EP interface", | |||
draft-ietf-pana-snmp-04 (work in progress), July 2005. | draft-ietf-pana-snmp-04 (work in progress), July 2005. | |||
Authors' Addresses | Authors' Addresses | |||
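Review bot: Only [I-D.ietf-pana-pana] is bumped (to draft-ietf-pana-pana-10, July 2005); [I-D.ietf-eap-statemachine] stays at -06 (December 2004) and [I-D.ietf-pana-mobopts] at -00 (January 2005). Because sections 7.1 and 8 depend on variable and procedure names from those two documents, confirm they are still the current versions before this revision is published.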
End of changes. 64 change blocks. | ||||
114 lines changed or deleted | 128 lines changed or added | |||