draft-ietf-pana-statemachine-01.txt   draft-ietf-pana-statemachine-02.txt 
PANA Working Group V. Fajardo PANA Working Group V. Fajardo
Internet-Draft Y. Ohba Internet-Draft Y. Ohba
Expires: January 12, 2006 TARI Expires: April 21, 2006 TARI
R. Lopez R. Lopez
Univ. of Murcia Univ. of Murcia
July 11, 2005 October 18, 2005
State Machines for Protocol for Carrying Authentication for Network State Machines for Protocol for Carrying Authentication for Network
Access (PANA) Access (PANA)
draft-ietf-pana-statemachine-01 draft-ietf-pana-statemachine-02
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 37 skipping to change at page 1, line 37
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 12, 2006. This Internet-Draft will expire on April 21, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2005).
Abstract Abstract
This document defines the conceptual state machines for the Protocol This document defines the conceptual state machines for the Protocol
for Carrying Authentication for Network Access (PANA). The state for Carrying Authentication for Network Access (PANA). The state
machines consist of the PANA Client (PaC) state machine and the PANA machines consist of the PANA Client (PaC) state machine and the PANA
skipping to change at page 2, line 16 skipping to change at page 2, line 16
The state machines and associated model are informative only. The state machines and associated model are informative only.
Implementations may achieve the same results using different methods. Implementations may achieve the same results using different methods.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 5 2. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 5
3. Document Authority . . . . . . . . . . . . . . . . . . . . . . 7 3. Document Authority . . . . . . . . . . . . . . . . . . . . . . 7
4. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 8
5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10 5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.1 Common Procedures . . . . . . . . . . . . . . . . . . . . 10 5.1. Common Procedures . . . . . . . . . . . . . . . . . . . . 10
5.2 Common Variables . . . . . . . . . . . . . . . . . . . . . 12 5.2. Common Variables . . . . . . . . . . . . . . . . . . . . . 12
5.3 Constants . . . . . . . . . . . . . . . . . . . . . . . . 13 5.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 13
5.4 Common Message Initialization Rules . . . . . . . . . . . 14 5.4. Common Message Initialization Rules . . . . . . . . . . . 13
5.5 Common Error Handling Rules . . . . . . . . . . . . . . . 14 5.5. Common Error Handling Rules . . . . . . . . . . . . . . . 14
5.6 Common State Transitions . . . . . . . . . . . . . . . . . 14 5.6. Common State Transitions . . . . . . . . . . . . . . . . . 14
6. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 16 6. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 16
6.1 Interface between PaC and EAP Peer . . . . . . . . . . . . 16 6.1. Interface between PaC and EAP Peer . . . . . . . . . . . . 16
6.1.1 Delivering EAP Messages from PaC to EAP Peer . . . . . 16 6.1.1. Delivering EAP Messages from PaC to EAP Peer . . . . . 16
6.1.2 Delivering EAP Responses from EAP Peer to PaC . . . . 16 6.1.2. Delivering EAP Responses from EAP Peer to PaC . . . . 16
6.1.3 EAP Restart Notification from PaC to EAP Peer . . . . 16 6.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 16
6.1.4 EAP Authentication Result Notification from EAP 6.1.4. EAP Authentication Result Notification from EAP
Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17 Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17
6.1.5 Alternate Failure Notification from PaC to EAP Peer . 17 6.1.5. Alternate Failure Notification from PaC to EAP Peer . 17
6.1.6 EAP Invalid Message Notification from EAP Peer to 6.1.6. EAP Invalid Message Notification from EAP Peer to
PaC . . . . . . . . . . . . . . . . . . . . . . . . . 17 PaC . . . . . . . . . . . . . . . . . . . . . . . . . 17
6.2 Variables . . . . . . . . . . . . . . . . . . . . . . . . 17 6.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 17
6.3 Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18 6.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18
6.4 PaC State Transition Table . . . . . . . . . . . . . . . . 19 6.4. PaC State Transition Table . . . . . . . . . . . . . . . . 19
7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 31 7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 31
7.1 Interface between PAA and EAP Authenticator . . . . . . . 31 7.1. Interface between PAA and EAP Authenticator . . . . . . . 31
7.1.1 EAP Restart Notification from PAA to EAP 7.1.1. EAP Restart Notification from PAA to EAP
Authenticator . . . . . . . . . . . . . . . . . . . . 31 Authenticator . . . . . . . . . . . . . . . . . . . . 31
7.1.2 Delivering EAP Responses from PAA to EAP 7.1.2. Delivering EAP Responses from PAA to EAP
Authenticator . . . . . . . . . . . . . . . . . . . . 31 Authenticator . . . . . . . . . . . . . . . . . . . . 31
7.1.3 Delivering EAP Messages from EAP Authenticator to 7.1.3. Delivering EAP Messages from EAP Authenticator to
PAA . . . . . . . . . . . . . . . . . . . . . . . . . 31 PAA . . . . . . . . . . . . . . . . . . . . . . . . . 31
7.1.4 EAP Authentication Result Notification from EAP 7.1.4. EAP Authentication Result Notification from EAP
Authenticator to PAA . . . . . . . . . . . . . . . . . 31 Authenticator to PAA . . . . . . . . . . . . . . . . . 31
7.2 Variables . . . . . . . . . . . . . . . . . . . . . . . . 32 7.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 32
7.3 Procedures . . . . . . . . . . . . . . . . . . . . . . . . 34 7.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 34
7.4 PAA State Transition Table . . . . . . . . . . . . . . . . 34 7.4. PAA State Transition Table . . . . . . . . . . . . . . . . 34
8. Mobility Optimization Support . . . . . . . . . . . . . . . . 49 8. Mobility Optimization Support . . . . . . . . . . . . . . . . 49
8.1 Common Variables . . . . . . . . . . . . . . . . . . . . . 49 8.1. Common Variables . . . . . . . . . . . . . . . . . . . . . 49
8.2 PaC Mobility Optimization State Machine . . . . . . . . . 49 8.2. PaC Mobility Optimization State Machine . . . . . . . . . 49
8.2.1 Variables . . . . . . . . . . . . . . . . . . . . . . 49 8.2.1. Variables . . . . . . . . . . . . . . . . . . . . . . 49
8.2.2 Procedures . . . . . . . . . . . . . . . . . . . . . . 50 8.2.2. Procedures . . . . . . . . . . . . . . . . . . . . . . 50
8.2.3 PaC Mobility Optimization State Transition Table 8.2.3. PaC Mobility Optimization State Transition Table
Addendum . . . . . . . . . . . . . . . . . . . . . . . 50 Addendum . . . . . . . . . . . . . . . . . . . . . . . 50
8.3 PAA Mobility Optimization . . . . . . . . . . . . . . . . 53 8.3. PAA Mobility Optimization . . . . . . . . . . . . . . . . 53
8.3.1 Procedures . . . . . . . . . . . . . . . . . . . . . . 53 8.3.1. Procedures . . . . . . . . . . . . . . . . . . . . . . 53
8.3.2 PAA Mobility Optimization State Transition Table 8.3.2. PAA Mobility Optimization State Transition Table
Addendum . . . . . . . . . . . . . . . . . . . . . . . 53 Addendum . . . . . . . . . . . . . . . . . . . . . . . 53
9. Implementation Considerations . . . . . . . . . . . . . . . . 55 9. Implementation Considerations . . . . . . . . . . . . . . . . 55
9.1 PAA and PaC Interface to Service Management Entity . . . . 55 9.1. PAA and PaC Interface to Service Management Entity . . . . 55
9.2 Multicast Traffic . . . . . . . . . . . . . . . . . . . . 55 9.2. Multicast Traffic . . . . . . . . . . . . . . . . . . . . 55
10. Security Considerations . . . . . . . . . . . . . . . . . . 56 10. Security Considerations . . . . . . . . . . . . . . . . . . . 56
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 57 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 57
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 58 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 58
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 59 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 59
13.1 Normative References . . . . . . . . . . . . . . . . . . . 59 13.1. Normative References . . . . . . . . . . . . . . . . . . . 59
13.2 Informative References . . . . . . . . . . . . . . . . . . 59 13.2. Informative References . . . . . . . . . . . . . . . . . . 59
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 59 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 60
Intellectual Property and Copyright Statements . . . . . . . . 61 Intellectual Property and Copyright Statements . . . . . . . . . . 61
1. Introduction 1. Introduction
This document defines the state machines for Protocol Carrying This document defines the state machines for Protocol Carrying
Authentication for Network Access (PANA) [I-D.ietf-pana-pana]. There Authentication for Network Access (PANA) [I-D.ietf-pana-pana]. There
are state machines for the PANA client (PaC) and for the PANA are state machines for the PANA client (PaC) and for the PANA
Authentication Agent (PAA). Each state machine is specified through Authentication Agent (PAA). Each state machine is specified through
a set of variables, procedures and a state transition table. a set of variables, procedures and a state transition table.
A PANA protocol execution consists of several exchanges to carry A PANA protocol execution consists of several exchanges to carry
skipping to change at page 10, line 16 skipping to change at page 10, line 16
There are following procedures, variables, message initializing rules There are following procedures, variables, message initializing rules
and state transitions that are common to both the PaC and PAA state and state transitions that are common to both the PaC and PAA state
machines. machines.
Throughout this document, the character string "PANA_MESSAGE_NAME" Throughout this document, the character string "PANA_MESSAGE_NAME"
matches any one of the abbreviated PANA message names, i.e., "PDI", matches any one of the abbreviated PANA message names, i.e., "PDI",
"PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR", "PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR",
"PTA", "PPR", "PPA", "PRAR", "PRAA", "PUR", "PUA", "PER" and "PEA". "PTA", "PPR", "PPA", "PRAR", "PRAA", "PUR", "PUA", "PER" and "PEA".
5.1 Common Procedures 5.1. Common Procedures
void None() void None()
A null procedure, i.e., nothing is done. A null procedure, i.e., nothing is done.
void Disconnect() void Disconnect()
A procedure to delete the PANA session as well as the A procedure to delete the PANA session as well as the
corresponding EAP session and authorization state. corresponding EAP session and authorization state.
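Review bot: the opening sentence of this hunk ("There are following procedures, variables, message initializing rules and state transitions that are common to both the PaC and PAA state machines.") is ungrammatical in both columns; suggest "The following procedures, variables, message initialization rules and state transitions are common to both the PaC and PAA state machines." "Message initializing rules" should also match the section title "Common Message Initialization Rules" in 5.4.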
skipping to change at page 12, line 5 skipping to change at page 12, line 5
TRUE. Otherwise, it returns FALSE. TRUE. Otherwise, it returns FALSE.
boolean fatal(int) boolean fatal(int)
A procedure to check whether an integer result code value A procedure to check whether an integer result code value
indicates a fatal error. If the result code indicates a fatal indicates a fatal error. If the result code indicates a fatal
error, the procedure returns TRUE, otherwise, it return FALSE. A error, the procedure returns TRUE, otherwise, it return FALSE. A
fatal error would also result in the termination of the session fatal error would also result in the termination of the session
and release of all resources related to that session. and release of all resources related to that session.
5.2 Common Variables 5.2. Common Variables
PANA_MESSAGE_NAME.S_flag PANA_MESSAGE_NAME.S_flag
This variable contains the S-Flag value of the specified PANA This variable contains the S-Flag value of the specified PANA
message. message.
PBR.RESULT_CODE PBR.RESULT_CODE
This variable contains the Result-Code AVP value in the PANA-Bind- This variable contains the Result-Code AVP value in the PANA-Bind-
Request message in process. When this variable carries Request message in process. When this variable carries
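Review bot: typo in the fatal(int) description, unchanged between -01 and -02: "otherwise, it return FALSE" should read "otherwise, it returns FALSE". The closing sentence of that paragraph ("A fatal error would also result in the termination of the session and release of all resources related to that session") reads as if fatal() itself performs the teardown; since fatal() is defined as a boolean check, consider stating that the termination is carried out by the exit action (e.g. Disconnect()) so implementers do not give a predicate side effects.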
skipping to change at page 13, line 18 skipping to change at page 13, line 18
termination is triggered. termination is triggered.
PANA_PING PANA_PING
This event variable is set to TRUE when initiation of liveness This event variable is set to TRUE when initiation of liveness
test based on PPR-PPA exchange is triggered. test based on PPR-PPA exchange is triggered.
NOTIFY NOTIFY
This event variable is set to TRUE if the PaC or PAA wants to send This event variable is set to TRUE if the PaC or PAA wants to send
attribute updates or notifications. For attribute updates, attribute updates or notifications.
UPDATE_POPA should be used by the PaC.
SESS_TIMEOUT SESS_TIMEOUT
This event is variable is set to TRUE when the session timer is This event is variable is set to TRUE when the session timer is
expired. expired.
ABORT_ON_1ST_EAP_FAILURE ABORT_ON_1ST_EAP_FAILURE
This variable indicates whether the PANA session is immediately This variable indicates whether the PANA session is immediately
terminated when the 1st EAP authentication fails. terminated when the 1st EAP authentication fails.
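Review bot: the -02 column drops "For attribute updates, UPDATE_POPA should be used by the PaC." from the NOTIFY description, but nothing in the remaining text says that a change in the PaC's post-PANA address is now signalled through NOTIFY; add a clause such as "including a change in the PaC's POPA" so the trigger for the PaC's PANA-Update-Request stays documented. Separately, the SESS_TIMEOUT description "This event is variable is set to TRUE" has a stray "is" in both columns.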
skipping to change at page 13, line 43 skipping to change at page 13, line 42
This variable indicates whether a Device-Id AVP is carried in a This variable indicates whether a Device-Id AVP is carried in a
PANA-Bind-Request or PANA_Bind-Answer message. For the PAA, this PANA-Bind-Request or PANA_Bind-Answer message. For the PAA, this
variable MUST be set when a link-layer or IP address is used as variable MUST be set when a link-layer or IP address is used as
the device identifier of the PaC and a Protection-Capability AVP the device identifier of the PaC and a Protection-Capability AVP
is included in the PANA-Bind-Request message. is included in the PANA-Bind-Request message.
ANY ANY
This event variable is set to TRUE when any event occurs. This event variable is set to TRUE when any event occurs.
5.3 Constants 5.3. Constants
RTX_MAX_NUM RTX_MAX_NUM
Configurable maximum for how many retransmissions should be Configurable maximum for how many retransmissions should be
attempted before aborting. attempted before aborting.
5.4 Common Message Initialization Rules 5.4. Common Message Initialization Rules
When a message is prepared for sending, it is initialized as follows: When a message is prepared for sending, it is initialized as follows:
o For a request message, R-flag of the header is set. Otherwise, o For a request message, R-flag of the header is set. Otherwise,
R-flag is not set. R-flag is not set.
o S-flag and N-flag of the header are not set. o S-flag and N-flag of the header are not set.
o AVPs that are mandatory included in a message are inserted with o AVPs that are mandatory included in a message are inserted with
appropriate values set. appropriate values set.
o A Notification AVP is inserted if there is some notification o A Notification AVP is inserted if there is some notification
string to send to the communicating peer. string to send to the communicating peer.
5.5 Common Error Handling Rules 5.5. Common Error Handling Rules
For simplicity, the PANA state machines defined in this document do For simplicity, the PANA state machines defined in this document do
not support an optional feature of sending a PER message when an not support an optional feature of sending a PER message when an
invalid PANA message is received [I-D.ietf-pana-pana], while the invalid PANA message is received [I-D.ietf-pana-pana], while the
state machines support sending a PER message generated in other cases state machines support sending a PER message generated in other cases
as well as receiving and processing a PER message. It is left to as well as receiving and processing a PER message. It is left to
implementations as to whether they provide a means to send a PER implementations as to whether they provide a means to send a PER
message when an invalid PANA message is received. message when an invalid PANA message is received.
5.6 Common State Transitions 5.6. Common State Transitions
The following transitions can occur at any state. The following transitions can occur at any state.
---------- ----------
State: ANY State: ANY
---------- ----------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - - - - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - -
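Review bot: in the CARRY_DEVICE_ID description, "PANA_Bind-Answer" uses an underscore where every other message name uses hyphens ("PANA-Bind-Answer"). In 5.4, "AVPs that are mandatory included in a message" should be "AVPs that are mandatory in a message". In 5.5, sending a PER on receipt of an invalid PANA message is left to implementations but not modelled by these tables; consider pointing implementers to the corresponding rules in [I-D.ietf-pana-pana] so an implementation that does take that path still applies the same retransmission and authentication handling as the other PER cases.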
skipping to change at page 16, line 7 skipping to change at page 16, line 7
------------- -------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - -(Session termination initiated by PaC) - - - - - - - - - - - - -(Session termination initiated by PaC) - - - - -
ANY None(); CLOSED ANY None(); CLOSED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6. PaC State Machine 6. PaC State Machine
6.1 Interface between PaC and EAP Peer 6.1. Interface between PaC and EAP Peer
This interface defines the interactions between a PaC and an EAP This interface defines the interactions between a PaC and an EAP
peer. The interface serves as a mechanism to deliver EAP messages peer. The interface serves as a mechanism to deliver EAP messages
for the EAP peer. It allows the EAP peer to receive EAP requests and for the EAP peer. It allows the EAP peer to receive EAP requests and
send EAP responses via the PaC. It also provides a mechanism to send EAP responses via the PaC. It also provides a mechanism to
notify the EAP peer of PaC events and a mechanism to receive notify the EAP peer of PaC events and a mechanism to receive
notification of EAP peer events. The EAP message delivery mechanism notification of EAP peer events. The EAP message delivery mechanism
as well as the event notification mechanism in this interface have as well as the event notification mechanism in this interface have
direct correlation with the PaC state transition table entries. direct correlation with the PaC state transition table entries.
These message delivery and event notifications mechanisms occur only These message delivery and event notifications mechanisms occur only
within the context of their associated states or exit actions. within the context of their associated states or exit actions.
6.1.1 Delivering EAP Messages from PaC to EAP Peer 6.1.1. Delivering EAP Messages from PaC to EAP Peer
TxEAP() procedure in the PaC state machine serves as the mechanism to TxEAP() procedure in the PaC state machine serves as the mechanism to
deliver EAP request, EAP success and EAP failure messages contained deliver EAP request, EAP success and EAP failure messages contained
in PANA-Auth-Request messages to the EAP peer. This procedure is in PANA-Auth-Request messages to the EAP peer. This procedure is
enabled only after an EAP restart event is notified to the EAP peer enabled only after an EAP restart event is notified to the EAP peer
and before any event resulting in a termination of the EAP peer and before any event resulting in a termination of the EAP peer
session. In the case where the EAP peer follows the EAP peer state session. In the case where the EAP peer follows the EAP peer state
machine defined in [I-D.ietf-eap-statemachine], TxEAP() procedure machine defined in [I-D.ietf-eap-statemachine], TxEAP() procedure
sets eapReq variable of the EAP peer state machine and puts the EAP sets eapReq variable of the EAP peer state machine and puts the EAP
request in eapReqData variable of the EAP peer state machine. request in eapReqData variable of the EAP peer state machine.
6.1.2 Delivering EAP Responses from EAP Peer to PaC 6.1.2. Delivering EAP Responses from EAP Peer to PaC
An EAP response is delivered from the EAP peer to the PaC via An EAP response is delivered from the EAP peer to the PaC via
EAP_RESPONSE event variable. The event variable is set when the EAP EAP_RESPONSE event variable. The event variable is set when the EAP
peer passes the EAP response to its lower-layer. In the case where peer passes the EAP response to its lower-layer. In the case where
the EAP peer follows the EAP peer state machine defined in [I-D.ietf- the EAP peer follows the EAP peer state machine defined in [I-D.ietf-
eap-statemachine], EAP_RESPONSE event variable refers to eapResp eap-statemachine], EAP_RESPONSE event variable refers to eapResp
variable of the EAP peer state machine and the EAP response is variable of the EAP peer state machine and the EAP response is
contained in eapRespData variable of the EAP peer state machine. contained in eapRespData variable of the EAP peer state machine.
6.1.3 EAP Restart Notification from PaC to EAP Peer 6.1.3. EAP Restart Notification from PaC to EAP Peer
The EAP peer state machine defined in [I-D.ietf-eap-statemachine] has The EAP peer state machine defined in [I-D.ietf-eap-statemachine] has
an initialization procedure before receiving an EAP request. To an initialization procedure before receiving an EAP request. To
initialize the EAP state machine, the PaC state machine defines an initialize the EAP state machine, the PaC state machine defines an
event notification mechanism to send an EAP (re)start event to the event notification mechanism to send an EAP (re)start event to the
EAP peer. The event notification is done via EAP_Restart() procedure EAP peer. The event notification is done via EAP_Restart() procedure
in the initialization action of the PaC state machine. in the initialization action of the PaC state machine.
6.1.4 EAP Authentication Result Notification from EAP Peer to PaC 6.1.4. EAP Authentication Result Notification from EAP Peer to PaC
In order for the EAP peer to notify the PaC of an EAP authentication In order for the EAP peer to notify the PaC of an EAP authentication
result, EAP_SUCCESS and EAP_FAILURE event variables are defined. In result, EAP_SUCCESS and EAP_FAILURE event variables are defined. In
the case where the EAP peer follows the EAP peer state machine the case where the EAP peer follows the EAP peer state machine
defined in [I-D.ietf-eap-statemachine], EAP_SUCCESS and EAP_FAILURE defined in [I-D.ietf-eap-statemachine], EAP_SUCCESS and EAP_FAILURE
event variables refer to eapSuccess and eapFail variables of the EAP event variables refer to eapSuccess and eapFail variables of the EAP
peer state machine, respectively. In this case, if EAP_SUCCESS event peer state machine, respectively. In this case, if EAP_SUCCESS event
variable is set to TRUE and a AAA-Key is generated by the EAP variable is set to TRUE and a AAA-Key is generated by the EAP
authentication method in use, eapKeyAvailable variable is set to TRUE authentication method in use, eapKeyAvailable variable is set to TRUE
and eapKeyData variable contains the AAA-Key. Note that EAP_SUCCESS and eapKeyData variable contains the AAA-Key. Note that EAP_SUCCESS
and EAP_FAILURE event variables may be set to TRUE even before the and EAP_FAILURE event variables may be set to TRUE even before the
PaC receives a PBR or a PFER from the PAA. PaC receives a PBR or a PFER from the PAA.
6.1.5 Alternate Failure Notification from PaC to EAP Peer 6.1.5. Alternate Failure Notification from PaC to EAP Peer
alt_reject() procedure in the PaC state machine serves as the alt_reject() procedure in the PaC state machine serves as the
mechanism to deliver an authentication failure event to the EAP peer mechanism to deliver an authentication failure event to the EAP peer
without accompanying an EAP message. In the case where the EAP peer without accompanying an EAP message. In the case where the EAP peer
follows the EAP peer state machine defined in [I-D.ietf-eap- follows the EAP peer state machine defined in [I-D.ietf-eap-
statemachine], alt_reject() procedure sets altReject variable of the statemachine], alt_reject() procedure sets altReject variable of the
EAP peer state machine. Note that the EAP peer state machine in EAP peer state machine. Note that the EAP peer state machine in
[I-D.ietf-eap-statemachine] also defines altAccept variable, however, [I-D.ietf-eap-statemachine] also defines altAccept variable, however,
it is never used in PANA in which EAP-Success messages are reliably it is never used in PANA in which EAP-Success messages are reliably
delivered by PANA-Bind exchange. delivered by PANA-Bind exchange.
6.1.6 EAP Invalid Message Notification from EAP Peer to PaC 6.1.6. EAP Invalid Message Notification from EAP Peer to PaC
In order for the EAP peer to notify the PaC of a receipt of an In order for the EAP peer to notify the PaC of a receipt of an
invalid EAP message, EAP_INVALID_MSG event variable is defined. In invalid EAP message, EAP_INVALID_MSG event variable is defined. In
the case where the EAP peer follows the EAP peer state machine the case where the EAP peer follows the EAP peer state machine
defined in [I-D.ietf-eap-statemachine], EAP_INVALID_MSG event defined in [I-D.ietf-eap-statemachine], EAP_INVALID_MSG event
variable refers to eapNoResp variable of the EAP peer state machine. variable refers to eapNoResp variable of the EAP peer state machine.
6.2 Variables 6.2. Variables
SEPARATE SEPARATE
This variable indicates whether the PaC desires NAP/ISP separate This variable indicates whether the PaC desires NAP/ISP separate
authentication. authentication.
1ST_EAP 1ST_EAP
This variable indicates whether the 1st EAP authentication is This variable indicates whether the 1st EAP authentication is
success, failure or yet completed. success, failure or yet completed.
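Review bot: the 1ST_EAP description "success, failure or yet completed" is missing a word; suggest "success, failure, or not yet completed". In 6.1.4, "a AAA-Key" should be "an AAA-Key", and the note that EAP_SUCCESS and EAP_FAILURE may be set before the PaC receives a PBR or PFER is the one ordering point implementers must get right; consider cross-referencing the rows of 6.4 that consume those events. In 6.1, "event notifications mechanisms" should be "event notification mechanisms".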
skipping to change at page 18, line 32 skipping to change at page 18, line 32
This event variable is set to TRUE when the EAP peer delivers an This event variable is set to TRUE when the EAP peer delivers an
EAP Response to the PaC. This event accompanies an EAP-Response EAP Response to the PaC. This event accompanies an EAP-Response
message received from the EAP peer. message received from the EAP peer.
EAP_INVALID_MSG EAP_INVALID_MSG
This event variable is set to TRUE when the EAP peer silently This event variable is set to TRUE when the EAP peer silently
discards an EAP message. This event does not accompany any EAP discards an EAP message. This event does not accompany any EAP
message. message.
UPDATE_POPA
This event variable is set to TRUE when there is a change in the
POPA of the PaC.
EAP_RESP_TIMEOUT EAP_RESP_TIMEOUT
This event variable is set to TRUE when the PaC that has passed an This event variable is set to TRUE when the PaC that has passed an
EAP-Request to the EAP-layer does not receive a corresponding EAP- EAP-Request to the EAP-layer does not receive a corresponding EAP-
Response from the the EAP-layer in a given period. Response from the the EAP-layer in a given period.
6.3 Procedures 6.3. Procedures
boolean choose_isp() boolean choose_isp()
This procedure returns TRUE when the PaC chooses one ISP, This procedure returns TRUE when the PaC chooses one ISP,
otherwise returns FALSE. otherwise returns FALSE.
boolean ppac_available() boolean ppac_available()
This procedure returns TRUE when the Post-PANA-Address- This procedure returns TRUE when the Post-PANA-Address-
Configuration method specified by the PAA is available in the PaC Configuration method specified by the PAA is available in the PaC
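Review bot: the -02 column removes the UPDATE_POPA event variable (left column: "This event variable is set to TRUE when there is a change in the POPA of the PaC.") without a replacement in the 6.2 variable list; if NOTIFY is the intended trigger for a POPA change, say so in 6.2 rather than leave the PaC-side address change undocumented. Also, "from the the EAP-layer" in the EAP_RESP_TIMEOUT description has a doubled "the" in both columns.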
skipping to change at page 19, line 38 skipping to change at page 19, line 32
void EAP_RespTimerStart() void EAP_RespTimerStart()
A procedure to start a timer to receive an EAP-Response from the A procedure to start a timer to receive an EAP-Response from the
EAP peer. EAP peer.
void EAP_RespTimerStop() void EAP_RespTimerStop()
A procedure to stop a timer to receive an EAP-Response from the A procedure to stop a timer to receive an EAP-Response from the
EAP peer. EAP peer.
6.4 PaC State Transition Table 6.4. PaC State Transition Table
------------------------------ ------------------------------
State: OFFLINE (Initial State) State: OFFLINE (Initial State)
------------------------------ ------------------------------
Initialization Action: Initialization Action:
SEPARATE=Set|Unset; SEPARATE=Set|Unset;
CARRY_DEVICE_ID=Unset; CARRY_DEVICE_ID=Unset;
1ST_EAP=Unset; 1ST_EAP=Unset;
skipping to change at page 29, line 22 skipping to change at page 29, line 16
Tx:PTA(); Tx:PTA();
Disconnect(); Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(Session termination initiated by PaC) - - - - - - - - - - - - - -(Session termination initiated by PaC) - - - - - -
TERMINATE if (key_available()) SESS_TERM TERMINATE if (key_available()) SESS_TERM
PTR.insert_avp("MAC"); PTR.insert_avp("MAC");
Tx:PTR(); Tx:PTR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - -(Address update) - - - - - - - - - - - - - - - - - - - - - - - - -(Address update) - - - - - - - - - - - -
UPDATE_POPA || if (key_available()) WAIT_PUA NOTIFY if (key_available()) WAIT_PUA
NOTIFY PUR.insert_avp("MAC"); PUR.insert_avp("MAC");
Tx:PUR(); Tx:PUR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - -(Notification update)- - - - - - - - - - - - - - - - - - - - - -(Notification update)- - - - - - - - - - -
Rx:PUR if (key_available()) OPEN Rx:PUR if (key_available()) OPEN
PUA.insert_avp("MAC"); PUA.insert_avp("MAC");
Tx:PUA(); Tx:PUA();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------- ----------------
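Review bot: dropping UPDATE_POPA from the exit condition leaves the "(Address update)" header over a transition that now fires only on NOTIFY, while the exit action still transmits the PUR when key_available() is FALSE, i.e. without a MAC AVP. Because the PAA's update_popa() in 7.3 takes the new address from the PUR's source IP, a PUR sent on NOTIFY is still an address update in effect. Suggest either renaming the header to match the remaining condition or restoring UPDATE_POPA, and in both cases stating that a PUR sent without a key is not to be acted on by the PAA; the PAA-side PUR transition is not in this diff, so that check should be confirmed there.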
skipping to change at page 31, line 7 skipping to change at page 31, line 7
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - -(PEA processing) - - - - - - - - - - - - - - - - - - - - - - - -(PEA processing) - - - - - - - - - -
Rx:PEA RtxTimerStop(); CLOSED Rx:PEA RtxTimerStop(); CLOSED
Disconnect(); Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7. PAA State Machine 7. PAA State Machine
7.1 Interface between PAA and EAP Authenticator 7.1. Interface between PAA and EAP Authenticator
The interface between a PAA and an EAP authenticator provides a The interface between a PAA and an EAP authenticator provides a
mechanism to deliver EAP messages for the EAP authenticator as well mechanism to deliver EAP messages for the EAP authenticator as well
as a mechanism to notify the EAP authenticator of PAA events and to as a mechanism to notify the EAP authenticator of PAA events and to
receive notification of EAP authenticator events. These message receive notification of EAP authenticator events. These message
delivery and event notification mechanisms occur only within context delivery and event notification mechanisms occur only within context
of their associated states or exit actions. of their associated states or exit actions.
7.1.1 EAP Restart Notification from PAA to EAP Authenticator 7.1.1. EAP Restart Notification from PAA to EAP Authenticator
An EAP authenticator state machine defined in [I-D.ietf-eap- An EAP authenticator state machine defined in [I-D.ietf-eap-
statemachine] has an initialization procedure before sending the statemachine] has an initialization procedure before sending the
first EAP request. To initialize the EAP state machine, the PAA first EAP request. To initialize the EAP state machine, the PAA
state machine defines an event notification mechanism to send an EAP state machine defines an event notification mechanism to send an EAP
(re)start event to the EAP peer. The event notification is done via (re)start event to the EAP peer. The event notification is done via
EAP_Restart() procedure in the initialization action of the PAA state EAP_Restart() procedure in the initialization action of the PAA state
machine. machine.
7.1.2 Delivering EAP Responses from PAA to EAP Authenticator 7.1.2. Delivering EAP Responses from PAA to EAP Authenticator
TxEAP() procedure in the PAA state machine serves as the mechanism to TxEAP() procedure in the PAA state machine serves as the mechanism to
deliver EAP-Responses contained in PANA-Auth-Answer messages to the deliver EAP-Responses contained in PANA-Auth-Answer messages to the
EAP authenticator. This procedure is enabled only after an EAP EAP authenticator. This procedure is enabled only after an EAP
restart event is notified to the EAP authenticator and before any restart event is notified to the EAP authenticator and before any
event resulting in a termination of the EAP authenticator session. event resulting in a termination of the EAP authenticator session.
In the case where the EAP authenticator follows the EAP authenticator In the case where the EAP authenticator follows the EAP authenticator
state machines defined in [I-D.ietf-eap-statemachine], TxEAP() state machines defined in [I-D.ietf-eap-statemachine], TxEAP()
procedure sets eapResp variable of the EAP authenticator state procedure sets eapResp variable of the EAP authenticator state
machine and puts the EAP response in eapRespData variable of the EAP machine and puts the EAP response in eapRespData variable of the EAP
authenticator state machine. authenticator state machine.
7.1.3 Delivering EAP Messages from EAP Authenticator to PAA 7.1.3. Delivering EAP Messages from EAP Authenticator to PAA
An EAP request is delivered from the EAP authenticator to the PAA via An EAP request is delivered from the EAP authenticator to the PAA via
EAP_REQUEST event variable. The event variable is set when the EAP EAP_REQUEST event variable. The event variable is set when the EAP
authenticator passes the EAP request to its lower-layer. In the case authenticator passes the EAP request to its lower-layer. In the case
where the EAP authenticator follows the EAP authenticator state where the EAP authenticator follows the EAP authenticator state
machines defined in [I-D.ietf-eap-statemachine], EAP_REQUEST event machines defined in [I-D.ietf-eap-statemachine], EAP_REQUEST event
variable refers to eapReq variable of the EAP authenticator state variable refers to eapReq variable of the EAP authenticator state
machine and the EAP request is contained in eapReqData variable of machine and the EAP request is contained in eapReqData variable of
the EAP authenticator state machine. the EAP authenticator state machine.
7.1.4 EAP Authentication Result Notification from EAP Authenticator to 7.1.4. EAP Authentication Result Notification from EAP Authenticator to
PAA PAA
In order for the EAP authenticator to notify the PAA of the EAP In order for the EAP authenticator to notify the PAA of the EAP
authentication result, EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event authentication result, EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event
variables are defined. In the case where the EAP authenticator variables are defined. In the case where the EAP authenticator
follows the EAP authenticator state machines defined in [I-D.ietf- follows the EAP authenticator state machines defined in [I-D.ietf-
eap-statemachine], EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event eap-statemachine], EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event
variables refer to eapSuccess, eapFail and eapTimeout variables of variables refer to eapSuccess, eapFail and eapTimeout variables of
the EAP authenticator state machine, respectively. In this case, if the EAP authenticator state machine, respectively. In this case, if
EAP_SUCCESS event variable is set to TRUE, an EAP-Success message is EAP_SUCCESS event variable is set to TRUE, an EAP-Success message is
contained in eapReqData variable of the EAP authenticator state contained in eapReqData variable of the EAP authenticator state
machine, and additionally, eapKeyAvailable variable is set to TRUE machine, and additionally, eapKeyAvailable variable is set to TRUE
and eapKeyData variable contains a AAA-Key if the AAA-Key is and eapKeyData variable contains a AAA-Key if the AAA-Key is
generated as a result of successful authentication by the EAP generated as a result of successful authentication by the EAP
authentication method in use. Similarly, if EAP_FAILURE event authentication method in use. Similarly, if EAP_FAILURE event
variable is set to TRUE, an EAP-Failure message is contained in variable is set to TRUE, an EAP-Failure message is contained in
eapReqData variable of the EAP authenticator state machine. The PAA eapReqData variable of the EAP authenticator state machine. The PAA
uses EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables as a uses EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables as a
trigger to send a PBR or a PFER message to the PaC. trigger to send a PBR or a PFER message to the PaC.
7.2 Variables 7.2. Variables
USE_COOKIE USE_COOKIE
This variable indicates whether the PAA uses Cookie. This variable indicates whether the PAA uses Cookie.
EAP_PIGGYBACK EAP_PIGGYBACK
This variable indicates whether the PAA is able to piggyback an This variable indicates whether the PAA is able to piggyback an
EAP-Request in PANA-Start-Request. EAP-Request in PANA-Start-Request.
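Review bot: in 7.1.1 the sentence "send an EAP (re)start event to the EAP peer" should read "to the EAP authenticator"; the heading, the EAP_Restart() procedure and the rest of 7.1 all describe the PAA side of the interface. Minor grammar in 7.1.4: "a AAA-Key" should be "an AAA-Key" (twice).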
skipping to change at page 34, line 23 skipping to change at page 34, line 23
This event variable is set to TRUE when the EAP authenticator This event variable is set to TRUE when the EAP authenticator
delivers an EAP Request to the PAA. This event accompanies an delivers an EAP Request to the PAA. This event accompanies an
EAP-Request message received from the EAP authenticator. EAP-Request message received from the EAP authenticator.
EAP_TIMEOUT EAP_TIMEOUT
This event variable is set to TRUE when EAP conversation times out This event variable is set to TRUE when EAP conversation times out
without generating an EAP-Success or an EAP-Failure message. This without generating an EAP-Success or an EAP-Failure message. This
event does not accompany any EAP message. event does not accompany any EAP message.
7.3 Procedures 7.3. Procedures
boolean new_key_available() boolean new_key_available()
A procedure to check whether the PANA session has a new A procedure to check whether the PANA session has a new
PANA_MAC_KEY. If the state machine already have a PANA_MAC_KEY, PANA_MAC_KEY. If the state machine already have a PANA_MAC_KEY,
it returns FALSE. If the state machine does not have a it returns FALSE. If the state machine does not have a
PANA_MAC_KEY, it tries to retrieve a AAA-Key from the EAP entity. PANA_MAC_KEY, it tries to retrieve a AAA-Key from the EAP entity.
If a AAA-Key has been retrieved, it computes a PANA_MAC_KEY from If a AAA-Key has been retrieved, it computes a PANA_MAC_KEY from
the AAA-Key and returns TRUE. Otherwise, it returns FALSE. the AAA-Key and returns TRUE. Otherwise, it returns FALSE.
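Review bot: new_key_available() as defined here returns FALSE whenever the state machine already holds a PANA_MAC_KEY and only otherwise consults the EAP entity, so an EAP run that completes while a key is present (re-authentication) can never replace the PANA_MAC_KEY or produce a new Key-Id. If re-authentication is meant to rekey the session, the procedure should compare against the last retrieved AAA-Key, or be told that a new EAP run has completed, rather than keying off the presence of any PANA_MAC_KEY. Also "If the state machine already have" should read "already has".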
skipping to change at page 34, line 47 skipping to change at page 34, line 47
PUR message. If the source IP address of the message is different PUR message. If the source IP address of the message is different
from the last known IP address stored in the PANA session, this from the last known IP address stored in the PANA session, this
procedure returns TRUE. Otherwise, it returns FALSE. procedure returns TRUE. Otherwise, it returns FALSE.
void update_popa() void update_popa()
A procedure to extract the PaC's source IP address from the A procedure to extract the PaC's source IP address from the
current PUR message and update the PANA session with this new IP current PUR message and update the PANA session with this new IP
address. address.
7.4 PAA State Transition Table 7.4. PAA State Transition Table
------------------------------ ------------------------------
State: OFFLINE (Initial State) State: OFFLINE (Initial State)
------------------------------ ------------------------------
Initialization Action: Initialization Action:
USE_COOKIE=Set|Unset; USE_COOKIE=Set|Unset;
EAP_PIGGYBACK=Set|Unset; EAP_PIGGYBACK=Set|Unset;
SEPARATE=Set|Unset; SEPARATE=Set|Unset;
if (EAP_PIGGYBACK==Set) if (USE_COOKIE==Unset && EAP_PIGGYBACK==Set)
SEPARATE=Unset; SEPARATE=Unset;
1ST_EAP=Unset; 1ST_EAP=Unset;
ABORT_ON_1ST_EAP_FAILURE=Set|Unset; ABORT_ON_1ST_EAP_FAILURE=Set|Unset;
CARRY_LIFETIME=Set|Unset; CARRY_LIFETIME=Set|Unset;
CARRY_DEVICE_ID=Set|Unset; CARRY_DEVICE_ID=Set|Unset;
CARRY_NAP_INFO=Set|Unset; CARRY_NAP_INFO=Set|Unset;
CARRY_ISP_INFO=Set|Unset; CARRY_ISP_INFO=Set|Unset;
CARRY_PPAC=Set|Unset; CARRY_PPAC=Set|Unset;
PROTECTION_CAP_IN_PSR=Set|Unset; PROTECTION_CAP_IN_PSR=Set|Unset;
PROTECTION_CAP_IN_PBR=Set|Unset; PROTECTION_CAP_IN_PBR=Set|Unset;
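Review bot: guarding SEPARATE=Unset with USE_COOKIE==Unset && EAP_PIGGYBACK==Set handles the combination where both are Set only by leaving it undefined. EAP_PIGGYBACK (7.2) means an EAP-Request is placed in the PANA-Start-Request, which requires EAP state to exist before the PaC's Cookie has been returned and verified, exactly what USE_COOKIE exists to avoid. Suggest making the constraint explicit ahead of this check, e.g. `if (USE_COOKIE==Set) EAP_PIGGYBACK=Unset;`, or a sentence in 7.2 stating that the two variables are mutually exclusive.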
skipping to change at page 40, line 35 skipping to change at page 40, line 34
SEPARATE==Set && if (CARRY_DEVICE_ID==Set) SEPARATE==Set && if (CARRY_DEVICE_ID==Set)
Authorize() PBR.insert_avp Authorize() PBR.insert_avp
("Device-Id"); ("Device-Id");
if (CARRY_LIFETIME==Set) if (CARRY_LIFETIME==Set)
PBR.insert_avp PBR.insert_avp
("Session-Lifetime"); ("Session-Lifetime");
if (PROTECTION_CAP_IN_PBR if (PROTECTION_CAP_IN_PBR
==Set) ==Set)
PBR.insert_avp PBR.insert_avp
("Protection-Cap."); ("Protection-Cap.");
if (new_key_available())
PBR.insert_avp
("Key-Id");
if (key_available()) if (key_available())
PBR.insert_avp("MAC"); PBR.insert_avp("MAC");
PBR.S_flag=1; PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA
1ST_EAP==Success && ("EAP-Payload"); 1ST_EAP==Success && ("EAP-Payload");
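Review bot: the placement of the new new_key_available() check ahead of key_available() is what makes this PBR carry a MAC under the freshly derived key, since new_key_available() is the call that computes the PANA_MAC_KEY (7.3). That dependency is not stated anywhere; an implementation that evaluated key_available() first would send the PBR that announces the Key-Id without a MAC. Suggest one sentence in 7.3 noting that new_key_available() must be evaluated before key_available() in these exit actions.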
skipping to change at page 42, line 21 skipping to change at page 42, line 17
if (key_available()) if (key_available())
PBR.insert_avp("MAC"); PBR.insert_avp("MAC");
PBR.S_flag=1; PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA
1ST_EAP==Failure && ("EAP-Payload"); 1ST_EAP==Failure && ("EAP-Payload");
SEPARATE==Set && if (key_available()) SEPARATE==Set && if (new_key_available())
!Authorize() PBR.insert_avp("MAC"); !Authorize() PBR.insert_avp
("Key-Id");
if (key_available())
PBR.insert_avp("MAC");
PBR.S_flag=1; PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA
1ST_EAP==Failure && PBR.insert_avp("MAC"); 1ST_EAP==Failure && PBR.insert_avp("MAC");
SEPARATE==Set PBR.S_flag=1; SEPARATE==Set PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
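Review bot: this transition now derives a key and advertises a Key-Id on a PBR that leads to WAIT_FAIL_PBA because Authorize() failed; that matches the success path and lets the failure PBR be MACed, but the PANA_MAC_KEY created here has to be discarded together with the session once the PBA arrives, and nothing in this hunk shows where that happens. The EAP_TIMEOUT transition directly below correctly omits Key-Id, since no AAA-Key exists in that case.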
skipping to change at page 49, line 32 skipping to change at page 49, line 32
modifications are to accomodate the mobility variables and procedures modifications are to accomodate the mobility variables and procedures
as they relate to existing state transition actions and events. as they relate to existing state transition actions and events.
These modifications to existing state transition are noted in state These modifications to existing state transition are noted in state
transition tables in this section. These modified state transitions transition tables in this section. These modified state transitions
are intended to replace thier base protocol counterpart. Addition of are intended to replace thier base protocol counterpart. Addition of
new state transitions specific to mobility optimization is also new state transitions specific to mobility optimization is also
present. Variable initialization also need to be added to the present. Variable initialization also need to be added to the
appropriate base protocol state to complete the mobility optimization appropriate base protocol state to complete the mobility optimization
support. support.
8.1 Common Variables 8.1. Common Variables
MOBILITY MOBILITY
This variable indicates whether the mobility handling feature This variable indicates whether the mobility handling feature
described in [I-D.ietf-pana-mobopts] is supported. This should be described in [I-D.ietf-pana-mobopts] is supported. This should be
present in both PaC and PAA state machine. Existing state present in both PaC and PAA state machine. Existing state
transitions in the base protocol state machine that can be transitions in the base protocol state machine that can be
affected by mobility optimization must treat this variable as affected by mobility optimization must treat this variable as
being Unset unless the state transitions is explicitly redefined being Unset unless the state transitions is explicitly redefined
in this section. in this section.
8.2 PaC Mobility Optimization State Machine 8.2. PaC Mobility Optimization State Machine
8.2.1 Variables 8.2.1. Variables
PANA_SA_RESUMED PANA_SA_RESUMED
This variable indicates whether the PANA SA of a previous PANA This variable indicates whether the PANA SA of a previous PANA
session was resumed during the discovery and initial handshake. session was resumed during the discovery and initial handshake.
8.2.2 Procedures 8.2.2. Procedures
boolean resume_pana_sa() boolean resume_pana_sa()
This procedure returns TRUE when a PANA SA for a previously This procedure returns TRUE when a PANA SA for a previously
established PANA Session is resumed, otherwise returns FALSE. established PANA Session is resumed, otherwise returns FALSE.
Once a PANA SA is resumed, key_available() procedure must return Once a PANA SA is resumed, key_available() procedure must return
TRUE. Existing state transitions in the base protocol state TRUE. Existing state transitions in the base protocol state
machine that can be affected by mobility optimization must assume machine that can be affected by mobility optimization must assume
that this procedure always returns FALSE unless the state that this procedure always returns FALSE unless the state
transition is explicitly redefined in this section. transition is explicitly redefined in this section.
8.2.3 PaC Mobility Optimization State Transition Table Addendum 8.2.3. PaC Mobility Optimization State Transition Table Addendum
------------------------------ ------------------------------
State: OFFLINE (Initial State) State: OFFLINE (Initial State)
------------------------------ ------------------------------
Initialization Action: Initialization Action:
MOBILITY=Set|Unset; MOBILITY=Set|Unset;
PANA_SA_RESUMED=Unset; PANA_SA_RESUMED=Unset;
skipping to change at page 53, line 6 skipping to change at page 53, line 4
!eap_piggyback() 1ST_EAP=Unset; !eap_piggyback() 1ST_EAP=Unset;
PANA_SA_RESUMED=Unset; PANA_SA_RESUMED=Unset;
EAP_RespTimerStart(); EAP_RespTimerStart();
TxEAP(); TxEAP();
if (key_available()) if (key_available())
PAN.insert_avp("MAC"); PAN.insert_avp("MAC");
PAN.S_flag=PAR.S_flag; PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag; PAN.N_flag=PAR.N_flag;
Tx:PAN(); Tx:PAN();
SessionTimerStop(); SessionTimerStop();
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG
eap_piggyback() 1ST_EAP=Unset; eap_piggyback() 1ST_EAP=Unset;
PANA_SA_RESUMED=Unset; PANA_SA_RESUMED=Unset;
EAP_RespTimerStart(); EAP_RespTimerStart();
TxEAP(); TxEAP();
SessionTimerStop(); SessionTimerStop();
8.3 PAA Mobility Optimization ------------------------+--------------------------+------------
- - - - - - - - (PSR processing with mobility support)- - - - -
- The following state transitions are intended to be added -
- to the OPEN state of the PaC base protocol state machine -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp PSA.insert_avp
("EAP-Payload") && ("Session-Id");
MOBILITY==Set && SEPARATE=Unset;
resume_pana_sa() && PANA_SA_RESUMED=Set;
PSR.exist_avp PSA.insert_avp("Cookie");
("Cookie") PSA.insert_avp("MAC");
Tx:PSA();
RtxTimerStart();
8.3.1 Procedures Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp PSA.insert_avp
("EAP-Payload") && ("Session-Id");
MOBILITY==Set && PSA.insert_avp("MAC");
resume_pana_sa() && Tx:PSA();
!PSR.exist_avp PANA_SA_RESUMED=Set;
("Cookie")
8.3. PAA Mobility Optimization
8.3.1. Procedures
boolean retrieve_pana_sa(Session-Id) boolean retrieve_pana_sa(Session-Id)
This procedure returns TRUE when a PANA SA for the PANA Session This procedure returns TRUE when a PANA SA for the PANA Session
corresponds to the specified Session-Id has been retrieved, corresponds to the specified Session-Id has been retrieved,
otherwise returns FALSE. otherwise returns FALSE.
8.3.2 PAA Mobility Optimization State Transition Table Addendum 8.3.2. PAA Mobility Optimization State Transition Table Addendum
------------------------------ ------------------------------
State: OFFLINE (Initial State) State: OFFLINE (Initial State)
------------------------------ ------------------------------
Initialization Action: Initialization Action:
MOBILITY=Set|Unset; MOBILITY=Set|Unset;
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - (PSA processing without mobility support) - - - - - - - - - - - (PSA processing with mobility support) - - - - - -
- The following state transitions are intended to replace - - The following state transitions are intended to replace -
- existing base protocol state transitions. Original base - - existing base protocol state transitions. Original base -
- protocol state transitions can be referenced by exit - - protocol state transitions can be referenced by exit -
- conditions that excludes MOBILITY variable checks and - - conditions that excludes MOBILITY variable checks and -
- retrieve_pana_sa() procedure calls. - - retrieve_pana_sa() procedure calls. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG
USE_COOKIE==Set && PSA.S_flag==0) (!PSA.exist_avp PSA.S_flag==0)
(!PSA.exist_avp SEPARATE=Unset; ("Session-Id") || SEPARATE=Unset;
("Session-Id") || if (SEPARATE==Set) MOBILITY==Unset || if (SEPARATE==Set)
MOBILITY==Unset || NAP_AUTH=Set|Unset; (MOBILITY==Set && NAP_AUTH=Set|Unset;
(MOBILITY==Set && EAP_Restart(); !retrieve_pana_sa EAP_Restart();
!retrieve_pana_sa
(PSA.SESSION_ID))) (PSA.SESSION_ID)))
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (PSA processing with mobility support)- - - - - - - - - - - - - (PSA processing with mobility support)- - - - -
Rx:PSA && PBR.insert_avp("MAC"); WAIT_SUCC_PBA Rx:PSA && PBR.insert_avp("MAC"); WAIT_SUCC_PBA
USE_COOKIE==Set && PBR.insert_avp("Key-Id"); PSA.exist_avp PBR.insert_avp("Key-Id");
PSA.exist_avp if (CARRY_DEVICE_ID==Set) ("Session-Id") && if (CARRY_DEVICE_ID==Set)
("Session-Id") && PBR.insert_avp MOBILITY==Set && PBR.insert_avp
MOBILITY==Set && ("Device-Id"); retrieve_pana_sa ("Device-Id");
retrieve_pana_sa if (PROTECTION_CAP_IN_PBR (PSA.SESSION_ID) if (PROTECTION_CAP_IN_PBR
(PSA.SESSION_ID) ==Set) ==Set)
PBR.insert_avp PBR.insert_avp
("Protection-Cap."); ("Protection-Cap.");
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9. Implementation Considerations 9. Implementation Considerations
9.1 PAA and PaC Interface to Service Management Entity 9.1. PAA and PaC Interface to Service Management Entity
In general, it is assumed in each device that has a PANA protocol In general, it is assumed in each device that has a PANA protocol
stack that there is a Service Management Entity (SME) that manages stack that there is a Service Management Entity (SME) that manages
the PANA protocol stack. It is recommended that a generic interface the PANA protocol stack. It is recommended that a generic interface
(i.e., the SME-PANA interface) between the SME and the PANA protocol (i.e., the SME-PANA interface) between the SME and the PANA protocol
stack be provided by the implementation. Especially, common stack be provided by the implementation. Especially, common
procedures such as startup, shutdown, re-authenticate signals and procedures such as startup, shutdown, re-authenticate signals and
provisions for extracting keying material should be provided by such provisions for extracting keying material should be provided by such
an interface. The SME-PANA interface in a PAA device should also an interface. The SME-PANA interface in a PAA device should also
provide a method for communicating filtering parameters to the EP(s). provide a method for communicating filtering parameters to the EP(s).
When cryptographic filtering is used, the filtering parameters When cryptographic filtering is used, the filtering parameters
include keying material used for bootstrapping per-packet ciphering. include keying material used for bootstrapping per-packet ciphering.
When a PAA device interacts with the backend authentication server When a PAA device interacts with the backend authentication server
using a AAA protocol, its SME may also have an interface to the AAA using a AAA protocol, its SME may also have an interface to the AAA
protocol to obtain authorization parameters such as the authorization protocol to obtain authorization parameters such as the authorization
lifetime and additional filtering parameters. lifetime and additional filtering parameters.
9.2 Multicast Traffic 9.2. Multicast Traffic
In general, binding a UDP socket to a multicast address and/or port In general, binding a UDP socket to a multicast address and/or port
is system dependent. In most systems, a socket can be bound to any is system dependent. In most systems, a socket can be bound to any
address and a specific port. This allows the socket to receive all address and a specific port. This allows the socket to receive all
packets destined for the local host (on all it's local addresses) for packets destined for the local host (on all it's local addresses) for
that port. If the host subscribes to a multicast addresses then this that port. If the host subscribes to a multicast addresses then this
socket will also receive multicast traffic as well. In some systems, socket will also receive multicast traffic as well. In some systems,
this would also result in the socket receiving all multicast traffic this would also result in the socket receiving all multicast traffic
even though it has subscribed to only one multicast address. This is even though it has subscribed to only one multicast address. This is
because most physical interfaces has either multicast traffic enabled because most physical interfaces has either multicast traffic enabled
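Review bot: the two new PaC transitions for PSR processing in OPEN are not symmetric: the Cookie variant sets SEPARATE=Unset and starts the retransmission timer after Tx:PSA(), the non-Cookie variant does neither, and both are taken on an unauthenticated PSR (neither exit condition checks a MAC on the PSR), so any host able to send a PSR to the PaC moves an established session out of OPEN into WAIT_PAA. Suggest making the two exit actions identical apart from the Cookie AVP and saying what the PaC does in WAIT_PAA if no valid PBR follows. On the PAA side, removing USE_COOKIE==Set from both PSA transitions is consistent with the PaC's non-Cookie variant, but the resume transition acts on retrieve_pana_sa(PSA.SESSION_ID) alone; the PaC puts a MAC in that PSA, so the exit condition should also require the MAC to verify under the retrieved SA before the session moves to WAIT_SUCC_PBA. Both header comments now read "(PSA processing with mobility support)"; the first block is the fallback path (MOBILITY==Unset or no SA retrieved), and the old "without" label was the accurate one. Typos in the section 8 intro: "accomodate", "thier"; in 9.2: "all it's local addresses", "a multicast addresses", "most physical interfaces has".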
skipping to change at page 59, line 7 skipping to change at page 59, line 7
This document has no actions for IANA. This document has no actions for IANA.
12. Acknowledgments 12. Acknowledgments
This work was started from state machines originally made by Dan This work was started from state machines originally made by Dan
Forsberg. Forsberg.
13. References 13. References
13.1 Normative References 13.1. Normative References
[I-D.ietf-pana-pana] [I-D.ietf-pana-pana]
Forsberg, D., "Protocol for Carrying Authentication for Forsberg, D., "Protocol for Carrying Authentication for
Network Access (PANA)", draft-ietf-pana-pana-08 (work in Network Access (PANA)", draft-ietf-pana-pana-10 (work in
progress), May 2005. progress), July 2005.
[I-D.ietf-eap-statemachine] [I-D.ietf-eap-statemachine]
Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba,
"State Machines for Extensible Authentication Protocol "State Machines for Extensible Authentication Protocol
(EAP) Peer and Authenticator", (EAP) Peer and Authenticator",
draft-ietf-eap-statemachine-06 (work in progress), draft-ietf-eap-statemachine-06 (work in progress),
December 2004. December 2004.
[I-D.ietf-pana-mobopts] [I-D.ietf-pana-mobopts]
Forsberg, D., "PANA Mobility Optimizations", Forsberg, D., "PANA Mobility Optimizations",
draft-ietf-pana-mobopts-00 (work in progress), draft-ietf-pana-mobopts-00 (work in progress),
January 2005. January 2005.
13.2 Informative References 13.2. Informative References
[RFC4058] Yegin, A., Ohba, Y., Penno, R., Tsirtsis, G., and C. Wang, [RFC4058] Yegin, A., Ohba, Y., Penno, R., Tsirtsis, G., and C. Wang,
"Protocol for Carrying Authentication for Network Access "Protocol for Carrying Authentication for Network Access
(PANA) Requirements", RFC 4058, May 2005. (PANA) Requirements", RFC 4058, May 2005.
[I-D.ietf-pana-snmp] [I-D.ietf-pana-snmp]
Mghazli, Y., "SNMP usage for PAA-EP interface", Mghazli, Y., "SNMP usage for PAA-EP interface",
draft-ietf-pana-snmp-04 (work in progress), July 2005. draft-ietf-pana-snmp-04 (work in progress), July 2005.
Authors' Addresses Authors' Addresses
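Review bot: [I-D.ietf-eap-statemachine] still cites draft-ietf-eap-statemachine-06 (December 2004); that draft was published as RFC 4137 in August 2005, before this revision's date, so the normative reference should point at the RFC. The bump of [I-D.ietf-pana-pana] to draft-ietf-pana-pana-10 is fine.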
 End of changes. 64 change blocks. 
114 lines changed or deleted 128 lines changed or added

This html diff was produced by rfcdiff 1.27, available from http://www.levkowetz.com/ietf/tools/rfcdiff/