--- 1/draft-ietf-pana-statemachine-01.txt 2006-02-04 17:26:00.000000000 +0100 +++ 2/draft-ietf-pana-statemachine-02.txt 2006-02-04 17:26:00.000000000 +0100 @@ -1,21 +1,21 @@ PANA Working Group V. Fajardo Internet-Draft Y. Ohba -Expires: January 12, 2006 TARI +Expires: April 21, 2006 TARI R. Lopez Univ. of Murcia - July 11, 2005 + October 18, 2005 State Machines for Protocol for Carrying Authentication for Network Access (PANA) - draft-ietf-pana-statemachine-01 + draft-ietf-pana-statemachine-02 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -26,21 +26,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on January 12, 2006. + This Internet-Draft will expire on April 21, 2006. Copyright Notice Copyright (C) The Internet Society (2005). Abstract This document defines the conceptual state machines for the Protocol for Carrying Authentication for Network Access (PANA). The state machines consist of the PANA Client (PaC) state machine and the PANA @@ -51,74 +51,74 @@ The state machines and associated model are informative only. Implementations may achieve the same results using different methods. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Interface Between PANA and EAP . . . . . . . . . . . . . . . . 5 3. Document Authority . . . . . . . . . . . . . . . . . . . . . . 7 4. Notations . . . . . . . . . . . . . . . . . . . . . . . . . . 8 5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 10 - 5.1 Common Procedures . . . . . . . . . . . . . . . . . . . . 10 - 5.2 Common Variables . . . . . . . . . . . . . . . . . . . . . 12 - 5.3 Constants . . . . . . . . . . . . . . . . . . . . . . . . 13 - 5.4 Common Message Initialization Rules . . . . . . . . . . . 14 - 5.5 Common Error Handling Rules . . . . . . . . . . . . . . . 14 - 5.6 Common State Transitions . . . . . . . . . . . . . . . . . 14 + 5.1. Common Procedures . . . . . . . . . . . . . . . . . . . . 10 + 5.2. Common Variables . . . . . . . . . . . . . . . . . . . . . 12 + 5.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 13 + 5.4. Common Message Initialization Rules . . . . . . . . . . . 13 + 5.5. Common Error Handling Rules . . . . . . . . . . . . . . . 14 + 5.6. Common State Transitions . . . . . . . . . . . . . . . . . 14 6. PaC State Machine . . . . . . . . . . . . . . . . . . . . . . 16 - 6.1 Interface between PaC and EAP Peer . . . . . . . . . . . . 16 - 6.1.1 Delivering EAP Messages from PaC to EAP Peer . . . . . 16 - 6.1.2 Delivering EAP Responses from EAP Peer to PaC . . . . 16 - 6.1.3 EAP Restart Notification from PaC to EAP Peer . . . . 16 - 6.1.4 EAP Authentication Result Notification from EAP + 6.1. Interface between PaC and EAP Peer . . . . . . . . . . . . 16 + 6.1.1. Delivering EAP Messages from PaC to EAP Peer . . . . . 16 + 6.1.2. Delivering EAP Responses from EAP Peer to PaC . . . . 16 + 6.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 16 + 6.1.4. EAP Authentication Result Notification from EAP Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17 - 6.1.5 Alternate Failure Notification from PaC to EAP Peer . 17 - 6.1.6 EAP Invalid Message Notification from EAP Peer to + 6.1.5. Alternate Failure Notification from PaC to EAP Peer . 17 + 6.1.6. EAP Invalid Message Notification from EAP Peer to PaC . . . . . . . . . . . . . . . . . . . . . . . . . 17 - 6.2 Variables . . . . . . . . . . . . . . . . . . . . . . . . 17 - 6.3 Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18 - 6.4 PaC State Transition Table . . . . . . . . . . . . . . . . 19 + 6.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 17 + 6.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18 + 6.4. PaC State Transition Table . . . . . . . . . . . . . . . . 19 7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 31 - 7.1 Interface between PAA and EAP Authenticator . . . . . . . 31 - 7.1.1 EAP Restart Notification from PAA to EAP + 7.1. Interface between PAA and EAP Authenticator . . . . . . . 31 + 7.1.1. EAP Restart Notification from PAA to EAP Authenticator . . . . . . . . . . . . . . . . . . . . 31 - 7.1.2 Delivering EAP Responses from PAA to EAP + 7.1.2. Delivering EAP Responses from PAA to EAP Authenticator . . . . . . . . . . . . . . . . . . . . 31 - 7.1.3 Delivering EAP Messages from EAP Authenticator to + 7.1.3. Delivering EAP Messages from EAP Authenticator to PAA . . . . . . . . . . . . . . . . . . . . . . . . . 31 - 7.1.4 EAP Authentication Result Notification from EAP + 7.1.4. EAP Authentication Result Notification from EAP Authenticator to PAA . . . . . . . . . . . . . . . . . 31 - 7.2 Variables . . . . . . . . . . . . . . . . . . . . . . . . 32 - 7.3 Procedures . . . . . . . . . . . . . . . . . . . . . . . . 34 - 7.4 PAA State Transition Table . . . . . . . . . . . . . . . . 34 + 7.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 32 + 7.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 34 + 7.4. PAA State Transition Table . . . . . . . . . . . . . . . . 34 8. Mobility Optimization Support . . . . . . . . . . . . . . . . 49 - 8.1 Common Variables . . . . . . . . . . . . . . . . . . . . . 49 - 8.2 PaC Mobility Optimization State Machine . . . . . . . . . 49 - 8.2.1 Variables . . . . . . . . . . . . . . . . . . . . . . 49 - 8.2.2 Procedures . . . . . . . . . . . . . . . . . . . . . . 50 - 8.2.3 PaC Mobility Optimization State Transition Table + 8.1. Common Variables . . . . . . . . . . . . . . . . . . . . . 49 + 8.2. PaC Mobility Optimization State Machine . . . . . . . . . 49 + 8.2.1. Variables . . . . . . . . . . . . . . . . . . . . . . 49 + 8.2.2. Procedures . . . . . . . . . . . . . . . . . . . . . . 50 + 8.2.3. PaC Mobility Optimization State Transition Table Addendum . . . . . . . . . . . . . . . . . . . . . . . 50 - 8.3 PAA Mobility Optimization . . . . . . . . . . . . . . . . 53 - 8.3.1 Procedures . . . . . . . . . . . . . . . . . . . . . . 53 - 8.3.2 PAA Mobility Optimization State Transition Table + 8.3. PAA Mobility Optimization . . . . . . . . . . . . . . . . 53 + 8.3.1. Procedures . . . . . . . . . . . . . . . . . . . . . . 53 + 8.3.2. PAA Mobility Optimization State Transition Table Addendum . . . . . . . . . . . . . . . . . . . . . . . 53 9. Implementation Considerations . . . . . . . . . . . . . . . . 55 - 9.1 PAA and PaC Interface to Service Management Entity . . . . 55 - 9.2 Multicast Traffic . . . . . . . . . . . . . . . . . . . . 55 - 10. Security Considerations . . . . . . . . . . . . . . . . . . 56 - 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 57 - 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 58 - 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 59 - 13.1 Normative References . . . . . . . . . . . . . . . . . . . 59 - 13.2 Informative References . . . . . . . . . . . . . . . . . . 59 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 59 - Intellectual Property and Copyright Statements . . . . . . . . 61 + 9.1. PAA and PaC Interface to Service Management Entity . . . . 55 + 9.2. Multicast Traffic . . . . . . . . . . . . . . . . . . . . 55 + 10. Security Considerations . . . . . . . . . . . . . . . . . . . 56 + 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 57 + 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 58 + 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 59 + 13.1. Normative References . . . . . . . . . . . . . . . . . . . 59 + 13.2. Informative References . . . . . . . . . . . . . . . . . . 59 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 60 + Intellectual Property and Copyright Statements . . . . . . . . . . 61 1. Introduction This document defines the state machines for Protocol Carrying Authentication for Network Access (PANA) [I-D.ietf-pana-pana]. There are state machines for the PANA client (PaC) and for the PANA Authentication Agent (PAA). Each state machine is specified through a set of variables, procedures and a state transition table. A PANA protocol execution consists of several exchanges to carry @@ -279,21 +279,21 @@ There are following procedures, variables, message initializing rules and state transitions that are common to both the PaC and PAA state machines. Throughout this document, the character string "PANA_MESSAGE_NAME" matches any one of the abbreviated PANA message names, i.e., "PDI", "PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR", "PTA", "PPR", "PPA", "PRAR", "PRAA", "PUR", "PUA", "PER" and "PEA". -5.1 Common Procedures +5.1. Common Procedures void None() A null procedure, i.e., nothing is done. void Disconnect() A procedure to delete the PANA session as well as the corresponding EAP session and authorization state. @@ -361,21 +361,21 @@ TRUE. Otherwise, it returns FALSE. boolean fatal(int) A procedure to check whether an integer result code value indicates a fatal error. If the result code indicates a fatal error, the procedure returns TRUE, otherwise, it return FALSE. A fatal error would also result in the termination of the session and release of all resources related to that session. -5.2 Common Variables +5.2. Common Variables PANA_MESSAGE_NAME.S_flag This variable contains the S-Flag value of the specified PANA message. PBR.RESULT_CODE This variable contains the Result-Code AVP value in the PANA-Bind- Request message in process. When this variable carries @@ -421,22 +421,21 @@ termination is triggered. PANA_PING This event variable is set to TRUE when initiation of liveness test based on PPR-PPA exchange is triggered. NOTIFY This event variable is set to TRUE if the PaC or PAA wants to send - attribute updates or notifications. For attribute updates, - UPDATE_POPA should be used by the PaC. + attribute updates or notifications. SESS_TIMEOUT This event is variable is set to TRUE when the session timer is expired. ABORT_ON_1ST_EAP_FAILURE This variable indicates whether the PANA session is immediately terminated when the 1st EAP authentication fails. @@ -446,53 +445,53 @@ This variable indicates whether a Device-Id AVP is carried in a PANA-Bind-Request or PANA_Bind-Answer message. For the PAA, this variable MUST be set when a link-layer or IP address is used as the device identifier of the PaC and a Protection-Capability AVP is included in the PANA-Bind-Request message. ANY This event variable is set to TRUE when any event occurs. -5.3 Constants +5.3. Constants RTX_MAX_NUM Configurable maximum for how many retransmissions should be attempted before aborting. -5.4 Common Message Initialization Rules +5.4. Common Message Initialization Rules When a message is prepared for sending, it is initialized as follows: o For a request message, R-flag of the header is set. Otherwise, R-flag is not set. o S-flag and N-flag of the header are not set. o AVPs that are mandatory included in a message are inserted with appropriate values set. o A Notification AVP is inserted if there is some notification string to send to the communicating peer. -5.5 Common Error Handling Rules +5.5. Common Error Handling Rules For simplicity, the PANA state machines defined in this document do not support an optional feature of sending a PER message when an invalid PANA message is received [I-D.ietf-pana-pana], while the state machines support sending a PER message generated in other cases as well as receiving and processing a PER message. It is left to implementations as to whether they provide a means to send a PER message when an invalid PANA message is received. -5.6 Common State Transitions +5.6. Common State Transitions The following transitions can occur at any state. ---------- State: ANY ---------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - (Re-transmissions)- - - - - - - - - - @@ -529,99 +528,99 @@ ------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - -(Session termination initiated by PaC) - - - - - ANY None(); CLOSED - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6. PaC State Machine -6.1 Interface between PaC and EAP Peer +6.1. Interface between PaC and EAP Peer This interface defines the interactions between a PaC and an EAP peer. The interface serves as a mechanism to deliver EAP messages for the EAP peer. It allows the EAP peer to receive EAP requests and send EAP responses via the PaC. It also provides a mechanism to notify the EAP peer of PaC events and a mechanism to receive notification of EAP peer events. The EAP message delivery mechanism as well as the event notification mechanism in this interface have direct correlation with the PaC state transition table entries. These message delivery and event notifications mechanisms occur only within the context of their associated states or exit actions. -6.1.1 Delivering EAP Messages from PaC to EAP Peer +6.1.1. Delivering EAP Messages from PaC to EAP Peer TxEAP() procedure in the PaC state machine serves as the mechanism to deliver EAP request, EAP success and EAP failure messages contained in PANA-Auth-Request messages to the EAP peer. This procedure is enabled only after an EAP restart event is notified to the EAP peer and before any event resulting in a termination of the EAP peer session. In the case where the EAP peer follows the EAP peer state machine defined in [I-D.ietf-eap-statemachine], TxEAP() procedure sets eapReq variable of the EAP peer state machine and puts the EAP request in eapReqData variable of the EAP peer state machine. -6.1.2 Delivering EAP Responses from EAP Peer to PaC +6.1.2. Delivering EAP Responses from EAP Peer to PaC An EAP response is delivered from the EAP peer to the PaC via EAP_RESPONSE event variable. The event variable is set when the EAP peer passes the EAP response to its lower-layer. In the case where the EAP peer follows the EAP peer state machine defined in [I-D.ietf- eap-statemachine], EAP_RESPONSE event variable refers to eapResp variable of the EAP peer state machine and the EAP response is contained in eapRespData variable of the EAP peer state machine. -6.1.3 EAP Restart Notification from PaC to EAP Peer +6.1.3. EAP Restart Notification from PaC to EAP Peer The EAP peer state machine defined in [I-D.ietf-eap-statemachine] has an initialization procedure before receiving an EAP request. To initialize the EAP state machine, the PaC state machine defines an event notification mechanism to send an EAP (re)start event to the EAP peer. The event notification is done via EAP_Restart() procedure in the initialization action of the PaC state machine. -6.1.4 EAP Authentication Result Notification from EAP Peer to PaC +6.1.4. EAP Authentication Result Notification from EAP Peer to PaC In order for the EAP peer to notify the PaC of an EAP authentication result, EAP_SUCCESS and EAP_FAILURE event variables are defined. In the case where the EAP peer follows the EAP peer state machine defined in [I-D.ietf-eap-statemachine], EAP_SUCCESS and EAP_FAILURE event variables refer to eapSuccess and eapFail variables of the EAP peer state machine, respectively. In this case, if EAP_SUCCESS event variable is set to TRUE and a AAA-Key is generated by the EAP authentication method in use, eapKeyAvailable variable is set to TRUE and eapKeyData variable contains the AAA-Key. Note that EAP_SUCCESS and EAP_FAILURE event variables may be set to TRUE even before the PaC receives a PBR or a PFER from the PAA. -6.1.5 Alternate Failure Notification from PaC to EAP Peer +6.1.5. Alternate Failure Notification from PaC to EAP Peer alt_reject() procedure in the PaC state machine serves as the mechanism to deliver an authentication failure event to the EAP peer without accompanying an EAP message. In the case where the EAP peer follows the EAP peer state machine defined in [I-D.ietf-eap- statemachine], alt_reject() procedure sets altReject variable of the EAP peer state machine. Note that the EAP peer state machine in [I-D.ietf-eap-statemachine] also defines altAccept variable, however, it is never used in PANA in which EAP-Success messages are reliably delivered by PANA-Bind exchange. -6.1.6 EAP Invalid Message Notification from EAP Peer to PaC +6.1.6. EAP Invalid Message Notification from EAP Peer to PaC In order for the EAP peer to notify the PaC of a receipt of an invalid EAP message, EAP_INVALID_MSG event variable is defined. In the case where the EAP peer follows the EAP peer state machine defined in [I-D.ietf-eap-statemachine], EAP_INVALID_MSG event variable refers to eapNoResp variable of the EAP peer state machine. -6.2 Variables +6.2. Variables SEPARATE This variable indicates whether the PaC desires NAP/ISP separate authentication. 1ST_EAP This variable indicates whether the 1st EAP authentication is success, failure or yet completed. @@ -646,32 +645,27 @@ This event variable is set to TRUE when the EAP peer delivers an EAP Response to the PaC. This event accompanies an EAP-Response message received from the EAP peer. EAP_INVALID_MSG This event variable is set to TRUE when the EAP peer silently discards an EAP message. This event does not accompany any EAP message. - UPDATE_POPA - - This event variable is set to TRUE when there is a change in the - POPA of the PaC. - EAP_RESP_TIMEOUT This event variable is set to TRUE when the PaC that has passed an EAP-Request to the EAP-layer does not receive a corresponding EAP- Response from the the EAP-layer in a given period. -6.3 Procedures +6.3. Procedures boolean choose_isp() This procedure returns TRUE when the PaC chooses one ISP, otherwise returns FALSE. boolean ppac_available() This procedure returns TRUE when the Post-PANA-Address- Configuration method specified by the PAA is available in the PaC @@ -697,21 +691,21 @@ void EAP_RespTimerStart() A procedure to start a timer to receive an EAP-Response from the EAP peer. void EAP_RespTimerStop() A procedure to stop a timer to receive an EAP-Response from the EAP peer. -6.4 PaC State Transition Table +6.4. PaC State Transition Table ------------------------------ State: OFFLINE (Initial State) ------------------------------ Initialization Action: SEPARATE=Set|Unset; CARRY_DEVICE_ID=Unset; 1ST_EAP=Unset; @@ -1159,22 +1152,22 @@ Tx:PTA(); Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Session termination initiated by PaC) - - - - - - TERMINATE if (key_available()) SESS_TERM PTR.insert_avp("MAC"); Tx:PTR(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Address update) - - - - - - - - - - - - - UPDATE_POPA || if (key_available()) WAIT_PUA - NOTIFY PUR.insert_avp("MAC"); + NOTIFY if (key_available()) WAIT_PUA + PUR.insert_avp("MAC"); Tx:PUR(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Notification update)- - - - - - - - - - - Rx:PUR if (key_available()) OPEN PUA.insert_avp("MAC"); Tx:PUA(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---------------- @@ -1222,84 +1216,84 @@ Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - -(PEA processing) - - - - - - - - - - Rx:PEA RtxTimerStop(); CLOSED Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7. PAA State Machine -7.1 Interface between PAA and EAP Authenticator +7.1. Interface between PAA and EAP Authenticator The interface between a PAA and an EAP authenticator provides a mechanism to deliver EAP messages for the EAP authenticator as well as a mechanism to notify the EAP authenticator of PAA events and to receive notification of EAP authenticator events. These message delivery and event notification mechanisms occur only within context of their associated states or exit actions. -7.1.1 EAP Restart Notification from PAA to EAP Authenticator +7.1.1. EAP Restart Notification from PAA to EAP Authenticator An EAP authenticator state machine defined in [I-D.ietf-eap- statemachine] has an initialization procedure before sending the first EAP request. To initialize the EAP state machine, the PAA state machine defines an event notification mechanism to send an EAP (re)start event to the EAP peer. The event notification is done via EAP_Restart() procedure in the initialization action of the PAA state machine. -7.1.2 Delivering EAP Responses from PAA to EAP Authenticator +7.1.2. Delivering EAP Responses from PAA to EAP Authenticator TxEAP() procedure in the PAA state machine serves as the mechanism to deliver EAP-Responses contained in PANA-Auth-Answer messages to the EAP authenticator. This procedure is enabled only after an EAP restart event is notified to the EAP authenticator and before any event resulting in a termination of the EAP authenticator session. In the case where the EAP authenticator follows the EAP authenticator state machines defined in [I-D.ietf-eap-statemachine], TxEAP() procedure sets eapResp variable of the EAP authenticator state machine and puts the EAP response in eapRespData variable of the EAP authenticator state machine. -7.1.3 Delivering EAP Messages from EAP Authenticator to PAA +7.1.3. Delivering EAP Messages from EAP Authenticator to PAA An EAP request is delivered from the EAP authenticator to the PAA via EAP_REQUEST event variable. The event variable is set when the EAP authenticator passes the EAP request to its lower-layer. In the case where the EAP authenticator follows the EAP authenticator state machines defined in [I-D.ietf-eap-statemachine], EAP_REQUEST event variable refers to eapReq variable of the EAP authenticator state machine and the EAP request is contained in eapReqData variable of the EAP authenticator state machine. -7.1.4 EAP Authentication Result Notification from EAP Authenticator to +7.1.4. EAP Authentication Result Notification from EAP Authenticator to PAA In order for the EAP authenticator to notify the PAA of the EAP authentication result, EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables are defined. In the case where the EAP authenticator follows the EAP authenticator state machines defined in [I-D.ietf- eap-statemachine], EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables refer to eapSuccess, eapFail and eapTimeout variables of the EAP authenticator state machine, respectively. In this case, if EAP_SUCCESS event variable is set to TRUE, an EAP-Success message is contained in eapReqData variable of the EAP authenticator state machine, and additionally, eapKeyAvailable variable is set to TRUE and eapKeyData variable contains a AAA-Key if the AAA-Key is generated as a result of successful authentication by the EAP authentication method in use. Similarly, if EAP_FAILURE event variable is set to TRUE, an EAP-Failure message is contained in eapReqData variable of the EAP authenticator state machine. The PAA uses EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables as a trigger to send a PBR or a PFER message to the PaC. -7.2 Variables +7.2. Variables USE_COOKIE This variable indicates whether the PAA uses Cookie. EAP_PIGGYBACK This variable indicates whether the PAA is able to piggyback an EAP-Request in PANA-Start-Request. @@ -1375,21 +1369,21 @@ This event variable is set to TRUE when the EAP authenticator delivers an EAP Request to the PAA. This event accompanies an EAP-Request message received from the EAP authenticator. EAP_TIMEOUT This event variable is set to TRUE when EAP conversation times out without generating an EAP-Success or an EAP-Failure message. This event does not accompany any EAP message. -7.3 Procedures +7.3. Procedures boolean new_key_available() A procedure to check whether the PANA session has a new PANA_MAC_KEY. If the state machine already have a PANA_MAC_KEY, it returns FALSE. If the state machine does not have a PANA_MAC_KEY, it tries to retrieve a AAA-Key from the EAP entity. If a AAA-Key has been retrieved, it computes a PANA_MAC_KEY from the AAA-Key and returns TRUE. Otherwise, it returns FALSE. @@ -1399,32 +1393,31 @@ PUR message. If the source IP address of the message is different from the last known IP address stored in the PANA session, this procedure returns TRUE. Otherwise, it returns FALSE. void update_popa() A procedure to extract the PaC's source IP address from the current PUR message and update the PANA session with this new IP address. -7.4 PAA State Transition Table +7.4. PAA State Transition Table ------------------------------ State: OFFLINE (Initial State) ------------------------------ - Initialization Action: USE_COOKIE=Set|Unset; EAP_PIGGYBACK=Set|Unset; SEPARATE=Set|Unset; - if (EAP_PIGGYBACK==Set) + if (USE_COOKIE==Unset && EAP_PIGGYBACK==Set) SEPARATE=Unset; 1ST_EAP=Unset; ABORT_ON_1ST_EAP_FAILURE=Set|Unset; CARRY_LIFETIME=Set|Unset; CARRY_DEVICE_ID=Set|Unset; CARRY_NAP_INFO=Set|Unset; CARRY_ISP_INFO=Set|Unset; CARRY_PPAC=Set|Unset; PROTECTION_CAP_IN_PSR=Set|Unset; PROTECTION_CAP_IN_PBR=Set|Unset; @@ -1672,23 +1666,20 @@ SEPARATE==Set && if (CARRY_DEVICE_ID==Set) Authorize() PBR.insert_avp ("Device-Id"); if (CARRY_LIFETIME==Set) PBR.insert_avp ("Session-Lifetime"); if (PROTECTION_CAP_IN_PBR ==Set) PBR.insert_avp ("Protection-Cap."); - if (new_key_available()) - PBR.insert_avp - ("Key-Id"); if (key_available()) PBR.insert_avp("MAC"); PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA 1ST_EAP==Success && ("EAP-Payload"); @@ -1754,22 +1744,25 @@ if (key_available()) PBR.insert_avp("MAC"); PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA 1ST_EAP==Failure && ("EAP-Payload"); - SEPARATE==Set && if (key_available()) - !Authorize() PBR.insert_avp("MAC"); + SEPARATE==Set && if (new_key_available()) + !Authorize() PBR.insert_avp + ("Key-Id"); + if (key_available()) + PBR.insert_avp("MAC"); PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA 1ST_EAP==Failure && PBR.insert_avp("MAC"); SEPARATE==Set PBR.S_flag=1; if (NAP_AUTH) @@ -2086,53 +2076,53 @@ modifications are to accomodate the mobility variables and procedures as they relate to existing state transition actions and events. These modifications to existing state transition are noted in state transition tables in this section. These modified state transitions are intended to replace thier base protocol counterpart. Addition of new state transitions specific to mobility optimization is also present. Variable initialization also need to be added to the appropriate base protocol state to complete the mobility optimization support. -8.1 Common Variables +8.1. Common Variables MOBILITY This variable indicates whether the mobility handling feature described in [I-D.ietf-pana-mobopts] is supported. This should be present in both PaC and PAA state machine. Existing state transitions in the base protocol state machine that can be affected by mobility optimization must treat this variable as being Unset unless the state transitions is explicitly redefined in this section. -8.2 PaC Mobility Optimization State Machine +8.2. PaC Mobility Optimization State Machine -8.2.1 Variables +8.2.1. Variables PANA_SA_RESUMED This variable indicates whether the PANA SA of a previous PANA session was resumed during the discovery and initial handshake. -8.2.2 Procedures +8.2.2. Procedures boolean resume_pana_sa() This procedure returns TRUE when a PANA SA for a previously established PANA Session is resumed, otherwise returns FALSE. Once a PANA SA is resumed, key_available() procedure must return TRUE. Existing state transitions in the base protocol state machine that can be affected by mobility optimization must assume that this procedure always returns FALSE unless the state transition is explicitly redefined in this section. -8.2.3 PaC Mobility Optimization State Transition Table Addendum +8.2.3. PaC Mobility Optimization State Transition Table Addendum ------------------------------ State: OFFLINE (Initial State) ------------------------------ Initialization Action: MOBILITY=Set|Unset; PANA_SA_RESUMED=Unset; @@ -2247,100 +2237,121 @@ !eap_piggyback() 1ST_EAP=Unset; PANA_SA_RESUMED=Unset; EAP_RespTimerStart(); TxEAP(); if (key_available()) PAN.insert_avp("MAC"); PAN.S_flag=PAR.S_flag; PAN.N_flag=PAR.N_flag; Tx:PAN(); SessionTimerStop(); - Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG eap_piggyback() 1ST_EAP=Unset; PANA_SA_RESUMED=Unset; EAP_RespTimerStart(); TxEAP(); SessionTimerStop(); -8.3 PAA Mobility Optimization + ------------------------+--------------------------+------------ + - - - - - - - - (PSR processing with mobility support)- - - - - + - The following state transitions are intended to be added - + - to the OPEN state of the PaC base protocol state machine - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + Rx:PSR && RtxTimerStop(); WAIT_PAA + !PSR.exist_avp PSA.insert_avp + ("EAP-Payload") && ("Session-Id"); + MOBILITY==Set && SEPARATE=Unset; + resume_pana_sa() && PANA_SA_RESUMED=Set; + PSR.exist_avp PSA.insert_avp("Cookie"); + ("Cookie") PSA.insert_avp("MAC"); + Tx:PSA(); + RtxTimerStart(); -8.3.1 Procedures + Rx:PSR && RtxTimerStop(); WAIT_PAA + !PSR.exist_avp PSA.insert_avp + ("EAP-Payload") && ("Session-Id"); + MOBILITY==Set && PSA.insert_avp("MAC"); + resume_pana_sa() && Tx:PSA(); + !PSR.exist_avp PANA_SA_RESUMED=Set; + ("Cookie") + +8.3. PAA Mobility Optimization + +8.3.1. Procedures boolean retrieve_pana_sa(Session-Id) This procedure returns TRUE when a PANA SA for the PANA Session corresponds to the specified Session-Id has been retrieved, otherwise returns FALSE. -8.3.2 PAA Mobility Optimization State Transition Table Addendum +8.3.2. PAA Mobility Optimization State Transition Table Addendum ------------------------------ State: OFFLINE (Initial State) ------------------------------ Initialization Action: MOBILITY=Set|Unset; Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - (PSA processing without mobility support) - - - - + - - - - - - - (PSA processing with mobility support) - - - - - - - The following state transitions are intended to replace - - existing base protocol state transitions. Original base - - protocol state transitions can be referenced by exit - - conditions that excludes MOBILITY variable checks and - - retrieve_pana_sa() procedure calls. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG - USE_COOKIE==Set && PSA.S_flag==0) - (!PSA.exist_avp SEPARATE=Unset; - ("Session-Id") || if (SEPARATE==Set) - MOBILITY==Unset || NAP_AUTH=Set|Unset; - (MOBILITY==Set && EAP_Restart(); - !retrieve_pana_sa + (!PSA.exist_avp PSA.S_flag==0) + ("Session-Id") || SEPARATE=Unset; + MOBILITY==Unset || if (SEPARATE==Set) + (MOBILITY==Set && NAP_AUTH=Set|Unset; + !retrieve_pana_sa EAP_Restart(); (PSA.SESSION_ID))) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (PSA processing with mobility support)- - - - - Rx:PSA && PBR.insert_avp("MAC"); WAIT_SUCC_PBA - USE_COOKIE==Set && PBR.insert_avp("Key-Id"); - PSA.exist_avp if (CARRY_DEVICE_ID==Set) - ("Session-Id") && PBR.insert_avp - MOBILITY==Set && ("Device-Id"); - retrieve_pana_sa if (PROTECTION_CAP_IN_PBR - (PSA.SESSION_ID) ==Set) + PSA.exist_avp PBR.insert_avp("Key-Id"); + ("Session-Id") && if (CARRY_DEVICE_ID==Set) + MOBILITY==Set && PBR.insert_avp + retrieve_pana_sa ("Device-Id"); + (PSA.SESSION_ID) if (PROTECTION_CAP_IN_PBR + ==Set) PBR.insert_avp ("Protection-Cap."); Tx:PBR(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9. Implementation Considerations -9.1 PAA and PaC Interface to Service Management Entity +9.1. PAA and PaC Interface to Service Management Entity In general, it is assumed in each device that has a PANA protocol stack that there is a Service Management Entity (SME) that manages the PANA protocol stack. It is recommended that a generic interface (i.e., the SME-PANA interface) between the SME and the PANA protocol stack be provided by the implementation. Especially, common procedures such as startup, shutdown, re-authenticate signals and provisions for extracting keying material should be provided by such an interface. The SME-PANA interface in a PAA device should also provide a method for communicating filtering parameters to the EP(s). When cryptographic filtering is used, the filtering parameters include keying material used for bootstrapping per-packet ciphering. When a PAA device interacts with the backend authentication server using a AAA protocol, its SME may also have an interface to the AAA protocol to obtain authorization parameters such as the authorization lifetime and additional filtering parameters. -9.2 Multicast Traffic +9.2. Multicast Traffic In general, binding a UDP socket to a multicast address and/or port is system dependent. In most systems, a socket can be bound to any address and a specific port. This allows the socket to receive all packets destined for the local host (on all it's local addresses) for that port. If the host subscribes to a multicast addresses then this socket will also receive multicast traffic as well. In some systems, this would also result in the socket receiving all multicast traffic even though it has subscribed to only one multicast address. This is because most physical interfaces has either multicast traffic enabled @@ -2361,40 +2372,40 @@ This document has no actions for IANA. 12. Acknowledgments This work was started from state machines originally made by Dan Forsberg. 13. References -13.1 Normative References +13.1. Normative References [I-D.ietf-pana-pana] Forsberg, D., "Protocol for Carrying Authentication for - Network Access (PANA)", draft-ietf-pana-pana-08 (work in - progress), May 2005. + Network Access (PANA)", draft-ietf-pana-pana-10 (work in + progress), July 2005. [I-D.ietf-eap-statemachine] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, "State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator", draft-ietf-eap-statemachine-06 (work in progress), December 2004. [I-D.ietf-pana-mobopts] Forsberg, D., "PANA Mobility Optimizations", draft-ietf-pana-mobopts-00 (work in progress), January 2005. -13.2 Informative References +13.2. Informative References [RFC4058] Yegin, A., Ohba, Y., Penno, R., Tsirtsis, G., and C. Wang, "Protocol for Carrying Authentication for Network Access (PANA) Requirements", RFC 4058, May 2005. [I-D.ietf-pana-snmp] Mghazli, Y., "SNMP usage for PAA-EP interface", draft-ietf-pana-snmp-04 (work in progress), July 2005. Authors' Addresses