draft-ietf-pana-statemachine-03.txt   draft-ietf-pana-statemachine-04.txt 
PANA Working Group V. Fajardo PANA Working Group V. Fajardo
Internet-Draft Y. Ohba Internet-Draft Y. Ohba
Expires: April 23, 2006 TARI Expires: December 1, 2006 TARI
R. Lopez R. Lopez
Univ. of Murcia Univ. of Murcia
October 20, 2005 May 30, 2006
State Machines for Protocol for Carrying Authentication for Network State Machines for Protocol for Carrying Authentication for Network
Access (PANA) Access (PANA)
draft-ietf-pana-statemachine-03 draft-ietf-pana-statemachine-04
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 37 skipping to change at page 1, line 37
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 23, 2006. This Internet-Draft will expire on December 1, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2006).
Abstract Abstract
This document defines the conceptual state machines for the Protocol This document defines the conceptual state machines for the Protocol
for Carrying Authentication for Network Access (PANA). The state for Carrying Authentication for Network Access (PANA). The state
machines consist of the PANA Client (PaC) state machine and the PANA machines consist of the PANA Client (PaC) state machine and the PANA
Authentication Agent (PAA) state machine. The two state machines Authentication Agent (PAA) state machine. The two state machines
show how PANA can interface to EAP state machines and can be show how PANA can interface to EAP state machines and can be
implemented with supporting various features including separate NAP implemented with supporting various features including separate NAP
and ISP authentications, ISP selection and mobility optimization. and ISP authentications, ISP selection and mobility optimization.
skipping to change at page 2, line 35 skipping to change at page 2, line 35
6.1.2. Delivering EAP Responses from EAP Peer to PaC . . . . 16 6.1.2. Delivering EAP Responses from EAP Peer to PaC . . . . 16
6.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 16 6.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 16
6.1.4. EAP Authentication Result Notification from EAP 6.1.4. EAP Authentication Result Notification from EAP
Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17 Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17
6.1.5. Alternate Failure Notification from PaC to EAP Peer . 17 6.1.5. Alternate Failure Notification from PaC to EAP Peer . 17
6.1.6. EAP Invalid Message Notification from EAP Peer to 6.1.6. EAP Invalid Message Notification from EAP Peer to
PaC . . . . . . . . . . . . . . . . . . . . . . . . . 17 PaC . . . . . . . . . . . . . . . . . . . . . . . . . 17
6.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 17 6.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 17
6.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18 6.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18
6.4. PaC State Transition Table . . . . . . . . . . . . . . . . 19 6.4. PaC State Transition Table . . . . . . . . . . . . . . . . 19
7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 31 7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 33
7.1. Interface between PAA and EAP Authenticator . . . . . . . 31 7.1. Interface between PAA and EAP Authenticator . . . . . . . 33
7.1.1. EAP Restart Notification from PAA to EAP 7.1.1. EAP Restart Notification from PAA to EAP
Authenticator . . . . . . . . . . . . . . . . . . . . 31 Authenticator . . . . . . . . . . . . . . . . . . . . 33
7.1.2. Delivering EAP Responses from PAA to EAP 7.1.2. Delivering EAP Responses from PAA to EAP
Authenticator . . . . . . . . . . . . . . . . . . . . 31 Authenticator . . . . . . . . . . . . . . . . . . . . 33
7.1.3. Delivering EAP Messages from EAP Authenticator to 7.1.3. Delivering EAP Messages from EAP Authenticator to
PAA . . . . . . . . . . . . . . . . . . . . . . . . . 31 PAA . . . . . . . . . . . . . . . . . . . . . . . . . 33
7.1.4. EAP Authentication Result Notification from EAP 7.1.4. EAP Authentication Result Notification from EAP
Authenticator to PAA . . . . . . . . . . . . . . . . . 31 Authenticator to PAA . . . . . . . . . . . . . . . . . 33
7.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 32 7.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 34
7.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 34 7.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 36
7.4. PAA State Transition Table . . . . . . . . . . . . . . . . 34 7.4. PAA State Transition Table . . . . . . . . . . . . . . . . 37
8. Mobility Optimization Support . . . . . . . . . . . . . . . . 49 8. Mobility Optimization Support . . . . . . . . . . . . . . . . 52
8.1. Common Variables . . . . . . . . . . . . . . . . . . . . . 49 8.1. Common Variables . . . . . . . . . . . . . . . . . . . . . 52
8.2. PaC Mobility Optimization State Machine . . . . . . . . . 50 8.2. PaC Mobility Optimization State Machine . . . . . . . . . 53
8.2.1. Variables . . . . . . . . . . . . . . . . . . . . . . 50 8.2.1. Variables . . . . . . . . . . . . . . . . . . . . . . 53
8.2.2. Procedures . . . . . . . . . . . . . . . . . . . . . . 50 8.2.2. Procedures . . . . . . . . . . . . . . . . . . . . . . 53
8.2.3. PaC Mobility Optimization State Transition Table 8.2.3. PaC Mobility Optimization State Transition Table
Addendum . . . . . . . . . . . . . . . . . . . . . . . 50
8.3. PAA Mobility Optimization . . . . . . . . . . . . . . . . 53
8.3.1. Procedures . . . . . . . . . . . . . . . . . . . . . . 53
8.3.2. PAA Mobility Optimization State Transition Table
Addendum . . . . . . . . . . . . . . . . . . . . . . . 53 Addendum . . . . . . . . . . . . . . . . . . . . . . . 53
9. Implementation Considerations . . . . . . . . . . . . . . . . 55 8.3. PAA Mobility Optimization . . . . . . . . . . . . . . . . 56
9.1. PAA and PaC Interface to Service Management Entity . . . . 55 8.3.1. Procedures . . . . . . . . . . . . . . . . . . . . . . 56
9.2. Multicast Traffic . . . . . . . . . . . . . . . . . . . . 55 8.3.2. PAA Mobility Optimization State Transition Table
10. Security Considerations . . . . . . . . . . . . . . . . . . . 56 Addendum . . . . . . . . . . . . . . . . . . . . . . . 56
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 57 9. Implementation Considerations . . . . . . . . . . . . . . . . 58
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 58 9.1. PAA and PaC Interface to Service Management Entity . . . . 58
13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 59 9.2. Multicast Traffic . . . . . . . . . . . . . . . . . . . . 58
13.1. Normative References . . . . . . . . . . . . . . . . . . . 59 10. Security Considerations . . . . . . . . . . . . . . . . . . . 59
13.2. Informative References . . . . . . . . . . . . . . . . . . 59 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 60 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 61
Intellectual Property and Copyright Statements . . . . . . . . . . 61 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 62
13.1. Normative References . . . . . . . . . . . . . . . . . . . 62
13.2. Informative References . . . . . . . . . . . . . . . . . . 62
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 63
Intellectual Property and Copyright Statements . . . . . . . . . . 64
1. Introduction 1. Introduction
This document defines the state machines for Protocol Carrying This document defines the state machines for Protocol Carrying
Authentication for Network Access (PANA) [I-D.ietf-pana-pana]. There Authentication for Network Access (PANA) [I-D.ietf-pana-pana]. There
are state machines for the PANA client (PaC) and for the PANA are state machines for the PANA client (PaC) and for the PANA
Authentication Agent (PAA). Each state machine is specified through Authentication Agent (PAA). Each state machine is specified through
a set of variables, procedures and a state transition table. a set of variables, procedures and a state transition table.
A PANA protocol execution consists of several exchanges to carry A PANA protocol execution consists of several exchanges to carry
skipping to change at page 4, line 26 skipping to change at page 4, line 26
layer for EAP protocol. Thus, a PANA state machine bases its layer for EAP protocol. Thus, a PANA state machine bases its
execution on an EAP state machine execution and vice versa. Thus execution on an EAP state machine execution and vice versa. Thus
this document also shows for each of PaC and PAA an interface between this document also shows for each of PaC and PAA an interface between
an EAP state machine and a PANA state machine and how this interface an EAP state machine and a PANA state machine and how this interface
allows to exchange information between them. Thanks to this allows to exchange information between them. Thanks to this
interface, a PANA state machine can be informed about several events interface, a PANA state machine can be informed about several events
generated in an EAP state machine and make its execution conditional generated in an EAP state machine and make its execution conditional
to its events. to its events.
The details of EAP state machines are out of the scope of this The details of EAP state machines are out of the scope of this
document. Additional information can be found in [I-D.ietf-eap- document. Additional information can be found in [RFC4137].
statemachine]. Nevertheless PANA state machines presented here have Nevertheless PANA state machines presented here have been coordinated
been coordinated with state machines shown by [I-D.ietf-eap- with state machines shown by [RFC4137].
statemachine].
This document, apart from defining PaC and PAA state machines and This document, apart from defining PaC and PAA state machines and
their interfaces to EAP state machines (running on top of PANA), their interfaces to EAP state machines (running on top of PANA),
provides some implementation considerations, taking into account that provides some implementation considerations, taking into account that
it is not a specification but an implementation guideline. it is not a specification but an implementation guideline.
2. Interface Between PANA and EAP 2. Interface Between PANA and EAP
PANA carries EAP messages exchanged between an EAP peer and an EAP PANA carries EAP messages exchanged between an EAP peer and an EAP
authenticator (see Figure 1). Thus a PANA state machine must authenticator (see Figure 1). Thus a PANA state machine must
skipping to change at page 6, line 8 skipping to change at page 6, line 8
PaC state machine that is responsible for actually transmitting this PaC state machine that is responsible for actually transmitting this
message. message.
On the other hand, the PAA state machine presents response messages On the other hand, the PAA state machine presents response messages
(EAP-Response messages) to the EAP authenticator state machine (EAP-Response messages) to the EAP authenticator state machine
through interface defined between them. The EAP authenticator through interface defined between them. The EAP authenticator
processes these messages and generate EAP messages (EAP-Request, EAP- processes these messages and generate EAP messages (EAP-Request, EAP-
Success and EAP-Failure messages) that are send to the PAA state Success and EAP-Failure messages) that are send to the PAA state
machine to be sent. machine to be sent.
For example, [I-D.ietf-eap-statemachine] specifies four interfaces to For example, [RFC4137] specifies four interfaces to lower layers: (i)
lower layers: (i) an interface between the EAP peer state machine and an interface between the EAP peer state machine and a lower layer,
a lower layer, (ii) an interface between the EAP standalone (ii) an interface between the EAP standalone authenticator state
authenticator state machine and a lower layer, (iii) an interface machine and a lower layer, (iii) an interface between the EAP full
between the EAP full authenticator state machine and a lower layer authenticator state machine and a lower layer and (iv) an interface
and (iv) an interface between the EAP backend authenticator state between the EAP backend authenticator state machine and a lower
machine and a lower layer. In this document, the PANA protocol is layer. In this document, the PANA protocol is the lower layer of EAP
the lower layer of EAP and only the first three interfaces are of and only the first three interfaces are of interest to PANA. The
interest to PANA. The second and third interfaces are the same. In second and third interfaces are the same. In this regard, the EAP
this regard, the EAP standalone authenticator or the EAP full standalone authenticator or the EAP full authenticator and its state
authenticator and its state machine in [I-D.ietf-eap-statemachine] machine in [RFC4137] are referred to as the EAP authenticator and the
are referred to as the EAP authenticator and the EAP authenticator EAP authenticator state machine, respectively, in this document. If
state machine, respectively, in this document. If an EAP peer and an an EAP peer and an EAP authenticator follow the state machines
EAP authenticator follow the state machines defined in [I-D.ietf-eap- defined in [RFC4137], the interfaces between PANA and EAP could be
statemachine], the interfaces between PANA and EAP could be based on based on that document. Detailed definition of interfaces between
that document. Detailed definition of interfaces between PANA and PANA and EAP are described in the subsequent sections.
EAP are described in the subsequent sections.
3. Document Authority 3. Document Authority
When a discrepancy occurs between any part of this document and any When a discrepancy occurs between any part of this document and any
of the related documents ([I-D.ietf-pana-pana], [I-D.ietf-pana- of the related documents ([I-D.ietf-pana-pana], [I-D.ietf-pana-
mobopts], [I-D.ietf-eap-statemachine] the latter (the other mobopts], [RFC4137] the latter (the other documents) are considered
documents) are considered authoritative and takes precedence. authoritative and takes precedence.
4. Notations 4. Notations
The following state transition tables are completed mostly based on The following state transition tables are completed mostly based on
the conventions specified in [I-D.ietf-eap-statemachine]. The the conventions specified in [RFC4137]. The complete text is
complete text is described below. described below.
State transition tables are used to represent the operation of the State transition tables are used to represent the operation of the
protocol by a number of cooperating state machines each comprising a protocol by a number of cooperating state machines each comprising a
group of connected, mutually exclusive states. Only one state of group of connected, mutually exclusive states. Only one state of
each machine can be active at any given time. each machine can be active at any given time.
All permissible transitions from a given state to other states and All permissible transitions from a given state to other states and
associated actions performed when the transitions occur are associated actions performed when the transitions occur are
represented by using triplets of (exit condition, exit action, exit represented by using triplets of (exit condition, exit action, exit
state). All conditions are expressions that evaluate to TRUE or state). All conditions are expressions that evaluate to TRUE or
FALSE; if a condition evaluates to TRUE, then the condition is met. FALSE; if a condition evaluates to TRUE, then the condition is met.
A state "ANY" is a wildcard state that matches the current state in A state "ANY" is a wildcard state that matches the current state in
each state machine. The exit conditions of a wildcard state are each state machine. The exit conditions of a wildcard state are
evaluated after all other exit conditions of specific to the current evaluated after all other exit conditions of specific to the current
state are met. state are met.
On exit from a state, the exit actions defined for the state and the On exit from a state, the exit actions defined for the state and the
exit condition are executed exactly once, in the order that they exit condition are executed exactly once, in the order that they
appear on the page. (Note that the procedures defined in [I-D.ietf- appear on the page. (Note that the procedures defined in [RFC4137]
eap-statemachine] are executed on entry to a state, which is one are executed on entry to a state, which is one major difference from
major difference from this document.) Each exit action is deemed to this document.) Each exit action is deemed to be atomic; i.e.,
be atomic; i.e., execution of an exit action completes before the execution of an exit action completes before the next sequential exit
next sequential exit action starts to execute. No exit action action starts to execute. No exit action execute outside of a state
execute outside of a state block. The exit actions in only one state block. The exit actions in only one state block execute at a time
block execute at a time even if the conditions for execution of state even if the conditions for execution of state blocks in different
blocks in different state machines are satisfied. All exit actions state machines are satisfied. All exit actions in an executing state
in an executing state block complete execution before the transition block complete execution before the transition to and execution of
to and execution of any other state blocks. The execution of any any other state blocks. The execution of any state block appears to
state block appears to be atomic with respect to the execution of any be atomic with respect to the execution of any other state block and
other state block and the transition condition to that state from the the transition condition to that state from the previous state is
previous state is TRUE when execution commences. The order of TRUE when execution commences. The order of execution of state
execution of state blocks in different state machines is undefined blocks in different state machines is undefined except as constrained
except as constrained by their transition conditions. A variable by their transition conditions. A variable that is set to a
that is set to a particular value in a state block retains this value particular value in a state block retains this value until a
until a subsequent state block executes an exit action that modifies subsequent state block executes an exit action that modifies the
the value. value.
On completion of the transition from the previous state to the On completion of the transition from the previous state to the
current state, all exit conditions occurring during the current state current state, all exit conditions occurring during the current state
(including exit conditions defined for the wildcard state) are (including exit conditions defined for the wildcard state) are
evaluated until an exit condition for that state is met. evaluated until an exit condition for that state is met.
Any event variable is set to TRUE when the corresponding event occurs Any event variable is set to TRUE when the corresponding event occurs
and set to FALSE immediately after completion of the action and set to FALSE immediately after completion of the action
associated with the current state and the event. associated with the current state and the event.
The interpretation of the special symbols and operators used is The interpretation of the special symbols and operators used is
defined in [I-D.ietf-eap-statemachine]. defined in [RFC4137].
5. Common Rules 5. Common Rules
There are following procedures, variables, message initializing rules There are following procedures, variables, message initializing rules
and state transitions that are common to both the PaC and PAA state and state transitions that are common to both the PaC and PAA state
machines. machines.
Throughout this document, the character string "PANA_MESSAGE_NAME" Throughout this document, the character string "PANA_MESSAGE_NAME"
matches any one of the abbreviated PANA message names, i.e., "PDI", matches any one of the abbreviated PANA message names, i.e., "PDI",
"PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR", "PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR",
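Review bot: In Section 3 the changed sentence still has an unbalanced parenthesis and a number mismatch: "([I-D.ietf-pana-pana], [I-D.ietf-pana-mobopts], [RFC4137] the latter (the other documents) are considered authoritative and takes precedence". Close the parenthesis after [RFC4137] and write "take precedence". In Section 4, the wildcard rule "evaluated after all other exit conditions of specific to the current state are met" is ambiguous for implementers, because a met condition already triggers a transition. If the intent is that ANY is consulted only when no state-specific condition is met, say so explicitly.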
skipping to change at page 11, line 37 skipping to change at page 11, line 37
specified PANA message. specified PANA message.
boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME") boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME")
A procedure that checks whether an AVP of the specified AVP name A procedure that checks whether an AVP of the specified AVP name
exists in the specified PANA message and returns TRUE if the exists in the specified PANA message and returns TRUE if the
specified AVP is found, otherwise returns FALSE. specified AVP is found, otherwise returns FALSE.
boolean key_available() boolean key_available()
A procedure to check whether the PANA session has a PANA_MAC_KEY. A procedure to check whether the PANA session has a PANA_AUTH_KEY.
If the state machine already has a PANA_MAC_KEY, it returns TRUE. If the state machine already has a PANA_AUTH_KEY, it returns TRUE.
If the state machine does not have a PANA_MAC_KEY, it tries to If the state machine does not have a PANA_AUTH_KEY, it tries to
retrieve a AAA-Key from the EAP entity. If a AAA-Key is retrieve a AAA-Key from the EAP entity. If a AAA-Key is
retrieved, it computes a PANA_MAC_KEY from the AAA-Key and returns retrieved, it computes a PANA_AUTH_KEY from the AAA-Key and
TRUE. Otherwise, it returns FALSE. returns TRUE. Otherwise, it returns FALSE.
boolean fatal(int) boolean fatal(int)
A procedure to check whether an integer result code value A procedure to check whether an integer result code value
indicates a fatal error. If the result code indicates a fatal indicates a fatal error. If the result code indicates a fatal
error, the procedure returns TRUE, otherwise, it return FALSE. A error, the procedure returns TRUE, otherwise, it return FALSE. A
fatal error would also result in the termination of the session fatal error would also result in the termination of the session
and release of all resources related to that session. and release of all resources related to that session.
5.2. Common Variables 5.2. Common Variables
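Review bot: key_available() is presented as a check, but its description gives it a side effect: "If a AAA-Key is retrieved, it computes a PANA_AUTH_KEY from the AAA-Key and returns TRUE". It is used inside exit conditions, which Section 4 defines as expressions that evaluate to TRUE or FALSE, and in the Section 5 table it is the last term of an "&&" / "||" chain, so whether the key is derived can depend on evaluation order. Suggest stating that the derivation is performed at most once per session and that calling the procedure repeatedly is harmless, or moving the derivation into an exit action. The rename from PANA_MAC_KEY to PANA_AUTH_KEY is applied to all four occurrences in this procedure.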
skipping to change at page 13, line 34 skipping to change at page 13, line 34
ABORT_ON_1ST_EAP_FAILURE ABORT_ON_1ST_EAP_FAILURE
This variable indicates whether the PANA session is immediately This variable indicates whether the PANA session is immediately
terminated when the 1st EAP authentication fails. terminated when the 1st EAP authentication fails.
CARRY_DEVICE_ID CARRY_DEVICE_ID
This variable indicates whether a Device-Id AVP is carried in a This variable indicates whether a Device-Id AVP is carried in a
PANA-Bind-Request or PANA_Bind-Answer message. For the PAA, this PANA-Bind-Request or PANA_Bind-Answer message. For the PAA, this
variable MUST be set when a link-layer or IP address is used as variable must be set when a link-layer or IP address is used as
the device identifier of the PaC and a Protection-Capability AVP the device identifier of the PaC and a Protection-Capability AVP
is included in the PANA-Bind-Request message. is included in the PANA-Bind-Request message.
ANY ANY
This event variable is set to TRUE when any event occurs. This event variable is set to TRUE when any event occurs.
5.3. Constants 5.3. Constants
RTX_MAX_NUM RTX_MAX_NUM
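Review bot: In CARRY_DEVICE_ID the message name is still written "PANA_Bind-Answer" with an underscore, next to "PANA-Bind-Request"; use "PANA-Bind-Answer". Lowering "MUST" to "must" matches the Introduction's statement that this document "is not a specification but an implementation guideline". However, the condition (link-layer or IP address used as device identifier, and a Protection-Capability AVP present in the PANA-Bind-Request) then reads as advisory, so add a pointer to the authoritative document named in Section 3 for the requirement itself.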
skipping to change at page 15, line 24 skipping to change at page 15, line 24
RTX_MAX_NUM RTX_MAX_NUM
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - (Reach maximum number of transmissions)- - - - - - - - - - - - - (Reach maximum number of transmissions)- - - - - -
RTX_TIMEOUT && Disconnect(); CLOSED RTX_TIMEOUT && Disconnect(); CLOSED
RTX_COUNTER>= RTX_COUNTER>=
RTX_MAX_NUM RTX_MAX_NUM
SESS_TIMEOUT Disconnect(); CLOSED SESS_TIMEOUT Disconnect(); CLOSED
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - -(PANA-Error-Message-Processing)- - - - - - - - - - - - - - - - -(PANA-Error-Message-Processing)- - - - - -
Rx:PER && PEA.insert_avp("MAC"); CLOSED Rx:PER && PEA.insert_avp("AUTH"); CLOSED
fatal Tx:PEA(); fatal Tx:PEA();
(PER.RESULT_CODE) && Disconnect(); (PER.RESULT_CODE) && Disconnect();
PER.exist_avp("MAC") && PER.exist_avp("AUTH") &&
key_available() key_available()
Rx:PER && Tx:PEA(); (no change) Rx:PER && Tx:PEA(); (no change)
!fatal !fatal
(PER.RESULT_CODE) || (PER.RESULT_CODE) ||
!PER.exist_avp("MAC") || !PER.exist_avp("AUTH") ||
!key_available() !key_available()
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following transitions can occur on any exit condition within the The following transitions can occur on any exit condition within the
specified state. specified state.
------------- -------------
State: CLOSED State: CLOSED
------------- -------------
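Review bot: In the PANA-Error-Message-Processing rows, the branch that ends in Disconnect() and CLOSED tests only PER.exist_avp("AUTH") and key_available(), and exist_avp() is defined in Section 5.1 as a presence check that "returns TRUE if the specified AVP is found". State where the AUTH AVP value is verified before this transition is taken, or add the verification to the exit condition, so that session teardown depends on a validated AVP rather than on its presence. Also, the "(no change)" row sends Tx:PEA() without PEA.insert_avp("AUTH") even in the case where the result code is not fatal but the AUTH AVP exists and a key is available; say whether the answer should be protected in that case.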
skipping to change at page 16, line 28 skipping to change at page 16, line 28
within the context of their associated states or exit actions. within the context of their associated states or exit actions.
6.1.1. Delivering EAP Messages from PaC to EAP Peer 6.1.1. Delivering EAP Messages from PaC to EAP Peer
TxEAP() procedure in the PaC state machine serves as the mechanism to TxEAP() procedure in the PaC state machine serves as the mechanism to
deliver EAP request, EAP success and EAP failure messages contained deliver EAP request, EAP success and EAP failure messages contained
in PANA-Auth-Request messages to the EAP peer. This procedure is in PANA-Auth-Request messages to the EAP peer. This procedure is
enabled only after an EAP restart event is notified to the EAP peer enabled only after an EAP restart event is notified to the EAP peer
and before any event resulting in a termination of the EAP peer and before any event resulting in a termination of the EAP peer
session. In the case where the EAP peer follows the EAP peer state session. In the case where the EAP peer follows the EAP peer state
machine defined in [I-D.ietf-eap-statemachine], TxEAP() procedure machine defined in [RFC4137], TxEAP() procedure sets eapReq variable
sets eapReq variable of the EAP peer state machine and puts the EAP of the EAP peer state machine and puts the EAP request in eapReqData
request in eapReqData variable of the EAP peer state machine. variable of the EAP peer state machine.
6.1.2. Delivering EAP Responses from EAP Peer to PaC 6.1.2. Delivering EAP Responses from EAP Peer to PaC
An EAP response is delivered from the EAP peer to the PaC via An EAP response is delivered from the EAP peer to the PaC via
EAP_RESPONSE event variable. The event variable is set when the EAP EAP_RESPONSE event variable. The event variable is set when the EAP
peer passes the EAP response to its lower-layer. In the case where peer passes the EAP response to its lower-layer. In the case where
the EAP peer follows the EAP peer state machine defined in [I-D.ietf- the EAP peer follows the EAP peer state machine defined in [RFC4137],
eap-statemachine], EAP_RESPONSE event variable refers to eapResp EAP_RESPONSE event variable refers to eapResp variable of the EAP
variable of the EAP peer state machine and the EAP response is peer state machine and the EAP response is contained in eapRespData
contained in eapRespData variable of the EAP peer state machine. variable of the EAP peer state machine.
6.1.3. EAP Restart Notification from PaC to EAP Peer 6.1.3. EAP Restart Notification from PaC to EAP Peer
The EAP peer state machine defined in [I-D.ietf-eap-statemachine] has The EAP peer state machine defined in [RFC4137] has an initialization
an initialization procedure before receiving an EAP request. To procedure before receiving an EAP request. To initialize the EAP
initialize the EAP state machine, the PaC state machine defines an state machine, the PaC state machine defines an event notification
event notification mechanism to send an EAP (re)start event to the mechanism to send an EAP (re)start event to the EAP peer. The event
EAP peer. The event notification is done via EAP_Restart() procedure notification is done via EAP_Restart() procedure in the
in the initialization action of the PaC state machine. initialization action of the PaC state machine.
6.1.4. EAP Authentication Result Notification from EAP Peer to PaC 6.1.4. EAP Authentication Result Notification from EAP Peer to PaC
In order for the EAP peer to notify the PaC of an EAP authentication In order for the EAP peer to notify the PaC of an EAP authentication
result, EAP_SUCCESS and EAP_FAILURE event variables are defined. In result, EAP_SUCCESS and EAP_FAILURE event variables are defined. In
the case where the EAP peer follows the EAP peer state machine the case where the EAP peer follows the EAP peer state machine
defined in [I-D.ietf-eap-statemachine], EAP_SUCCESS and EAP_FAILURE defined in [RFC4137], EAP_SUCCESS and EAP_FAILURE event variables
event variables refer to eapSuccess and eapFail variables of the EAP refer to eapSuccess and eapFail variables of the EAP peer state
peer state machine, respectively. In this case, if EAP_SUCCESS event machine, respectively. In this case, if EAP_SUCCESS event variable
variable is set to TRUE and a AAA-Key is generated by the EAP is set to TRUE and a AAA-Key is generated by the EAP authentication
authentication method in use, eapKeyAvailable variable is set to TRUE method in use, eapKeyAvailable variable is set to TRUE and eapKeyData
and eapKeyData variable contains the AAA-Key. Note that EAP_SUCCESS variable contains the AAA-Key. Note that EAP_SUCCESS and EAP_FAILURE
and EAP_FAILURE event variables may be set to TRUE even before the event variables may be set to TRUE even before the PaC receives a PBR
PaC receives a PBR or a PFER from the PAA. or a PFER from the PAA.
6.1.5. Alternate Failure Notification from PaC to EAP Peer 6.1.5. Alternate Failure Notification from PaC to EAP Peer
alt_reject() procedure in the PaC state machine serves as the alt_reject() procedure in the PaC state machine serves as the
mechanism to deliver an authentication failure event to the EAP peer mechanism to deliver an authentication failure event to the EAP peer
without accompanying an EAP message. In the case where the EAP peer without accompanying an EAP message. In the case where the EAP peer
follows the EAP peer state machine defined in [I-D.ietf-eap- follows the EAP peer state machine defined in [RFC4137], alt_reject()
statemachine], alt_reject() procedure sets altReject variable of the procedure sets altReject variable of the EAP peer state machine.
EAP peer state machine. Note that the EAP peer state machine in Note that the EAP peer state machine in [RFC4137] also defines
[I-D.ietf-eap-statemachine] also defines altAccept variable, however, altAccept variable, however, it is never used in PANA in which EAP-
it is never used in PANA in which EAP-Success messages are reliably Success messages are reliably delivered by PANA-Bind exchange.
delivered by PANA-Bind exchange.
6.1.6. EAP Invalid Message Notification from EAP Peer to PaC 6.1.6. EAP Invalid Message Notification from EAP Peer to PaC
In order for the EAP peer to notify the PaC of a receipt of an In order for the EAP peer to notify the PaC of a receipt of an
invalid EAP message, EAP_INVALID_MSG event variable is defined. In invalid EAP message, EAP_INVALID_MSG event variable is defined. In
the case where the EAP peer follows the EAP peer state machine the case where the EAP peer follows the EAP peer state machine
defined in [I-D.ietf-eap-statemachine], EAP_INVALID_MSG event defined in [RFC4137], EAP_INVALID_MSG event variable refers to
variable refers to eapNoResp variable of the EAP peer state machine. eapNoResp variable of the EAP peer state machine.
6.2. Variables 6.2. Variables
SEPARATE SEPARATE
This variable indicates whether the PaC desires NAP/ISP separate This variable indicates whether the PaC desires NAP/ISP separate
authentication. authentication.
1ST_EAP 1ST_EAP
skipping to change at page 19, line 11 skipping to change at page 19, line 11
This procedure returns TRUE when the Post-PANA-Address- This procedure returns TRUE when the Post-PANA-Address-
Configuration method specified by the PAA is available in the PaC Configuration method specified by the PAA is available in the PaC
and that the PaC will be able to comply. and that the PaC will be able to comply.
boolean pcap_supported() boolean pcap_supported()
This procedure returns TRUE when the cryptographic data protection This procedure returns TRUE when the cryptographic data protection
supplied in the Protection-Capability AVP can be supported by the supplied in the Protection-Capability AVP can be supported by the
PaC. PaC.
boolean algorithm_supported()
This procedure returns TRUE when the integrity algorithm supplied
in the Algorithm AVP can be supported by the PaC.
boolean eap_piggyback() boolean eap_piggyback()
This procedures returns TRUE to indicate whether the next EAP This procedures returns TRUE to indicate whether the next EAP
response will be carried in the pending PAN message for response will be carried in the pending PAN message for
optimization. optimization.
void alt_reject() void alt_reject()
This procedure informs the EAP peer of an authentication failure This procedure informs the EAP peer of an authentication failure
event without accompanying an EAP message. event without accompanying an EAP message.
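Review bot: The new algorithm_supported() definition does not say which message's Algorithm AVP it evaluates. Every guard in the tables calls it behind PSR.exist_avp("Algorithm"), including rows that fire on Rx:PFER and Rx:PBR, so the definition should name the PSR explicitly or give the procedure a message argument. pcap_supported() has the same gap: the tables apply it to the PSR in OFFLINE and to the PBR in WAIT_EAP_RESULT.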
skipping to change at page 19, line 50 skipping to change at page 20, line 6
SEPARATE=Set|Unset; SEPARATE=Set|Unset;
CARRY_DEVICE_ID=Unset; CARRY_DEVICE_ID=Unset;
1ST_EAP=Unset; 1ST_EAP=Unset;
RtxTimerStop(); RtxTimerStop();
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+-------------- ------------------------+--------------------------+--------------
- - - - - - - - - - - - - (PSR processing) - - - - - - - - - - - - - - - - - - - - - - - - (PSR processing) - - - - - - - - - - -
Rx:PSR && RtxTimerStop(); WAIT_EAP_MSG_ Rx:PSR && RtxTimerStop(); WAIT_EAP_MSG_
PSR.exist_avp EAP_Restart(); IN_DISC PSR.exist_avp EAP_Restart(); IN_DISC
("EAP-Payload") TxEAP(); ("EAP-Payload") && TxEAP();
SEPARATE=Unset; (!PSR.exist_avp SEPARATE=Unset;
("Protection-Cap.") ||
(PSR.exist_avp
("Protection-Cap.") &&
pcap_supported())) &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PSR && RtxTimerStop(); WAIT_PAA Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp if (choose_isp()) !PSR.exist_avp if (choose_isp())
("EAP-Payload") && PSA.insert_avp("ISP"); ("EAP-Payload") && PSA.insert_avp("ISP");
PSR.S_flag==1 && PSA.S_flag=1; PSR.S_flag==1 && PSA.S_flag=1;
SEPARATE==Set && PSA.insert_avp("Cookie"); SEPARATE==Set && PSA.insert_avp("Cookie");
PSR.exist_avp Tx:PSA(); PSR.exist_avp Tx:PSA();
("Cookie") RtxTimerStart(); ("Cookie") && RtxTimerStart();
EAP_Restart(); (!PSR.exist_avp EAP_Restart();
("Protection-Cap.") ||
(PSR.exist_avp
("Protection-Cap.") &&
pcap_supported())) &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PSR && RtxTimerStop(); WAIT_PAA Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp if (choose_isp()) !PSR.exist_avp if (choose_isp())
("EAP-Payload") && PSA.insert_avp("ISP"); ("EAP-Payload") && PSA.insert_avp("ISP");
PSR.S_flag==1 && PSA.S_flag=1; PSR.S_flag==1 && PSA.S_flag=1;
SEPARATE==Set && Tx:PSA(); SEPARATE==Set && Tx:PSA();
!PSR.exist_avp EAP_Restart(); !PSR.exist_avp EAP_Restart();
("Cookie") ("Cookie") &&
(!PSR.exist_avp
("Protection-Cap.") ||
(PSR.exist_avp
("Protection-Cap.") &&
pcap_supported())) &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PSR && RtxTimerStop(); WAIT_PAA Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp if (choose_isp()) !PSR.exist_avp if (choose_isp())
("EAP-Payload") && PSA.insert_avp("ISP"); ("EAP-Payload") && PSA.insert_avp("ISP");
(PSR.S_flag!=1 || PSA.insert_avp("Cookie"); (PSR.S_flag!=1 || PSA.insert_avp("Cookie");
SEPARATE==Unset) && Tx:PSA(); SEPARATE==Unset) && Tx:PSA();
PSR.exist_avp RtxTimerStart(); PSR.exist_avp RtxTimerStart();
("Cookie") SEPARATE=Unset; ("Cookie") && SEPARATE=Unset;
EAP_Restart(); (!PSR.exist_avp EAP_Restart();
("Protection-Cap.") ||
(PSR.exist_avp
("Protection-Cap.") &&
pcap_supported())) &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PSR && RtxTimerStop(); WAIT_PAA Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp if (choose_isp()) !PSR.exist_avp if (choose_isp())
("EAP-Payload") && PSA.insert_avp("ISP"); ("EAP-Payload") && PSA.insert_avp("ISP");
(PSR.S_flag!=1 || Tx:PSA(); (PSR.S_flag!=1 || Tx:PSA();
SEPARATE==Unset) && SEPARATE=Unset; SEPARATE==Unset) && SEPARATE=Unset;
!PSR.exist_avp EAP_Restart(); !PSR.exist_avp EAP_Restart();
("Cookie") ("Cookie") &&
(!PSR.exist_avp
("Protection-Cap.") ||
(PSR.exist_avp
("Protection-Cap.") &&
pcap_supported())) &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PSR && None(); OFFLINE
(PSR.exist_avp
("Protection-Cap.") &&
!pcap_supported()) ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported())
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - -(Authentication trigger from application) - - - - - - - - - - - -(Authentication trigger from application) - - -
AUTH_USER Tx:PDI(); OFFLINE AUTH_USER Tx:PDI(); OFFLINE
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------------------- ---------------------------
State: WAIT_EAP_MSG_IN_DISC State: WAIT_EAP_MSG_IN_DISC
--------------------------- ---------------------------
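Review bot: The new discard row that closes the PSR processing block (Rx:PSR ... None(); OFFLINE) tests algorithm_supported() where it needs !algorithm_supported(). As written, a PSR carrying a supported Algorithm AVP satisfies this row as well as the accept rows above it, and a PSR carrying an unsupported one satisfies no row at all. The Protection-Cap. disjunct already has the negation, so mirror it: (PSR.exist_avp("Algorithm") && !algorithm_supported()). The two disjuncts also need one enclosing pair of parentheses so that Rx:PSR gates both; with the usual precedence of && over ||, the Algorithm clause currently stands on its own after the ||.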
skipping to change at page 21, line 25 skipping to change at page 22, line 36
State: WAIT_PAA State: WAIT_PAA
--------------- ---------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - -
Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG
!eap_piggyback() TxEAP(); !eap_piggyback() TxEAP();
EAP_RespTimerStart(); EAP_RespTimerStart();
if (key_available()) if (key_available())
PAN.insert_avp("MAC"); PAN.insert_avp("AUTH");
PAN.S_flag=PAR.S_flag; PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag; PAN.N_flag=PAR.N_flag;
Tx:PAN(); Tx:PAN();
Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG
eap_piggyback() TxEAP(); eap_piggyback() TxEAP();
EAP_RespTimerStart(); EAP_RespTimerStart();
Rx:PAN RtxTimerStop(); WAIT_PAA Rx:PAN RtxTimerStop(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - - - - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - -
Rx:PFER && 1ST_EAP=Success; WAIT_1ST_EAP_ Rx:PFER && 1ST_EAP=Success; WAIT_1ST_EAP_
1ST_EAP==Unset && TxEAP(); RESULT 1ST_EAP==Unset && TxEAP(); RESULT
SEPARATE==Set && SEPARATE==Set &&
PFER.RESULT_CODE== PFER.RESULT_CODE==
PANA_SUCCESS && PANA_SUCCESS &&
PFER.S_flag==1 PFER.S_flag==1 &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_
1ST_EAP==Unset && TxEAP(); RESULT 1ST_EAP==Unset && TxEAP(); RESULT
SEPARATE==Set && SEPARATE==Set &&
PFER.RESULT_CODE!= PFER.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
PFER.S_flag==1 && PFER.S_flag==1 &&
ABORT_ON_1ST_EAP_FAILURE ABORT_ON_1ST_EAP_FAILURE
==Unset && ==Unset &&
PFER.exist_avp PFER.exist_avp
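Review bot: The Algorithm clause added to the Rx:PFER row that sets 1ST_EAP=Success inspects the PSR, not the PFER being received in WAIT_PAA. Going by the OFFLINE rows in this revision, a PSR only leads to WAIT_PAA once the same clause has held, so here it is either always true or it relies on the PaC retaining the PSR's AVPs across states, which the text does not state. Say which is intended, or drop the clause from this row.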
skipping to change at page 22, line 44 skipping to change at page 24, line 13
(PFER.S_flag==0 || (PFER.S_flag==0 ||
ABORT_ON_1ST_EAP_FAILURE ABORT_ON_1ST_EAP_FAILURE
==Set) && ==Set) &&
!PFER.exist_avp !PFER.exist_avp
("EAP-Payload") ("EAP-Payload")
Rx:PBR && TxEAP(); WAIT_EAP_RESULT Rx:PBR && TxEAP(); WAIT_EAP_RESULT
1ST_EAP==Unset && if (PBR.exist_avp 1ST_EAP==Unset && if (PBR.exist_avp
SEPARATE==Unset && ("Device-Id")) SEPARATE==Unset && ("Device-Id"))
PBR.RESULT_CODE== CARRY_DEVICE_ID=Set; PBR.RESULT_CODE== CARRY_DEVICE_ID=Set;
PANA_SUCCESS PANA_SUCCESS &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ Rx:PBR && TxEAP(); WAIT_EAP_RESULT_
1ST_EAP==Unset && CLOSE 1ST_EAP==Unset && CLOSE
SEPARATE==Unset && SEPARATE==Unset &&
PBR.RESULT_CODE!= PBR.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
PBR.exist_avp PBR.exist_avp
("EAP-Payload") ("EAP-Payload")
Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ Rx:PBR && alt_reject(); WAIT_EAP_RESULT_
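Review bot: With the Algorithm clause added to the Rx:PBR row for PBR.RESULT_CODE==PANA_SUCCESS (exit state WAIT_EAP_RESULT), a successful PBR for which the clause is false matches none of the rows visible here, since the next 1ST_EAP==Unset row requires PBR.RESULT_CODE!=PANA_SUCCESS. Add an explicit row for that case, either a discard or an error path like the PER that WAIT_EAP_RESULT sends for an unsupported Protection-Capability, so that the behaviour is defined.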
skipping to change at page 23, line 20 skipping to change at page 24, line 42
PANA_SUCCESS && PANA_SUCCESS &&
!PBR.exist_avp !PBR.exist_avp
("EAP-Payload") ("EAP-Payload")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - -(2nd EAP result) - - - - - - - - - - - - - - - - - - - - - - - -(2nd EAP result) - - - - - - - - -
Rx:PBR && TxEAP(); WAIT_EAP_RESULT Rx:PBR && TxEAP(); WAIT_EAP_RESULT
1ST_EAP==Success && if (PBR.exist_avp 1ST_EAP==Success && if (PBR.exist_avp
PBR.RESULT_CODE== ("Device-Id")) PBR.RESULT_CODE== ("Device-Id"))
PANA_SUCCESS && CARRY_DEVICE_ID=Set; PANA_SUCCESS && CARRY_DEVICE_ID=Set;
PBR.exist_avp PBR.exist_avp
("EAP-Payload") ("EAP-Payload") &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PBR && alt_reject(); WAIT_EAP_RESULT Rx:PBR && alt_reject(); WAIT_EAP_RESULT
1ST_EAP==Success && if (PBR.exist_avp 1ST_EAP==Success && if (PBR.exist_avp
PBR.RESULT_CODE== ("Device-Id")) PBR.RESULT_CODE== ("Device-Id"))
PANA_SUCCESS && CARRY_DEVICE_ID=Set; PANA_SUCCESS && CARRY_DEVICE_ID=Set;
!PBR.exist_avp !PBR.exist_avp
("EAP-Payload") ("EAP-Payload") &&
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ Rx:PBR && TxEAP(); WAIT_EAP_RESULT_
1ST_EAP==Success && CLOSE 1ST_EAP==Success && CLOSE
PBR.RESULT_CODE!= PBR.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
PBR.exist_avp PBR.exist_avp
("EAP-Payload") ("EAP-Payload")
Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ Rx:PBR && alt_reject(); WAIT_EAP_RESULT_
1ST_EAP==Success && CLOSE 1ST_EAP==Success && CLOSE
PBR.RESULT_CODE!= PBR.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
!PBR.exist_avp !PBR.exist_avp
("EAP-Payload") ("EAP-Payload")
Rx:PBR && TxEAP(); WAIT_EAP_RESULT Rx:PBR && TxEAP(); WAIT_EAP_RESULT
1ST_EAP==Failure && if (PBR.exist_avp 1ST_EAP==Failure && if (PBR.exist_avp
PBR.RESULT_CODE== ("Device-Id")) PBR.RESULT_CODE== ("Device-Id"))
PANA_SUCCESS CARRY_DEVICE_ID=Set; PANA_SUCCESS && CARRY_DEVICE_ID=Set;
(!PSR.exist_avp
("Algorithm") ||
(PSR.exist_avp
("Algorithm") &&
algorithm_supported()))
Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ Rx:PBR && TxEAP(); WAIT_EAP_RESULT_
1ST_EAP==Failure && CLOSE 1ST_EAP==Failure && CLOSE
PBR.RESULT_CODE!= PBR.RESULT_CODE!=
PANA_SUCCESS && PANA_SUCCESS &&
PBR.exist_avp PBR.exist_avp
("EAP-Payload") ("EAP-Payload")
Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ Rx:PBR && alt_reject(); WAIT_EAP_RESULT_
1ST_EAP==Failure && CLOSE 1ST_EAP==Failure && CLOSE
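Review bot: The six-line Algorithm clause is pasted verbatim into each PANA_SUCCESS row of the 2nd EAP result block, as it is in the OFFLINE rows, which makes the conditions hard to audit and easy to get out of step. Define it once as a named condition next to pcap_supported() and algorithm_supported() and reference that name in the rows. The clause (!PSR.exist_avp("Algorithm") || (PSR.exist_avp("Algorithm") && algorithm_supported())) also reduces to (!PSR.exist_avp("Algorithm") || algorithm_supported()).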
skipping to change at page 24, line 26 skipping to change at page 26, line 15
State: WAIT_EAP_MSG State: WAIT_EAP_MSG
------------------- -------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - (Return PAN/PAR) - - - - - - - - - - - - - - - - - - - - - - - - (Return PAN/PAR) - - - - - - - - - - - - - -
EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA
eap_piggyback() PAN.insert_avp eap_piggyback() PAN.insert_avp
("EAP-Payload"); ("EAP-Payload");
if (key_available()) if (key_available())
PAN.insert_avp("MAC"); PAN.insert_avp("AUTH");
PAN.S_flag=PAR.S_flag; PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag; PAN.N_flag=PAR.N_flag;
Tx:PAN(); Tx:PAN();
EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA
!eap_piggyback() PAR.insert_avp !eap_piggyback() PAR.insert_avp
("EAP-Payload"); ("EAP-Payload");
if (key_available()) if (key_available())
PAR.insert_avp("MAC"); PAR.insert_avp("AUTH");
PAR.S_flag=PAN.S_flag; PAR.S_flag=PAN.S_flag;
PAR.N_flag=PAN.N_flag; PAR.N_flag=PAN.N_flag;
Tx:PAR(); Tx:PAR();
RtxTimerStart(); RtxTimerStart();
EAP_RESP_TIMEOUT if (key_available()) WAIT_PAA EAP_RESP_TIMEOUT if (key_available()) WAIT_PAA
PAN.insert_avp("MAC"); PAN.insert_avp("AUTH");
PAN.S_flag=PAR.S_flag; PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag; PAN.N_flag=PAR.N_flag;
Tx:PAN(); Tx:PAN();
EAP_INVALID_MSG || None(); WAIT_PAA EAP_INVALID_MSG || None(); WAIT_PAA
EAP_SUCCESS || EAP_SUCCESS ||
EAP_FAILURE EAP_FAILURE
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------------- ----------------------
State: WAIT_EAP_RESULT State: WAIT_EAP_RESULT
---------------------- ----------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
EAP_SUCCESS && PBA.insert_avp("MAC"); OPEN EAP_SUCCESS && PBA.insert_avp("AUTH"); OPEN
PBR.exist_avp PBA.insert_avp("Key-Id"); PBR.exist_avp PBA.insert_avp("Key-Id");
("Key-Id") && if (CARRY_DEVICE_ID) ("Key-Id") && if (CARRY_DEVICE_ID)
ppac_available() && PBA.insert_avp ppac_available() && PBA.insert_avp
(!PBR.exist_avp ("Device-Id"); (!PBR.exist_avp ("Device-Id");
("Protection- PBA.insert_avp("PPAC"); ("Protection- PBA.insert_avp("PPAC");
Capability") || Tx:PBA(); Capability") || Tx:PBA();
(PBR.exist_avp Authorize(); (PBR.exist_avp Authorize();
("Protection- SessionTimerStart(); ("Protection- SessionTimerStart();
Capability") && Capability") &&
pcap_supported())) pcap_supported()))
EAP_SUCCESS && if (key_available()) OPEN EAP_SUCCESS && if (key_available()) OPEN
!PBR.exist_avp PBA.insert_avp("MAC"); !PBR.exist_avp PBA.insert_avp("AUTH");
("Key-Id") && if (CARRY_DEVICE_ID) ("Key-Id") && if (CARRY_DEVICE_ID)
ppac_available() && PBA.insert_avp ppac_available() && PBA.insert_avp
(!PBR.exist_avp ("Device-Id"); (!PBR.exist_avp ("Device-Id");
("Protection- PBA.insert_avp("PPAC"); ("Protection- PBA.insert_avp("PPAC");
Capability") || Tx:PBA(); Capability") || Tx:PBA();
(PBR.exist_avp Authorize(); (PBR.exist_avp Authorize();
("Protection- SessionTimerStart(); ("Protection- SessionTimerStart();
Capability") && Capability") &&
pcap_supported())) pcap_supported()))
EAP_SUCCESS && if (key_available()) WAIT_PEA EAP_SUCCESS && if (key_available()) WAIT_PEA
!ppac_available() PER.insert_avp("MAC"); !ppac_available() PER.insert_avp("AUTH");
PER.RESULT_CODE= PER.RESULT_CODE=
PANA_PPAC_CAPABILITY_ PANA_PPAC_CAPABILITY_
UNSUPPORTED UNSUPPORTED
Tx:PER(); Tx:PER();
RtxTimerStart(); RtxTimerStart();
EAP_SUCCESS && if (key_available()) WAIT_PEA EAP_SUCCESS && if (key_available()) WAIT_PEA
(PBR.exist_avp PER.insert_avp("MAC"); (PBR.exist_avp PER.insert_avp("AUTH");
("Protection- PER.RESULT_CODE= ("Protection- PER.RESULT_CODE=
Capability") && PANA_PROTECTION_ Capability") && PANA_PROTECTION_
!pcap_supported()) CAPABILITY_UNSUPPORTED !pcap_supported()) CAPABILITY_UNSUPPORTED
Tx:PER(); Tx:PER();
RtxTimerStart(); RtxTimerStart();
EAP_FAILURE && if (key_available()) OPEN EAP_FAILURE && if (key_available()) OPEN
(SEPARATE==Set) && PBA.insert_avp("MAC"); (SEPARATE==Set) && PBA.insert_avp("AUTH");
ppac_available() && if (CARRY_DEVICE_ID) ppac_available() && if (CARRY_DEVICE_ID)
(!PBR.exist_avp PBA.insert_avp (!PBR.exist_avp PBA.insert_avp
("Protection- ("Device-Id"); ("Protection- ("Device-Id");
Capability") || PBA.insert_avp("PPAC"); Capability") || PBA.insert_avp("PPAC");
(PBR.exist_avp Tx:PBA(); (PBR.exist_avp Tx:PBA();
("Protection- Authorize(); ("Protection- Authorize();
Capability") && SessionTimerStart(); Capability") && SessionTimerStart();
pcap_supported())) pcap_supported()))
EAP_FAILURE && if (key_available()) WAIT_PEA EAP_FAILURE && if (key_available()) WAIT_PEA
(SEPARATE==Set) && PER.insert_avp("MAC"); (SEPARATE==Set) && PER.insert_avp("AUTH");
!ppac_available() PER.RESULT_CODE= !ppac_available() PER.RESULT_CODE=
PANA_PPAC_CAPABILITY_ PANA_PPAC_CAPABILITY_
UNSUPPORTED UNSUPPORTED
Tx:PER(); Tx:PER();
RtxTimerStart(); RtxTimerStart();
EAP_FAILURE && if (key_available()) WAIT_PEA EAP_FAILURE && if (key_available()) WAIT_PEA
(SEPARATE==Set) && PER.insert_avp("MAC"); (SEPARATE==Set) && PER.insert_avp("AUTH");
(PBR.exist_avp PER.RESULT_CODE= (PBR.exist_avp PER.RESULT_CODE=
("Protection- PANA_PROTECTION_ ("Protection- PANA_PROTECTION_
Capability") && CAPABILITY_UNSUPPORTED Capability") && CAPABILITY_UNSUPPORTED
!pcap_supported()) Tx:PER(); !pcap_supported()) Tx:PER();
RtxTimerStart(); RtxTimerStart();
EAP_INVALID_MSG None(); WAIT_PAA EAP_INVALID_MSG None(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------------------- ----------------------------
State: WAIT_EAP_RESULT_CLOSE State: WAIT_EAP_RESULT_CLOSE
---------------------------- ----------------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - -
EAP_SUCCESS && PBA.insert_avp("MAC"); CLOSED EAP_SUCCESS && PBA.insert_avp("AUTH"); CLOSED
PBR.exist_avp PBA.insert_avp("Key-Id"); PBR.exist_avp PBA.insert_avp("Key-Id");
("Key-Id") Tx:PBA(); ("Key-Id") Tx:PBA();
Disconnect(); Disconnect();
EAP_SUCCESS && if (key_available()) CLOSED EAP_SUCCESS && if (key_available()) CLOSED
!PBR.exist_avp PBA.insert_avp("MAC"); !PBR.exist_avp PBA.insert_avp("AUTH");
("Key-Id") Tx:PBA(); ("Key-Id") Tx:PBA();
Disconnect(); Disconnect();
EAP_FAILURE Tx:PBA(); CLOSED EAP_FAILURE Tx:PBA(); CLOSED
Disconnect(); Disconnect();
EAP_INVALID_MSG None(); WAIT_PAA EAP_INVALID_MSG None(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------- --------------------------
State: WAIT_1ST_EAP_RESULT State: WAIT_1ST_EAP_RESULT
-------------------------- --------------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - - - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - -
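Review bot: The EAP_FAILURE row of WAIT_EAP_RESULT_CLOSE is the one PBA-sending row in this hunk that never inserts the renamed AUTH AVP: its action is only Tx:PBA(); Disconnect();, while the EAP_FAILURE rows of WAIT_EAP_RESULT use if (key_available()) PBA.insert_avp("AUTH");. The WAIT_PAA table sends 1ST_EAP==Success sessions into this state, so if a key can exist at that point, add the same conditional insert; if it cannot, a one-line remark saying so would help.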
skipping to change at page 27, line 17 skipping to change at page 29, line 7
-------------------------- --------------------------
State: WAIT_1ST_EAP_RESULT State: WAIT_1ST_EAP_RESULT
-------------------------- --------------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - - - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - -
EAP_SUCCESS && PFEA.insert_avp("Key-Id"); WAIT_PAA EAP_SUCCESS && PFEA.insert_avp("Key-Id"); WAIT_PAA
PFER.exist_avp PFEA.S_flag=1; PFER.exist_avp PFEA.S_flag=1;
("Key-Id") PFEA.N_flag=PFER.N_flag; ("Key-Id") PFEA.N_flag=PFER.N_flag;
PFEA.insert_avp("MAC"); PFEA.insert_avp("AUTH");
Tx:PFEA(); Tx:PFEA();
EAP_Restart(); EAP_Restart();
(EAP_SUCCESS && if (key_available()) WAIT_PAA (EAP_SUCCESS && if (key_available()) WAIT_PAA
!PFER.exist_avp PFEA.insert_avp("MAC"); !PFER.exist_avp PFEA.insert_avp("AUTH");
("Key-Id")) || PFEA.S_flag=1; ("Key-Id")) || PFEA.S_flag=1;
EAP_FAILURE PFEA.N_flag=PFER.N_flag; EAP_FAILURE PFEA.N_flag=PFER.N_flag;
Tx:PFEA(); Tx:PFEA();
EAP_Restart(); EAP_Restart();
EAP_INVALID_MSG EAP_Restart(); WAIT_PAA EAP_INVALID_MSG EAP_Restart(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------------- --------------------------------
State: WAIT_1ST_EAP_RESULT_CLOSE State: WAIT_1ST_EAP_RESULT_CLOSE
-------------------------------- --------------------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - - - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - -
EAP_SUCCESS && PFEA.insert_avp("Key-Id"); CLOSED EAP_SUCCESS && PFEA.insert_avp("Key-Id"); CLOSED
PFER.exist_avp PFEA.S_flag=0; PFER.exist_avp PFEA.S_flag=0;
("Key-Id") PFEA.N_flag=0; ("Key-Id") PFEA.N_flag=0;
PFEA.insert_avp("MAC"); PFEA.insert_avp("AUTH");
Tx:PFEA(); Tx:PFEA();
Disconnect(); Disconnect();
(EAP_SUCCESS && if (key_available()) CLOSED (EAP_SUCCESS && if (key_available()) CLOSED
!PFER.exist_avp PFEA.insert_avp("MAC"); !PFER.exist_avp PFEA.insert_avp("AUTH");
("Key-Id")) || PFEA.S_flag=0; ("Key-Id")) || PFEA.S_flag=0;
EAP_FAILURE PFEA.N_flag=0; EAP_FAILURE PFEA.N_flag=0;
Tx:PFEA(); Tx:PFEA();
Disconnect(); Disconnect();
EAP_INVALID_MSG None(); WAIT_PAA EAP_INVALID_MSG None(); WAIT_PAA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
----------- -----------
State: OPEN State: OPEN
----------- -----------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - (liveness test initiated by PAA)- - - - - - - - - - - - - - - - (liveness test initiated by PAA)- - - - - -
skipping to change at page 28, line 15 skipping to change at page 30, line 5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
----------- -----------
State: OPEN State: OPEN
----------- -----------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - (liveness test initiated by PAA)- - - - - - - - - - - - - - - - (liveness test initiated by PAA)- - - - - -
Rx:PPR if (key_available()) OPEN Rx:PPR if (key_available()) OPEN
PPA.insert_avp("MAC"); PPA.insert_avp("AUTH");
Tx:PPA(); Tx:PPA();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - (liveness test initiated by PaC)- - - - - - - - - - - - - - - - (liveness test initiated by PaC)- - - - - -
PANA_PING if (key_available()) WAIT_PPA PANA_PING if (key_available()) WAIT_PPA
PPR.insert_avp("MAC"); PPR.insert_avp("AUTH");
Tx:PPR(); Tx:PPR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - (re-authentication initiated by PaC)- - - - - - - - - - - - - - - (re-authentication initiated by PaC)- - - - - -
REAUTH SEPARATE=Set|Unset; WAIT_PRAA REAUTH SEPARATE=Set|Unset; WAIT_PRAA
1ST_EAP=Unset; 1ST_EAP=Unset;
if (key_available()) if (key_available())
PRAR.insert_avp("MAC"); PRAR.insert_avp("AUTH");
Tx:PRAR(); Tx:PRAR();
RtxTimerStart(); RtxTimerStart();
SessionTimerStop(); SessionTimerStop();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - (re-authentication initiated by PAA)- - - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG
!eap_piggyback() 1ST_EAP=Unset; !eap_piggyback() 1ST_EAP=Unset;
EAP_RespTimerStart(); EAP_RespTimerStart();
TxEAP(); TxEAP();
if (key_available()) if (key_available())
PAN.insert_avp("MAC"); PAN.insert_avp("AUTH");
PAN.S_flag=PAR.S_flag; PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag; PAN.N_flag=PAR.N_flag;
Tx:PAN(); Tx:PAN();
SessionTimerStop(); SessionTimerStop();
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG
eap_piggyback() 1ST_EAP=Unset; eap_piggyback() 1ST_EAP=Unset;
EAP_RespTimerStart(); EAP_RespTimerStart();
TxEAP(); TxEAP();
SessionTimerStop(); SessionTimerStop();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(Session termination initiated by PAA) - - - - - - - - - - - - - -(Session termination initiated by PAA) - - - - - -
Rx:PTR if (key_available()) CLOSED Rx:PTR if (key_available()) CLOSED
PTA.insert_avp("MAC"); PTA.insert_avp("AUTH");
Tx:PTA(); Tx:PTA();
Disconnect(); Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(Session termination initiated by PaC) - - - - - - - - - - - - - -(Session termination initiated by PaC) - - - - - -
TERMINATE if (key_available()) SESS_TERM TERMINATE if (key_available()) SESS_TERM
PTR.insert_avp("MAC"); PTR.insert_avp("AUTH");
Tx:PTR(); Tx:PTR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - -(Address update) - - - - - - - - - - - - - - - - - - - - - - - - -(Address update) - - - - - - - - - - - -
NOTIFY if (key_available()) WAIT_PUA NOTIFY if (key_available()) WAIT_PUA
PUR.insert_avp("MAC"); PUR.insert_avp("AUTH");
Tx:PUR(); Tx:PUR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - -(Notification update)- - - - - - - - - - - - - - - - - - - - - -(Notification update)- - - - - - - - - - -
Rx:PUR if (key_available()) OPEN Rx:PUR if (key_available()) OPEN
PUA.insert_avp("MAC"); PUA.insert_avp("AUTH");
Tx:PUA(); Tx:PUA();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------- ----------------
State: WAIT_PRAA State: WAIT_PRAA
---------------- ----------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - -(re-authentication initiated by PaC) - - - - - - - - - - - - - -(re-authentication initiated by PaC) - - - - -
skipping to change at page 31, line 18 skipping to change at page 33, line 18
The interface between a PAA and an EAP authenticator provides a The interface between a PAA and an EAP authenticator provides a
mechanism to deliver EAP messages for the EAP authenticator as well mechanism to deliver EAP messages for the EAP authenticator as well
as a mechanism to notify the EAP authenticator of PAA events and to as a mechanism to notify the EAP authenticator of PAA events and to
receive notification of EAP authenticator events. These message receive notification of EAP authenticator events. These message
delivery and event notification mechanisms occur only within context delivery and event notification mechanisms occur only within context
of their associated states or exit actions. of their associated states or exit actions.
7.1.1. EAP Restart Notification from PAA to EAP Authenticator 7.1.1. EAP Restart Notification from PAA to EAP Authenticator
An EAP authenticator state machine defined in [I-D.ietf-eap- An EAP authenticator state machine defined in [RFC4137] has an
statemachine] has an initialization procedure before sending the initialization procedure before sending the first EAP request. To
first EAP request. To initialize the EAP state machine, the PAA initialize the EAP state machine, the PAA state machine defines an
state machine defines an event notification mechanism to send an EAP event notification mechanism to send an EAP (re)start event to the
(re)start event to the EAP peer. The event notification is done via EAP peer. The event notification is done via EAP_Restart() procedure
EAP_Restart() procedure in the initialization action of the PAA state in the initialization action of the PAA state machine.
machine.
7.1.2. Delivering EAP Responses from PAA to EAP Authenticator 7.1.2. Delivering EAP Responses from PAA to EAP Authenticator
TxEAP() procedure in the PAA state machine serves as the mechanism to TxEAP() procedure in the PAA state machine serves as the mechanism to
deliver EAP-Responses contained in PANA-Auth-Answer messages to the deliver EAP-Responses contained in PANA-Auth-Answer messages to the
EAP authenticator. This procedure is enabled only after an EAP EAP authenticator. This procedure is enabled only after an EAP
restart event is notified to the EAP authenticator and before any restart event is notified to the EAP authenticator and before any
event resulting in a termination of the EAP authenticator session. event resulting in a termination of the EAP authenticator session.
In the case where the EAP authenticator follows the EAP authenticator In the case where the EAP authenticator follows the EAP authenticator
state machines defined in [I-D.ietf-eap-statemachine], TxEAP() state machines defined in [RFC4137], TxEAP() procedure sets eapResp
procedure sets eapResp variable of the EAP authenticator state variable of the EAP authenticator state machine and puts the EAP
machine and puts the EAP response in eapRespData variable of the EAP response in eapRespData variable of the EAP authenticator state
authenticator state machine. machine.
7.1.3. Delivering EAP Messages from EAP Authenticator to PAA 7.1.3. Delivering EAP Messages from EAP Authenticator to PAA
An EAP request is delivered from the EAP authenticator to the PAA via An EAP request is delivered from the EAP authenticator to the PAA via
EAP_REQUEST event variable. The event variable is set when the EAP EAP_REQUEST event variable. The event variable is set when the EAP
authenticator passes the EAP request to its lower-layer. In the case authenticator passes the EAP request to its lower-layer. In the case
where the EAP authenticator follows the EAP authenticator state where the EAP authenticator follows the EAP authenticator state
machines defined in [I-D.ietf-eap-statemachine], EAP_REQUEST event machines defined in [RFC4137], EAP_REQUEST event variable refers to
variable refers to eapReq variable of the EAP authenticator state eapReq variable of the EAP authenticator state machine and the EAP
machine and the EAP request is contained in eapReqData variable of request is contained in eapReqData variable of the EAP authenticator
the EAP authenticator state machine. state machine.
7.1.4. EAP Authentication Result Notification from EAP Authenticator to 7.1.4. EAP Authentication Result Notification from EAP Authenticator to
PAA PAA
In order for the EAP authenticator to notify the PAA of the EAP In order for the EAP authenticator to notify the PAA of the EAP
authentication result, EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event authentication result, EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event
variables are defined. In the case where the EAP authenticator variables are defined. In the case where the EAP authenticator
follows the EAP authenticator state machines defined in [I-D.ietf- follows the EAP authenticator state machines defined in [RFC4137],
eap-statemachine], EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables refer to
variables refer to eapSuccess, eapFail and eapTimeout variables of eapSuccess, eapFail and eapTimeout variables of the EAP authenticator
the EAP authenticator state machine, respectively. In this case, if state machine, respectively. In this case, if EAP_SUCCESS event
EAP_SUCCESS event variable is set to TRUE, an EAP-Success message is variable is set to TRUE, an EAP-Success message is contained in
contained in eapReqData variable of the EAP authenticator state eapReqData variable of the EAP authenticator state machine, and
machine, and additionally, eapKeyAvailable variable is set to TRUE additionally, eapKeyAvailable variable is set to TRUE and eapKeyData
and eapKeyData variable contains a AAA-Key if the AAA-Key is variable contains a AAA-Key if the AAA-Key is generated as a result
generated as a result of successful authentication by the EAP of successful authentication by the EAP authentication method in use.
authentication method in use. Similarly, if EAP_FAILURE event Similarly, if EAP_FAILURE event variable is set to TRUE, an EAP-
variable is set to TRUE, an EAP-Failure message is contained in Failure message is contained in eapReqData variable of the EAP
eapReqData variable of the EAP authenticator state machine. The PAA authenticator state machine. The PAA uses EAP_SUCCESS, EAP_FAILURE
uses EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables as a and EAP_TIMEOUT event variables as a trigger to send a PBR or a PFER
trigger to send a PBR or a PFER message to the PaC. message to the PaC.
7.2. Variables 7.2. Variables
USE_COOKIE USE_COOKIE
This variable indicates whether the PAA uses Cookie. This variable indicates whether the PAA uses Cookie.
EAP_PIGGYBACK EAP_PIGGYBACK
This variable indicates whether the PAA is able to piggyback an This variable indicates whether the PAA is able to piggyback an
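Review bot: In 7.1.1 the (re)start event is described as being sent "to the EAP peer", while the section title and 7.1.2 through 7.1.4 all describe the PAA talking to the EAP authenticator. The paragraph was re-flowed for the [RFC4137] reference and carries the same wording in both columns. Suggest "to send an EAP (re)start event to the EAP authenticator". In 7.1.4, "a AAA-Key" should read "an AAA-Key", and the paragraph would benefit from one sentence on the case where EAP_SUCCESS is TRUE but eapKeyAvailable is not, since the state tables make the AUTH AVP conditional on key_available().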
skipping to change at page 33, line 12 skipping to change at page 35, line 12
CARRY_LIFETIME CARRY_LIFETIME
This variable indicates whether a Session-Lifetime AVP is carried This variable indicates whether a Session-Lifetime AVP is carried
in PANA-Bind-Request message. in PANA-Bind-Request message.
PROTECTION_CAP_IN_PSR PROTECTION_CAP_IN_PSR
This variable indicates whether a Protection-Capability AVP is This variable indicates whether a Protection-Capability AVP is
carried in a PANA-Start-Request message. carried in a PANA-Start-Request message.
AUTH_ALGORITHM_IN_PSR
This variable indicates whether a Algorithm AVP is carried in a
PANA-Start-Request message.
PROTECTION_CAP_IN_PBR PROTECTION_CAP_IN_PBR
This variable indicates whether a Protection-Capability AVP is This variable indicates whether a Protection-Capability AVP is
carried in a PANA-Bind-Request message. carried in a PANA-Bind-Request message.
CARRY_NAP_INFO CARRY_NAP_INFO
This variable indicates whether a NAP-Information AVP is carried This variable indicates whether a NAP-Information AVP is carried
in PANA-Start-Request message. in PANA-Start-Request message.
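Review bot: The new AUTH_ALGORITHM_IN_PSR entry says "whether a Algorithm AVP", which should be "an Algorithm AVP". More substantively, Protection-Capability has a variable for each message that can carry it (PROTECTION_CAP_IN_PSR and PROTECTION_CAP_IN_PBR), but Algorithm only gets the PSR variable even though the revised tables also insert "Algorithm" into PBR and PFER. Please state here whether the PBR/PFER insertion is meant to be tied to Key-Id rather than configurable, so the asymmetry reads as a decision and not an omission.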
skipping to change at page 34, line 28 skipping to change at page 36, line 31
This event variable is set to TRUE when EAP conversation times out This event variable is set to TRUE when EAP conversation times out
without generating an EAP-Success or an EAP-Failure message. This without generating an EAP-Success or an EAP-Failure message. This
event does not accompany any EAP message. event does not accompany any EAP message.
7.3. Procedures 7.3. Procedures
boolean new_key_available() boolean new_key_available()
A procedure to check whether the PANA session has a new A procedure to check whether the PANA session has a new
PANA_MAC_KEY. If the state machine already have a PANA_MAC_KEY, PANA_AUTH_KEY. If the state machine already have a PANA_AUTH_KEY,
it returns FALSE. If the state machine does not have a it returns FALSE. If the state machine does not have a
PANA_MAC_KEY, it tries to retrieve a AAA-Key from the EAP entity. PANA_AUTH_KEY, it tries to retrieve a AAA-Key from the EAP entity.
If a AAA-Key has been retrieved, it computes a PANA_MAC_KEY from If a AAA-Key has been retrieved, it computes a PANA_AUTH_KEY from
the AAA-Key and returns TRUE. Otherwise, it returns FALSE. the AAA-Key and returns TRUE. Otherwise, it returns FALSE.
boolean new_source_address() boolean new_source_address()
A procedure to check the PaC's source IP address from the current A procedure to check the PaC's source IP address from the current
PUR message. If the source IP address of the message is different PUR message. If the source IP address of the message is different
from the last known IP address stored in the PANA session, this from the last known IP address stored in the PANA session, this
procedure returns TRUE. Otherwise, it returns FALSE. procedure returns TRUE. Otherwise, it returns FALSE.
void update_popa() void update_popa()
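Review bot: new_key_available() is declared as a boolean check but, per this text, it also retrieves the AAA-Key and computes PANA_AUTH_KEY, so the state tables depend on a side effect of a predicate. Suggest either saying so explicitly in the first sentence or splitting the derivation into its own procedure. The rule "If the state machine already have a PANA_AUTH_KEY, it returns FALSE" (also: "already has") does not say what happens on re-authentication from OPEN, where a key from the previous authentication is still held; please spell out whether the old key is discarded before this procedure runs.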
skipping to change at page 36, line 4 skipping to change at page 38, line 10
PSR.insert_avp PSR.insert_avp
("ISP-Information"); ("ISP-Information");
if (CARRY_PPAC==Set) if (CARRY_PPAC==Set)
PSR.insert_avp PSR.insert_avp
("Post-PANA-Address- ("Post-PANA-Address-
Configuration"); Configuration");
if (PROTECTION_CAP_IN_PSR if (PROTECTION_CAP_IN_PSR
==Set) ==Set)
PSR.insert_avp PSR.insert_avp
("Protection-Cap."); ("Protection-Cap.");
if (AUTH_ALGORITHM_IN_PSR
==Set)
PSR.insert_avp
("Algorithm");
Tx:PSR(); Tx:PSR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - (Stateless discovery) - - - - - - - - - - - - - - - - - - - - - (Stateless discovery) - - - - - - - -
(Rx:PDI || if (SEPARATE==Set) OFFLINE (Rx:PDI || if (SEPARATE==Set) OFFLINE
PAC_FOUND) && PSR.S_flag=1; PAC_FOUND) && PSR.S_flag=1;
USE_COOKIE==Set PSR.insert_avp USE_COOKIE==Set PSR.insert_avp
("Cookie"); ("Cookie");
if (CARRY_NAP_INFO==Set) if (CARRY_NAP_INFO==Set)
PSR.insert_avp PSR.insert_avp
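Review bot: The added `if (AUTH_ALGORITHM_IN_PSR==Set) PSR.insert_avp("Algorithm");` puts the algorithm choice into a PSR for which the visible part of this action inserts no AUTH AVP before Tx:PSR(), so the value is offered without integrity protection at this step. The draft should say how this value relates to the "Algorithm" AVP that the later PBR and PFER rows carry next to Key-Id, and which one governs if they differ. The stateless-discovery row that follows is cut off in this view; please confirm it received the same addition.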
skipping to change at page 37, line 35 skipping to change at page 39, line 45
("EAP-Payload")) ("EAP-Payload"))
TxEAP(); TxEAP();
else { else {
if (SEPARATE==Set) if (SEPARATE==Set)
NAP_AUTH=Set|Unset; NAP_AUTH=Set|Unset;
EAP_Restart(); EAP_Restart();
} }
RtxTimerStop(); RtxTimerStop();
EAP_TIMEOUT if (key_available()) WAIT_PEA EAP_TIMEOUT if (key_available()) WAIT_PEA
PER.insert_avp("MAC"); PER.insert_avp("AUTH");
Tx:PER(); Tx:PER();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
------------------- -------------------
State: WAIT_EAP_MSG State: WAIT_EAP_MSG
------------------- -------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - - - - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - -
EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR
PAR.insert_avp("MAC"); PAR.insert_avp("AUTH");
if (SEPARATE==Set) { if (SEPARATE==Set) {
PAR.S_flag=1; PAR.S_flag=1;
if (NAP_AUTH==Set) if (NAP_AUTH==Set)
PAR.N_flag=1; PAR.N_flag=1;
} }
Tx:PAR(); Tx:PAR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -(Receiving EAP-Success/Failure single EAP)- - - - - - - - - - -(Receiving EAP-Success/Failure single EAP)- - - -
EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA
1ST_EAP==Unset && ("EAP-Payload"); 1ST_EAP==Unset && ("EAP-Payload");
SEPARATE==Unset if (key_available()) SEPARATE==Unset if (key_available())
PBR.insert_avp("MAC"); PBR.insert_avp("AUTH");
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA
1ST_EAP==Unset && ("EAP-Payload"); 1ST_EAP==Unset && ("EAP-Payload");
SEPARATE==Unset && if (CARRY_DEVICE_ID==Set) SEPARATE==Unset && if (CARRY_DEVICE_ID==Set)
Authorize() PBR.insert_avp Authorize() PBR.insert_avp
("Device-Id"); ("Device-Id");
if (CARRY_LIFETIME==Set) if (CARRY_LIFETIME==Set)
PBR.insert_avp PBR.insert_avp
("Session-Lifetime"); ("Session-Lifetime");
if (PROTECTION_CAP_IN_PBR if (PROTECTION_CAP_IN_PBR
==Set) ==Set)
PBR.insert_avp PBR.insert_avp
("Protection-Cap."); ("Protection-Cap.");
if (new_key_available()) if (new_key_available())
PBR.insert_avp PBR.insert_avp
("Key-Id"); ("Key-Id");
PBR.insert_avp
("Algorithm");
if (key_available()) if (key_available())
PBR.insert_avp("MAC"); PBR.insert_avp("AUTH");
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA
1ST_EAP==Unset && ("EAP-Payload"); 1ST_EAP==Unset && ("EAP-Payload");
SEPARATE==Unset && if (new_key_available()) SEPARATE==Unset && if (new_key_available())
!Authorize() PBR.insert_avp !Authorize() PBR.insert_avp
("Key-Id"); ("Key-Id");
PBR.insert_avp
("Algorithm");
if (key_available()) if (key_available())
PBR.insert_avp("MAC"); PBR.insert_avp("AUTH");
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_TIMEOUT && if (key_available()) WAIT_PEA EAP_TIMEOUT && if (key_available()) WAIT_PEA
1ST_EAP==Unset && PER.insert_avp("MAC"); 1ST_EAP==Unset && PER.insert_avp("AUTH");
SEPARATE==Unset Tx:PER(); SEPARATE==Unset Tx:PER();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -(Receiving EAP-Success/Failure for 1st EAP)- - - - - - - - - - -(Receiving EAP-Success/Failure for 1st EAP)- - - -
EAP_FAILURE && 1ST_EAP=Failure WAIT_PFEA EAP_FAILURE && 1ST_EAP=Failure WAIT_PFEA
1ST_EAP==Unset && PFER.insert_avp 1ST_EAP==Unset && PFER.insert_avp
SEPARATE==Set && ("EAP-Payload"); SEPARATE==Set && ("EAP-Payload");
ABORT_ON_1ST_EAP_FAILURE if (key_available()) ABORT_ON_1ST_EAP_FAILURE if (key_available())
==Unset PFER.insert_avp("MAC"); ==Unset PFER.insert_avp("AUTH");
PFER.S_flag=1; PFER.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PFER.N_flag=1; PFER.N_flag=1;
Tx:PFER(); Tx:PFER();
RtxTimerStart(); RtxTimerStart();
EAP_FAILURE && 1ST_EAP=Failure WAIT_FAIL_PFEA EAP_FAILURE && 1ST_EAP=Failure WAIT_FAIL_PFEA
1ST_EAP==Unset && PFER.insert_avp 1ST_EAP==Unset && PFER.insert_avp
SEPARATE==Set && ("EAP-Payload"); SEPARATE==Set && ("EAP-Payload");
ABORT_ON_1ST_EAP_FAILURE if (key_available()) ABORT_ON_1ST_EAP_FAILURE if (key_available())
==Set PFER.insert_avp("MAC"); ==Set PFER.insert_avp("AUTH");
PFER.S_flag=0; PFER.S_flag=0;
Tx:PFER(); Tx:PFER();
RtxTimerStart(); RtxTimerStart();
EAP_SUCCESS && 1ST_EAP=Success WAIT_PFEA EAP_SUCCESS && 1ST_EAP=Success WAIT_PFEA
1ST_EAP==Unset && PFER.insert_avp 1ST_EAP==Unset && PFER.insert_avp
SEPARATE==Set ("EAP-Payload"); SEPARATE==Set ("EAP-Payload");
if (new_key_available()) if (new_key_available())
PFER.insert_avp PFER.insert_avp
("Key-Id"); ("Key-Id");
PFER.insert_avp
("Algorithm");
if (key_available()) if (key_available())
PFER.insert_avp("MAC"); PFER.insert_avp("AUTH");
PFER.S_flag=1; PFER.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PFER.N_flag=1; PFER.N_flag=1;
Tx:PFER(); Tx:PFER();
RtxTimerStart(); RtxTimerStart();
EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA
1ST_EAP==Unset && if (key_available()) 1ST_EAP==Unset && if (key_available())
SEPARATE==Set && PFER.insert_avp("MAC"); SEPARATE==Set && PFER.insert_avp("AUTH");
ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1; ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1;
==Unset if (NAP_AUTH) ==Unset if (NAP_AUTH)
PFER.N_flag=1; PFER.N_flag=1;
Tx:PFER(); Tx:PFER();
RtxTimerStart(); RtxTimerStart();
EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA
1ST_EAP==Unset && if (key_available()) 1ST_EAP==Unset && if (key_available())
SEPARATE==Set && PFER.insert_avp("MAC"); SEPARATE==Set && PFER.insert_avp("AUTH");
ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset; ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset;
==Set PFER.S_flag=0; ==Set PFER.S_flag=0;
Tx:PFER(); Tx:PFER();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - -(Receiving EAP-Success/Failure for 2nd EAP)- - - - - - - - - - -(Receiving EAP-Success/Failure for 2nd EAP)- - - -
EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA
1ST_EAP==Failure && ("EAP-Payload"); 1ST_EAP==Failure && ("EAP-Payload");
SEPARATE==Set if (key_available()) SEPARATE==Set if (key_available())
PBR.insert_avp("MAC"); PBR.insert_avp("AUTH");
PBR.S_flag=1; PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_FAILURE && PBR.insert_avp WAIT_SUCC_PBA EAP_FAILURE && PBR.insert_avp WAIT_SUCC_PBA
1ST_EAP==Success && ("EAP-Payload"); 1ST_EAP==Success && ("EAP-Payload");
SEPARATE==Set && if (CARRY_DEVICE_ID==Set) SEPARATE==Set && if (CARRY_DEVICE_ID==Set)
Authorize() PBR.insert_avp Authorize() PBR.insert_avp
("Device-Id"); ("Device-Id");
if (CARRY_LIFETIME==Set) if (CARRY_LIFETIME==Set)
PBR.insert_avp PBR.insert_avp
("Session-Lifetime"); ("Session-Lifetime");
if (PROTECTION_CAP_IN_PBR if (PROTECTION_CAP_IN_PBR
==Set) ==Set)
PBR.insert_avp PBR.insert_avp
("Protection-Cap."); ("Protection-Cap.");
if (key_available()) if (key_available())
PBR.insert_avp("MAC"); PBR.insert_avp("AUTH");
PBR.S_flag=1; PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA
1ST_EAP==Success && ("EAP-Payload"); 1ST_EAP==Success && ("EAP-Payload");
SEPARATE==Set && if (key_available()) SEPARATE==Set && if (key_available())
!Authorize() PBR.insert_avp("MAC"); !Authorize() PBR.insert_avp("AUTH");
PBR.S_flag=1; PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA
1ST_EAP==Success && ("EAP-Payload"); 1ST_EAP==Success && ("EAP-Payload");
SEPARATE==Set && if (CARRY_DEVICE_ID==Set) SEPARATE==Set && if (CARRY_DEVICE_ID==Set)
Authorize() PBR.insert_avp Authorize() PBR.insert_avp
("Device-Id"); ("Device-Id");
if (CARRY_LIFETIME==Set) if (CARRY_LIFETIME==Set)
PBR.insert_avp PBR.insert_avp
("Session-Lifetime"); ("Session-Lifetime");
if (PROTECTION_CAP_IN_PBR if (PROTECTION_CAP_IN_PBR
==Set) ==Set)
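Review bot: In the EAP_SUCCESS rows, the new `PBR.insert_avp("Algorithm");` and `PFER.insert_avp("Algorithm");` lines follow the Key-Id insert under a braceless `if (new_key_available())`. Elsewhere in the same tables a multi-statement body is braced, as in `if (SEPARATE==Set) { PAR.S_flag=1; ... }`, so read by that convention the Algorithm insert is unconditional and would be sent even when no new key exists. If Algorithm is meant to accompany Key-Id only, wrap both inserts in braces; if it is meant to be unconditional, move it out from under the `if` so the intent is unambiguous. Minor: the rows test `NAP_AUTH==Set` in some places and bare `NAP_AUTH` in others; pick one form.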
skipping to change at page 41, line 19 skipping to change at page 43, line 35
if (CARRY_LIFETIME==Set) if (CARRY_LIFETIME==Set)
PBR.insert_avp PBR.insert_avp
("Session-Lifetime"); ("Session-Lifetime");
if (PROTECTION_CAP_IN_PBR if (PROTECTION_CAP_IN_PBR
==Set) ==Set)
PBR.insert_avp PBR.insert_avp
("Protection-Cap."); ("Protection-Cap.");
if (new_key_available()) if (new_key_available())
PBR.insert_avp PBR.insert_avp
("Key-Id"); ("Key-Id");
PBR.insert_avp
("Algorithm");
if (key_available()) if (key_available())
PBR.insert_avp("MAC"); PBR.insert_avp("AUTH");
PBR.S_flag=1; PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA
1ST_EAP==Success && ("EAP-Payload"); 1ST_EAP==Success && ("EAP-Payload");
SEPARATE==Set && if (new_key_available()) SEPARATE==Set && if (new_key_available())
!Authorize() PBR.insert_avp !Authorize() PBR.insert_avp
("Key-Id"); ("Key-Id");
PBR.insert_avp
("Algorithm");
if (key_available()) if (key_available())
PBR.insert_avp("MAC"); PBR.insert_avp("AUTH");
PBR.S_flag=1; PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA
1ST_EAP==Failure && ("EAP-Payload"); 1ST_EAP==Failure && ("EAP-Payload");
SEPARATE==Set && if (CARRY_DEVICE_ID==Set) SEPARATE==Set && if (CARRY_DEVICE_ID==Set)
Authorize() PBR.insert_avp Authorize() PBR.insert_avp
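Review bot: In these EAP_SUCCESS rows the `if (key_available()) PBR.insert_avp("AUTH");` test runs after `if (new_key_available())`, and section 7.3 says new_key_available() is the call that computes PANA_AUTH_KEY, so whether the PBR ends up protected depends on that evaluation order. If key_available() tests for that same key, please state the ordering requirement in the procedure text, so that an implementation which reorders the inserts cannot emit Key-Id and Algorithm in a PBR that lacks the AUTH AVP. This applies equally to the `!Authorize()` row, which leads to WAIT_FAIL_PBA.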
skipping to change at page 42, line 7 skipping to change at page 44, line 27
if (CARRY_LIFETIME==Set) if (CARRY_LIFETIME==Set)
PBR.insert_avp PBR.insert_avp
("Session-Lifetime"); ("Session-Lifetime");
if (PROTECTION_CAP_IN_PBR if (PROTECTION_CAP_IN_PBR
==Set) ==Set)
PBR.insert_avp PBR.insert_avp
("Protection-Cap."); ("Protection-Cap.");
if (new_key_available()) if (new_key_available())
PBR.insert_avp PBR.insert_avp
("Key-Id"); ("Key-Id");
PBR.insert_avp
("Algorithm");
if (key_available()) if (key_available())
PBR.insert_avp("MAC"); PBR.insert_avp("AUTH");
PBR.S_flag=1; PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA
1ST_EAP==Failure && ("EAP-Payload"); 1ST_EAP==Failure && ("EAP-Payload");
SEPARATE==Set && if (new_key_available()) SEPARATE==Set && if (new_key_available())
!Authorize() PBR.insert_avp !Authorize() PBR.insert_avp
("Key-Id"); ("Key-Id");
PBR.insert_avp
("Algorithm");
if (key_available()) if (key_available())
PBR.insert_avp("MAC"); PBR.insert_avp("AUTH");
PBR.S_flag=1; PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA
1ST_EAP==Failure && PBR.insert_avp("MAC"); 1ST_EAP==Failure && PBR.insert_avp("AUTH");
SEPARATE==Set PBR.S_flag=1; SEPARATE==Set PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA
1ST_EAP==Success && PBR.insert_avp 1ST_EAP==Success && PBR.insert_avp
SEPARATE==Set && ("Device-Id"); SEPARATE==Set && ("Device-Id");
Authorize() if (CARRY_LIFETIME==Set) Authorize() if (CARRY_LIFETIME==Set)
PBR.insert_avp PBR.insert_avp
("Session-Lifetime"); ("Session-Lifetime");
if (PROTECTION_CAP_IN_PBR if (PROTECTION_CAP_IN_PBR
==Set) ==Set)
PBR.insert_avp PBR.insert_avp
("Protection-Cap."); ("Protection-Cap.");
if (new_key_available()) if (new_key_available())
PBR.insert_avp PBR.insert_avp
("Key-Id"); ("Key-Id");
PBR.insert_avp
("Algorithm");
if (key_available()) if (key_available())
PBR.insert_avp("MAC"); PBR.insert_avp("AUTH");
PBR.S_flag=1; PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA
1ST_EAP==Success && PBR.insert_avp("MAC"); 1ST_EAP==Success && PBR.insert_avp("AUTH");
SEPARATE==Set && PBR.S_flag=1; SEPARATE==Set && PBR.S_flag=1;
!Authorize() if (NAP_AUTH) !Authorize() if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------- ----------------
State: WAIT_PFEA State: WAIT_PFEA
---------------- ----------------
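Review bot: The `EAP_TIMEOUT && 1ST_EAP==Success && SEPARATE==Set && Authorize()` row calls new_key_available() and inserts Key-Id plus the new Algorithm AVP, but the `EAP_FAILURE && 1ST_EAP==Success && SEPARATE==Set && Authorize()` row earlier in this state inserts neither. Section 7.2 says the timeout event "does not accompany any EAP message", and the first-EAP success row has already called new_key_available(), so it is unclear when this check could return TRUE on a second-EAP timeout. Please either align the timeout row with the failure row or add a sentence explaining why they differ.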
skipping to change at page 44, line 37 skipping to change at page 47, line 15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
----------- -----------
State: OPEN State: OPEN
----------- -----------
Event/Condition Action Exit State Event/Condition Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - (re-authentication initiated by PaC) - - - - - - - - - - - - - - (re-authentication initiated by PaC) - - - - - -
Rx:PRAR if (key_available()) WAIT_EAP_MSG Rx:PRAR if (key_available()) WAIT_EAP_MSG
PRAA.insert_avp("MAC"); PRAA.insert_avp("AUTH");
EAP_Restart(); EAP_Restart();
1ST_EAP=Unset; 1ST_EAP=Unset;
NAP_AUTH=Set|Unset; NAP_AUTH=Set|Unset;
Tx:PRAA(); Tx:PRAA();
SessionTimerStop(); SessionTimerStop();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (re-authentication initiated by PAA)- - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
REAUTH EAP_Restart(); WAIT_EAP_MSG REAUTH EAP_Restart(); WAIT_EAP_MSG
1ST_EAP=Unset; 1ST_EAP=Unset;
NAP_AUTH=Set|Unset; NAP_AUTH=Set|Unset;
SessionTimerStop(); SessionTimerStop();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - (liveness test based on PPR-PPA exchange initiated by PAA)- - - (liveness test based on PPR-PPA exchange initiated by PAA)-
PANA_PING Tx:PPR(); WAIT_PPA PANA_PING Tx:PPR(); WAIT_PPA
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - (liveness test based on PPR-PPA exchange initiated by PaC)- - - (liveness test based on PPR-PPA exchange initiated by PaC)-
Rx:PPR if (key_available()) OPEN Rx:PPR if (key_available()) OPEN
PPA.insert_avp("MAC"); PPA.insert_avp("AUTH");
Tx:PPA(); Tx:PPA();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (Session termination initated from PAA) - - - - - - - - - - - - (Session termination initated from PAA) - - - -
TERMINATE if (key_available()) SESS_TERM TERMINATE if (key_available()) SESS_TERM
PTR.insert_avp("MAC"); PTR.insert_avp("AUTH");
Tx:PTR(); Tx:PTR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (Session termination initated from PaC) - - - - - - - - - - - - (Session termination initated from PaC) - - - -
Rx:PTR if (key_available()) CLOSED Rx:PTR if (key_available()) CLOSED
PTA.insert_avp("MAC"); PTA.insert_avp("AUTH");
Tx:PTA(); Tx:PTA();
Disconnect(); Disconnect();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - -(Notification message) - - - - - - - - - - - - - - - - - - - - -(Notification message) - - - - - - - - - - -
NOTIFY if (key_available()) WAIT_PUA NOTIFY if (key_available()) WAIT_PUA
PUR.insert_avp("MAC"); PUR.insert_avp("AUTH");
Tx:PUR(); Tx:PUR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - -(Notification/Address update) - - - - - - - - - - - - - - - - -(Notification/Address update) - - - - - - - - -
Rx:PUR If (key_avaialble()) OPEN Rx:PUR If (key_avaialble()) OPEN
PUA.insert_avp("MAC"); PUA.insert_avp("AUTH");
Tx:PUA(); Tx:PUA();
if (new_source_address()) if (new_source_address())
update_popa(); update_popa();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------- ---------------
State: WAIT_PPA State: WAIT_PPA
--------------- ---------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
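Review bot: The Rx:PRAR, Rx:PPR, Rx:PTR and Rx:PUR rows make the AUTH AVP on the reply conditional on key_available(), but nothing in the event column shows that the received message was itself checked for a valid AUTH AVP before the action runs, and two of these actions change session state (`Disconnect();` on Rx:PTR, `update_popa();` on Rx:PUR). If validation is implied by the Rx: notation as defined elsewhere in the draft, a cross-reference in this table would make that explicit. Also, the Rx:PUR row still reads `If (key_avaialble())` in both columns; since the next line was edited for the AUTH rename, fix it to `if (key_available())` in the same pass, along with "initated" in the two session-termination separators.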
skipping to change at page 46, line 4 skipping to change at page 48, line 28
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - -(PPA processing) - - - - - - - - - - - - - - - - - - - - - - - -(PPA processing) - - - - - - - - - -
Rx:PPA RtxTimerStop(); OPEN Rx:PPA RtxTimerStop(); OPEN
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
---------------------- ----------------------
State: WAIT_PAN_OR_PAR State: WAIT_PAN_OR_PAR
---------------------- ----------------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - (Pass EAP Response to the EAP authenticator)- - - - - - - - - - (Pass EAP Response to the EAP authenticator)- - - -
Rx:PAN && TxEAP(); WAIT_EAP_MSG Rx:PAN && TxEAP(); WAIT_EAP_MSG
PAN.exist_avp PAN.exist_avp
("EAP-Payload") ("EAP-Payload")
Rx:PAR TxEAP(); WAIT_EAP_MSG Rx:PAR TxEAP(); WAIT_EAP_MSG
if (key_available()) if (key_available())
PAN.insert_avp("MAC"); PAN.insert_avp("AUTH");
if (SEPARATE==Set) { if (SEPARATE==Set) {
PAN.S_flag=1; PAN.S_flag=1;
if (NAP_AUTH==Set) if (NAP_AUTH==Set)
PAN.N_flag=1; PAN.N_flag=1;
} }
RtxTimerStop(); RtxTimerStop();
Tx:PAN(); Tx:PAN();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - (PAN without an EAP response) - - - - - - - - - - - - - - - - - (PAN without an EAP response) - - - - - - -
Rx:PAN && RtxTimerStop(); WAIT_PAN_OR_PAR Rx:PAN && RtxTimerStop(); WAIT_PAN_OR_PAR
!PAN.exist_avp !PAN.exist_avp
("EAP-Payload") ("EAP-Payload")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - -(EAP retransmission) - - - - - - - - - - - - - - - - - - - - - -(EAP retransmission) - - - - - - - - - -
EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR
PAR.insert_avp("MAC"); PAR.insert_avp("AUTH");
if (SEPARATE==Set) { if (SEPARATE==Set) {
PAR.S_flag=1; PAR.S_flag=1;
if (NAP_AUTH==Set) if (NAP_AUTH==Set)
PAR.N_flag=1; PAR.N_flag=1;
} }
Tx:PAR(); Tx:PAR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - -(EAP authentication timeout)- - - - - - - - - - - - - - - - - -(EAP authentication timeout)- - - - - - - - -
EAP_TIMEOUT && if (key_available()) WAIT_PEA EAP_TIMEOUT && if (key_available()) WAIT_PEA
1ST_EAP==Unset && PER.insert_avp("MAC"); 1ST_EAP==Unset && PER.insert_avp("AUTH");
SEPARATE==Unset Tx:PER(); SEPARATE==Unset Tx:PER();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - -(EAP authentication timeout for 1st EAP)- - - - - - - - - - - -(EAP authentication timeout for 1st EAP)- - - - - -
EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA
1ST_EAP==Unset && if (key_available()) 1ST_EAP==Unset && if (key_available())
SEPARATE==Set && PFER.insert_avp("MAC"); SEPARATE==Set && PFER.insert_avp("AUTH");
ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1; ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1;
==Unset if (NAP_AUTH) ==Unset if (NAP_AUTH)
PFER.N_flag=1; PFER.N_flag=1;
Tx:PFER(); Tx:PFER();
RtxTimerStart(); RtxTimerStart();
EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA
1ST_EAP==Unset && if (key_available()) 1ST_EAP==Unset && if (key_available())
SEPARATE==Set && PFER.insert_avp("MAC"); SEPARATE==Set && PFER.insert_avp("AUTH");
ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset; ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset;
==Set PFER.S_flag=0; ==Set PFER.S_flag=0;
Tx:PFER(); Tx:PFER();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - -(EAP authentication timeout for 2nd EAP)- - - - - - - - - - - -(EAP authentication timeout for 2nd EAP)- - - - - -
EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA
1ST_EAP==Failure && PBR.insert_avp("MAC"); 1ST_EAP==Failure && PBR.insert_avp("AUTH");
SEPARATE==Set PBR.S_flag=1; SEPARATE==Set PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA
1ST_EAP==Success && PBR.insert_avp 1ST_EAP==Success && PBR.insert_avp
SEPARATE==Set && ("Device-Id"); SEPARATE==Set && ("Device-Id");
Authorize() if (CARRY_LIFETIME==Set) Authorize() if (CARRY_LIFETIME==Set)
PBR.insert_avp PBR.insert_avp
("Session-Lifetime"); ("Session-Lifetime");
if (PROTECTION_CAP_IN_PBR if (PROTECTION_CAP_IN_PBR
==Set) ==Set)
PBR.insert_avp PBR.insert_avp
("Protection-Cap."); ("Protection-Cap.");
if (new_key_available()) if (new_key_available())
PBR.insert_avp PBR.insert_avp
("Key-Id"); ("Key-Id");
PBR.insert_avp
("Algorithm");
if (key_available()) if (key_available())
PBR.insert_avp("MAC"); PBR.insert_avp("AUTH");
PBR.S_flag=1; PBR.S_flag=1;
if (NAP_AUTH) if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA
1ST_EAP==Success && PBR.insert_avp("MAC"); 1ST_EAP==Success && PBR.insert_avp("AUTH");
SEPARATE==Set && PBR.S_flag=1; SEPARATE==Set && PBR.S_flag=1;
!Authorize() if (NAP_AUTH) !Authorize() if (NAP_AUTH)
PBR.N_flag=1; PBR.N_flag=1;
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--------------- ---------------
State: WAIT_PUA State: WAIT_PUA
--------------- ---------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
- - - - - - - - - - - - - (PUA processing)- - - - - - - - - - - - - - - - - - - - - - - - (PUA processing)- - - - - - - - - - -
Rx:PUA RtxTimerStop(); OPEN Rx:PUA RtxTimerStop(); OPEN
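Review bot: the new PBR.insert_avp("Algorithm") action in the WAIT_SUCC_PBA timeout transition sits directly after the Key-Id insert under "if (new_key_available())" with no braces, so whether Algorithm is conditional on a new key is carried by indentation alone. Make the scope explicit, either with braces around both inserts or by repeating the condition. This is also the only PBR transition in the visible tables that gains Algorithm. The mobility PBR (Rx:PSA with retrieve_pana_sa) inserts Key-Id without it, so a sentence stating whether that omission is intentional would help implementers.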
skipping to change at page 49, line 27 skipping to change at page 52, line 27
PaC changing its point of attachment during an active PANA session. PaC changing its point of attachment during an active PANA session.
Mobility optimization is achieved by avoiding a full EAP Mobility optimization is achieved by avoiding a full EAP
authentication sequence during this change. To support this, state authentication sequence during this change. To support this, state
transitions described in this section assume that the PaC state transitions described in this section assume that the PaC state
machine reverts to the OFFLINE state but maintains the session machine reverts to the OFFLINE state but maintains the session
information including security association from the previous active information including security association from the previous active
session. It is also assumed that the PAA state machine initializes session. It is also assumed that the PAA state machine initializes
to the OFFLINE state as normal but must also have access to session to the OFFLINE state as normal but must also have access to session
information and security association from the previous active information and security association from the previous active
session. A method of how a PAA session context is transferred can be session. A method of how a PAA session context is transferred can be
found in [I-D.bournelle-pana-ctp]. found in [I-D.ietf-pana-cxtp].
The variables, procedures and state transition described in this The variables, procedures and state transition described in this
section is designed to be seamlessly integrated into the appropriate section is designed to be seamlessly integrated into the appropriate
base protocol state machines. They should be treated as a mobility base protocol state machines. They should be treated as a mobility
optimization addendum to the base protocol state machine. In this optimization addendum to the base protocol state machine. In this
addendum, no additional states has been defined but some addendum, no additional states has been defined but some
modifications to the base protocol state machine is required. The modifications to the base protocol state machine is required. The
modifications are to accomodate the mobility variables and procedures modifications are to accomodate the mobility variables and procedures
as they relate to existing state transition actions and events. as they relate to existing state transition actions and events.
These modifications to existing state transition are noted in state These modifications to existing state transition are noted in state
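Review bot: the second paragraph still carries agreement and spelling errors that this revision passed over while updating the citation in the paragraph above it: "state transition described in this section is designed", "no additional states has been defined", "some modifications ... is required" and "accomodate". Suggest "state transitions ... are designed", "no additional states have been defined", "some modifications ... are required" and "accommodate".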
skipping to change at page 51, line 5 skipping to change at page 54, line 5
- The following state transitions are intended to be added - - The following state transitions are intended to be added -
- to the OFFLINE state of the PaC base protocol state - - to the OFFLINE state of the PaC base protocol state -
- machine. - - machine. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PSR && RtxTimerStop(); WAIT_PAA Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp PSA.insert_avp !PSR.exist_avp PSA.insert_avp
("EAP-Payload") && ("Session-Id"); ("EAP-Payload") && ("Session-Id");
MOBILITY==Set && SEPARATE=Unset; MOBILITY==Set && SEPARATE=Unset;
resume_pana_sa() && PANA_SA_RESUMED=Set; resume_pana_sa() && PANA_SA_RESUMED=Set;
PSR.exist_avp PSA.insert_avp("Cookie"); PSR.exist_avp PSA.insert_avp("Cookie");
("Cookie") PSA.insert_avp("MAC"); ("Cookie") PSA.insert_avp("AUTH");
Tx:PSA(); Tx:PSA();
RtxTimerStart(); RtxTimerStart();
Rx:PSR && RtxTimerStop(); WAIT_PAA Rx:PSR && RtxTimerStop(); WAIT_PAA
!PSR.exist_avp PSA.insert_avp !PSR.exist_avp PSA.insert_avp
("EAP-Payload") && ("Session-Id"); ("EAP-Payload") && ("Session-Id");
MOBILITY==Set && PSA.insert_avp("MAC"); MOBILITY==Set && PSA.insert_avp("AUTH");
resume_pana_sa() && Tx:PSA(); resume_pana_sa() && Tx:PSA();
!PSR.exist_avp PANA_SA_RESUMED=Set; !PSR.exist_avp PANA_SA_RESUMED=Set;
("Cookie") ("Cookie")
--------------- ---------------
State: WAIT_PAA State: WAIT_PAA
--------------- ---------------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------ ------------------------+--------------------------+------------
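Review bot: the second Rx:PSR transition (the !PSR.exist_avp("Cookie") case) omits SEPARATE=Unset, which the Cookie case performs before resuming the SA, and nothing in the visible text explains why. If SEPARATE is meant to keep its prior value when there is no Cookie, say so in a note. Otherwise add SEPARATE=Unset so both resumption paths leave the same variable state. The two cases also set PANA_SA_RESUMED=Set on opposite sides of Tx:PSA(), and aligning the order would make the pair easier to compare. The missing RtxTimerStart() in the no-Cookie case deserves a one-line rationale as well.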
skipping to change at page 51, line 35 skipping to change at page 54, line 35
- existing base protocol state transitions. Original base - - existing base protocol state transitions. Original base -
- protocol state transitions can be referenced by the same - - protocol state transitions can be referenced by the same -
- exit conditions that exist in the WAIT_PAA state of the PaC - - exit conditions that exist in the WAIT_PAA state of the PaC -
- base protocol state machine. - - base protocol state machine. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG
!eap_piggyback() TxEAP(); !eap_piggyback() TxEAP();
PANA_SA_RESUMED=Unset; PANA_SA_RESUMED=Unset;
EAP_RespTimerStart(); EAP_RespTimerStart();
if (key_available()) if (key_available())
PAN.insert_avp("MAC"); PAN.insert_avp("AUTH");
PAN.S_flag=PAR.S_flag; PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag; PAN.N_flag=PAR.N_flag;
Tx:PAN(); Tx:PAN();
Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG
eap_piggyback() TxEAP(); eap_piggyback() TxEAP();
PANA_SA_RESUMED=Unset; PANA_SA_RESUMED=Unset;
EAP_RespTimerStart(); EAP_RespTimerStart();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
skipping to change at page 52, line 18 skipping to change at page 55, line 18
PANA_SUCCESS && PANA_SUCCESS &&
PANA_SA_RESUMED!=Set PANA_SA_RESUMED!=Set
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (PBR processing with mobility support)- - - - - - - - - - - - - (PBR processing with mobility support)- - - - -
- The following state transitions are intended to be added - - The following state transitions are intended to be added -
- to the WAIT_PAA state of the PaC base protocol state - - to the WAIT_PAA state of the PaC base protocol state -
- machine. - - machine. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PBR && PBA.insert_avp("Key-Id"); OPEN Rx:PBR && PBA.insert_avp("Key-Id"); OPEN
1ST_EAP==Unset && PBA.insert_avp("MAC"); 1ST_EAP==Unset && PBA.insert_avp("AUTH");
SEPARATE==Unset && if (PBR.exist_avp SEPARATE==Unset && if (PBR.exist_avp
PBR.RESULT_CODE== ("Device-Id")) PBR.RESULT_CODE== ("Device-Id"))
PANA_SUCCESS && PBA.insert("Device-Id"); PANA_SUCCESS && PBA.insert("Device-Id");
PANA_SA_RESUMED==Set && Tx:PBA(); PANA_SA_RESUMED==Set && Tx:PBA();
PBR.exist_avp Authorize(); PBR.exist_avp Authorize();
("Key-Id") && SessionTimerStart(); ("Key-Id") && SessionTimerStart();
PBR.exist_avp PBR.exist_avp
("MAC") ("AUTH")
----------- -----------
State: OPEN State: OPEN
----------- -----------
Exit Condition Exit Action Exit State Exit Condition Exit Action Exit State
------------------------+--------------------------+------------- ------------------------+--------------------------+-------------
- - - - - - - - - (re-authentication initiated by PaC)- - - - - - - - - - - - - - - (re-authentication initiated by PaC)- - - - - -
- The following state transitions are intended to replace - - The following state transitions are intended to replace -
- existing base protocol state transitions. Original base - - existing base protocol state transitions. Original base -
- protocol state transitions can be referenced by the same - - protocol state transitions can be referenced by the same -
- exit conditions that exist in the OPEN state of the PaC - - exit conditions that exist in the OPEN state of the PaC -
- base protocol state machine. - - base protocol state machine. -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
REAUTH SEPARATE=Set|Unset; WAIT_PRAA REAUTH SEPARATE=Set|Unset; WAIT_PRAA
1ST_EAP=Unset; 1ST_EAP=Unset;
PANA_SA_RESUMED=Unset; PANA_SA_RESUMED=Unset;
if (key_available()) if (key_available())
PRAR.insert_avp("MAC"); PRAR.insert_avp("AUTH");
Tx:PRAR(); Tx:PRAR();
RtxTimerStart(); RtxTimerStart();
SessionTimerStop(); SessionTimerStop();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - (re-authentication initiated by PAA)- - - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - -
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG
!eap_piggyback() 1ST_EAP=Unset; !eap_piggyback() 1ST_EAP=Unset;
PANA_SA_RESUMED=Unset; PANA_SA_RESUMED=Unset;
EAP_RespTimerStart(); EAP_RespTimerStart();
TxEAP(); TxEAP();
if (key_available()) if (key_available())
PAN.insert_avp("MAC"); PAN.insert_avp("AUTH");
PAN.S_flag=PAR.S_flag; PAN.S_flag=PAR.S_flag;
PAN.N_flag=PAR.N_flag; PAN.N_flag=PAR.N_flag;
Tx:PAN(); Tx:PAN();
SessionTimerStop(); SessionTimerStop();
Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG
eap_piggyback() 1ST_EAP=Unset; eap_piggyback() 1ST_EAP=Unset;
PANA_SA_RESUMED=Unset; PANA_SA_RESUMED=Unset;
EAP_RespTimerStart(); EAP_RespTimerStart();
TxEAP(); TxEAP();
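Review bot: in the Rx:PBR mobility transition the Device-Id action reads PBA.insert("Device-Id"), while every other AVP action in these tables uses insert_avp. This revision edited the neighbouring AUTH line but left the odd name in place. Change it to PBA.insert_avp("Device-Id") so that the procedure list needs only one definition. Separately, "SEPARATE=Set|Unset;" in the OPEN state re-authentication actions does not say what selects the value, and a short note on that would remove the ambiguity.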
skipping to change at page 54, line 30 skipping to change at page 57, line 30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG
(!PSA.exist_avp PSA.S_flag==0) (!PSA.exist_avp PSA.S_flag==0)
("Session-Id") || SEPARATE=Unset; ("Session-Id") || SEPARATE=Unset;
MOBILITY==Unset || if (SEPARATE==Set) MOBILITY==Unset || if (SEPARATE==Set)
(MOBILITY==Set && NAP_AUTH=Set|Unset; (MOBILITY==Set && NAP_AUTH=Set|Unset;
!retrieve_pana_sa EAP_Restart(); !retrieve_pana_sa EAP_Restart();
(PSA.SESSION_ID))) (PSA.SESSION_ID)))
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - (PSA processing with mobility support)- - - - - - - - - - - - - (PSA processing with mobility support)- - - - -
Rx:PSA && PBR.insert_avp("MAC"); WAIT_SUCC_PBA Rx:PSA && PBR.insert_avp("AUTH"); WAIT_SUCC_PBA
PSA.exist_avp PBR.insert_avp("Key-Id"); PSA.exist_avp PBR.insert_avp("Key-Id");
("Session-Id") && if (CARRY_DEVICE_ID==Set) ("Session-Id") && if (CARRY_DEVICE_ID==Set)
MOBILITY==Set && PBR.insert_avp MOBILITY==Set && PBR.insert_avp
retrieve_pana_sa ("Device-Id"); retrieve_pana_sa ("Device-Id");
(PSA.SESSION_ID) if (PROTECTION_CAP_IN_PBR (PSA.SESSION_ID) if (PROTECTION_CAP_IN_PBR
==Set) ==Set)
PBR.insert_avp PBR.insert_avp
("Protection-Cap."); ("Protection-Cap.");
Tx:PBR(); Tx:PBR();
RtxTimerStart(); RtxTimerStart();
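Review bot: in the Rx:PSA mobility transition, PBR.insert_avp("AUTH") is the first action and the Key-Id, Device-Id and Protection-Cap. inserts follow it, whereas the WAIT_SUCC_PBA timeout transition earlier in the document inserts AUTH last, after all other AVPs. An integrity AVP is normally computed over the finished message, so an implementer following this list literally could compute it too early. Move the AUTH insert to just before Tx:PBR(). The PaC-side Rx:PBR transition has the same ordering (AUTH before the conditional Device-Id in the PBA) and should be changed with it. This PBR also has no CARRY_LIFETIME / Session-Lifetime step, unlike the non-mobility PBR, so please confirm that is intended.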
skipping to change at page 59, line 11 skipping to change at page 62, line 11
This work was started from state machines originally made by Dan This work was started from state machines originally made by Dan
Forsberg. Forsberg.
13. References 13. References
13.1. Normative References 13.1. Normative References
[I-D.ietf-pana-pana] [I-D.ietf-pana-pana]
Forsberg, D., "Protocol for Carrying Authentication for Forsberg, D., "Protocol for Carrying Authentication for
Network Access (PANA)", draft-ietf-pana-pana-10 (work in Network Access (PANA)", draft-ietf-pana-pana-11 (work in
progress), July 2005. progress), March 2006.
[I-D.ietf-eap-statemachine]
Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba,
"State Machines for Extensible Authentication Protocol
(EAP) Peer and Authenticator",
draft-ietf-eap-statemachine-06 (work in progress),
December 2004.
[I-D.ietf-pana-mobopts] [I-D.ietf-pana-mobopts]
Forsberg, D., "PANA Mobility Optimizations", Forsberg, D., "PANA Mobility Optimizations",
draft-ietf-pana-mobopts-00 (work in progress), draft-ietf-pana-mobopts-01 (work in progress),
January 2005. October 2005.
13.2. Informative References 13.2. Informative References
[RFC4058] Yegin, A., Ohba, Y., Penno, R., Tsirtsis, G., and C. Wang, [RFC4137] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba,
"Protocol for Carrying Authentication for Network Access "State Machines for Extensible Authentication Protocol
(PANA) Requirements", RFC 4058, May 2005. (EAP) Peer and Authenticator", RFC 4137, August 2005.
[I-D.ietf-pana-snmp]
Mghazli, Y., "SNMP usage for PAA-EP interface",
draft-ietf-pana-snmp-04 (work in progress), July 2005.
[I-D.bournelle-pana-ctp] [I-D.ietf-pana-cxtp]
Bournelle, J., "Use of Context Transfer Protocol (CxTP) Bournelle, J., "Use of Context Transfer Protocol (CXTP)
for PANA", draft-bournelle-pana-ctp-03 (work in progress), for PANA", draft-ietf-pana-cxtp-01 (work in progress),
June 2005. March 2006.
Authors' Addresses Authors' Addresses
Victor Fajardo Victor Fajardo
Toshiba America Research, Inc. Toshiba America Research, Inc.
1 Telcordia Drive 1 Telcordia Drive
Piscataway, NJ 08854 Piscataway, NJ 08854
USA USA
Phone: +1 732 699 5368 Phone: +1 732 699 5368
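Review bot: moving the EAP state machine document from Normative ([I-D.ietf-eap-statemachine]) to Informative ([RFC4137]) looks questionable, because the transition tables depend on its interface: TxEAP(), EAP_Restart() and EAP_TIMEOUT all appear in the exit conditions and actions. Consider keeping RFC 4137 normative. Also confirm that no citation of the dropped [RFC4058] or [I-D.ietf-pana-snmp] entries remains in the body, and that every former [I-D.bournelle-pana-ctp] citation now reads [I-D.ietf-pana-cxtp].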
skipping to change at page 61, line 41 skipping to change at page 64, line 41
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 141 change blocks. 
255 lines changed or deleted 358 lines changed or added

This html diff was produced by rfcdiff 1.31. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/