--- 1/draft-ietf-pana-statemachine-03.txt 2006-05-31 22:12:36.000000000 +0200 +++ 2/draft-ietf-pana-statemachine-04.txt 2006-05-31 22:12:36.000000000 +0200 @@ -1,21 +1,21 @@ PANA Working Group V. Fajardo Internet-Draft Y. Ohba -Expires: April 23, 2006 TARI +Expires: December 1, 2006 TARI R. Lopez Univ. of Murcia - October 20, 2005 + May 30, 2006 State Machines for Protocol for Carrying Authentication for Network Access (PANA) - draft-ietf-pana-statemachine-03 + draft-ietf-pana-statemachine-04 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that 
@@ -26,25 +26,25 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on April 23, 2006. + This Internet-Draft will expire on December 1, 2006. Copyright Notice - Copyright (C) The Internet Society (2005). + Copyright (C) The Internet Society (2006). Abstract This document defines the conceptual state machines for the Protocol for Carrying Authentication for Network Access (PANA). The state machines consist of the PANA Client (PaC) state machine and the PANA Authentication Agent (PAA) state machine. The two state machines show how PANA can interface to EAP state machines and can be implemented with supporting various features including separate NAP and ISP authentications, ISP selection and mobility optimization. 
@@ -70,55 +70,55 @@ 6.1.2. Delivering EAP Responses from EAP Peer to PaC . . . . 16 6.1.3. EAP Restart Notification from PaC to EAP Peer . . . . 16 6.1.4. EAP Authentication Result Notification from EAP Peer to PaC . . . . . . . . . . . . . . . . . . . . . 17 6.1.5. Alternate Failure Notification from PaC to EAP Peer . 17 6.1.6. EAP Invalid Message Notification from EAP Peer to PaC . . . . . . . . . . . . . . . . . . . . . . . . . 17 6.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 17 6.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 18 6.4. PaC State Transition Table . . . . . . . . . . . . . . . . 19 - 7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 31 - 7.1. Interface between PAA and EAP Authenticator . . . . . . . 31 + 7. PAA State Machine . . . . . . . . . . . . . . . . . . . . . . 33 + 7.1. Interface between PAA and EAP Authenticator . . . . . . . 33 7.1.1. EAP Restart Notification from PAA to EAP - Authenticator . . . . . . . . . . . . . . . . . . . . 31 + Authenticator . . . . . . . . . . . . . . . . . . . . 33 7.1.2. Delivering EAP Responses from PAA to EAP - Authenticator . . . . . . . . . . . . . . . . . . . . 31 + Authenticator . . . . . . . . . . . . . . . . . . . . 33 7.1.3. Delivering EAP Messages from EAP Authenticator to - PAA . . . . . . . . . . . . . . . . . . . . . . . . . 31 + PAA . . . . . . . . . . . . . . . . . . . . . . . . . 33 7.1.4. EAP Authentication Result Notification from EAP - Authenticator to PAA . . . . . . . . . . . . . . . . . 31 - 7.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 32 - 7.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 34 - 7.4. PAA State Transition Table . . . . . . . . . . . . . . . . 34 - 8. Mobility Optimization Support . . . . . . . . . . . . . . . . 49 - 8.1. Common Variables . . . . . . . . . . . . . . . . . . . . . 49 - 8.2. PaC Mobility Optimization State Machine . . . . . . . . . 50 - 8.2.1. Variables . . . . . . . . . . . . . . . . 
. . . . . . 50 - 8.2.2. Procedures . . . . . . . . . . . . . . . . . . . . . . 50 + Authenticator to PAA . . . . . . . . . . . . . . . . . 33 + 7.2. Variables . . . . . . . . . . . . . . . . . . . . . . . . 34 + 7.3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . 36 + 7.4. PAA State Transition Table . . . . . . . . . . . . . . . . 37 + 8. Mobility Optimization Support . . . . . . . . . . . . . . . . 52 + 8.1. Common Variables . . . . . . . . . . . . . . . . . . . . . 52 + 8.2. PaC Mobility Optimization State Machine . . . . . . . . . 53 + 8.2.1. Variables . . . . . . . . . . . . . . . . . . . . . . 53 + 8.2.2. Procedures . . . . . . . . . . . . . . . . . . . . . . 53 8.2.3. PaC Mobility Optimization State Transition Table - Addendum . . . . . . . . . . . . . . . . . . . . . . . 50 - 8.3. PAA Mobility Optimization . . . . . . . . . . . . . . . . 53 - 8.3.1. Procedures . . . . . . . . . . . . . . . . . . . . . . 53 - 8.3.2. PAA Mobility Optimization State Transition Table Addendum . . . . . . . . . . . . . . . . . . . . . . . 53 - 9. Implementation Considerations . . . . . . . . . . . . . . . . 55 - 9.1. PAA and PaC Interface to Service Management Entity . . . . 55 - 9.2. Multicast Traffic . . . . . . . . . . . . . . . . . . . . 55 - 10. Security Considerations . . . . . . . . . . . . . . . . . . . 56 - 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 57 - 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 58 - 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 59 - 13.1. Normative References . . . . . . . . . . . . . . . . . . . 59 - 13.2. Informative References . . . . . . . . . . . . . . . . . . 59 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 60 - Intellectual Property and Copyright Statements . . . . . . . . . . 61 + 8.3. PAA Mobility Optimization . . . . . . . . . . . . . . . . 56 + 8.3.1. Procedures . . . . . . . . . . . . . . . . . . . . . . 56 + 8.3.2. 
PAA Mobility Optimization State Transition Table + Addendum . . . . . . . . . . . . . . . . . . . . . . . 56 + 9. Implementation Considerations . . . . . . . . . . . . . . . . 58 + 9.1. PAA and PaC Interface to Service Management Entity . . . . 58 + 9.2. Multicast Traffic . . . . . . . . . . . . . . . . . . . . 58 + 10. Security Considerations . . . . . . . . . . . . . . . . . . . 59 + 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60 + 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 61 + 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 62 + 13.1. Normative References . . . . . . . . . . . . . . . . . . . 62 + 13.2. Informative References . . . . . . . . . . . . . . . . . . 62 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 63 + Intellectual Property and Copyright Statements . . . . . . . . . . 64 1. Introduction This document defines the state machines for Protocol Carrying Authentication for Network Access (PANA) [I-D.ietf-pana-pana]. There are state machines for the PANA client (PaC) and for the PANA Authentication Agent (PAA). Each state machine is specified through a set of variables, procedures and a state transition table. A PANA protocol execution consists of several exchanges to carry 
@@ -127,24 +127,23 @@ layer for EAP protocol. Thus, a PANA state machine bases its execution on an EAP state machine execution and vice versa. Thus this document also shows for each of PaC and PAA an interface between an EAP state machine and a PANA state machine and how this interface allows to exchange information between them. Thanks to this interface, a PANA state machine can be informed about several events generated in an EAP state machine and make its execution conditional to its events. The details of EAP state machines are out of the scope of this - document. Additional information can be found in [I-D.ietf-eap- - statemachine]. Nevertheless PANA state machines presented here have - been coordinated with state machines shown by [I-D.ietf-eap- - statemachine]. + document. Additional information can be found in [RFC4137]. + Nevertheless PANA state machines presented here have been coordinated + with state machines shown by [RFC4137]. This document, apart from defining PaC and PAA state machines and their interfaces to EAP state machines (running on top of PANA), provides some implementation considerations, taking into account that it is not a specification but an implementation guideline. 2. Interface Between PANA and EAP PANA carries EAP messages exchanged between an EAP peer and an EAP authenticator (see Figure 1). Thus a PANA state machine must 
@@ -189,98 +188,97 @@ PaC state machine that is responsible for actually transmitting this message. On the other hand, the PAA state machine presents response messages (EAP-Response messages) to the EAP authenticator state machine through interface defined between them. The EAP authenticator processes these messages and generate EAP messages (EAP-Request, EAP- Success and EAP-Failure messages) that are send to the PAA state machine to be sent. - For example, [I-D.ietf-eap-statemachine] specifies four interfaces to - lower layers: (i) an interface between the EAP peer state machine and - a lower layer, (ii) an interface between the EAP standalone - authenticator state machine and a lower layer, (iii) an interface - between the EAP full authenticator state machine and a lower layer - and (iv) an interface between the EAP backend authenticator state - machine and a lower layer. In this document, the PANA protocol is - the lower layer of EAP and only the first three interfaces are of - interest to PANA. The second and third interfaces are the same. In - this regard, the EAP standalone authenticator or the EAP full - authenticator and its state machine in [I-D.ietf-eap-statemachine] - are referred to as the EAP authenticator and the EAP authenticator - state machine, respectively, in this document. If an EAP peer and an - EAP authenticator follow the state machines defined in [I-D.ietf-eap- - statemachine], the interfaces between PANA and EAP could be based on - that document. Detailed definition of interfaces between PANA and - EAP are described in the subsequent sections. 
+ For example, [RFC4137] specifies four interfaces to lower layers: (i) + an interface between the EAP peer state machine and a lower layer, + (ii) an interface between the EAP standalone authenticator state + machine and a lower layer, (iii) an interface between the EAP full + authenticator state machine and a lower layer and (iv) an interface + between the EAP backend authenticator state machine and a lower + layer. In this document, the PANA protocol is the lower layer of EAP + and only the first three interfaces are of interest to PANA. The + second and third interfaces are the same. In this regard, the EAP + standalone authenticator or the EAP full authenticator and its state + machine in [RFC4137] are referred to as the EAP authenticator and the + EAP authenticator state machine, respectively, in this document. If + an EAP peer and an EAP authenticator follow the state machines + defined in [RFC4137], the interfaces between PANA and EAP could be + based on that document. Detailed definition of interfaces between + PANA and EAP are described in the subsequent sections. 3. Document Authority When a discrepancy occurs between any part of this document and any of the related documents ([I-D.ietf-pana-pana], [I-D.ietf-pana- - mobopts], [I-D.ietf-eap-statemachine] the latter (the other - documents) are considered authoritative and takes precedence. + mobopts], [RFC4137] the latter (the other documents) are considered + authoritative and takes precedence. 4. Notations The following state transition tables are completed mostly based on - the conventions specified in [I-D.ietf-eap-statemachine]. The - complete text is described below. + the conventions specified in [RFC4137]. The complete text is + described below. State transition tables are used to represent the operation of the protocol by a number of cooperating state machines each comprising a group of connected, mutually exclusive states. Only one state of each machine can be active at any given time. 
All permissible transitions from a given state to other states and associated actions performed when the transitions occur are represented by using triplets of (exit condition, exit action, exit state). All conditions are expressions that evaluate to TRUE or FALSE; if a condition evaluates to TRUE, then the condition is met. A state "ANY" is a wildcard state that matches the current state in each state machine. The exit conditions of a wildcard state are evaluated after all other exit conditions of specific to the current state are met. On exit from a state, the exit actions defined for the state and the exit condition are executed exactly once, in the order that they - appear on the page. (Note that the procedures defined in [I-D.ietf- - eap-statemachine] are executed on entry to a state, which is one - major difference from this document.) Each exit action is deemed to - be atomic; i.e., execution of an exit action completes before the - next sequential exit action starts to execute. No exit action - execute outside of a state block. The exit actions in only one state - block execute at a time even if the conditions for execution of state - blocks in different state machines are satisfied. All exit actions - in an executing state block complete execution before the transition - to and execution of any other state blocks. The execution of any - state block appears to be atomic with respect to the execution of any - other state block and the transition condition to that state from the - previous state is TRUE when execution commences. The order of - execution of state blocks in different state machines is undefined - except as constrained by their transition conditions. A variable - that is set to a particular value in a state block retains this value - until a subsequent state block executes an exit action that modifies - the value. + appear on the page. 
(Note that the procedures defined in [RFC4137] + are executed on entry to a state, which is one major difference from + this document.) Each exit action is deemed to be atomic; i.e., + execution of an exit action completes before the next sequential exit + action starts to execute. No exit action execute outside of a state + block. The exit actions in only one state block execute at a time + even if the conditions for execution of state blocks in different + state machines are satisfied. All exit actions in an executing state + block complete execution before the transition to and execution of + any other state blocks. The execution of any state block appears to + be atomic with respect to the execution of any other state block and + the transition condition to that state from the previous state is + TRUE when execution commences. The order of execution of state + blocks in different state machines is undefined except as constrained + by their transition conditions. A variable that is set to a + particular value in a state block retains this value until a + subsequent state block executes an exit action that modifies the + value. On completion of the transition from the previous state to the current state, all exit conditions occurring during the current state (including exit conditions defined for the wildcard state) are evaluated until an exit condition for that state is met. Any event variable is set to TRUE when the corresponding event occurs and set to FALSE immediately after completion of the action associated with the current state and the event. The interpretation of the special symbols and operators used is - defined in [I-D.ietf-eap-statemachine]. + defined in [RFC4137]. 5. Common Rules There are following procedures, variables, message initializing rules and state transitions that are common to both the PaC and PAA state machines. 
Throughout this document, the character string "PANA_MESSAGE_NAME" matches any one of the abbreviated PANA message names, i.e., "PDI", "PSR", "PSA", "PAR", "PAN", "PBR", "PBA", "PFER", "PFEA", "PTR", @@ -346,26 +344,26 @@ specified PANA message. boolean PANA_MESSAGE_NAME.exist_avp("AVP_NAME") A procedure that checks whether an AVP of the specified AVP name exists in the specified PANA message and returns TRUE if the specified AVP is found, otherwise returns FALSE. boolean key_available() - A procedure to check whether the PANA session has a PANA_MAC_KEY. - If the state machine already has a PANA_MAC_KEY, it returns TRUE. - If the state machine does not have a PANA_MAC_KEY, it tries to + A procedure to check whether the PANA session has a PANA_AUTH_KEY. + If the state machine already has a PANA_AUTH_KEY, it returns TRUE. + If the state machine does not have a PANA_AUTH_KEY, it tries to retrieve a AAA-Key from the EAP entity. If a AAA-Key is - retrieved, it computes a PANA_MAC_KEY from the AAA-Key and returns - TRUE. Otherwise, it returns FALSE. + retrieved, it computes a PANA_AUTH_KEY from the AAA-Key and + returns TRUE. Otherwise, it returns FALSE. boolean fatal(int) A procedure to check whether an integer result code value indicates a fatal error. If the result code indicates a fatal error, the procedure returns TRUE, otherwise, it return FALSE. A fatal error would also result in the termination of the session and release of all resources related to that session. 5.2. Common Variables 
@@ -437,21 +435,21 @@ ABORT_ON_1ST_EAP_FAILURE This variable indicates whether the PANA session is immediately terminated when the 1st EAP authentication fails. CARRY_DEVICE_ID This variable indicates whether a Device-Id AVP is carried in a PANA-Bind-Request or PANA_Bind-Answer message. For the PAA, this - variable MUST be set when a link-layer or IP address is used as + variable must be set when a link-layer or IP address is used as the device identifier of the PaC and a Protection-Capability AVP is included in the PANA-Bind-Request message. ANY This event variable is set to TRUE when any event occurs. 5.3. Constants RTX_MAX_NUM @@ -500,30 +498,30 @@ RTX_MAX_NUM - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Reach maximum number of transmissions)- - - - - - RTX_TIMEOUT && Disconnect(); CLOSED RTX_COUNTER>= RTX_MAX_NUM SESS_TIMEOUT Disconnect(); CLOSED - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(PANA-Error-Message-Processing)- - - - - - - Rx:PER && PEA.insert_avp("MAC"); CLOSED + Rx:PER && PEA.insert_avp("AUTH"); CLOSED fatal Tx:PEA(); (PER.RESULT_CODE) && Disconnect(); - PER.exist_avp("MAC") && + PER.exist_avp("AUTH") && key_available() Rx:PER && Tx:PEA(); (no change) !fatal (PER.RESULT_CODE) || - !PER.exist_avp("MAC") || + !PER.exist_avp("AUTH") || !key_available() - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The following transitions can occur on any exit condition within the specified state. ------------- State: CLOSED ------------- 
@@ -549,76 +547,75 @@ within the context of their associated states or exit actions. 6.1.1. Delivering EAP Messages from PaC to EAP Peer TxEAP() procedure in the PaC state machine serves as the mechanism to deliver EAP request, EAP success and EAP failure messages contained in PANA-Auth-Request messages to the EAP peer. This procedure is enabled only after an EAP restart event is notified to the EAP peer and before any event resulting in a termination of the EAP peer session. In the case where the EAP peer follows the EAP peer state - machine defined in [I-D.ietf-eap-statemachine], TxEAP() procedure - sets eapReq variable of the EAP peer state machine and puts the EAP - request in eapReqData variable of the EAP peer state machine. + machine defined in [RFC4137], TxEAP() procedure sets eapReq variable + of the EAP peer state machine and puts the EAP request in eapReqData + variable of the EAP peer state machine. 6.1.2. Delivering EAP Responses from EAP Peer to PaC An EAP response is delivered from the EAP peer to the PaC via EAP_RESPONSE event variable. The event variable is set when the EAP peer passes the EAP response to its lower-layer. In the case where - the EAP peer follows the EAP peer state machine defined in [I-D.ietf- - eap-statemachine], EAP_RESPONSE event variable refers to eapResp - variable of the EAP peer state machine and the EAP response is - contained in eapRespData variable of the EAP peer state machine. + the EAP peer follows the EAP peer state machine defined in [RFC4137], + EAP_RESPONSE event variable refers to eapResp variable of the EAP + peer state machine and the EAP response is contained in eapRespData + variable of the EAP peer state machine. 6.1.3. EAP Restart Notification from PaC to EAP Peer - The EAP peer state machine defined in [I-D.ietf-eap-statemachine] has - an initialization procedure before receiving an EAP request. 
To - initialize the EAP state machine, the PaC state machine defines an - event notification mechanism to send an EAP (re)start event to the - EAP peer. The event notification is done via EAP_Restart() procedure - in the initialization action of the PaC state machine. + The EAP peer state machine defined in [RFC4137] has an initialization + procedure before receiving an EAP request. To initialize the EAP + state machine, the PaC state machine defines an event notification + mechanism to send an EAP (re)start event to the EAP peer. The event + notification is done via EAP_Restart() procedure in the + initialization action of the PaC state machine. 6.1.4. EAP Authentication Result Notification from EAP Peer to PaC In order for the EAP peer to notify the PaC of an EAP authentication result, EAP_SUCCESS and EAP_FAILURE event variables are defined. In the case where the EAP peer follows the EAP peer state machine - defined in [I-D.ietf-eap-statemachine], EAP_SUCCESS and EAP_FAILURE - event variables refer to eapSuccess and eapFail variables of the EAP - peer state machine, respectively. In this case, if EAP_SUCCESS event - variable is set to TRUE and a AAA-Key is generated by the EAP - authentication method in use, eapKeyAvailable variable is set to TRUE - and eapKeyData variable contains the AAA-Key. Note that EAP_SUCCESS - and EAP_FAILURE event variables may be set to TRUE even before the - PaC receives a PBR or a PFER from the PAA. + defined in [RFC4137], EAP_SUCCESS and EAP_FAILURE event variables + refer to eapSuccess and eapFail variables of the EAP peer state + machine, respectively. In this case, if EAP_SUCCESS event variable + is set to TRUE and a AAA-Key is generated by the EAP authentication + method in use, eapKeyAvailable variable is set to TRUE and eapKeyData + variable contains the AAA-Key. Note that EAP_SUCCESS and EAP_FAILURE + event variables may be set to TRUE even before the PaC receives a PBR + or a PFER from the PAA. 6.1.5. 
Alternate Failure Notification from PaC to EAP Peer alt_reject() procedure in the PaC state machine serves as the mechanism to deliver an authentication failure event to the EAP peer without accompanying an EAP message. In the case where the EAP peer - follows the EAP peer state machine defined in [I-D.ietf-eap- - statemachine], alt_reject() procedure sets altReject variable of the - EAP peer state machine. Note that the EAP peer state machine in - [I-D.ietf-eap-statemachine] also defines altAccept variable, however, - it is never used in PANA in which EAP-Success messages are reliably - delivered by PANA-Bind exchange. + follows the EAP peer state machine defined in [RFC4137], alt_reject() + procedure sets altReject variable of the EAP peer state machine. + Note that the EAP peer state machine in [RFC4137] also defines + altAccept variable, however, it is never used in PANA in which EAP- + Success messages are reliably delivered by PANA-Bind exchange. 6.1.6. EAP Invalid Message Notification from EAP Peer to PaC In order for the EAP peer to notify the PaC of a receipt of an invalid EAP message, EAP_INVALID_MSG event variable is defined. In the case where the EAP peer follows the EAP peer state machine - defined in [I-D.ietf-eap-statemachine], EAP_INVALID_MSG event - variable refers to eapNoResp variable of the EAP peer state machine. + defined in [RFC4137], EAP_INVALID_MSG event variable refers to + eapNoResp variable of the EAP peer state machine. 6.2. Variables SEPARATE This variable indicates whether the PaC desires NAP/ISP separate authentication. 1ST_EAP 
@@ -670,20 +667,25 @@ This procedure returns TRUE when the Post-PANA-Address- Configuration method specified by the PAA is available in the PaC and that the PaC will be able to comply. boolean pcap_supported() This procedure returns TRUE when the cryptographic data protection supplied in the Protection-Capability AVP can be supported by the PaC. + boolean algorithm_supported() + + This procedure returns TRUE when the integrity algorithm supplied + in the Algorithm AVP can be supported by the PaC. + boolean eap_piggyback() This procedures returns TRUE to indicate whether the next EAP response will be carried in the pending PAN message for optimization. void alt_reject() This procedure informs the EAP peer of an authentication failure event without accompanying an EAP message. 
@@ -709,55 +711,111 @@ SEPARATE=Set|Unset; CARRY_DEVICE_ID=Unset; 1ST_EAP=Unset; RtxTimerStop(); Exit Condition Exit Action Exit State ------------------------+--------------------------+-------------- - - - - - - - - - - - - - (PSR processing) - - - - - - - - - - - Rx:PSR && RtxTimerStop(); WAIT_EAP_MSG_ PSR.exist_avp EAP_Restart(); IN_DISC - ("EAP-Payload") TxEAP(); - SEPARATE=Unset; + ("EAP-Payload") && TxEAP(); + (!PSR.exist_avp SEPARATE=Unset; + ("Protection-Cap.") || + (PSR.exist_avp + ("Protection-Cap.") && + pcap_supported())) && + (!PSR.exist_avp + ("Algorithm") || + (PSR.exist_avp + ("Algorithm") && + algorithm_supported())) + Rx:PSR && RtxTimerStop(); WAIT_PAA !PSR.exist_avp if (choose_isp()) ("EAP-Payload") && PSA.insert_avp("ISP"); PSR.S_flag==1 && PSA.S_flag=1; SEPARATE==Set && PSA.insert_avp("Cookie"); PSR.exist_avp Tx:PSA(); - ("Cookie") RtxTimerStart(); - EAP_Restart(); + ("Cookie") && RtxTimerStart(); + (!PSR.exist_avp EAP_Restart(); + ("Protection-Cap.") || + (PSR.exist_avp + ("Protection-Cap.") && + pcap_supported())) && + (!PSR.exist_avp + ("Algorithm") || + (PSR.exist_avp + ("Algorithm") && + algorithm_supported())) Rx:PSR && RtxTimerStop(); WAIT_PAA !PSR.exist_avp if (choose_isp()) ("EAP-Payload") && PSA.insert_avp("ISP"); PSR.S_flag==1 && PSA.S_flag=1; SEPARATE==Set && Tx:PSA(); !PSR.exist_avp EAP_Restart(); - ("Cookie") + ("Cookie") && + (!PSR.exist_avp + ("Protection-Cap.") || + (PSR.exist_avp + ("Protection-Cap.") && + pcap_supported())) && + (!PSR.exist_avp + ("Algorithm") || + (PSR.exist_avp + ("Algorithm") && + algorithm_supported())) Rx:PSR && RtxTimerStop(); WAIT_PAA !PSR.exist_avp if (choose_isp()) ("EAP-Payload") && PSA.insert_avp("ISP"); (PSR.S_flag!=1 || PSA.insert_avp("Cookie"); SEPARATE==Unset) && Tx:PSA(); PSR.exist_avp RtxTimerStart(); - ("Cookie") SEPARATE=Unset; - EAP_Restart(); + ("Cookie") && SEPARATE=Unset; + (!PSR.exist_avp EAP_Restart(); + ("Protection-Cap.") || + (PSR.exist_avp + ("Protection-Cap.") && + 
pcap_supported())) && + (!PSR.exist_avp + ("Algorithm") || + (PSR.exist_avp + ("Algorithm") && + algorithm_supported())) Rx:PSR && RtxTimerStop(); WAIT_PAA !PSR.exist_avp if (choose_isp()) ("EAP-Payload") && PSA.insert_avp("ISP"); (PSR.S_flag!=1 || Tx:PSA(); SEPARATE==Unset) && SEPARATE=Unset; !PSR.exist_avp EAP_Restart(); - ("Cookie") + ("Cookie") && + (!PSR.exist_avp + ("Protection-Cap.") || + (PSR.exist_avp + ("Protection-Cap.") && + pcap_supported())) && + (!PSR.exist_avp + ("Algorithm") || + (PSR.exist_avp + ("Algorithm") && + algorithm_supported())) + + Rx:PSR && None(); OFFLINE + (PSR.exist_avp + ("Protection-Cap.") && + !pcap_supported()) || + (PSR.exist_avp + ("Algorithm") && + algorithm_supported()) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Authentication trigger from application) - - - AUTH_USER Tx:PDI(); OFFLINE RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------------------- State: WAIT_EAP_MSG_IN_DISC --------------------------- 
@@ -779,38 +837,43 @@ State: WAIT_PAA --------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - -(PAR-PAN exchange) - - - - - - - - Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG !eap_piggyback() TxEAP(); EAP_RespTimerStart(); if (key_available()) - PAN.insert_avp("MAC"); + PAN.insert_avp("AUTH"); PAN.S_flag=PAR.S_flag; PAN.N_flag=PAR.N_flag; Tx:PAN(); Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG eap_piggyback() TxEAP(); EAP_RespTimerStart(); Rx:PAN RtxTimerStop(); WAIT_PAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(1st EAP result) - - - - - - - - - Rx:PFER && 1ST_EAP=Success; WAIT_1ST_EAP_ 1ST_EAP==Unset && TxEAP(); RESULT SEPARATE==Set && PFER.RESULT_CODE== PANA_SUCCESS && - PFER.S_flag==1 + PFER.S_flag==1 && + (!PSR.exist_avp + ("Algorithm") || + (PSR.exist_avp + ("Algorithm") && + algorithm_supported())) Rx:PFER && 1ST_EAP=Failure; WAIT_1ST_EAP_ 1ST_EAP==Unset && TxEAP(); RESULT SEPARATE==Set && PFER.RESULT_CODE!= PANA_SUCCESS && PFER.S_flag==1 && ABORT_ON_1ST_EAP_FAILURE ==Unset && PFER.exist_avp @@ -846,21 +909,26 @@ (PFER.S_flag==0 || ABORT_ON_1ST_EAP_FAILURE ==Set) && !PFER.exist_avp ("EAP-Payload") Rx:PBR && TxEAP(); WAIT_EAP_RESULT 1ST_EAP==Unset && if (PBR.exist_avp SEPARATE==Unset && ("Device-Id")) PBR.RESULT_CODE== CARRY_DEVICE_ID=Set; - PANA_SUCCESS + PANA_SUCCESS && + (!PSR.exist_avp + ("Algorithm") || + (PSR.exist_avp + ("Algorithm") && + algorithm_supported())) Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ 1ST_EAP==Unset && CLOSE SEPARATE==Unset && PBR.RESULT_CODE!= PANA_SUCCESS && PBR.exist_avp ("EAP-Payload") Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ 
@@ -870,47 +938,62 @@ PANA_SUCCESS && !PBR.exist_avp ("EAP-Payload") - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(2nd EAP result) - - - - - - - - - Rx:PBR && TxEAP(); WAIT_EAP_RESULT 1ST_EAP==Success && if (PBR.exist_avp PBR.RESULT_CODE== ("Device-Id")) PANA_SUCCESS && CARRY_DEVICE_ID=Set; PBR.exist_avp - ("EAP-Payload") + ("EAP-Payload") && + (!PSR.exist_avp + ("Algorithm") || + (PSR.exist_avp + ("Algorithm") && + algorithm_supported())) Rx:PBR && alt_reject(); WAIT_EAP_RESULT 1ST_EAP==Success && if (PBR.exist_avp PBR.RESULT_CODE== ("Device-Id")) PANA_SUCCESS && CARRY_DEVICE_ID=Set; !PBR.exist_avp - ("EAP-Payload") + ("EAP-Payload") && + (!PSR.exist_avp + ("Algorithm") || + (PSR.exist_avp + ("Algorithm") && + algorithm_supported())) Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ 1ST_EAP==Success && CLOSE PBR.RESULT_CODE!= PANA_SUCCESS && PBR.exist_avp ("EAP-Payload") Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ 1ST_EAP==Success && CLOSE PBR.RESULT_CODE!= PANA_SUCCESS && !PBR.exist_avp ("EAP-Payload") Rx:PBR && TxEAP(); WAIT_EAP_RESULT 1ST_EAP==Failure && if (PBR.exist_avp PBR.RESULT_CODE== ("Device-Id")) - PANA_SUCCESS CARRY_DEVICE_ID=Set; + PANA_SUCCESS && CARRY_DEVICE_ID=Set; + (!PSR.exist_avp + ("Algorithm") || + (PSR.exist_avp + ("Algorithm") && + algorithm_supported())) Rx:PBR && TxEAP(); WAIT_EAP_RESULT_ 1ST_EAP==Failure && CLOSE PBR.RESULT_CODE!= PANA_SUCCESS && PBR.exist_avp ("EAP-Payload") Rx:PBR && alt_reject(); WAIT_EAP_RESULT_ 1ST_EAP==Failure && CLOSE 
@@ -924,141 +1006,143 @@ State: WAIT_EAP_MSG ------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - (Return PAN/PAR) - - - - - - - - - - - - - - EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA eap_piggyback() PAN.insert_avp ("EAP-Payload"); if (key_available()) - PAN.insert_avp("MAC"); + PAN.insert_avp("AUTH"); PAN.S_flag=PAR.S_flag; PAN.N_flag=PAR.N_flag; Tx:PAN(); EAP_RESPONSE && EAP_RespTimerStop() WAIT_PAA !eap_piggyback() PAR.insert_avp ("EAP-Payload"); if (key_available()) - PAR.insert_avp("MAC"); + PAR.insert_avp("AUTH"); PAR.S_flag=PAN.S_flag; PAR.N_flag=PAN.N_flag; Tx:PAR(); RtxTimerStart(); EAP_RESP_TIMEOUT if (key_available()) WAIT_PAA - PAN.insert_avp("MAC"); + PAN.insert_avp("AUTH"); PAN.S_flag=PAR.S_flag; PAN.N_flag=PAR.N_flag; Tx:PAN(); EAP_INVALID_MSG || None(); WAIT_PAA EAP_SUCCESS || EAP_FAILURE - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ---------------------- State: WAIT_EAP_RESULT ---------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - - EAP_SUCCESS && PBA.insert_avp("MAC"); OPEN + EAP_SUCCESS && PBA.insert_avp("AUTH"); OPEN PBR.exist_avp PBA.insert_avp("Key-Id"); ("Key-Id") && if (CARRY_DEVICE_ID) ppac_available() && PBA.insert_avp (!PBR.exist_avp ("Device-Id"); ("Protection- PBA.insert_avp("PPAC"); Capability") || Tx:PBA(); (PBR.exist_avp Authorize(); ("Protection- SessionTimerStart(); Capability") && pcap_supported())) EAP_SUCCESS && if (key_available()) OPEN - !PBR.exist_avp PBA.insert_avp("MAC"); + !PBR.exist_avp PBA.insert_avp("AUTH"); ("Key-Id") && if (CARRY_DEVICE_ID) ppac_available() && PBA.insert_avp (!PBR.exist_avp ("Device-Id"); ("Protection- PBA.insert_avp("PPAC"); Capability") || Tx:PBA(); (PBR.exist_avp Authorize(); ("Protection- SessionTimerStart(); Capability") && pcap_supported())) 
EAP_SUCCESS && if (key_available()) WAIT_PEA - !ppac_available() PER.insert_avp("MAC"); + !ppac_available() PER.insert_avp("AUTH"); PER.RESULT_CODE= PANA_PPAC_CAPABILITY_ UNSUPPORTED Tx:PER(); RtxTimerStart(); EAP_SUCCESS && if (key_available()) WAIT_PEA - (PBR.exist_avp PER.insert_avp("MAC"); + (PBR.exist_avp PER.insert_avp("AUTH"); ("Protection- PER.RESULT_CODE= Capability") && PANA_PROTECTION_ !pcap_supported()) CAPABILITY_UNSUPPORTED Tx:PER(); RtxTimerStart(); EAP_FAILURE && if (key_available()) OPEN - (SEPARATE==Set) && PBA.insert_avp("MAC"); + (SEPARATE==Set) && PBA.insert_avp("AUTH"); ppac_available() && if (CARRY_DEVICE_ID) (!PBR.exist_avp PBA.insert_avp ("Protection- ("Device-Id"); Capability") || PBA.insert_avp("PPAC"); (PBR.exist_avp Tx:PBA(); ("Protection- Authorize(); Capability") && SessionTimerStart(); pcap_supported())) EAP_FAILURE && if (key_available()) WAIT_PEA - (SEPARATE==Set) && PER.insert_avp("MAC"); + (SEPARATE==Set) && PER.insert_avp("AUTH"); !ppac_available() PER.RESULT_CODE= PANA_PPAC_CAPABILITY_ UNSUPPORTED Tx:PER(); RtxTimerStart(); EAP_FAILURE && if (key_available()) WAIT_PEA - (SEPARATE==Set) && PER.insert_avp("MAC"); + (SEPARATE==Set) && PER.insert_avp("AUTH"); (PBR.exist_avp PER.RESULT_CODE= ("Protection- PANA_PROTECTION_ Capability") && CAPABILITY_UNSUPPORTED !pcap_supported()) Tx:PER(); RtxTimerStart(); EAP_INVALID_MSG None(); WAIT_PAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---------------------------- State: WAIT_EAP_RESULT_CLOSE ---------------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - (EAP Result) - - - - - - - - - - - - - - EAP_SUCCESS && PBA.insert_avp("MAC"); CLOSED + EAP_SUCCESS && PBA.insert_avp("AUTH"); CLOSED PBR.exist_avp PBA.insert_avp("Key-Id"); ("Key-Id") Tx:PBA(); Disconnect(); EAP_SUCCESS && if (key_available()) CLOSED - !PBR.exist_avp PBA.insert_avp("MAC"); + !PBR.exist_avp 
PBA.insert_avp("AUTH"); ("Key-Id") Tx:PBA(); Disconnect(); EAP_FAILURE Tx:PBA(); CLOSED Disconnect(); + EAP_INVALID_MSG None(); WAIT_PAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -------------------------- State: WAIT_1ST_EAP_RESULT -------------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - - 
@@ -1058,54 +1142,55 @@ -------------------------- State: WAIT_1ST_EAP_RESULT -------------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - - EAP_SUCCESS && PFEA.insert_avp("Key-Id"); WAIT_PAA PFER.exist_avp PFEA.S_flag=1; ("Key-Id") PFEA.N_flag=PFER.N_flag; - PFEA.insert_avp("MAC"); + PFEA.insert_avp("AUTH"); Tx:PFEA(); EAP_Restart(); (EAP_SUCCESS && if (key_available()) WAIT_PAA - !PFER.exist_avp PFEA.insert_avp("MAC"); + !PFER.exist_avp PFEA.insert_avp("AUTH"); ("Key-Id")) || PFEA.S_flag=1; EAP_FAILURE PFEA.N_flag=PFER.N_flag; Tx:PFEA(); EAP_Restart(); EAP_INVALID_MSG EAP_Restart(); WAIT_PAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -------------------------------- State: WAIT_1ST_EAP_RESULT_CLOSE -------------------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - - (First EAP) - - - - - - - - - - - - EAP_SUCCESS && PFEA.insert_avp("Key-Id"); CLOSED PFER.exist_avp PFEA.S_flag=0; ("Key-Id") PFEA.N_flag=0; - PFEA.insert_avp("MAC"); + PFEA.insert_avp("AUTH"); Tx:PFEA(); Disconnect(); (EAP_SUCCESS && if (key_available()) CLOSED - !PFER.exist_avp PFEA.insert_avp("MAC"); + !PFER.exist_avp PFEA.insert_avp("AUTH"); ("Key-Id")) || PFEA.S_flag=0; EAP_FAILURE PFEA.N_flag=0; Tx:PFEA(); Disconnect(); + EAP_INVALID_MSG None(); WAIT_PAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ----------- State: OPEN ----------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - (liveness test initiated by PAA)- - - - - - 
@@ -1103,77 +1188,77 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ----------- State: OPEN ----------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - (liveness test initiated by PAA)- - - - - - Rx:PPR if (key_available()) OPEN - PPA.insert_avp("MAC"); + PPA.insert_avp("AUTH"); Tx:PPA(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (liveness test initiated by PaC)- - - - - - PANA_PING if (key_available()) WAIT_PPA - PPR.insert_avp("MAC"); + PPR.insert_avp("AUTH"); Tx:PPR(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (re-authentication initiated by PaC)- - - - - - REAUTH SEPARATE=Set|Unset; WAIT_PRAA 1ST_EAP=Unset; if (key_available()) - PRAR.insert_avp("MAC"); + PRAR.insert_avp("AUTH"); Tx:PRAR(); RtxTimerStart(); SessionTimerStop(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - - Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG !eap_piggyback() 1ST_EAP=Unset; EAP_RespTimerStart(); TxEAP(); if (key_available()) - PAN.insert_avp("MAC"); + PAN.insert_avp("AUTH"); PAN.S_flag=PAR.S_flag; PAN.N_flag=PAR.N_flag; Tx:PAN(); SessionTimerStop(); Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG eap_piggyback() 1ST_EAP=Unset; EAP_RespTimerStart(); TxEAP(); SessionTimerStop(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Session termination initiated by PAA) - - - - - - Rx:PTR if (key_available()) CLOSED - PTA.insert_avp("MAC"); + PTA.insert_avp("AUTH"); Tx:PTA(); Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Session termination initiated by PaC) - - - - - - TERMINATE if (key_available()) SESS_TERM - PTR.insert_avp("MAC"); + PTR.insert_avp("AUTH"); Tx:PTR(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - -(Address update) - - - - - - - - - - - - NOTIFY if (key_available()) WAIT_PUA - PUR.insert_avp("MAC"); + PUR.insert_avp("AUTH"); Tx:PUR(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Notification update)- - - - - - - - - - - Rx:PUR if (key_available()) OPEN - PUA.insert_avp("MAC"); + PUA.insert_avp("AUTH"); Tx:PUA(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---------------- State: WAIT_PRAA ---------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - -(re-authentication initiated by PaC) - - - - - 
@@ -1227,71 +1312,71 @@ The interface between a PAA and an EAP authenticator provides a mechanism to deliver EAP messages for the EAP authenticator as well as a mechanism to notify the EAP authenticator of PAA events and to receive notification of EAP authenticator events. These message delivery and event notification mechanisms occur only within context of their associated states or exit actions. 7.1.1. EAP Restart Notification from PAA to EAP Authenticator - An EAP authenticator state machine defined in [I-D.ietf-eap- - statemachine] has an initialization procedure before sending the - first EAP request. To initialize the EAP state machine, the PAA - state machine defines an event notification mechanism to send an EAP - (re)start event to the EAP peer. The event notification is done via - EAP_Restart() procedure in the initialization action of the PAA state - machine. + An EAP authenticator state machine defined in [RFC4137] has an + initialization procedure before sending the first EAP request. To + initialize the EAP state machine, the PAA state machine defines an + event notification mechanism to send an EAP (re)start event to the + EAP peer. The event notification is done via EAP_Restart() procedure + in the initialization action of the PAA state machine. 7.1.2. Delivering EAP Responses from PAA to EAP Authenticator TxEAP() procedure in the PAA state machine serves as the mechanism to deliver EAP-Responses contained in PANA-Auth-Answer messages to the EAP authenticator. This procedure is enabled only after an EAP restart event is notified to the EAP authenticator and before any event resulting in a termination of the EAP authenticator session. In the case where the EAP authenticator follows the EAP authenticator - state machines defined in [I-D.ietf-eap-statemachine], TxEAP() - procedure sets eapResp variable of the EAP authenticator state - machine and puts the EAP response in eapRespData variable of the EAP - authenticator state machine. 
+ state machines defined in [RFC4137], TxEAP() procedure sets eapResp + variable of the EAP authenticator state machine and puts the EAP + response in eapRespData variable of the EAP authenticator state + machine. 7.1.3. Delivering EAP Messages from EAP Authenticator to PAA An EAP request is delivered from the EAP authenticator to the PAA via EAP_REQUEST event variable. The event variable is set when the EAP authenticator passes the EAP request to its lower-layer. In the case where the EAP authenticator follows the EAP authenticator state - machines defined in [I-D.ietf-eap-statemachine], EAP_REQUEST event - variable refers to eapReq variable of the EAP authenticator state - machine and the EAP request is contained in eapReqData variable of - the EAP authenticator state machine. + machines defined in [RFC4137], EAP_REQUEST event variable refers to + eapReq variable of the EAP authenticator state machine and the EAP + request is contained in eapReqData variable of the EAP authenticator + state machine. 7.1.4. EAP Authentication Result Notification from EAP Authenticator to PAA + In order for the EAP authenticator to notify the PAA of the EAP authentication result, EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables are defined. In the case where the EAP authenticator - follows the EAP authenticator state machines defined in [I-D.ietf- - eap-statemachine], EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event - variables refer to eapSuccess, eapFail and eapTimeout variables of - the EAP authenticator state machine, respectively. In this case, if - EAP_SUCCESS event variable is set to TRUE, an EAP-Success message is - contained in eapReqData variable of the EAP authenticator state - machine, and additionally, eapKeyAvailable variable is set to TRUE - and eapKeyData variable contains a AAA-Key if the AAA-Key is - generated as a result of successful authentication by the EAP - authentication method in use. 
Similarly, if EAP_FAILURE event - variable is set to TRUE, an EAP-Failure message is contained in - eapReqData variable of the EAP authenticator state machine. The PAA - uses EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables as a - trigger to send a PBR or a PFER message to the PaC. + follows the EAP authenticator state machines defined in [RFC4137], + EAP_SUCCESS, EAP_FAILURE and EAP_TIMEOUT event variables refer to + eapSuccess, eapFail and eapTimeout variables of the EAP authenticator + state machine, respectively. In this case, if EAP_SUCCESS event + variable is set to TRUE, an EAP-Success message is contained in + eapReqData variable of the EAP authenticator state machine, and + additionally, eapKeyAvailable variable is set to TRUE and eapKeyData + variable contains a AAA-Key if the AAA-Key is generated as a result + of successful authentication by the EAP authentication method in use. + Similarly, if EAP_FAILURE event variable is set to TRUE, an EAP- + Failure message is contained in eapReqData variable of the EAP + authenticator state machine. The PAA uses EAP_SUCCESS, EAP_FAILURE + and EAP_TIMEOUT event variables as a trigger to send a PBR or a PFER + message to the PaC. 7.2. Variables USE_COOKIE This variable indicates whether the PAA uses Cookie. EAP_PIGGYBACK This variable indicates whether the PAA is able to piggyback an @@ -1314,20 +1399,25 @@ CARRY_LIFETIME This variable indicates whether a Session-Lifetime AVP is carried in PANA-Bind-Request message. PROTECTION_CAP_IN_PSR This variable indicates whether a Protection-Capability AVP is carried in a PANA-Start-Request message. + AUTH_ALGORITHM_IN_PSR + + This variable indicates whether a Algorithm AVP is carried in a + PANA-Start-Request message. + PROTECTION_CAP_IN_PBR This variable indicates whether a Protection-Capability AVP is carried in a PANA-Bind-Request message. CARRY_NAP_INFO This variable indicates whether a NAP-Information AVP is carried in PANA-Start-Request message. 
@@ -1374,24 +1463,24 @@ This event variable is set to TRUE when EAP conversation times out without generating an EAP-Success or an EAP-Failure message. This event does not accompany any EAP message. 7.3. Procedures boolean new_key_available() A procedure to check whether the PANA session has a new - PANA_MAC_KEY. If the state machine already have a PANA_MAC_KEY, + PANA_AUTH_KEY. If the state machine already have a PANA_AUTH_KEY, it returns FALSE. If the state machine does not have a - PANA_MAC_KEY, it tries to retrieve a AAA-Key from the EAP entity. - If a AAA-Key has been retrieved, it computes a PANA_MAC_KEY from + PANA_AUTH_KEY, it tries to retrieve a AAA-Key from the EAP entity. + If a AAA-Key has been retrieved, it computes a PANA_AUTH_KEY from the AAA-Key and returns TRUE. Otherwise, it returns FALSE. boolean new_source_address() A procedure to check the PaC's source IP address from the current PUR message. If the source IP address of the message is different from the last known IP address stored in the PANA session, this procedure returns TRUE. Otherwise, it returns FALSE. void update_popa() @@ -1446,20 +1536,24 @@ PSR.insert_avp ("ISP-Information"); if (CARRY_PPAC==Set) PSR.insert_avp ("Post-PANA-Address- Configuration"); if (PROTECTION_CAP_IN_PSR ==Set) PSR.insert_avp ("Protection-Cap."); + if (AUTH_ALGORITHM_IN_PSR + ==Set) + PSR.insert_avp + ("Algorithm"); Tx:PSR(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Stateless discovery) - - - - - - - - (Rx:PDI || if (SEPARATE==Set) OFFLINE PAC_FOUND) && PSR.S_flag=1; USE_COOKIE==Set PSR.insert_avp ("Cookie"); if (CARRY_NAP_INFO==Set) PSR.insert_avp 
@@ -1525,178 +1619,184 @@ ("EAP-Payload")) TxEAP(); else { if (SEPARATE==Set) NAP_AUTH=Set|Unset; EAP_Restart(); } RtxTimerStop(); EAP_TIMEOUT if (key_available()) WAIT_PEA - PER.insert_avp("MAC"); + PER.insert_avp("AUTH"); Tx:PER(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ------------------- State: WAIT_EAP_MSG ------------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - -(Receiving EAP-Request)- - - - - - - - - EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR - PAR.insert_avp("MAC"); + PAR.insert_avp("AUTH"); if (SEPARATE==Set) { PAR.S_flag=1; if (NAP_AUTH==Set) PAR.N_flag=1; } Tx:PAR(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Receiving EAP-Success/Failure single EAP)- - - - EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA 1ST_EAP==Unset && ("EAP-Payload"); SEPARATE==Unset if (key_available()) - PBR.insert_avp("MAC"); + PBR.insert_avp("AUTH"); Tx:PBR(); RtxTimerStart(); EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA 1ST_EAP==Unset && ("EAP-Payload"); SEPARATE==Unset && if (CARRY_DEVICE_ID==Set) Authorize() PBR.insert_avp ("Device-Id"); if (CARRY_LIFETIME==Set) PBR.insert_avp ("Session-Lifetime"); if (PROTECTION_CAP_IN_PBR ==Set) PBR.insert_avp ("Protection-Cap."); if (new_key_available()) PBR.insert_avp ("Key-Id"); + PBR.insert_avp + ("Algorithm"); if (key_available()) - PBR.insert_avp("MAC"); + PBR.insert_avp("AUTH"); Tx:PBR(); RtxTimerStart(); EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA 1ST_EAP==Unset && ("EAP-Payload"); SEPARATE==Unset && if (new_key_available()) !Authorize() PBR.insert_avp ("Key-Id"); + PBR.insert_avp + ("Algorithm"); if (key_available()) - PBR.insert_avp("MAC"); + PBR.insert_avp("AUTH"); Tx:PBR(); RtxTimerStart(); EAP_TIMEOUT && if (key_available()) WAIT_PEA - 1ST_EAP==Unset && PER.insert_avp("MAC"); + 1ST_EAP==Unset && PER.insert_avp("AUTH"); SEPARATE==Unset Tx:PER(); 
RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Receiving EAP-Success/Failure for 1st EAP)- - - - EAP_FAILURE && 1ST_EAP=Failure WAIT_PFEA 1ST_EAP==Unset && PFER.insert_avp SEPARATE==Set && ("EAP-Payload"); ABORT_ON_1ST_EAP_FAILURE if (key_available()) - ==Unset PFER.insert_avp("MAC"); + ==Unset PFER.insert_avp("AUTH"); PFER.S_flag=1; if (NAP_AUTH) PFER.N_flag=1; Tx:PFER(); RtxTimerStart(); EAP_FAILURE && 1ST_EAP=Failure WAIT_FAIL_PFEA 1ST_EAP==Unset && PFER.insert_avp SEPARATE==Set && ("EAP-Payload"); ABORT_ON_1ST_EAP_FAILURE if (key_available()) - ==Set PFER.insert_avp("MAC"); + ==Set PFER.insert_avp("AUTH"); PFER.S_flag=0; Tx:PFER(); RtxTimerStart(); EAP_SUCCESS && 1ST_EAP=Success WAIT_PFEA 1ST_EAP==Unset && PFER.insert_avp SEPARATE==Set ("EAP-Payload"); if (new_key_available()) PFER.insert_avp ("Key-Id"); + PFER.insert_avp + ("Algorithm"); if (key_available()) - PFER.insert_avp("MAC"); + PFER.insert_avp("AUTH"); PFER.S_flag=1; if (NAP_AUTH) PFER.N_flag=1; Tx:PFER(); RtxTimerStart(); EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA 1ST_EAP==Unset && if (key_available()) - SEPARATE==Set && PFER.insert_avp("MAC"); + SEPARATE==Set && PFER.insert_avp("AUTH"); ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1; ==Unset if (NAP_AUTH) PFER.N_flag=1; Tx:PFER(); RtxTimerStart(); EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA 1ST_EAP==Unset && if (key_available()) - SEPARATE==Set && PFER.insert_avp("MAC"); + SEPARATE==Set && PFER.insert_avp("AUTH"); ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset; ==Set PFER.S_flag=0; Tx:PFER(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Receiving EAP-Success/Failure for 2nd EAP)- - - - EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA 1ST_EAP==Failure && ("EAP-Payload"); SEPARATE==Set if (key_available()) - PBR.insert_avp("MAC"); + PBR.insert_avp("AUTH"); PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); EAP_FAILURE && PBR.insert_avp WAIT_SUCC_PBA 
1ST_EAP==Success && ("EAP-Payload"); SEPARATE==Set && if (CARRY_DEVICE_ID==Set) Authorize() PBR.insert_avp ("Device-Id"); if (CARRY_LIFETIME==Set) PBR.insert_avp ("Session-Lifetime"); if (PROTECTION_CAP_IN_PBR ==Set) PBR.insert_avp ("Protection-Cap."); if (key_available()) - PBR.insert_avp("MAC"); + PBR.insert_avp("AUTH"); PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); EAP_FAILURE && PBR.insert_avp WAIT_FAIL_PBA 1ST_EAP==Success && ("EAP-Payload"); SEPARATE==Set && if (key_available()) - !Authorize() PBR.insert_avp("MAC"); + !Authorize() PBR.insert_avp("AUTH"); PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); + EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA 1ST_EAP==Success && ("EAP-Payload"); SEPARATE==Set && if (CARRY_DEVICE_ID==Set) Authorize() PBR.insert_avp ("Device-Id"); if (CARRY_LIFETIME==Set) PBR.insert_avp ("Session-Lifetime"); if (PROTECTION_CAP_IN_PBR ==Set) @@ -1698,35 +1798,39 @@ if (CARRY_LIFETIME==Set) PBR.insert_avp ("Session-Lifetime"); if (PROTECTION_CAP_IN_PBR ==Set) PBR.insert_avp ("Protection-Cap."); if (new_key_available()) PBR.insert_avp ("Key-Id"); + PBR.insert_avp + ("Algorithm"); if (key_available()) - PBR.insert_avp("MAC"); + PBR.insert_avp("AUTH"); PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA 1ST_EAP==Success && ("EAP-Payload"); SEPARATE==Set && if (new_key_available()) !Authorize() PBR.insert_avp ("Key-Id"); + PBR.insert_avp + ("Algorithm"); if (key_available()) - PBR.insert_avp("MAC"); + PBR.insert_avp("AUTH"); PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); EAP_SUCCESS && PBR.insert_avp WAIT_SUCC_PBA 1ST_EAP==Failure && ("EAP-Payload"); SEPARATE==Set && if (CARRY_DEVICE_ID==Set) Authorize() PBR.insert_avp 
@@ -1734,72 +1838,77 @@ if (CARRY_LIFETIME==Set) PBR.insert_avp ("Session-Lifetime"); if (PROTECTION_CAP_IN_PBR ==Set) PBR.insert_avp ("Protection-Cap."); if (new_key_available()) PBR.insert_avp ("Key-Id"); + PBR.insert_avp + ("Algorithm"); if (key_available()) - PBR.insert_avp("MAC"); + PBR.insert_avp("AUTH"); PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); EAP_SUCCESS && PBR.insert_avp WAIT_FAIL_PBA 1ST_EAP==Failure && ("EAP-Payload"); SEPARATE==Set && if (new_key_available()) !Authorize() PBR.insert_avp ("Key-Id"); + PBR.insert_avp + ("Algorithm"); if (key_available()) - PBR.insert_avp("MAC"); + PBR.insert_avp("AUTH"); PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); - EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA - 1ST_EAP==Failure && PBR.insert_avp("MAC"); + 1ST_EAP==Failure && PBR.insert_avp("AUTH"); SEPARATE==Set PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA 1ST_EAP==Success && PBR.insert_avp SEPARATE==Set && ("Device-Id"); Authorize() if (CARRY_LIFETIME==Set) PBR.insert_avp ("Session-Lifetime"); if (PROTECTION_CAP_IN_PBR ==Set) PBR.insert_avp ("Protection-Cap."); if (new_key_available()) PBR.insert_avp ("Key-Id"); + PBR.insert_avp + ("Algorithm"); if (key_available()) - PBR.insert_avp("MAC"); + PBR.insert_avp("AUTH"); PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA - 1ST_EAP==Success && PBR.insert_avp("MAC"); + 1ST_EAP==Success && PBR.insert_avp("AUTH"); SEPARATE==Set && PBR.S_flag=1; !Authorize() if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---------------- State: WAIT_PFEA ---------------- 
@@ -1859,63 +1969,63 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ----------- State: OPEN ----------- Event/Condition Action Exit State ------------------------+--------------------------+------------ - - - - - - - - (re-authentication initiated by PaC) - - - - - - Rx:PRAR if (key_available()) WAIT_EAP_MSG - PRAA.insert_avp("MAC"); + PRAA.insert_avp("AUTH"); EAP_Restart(); 1ST_EAP=Unset; NAP_AUTH=Set|Unset; Tx:PRAA(); SessionTimerStop(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - - REAUTH EAP_Restart(); WAIT_EAP_MSG 1ST_EAP=Unset; NAP_AUTH=Set|Unset; SessionTimerStop(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (liveness test based on PPR-PPA exchange initiated by PAA)- PANA_PING Tx:PPR(); WAIT_PPA RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (liveness test based on PPR-PPA exchange initiated by PaC)- Rx:PPR if (key_available()) OPEN - PPA.insert_avp("MAC"); + PPA.insert_avp("AUTH"); Tx:PPA(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Session termination initated from PAA) - - - - TERMINATE if (key_available()) SESS_TERM - PTR.insert_avp("MAC"); + PTR.insert_avp("AUTH"); Tx:PTR(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Session termination initated from PaC) - - - - Rx:PTR if (key_available()) CLOSED - PTA.insert_avp("MAC"); + PTA.insert_avp("AUTH"); Tx:PTA(); Disconnect(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Notification message) - - - - - - - - - - - NOTIFY if (key_available()) WAIT_PUA - PUR.insert_avp("MAC"); + PUR.insert_avp("AUTH"); Tx:PUR(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(Notification/Address update) - - - - - - - - - Rx:PUR If (key_avaialble()) OPEN - PUA.insert_avp("MAC"); + 
PUA.insert_avp("AUTH"); Tx:PUA(); if (new_source_address()) update_popa(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------- State: WAIT_PPA --------------- Exit Condition Exit Action Exit State 
@@ -1920,115 +2030,119 @@ Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - -(PPA processing) - - - - - - - - - - Rx:PPA RtxTimerStop(); OPEN - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ---------------------- State: WAIT_PAN_OR_PAR ---------------------- + Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - (Pass EAP Response to the EAP authenticator)- - - - Rx:PAN && TxEAP(); WAIT_EAP_MSG PAN.exist_avp ("EAP-Payload") Rx:PAR TxEAP(); WAIT_EAP_MSG if (key_available()) - PAN.insert_avp("MAC"); + PAN.insert_avp("AUTH"); if (SEPARATE==Set) { PAN.S_flag=1; if (NAP_AUTH==Set) PAN.N_flag=1; } RtxTimerStop(); Tx:PAN(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (PAN without an EAP response) - - - - - - - Rx:PAN && RtxTimerStop(); WAIT_PAN_OR_PAR !PAN.exist_avp ("EAP-Payload") - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(EAP retransmission) - - - - - - - - - - EAP_REQUEST if (key_available()) WAIT_PAN_OR_PAR - PAR.insert_avp("MAC"); + PAR.insert_avp("AUTH"); if (SEPARATE==Set) { PAR.S_flag=1; if (NAP_AUTH==Set) PAR.N_flag=1; } Tx:PAR(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(EAP authentication timeout)- - - - - - - - - EAP_TIMEOUT && if (key_available()) WAIT_PEA - 1ST_EAP==Unset && PER.insert_avp("MAC"); + 1ST_EAP==Unset && PER.insert_avp("AUTH"); SEPARATE==Unset Tx:PER(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(EAP authentication timeout for 1st EAP)- - - - - - EAP_TIMEOUT && 1ST_EAP=Failure WAIT_PFEA 1ST_EAP==Unset && if (key_available()) - SEPARATE==Set && PFER.insert_avp("MAC"); + SEPARATE==Set && PFER.insert_avp("AUTH"); ABORT_ON_1ST_EAP_FAILURE PFER.S_flag=1; ==Unset if (NAP_AUTH) PFER.N_flag=1; Tx:PFER(); 
RtxTimerStart(); EAP_TIMEOUT && 1ST_EAP=Failure WAIT_FAIL_PFEA 1ST_EAP==Unset && if (key_available()) - SEPARATE==Set && PFER.insert_avp("MAC"); + SEPARATE==Set && PFER.insert_avp("AUTH"); ABORT_ON_1ST_EAP_FAILURE SEPARATE=Unset; ==Set PFER.S_flag=0; Tx:PFER(); RtxTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -(EAP authentication timeout for 2nd EAP)- - - - - - EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA - 1ST_EAP==Failure && PBR.insert_avp("MAC"); + 1ST_EAP==Failure && PBR.insert_avp("AUTH"); SEPARATE==Set PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); EAP_TIMEOUT && if (CARRY_DEVICE_ID==Set) WAIT_SUCC_PBA 1ST_EAP==Success && PBR.insert_avp SEPARATE==Set && ("Device-Id"); Authorize() if (CARRY_LIFETIME==Set) PBR.insert_avp ("Session-Lifetime"); if (PROTECTION_CAP_IN_PBR ==Set) PBR.insert_avp ("Protection-Cap."); if (new_key_available()) PBR.insert_avp ("Key-Id"); + PBR.insert_avp + ("Algorithm"); if (key_available()) - PBR.insert_avp("MAC"); + PBR.insert_avp("AUTH"); PBR.S_flag=1; if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); EAP_TIMEOUT && if (key_available()) WAIT_FAIL_PBA - 1ST_EAP==Success && PBR.insert_avp("MAC"); + 1ST_EAP==Success && PBR.insert_avp("AUTH"); SEPARATE==Set && PBR.S_flag=1; !Authorize() if (NAP_AUTH) PBR.N_flag=1; Tx:PBR(); RtxTimerStart(); + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --------------- State: WAIT_PUA --------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ - - - - - - - - - - - - - (PUA processing)- - - - - - - - - - - Rx:PUA RtxTimerStop(); OPEN 
@@ -2071,21 +2185,21 @@ PaC changing its point of attachment during an active PANA session. Mobility optimization is achieved by avoiding a full EAP authentication sequence during this change. To support this, state transitions described in this section assume that the PaC state machine reverts to the OFFLINE state but maintains the session information including security association from the previous active session. It is also assumed that the PAA state machine initializes to the OFFLINE state as normal but must also have access to session information and security association from the previous active session. A method of how a PAA session context is transferred can be - found in [I-D.bournelle-pana-ctp]. + found in [I-D.ietf-pana-cxtp]. The variables, procedures and state transition described in this section is designed to be seamlessly integrated into the appropriate base protocol state machines. They should be treated as a mobility optimization addendum to the base protocol state machine. In this addendum, no additional states has been defined but some modifications to the base protocol state machine is required. The modifications are to accomodate the mobility variables and procedures as they relate to existing state transition actions and events. These modifications to existing state transition are noted in state 
@@ -2146,28 +2260,28 @@ - The following state transitions are intended to be added - - to the OFFLINE state of the PaC base protocol state - - machine. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Rx:PSR && RtxTimerStop(); WAIT_PAA !PSR.exist_avp PSA.insert_avp ("EAP-Payload") && ("Session-Id"); MOBILITY==Set && SEPARATE=Unset; resume_pana_sa() && PANA_SA_RESUMED=Set; PSR.exist_avp PSA.insert_avp("Cookie"); - ("Cookie") PSA.insert_avp("MAC"); + ("Cookie") PSA.insert_avp("AUTH"); Tx:PSA(); RtxTimerStart(); Rx:PSR && RtxTimerStop(); WAIT_PAA !PSR.exist_avp PSA.insert_avp ("EAP-Payload") && ("Session-Id"); - MOBILITY==Set && PSA.insert_avp("MAC"); + MOBILITY==Set && PSA.insert_avp("AUTH"); resume_pana_sa() && Tx:PSA(); !PSR.exist_avp PANA_SA_RESUMED=Set; ("Cookie") --------------- State: WAIT_PAA --------------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------ @@ -2176,21 +2290,21 @@ - existing base protocol state transitions. Original base - - protocol state transitions can be referenced by the same - - exit conditions that exist in the WAIT_PAA state of the PaC - - base protocol state machine. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG !eap_piggyback() TxEAP(); PANA_SA_RESUMED=Unset; EAP_RespTimerStart(); if (key_available()) - PAN.insert_avp("MAC"); + PAN.insert_avp("AUTH"); PAN.S_flag=PAR.S_flag; PAN.N_flag=PAR.N_flag; Tx:PAN(); Rx:PAR && RtxTimerStop(); WAIT_EAP_MSG eap_piggyback() TxEAP(); PANA_SA_RESUMED=Unset; EAP_RespTimerStart(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
@@ -2207,60 +2321,60 @@ PANA_SUCCESS && PANA_SA_RESUMED!=Set - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (PBR processing with mobility support)- - - - - - The following state transitions are intended to be added - - to the WAIT_PAA state of the PaC base protocol state - - machine. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Rx:PBR && PBA.insert_avp("Key-Id"); OPEN - 1ST_EAP==Unset && PBA.insert_avp("MAC"); + 1ST_EAP==Unset && PBA.insert_avp("AUTH"); SEPARATE==Unset && if (PBR.exist_avp PBR.RESULT_CODE== ("Device-Id")) PANA_SUCCESS && PBA.insert("Device-Id"); PANA_SA_RESUMED==Set && Tx:PBA(); PBR.exist_avp Authorize(); ("Key-Id") && SessionTimerStart(); PBR.exist_avp - ("MAC") + ("AUTH") ----------- State: OPEN ----------- Exit Condition Exit Action Exit State ------------------------+--------------------------+------------- - - - - - - - - - (re-authentication initiated by PaC)- - - - - - - The following state transitions are intended to replace - - existing base protocol state transitions. Original base - - protocol state transitions can be referenced by the same - - exit conditions that exist in the OPEN state of the PaC - - base protocol state machine. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - REAUTH SEPARATE=Set|Unset; WAIT_PRAA 1ST_EAP=Unset; PANA_SA_RESUMED=Unset; if (key_available()) - PRAR.insert_avp("MAC"); + PRAR.insert_avp("AUTH"); Tx:PRAR(); RtxTimerStart(); SessionTimerStop(); - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (re-authentication initiated by PAA)- - - - - - Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG !eap_piggyback() 1ST_EAP=Unset; PANA_SA_RESUMED=Unset; EAP_RespTimerStart(); TxEAP(); if (key_available()) - PAN.insert_avp("MAC"); + PAN.insert_avp("AUTH"); PAN.S_flag=PAR.S_flag; PAN.N_flag=PAR.N_flag; Tx:PAN(); SessionTimerStop(); Rx:PAR && SEPARATE=Set|Unset; WAIT_EAP_MSG eap_piggyback() 1ST_EAP=Unset; PANA_SA_RESUMED=Unset; EAP_RespTimerStart(); TxEAP(); @@ -2296,21 +2410,21 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Rx:PSA && if (SEPARATE==Set && WAIT_EAP_MSG (!PSA.exist_avp PSA.S_flag==0) ("Session-Id") || SEPARATE=Unset; MOBILITY==Unset || if (SEPARATE==Set) (MOBILITY==Set && NAP_AUTH=Set|Unset; !retrieve_pana_sa EAP_Restart(); (PSA.SESSION_ID))) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (PSA processing with mobility support)- - - - - - Rx:PSA && PBR.insert_avp("MAC"); WAIT_SUCC_PBA + Rx:PSA && PBR.insert_avp("AUTH"); WAIT_SUCC_PBA PSA.exist_avp PBR.insert_avp("Key-Id"); ("Session-Id") && if (CARRY_DEVICE_ID==Set) MOBILITY==Set && PBR.insert_avp retrieve_pana_sa ("Device-Id"); (PSA.SESSION_ID) if (PROTECTION_CAP_IN_PBR ==Set) PBR.insert_avp ("Protection-Cap."); Tx:PBR(); RtxTimerStart(); 
@@ -2368,49 +2482,38 @@ This work was started from state machines originally made by Dan Forsberg. 13. References 13.1. Normative References [I-D.ietf-pana-pana] Forsberg, D., "Protocol for Carrying Authentication for - Network Access (PANA)", draft-ietf-pana-pana-10 (work in - progress), July 2005. - - [I-D.ietf-eap-statemachine] - Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, - "State Machines for Extensible Authentication Protocol - (EAP) Peer and Authenticator", - draft-ietf-eap-statemachine-06 (work in progress), - December 2004. + Network Access (PANA)", draft-ietf-pana-pana-11 (work in + progress), March 2006. [I-D.ietf-pana-mobopts] Forsberg, D., "PANA Mobility Optimizations", - draft-ietf-pana-mobopts-00 (work in progress), - January 2005. + draft-ietf-pana-mobopts-01 (work in progress), + October 2005. 13.2. Informative References - [RFC4058] Yegin, A., Ohba, Y., Penno, R., Tsirtsis, G., and C. Wang, - "Protocol for Carrying Authentication for Network Access - (PANA) Requirements", RFC 4058, May 2005. - - [I-D.ietf-pana-snmp] - Mghazli, Y., "SNMP usage for PAA-EP interface", - draft-ietf-pana-snmp-04 (work in progress), July 2005. + [RFC4137] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, + "State Machines for Extensible Authentication Protocol + (EAP) Peer and Authenticator", RFC 4137, August 2005. - [I-D.bournelle-pana-ctp] - Bournelle, J., "Use of Context Transfer Protocol (CxTP) - for PANA", draft-bournelle-pana-ctp-03 (work in progress), - June 2005. + [I-D.ietf-pana-cxtp] + Bournelle, J., "Use of Context Transfer Protocol (CXTP) + for PANA", draft-ietf-pana-cxtp-01 (work in progress), + March 2006. Authors' Addresses Victor Fajardo Toshiba America Research, Inc. 1 Telcordia Drive Piscataway, NJ 08854 USA Phone: +1 732 699 5368 
@@ -2461,18 +2564,18 @@ This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement - Copyright (C) The Internet Society (2005). This document is subject + Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society.
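Review bot: In hunk @@ -2146 the OFFLINE-state transitions change the AVP inserted into PSA from "MAC" to "AUTH" in both the Cookie and non-Cookie branches, but nothing in the hunk records why the AVP name changed; the transition tables should be accompanied by a sentence (or change-log entry) stating that the MAC AVP is now called AUTH so that readers of the -03 draft can map the old transitions onto the new ones. Note also that in these resume branches `PSA.insert_avp("AUTH")` follows `resume_pana_sa() && PANA_SA_RESUMED=Set` unconditionally, whereas the later hunks guard the same insertion with `if (key_available())`; if a resumed SA always implies an available key, say so next to the transition.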
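Review bot: In hunk @@ -2176 the only change is `PAN.insert_avp("MAC")` becoming `PAN.insert_avp("AUTH")` under `if (key_available())`, and the `eap_piggyback()` transition that follows inserts no AUTH AVP at all because no PAN is sent there; that asymmetry is correct but easy to misread, so the prose introducing these replacement transitions ("The following state transitions are intended to replace existing base protocol state transitions") should mention that the piggyback case carries the AUTH AVP on the later PAN, not on this transition.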
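Review bot: In hunk @@ -2207 the PBR-processing exit condition only tests presence, `PBR.exist_avp("AUTH")` (and `PBR.exist_avp("Key-Id")`), before the exit action runs `Authorize()` and `SessionTimerStart()`; the table does not show where the received AUTH AVP is verified against the resumed PANA SA. If verification is assumed to happen as part of Rx:PBR in the base protocol machine, state that explicitly, otherwise an `Authorize()` reached on an unverified AUTH AVP would undermine the point of carrying it.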
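Review bot: In hunk @@ -2296 the PAA-side "PSA processing with mobility support" transition resumes the SA on `PSA.exist_avp("Session-Id") && MOBILITY==Set && retrieve_pana_sa(PSA.SESSION_ID)` and then sends a PBR carrying AUTH and Key-Id, but the exit condition never references an AUTH AVP on the incoming PSA even though the PaC side (hunk @@ -2146) now inserts AUTH into that PSA. Consider mirroring the PaC behaviour by requiring (and verifying) `PSA.exist_avp("AUTH")` before `retrieve_pana_sa()` is allowed to resume the session, or document why the Session-Id alone is sufficient at this step.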
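Review bot: In hunk @@ -2368 the EAP state machine reference moves from a normative draft ([I-D.ietf-eap-statemachine]) to an informative RFC ([RFC4137]); since the PaC and PAA machines are defined in terms of the EAP peer/authenticator interface, RFC 4137 should probably stay under 13.1 Normative References rather than 13.2. The hunk also drops [RFC4058], [I-D.ietf-pana-snmp] and [I-D.bournelle-pana-ctp] (the last replaced by [I-D.ietf-pana-cxtp]); please confirm that no remaining citation in the body still points at the removed tags.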